Specific embodiment
Example embodiments are described in detail here, and the example is illustrated in the accompanying drawings.Following description is related to
When attached drawing, unless otherwise indicated, the same numbers in different drawings indicate the same or similar elements.Following exemplary embodiment
Described in embodiment do not represent all embodiments consistent with this specification.On the contrary, they are only and such as institute
The example of the consistent device and method of some aspects be described in detail in attached claims, this specification.
It is only to be not intended to be limiting this explanation merely for for the purpose of describing particular embodiments in the term that this specification uses
Book.The "an" of used singular, " described " and "the" are also intended to packet in this specification and in the appended claims
Most forms are included, unless the context clearly indicates other meaning.It is also understood that term "and/or" used herein is
Refer to and includes that one or more associated any or all of project listed may combine.
It will be appreciated that though various information may be described using term first, second, third, etc. in this specification, but
These information should not necessarily be limited by these terms.These terms are only used to for same type of information being distinguished from each other out.For example, not taking off
In the case where this specification range, the first information can also be referred to as the second information, and similarly, the second information can also be claimed
For the first information.Depending on context, word as used in this " if " can be construed to " ... when " or
" when ... " or " in response to determination ".
Fig. 1 is a kind of flow diagram of service implementation method shown in one exemplary embodiment of this specification.
Referring to FIG. 1, the service implementation method may comprise steps of:
Step 102, it is requested in response to the face authentication of service application, calls initialized camera acquisition facial image,
To store collected facial image into security context.
Step 104, face authentication is carried out to the facial image in security context, and business is generated based on authentication result
Data.
In the present embodiment, the security context include: TEE (Trust Execution Environment, it is credible to hold
Row environment), SE (Secure Element, safety element) etc., this specification is not particularly limited this.
In the present embodiment, specified end message can be acquired, and terminal risk is carried out in advance according to the end message
Sentence.Result can be prejudged to face authentication result, the end message and risk after obtaining risk anticipation result to sign,
Obtain business datum.
Step 106, the business datum is sent to the service application, by the service application by the business datum
It is sent to server-side.
In the present embodiment, server-side can verify the business datum, and can execute phase according to verification result
The business operation answered.
The collected facial image of camera can be stored into security context by the present embodiment it can be seen from above description,
And facial image can be authenticated in security context, so that it is guaranteed that face authentication is in the safe, credible of terminal side.In addition,
The present embodiment can also will include that the business datum of face authentication result is sent to server-side and verifies, and server-side can be according to testing
It demonstrate,proves result and executes corresponding service operation, so that verifying combines with cloud by face authentication, further ensure that the peace of customer service
Entirely, reliably.
Fig. 2 is a kind of application system architecture diagram of service implementation method shown in one exemplary embodiment of this specification.
Referring to FIG. 2, by taking security context is TEE as an example, the application system frame for the service implementation method that this specification provides
Structure includes terminal 21 and server-side 22.
Terminal 21 can be the smart machines such as mobile phone, tablet computer, PC machine, be generally integrated camera in terminal 21, can
Acquire 2D image.
Terminal 21 may include: service application 211, calling interface module 212 and secure processing module 213.
Wherein, service application 211 is usually the APP (Application, application program) of business service provider exploitation,
Service application 211 can be interacted with server-side 22 to complete the business of user's request, for example, payment transaction, transferred account service etc..
Calling interface module 212 operates in the REE of terminal 21, and (Rich Execution Environment, multimedia are held
Row environment) in, it can be called by service application 211, for example, initialized camera acquisition image of initialization camera, calling etc., institute
Stating initialized camera can store camera acquired image into security context.
Secure processing module 213 operates in the TEE of terminal 21, can authenticate to the facial image in security context,
And business datum can be generated based on authentication result.
The business datum that server-side 22 can upload service application 211 is verified, and is executed accordingly based on verification result
Business operation, for example, complete payment, refusal to pay etc..The physical structure of server-side 22 is usually server or server
Cluster.
In the present embodiment, service application 211 can be sent when user initiates the financial related service such as to pay, transfer accounts
Face authentication is requested to calling interface module 212, to authenticate to user identity.
