CN109714169A - It is a kind of based on the credible distribution platform of data strictly authorized and its circulation method - Google Patents

Abstract

The present invention discloses a kind of based on the credible distribution platform of data strictly authorized and its circulation method.Platform is made of operating side management system, client management system, mobile terminal SDK, data routing system, data storage layer, Third Party Authentication with card six parts of platform are deposited.The participant of data circulation model includes data requirements main body, data ownership main body, data provider, data are credible distribution platform, Third Party Authentication and deposits card platform.Data circulation is a kind of new things being born under internet economy background, new industry situation, belongs to emerging field and therefore forms a standardized circulation systems not yet, lacks common recognition in each link that circulates between the main body that circulates.The present invention can help enterprise or orderly data circulation stream journey is improved in personal implementation, and unified circulation rule eliminates data among enterprises imbalance between supply and demand.

Description

It is a kind of based on the credible distribution platform of data strictly authorized and its circulation method

Technical field

The invention belongs to the data fields of circulation, are related to data circulation model, data grant technology technology, specifically a kind of base In the credible distribution platform of data and its circulation method that strictly authorize.

Background technique

Data generate, data circulate and data application is the complete industrial chain in big data ecology, and data intermediate links Even more get through the key node of this industrial chain.Even pointed out in policy " to guide and cultivate big data trade market, carry out towards The data trade market pilot of application is explored and carries out the transaction of big data derived product, encourages the main market players of each link of industrial chain Data exchange and transaction are carried out, data resource circulation is promoted, establishes and improve data resource mechanism of exchange and pricing mechanism, specification is handed over It is easy for etc. a series of thinkings and behave for perfecting market development mechanism ", this, which is undoubtedly, from policy level has affirmed data flow Lead to the important value in society and market economy.

But undeniably the current data field of circulation is there is " shared " area of grey, does not focus on secret protection, no The problems such as respect attribution data power, the data flowthrough mechanism not standardized, all causes threat to data safety, or even touches Legal deadline.Therefore a set of perfect data circulation model is needed, realizes that data grant, data add in multistage circulation scene Close, data traceability is so that the entire data flow passage of specification is.To solve the above-mentioned problems, a solution is now provided.

Summary of the invention

The purpose of the present invention is to provide a kind of based on the credible distribution platform of data strictly authorized.

The purpose of the present invention can be achieved through the following technical solutions:

It is a kind of sub based on the credible distribution platform of data strictly authorized, including operating side management subsystem, client-side management System, mobile terminal SDK, data routing subsystem, data storage layer, third party service layer；

Wherein, the operation management subsystem is for assert the qualification for moving in data requirements main body, it is ensured that is selected for a post by audit It is all regular legal for choosing the data requirements main body that platform is moved in, and creates a client-side management system for data requirements main body The login account of system；

The operation management subsystem is also used to audit the application that data requirements main body is linked into platform, specifies enterprise's needs The content of the data of circulation closes rule detection for data；It is signed with data requirements main body and applies access protocol, using access protocol It is signed using digital signature technology, and carries out trustship preservation in third party Cun Zheng service organization；For answering for each access With a unique APP_ID is generated, the unique identification in platform is applied as this；

Wherein, the data requirements main body that logs in of the client-side management subsystem must be by qualification certification, demand Main body creates the data application information of oneself on platform and is submitted to the audit of operation management subsystem；

Wherein, the data application information must include data flow incoming interface, and the data flow incoming interface is for receiving number It, after the approval can be for using binding data provider according to the data that provider sends；To audit the application choosing passed through Affiliate is selected as data provider, client management system is that each data provider generation one is unique secret Key S_KEY makees the voucher that data provider participates in data circulation；Data requirements main body needs to provide APP_ID and S_KEY Data provider is given, to be embedded in mobile terminal SDK in the application system of oneself；

The mobile terminal SDK includes the SDK of android operating system and the SDK of IOS operating system, provide the testimony of a witness veritify, EID is veritified, authorized agreement is signed and authorization historical query function.

