Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present specification. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the specification, as detailed in the appended claims.
The terminology used in the description herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the description. As used in this specification and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited by these terms. These terms are only used to distinguish one type of information from another. For example, the first information may also be referred to as second information, and similarly, the second information may also be referred to as first information, without departing from the scope of the present specification. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
In current banking business, user identity is directly collected, stored and managed by each commercial bank during the account opening process. The identity information and transaction data of the user's entire transaction process are ultimately gathered at the commercial bank, which can identify the real identity of the user in any transaction at any time from the stored identity information, so the user cannot conduct a truly anonymous transaction. Moreover, since the user transacts with a relatively fixed bank account number (bank card number), a merchant can analyze and track the transaction records of a specific user by storing and comparing the user account number. This identification and tracking of user identity by commercial banks and merchants makes user privacy protection requirements difficult to meet in most transaction scenarios.
By contrast, digital currencies such as bitcoin manage user identity based on blockchain technology by binding the user identity directly to a certificate. The user can register a plurality of accounts and complete transactions without providing real identity information, so the user can be completely anonymous and privacy is fully protected. However, where partial supervision or judicial intervention is required, fully anonymous payment of the bitcoin kind cannot identify the real identity of the user through technical means, and thus becomes a huge obstacle to legal supervision and financial risk prevention.
In view of the above problems, embodiments of the present specification provide an online transaction method and an online transaction apparatus for performing the method. With reference to fig. 1, by separately encrypting and managing the service information and the identity information in a transaction, a "semi-anonymous" transaction mode is implemented in which the user is anonymous to the commercial bank during normal transactions, while in specific scenarios the real information can be looked up from the transaction information. The method and the apparatus can be applied to blockchain-based transactions.
The following first describes the system architecture in which an embodiment of the present specification operates.
In the account opening stage, the entities involved in the embodiments of the present specification include: client, account management system, identity management system, wherein:
The client is a terminal used by a user for opening an account or conducting a transaction. The client can be a device dedicated to transactions, or software with a transaction function installed on an intelligent terminal (for example, a mobile phone with a payment wallet), and the user can open one or more virtual accounts through the client.
The account management system is the system with which a user opens a transaction account, and is typically a commercial bank. The account management system has the function of collecting biological characteristics of the user (face, iris and the like), and can provide a secure communication channel with the user and with the identity management system.
The identity management system is an institution that manages the real identity information of users. When a transaction in question needs to be traced, the identity management system can identify the natural-person identity information of the user from the virtual account information in the transaction.
In the transaction phase, the entities involved in the embodiments of the present specification include: payment end, first account management system, collection end, second account management system, identity management system, wherein:
The payment end is the payment initiator of the transaction and is the client used by the user when paying. It can be a device dedicated to payment, or software with a payment function installed on an intelligent terminal (for example, a mobile phone with a payment wallet).
The first account management system is the account management system of the payment end, and is typically a commercial bank. When the payment end conducts a transaction, the transaction information needs to be submitted to the first account management system.
The collection end is the receiving party of the transaction and is the client used by a user when receiving payment. It can be a device dedicated to payment, or software with a collection function installed on an intelligent terminal (such as a mobile phone provided with an Alipay wallet).
The second account management system is the account management system of the collection end, and is typically a commercial bank. When the collection end conducts a transaction, the second account management system is required to receive the transaction information.
The identity management system is the same as the identity management system in the account opening stage.
The following describes the two phases, "account initialization" and "account online transaction", of the "semi-anonymous" transaction scheme provided by the present specification, in which the user is anonymous to the commercial bank during normal transactions and, in specific scenarios, real information can be looked up from the transaction information. The "semi-anonymous" transaction scheme can be applied to a blockchain, for example in the field of legal digital currency.
Fig. 2 is a flowchart of an account initialization method provided in the present specification, which is applied to an account opening phase of a transaction account, and may include the following steps:
S201, a client generates a service key and an initialization request, wherein the initialization request at least comprises an account name, a client identification and user characteristics;
Account initialization may be understood as a user applying for a new transaction account in an account management system. First, the client generates an initialization request that includes at least an account name, a client identifier, and a user characteristic.
The account name may typically be entered by the user, and may be understood as a nickname or ID used by the user during the transaction.
The client identification is used to generate session keys based on the devices, and different devices may generate different session keys. The client identifier may include device identifier information and a random number preset in the device; and the device identification information may include at least a manufacturer identification and a specific device identification:
Manufacturer identification: for example, equipment manufacturers such as Huawei and Xiaomi preset the manufacturer identification in the equipment. Equipment identification: the equipment identification can be composed of information such as the model number of the equipment and the production batch of the equipment.
The user characteristics are used for looking up the corresponding real identity information of the user. It should be noted that only the identity management system has the right to look up real identity information from user characteristics; the terminal, the account management system and other commercial banks cannot do so. For example, the identity management system can be a central bank, which prestores, or has authority to access, a feature comparison library of institutions such as public security, the library containing a one-to-one correspondence between user characteristics and the real identities of users.
The user characteristics can be input by the user in an account opening stage, for example, when the user opens an account in a commercial bank, the user characteristic information is input at a user characteristic acquisition device provided by the account management system. The user characteristic information may be biological characteristic information of a natural person, such as a face, a fingerprint, an iris, and the like of the user.
S202, the client sends the service key and the initialization request to an account management system;
The service key is generated by the client and may include a service public key and a service private key, where the service public key is used to decrypt the transaction and the service private key is used to encrypt the transaction.
S203, the account management system sends the initialization request to an identity management system;
It should be noted that the account name, client identification and user characteristics provided by the client are sent to the identity management system via the account management system, but the client identification and user characteristics have no practical meaning to the account management system. The account management system does not know how the session key is calculated from the client identifier, and does not have the authority to find the corresponding real user identity from the user characteristics.
The account management system may generate a unique account ID for the account upon receiving the initialization request. For example, when a user opens an account and takes the nickname "zhang san" for the new transaction account, the nickname is often not unique, so the account management system can generate an account ID for the new account using a preset ID generation rule, the account ID uniquely identifying the new account. The ID generation rule may be to increment or decrement numbers and/or letters according to a certain rule, or to combine elements such as time, which is not limited in this specification.
S204, the identity management system generates an identity recognition key of the transaction account, and stores the corresponding relation between the account, the identity recognition key and the user characteristics;
The identity management system is a third-party organization different from the client and from the commercial bank to which the client account belongs. When the method is applied to the field of legal digital currency transactions, the identity management system can be the issuer of the virtual currency, such as a central bank.
The identity management system stores the corresponding relationship between the account and the identity identification key and the user characteristics, and the specific storage form can refer to the following table:
Account ID | Identity identification key | User features
1111 | XXXX | AAAA
2222 | YYYY | BBBB
3333 | ZZZZ | CCCC
… | … | …
TABLE 1
The identity identification key can also comprise an identity identification public key, an identity identification private key and an identity identification certificate issued according to the identity management system private key and the identity identification public key. In subsequent transactions, the private key in the identification key may be used to encrypt the identity information contained in the transaction, and the public key in the identification key may be used to decrypt the identity information contained in the transaction.
S205, the identity management system sends the identity identification key encrypted according to the client identifier to the account management system, and the encrypted identity identification key can only be decrypted by the client;
The identity management system computes a session key from the client identifier, encrypts the identity identification key with the session key, and sends the encrypted identity identification key to the client through the account management system. Different equipment identifications correspond to different session key calculation modes; the calculation modes are generated by the identity management system and preset in the client equipment.
The calculation mode may exist in the form of a specific formula or a key. For example, the identity management system assigns a key 1 to manufacturer A, and key 1 is preset in the device when the device of manufacturer A leaves the factory. Key 1 is not known by other institutions such as commercial banks.
In one communication, the identity management system and manufacturer A can each obtain key 1 according to the client identifier preset in the device by manufacturer A, and from it calculate the session key. Further, a random number is added in each session, so that the identity management system and manufacturer A obtain a different session key for each session from key 1 and the random number.
S206, the account management system signs a service encryption certificate according to the service key;
S207, the account management system sends the service encryption certificate and the encrypted identification key to the client;
S208, the client decrypts to obtain the identification key. The identity identification key, the service encryption certificate and the like are stored in a trusted environment of the client, so that identity information and transaction information are encrypted separately in subsequent transactions, realizing the separation of identity confidentiality and transaction confidentiality in the transaction process.
It should be noted that a user opening accounts multiple times in different account management systems causes the identity management system to generate multiple identity identification keys corresponding to the different transaction accounts. When opening an account, the user can select real name (the same each time an account is opened, and bound to the real name) or anonymity (different each time an account is opened, and bound to an account name). Whichever the user selects, the identity management system holds the correspondence between the account name, the identity identification key and the user characteristics, so that the real identity can be queried through the user characteristics under special conditions.
FIG. 3 is a flow chart of another account initialization method provided herein, which may include the steps of:
S301, a client generates a service public and private key pair;
S302, the client sends an account name, user characteristics, a service public key, an equipment manufacturer identifier, an equipment identifier and a random number to an account management system;
S303, the account management system sends the account name, the user characteristics, the equipment manufacturer identifier, the equipment identifier and the random number to an identity management system;
S304, the identity management system calculates the session key according to the manufacturer identifier, the equipment identifier and the random number;
S305, the identity management system generates an identity recognition public and private key pair for the account, signs an identity recognition certificate for the account using its own private key, and stores the correspondence between the account, the identity recognition key and the user characteristics;
S306, the identity management system encrypts the identity recognition public and private key pair and the identity recognition certificate by using the session key;
S307, the identity management system sends the encrypted identity recognition public and private key pair and the identity recognition certificate to the account management system;
S308, the account management system signs a service encryption certificate according to the service key;
S309, the account management system sends the service encryption certificate, the encrypted identity recognition public and private key pair and the identity recognition certificate to the client;
S310, the client calculates the session key according to the manufacturer identifier, the equipment identifier and the random number;
S311, the client uses the session key to decrypt and obtain the identity recognition public and private key pair and the identity recognition certificate.
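As an added illustration, not part of the original specification, the following Python sketch walks through S304 to S311: both sides derive the session key from the factory-preset manufacturer key and the client identifier, and the relaying account management system cannot open the wrapped key. The specification does not name any algorithm; HMAC-SHA256 as the derivation function, the encrypt-then-MAC wrapper standing in for an authenticated cipher, and all function names and sample values are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample: "key 1", assigned by the identity management system to
# manufacturer A and preset in its devices; the commercial bank never holds it.
MANUFACTURER_KEYS = {"vendor-A": bytes.fromhex("11" * 32)}


def _prf(key, *parts):
    # HMAC-SHA256 over length-prefixed fields, so field boundaries are unambiguous.
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_session_key(key1, manufacturer_id, device_id, nonce):
    """S304 / S310: the same inputs on both sides give the same session key."""
    return _prf(key1, b"session", manufacturer_id.encode(), device_id.encode(), nonce)


def _keystream(key, iv, length):
    blocks = (_prf(key, iv, i.to_bytes(4, "big")) for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def wrap(session_key, plaintext):
    """S306: encrypt-then-MAC with separate subkeys (assumed stand-in for an AEAD)."""
    iv = secrets.token_bytes(16)
    stream = _keystream(_prf(session_key, b"enc"), iv, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return iv + ct + _prf(_prf(session_key, b"mac"), iv, ct)


def unwrap(session_key, blob):
    """S311: check the tag before decrypting; ValueError on any mismatch."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(session_key, b"mac"), iv, ct)):
        raise ValueError("wrong session key or modified blob")
    stream = _keystream(_prf(session_key, b"enc"), iv, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


def identity_system_issue(manufacturer_id, device_id, nonce, identity_key):
    """S304-S307: look up key 1 by manufacturer identifier, derive, wrap."""
    key1 = MANUFACTURER_KEYS[manufacturer_id]
    return wrap(derive_session_key(key1, manufacturer_id, device_id, nonce), identity_key)


def client_receive(preset_key, manufacturer_id, device_id, nonce, blob):
    """S310-S311: the device derives the key from its factory-preset secret."""
    return unwrap(derive_session_key(preset_key, manufacturer_id, device_id, nonce), blob)


def demo():
    identity_key = secrets.token_bytes(32)  # stands in for key pair + certificate
    nonce = secrets.token_bytes(16)         # random number sent in S302
    ids = ("vendor-A", "model-X/batch-7")   # constructed identifiers
    blob = identity_system_issue(*ids, nonce, identity_key)
    client_ok = client_receive(MANUFACTURER_KEYS["vendor-A"], *ids, nonce, blob) == identity_key
    # The account management system relays ids, nonce and blob but lacks key 1.
    try:
        client_receive(bytes(32), *ids, nonce, blob)
        relay_ok = True
    except ValueError:
        relay_ok = False
    return client_ok, relay_ok


if __name__ == "__main__":
    print(demo())
```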
Fig. 4 is a flowchart of an online transaction method provided in this specification, in which a payment-side account in an online transaction belongs to a first account management system, a collection-side account belongs to a second account management system, the payment-side account prestores an online transaction key, an identity recognition key, and a service key, which are provided by an identity management system, in an account opening phase, and the identity management system prestores user feature information corresponding to the payment-side account in the account opening phase, where the method may include the following steps:
S401, the client integrates the transaction information, the transaction certificate encrypted by using the online transaction key and the identity certificate encrypted by using the identity identification key into a transaction request, and encrypts the transaction request by using a service key;
The online transaction key is provided by the identity management system and prestored in the payment end; the specific steps for providing the online transaction key include:
S401a, the first account management system sends the initialization request of the payment end account to an identity management system;
S401b, the identity management system generates an online transaction key for the payment end account according to its own transaction root key, and encrypts the online transaction key by using the identity identification key corresponding to the payment end account;
S401c, the identity management system sends the encrypted online transaction key to the payment end for storage.
The transaction certificate and the identity certificate are respectively used for verifying the validity of the transaction and acquiring real identity information in suspicious transactions. The specific acquisition mode of the transaction certificate and the identity certificate can be as follows: encrypting the transaction information by using the online transaction key, and taking the encrypted transaction information as a transaction certificate; and encrypting the transaction information by using the identification key, and using the encrypted transaction information as an identification certificate.
S402, the client sends the encrypted transaction request to a first account management system;
S403, the first account management system decrypts the received transaction request by using the service key corresponding to the payment end account and checks the transaction state of the payment end;
As described above, the service key corresponding to the payment end account is generated in the account opening stage by the payment end (i.e., the client described above), and is sent by the payment end to the first account management system (i.e., the account management system described above) in the account opening stage.
The service key can be divided into a service public key and a service private key, and the service public key and the service private key can be held by the payment end and the first account management system respectively. When a transaction is carried out, the client and the first account management system use the service private key and the service public key, respectively, to encrypt and decrypt the transaction request, so as to avoid leakage of the information in the transaction request.
Verifying the transaction state of the payment end comprises: checking whether the account state of the payment end is normal; checking whether the transaction conforms to business rules; checking whether there is currently a transaction risk.
S404, the first account management system forwards the transaction request to the identity management system after verification is passed;
S405, the identity management system verifies the transaction certificate by using the online transaction key of the payment end;
After receiving the transaction request, the identity management system needs to confirm the right of the transaction request. Right confirmation is the process by which the identity management system uses the transaction certificate to verify the validity of the transaction initiated by the payment end. In the initialization stage of the client, the identity management system calculates the online transaction key from its own transaction root key and the payment end account, and presets the key in the client.
In the right confirmation process, the identity management system calculates the online transaction key again from the received payment end account information and its own transaction root key, and verifies the received transaction certificate with it. If the verification passes, the online transaction key used by the client to encrypt the transaction certificate is genuine, and step S406 is executed; if the verification does not pass, the online transaction key used by the client to encrypt the transaction certificate is not genuine, and the process ends. Further, such a transaction may be considered an unsecure transaction and moved into an unsecure transaction processing flow.
S406, the identity management system notifies a second account management system after passing the verification;
S407, the second account management system checks the transaction state of the collection end;
Checking the transaction state of the collection end comprises: checking whether the account state of the collection end is normal; checking whether the transaction conforms to business rules; checking the current transaction risk.
S408, the second account management system notifies the identity management system after passing the verification;
S409, the identity management system transfers the corresponding money right from the payment end to the collection end and changes the local account book.
Further, after the bookkeeping registration center synchronously changes its own account book, each party also needs to be notified of the transaction result, and the specific steps may be as follows:
After receiving a successful response from the bookkeeping registration center, the identity management system returns payment result information to the first account management system;
The first account management system sends the payment result information to the payment end and the second account management system;
The second account management system sends the payment result information to the collection end.
Further, when the method provided by the present specification is applied to the field of legal digital currency transactions, after the identity management system transfers the corresponding currency right from the payment end to the collection end and changes the local account book, the identity management system also needs to send the payment result to the bookkeeping registration center, so that the bookkeeping registration center synchronously changes its own account book. And after the bookkeeping registration center synchronously changes the self account book, the identity management system signs the transaction result by using the identity identification key of the payment terminal account, and submits the account book of the bookkeeping registration center to the block chain.
The account initialization method and the transaction method in the embodiments of the present specification realize a "semi-anonymous" transaction mode in which a user is anonymous to a commercial bank during normal transactions, while real information can be looked up from transaction information in specific scenarios. An identity confirmation method for looking up real information from transaction information in such a scenario is described below. As shown in fig. 5, the method includes the following steps:
S501, the identity management system extracts account information and identity certificates in target transactions;
S502, the identity management system acquires a user identity identification key according to the account information and verifies the identity certificate by using the user identity identification key;
As described above, the user identification key corresponding to the account information is generated by the identity management system in the account opening stage and is stored in the trusted environment of the client; the identity identification key is stored only in the client and the identity management system and cannot be known by a third-party organization (e.g., a commercial bank).
The identity identification key may be divided into an identity identification public key and an identity identification private key, and the identity identification public key may be held by the identity management system and the client (the payment end/the collection end), respectively. When a transaction is carried out, the client and the identity management system use the identity identification private key and the identity identification public key, respectively, to encrypt and decrypt the identity certificate, so as to avoid leakage of the information in the identity certificate.
The identity management system obtains the identity identification key from the received account information and its stored correspondence between accounts and identity identification keys (see Table 1 above), and verifies the received identity certificate with that key. If the verification passes, the identity identification key used by the client to encrypt the identity certificate is genuine; if the verification does not pass, the identity identification key used by the client to encrypt the identity certificate is not genuine.
S503, determining whether the verification passes; if the verification passes, step S504 is executed, and if the verification does not pass, the flow ends;
S504, after the verification is passed, the identity management system searches the corresponding user characteristics according to the account information, and determines the real identity information of the user corresponding to the account information according to the user characteristics.
The identity management system obtains the user identity characteristic information from its stored correspondence between accounts and user identity characteristics (see Table 1 above). The user characteristics are used for looking up the corresponding real identity information of the user. It should be noted that only the identity management system has the right to look up real identity information from user characteristics; the terminal, the account management system and other commercial banks cannot do so. For example, the identity management system is a central bank, which prestores, or has authority to access, a feature comparison library of institutions such as public security, the library containing a one-to-one correspondence between user characteristics and the real identities of users. The user characteristics are input by the user at the account opening stage, and the user characteristic information can be biological characteristic information of a natural person, such as the face, fingerprint or iris of the user.
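As an added illustration, not part of the original specification, the following Python sketch shows the two independent checks performed by the identity management system: right confirmation in S405, where the online transaction key is recomputed from the transaction root key and the payment end account, and identity tracing in S501 to S504 against Table 1. The specification leaves the algorithms open; an HMAC-SHA256 tag stands in here for the "encrypted transaction information" used as each certificate, the outer encryption with the service key is omitted, and all names, fields and sample values are assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample data. The transaction root key exists only inside the
# identity management system; Table 1 maps account ID -> (identity key, features).
TRANSACTION_ROOT_KEY = bytes.fromhex("22" * 32)
TABLE_1 = {
    "1111": (bytes.fromhex("aa" * 32), "AAAA"),
    "2222": (bytes.fromhex("bb" * 32), "BBBB"),
}


def _tag(key, label, tx):
    # Canonical JSON so the client and the verifier MAC exactly the same bytes.
    body = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, label + b"|" + body, hashlib.sha256).hexdigest()


def online_transaction_key(account_id):
    """S401b / S405: derived on demand from the root key and the account."""
    return hmac.new(TRANSACTION_ROOT_KEY, b"online|" + account_id.encode(),
                    hashlib.sha256).digest()


def build_request(tx, online_key, identity_key):
    """S401 (payment end): bind both certificates to the transaction information."""
    return {
        "tx": tx,
        "transaction_certificate": _tag(online_key, b"tx-cert", tx),
        "identity_certificate": _tag(identity_key, b"id-cert", tx),
    }


def confirm_right(request):
    """S405: recompute the online transaction key, check the transaction certificate."""
    key = online_transaction_key(request["tx"]["payer"])
    expected = _tag(key, b"tx-cert", request["tx"])
    return hmac.compare_digest(expected, str(request.get("transaction_certificate", "")))


def trace_identity(request):
    """S501-S504: return the user features only if the identity certificate verifies."""
    entry = TABLE_1.get(request["tx"]["payer"])
    if entry is None:
        return None
    identity_key, features = entry
    expected = _tag(identity_key, b"id-cert", request["tx"])
    if not hmac.compare_digest(expected, str(request.get("identity_certificate", ""))):
        return None  # S503: verification failed, the flow ends
    return features


def demo():
    tx = {"payer": "1111", "payee": "2222", "amount": "25.00", "seq": 7}
    # The payment end holds both keys from the account opening stage.
    genuine = build_request(tx, online_transaction_key("1111"), TABLE_1["1111"][0])
    # The same certificates replayed over an altered amount.
    altered = dict(genuine, tx=dict(tx, amount="2500.00"))
    # A request assembled by a party that knows the account ID but neither key.
    forged = build_request(tx, bytes(32), bytes(32))
    return [(confirm_right(r), trace_identity(r)) for r in (genuine, altered, forged)]


if __name__ == "__main__":
    print(demo())
```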
In order to illustrate the solution of the embodiments of the present specification more clearly, the following describes the method as performed from the perspective of each single side:
Referring to fig. 6, an account initialization method of the embodiments of the present specification, executed on the client side, is applied to an account opening phase of a transaction account, and the method includes:
S601, generating a service key and an initialization request, wherein the initialization request at least comprises an account name, a client identification and user characteristics, sending the service key to an account management system to obtain a service encryption certificate issued by the account management system according to the service key, and sending the initialization request to an identity management system through the account management system;
S602, receiving an identity identification key sent by an identity management system through an account management system, wherein the identity identification key is generated by the identity management system and is encrypted by the identity management system according to a client identifier, and the encrypted identity identification key can only be decrypted by the client;
S603, decrypting to obtain an identity recognition key, wherein the identity recognition key is used for identity encryption during transaction, and the service key is used for service encryption during transaction, so that the identity confidentiality and the transaction confidentiality are separated during the transaction.
Referring to fig. 7, an account initialization method of the embodiments of the present specification, executed in the identity management system, is applied to an account opening phase of a transaction account, and the method includes:
S701, receiving an initialization request sent by a client through an account management system, wherein the initialization request at least comprises an account of the transaction account, a client identification and user characteristics;
S702, generating an identity identification key of the account, and storing the account, the corresponding identity identification key and user characteristics, wherein the identity management system has the right to use the user characteristics to obtain the corresponding real identity of the user;
S703, sending the identification key encrypted according to the client identifier to the client through the account management system, wherein the encrypted identification key can only be decrypted by the client, the identification key is used for identity encryption during transaction, and the service key is used for service encryption during transaction, so as to realize the separation of the identity confidentiality and the transaction confidentiality during the transaction.
Referring to fig. 8, in an online transaction method executed at a payment end in an embodiment of the present specification, a payment end account in the online transaction belongs to a first account management system, a collection end account belongs to a second account management system, the payment end account prestores an online transaction key, an identity recognition key, and a service key, which are provided by an identity management system, in an account opening phase, and the identity management system prestores user feature information corresponding to the payment end account in the account opening phase, where the method includes:
S801, integrating transaction information, a transaction certificate encrypted by using the online transaction key and an identity certificate encrypted by using the identity identification key into a transaction request, encrypting the transaction request by using the service key, and then sending the transaction request to the first account management system, so that the transaction request is decrypted and checked by the first account management system and then forwarded to the identity management system;
S802, receiving a transaction result notice sent by the identity management system after the corresponding currency right is transferred from the payment end to the collection end and the local account book is changed.
Referring to fig. 9, in an online transaction method executed in an identity management system according to an embodiment of the present disclosure, a payment-side account in the online transaction belongs to a first account management system, a collection-side account belongs to a second account management system, the payment-side account prestores an online transaction key, an identity recognition key, and a service key, which are provided by the identity management system, in an account opening phase, and the identity management system prestores user feature information corresponding to the payment-side account in the account opening phase, where the method includes:
S901, receiving a transaction request sent by the payment end after it has been checked by the first account management system, wherein the transaction request is formed by the payment end integrating transaction information, a transaction certificate encrypted by using the online transaction key and an identity certificate encrypted by using the identity identification key;
S902, verifying the transaction certificate by using the payment end's online transaction key, and notifying the second account management system after the verification is passed;
S903, receiving the checking result of the second account management system, transferring the corresponding currency right from the payment end to the collection end, and changing the local account book.
For details of the single-side execution method of the payment end and the service end, reference may be made to the description of the foregoing embodiments, which are not described herein again.
Corresponding to the above method embodiment, an embodiment of the present specification further provides an account initialization apparatus, applied to a client in an account opening phase of a transaction account, as shown in fig. 10, where the apparatus includes: a request generation module 1010, a key reception module 1020, and a key decryption module 1030;
the request generation module 1010: configured to generate a service key and an initialization request, wherein the initialization request at least comprises an account name, a client identification and user characteristics, to send the service key to an account management system to obtain a service encryption certificate issued by the account management system according to the service key, and to send the initialization request to an identity management system through the account management system;
the key reception module 1020: configured to receive an identity identification key sent by the identity management system through the account management system, wherein the identity identification key is generated by the identity management system and is encrypted by the identity management system according to the client identifier, and the encrypted identity identification key can only be decrypted by the client;
the key decryption module 1030: configured to decrypt to obtain the identity identification key, wherein the identity identification key is used for identity encryption during transaction, and the service key is used for service encryption during transaction, so as to realize the separation of identity confidentiality and transaction confidentiality during transaction.
Corresponding to the above method embodiment, an embodiment of the present specification further provides an account initialization apparatus, which is applied to an identity management system in an account opening stage of a transaction account, and as shown in fig. 11, the apparatus includes: a request receiving module 1110, a key generating module 1120, and a key transmitting module 1130;
the request receiving module 1110: configured to receive an initialization request sent by the client through the account management system, wherein the initialization request at least comprises an account of the transaction account, a client identification and user characteristics;
the key generation module 1120: configured to generate an identity identification key of the account and to store the account, the corresponding identity identification key and the corresponding user characteristics, wherein the identity management system has the authority to use the user characteristics to obtain the corresponding real identity of the user;
the key sending module 1130: configured to send the identity identification key encrypted according to the client identification to the client through the account management system, wherein the encrypted identity identification key can only be decrypted by the client, the identity identification key is used for identity encryption during transaction, and the service key is used for service encryption during transaction, so as to realize the separation of identity confidentiality and transaction confidentiality during transaction.
Corresponding to the above method embodiment, an embodiment of the present specification further provides an online transaction apparatus, which is applied to a payment end, where an account of the payment end in an online transaction belongs to a first account management system, an account of the collection end belongs to a second account management system, the payment end account prestores, in an account opening phase, an online transaction key, an identity recognition key, and a service key, the online transaction key and the identity recognition key being provided by an identity management system, the service key being provided by the first account management system, and the identity management system prestores, in an account opening phase, user feature information corresponding to the account of the payment end, as shown in fig. 12, the apparatus includes: a request integration module 1210 and a result receiving module 1220.
The request integration module 1210: configured to enable the payment end to integrate transaction information, a transaction certificate encrypted by using the online transaction key and an identity certificate encrypted by using the identity identification key into a transaction request, and to encrypt the transaction request by using the service key and then send it to the first account management system, so that the transaction request is decrypted and checked by the first account management system and then forwarded to the identity management system;
the result receiving module 1220: configured to enable the payment end to receive the transaction result notice sent by the identity management system after the corresponding currency right is transferred from the payment end to the collection end and the local account book is changed.
Corresponding to the above method embodiment, an embodiment of the present specification further provides an online transaction apparatus, which is applied to an identity management system, where a payment-side account in an online transaction belongs to a first account management system, a collection-side account belongs to a second account management system, the payment-side account prestores an online transaction key, an identity identification key, and a service key provided by the first account management system in an account opening phase, and the identity management system prestores user feature information corresponding to the payment-side account in the account opening phase; as shown in fig. 13, the apparatus includes: a transaction receiving module 1310, a transaction verification module 1320, and a money transfer module 1330;
the transaction receiving module 1310: configured to enable the identity management system to receive a transaction request sent by the payment end after it has been checked by the first account management system, wherein the transaction request is formed by the payment end integrating transaction information, a transaction certificate encrypted by using the online transaction key and an identity certificate encrypted by using the identity identification key;
the transaction verification module 1320: configured to enable the identity management system to verify the transaction certificate by using the payment end's online transaction key and to notify the second account management system after the verification is passed;
the money transfer module 1330: configured to enable the identity management system to receive the checking result of the second account management system, transfer the corresponding currency right from the payment end to the collection end, and change the local account book.
Corresponding to the above method embodiment, an embodiment of the present specification further provides an identity verification apparatus, which, as shown in fig. 14, may include: information extraction module 1410, information verification module 1420, and identity determination module 1430.
The information extraction module 1410: configured to enable the identity management system to extract the account information and the identity credential in the target transaction;
the information verification module 1420: configured to enable the identity management system to acquire the user's identity identification key according to the account information and to verify the identity credential by using that identity identification key;
the identity determination module 1430: configured to enable the identity management system, after the verification is passed, to look up the corresponding user characteristics according to the account information and to determine, according to the user characteristics, the real identity information of the user corresponding to the account information.
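The request layering of S801 and S901 to S902 and the identity confirmation performed by modules 1410 to 1430 can be modelled as follows; this is an added example, not code from the specification. Assumptions: HMAC-SHA256 tags stand in for the credentials the text describes as "encrypted" with each key, the service key is modelled as a secret shared with the account management system rather than a key pair with a certificate, and every class, function and field name is hypothetical.

```python
import copy
import hashlib
import hmac
import json
import secrets

FEATURES = "biometric-template-constructed"  # constructed sample value


def tag(key: bytes, payload: dict) -> str:
    """Keyed tag over canonical JSON; assumed stand-in for an 'encrypted' credential."""
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class IdentityManagementSystem:
    """Stores, per account, the identity key, online transaction key and user features."""

    def __init__(self):
        self._accounts = {}

    def open_account(self, account: str, user_features: str) -> dict:
        keys = {"identity_key": secrets.token_bytes(32),
                "tx_key": secrets.token_bytes(32)}
        self._accounts[account] = {**keys, "features": user_features}
        # The text delivers these keys encrypted, relayed by the account
        # management system; that transport step is omitted in this model.
        return keys

    def verify_transaction(self, request: dict) -> bool:
        """S902: check the transaction credential with the payer's online transaction key."""
        rec = self._accounts.get(request["info"]["payer"])
        return rec is not None and hmac.compare_digest(
            tag(rec["tx_key"], request["info"]), request["tx_credential"])

    def confirm_identity(self, request: dict):
        """Modules 1410-1430: extract, verify the identity credential, then look up features."""
        rec = self._accounts.get(request["info"]["payer"])
        if rec is None:
            return None
        expected = tag(rec["identity_key"], request["info"])
        if not hmac.compare_digest(expected, request["id_credential"]):
            return None  # a failed check never reaches the feature lookup
        return rec["features"]


class AccountManagementSystem:
    """Holds only service keys: it can check the outer layer, not the credentials."""

    def __init__(self):
        self._service_keys = {}

    def register(self, account: str, service_key: bytes) -> None:
        self._service_keys[account] = service_key

    def check_and_forward(self, envelope: dict):
        key = self._service_keys.get(envelope["account"])
        if key is None or not hmac.compare_digest(
                tag(key, envelope["request"]), envelope["service_tag"]):
            return None
        return envelope["request"]  # forwarded to the identity management system


class Client:
    def __init__(self, account, features, ams, ims):
        self.account = account
        self.service_key = secrets.token_bytes(32)
        ams.register(account, self.service_key)
        keys = ims.open_account(account, features)
        self.identity_key, self.tx_key = keys["identity_key"], keys["tx_key"]

    def build_envelope(self, payee: str, amount: int) -> dict:
        """S801: bundle info and both credentials, then seal with the service key."""
        info = {"payer": self.account, "payee": payee, "amount": amount,
                "nonce": secrets.token_hex(8)}
        request = {"info": info,
                   "tx_credential": tag(self.tx_key, info),
                   "id_credential": tag(self.identity_key, info)}
        return {"account": self.account, "request": request,
                "service_tag": tag(self.service_key, request)}


def run_demo() -> dict:
    ims, ams = IdentityManagementSystem(), AccountManagementSystem()
    payer = Client("acct-7f3a", FEATURES, ams, ims)  # constructed account names
    envelope = payer.build_envelope(payee="acct-21c9", amount=25)
    request = ams.check_and_forward(envelope)

    altered = copy.deepcopy(envelope)
    altered["request"]["info"]["amount"] = 2500  # changed after sealing
    forged = copy.deepcopy(request)
    forged["id_credential"] = "0" * 64           # not made with the identity key

    return {
        "ams_forwards": request is not None,
        "features_on_wire": FEATURES in json.dumps(envelope),
        "ims_accepts_tx": ims.verify_transaction(request),
        "identity": ims.confirm_identity(request),
        "ams_rejects_altered": ams.check_and_forward(altered) is None,
        "forged_identity": ims.confirm_identity(forged),
    }


if __name__ == "__main__":
    print(run_demo())
```

In this model the transaction envelope carries only the account and the two credentials, so the mapping from account to user characteristics exists only inside the identity management system.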
The present specification further provides an electronic device, which at least includes a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor executes the program to implement the aforementioned account initialization method executed on a client, and the method is applied to an account opening phase of a transaction account, and the method at least includes:
generating a service key and an initialization request, wherein the initialization request at least comprises an account name, a client identification and user characteristics, sending the service key to an account management system to obtain a service encryption certificate issued by the account management system according to the service key, and sending the initialization request to an identity management system through the account management system;
receiving an identity identification key sent by an identity management system through an account management system, wherein the identity identification key is generated by the identity management system and is encrypted by the identity management system according to a client identifier, and the encrypted identity identification key can only be decrypted by the client;
and decrypting to obtain an identity identification key, wherein the identity identification key is used for identity encryption during transaction, and the service key is used for service encryption during transaction so as to realize the separation of identity confidentiality and transaction confidentiality during transaction.
An embodiment of the present specification further provides an electronic device, which at least includes a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor executes the program to implement the aforementioned account initialization method executed in the identity management system, and the method is applied to an account opening phase of a transaction account, and the method at least includes:
receiving an initialization request sent by a client through an account management system, wherein the initialization request at least comprises an account of the transaction account, a client identification and user characteristics;
generating an identity identification key of the account, and storing the account, the corresponding identity identification key and user characteristics, wherein the identity management system has the authority to use the user characteristics to obtain the corresponding real identity of the user;
and sending the identity recognition key encrypted according to the client identification to the client through the account management system, wherein the encrypted identity recognition key can only be decrypted by the client, the identity recognition key is used for identity encryption during transaction, and the service key is used for service encryption during transaction so as to realize the separation of identity confidentiality and transaction confidentiality during the transaction.
An embodiment of the present specification further provides an electronic device, which at least includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor executes the program to implement the aforementioned online transaction method executed at a payment end, an account of the payment end in the online transaction belongs to a first account management system, an account of a collection end belongs to a second account management system, the payment end account prestores, in an account opening phase, an online transaction key, an identity identification key, and a service key provided by the first account management system, the identity management system prestores, in the account opening phase, user feature information corresponding to the payment end account, and the method at least includes:
integrating transaction information, a transaction certificate encrypted by using an online transaction key and an identity certificate encrypted by using an identity recognition key into a transaction request, and encrypting the transaction request by using a service key and then sending the transaction request to a first account management system so that the transaction request is decrypted and checked by the first account management system and then forwarded to the identity management system;
and receiving a transaction result notice sent by the identity management system after the corresponding currency right is transferred from the payment end to the collection end and the local account book is changed.
An embodiment of the present specification further provides an electronic device, which at least includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor executes the program to implement the aforementioned online transaction method executed in the identity management system, an account of a payment end in the online transaction belongs to a first account management system, an account of a collection end belongs to a second account management system, the account of the payment end prestores, in an account opening phase, an online transaction key, an identity identification key, and a service key, the identity management system prestores, in the account opening phase, user feature information corresponding to the account of the payment end, and the method at least includes:
receiving a transaction request sent by a payment terminal after being checked by a first account management system, wherein the transaction request is formed by integrating a transaction certificate encrypted by using an online transaction key and an identity certificate encrypted by using an identity identification key according to transaction information by the payment terminal;
verifying the transaction certificate by using the payment terminal online transaction key, and notifying a second account management system after the verification is passed;
and receiving the checking result of the second account management system, transferring the corresponding currency right from the payment end to the collection end, and changing the local account book.
Embodiments of the present specification further provide an electronic device, which at least includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the foregoing identity confirmation method when executing the program, and the method at least includes:
the identity management system extracts account information and identity certificates in the target transaction;
enabling the identity management system to acquire a user identity identification key according to the account information and verifying the identity certificate by using the user identity identification key;
after the verification is passed, the identity management system searches the corresponding user characteristics according to the account information and determines the real identity information of the user corresponding to the account information according to the user characteristics.
Fig. 15 is a more specific hardware structure diagram of a computing device provided in an embodiment of the present specification, where the device may include: a processor 1510, a memory 1520, an input/output interface 1530, a communication interface 1540, and a bus 1550. Wherein the processor 1510, the memory 1520, the input/output interface 1530, and the communication interface 1540 are communicatively coupled to each other within the device via a bus 1550.
The processor 1510 may be implemented by a general-purpose CPU (Central Processing Unit), a microprocessor, an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits, and is configured to execute related programs to implement the technical solutions provided in the embodiments of the present specification.
The Memory 1520 may be implemented in the form of a ROM (Read Only Memory), a RAM (Random Access Memory), a static storage device, a dynamic storage device, or the like. The memory 1520 may store an operating system and other application programs, and when the technical solution provided by the embodiments of the present specification is implemented by software or firmware, the relevant program codes are stored in the memory 1520 and called by the processor 1510 for execution.
The input/output interface 1530 is used for connecting an input/output module to input and output information. The input/output module may be configured as a component in the device (not shown) or may be external to the device to provide a corresponding function. The input devices may include a keyboard, a mouse, a touch screen, a microphone, various sensors, etc., and the output devices may include a display, a speaker, a vibrator, an indicator light, etc.
The communication interface 1540 is used for connecting a communication module (not shown in the figure) to implement the communication interaction between the present apparatus and other apparatuses. The communication module can realize communication in a wired mode (such as USB, network cable and the like) and also can realize communication in a wireless mode (such as mobile network, WIFI, Bluetooth and the like).
Bus 1550 includes a path that transfers information between various components of the device, such as processor 1510, memory 1520, input/output interface 1530, and communication interface 1540.
It should be noted that although the above-described apparatus only shows the processor 1510, the memory 1520, the input/output interface 1530, the communication interface 1540 and the bus 1550, in a specific implementation, the apparatus may also include other components necessary for normal operation. In addition, those skilled in the art will appreciate that the above-described apparatus may also include only those components necessary to implement the embodiments of the present description, and not necessarily all of the components shown in the figures.
Embodiments of the present specification further provide a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the aforementioned account initialization method, which is applied to an account opening stage of a transaction account, where the method at least includes:
generating a service key and an initialization request, wherein the initialization request at least comprises an account name, a client identification and user characteristics, sending the service key to an account management system to obtain a service encryption certificate issued by the account management system according to the service key, and sending the initialization request to an identity management system through the account management system;
receiving an identity identification key sent by an identity management system through an account management system, wherein the identity identification key is generated by the identity management system and is encrypted by the identity management system according to a client identifier, and the encrypted identity identification key can only be decrypted by the client;
and decrypting to obtain an identity identification key, wherein the identity identification key is used for identity encryption during transaction, and the service key is used for service encryption during transaction so as to realize the separation of identity confidentiality and transaction confidentiality during transaction.
Embodiments of the present specification further provide a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the aforementioned account initialization method executed in an identity management system, and the method is applied to an account opening phase of a transaction account, where the method at least includes:
receiving an initialization request sent by a client through an account management system, wherein the initialization request at least comprises an account of the transaction account, a client identification and user characteristics;
generating an identity identification key of the account, and storing the account, the corresponding identity identification key and user characteristics, wherein the identity management system has the authority to use the user characteristics to obtain the corresponding real identity of the user;
and sending the identity recognition key encrypted according to the client identification to the client through the account management system, wherein the encrypted identity recognition key can only be decrypted by the client, the identity recognition key is used for identity encryption during transaction, and the service key is used for service encryption during transaction so as to realize the separation of identity confidentiality and transaction confidentiality during the transaction.
An embodiment of the present specification further provides a computer-readable storage medium, where a computer program is stored thereon, and when the computer program is executed by a processor, the method for performing online transaction performed at a payment end is implemented, where an account at the payment end in the online transaction belongs to a first account management system, an account at the collection end belongs to a second account management system, the account at the payment end prestores, in an account opening phase, an online transaction key, an identity identification key, and a service key, which are provided by an identity management system, and the identity management system prestores, in the account opening phase, user feature information corresponding to the account at the payment end, where the method at least includes:
integrating transaction information, a transaction certificate encrypted by using an online transaction key and an identity certificate encrypted by using an identity recognition key into a transaction request, and encrypting the transaction request by using a service key and then sending the transaction request to a first account management system so that the transaction request is decrypted and checked by the first account management system and then forwarded to the identity management system;
and receiving a transaction result notice sent by the identity management system after the corresponding currency right is transferred from the payment end to the collection end and the local account book is changed.
An embodiment of the present specification further provides a computer-readable storage medium, where a computer program is stored thereon, and when the computer program is executed by a processor, the aforementioned online transaction method executed in an identity management system is implemented, where a payment-side account in the online transaction belongs to a first account management system, a collection-side account belongs to a second account management system, the payment-side account prestores, in an account opening stage, an online transaction key, an identity identification key, and a service key provided by the first account management system, the identity management system prestores, in the account opening stage, user feature information corresponding to the payment-side account, and the method at least includes:
receiving a transaction request sent by a payment terminal after being checked by a first account management system, wherein the transaction request is formed by integrating a transaction certificate encrypted by using an online transaction key and an identity certificate encrypted by using an identity identification key according to transaction information by the payment terminal;
verifying the transaction certificate by using the payment terminal online transaction key, and notifying a second account management system after the verification is passed;
and receiving the checking result of the second account management system, transferring the corresponding currency right from the payment end to the collection end, and changing the local account book.
Embodiments of the present specification further provide a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the method for identity verification as described above is implemented, where the method at least includes:
the identity management system extracts account information and identity certificates in the target transaction;
enabling the identity management system to acquire a user identity identification key according to the account information and verifying the identity certificate by using the user identity identification key;
after the verification is passed, the identity management system searches the corresponding user characteristics according to the account information and determines the real identity information of the user corresponding to the account information according to the user characteristics.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, computer readable media do not include transitory computer readable media such as modulated data signals and carrier waves.
An embodiment of the present specification further provides an account initialization system, which is applied to an account opening stage of a transaction account, and the system includes:
a client and an identity management system;
the client is used for generating a business key and an initialization request, wherein the initialization request at least comprises an account of the transaction account, a client identifier and user characteristics, the business key is sent to an account management system to obtain a business encryption certificate issued by the account management system according to the business key, and the initialization request is sent to an identity management system through the account management system;
the identity management system is used for generating an identity identification key of the account and storing the account, the corresponding identity identification key and the user characteristics, wherein the identity management system has the authority to use the user characteristics to obtain the corresponding real identity of the user;
the identity management system is used for sending an identity identification key encrypted according to a client identifier to a client through the account management system, and the encrypted identity identification key can only be decrypted by the client;
the client is used for decrypting to obtain an identity recognition key, the identity recognition key is used for identity encryption during transaction, and the business key is used for business encryption during transaction so as to realize the separation of identity confidentiality and transaction confidentiality during transaction.
In the account initialization system provided in the embodiment of the present specification, the generating, by the identity management system, an identity key of the account includes:
and the identity management system generates an identity identification key of the account, wherein the identity identification key comprises an identity identification public and private key pair and an identity identification certificate issued according to the identity management system private key and the identity identification public key.
The embodiment of the specification provides an account initialization system, wherein the user characteristics at least comprise the biological characteristics of a client user.
In the account initialization system provided in the embodiments of the present specification, the service key includes a service public key and a service private key, where the service public key is used to decrypt a transaction, and the service private key is used to encrypt a transaction.
In the account initialization system provided in the embodiment of the present specification, the sending the service key to the account management system to obtain a service encryption certificate issued by the account management system according to the service key includes:
sending the public key in the service key to an account management system;
the account management system uses its own certificate to sign the public key, and thereby obtains a service encryption certificate;
and sending the service encryption certificate back to the client.
In the account initialization system provided in an embodiment of the present specification, the sending the initialization request to an identity management system via an account management system includes:
sending the initialization request to an account management system;
and the account management system signs a service encryption certificate for the account according to the service public key and forwards the account information, the client identification and the user characteristics to the identity management system.
In the account initialization system provided in the embodiment of the present specification, the identity management system sends an identity recognition key encrypted according to a client identifier to the client via the account management system, where the encrypted identity recognition key is only decryptable by the client, and the method includes:
the identity management system computes a session key from the client identifier, encrypts the identity identification key by using the session key and then sends the encrypted identity identification key to the client through the account management system, wherein different device identifiers correspond to different session key calculation modes, and the calculation modes are generated by the identity management system and preset in the client device.
In the account initialization system provided in the embodiment of the present specification, the decrypting, by the client, to obtain the identification key includes:
the client computes the session key from the client identifier, and the session key is used for decryption to obtain the identification key.
Embodiments of the present specification provide an account initialization system, where the client identifier includes at least a client manufacturer identifier, a client device identifier, and/or a random number.
An embodiment of the present specification further provides an online transaction system, where a payment-side account in the transaction in the online transaction belongs to a first account management system, a collection-side account belongs to a second account management system, the payment-side account prestores, in an account opening phase, an online transaction key, an identity recognition key, and a service key, the online transaction key, the identity recognition key, and the service key being provided by the first account management system, the identity management system prestores, in the account opening phase, user feature information corresponding to the payment-side account, and the system includes:
the system comprises a payment end, a first account management system, an identity management system and a second account management system;
the payment terminal is used for integrating transaction information, a transaction certificate encrypted by using an online transaction key and an identity certificate encrypted by using an identity identification key into a transaction request, and sending the transaction request to the first account management system after encrypting the transaction request by using a service key;
the first account management system is used for decrypting the transaction request by using a service key corresponding to the account of the payment terminal, checking the transaction state of the payment terminal, and forwarding the data to the identity management system for right confirmation after the check is passed;
the identity management system is used for verifying the transaction certificate by using the payment terminal online transaction key and notifying the second account management system after the verification is passed;
the second account management system is used for checking the transaction state of the collection end and notifying the identity management system after the checking is passed;
and the identity management system is used for transferring the corresponding currency right from the payment end to the collection end and changing the local account book.
In the online transaction system provided in the embodiment of the present specification, after the identity management system transfers the corresponding monetary right from the payment terminal to the collection terminal and changes the local account book, the online transaction system further includes:
and sending the payment result to a bookkeeping registration center so that the bookkeeping registration center synchronously changes its own account book.
In the online transaction system provided in the embodiment of the present specification, after the bookkeeping registration center synchronously changes its own book, the system further includes:
the identity management system signs the transaction result by using the identity identification key of the payment terminal account and submits the account book of the bookkeeping registration center to the blockchain.
In the online transaction system provided in the embodiment of the present specification, after the bookkeeping registration center synchronously changes its own book, the system further includes:
after receiving a successful response of the bookkeeping registration center, the identity management system returns payment result information to the first account management system;
the first account management system sends the payment result information to the payment end and the second account management system;
and the second account management system sends the payment result information to the collection end.
In the online transaction system provided in the embodiment of the present specification, the online transaction key provided by the identity management system is prestored at the account opening stage by the payment terminal, and the specific steps include:
the first account management system sends the initialization request of the payment terminal account to an identity management system;
the identity management system generates an online transaction key for the payment terminal account according to its own transaction root key, and encrypts the online transaction key by using an identity identification key corresponding to the payment terminal account;
and the identity management system sends the encrypted online transaction key to the payment end for storage.
In the online transaction system provided in the embodiment of the present specification, before the identity management system verifies the transaction credential using the online transaction key at the payment terminal, the identity management system further includes:
and the identity management system performs a calculation on its own transaction root key and the payment terminal account so as to obtain the payment terminal online transaction key.
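The derivation described above means the identity management system can verify a transaction credential by recomputing the payer's online transaction key from its root key and the account, without storing a key per account. The following Python is an added example, not code from the specification: the HMAC-SHA256 derivation (one HKDF-Expand block), the modelling of the transaction credential as an HMAC tag, and every name, field and account value are assumptions.

```python
import hashlib
import hmac
import json

def derive_online_transaction_key(root_key: bytes, account: str) -> bytes:
    # Assumed derivation: one HKDF-Expand block (RFC 5869) keyed by the root key,
    # with the account bound into the info string. The page names no algorithm.
    info = b"online-transaction-key|" + account.encode("utf-8")
    return hmac.new(root_key, info + b"\x01", hashlib.sha256).digest()

def canonical(tx: dict) -> bytes:
    # Stable byte encoding so both sides authenticate identical bytes.
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode("utf-8")

def make_credential(online_key: bytes, tx: dict) -> str:
    # Payment end: transaction credential, modelled here as an HMAC tag (assumption).
    return hmac.new(online_key, canonical(tx), hashlib.sha256).hexdigest()

class IdentityManagementSystem:
    def __init__(self, root_key: bytes):
        self._root_key = root_key  # single long-term secret; no per-account key table

    def provision(self, account: str) -> bytes:
        # Account opening: key handed to the payment end. The page wraps it under
        # the account's identity identification key first; wrapping is omitted here.
        return derive_online_transaction_key(self._root_key, account)

    def verify(self, tx: dict, credential: str) -> bool:
        # Transaction time: recompute the key from root key + payer account,
        # then compare tags in constant time.
        key = derive_online_transaction_key(self._root_key, tx["payer_account"])
        return hmac.compare_digest(make_credential(key, tx), credential)

def run_demo() -> dict:
    ims = IdentityManagementSystem(bytes(range(32)))  # constructed root key
    payer_key = ims.provision("ACCT-0001")            # constructed account ids
    other_key = ims.provision("ACCT-0002")
    tx = {"payer_account": "ACCT-0001", "payee_account": "ACCT-9000", "amount": "25.00"}
    cred = make_credential(payer_key, tx)
    return {
        "valid": ims.verify(tx, cred),
        "tampered_amount": ims.verify(dict(tx, amount="2500.00"), cred),
        "wrong_account_key": ims.verify(tx, make_credential(other_key, tx)),
        "keys_differ": payer_key != other_key,
    }

if __name__ == "__main__":
    print(run_demo())
```

Because every account key follows from the root key, disclosure of the root key exposes all online transaction keys, so in this model the root key is the asset to isolate.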
In the online transaction system provided in the embodiment of the present specification, the checking the transaction status of the payer/payee includes:
checking whether the account state of the payment end/the collection end is normal or not;
checking whether the transaction conforms to business rules;
checking the current transaction risk.
In the online transaction system provided in the embodiment of the present specification, the service key provided by the first account management system includes a service public key and a service private key, and the service public key and the service private key are respectively used for encrypting and decrypting the transaction request.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution in the specification. One of ordinary skill in the art can understand and implement it without inventive effort.
From the above description of the embodiments, it is clear to those skilled in the art that the embodiments of the present disclosure can be implemented by software plus necessary general hardware platform. Based on such understanding, the technical solutions of the embodiments of the present specification may be essentially or partially implemented in the form of a software product, which may be stored in a storage medium, such as a ROM/RAM, a magnetic disk, an optical disk, etc., and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments of the present specification.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, laptop computer, cellular telephone, camera phone, smart phone, personal digital assistant, media player, navigation device, email messaging device, game console, tablet computer, wearable device, or a combination of any of these devices.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus embodiment, since it is substantially similar to the method embodiment, it is relatively simple to describe, and reference may be made to some descriptions of the method embodiment for relevant points. The above-described apparatus embodiments are merely illustrative, and the modules described as separate components may or may not be physically separate, and the functions of the modules may be implemented in one or more software and/or hardware when implementing the embodiments of the present disclosure. And part or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
The foregoing is only a specific embodiment of the embodiments of the present disclosure, and it should be noted that, for those skilled in the art, a plurality of modifications and decorations can be made without departing from the principle of the embodiments of the present disclosure, and these modifications and decorations should also be regarded as the protection scope of the embodiments of the present disclosure.
The above description is only a preferred embodiment of the present disclosure, and should not be taken as limiting the present disclosure, and any modifications, equivalents, improvements, etc. made within the spirit and principle of the present disclosure should be included in the scope of the present disclosure.