Calling interface module 212 can call initialized camera acquisition facial image, which can will be collected
Facial image is stored into security context, it is ensured that collected facial image is not intercepted, is not tampered.
The secure processing module 213 operated in TEE can authenticate the facial image in security context, be then based on
Authentication result generates business datum.The process that entire face authentication, business datum generate all is completed in TEE, can effectively be ensured
Credible, the safety of face authentication and business datum.
Business datum can be sent to service application 211 by calling interface module 212 by secure processing module 213.Business
Business datum can be sent to server-side 22 using 211.
Server-side 22 can verify business datum, if being verified, can execute corresponding business operation, such as
Delivery operation is executed, if verifying does not pass through, can be refused to pay, and return to miscue.
The specific implementation of this specification is described in terms of the initialization of camera, the realization of business two separately below
Journey.
One, the initialization of camera
In the present embodiment, calling interface module 212 receive from service application 211 face authentication request when,
It can determine whether camera has initialized to finish.
It is finished if camera has initialized, camera can be called to acquire facial image.
If camera not yet initializes, camera can be initialized.
Fig. 3 is a kind of flow diagram of camera initialization shown in one exemplary embodiment of this specification.
Referring to FIG. 3, the process of camera initialization may comprise steps of:
Step 302, camera driving is loaded by initialization interface.
In the present embodiment, the camera driving can be pre-configured in terminal 21 by manufacturer terminal, can also be subsequent
It is downloaded from cloud, for example, downloaded from respective server by service application 211 etc., this specification is not particularly limited this.
Calling interface module 212 can load the camera driving by initialization interface.
It step 304, is camera storage allocation space, the memory headroom is for storing the camera acquired image.
Step 306, control instruction is configured for the memory headroom, to configure security context for the memory headroom.
In the present embodiment, calling interface module 212 can distribute one piece of memory headroom for camera, which is used for
Store camera acquired image data.
In the present embodiment, calling interface module 212 can also configure control instruction for the memory headroom of aforementioned distribution, with reality
Now to the access control of the memory headroom.For example, the secure processing module 213 in TEE is allowed to access the memory headroom, forbid
Routine access memory headroom etc. in REE.
So far, camera initialization finishes.
Two, the realization of business
Fig. 4 is a kind of flow diagram of service implementation method shown in one exemplary embodiment of this specification.
Referring to FIG. 4, the service implementation method may comprise steps of:
Step 402, calling interface module 212 is requested in response to the face authentication of service application 211, is called initialized
Camera acquires facial image, so that by the storage of collected facial image, into security context, the security context is to phase
Machine carries out in initialization procedure as the memory headroom of camera distribution.
For example, user is when requesting payment based on service application 211, service application 211 will recognize the identity of user
Card, and then face certification request can be sent to calling interface module 212, calling interface module 212 calls initialized phase
The facial image of machine acquisition user.
Step 404, secure processing module 213 pre-processes the facial image in security context.
In the present embodiment, the collected facial image of camera is usually binary stream format, for convenience of subsequent carry out people
Face certification, secure processing module 213 can format the facial image in security context, for example, by binary stream
The facial image of format is converted to jpeg format etc..
Step 406, secure processing module 213 carries out face authentication to pretreated facial image, obtains authentication result.
In the present embodiment, secure processing module 213 can carry out face authentication to the facial image in security context, and can
Secure memory is discharged after obtaining authentication result.
In the present embodiment, secure processing module 213 to facial image carry out certification may include: face character judgement,
The judgement of face living body, face characteristic are extracted, face living body is than equity.
Wherein, face character judgement can be used for determining that the eyes of facial image are opened or are closed, if eyes are closures,
It can then determine that face authentication fails.
The judgement of face living body can take precautions against illegal user's use using models such as infrared imaging, the detections of 3D depth information
Photo, video, mask, headgear etc. are attacked.
Face characteristic extraction can use ASM (Active Shape Model, active shape model) algorithm, AAM
(Active Appearance Model, active list item model) algorithm, SDM (Supervised Descent Method, supervision
Descending method) algorithm etc., this specification is not particularly limited this.