All data for being related to unique individual's equity must be authorized from attribution data people and could be provided to data requirements main body, Steps are as follows in SDK completion Authorized operation by attribution data people:

Step 1: ownership person part is veritified；Two kinds of veritification modes are provided；

S1: the first is that the testimony of a witness veritifies mode, mainly extracts human face photo using face living body technology and uploads identity card Photo confirms ownership person part by OCR and face alignment technology；

S2: second is eID carrier patch mode card, uses the NFC technique of mobile device, dedicated EID chip reader The eID coding in carrier is read, the eID network identity operating agency IDSO for uploading the Third Research Institute of Ministry of Public Security's certification carries out identity Confirmation；

Step 2: authorized agreement signature；Authorized agreement is first presented to ownership people in mobile terminal for PDF format and checks, if Agree to authorization, is signed electronically using the digital certificate that the CA mechanism with national authentication qualification issues, it will be by signature Certificate is uploaded to the third party Cun Zheng mechanism with related qualification and carries out trustship；

Step 3: data signature and data encryption；The data to be circulated are digitally signed using S_KEY, using dynamic Data after state secret key pair signature carry out symmetric cryptography, data signature in order to prevent data in transmission process by usurping Change, make with non repudiation, data encryption be in order to prevent data in transmission process by stealing, guarantee data security Safety；

Wherein, the data routing subsystem is for being connected to mobile terminal SDK, operating side management subsystem, client-side management Subsystem, data storage layer, third party service layer and data flow into interface；

The data that SDK is uploaded are decrypted using dynamic code key to be formed in plain text for the data routing subsystem, then make S_KEY is used to be digitally signed sign test in plain text as secret key pair, it is ensured that data are not distorted；

The data routing subsystem is checked engine using data conjunction rule to conjunction rule detection is carried out in plain text, and the data route Subsystem be used to check sensitive content situation in data and with consistent situation, sensitive content is containing harmful national security and society Content that can be stable, consistent situation are that data and the statement of party in request's data requirements are consistent；When in data exist comprising sensitive content, When middle any case inconsistent with demand, then the data flow incoming interface of data requirements side is not pushed to；

Wherein, the log recording engine of the data routing subsystem all records each sub-authorization and transmission, protects It deposits to data storage layer, accomplishes to have good grounds, dates back；

The data storage layer includes relevant database and non-relational database；The relevant database is supported For ACID db transaction to guarantee the data correctness in circulation services, the non-relational database does not need predefined number According to mode, predefined table structure is stored on each local server after being divided data using no share framework, has elasticity Expansible characteristic is very suitable to the demand of magnanimity and the storage of random daily record data；

The third party service layer is Third Party Authentication and deposits card platform, and the third party service layer has state for docking The CA mechanism of family's certification qualification, the eID network identity operating agency of the Third Research Institute of Ministry of Public Security's certification, the with related qualification Tripartite Cun Zheng mechanism；The identity veritification and electronic signature supporting of authority are provided for platform.

Further, the operating side management subsystem is that the operating side of the trust data system for the distribution of commodities manages platform；

The operating side management subsystem include Basic Information Management, enterprise qualification audit, enterprise information management, using note Volume audit, application message inquiry, charging regulation management, disbursement and sattlement management, au-thorization log analysis, transmission log analysis and enterprise State of affairs analysis.

Further, the client-side management subsystem is trust data system for the distribution of commodities client-side management platform, the visitor Family end management subsystem include Basic Information Management, Enterprise Application Management, partner management, expenses management, using grant date Log query is transmitted in will inquiry, data, and affiliate authorizes number statistics, affiliate to transmit log statistic.

Further, the data routing subsystem includes that data pull interface, data-pushing interface, data query connect Mouth, authorized agreement query interface, authorized agreement signature interface, data close rule detecting and alarm and log recording engine.

Further, the third party service layer include the testimony of a witness veritify interface, identity card OCR interface, eID generate interface, EID veritifies interface, PDF digital signature interface, deposits card interface, recognition of face interface, face alignment interface and face retrieval interface.

It is a kind of based on the credible circulation method of data strictly authorized, this method includes the following steps:

Step 1: identity validation is carried out to data ownership main body, the mode of identity validation is using testimony of a witness matching confirmation and EID It is any in confirmation；

Step 2: identity veritification is carried out to data ownership main body using data distribution platform, identity, which is veritified, uses the testimony of a witness With any in verifying and eID verifying；

Step 3: data ownership main body signs authorized agreement, and data distribution platform carries out authorization association using authoritative CA certificate View is digitally signed, and the authorized agreement deposit third party after signature is deposited card platform and deposits card；

Step 4: mobile terminal SDK is encrypted and is signed to data, by data-pushing to data distribution platform；

Step 5: data are decrypted data distribution platform and sign test, using data close rule check engine to plaintext into Row closes rule detection, and conjunction rule detect the data flow incoming interface by the way that ciphertext to be pushed to data requirements main body.