Based on the face characteristic extracted, the comparison of face living body can be by the face of collected facial image and legitimate user
Image is compared, with judge whether collected facial image whether be legitimate user facial image.It is adopted for example, can calculate
The similarity of the facial image and legitimate user's facial image that collect can determine comparison if similarity is more than or equal to threshold value
Pass through, if similarity is less than threshold value, can determine that comparison does not pass through.
In this step, the algorithm that secure processing module 213 can be provided using the relevant technologies realizes above-mentioned face authentication
Process, this is no longer going to repeat them for this specification.
In the present embodiment, the authentication result may include: image comparison result and collected facial image.Its
In, described image comparing result is to compare to pass through or compare not passing through.
It is worth noting that the collected facial image of camera is usually a very short video flowing, it may include multiframe people
Face image, the facial image in the authentication result is usually the frame face figure in the multiframe facial image in this step
Picture.
Step 408, secure processing module 213 is based on the authentication result and generates business datum.
In the present embodiment, after obtaining face authentication result, secure processing module 213 can also acquire specified terminal
Information, the end message may include: device id, equipment ROOT information, device geographical location etc., and this specification does not make this
It is specifically limited.
Secure processing module 213 can prejudge terminal risk according to the end message, for example, secure processing module
213, which can prejudge rule according to preset risk, prejudges terminal risk.Relatively simple, not by the equipment Risk ratio of ROOT
It is high by the equipment Risk of ROOT.
In the present embodiment, the risk anticipation result prejudged to terminal risk can be simple risky or calm
Danger, is also possible to risk class, for example, level-one, second level or three-level etc., this specification is not particularly limited this.
In the present embodiment, secure processing module 213 can using private key for user to above-mentioned authentication result, end message and
Risk anticipation result is signed, and business datum is obtained.
Step 410, the business datum is sent to industry by the calling interface module 212 by secure processing module 213
Business applies 211.
Step 412, the business datum is sent to server-side 22 by service application 211.
Step 414, server-side 22 verifies the business datum, and executes corresponding business behaviour based on verification result
Make.
In the present embodiment, server-side 22, can be using client public key to the industry after receiving the business datum
Business data are verified.
Still by taking payment transaction as an example, if authentication failed, it is rejected by payment, and return to miscue to service application 211.
If being proved to be successful, face authentication result and terminal risk anticipation result can be further extracted.
If face authentication does not pass through the result is that comparing, it is also rejected by payment, and return to mistake to service application 211 and mention
Show.
If face authentication passes through the result is that comparing, and the anticipation of terminal risk is the result is that devoid of risk, then can execute payment behaviour
Make.
If face authentication passes through the result is that comparing, but the anticipation of terminal risk is the result is that risky, then can be according to scheduled
Risk policy confirms follow-up business operation, for example, the payment amount of limitation user, request user using the modes such as password again into
Row authentication etc., this specification is not particularly limited this.
The verifying of above-mentioned business datum and the execution of business operation can be by the authentication modules (not shown) in server-side 22
It executes.
Optionally, in the present embodiment, server-side 22 can also by business datum facial image and authentication result close
UNPROFOR is deposited, and subsequent operation, this specification such as the identification of risk subscribers of being carried out based on these information of preservation does not make spy to this
Different limitation.
The collected facial image of camera can be stored into security context by this specification it can be seen from above description,
And facial image can be authenticated in the security context of terminal, so that it is guaranteed that face authentication is in the safe, credible of terminal side.
In addition, this specification terminal can also will include that the business datum of face authentication result is sent to server-side and verifies, service
End can execute corresponding service operation according to verification result, so that verifying combines with cloud by face authentication, further ensure that use
Family business it is safe and reliable.
Optionally, on the basis of framework shown in Fig. 2, referring to FIG. 5, secure processing module 213 may include: safe son
Module 2131, algorithm submodule 2132 and anticipation submodule 2133.
Wherein, safe submodule 2131 can pre-process the facial image in security context.
Algorithm submodule 2132 can carry out face authentication to pretreated facial image, obtain authentication result.
Anticipation submodule 2133 can acquire specified end message, and be carried out in advance according to the end message to terminal risk
Sentence;It signs to the authentication result, the end message and risk anticipation result, obtains business datum.