Beneficial effects of the present invention:

1, the present invention can help enterprise or orderly data circulation stream journey is improved in personal implementation, and unified circulation rule disappears Except data among enterprises imbalance between supply and demand.Data circulation is a kind of new things being born under internet economy background, new industry situation, is belonged to new Therefore emerging field forms a standardized circulation systems not yet, lack common recognition in each link that circulates between the main body that circulates, The present invention closes rule by data requirements statement, data-interface specification, data grant system, data signature and encryption system, data The standard process and technological means of some column such as detection architecture ensure data safety, legal, conjunction rule circulation.Enterprise passes through client Management system facilitates the data provider of management oneself, real-time monitors data current intelligence, to eliminate imbalance between supply and demand.It is logical It crosses data routing system and mobile terminal SDK easily gets through the data channel of both sides of supply and demand, eliminate data silo.

2, it realizes that data circulation safety closes rule, protects individual privacy.There are two the data fields of circulation, and problem is more concerned, First is that attribution data weighs problem, second is that Privacy Protection.It is all can Direct Recognition to the identity data of unique individual, such as citizen Identification number, social security number, driver's license, telephone number etc., can Direct Recognition to unique individual sensitive data, as marital status, Date of birth, health status etc. belong to and are related to the private data of unique individual's equity, and the right of attribution of this kind of data is individual, Belong to unlawful practice if enterprise circulates privately, it is necessary to could circulate and use via data ownership people authorization.This hair Bright to be veritified by the testimony of a witness, eID identity veritify to determine ownership person part, by authorized agreement digital signature, the third-party institution is deposited Card guarantees the legitimacy of Data Data authorization.Ensure data not using data signature, the encryption of dynamic code key in the data transmission It is leaked, steals, distorts, replicates, protect individual privacy.

Detailed description of the invention

In order to facilitate the understanding of those skilled in the art, the present invention will be further described below with reference to the drawings.

Fig. 1 is plateform system architecture diagram of the present invention；

Fig. 2 is platform network topological diagram of the present invention；

Fig. 3 is that requirement of main body of the present invention moves in auditing flow figure；

Fig. 4 is that flow chart is issued in present invention application；

Fig. 5 is the flow chart of data circulation method of the present invention.

Specific embodiment

As shown in Figs 1-4, a kind of based on the credible distribution platform of data strictly authorized, including operating side management subsystem, Client-side management subsystem, mobile terminal SDK, data routing subsystem, data storage layer, third party service layer；

Wherein, the operation management subsystem is for assert the qualification for moving in data requirements main body, it is ensured that is selected for a post by audit It is all regular legal for choosing the data requirements main body that platform is moved in, and creates a client-side management system for data requirements main body The login account of system；

The operation management subsystem is also used to audit the application that data requirements main body is linked into platform, specifies enterprise's needs The content of the data of circulation closes rule detection for data；It is signed with data requirements main body and applies access protocol, using access protocol It is signed using digital signature technology, and carries out trustship preservation in third party Cun Zheng service organization；For answering for each access With a unique APP_ID is generated, the unique identification in platform is applied as this；

Wherein, the data requirements main body that logs in of the client-side management subsystem must be by qualification certification, demand Main body creates the data application information of oneself on platform and is submitted to the audit of operation management subsystem；

Wherein, the data application information must include data flow incoming interface, and the data flow incoming interface is for receiving number It, after the approval can be for using binding data provider according to the data that provider sends；To audit the application choosing passed through Affiliate is selected as data provider, client management system is that each data provider generation one is unique secret Key S_KEY makees the voucher that data provider participates in data circulation；Data requirements main body needs to provide APP_ID and S_KEY Data provider is given, to be embedded in mobile terminal SDK in the application system of oneself；

The mobile terminal SDK includes the SDK of android operating system and the SDK of IOS operating system, provide the testimony of a witness veritify, EID is veritified, authorized agreement is signed and authorization historical query function.

All data for being related to unique individual's equity must be authorized from attribution data people and could be provided to data requirements main body, Steps are as follows in SDK completion Authorized operation by attribution data people:

Step 1: ownership person part is veritified；Two kinds of veritification modes are provided；

S1: the first is that the testimony of a witness veritifies mode, mainly extracts human face photo using face living body technology and uploads identity card Photo confirms ownership person part by OCR and face alignment technology；

S2: second is eID carrier patch mode card, uses the NFC technique of mobile device, dedicated eID chip reader The eID coding in carrier is read, the eID network identity operating agency IDSO for uploading the Third Research Institute of Ministry of Public Security's certification carries out identity Confirmation；

Step 2: authorized agreement signature；Authorized agreement is first presented to ownership people in mobile terminal for PDF format and checks, if Agree to authorization, is signed electronically using the digital certificate that the CA mechanism with national authentication qualification issues, it will be by signature Certificate is uploaded to the third party Cun Zheng mechanism with related qualification and carries out trustship；

Step 3: data signature and data encryption；The data to be circulated are digitally signed using S_KEY, using dynamic Data after state secret key pair signature carry out symmetric cryptography, data signature in order to prevent data in transmission process by usurping Change, make with non repudiation, data encryption be in order to prevent data in transmission process by stealing, guarantee data security Safety；

Wherein, the data routing subsystem is for being connected to mobile terminal SDK, operating side management subsystem, client-side management Subsystem, data storage layer, third party service layer and data flow into interface；

The data that SDK is uploaded are decrypted using dynamic code key to be formed in plain text for the data routing subsystem, then make S_KEY is used to be digitally signed sign test in plain text as secret key pair, it is ensured that data are not distorted；

The data routing subsystem is checked engine using data conjunction rule to conjunction rule detection is carried out in plain text, and the data route Subsystem be used to check sensitive content situation in data and with consistent situation, sensitive content is containing harmful national security and society Content that can be stable, consistent situation are that data and the statement of party in request's data requirements are consistent；When in data exist comprising sensitive content, When middle any case inconsistent with demand, then the data flow incoming interface of data requirements side is not pushed to；

Wherein, the log recording engine of the data routing subsystem all records each sub-authorization and transmission, protects It deposits to data storage layer, accomplishes to have good grounds, dates back；

The data storage layer includes relevant database and non-relational database；The relevant database is supported For ACID db transaction to guarantee the data correctness in circulation services, the non-relational database does not need predefined number According to mode, predefined table structure is stored on each local server after being divided data using no share framework, has elasticity Expansible characteristic is very suitable to the demand of magnanimity and the storage of random daily record data；

The third party service layer is Third Party Authentication and deposits card platform, and the third party service layer has state for docking The CA mechanism of family's certification qualification, the eID network identity operating agency of the Third Research Institute of Ministry of Public Security's certification, the with related qualification Tripartite Cun Zheng mechanism；The identity veritification and electronic signature supporting of authority are provided for platform.

Further, the operating side management subsystem is that the operating side of the trust data system for the distribution of commodities manages platform；

The operating side management subsystem include Basic Information Management, enterprise qualification audit, enterprise information management, using note Volume audit, application message inquiry, charging regulation management, disbursement and sattlement management, au-thorization log analysis, transmission log analysis and enterprise State of affairs analysis.

Further, the client-side management subsystem is trust data system for the distribution of commodities client-side management platform, the visitor Family end management subsystem include Basic Information Management, Enterprise Application Management, partner management, expenses management, using grant date Log query is transmitted in will inquiry, data, and affiliate authorizes number statistics, affiliate to transmit log statistic.

Further, the data routing subsystem includes that data pull interface, data-pushing interface, data query connect Mouth, authorized agreement query interface, authorized agreement signature interface, data close rule detecting and alarm and log recording engine.

Further, the third party service layer include the testimony of a witness veritify interface, identity card OCR interface, eID coding generate connect Mouth, eID veritify interface, PDF digital signature interface, deposit card interface, and recognition of face interface, face alignment interface and face retrieval connect Mouthful.

As shown in figure 5, a kind of based on the credible circulation method of data strictly authorized, this method includes the following steps:

Step 1: identity validation is carried out to data ownership main body, the mode of identity validation is using testimony of a witness matching confirmation and eID It is any in confirmation；

Step 2: identity veritification is carried out to data ownership main body using data distribution platform, identity, which is veritified, uses the testimony of a witness With any in verifying and eID verifying；

Step 3: data ownership main body signs authorized agreement, and data distribution platform carries out authorization association using authoritative CA certificate View is digitally signed, and the authorized agreement deposit third party after signature is deposited card platform and deposits card；

Step 4: mobile terminal SDK is encrypted and is signed to data, by data-pushing to data distribution platform；

Step 5: data are decrypted data distribution platform and sign test, using data close rule check engine to plaintext into Row closes rule detection, and conjunction rule detect the data flow incoming interface by the way that ciphertext to be pushed to data requirements main body.