This specification also provides a kind of camera implementation method, which may include: to pass through initialization interface
Load camera driving;For camera storage allocation space, the memory headroom is for storing the camera acquired image;
Control instruction is configured for the memory headroom, to configure security context for the memory headroom.
Above-mentioned camera implementation method can refer to aforementioned embodiment shown in Fig. 3, and this is no longer going to repeat them for this specification.
In the present embodiment, image is acquired by the camera of initialization, image can be stored into security context, to keep away
Exempt from system plugin, rogue program intercepts image, distorts.
In one example, initialized camera captured identity card, bank card, passport etc. can be used and carry individual subscriber
The picture of information.
For example, needing user to upload identity card front and back sides, using the camera of above-mentioned initialization in some authentication links
It is acquired, the identity card picture taken can be stored into security context, identity card picture can be effectively prevent to be intercepted,
Leakage, it is ensured that user information safety.
In another example, initialized camera acquisition iris, fingerprint etc., which can be used, to be believed with identity user identity
The picture of breath.
For example, iris information is acquired using the camera of above-mentioned initialization in iris recognition scene, it can be by collected rainbow
Film information is stored into security context, and can be identified in security context to iris information, and iris information can be effectively prevent
Intercepted, leakage.
Image Acquisition is carried out using initialized camera in other scenes it is, of course, also possible to apply, such as secret is shone
Piece shooting etc., this specification is not particularly limited this.
Corresponding with the embodiment of aforementioned camera implementation method, this specification additionally provides the implementation of camera realization device
Example.
The embodiment of this specification camera realization device can be using in the electronic device.Installation practice can be by soft
Part is realized, can also be realized by way of hardware or software and hardware combining.Taking software implementation as an example, as a logical meaning
On device, be to be read computer program instructions corresponding in nonvolatile memory by the processor of electronic equipment where it
Get what operation in memory was formed.For hardware view, Fig. 6 is the knot of electronic equipment where this specification camera realization device
Structure schematic diagram, the electronic equipment may include the hardware such as processor, memory, network interface and nonvolatile memory, this
Specification repeats no more this.
Fig. 7 is a kind of block diagram of camera realization device shown in one exemplary embodiment of this specification.
Referring to FIG. 7, the camera realization device 700 can include: driving using in electronic equipment shown in fig. 6
Module 701, memory allocating module 702 and instruction configuration module 703.
Wherein, drive module 701 load camera driving by initialization interface;
Memory allocating module 702, is camera storage allocation space, and the memory headroom is adopted for storing the camera
The image collected;
Configuration module 703 is instructed, control instruction is configured for the memory headroom, so that the memory headroom to be configured to pacify
Full ambient engine.
The function of each unit and the realization process of effect are specifically detailed in the above method and correspond to step in above-mentioned apparatus
Realization process, details are not described herein.
For device embodiment, since it corresponds essentially to embodiment of the method, so related place is referring to method reality
Apply the part explanation of example.The apparatus embodiments described above are merely exemplary, wherein described be used as separation unit
The unit of explanation may or may not be physically separated, and component shown as a unit can be or can also be with
It is not physical unit, it can it is in one place, or may be distributed over multiple network units.It can be according to actual
The purpose for needing to select some or all of the modules therein to realize this specification scheme.Those of ordinary skill in the art are not
In the case where making the creative labor, it can understand and implement.
System, device, module or the unit that above-described embodiment illustrates can specifically realize by computer chip or entity,
Or it is realized by the product with certain function.A kind of typically to realize that equipment is computer, the concrete form of computer can
To be personal computer, laptop computer, cellular phone, camera phone, smart phone, personal digital assistant, media play
In device, navigation equipment, E-mail receiver/send equipment, game console, tablet computer, wearable device or these equipment
The combination of any several equipment.
Corresponding with the embodiment of aforementioned service implementation method, this specification also provides a kind of business realizing device, the dress
Set includes: processor and the memory for storing machine-executable instruction.Wherein, processor and memory are usually by interior
Portion's bus is connected with each other.In other possible implementations, the equipment is also possible that external interface, with can be with other
Equipment or component are communicated.