The present invention can help enterprise or orderly data circulation stream journey is improved in personal implementation, and unified circulation rule is eliminated Data among enterprises imbalance between supply and demand.Data circulation is a kind of new things being born under internet economy background, new industry situation, is belonged to emerging Field therefore form a standardized circulation systems not yet, lack common recognition in each link of circulating between the main body that circulates, this Invention closes rule inspection by data requirements statement, data-interface specification, data grant system, data signature and encryption system, data The standard process and technological means of some column such as survey system ensure data safety, legal, conjunction rule circulation.Enterprise passes through client's end pipe Reason system facilitates the data provider of management oneself, real-time monitors data current intelligence, to eliminate imbalance between supply and demand.Pass through Data routing system and mobile terminal SDK easily get through the data channel of both sides of supply and demand, eliminate data silo.

It realizes that data circulation safety closes rule, protects individual privacy.There are two the data fields of circulation, and problem is more concerned, and one It is the full problem of attribution data, second is that Privacy Protection.It is all can Direct Recognition to unique individual identity data, such as citizen's body Part number, social security number, driver's license, telephone number etc., can Direct Recognition arrive the sensitive data of unique individual, such as marital status, out Phase birthday, health status etc. belong to and are related to the private data of unique individual's equity, and the right of attribution of this kind of data is individual, such as Fruit enterprise circulates privately, belongs to unlawful practice, it is necessary to could circulate and use via data ownership people authorization.The present invention It veritified by the testimony of a witness, EID identity veritify to determine ownership person part, by authorized agreement digital signature, the third-party institution deposits card Guarantee the legitimacy of Data Data authorization.In the data transmission using data signature, dynamic code key encryption come ensure data not by It reveals, steal, distort, replicate, protect individual privacy.

Above content is only to structure of the invention example and explanation, affiliated those skilled in the art couple Described specific embodiment does various modifications or additions or is substituted in a similar manner, without departing from invention Structure or beyond the scope defined by this claim, is within the scope of protection of the invention.

Claims (6)

1. a kind of based on the credible distribution platform of data strictly authorized, which is characterized in that including operating side management subsystem, client Hold management subsystem, mobile terminal SDK, data routing subsystem, data storage layer, third party service layer；

Wherein, the operation management subsystem is for assert the qualification for moving in data requirements main body, it is ensured that is selected by audit The data requirements main body that platform is moved in all is regular legal, and creates a client management system for data requirements main body Login account；

The operation management subsystem is also used to audit the application that data requirements main body is linked into platform, specifies enterprise and needs to circulate Data content, for data close rule detection；It is signed with data requirements main body and applies access protocol, used using access protocol Digital signature technology is signed, and carries out trustship preservation in third party Cun Zheng service organization；It is produced for the application of each access A raw unique APP_ID, the unique identification in platform is applied as this；

Wherein, the data requirements main body that logs in of the client-side management subsystem must be by qualification certification, requirement of main body The data application information of oneself is created on platform and is submitted to the audit of operation management subsystem；

Wherein, the data application information must include data flow incoming interface, and the data flow incoming interface mentions for receiving data It, after the approval can be for using binding data provider for the data that main body is sent；It is closed to audit the application selection passed through Make partner as data provider, client management system is that each data provider generates a unique code key S_ KEY makees the voucher that data provider participates in data circulation；Data requirements main body needs APP_ID and S_KEY being supplied to number According to provider, to be embedded in mobile terminal SDK in the application system of oneself；

The mobile terminal SDK includes the SDK of android operating system and the SDK of IOS operating system, provides testimony of a witness veritification, eID It veritifies, authorized agreement is signed and authorization historical query function；

All data for being related to unique individual's equity must be authorized from attribution data people and could be provided to data requirements main body, data Belonging to people, steps are as follows in SDK completion Authorized operation:

Step 1: ownership person part is veritified；Two kinds of veritification modes are provided；

S1: the first is that the testimony of a witness veritifies mode, mainly extracts human face photo using face living body technology and uploads identity card picture, Ownership person part is confirmed by OCR and face alignment technology；

S2: second is eID carrier patch mode card, is read using the NFC technique of mobile device, dedicated eID chip reader EID coding in carrier, the eID network identity operating agency IDSO progress identity for uploading the Third Research Institute of Ministry of Public Security's certification are true Recognize；

Step 2: authorized agreement signature；Authorized agreement is first presented to ownership people in mobile terminal for PDF format and checks, if agreed to Authorization, is signed electronically using the digital certificate that the CA mechanism with national authentication qualification issues, will be by the certificate of signature It is uploaded to the third party Cun Zheng mechanism with related qualification and carries out trustship；

Step 3: data signature and data encryption；The data to be circulated are digitally signed using S_KEY, it is secret using dynamic Key to after signature data carry out symmetric cryptography, data signature in order to prevent data in transmission process by distorting, make With non repudiation, data encryption be in order to prevent data in transmission process by stealing, the peace that guarantees data security Quan Xing；

Wherein, the data routing subsystem is for being connected to mobile terminal SDK, operating side management subsystem, client-side management subsystem System, data storage layer, third party service layer and data flow into interface；

The data that SDK is uploaded are decrypted using dynamic code key to be formed in plain text for the data routing subsystem, then use S_ KEY is digitally signed sign test as secret key pair in plain text, it is ensured that data are not distorted；

The data routing subsystem closes rule using data and checks engine to conjunction rule detection is carried out in plain text, and the data route subsystem Unite for check sensitive content situation in data and with consistent situation, sensitive content is steady containing harmful national security and society Fixed content, consistent situation are that data and the statement of party in request's data requirements are consistent；When in data exist include sensitive content, with need When seeking inconsistent middle any case, then the data flow incoming interface of data requirements side is not pushed to；

Wherein, the log recording engine of the data routing subsystem all records each sub-authorization and transmission, saves extremely Data storage layer is accomplished to have good grounds, dates back；

The data storage layer includes relevant database and non-relational database；The relevant database supports ACID number According to library affairs to guarantee the data correctness in circulation services, the non-relational database does not need predefined data mould Formula, predefined table structure are stored on each local server after being divided data using no share framework, and there is elasticity can expand The characteristic of exhibition is very suitable to the demand of magnanimity and the storage of random daily record data；

The third party service layer is Third Party Authentication and deposits card platform, and the third party service layer is recognized for docking with country Demonstrate,prove the CA mechanism of qualification, the eID network identity operating agency of the Third Research Institute of Ministry of Public Security's certification, the third party with related qualification Cun Zheng mechanism；The identity veritification and electronic signature supporting of authority are provided for platform.

2. according to claim 1 a kind of based on the credible distribution platform of data strictly authorized, which is characterized in that the fortune It seeks the operating side that end management subsystem is the trust data system for the distribution of commodities and manages platform；

The operating side management subsystem include Basic Information Management, enterprise qualification audit, enterprise information management, using registration examine Core, application message inquiry, charging regulation management, disbursement and sattlement management, au-thorization log analysis, transmission log analysis and business event Status analysis.

3. according to claim 1 a kind of based on the credible distribution platform of data strictly authorized, which is characterized in that the visitor Family end management subsystem is trust data system for the distribution of commodities client-side management platform, and the client-side management subsystem includes basis letter Cease management, Enterprise Application Management, partner management, expenses management, using au-thorization log inquiry, data transmission log query, Affiliate authorizes number statistics, affiliate to transmit log statistic.

4. according to claim 1 a kind of based on the credible distribution platform of data strictly authorized, which is characterized in that the number It include data pull interface, data-pushing interface, data-query interfaces, authorized agreement query interface, authorization according to routing subsystem Agreement signature interface, data close rule detecting and alarm and log recording engine.

5. according to claim 1 a kind of based on the credible distribution platform of data strictly authorized, which is characterized in that described Tripartite service layer includes that the testimony of a witness veritifies interface, identity card OCR interface, eID generation interface, eID veritification interface, PDF digital signature Interface deposits card interface, recognition of face interface, face alignment interface and face retrieval interface.

6. a kind of based on the credible circulation method of data strictly authorized, which is characterized in that this method includes the following steps:

Step 1: identity validation is carried out to data ownership main body, the mode of identity validation is using testimony of a witness matching confirmation and eID confirmation In it is any；

Step 2: identity veritification is carried out to data ownership main body using data distribution platform, identity is veritified to be tested using testimony of a witness matching It is any in card and eID verifying；

Step 3: data ownership main body signs authorized agreement, data distribution platform using authoritative CA certificate carry out authorized agreement into Row digital signature, and the authorized agreement deposit third party after signature is deposited into card platform and deposits card；

Step 4: mobile terminal SDK is encrypted and is signed to data, by data-pushing to data distribution platform；

Step 5: data are decrypted data distribution platform and sign test, closes rule using data and checks engine to closing in plain text Rule detection, closes the data flow incoming interface advised and detected by the way that ciphertext to be pushed to data requirements main body.