It in the present embodiment, can by reading and executing the machine corresponding with business realizing logic of the memory storage
It executes instruction, the processor is prompted to:
In response to the face authentication request of service application, initialized camera acquisition facial image is called, to adopt
The facial image collected is stored into security context;
Face authentication is carried out to the facial image in security context, and business datum is generated based on authentication result;
The business datum is sent to the service application, the business datum is sent to clothes by the service application
Business end.
Optionally, face authentication is carried out to the facial image, and generates the process packet of business datum based on authentication result
It includes:
Facial image in the security context is pre-processed;
Face authentication is carried out to pretreated facial image, obtains authentication result;
The specified end message of acquisition, and terminal risk is prejudged according to the end message;
It signs to the authentication result, the end message and risk anticipation result, obtains the business datum.
Optionally, the end message includes: device id, equipment ROOT information, device geographical location.
Optionally, the initialization procedure of camera includes:
Camera driving is loaded by initialization interface;
For camera storage allocation space, the memory headroom is for storing the camera acquired image;
Control instruction is configured for the memory headroom, to configure security context for the memory headroom.
Optionally, server can by reading and executing the machine corresponding with business realizing logic of the memory storage
It executes instruction, the processor is prompted to:
The business datum is verified, and corresponding business operation is executed according to verification result.
Optionally, the security context includes: credible performing environment TEE.
Corresponding with the embodiment of aforementioned camera implementation method, this specification also provides another camera realization device, should
Device includes: processor and the memory for storing machine-executable instruction.Wherein, processor and memory usually by
Internal bus is connected with each other.In other possible implementations, the equipment is also possible that external interface, with can be with it
His equipment or component communicate.
It in the present embodiment, can by reading and executing the machine corresponding with camera realization logic of the memory storage
It executes instruction, the processor is prompted to:
Camera driving is loaded by initialization interface;
For camera storage allocation space, the memory headroom is for storing the camera acquired image;
Control instruction is configured for the memory headroom, to configure security context for the memory headroom.
Corresponding with the embodiment of aforementioned service implementation method, this specification also provides a kind of computer-readable storage medium
Matter is stored with computer program on the computer readable storage medium, which performs the steps of when being executed by processor
In response to the face authentication request of service application, initialized camera acquisition facial image is called, to adopt
The facial image collected is stored into security context;
Face authentication is carried out to the facial image in security context, and business datum is generated based on authentication result;
The business datum is sent to the service application, the business datum is sent to clothes by the service application
Business end.
Optionally, face authentication is carried out to the facial image, and generates the process packet of business datum based on authentication result
It includes:
Facial image in the security context is pre-processed;
Face authentication is carried out to pretreated facial image, obtains authentication result;
The specified end message of acquisition, and terminal risk is prejudged according to the end message;
It signs to the authentication result, the end message and risk anticipation result, obtains the business datum.
Optionally, the end message includes: device id, equipment ROOT information, device geographical location.
Optionally, the initialization procedure of camera includes:
Camera driving is loaded by initialization interface;
For camera storage allocation space, the memory headroom is for storing the camera acquired image;
Control instruction is configured for the memory headroom, to configure security context for the memory headroom.
Optionally, server-side verifies the business datum, and executes corresponding business operation according to verification result.
Optionally, the security context includes: credible performing environment TEE.
Corresponding with the embodiment of aforementioned camera implementation method, this specification also provides a kind of computer-readable storage medium
Matter is stored with computer program on the computer readable storage medium, which performs the steps of when being executed by processor
Camera driving is loaded by initialization interface;
For camera storage allocation space, the memory headroom is for storing the camera acquired image;
Control instruction is configured for the memory headroom, to configure security context for the memory headroom.
It is above-mentioned that this specification specific embodiment is described.Other embodiments are in the scope of the appended claims
It is interior.In some cases, the movement recorded in detail in the claims or step can be come according to the sequence being different from embodiment
It executes and desired result still may be implemented.In addition, process depicted in the drawing not necessarily require show it is specific suitable
Sequence or consecutive order are just able to achieve desired result.In some embodiments, multitasking and parallel processing be also can
With or may be advantageous.
The foregoing is merely the preferred embodiments of this specification, all in this explanation not to limit this specification
Within the spirit and principle of book, any modification, equivalent substitution, improvement and etc. done should be included in the model of this specification protection
Within enclosing.