CN110688364A - Data transfer method, device, storage medium and electronic equipment

Info

Publication number: CN110688364A
Authority: CN (China)
Prior art keywords: authentication result, data transfer, authentication, identity authentication, result
Legal status: Pending
Application number: CN201910837367.1A
Other languages: Chinese (zh)
Inventor: 刘文杰
Current Assignee: Oppo Chongqing Intelligent Technology Co Ltd
Original Assignee: Oppo Chongqing Intelligent Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/21 Design, administration or maintenance of databases
    • G06F16/214 Database migration support
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/44 Program or device authentication

Abstract

The embodiments of the application disclose a data transfer method, a data transfer device, a storage medium and electronic equipment. The data transfer method comprises the following steps: when a data transfer trigger signal is detected, acquiring a first identity authentication result and storing it in an authentication database in a trusted execution environment; invoking a private instruction, retrieving the first identity authentication result from the authentication database, and acquiring a second identity authentication result in the trusted execution environment based on the private instruction and the first identity authentication result; and when the second identity authentication result indicates that authentication succeeded, activating the virtual account and performing data transfer. With the embodiments of the application, the authentication result is protected from tampering, so the network data transfer process is protected from attack and the security of data transfer can be improved.

Description

Data transfer method, device, storage medium and electronic equipment
Technical Field
The present application relates to the field of computer technologies, and in particular, to a data transfer method and apparatus, a storage medium, and an electronic device.
Background
With the increasing popularization of network technology, network transactions are being accepted by more and more people. They are available around the clock, efficient and convenient, and are rapidly changing people's lifestyles. With the rapid growth of network transactions, network transaction data transfer is becoming more and more common.
At present, the network transaction data transfer method used by data transfer applications mainly performs identity authentication by calling a standard fingerprint interface and returns the authentication result to the data transfer application terminal, which determines whether to perform the next step of the data transfer process according to the returned authentication result.
In this process, the identity authentication itself is completed in the trusted execution environment (TZ/TEE), but the decision whether to execute the data transfer process is made by the data transfer application terminal. The data transfer application decides according to the result returned by the identity authentication interface, and the subsequent data transfer process is allowed as long as the returned result is a pass. However, the data transfer application runs in the REE, which is a relatively vulnerable environment. In the above scheme, if the fingerprint service or the service application is attacked so that the fingerprint authentication result is always modified to report that authentication passed, the data transfer process can be completed even when the data transfer operation is not performed by the user, causing economic loss to the user. The existing network data transfer process is therefore easy to attack and has low security.
Disclosure of Invention
The embodiment of the application provides a data transfer method, a data transfer device, a storage medium and electronic equipment, and can solve the problems that a network data transfer process is easy to attack and the security is low. The technical scheme is as follows:
In a first aspect, an embodiment of the present application provides a data transfer method, where the method includes:
when a data transfer trigger signal is detected, acquiring a first identity authentication result and storing the first identity authentication result in an authentication database in a trusted execution environment;
invoking a private instruction, retrieving the first identity authentication result from the authentication database, and acquiring a second identity authentication result in the trusted execution environment based on the private instruction and the first identity authentication result;
and when the second identity authentication result is that the authentication is successful, activating the virtual account and performing data transfer.
In a second aspect, an embodiment of the present application provides a data transfer apparatus, including:
a first result storage module, configured to acquire a first identity authentication result and store the first identity authentication result in an authentication database in a trusted execution environment when the data transfer trigger signal is detected;
a second result obtaining module, configured to invoke a private instruction, retrieve the first identity authentication result from the authentication database, and obtain a second identity authentication result in the trusted execution environment based on the private instruction and the first identity authentication result;
and a data transfer module, configured to activate the virtual account and perform data transfer when the second identity authentication result is that the authentication is successful.
In a third aspect, embodiments of the present application provide a computer storage medium storing a plurality of instructions adapted to be loaded by a processor and to perform the above-mentioned method steps.
In a fourth aspect, an embodiment of the present application provides an electronic device, which may include: a processor and a memory; wherein the memory stores a computer program adapted to be loaded by the processor and to perform the above-mentioned method steps.
The beneficial effects brought by the technical scheme provided by some embodiments of the application at least comprise:
In the embodiment of the application, when a data transfer trigger signal is detected, a first identity authentication result is obtained and stored in an authentication database in the TEE; a private instruction is then invoked, the first identity authentication result is retrieved from the authentication database, and a second identity authentication result is obtained in the TEE based on the private instruction and the first identity authentication result; when the second identity authentication result indicates success, the virtual account is activated and data transfer is performed. The first identity authentication result is stored in the authentication database inside the more secure TEE. When a key operation such as activation is to be performed on the virtual account, the previous identity authentication result is verified again from the authentication database inside the TEE, and the virtual account is used to complete the data transfer process only when this verification passes. This prevents the authentication result from being tampered with, protects the network data transfer process from attack, and improves the security of data transfer.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. The drawings in the following description are only some embodiments of the present application; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of a data transfer method provided in an embodiment of the present application;
Fig. 2 is a schematic diagram illustrating an effect of an identity authentication prompt according to an embodiment of the present application;
Fig. 3 is a schematic structural diagram of a control system of a user terminal according to an embodiment of the present application;
Fig. 4 is an interaction diagram of a system environment when a user terminal performs data transfer according to an embodiment of the present application;
Fig. 5 is a schematic flowchart of a data transfer method provided in an embodiment of the present application;
Fig. 6 is a schematic structural diagram of a data transfer device according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of a data transfer device according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of a second result obtaining module according to an embodiment of the present disclosure;
Fig. 9 is a schematic structural diagram of a data transfer module according to an embodiment of the present application;
Fig. 10 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more clear, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the application, as detailed in the appended claims.
In the description of the present application, it is to be understood that the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. The specific meaning of the above terms in the present application can be understood in a specific case by those of ordinary skill in the art. Further, in the description of the present application, "a plurality" means two or more unless otherwise specified. "and/or" describes the association relationship of the associated objects, meaning that there may be three relationships, e.g., a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship.
The data transfer method provided by the embodiment of the present application will be described in detail below with reference to fig. 1 to 5. The method may be implemented by a computer program that runs on a data transfer device based on the von Neumann architecture. The computer program may be integrated into an application or may run as a separate tool-like application. The data transfer device in the embodiment of the present application may be a user terminal, including but not limited to a personal computer, a tablet computer, a handheld device, an in-vehicle device, a wearable device, a computing device, or other processing device connected to a wireless modem.
Please refer to fig. 1, which is a flowchart illustrating a data transfer method according to an embodiment of the present disclosure. As shown in fig. 1, the method of the embodiment of the present application may include the steps of:
S101, when a data transfer trigger signal is detected, acquiring a first identity authentication result and storing the first identity authentication result in an authentication database in a trusted execution environment;
Data transfer refers to the process, triggered by a user for a target transaction (transaction, consumption), of transferring data from one virtual account to another. The ways in which the user can trigger it include turning on the Near Field Communication (NFC) function of the user terminal and bringing the user terminal close to a receiving terminal such as a POS machine, or opening the code scanning function of a data transfer application and performing a data transfer code scanning operation.
The following description takes turning on NFC to trigger data transfer as an example.
In a specific implementation, when the user turns on the NFC function of the user terminal and brings the user terminal close to the acquiring terminal, the user terminal sends a communication event to the NFC service and jumps to the identity authentication interface, which, as shown in fig. 2, displays "please perform fingerprint authentication" to prompt the user to input fingerprint information. After the user inputs the identity authentication information, it is compared with the pre-stored identity information to authenticate it, a first identity authentication result is generated, and the first identity authentication result is stored in an authentication database under a Trusted Execution Environment (TEE). The authentication database is stored in the storage system of the user terminal and is first encrypted with a TEE built-in key.
The first identity authentication result may include a biometric authentication result or a password/PIN authentication result, and may further include an authentication duration. The biometric authentication result may be a fingerprint authentication result, an iris authentication result, or the like. The authentication duration may be understood as the time from the collection of the authentication information to the end of authentication. The first identity authentication result needs to be stored in the authentication database whether or not authentication succeeded, because the authentication result contains the acquired biometric information used for subsequent identity authentication.
It should be noted that, in the existing NFC data transfer scheme, the virtual account information (virtual card/electronic cash card) and the various data transfer applications are stored in the hardware secure chip eSE, as shown in fig. 3, which provides the environment required for executing the contactless service (data transfer). Since the security chip eSE is isolated from the software system and access to it requires a key, absolute security of the account information and the related applications is guaranteed. In the existing data transfer scheme (13.56 MHz frequency band), NFC is mainly used as a data transmission channel; because its effective working range is very short, data is not easily stolen, which ensures the security of data during the data transfer process.
As shown in fig. 4, part of the user operations (e.g., inputting authentication information, clicking on the user terminal interface, etc.) take place on the REE side, while operations on the eSE are performed through the TEE secure execution environment. The TEE is a secure execution environment isolated from the REE, and its main function is to execute sensitive operations such as sensitive algorithm computations and secure storage. The TEE is used to access the eSE mainly because the TEE can execute operations securely, so that interaction with the eSE is protected against various hardware and software attacks and access to the eSE, as well as reading and storing of its data, is secure.
S102, invoking a private instruction, retrieving the first identity authentication result from the authentication database, and acquiring a second identity authentication result in the trusted execution environment based on the private instruction and the first identity authentication result;
The private instruction is an instruction that includes information such as the identity authentication mode and the virtual account type; it precedes the activation instruction and is processed in the TEE.
The format of the private instruction is: private protocol header (4 bytes) ffffaabcd + TLV. The private protocol header identifies the identity authentication mode, and the TLV identifies the virtual account type. The private instruction corresponds to the activation instruction: if the normal activation instruction is 80F00101124F10a00000033301010003080000001001, then the corresponding private instruction is ffffaabcd 4F10a00000033301010003080000001001. The private protocol header ffffaabcd identifies fingerprint authentication. The AID (a0000003330101) identifies the UnionPay card type.
In a specific implementation, the private instruction APDU is invoked to obtain the identity authentication mode and the virtual account type contained in the instruction. When the identity authentication mode is biometric authentication and the virtual account type is the UnionPay card type, the biometric information in the first identity authentication result is retrieved from the authentication database and a second biometric authentication is performed.
It is understood that the first identity authentication result includes the collected biometric information, and this biometric information is verified again to obtain the second identity authentication result. The second identity authentication result comprises a biometric authentication result and an authentication duration.
If the returned result is 0x9000, the biometric authentication succeeded and the authentication duration is within the preset duration, so verification succeeds and the second identity authentication result is true. If the returned result is 0xFFFF, either the biometric authentication failed or the authentication timed out, and the second identity authentication result is false. The second identity authentication result is stored in the authentication database.
S103, when the second identity authentication result is that the authentication is successful, activating the virtual account and performing data transfer.
When the second identity authentication result is true, an activation instruction is generated to activate the virtual account corresponding to the virtual account type, and data transfer (payment, deduction) is performed on the virtual account.
The issued activation instruction may be generated according to a private instruction. Optionally, the activation instruction may also be adapted according to CLA as shown in table 1.
TABLE 1 (provided as an image in the original publication; contents not available)
When the second identity authentication result is false, 0x6320 is returned: if the second identity authentication result (the last identity authentication result) is not a successful authentication, a deactivation instruction is generated and prompt information is output to inform the user that identity authentication failed.
In the embodiment of the application, when a data transfer trigger signal is detected, a first identity authentication result is obtained and stored in an authentication database in the TEE; a private instruction is then invoked, the first identity authentication result is retrieved from the authentication database, and a second identity authentication result is obtained in the TEE based on the private instruction and the first identity authentication result; when the second identity authentication result indicates success, the virtual account is activated and data transfer is performed. The first identity authentication result is stored in the authentication database inside the more secure TEE. When a key operation such as activation is to be performed on the virtual account, the previous identity authentication result is verified again from the authentication database inside the TEE, and the virtual account is used to complete the data transfer process only when this verification passes. This prevents the authentication result from being tampered with, protects the network data transfer process from attack, and improves the security of data transfer.
Please refer to fig. 5, which is a flowchart illustrating a data transfer method according to an embodiment of the present disclosure. The embodiment is exemplified by applying the data transfer method to a smart phone. The data transfer method may include the steps of:
S201, when a data transfer trigger signal is detected, acquiring a first identity authentication result and storing the first identity authentication result in an authentication database in a trusted execution environment;
See S101 for details, which are not repeated here.
S202, encrypting the authentication database;
Specifically, the authentication database may be encrypted with a built-in key.
Key encryption is an encryption method in which the sender and the receiver of the data both perform encryption and decryption operations on the plaintext using the same or a symmetric key.
If the encryption algorithm is public, the real secret is the key, which must be kept secret; it is usually a string and can be changed as often as necessary. The length of the key is therefore important: once the decryption key is found the cipher is broken, and the longer the key, the larger the key space, the longer it takes to traverse the key space, and the less likely the cipher is to be broken.
The built-in key may be understood as a key that ships with the system or is built in beforehand.
It will be appreciated that the built-in key is either invoked automatically to encrypt the authentication database when the database is generated, or invoked to encrypt the database after the information has been saved to it.
S203, closing the NFC wireless protocol monitoring;
The NFC standard is compatible with the FeliCa™ standard as well as ISO 14443 A/B, i.e., the Mifare standard. These are commonly referred to as the Type A, Type B and Type F protocols, where Type A and Type B are the Mifare standards and Type F is the FeliCa™ standard.
By turning off the NFC wireless protocol listening, direct data transfer is avoided.
S204, acquiring an attribute value of the data transfer application, invoking a private instruction when the attribute value is true, decrypting the authentication database, and retrieving the first identity authentication result from the authentication database in the trusted execution environment;
An attribute value corresponding to the data transfer application is acquired. When the attribute value is true, the application has been adapted to the new scheme, and invocation of the private instruction is triggered.
The private instruction is an instruction containing information such as the identity authentication mode and the virtual account type. It precedes the activation instruction and is not sent to the eSE for execution; it is processed in the Pay TA in the TEE, which generates the corresponding processing result and returns it to the data transfer application.
S205, parsing the private instruction and extracting a target authentication mode;
The format of the private instruction is: private protocol header (4 bytes) + TLV, where the private protocol header identifies the identity authentication mode.
The private instruction is parsed and the private protocol header is extracted; if the private protocol header is ffffffaabcd, the target authentication mode is the biometric authentication mode.
S206, when the target authentication mode is the biometric authentication mode, acquiring a second identity authentication result based on the first identity authentication result, wherein the second identity authentication result comprises a biometric authentication result and an authentication duration;
When the private protocol header is ffffaabcd, the biometric information is verified again to obtain the second identity authentication result. The second identity authentication result comprises a biometric authentication result and an authentication duration. The authentication duration refers to the time from the beginning of the second authentication to the end of the second authentication.
If the returned result is 0x9000, the biometric authentication succeeded and the authentication duration is within the preset duration, so verification succeeds and the second identity authentication result is true. If the returned result is 0xFFFF, either the biometric authentication failed or the authentication timed out, and the second identity authentication result is false. The second identity authentication result is stored in the authentication database.
S207, when the biometric authentication result is that the authentication is passed and the authentication duration is within a preset duration, acquiring the virtual account type in the private instruction;
The preset duration may be set to 3 s based on empirical statistics.
The biometric authentication result is compared with the preset biometric and the authentication duration is compared with the preset duration. If the returned result is true, an activation instruction (such as 80F00101124F10A00000033301010003080000001001) is generated and the virtual account type carried by the instruction is read. The AID (A0000003330101) identifies the UnionPay card type.
S208, activating the virtual account corresponding to the virtual account type, turning on NFC wireless protocol listening, and performing data transfer.
The UnionPay card bound to the data transfer application is looked up. When there is one account, the UnionPay card account is activated directly; when there are several accounts, the UnionPay card account is activated according to the user's selection. The previously closed NFC wireless protocol function is then turned on to open the data transfer path, and data transfer (payment, deduction) is performed on the virtual account.
In the embodiment of the application, when a data transfer trigger signal is detected, a first identity authentication result is obtained and stored in an authentication database in the TEE; a private instruction is then invoked, the first identity authentication result is retrieved from the authentication database, and a second identity authentication result is obtained in the TEE based on the private instruction and the first identity authentication result; when the second identity authentication result indicates success, the virtual account is activated and data transfer is performed. The first identity authentication result is stored in the authentication database inside the more secure TEE. When a key operation such as activation is to be performed on the virtual account, the previous identity authentication result is verified again from the authentication database inside the TEE, and the virtual account is used to complete the data transfer process only when this verification passes. The data transfer application only needs to initiate the biometric identification process and does not need to check a returned result. This prevents the authentication result from being tampered with, protects the network data transfer process from attack, and improves the security of data transfer.
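The TEE-side handling of the private instruction in S204 to S208 (header + TLV parsing, second authentication, activation only on success) can be sketched as follows. This is an added example, not code from the patent or from any vendor's Pay TA: the 4-byte header value, the record layout, the byte comparison standing in for biometric matching and all function names are assumptions, while the status words, the 3 s limit, the 80 F0 01 01 activation prefix and the AID prefix come from the text above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SW_OK        0x9000  /* page: second authentication succeeded */
#define SW_AUTH_FAIL 0xFFFF  /* page: biometric failure or timeout */
#define SW_REJECT    0x6320  /* page: returned when the result is false */
#define PRESET_MS    3000u   /* page: preset duration of 3 s */

/* Constructed placeholder for the 4-byte private protocol header. */
static const uint8_t HDR_BIOMETRIC[4] = {0xF0, 0x0D, 0xCA, 0xFE};
/* AID prefix the page gives for the UnionPay card type. */
static const uint8_t AID_PREFIX[7] = {0xA0, 0x00, 0x00, 0x03, 0x33, 0x01, 0x01};
/* Constructed sample instruction: header + TLV (tag 4F, length 07, AID). */
static const uint8_t SAMPLE_INSN[13] = {0xF0, 0x0D, 0xCA, 0xFE, 0x4F, 0x07,
                                        0xA0, 0x00, 0x00, 0x03, 0x33, 0x01, 0x01};
/* Constructed stand-in for the enrolled template held by the TEE. */
static const uint8_t ENROLLED[8] = {1, 2, 3, 4, 5, 6, 7, 8};

/* Hypothetical layout of one record in the TEE authentication database. */
struct auth_record {
    uint8_t sample[8]; /* biometric data captured at the first authentication */
    int present;       /* 1 once the first result has been stored */
};

static uint8_t g_apdu[32]; /* activation APDU produced by the last demo() */
static size_t g_apdu_len;

/* Constant-time compare; stands in for the real biometric matcher. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Parse header + TLV; on success *tlv points at the tag. Returns 0 or -1. */
int parse_private_insn(const uint8_t *buf, size_t len,
                       const uint8_t **tlv, size_t *tlv_len) {
    if (len < 4 + 2) return -1;                 /* header + tag + length */
    if (memcmp(buf, HDR_BIOMETRIC, 4) != 0) return -1;
    if (buf[4] != 0x4F) return -1;              /* AID tag */
    size_t vlen = buf[5];
    if (vlen != len - 6) return -1;             /* truncated or trailing data */
    if (vlen < sizeof AID_PREFIX) return -1;
    if (memcmp(buf + 6, AID_PREFIX, sizeof AID_PREFIX) != 0) return -1;
    *tlv = buf + 4;
    *tlv_len = len - 4;
    return 0;
}

/* Second authentication, computed only from data held inside the TEE. */
int second_auth(const struct auth_record *rec, const uint8_t *enrolled,
                uint32_t elapsed_ms) {
    if (!rec->present) return SW_AUTH_FAIL;
    if (elapsed_ms > PRESET_MS) return SW_AUTH_FAIL; /* timeout */
    if (!ct_equal(rec->sample, enrolled, 8)) return SW_AUTH_FAIL;
    return SW_OK;
}

/* Gate: the activation APDU is built only after second_auth() passes. */
int pay_ta_activate(const uint8_t *insn, size_t insn_len,
                    const struct auth_record *rec, const uint8_t *enrolled,
                    uint32_t elapsed_ms, uint8_t *apdu, size_t cap,
                    size_t *out_len) {
    static const uint8_t head[4] = {0x80, 0xF0, 0x01, 0x01}; /* CLA INS P1 P2 */
    const uint8_t *tlv;
    size_t tlv_len;
    *out_len = 0;
    if (parse_private_insn(insn, insn_len, &tlv, &tlv_len) != 0) return SW_REJECT;
    if (second_auth(rec, enrolled, elapsed_ms) != SW_OK) return SW_REJECT;
    if (tlv_len > 255 || cap < 5 + tlv_len) return SW_REJECT;
    memcpy(apdu, head, 4);
    apdu[4] = (uint8_t)tlv_len;                 /* Lc */
    memcpy(apdu + 5, tlv, tlv_len);
    *out_len = 5 + tlv_len;
    return SW_OK;
}

/* Run one constructed case: genuine or altered sample, given duration. */
int demo(int genuine, uint32_t elapsed_ms, size_t insn_len) {
    struct auth_record rec = {{1, 2, 3, 4, 5, 6, 7, 8}, 1};
    if (!genuine) rec.sample[0] ^= 0xFF;
    return pay_ta_activate(SAMPLE_INSN, insn_len, &rec, ENROLLED, elapsed_ms,
                           g_apdu, sizeof g_apdu, &g_apdu_len);
}

int main(void) {
    printf("genuine, 1.2 s : %04X\n", (unsigned)demo(1, 1200, sizeof SAMPLE_INSN));
    printf("altered sample : %04X\n", (unsigned)demo(0, 1200, sizeof SAMPLE_INSN));
    printf("timeout, 3.5 s : %04X\n", (unsigned)demo(1, 3500, sizeof SAMPLE_INSN));
    printf("truncated insn : %04X\n", (unsigned)demo(1, 1200, sizeof SAMPLE_INSN - 1));
    return 0;
}
```

The only input that crosses from the REE is the instruction buffer; no pass/fail flag supplied by the application takes part in the decision, which is the property the scheme relies on.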
The following are embodiments of the apparatus of the present application that may be used to perform embodiments of the method of the present application. For details which are not disclosed in the embodiments of the apparatus of the present application, reference is made to the embodiments of the method of the present application.
Referring to fig. 6, a schematic structural diagram of a data transfer device according to an exemplary embodiment of the present application is shown. The data transfer device may be implemented as all or part of a user terminal, in software, hardware or a combination of both. The apparatus 1 comprises a first result saving module 10, a second result obtaining module 20 and a data transfer module 30.
A first result storage module 10, configured to, when a data transfer trigger signal is detected, obtain a first identity authentication result and store the first identity authentication result in an authentication database in a trusted execution environment;
a second result obtaining module 20, configured to invoke a private instruction, retrieve the first identity authentication result from the authentication database, and obtain a second identity authentication result in the trusted execution environment based on the private instruction and the first identity authentication result;
and the data transfer module 30 is configured to activate the virtual account and perform data transfer when the second identity authentication result is that authentication is successful.
Optionally, the second identity authentication result includes a biometric authentication result and an authentication duration, and the data transfer module 30 is specifically configured to:
and when the biological characteristic authentication result is that the authentication is passed and the authentication time length is within the preset time length, activating the virtual account and performing data transfer.
Optionally, as shown in fig. 7, the apparatus further includes:
a database encryption module 40, configured to encrypt the authentication database;
the second result obtaining module 20 is specifically configured to:
decrypt the authentication database and retrieve the first identity authentication result from the authentication database.
Optionally, as shown in fig. 7, the apparatus further includes:
an attribute value acquisition module 50, configured to acquire an attribute value of the data transfer application and, when the attribute value is true, trigger the second result obtaining module 20 to invoke the private instruction.
Optionally, as shown in fig. 8, the second result obtaining module 20 includes:
an authentication mode obtaining unit 201, configured to parse the private instruction and extract a target authentication mode;
a second result obtaining unit 202, configured to obtain a second identity authentication result based on the first identity authentication result when the target authentication mode is the biometric authentication mode.
Optionally, as shown in fig. 9, the data transfer module 30 includes:
an account identifier obtaining unit 301, configured to obtain a virtual account type in the private instruction when the second identity authentication result indicates that authentication is successful;
a data transfer unit 302, configured to activate a virtual account corresponding to the virtual account type and perform data transfer.
Optionally, the data transfer module 30 is specifically configured to:
when the second identity authentication result indicates that authentication is successful, activate a virtual account;
and start NFC wireless protocol monitoring and perform data transfer.
Optionally, as shown in fig. 7, the apparatus further includes:
an interception closing module 60, configured to close the NFC wireless protocol monitoring.
It should be noted that, when the data transfer apparatus provided in the foregoing embodiment executes the data transfer method, the division into the functional modules described above is only an example. In practical applications, the functions may be allocated to different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above. In addition, the data transfer apparatus and the data transfer method provided in the above embodiments belong to the same concept; for details of the implementation process, refer to the method embodiments, which are not repeated here.
The serial numbers of the embodiments of the present application are for description only and do not indicate the relative merits of the embodiments.
An embodiment of the present application further provides a computer storage medium, where the computer storage medium may store a plurality of instructions, where the instructions are suitable for being loaded by a processor and executing the method steps in the embodiments shown in fig. 1 to 5, and a specific execution process may refer to specific descriptions of the embodiments shown in fig. 1 to 5, which are not described herein again.
Please refer to fig. 10, which provides a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 10, the electronic device 1000 may include: at least one processor 1001, at least one network interface 1004, a user interface 1003, memory 1005, at least one communication bus 1002.
The communication bus 1002 is used to enable connection and communication between these components.
The user interface 1003 may include a display screen (Display) and a camera (Camera); optionally, the user interface 1003 may also include a standard wired interface and a wireless interface.
The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a Wi-Fi interface).
The processor 1001 may include one or more processing cores. The processor 1001 connects the various components of the electronic device 1000 through various interfaces and lines, and performs the functions of the electronic device 1000 and processes data by running or executing instructions, programs, code sets, or instruction sets stored in the memory 1005 and invoking data stored in the memory 1005. Optionally, the processor 1001 may be implemented in at least one hardware form of Digital Signal Processing (DSP), Field-Programmable Gate Array (FPGA), and Programmable Logic Array (PLA). The processor 1001 may integrate one or more of a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), a modem, and the like. The CPU mainly handles the operating system, the user interface, application programs and the like; the GPU renders and draws the content to be displayed on the display screen; the modem handles wireless communications. It is understood that the modem may also not be integrated into the processor 1001 and may instead be implemented as a separate chip.
The memory 1005 may include a Random Access Memory (RAM) or a Read-Only Memory (ROM). Optionally, the memory 1005 includes a non-transitory computer-readable medium. The memory 1005 may be used to store instructions, programs, code, code sets, or instruction sets. The memory 1005 may include a program storage area and a data storage area, wherein the program storage area may store instructions for implementing an operating system, instructions for at least one function (such as a touch function, a sound playing function, an image playing function, etc.), instructions for implementing the various method embodiments described above, and the like; the data storage area may store the data referred to in the above method embodiments. The memory 1005 may optionally be at least one storage device located remotely from the processor 1001. As shown in fig. 10, the memory 1005, which is a kind of computer storage medium, may include an operating system, a network communication module, a user interface module, and a data transfer application program.
In the electronic device 1000 shown in fig. 10, the user interface 1003 is mainly used as an interface for providing input for a user, and acquiring data input by the user; and the processor 1001 may be configured to invoke the data transfer application stored in the memory 1005 and specifically perform the following operations:
when a data transfer trigger signal is detected, acquiring a first identity authentication result and storing the first identity authentication result in an authentication database in a trusted execution environment;
invoking a private instruction, retrieving the first identity authentication result from the authentication database, and acquiring a second identity authentication result in the trusted execution environment based on the private instruction and the first identity authentication result;
and when the second identity authentication result is that the authentication is successful, activating the virtual account and performing data transfer.
In an embodiment, the second identity authentication result includes a biometric authentication result and an authentication duration, and when activating the virtual account and performing data transfer when the second identity authentication result indicates successful authentication, the processor 1001 specifically performs the following operations:
when the biometric authentication result indicates that authentication has passed and the authentication duration is within the preset duration, activating the virtual account and performing data transfer.
In one embodiment, after obtaining the first authentication result and saving the first authentication result to the authentication database in the trusted execution environment, the processor 1001 further performs the following operations:
encrypting the authentication database;
when the processor 1001 retrieves the first identity authentication result from the authentication database, the following operations are specifically performed:
decrypting the authentication database and retrieving the first identity authentication result from the authentication database.
In one embodiment, before invoking the private instruction, the processor 1001 further performs the following operations:
acquiring an attribute value of the data transfer application, and executing the step of invoking the private instruction when the attribute value is true.
In one embodiment, when the processor 1001 obtains the second authentication result based on the private instruction and the first authentication result in the trusted execution environment, the following operations are specifically performed:
parsing the private instruction in the trusted execution environment, and extracting a target authentication mode;
and when the target authentication mode is a biological authentication mode, acquiring a second identity authentication result based on the first identity authentication result.
In an embodiment, when the second identity authentication result is authentication success, the processor 1001 specifically performs the following operations when activating a virtual account and performing data transfer:
when the second identity authentication result is that authentication is successful, acquiring the virtual account type in the private instruction;
and activating the virtual account corresponding to the virtual account type and transferring data.
In an embodiment, when the second identity authentication result is authentication success, the processor 1001 specifically performs the following operations when activating a virtual account and performing data transfer:
when the second identity authentication result is that authentication is successful, activating a virtual account;
and starting NFC wireless protocol monitoring and performing data transfer.
In one embodiment, after obtaining the first authentication result and saving the first authentication result to the authentication database in the trusted execution environment, the processor 1001 further performs the following operations:
and closing the NFC wireless protocol monitoring.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a read-only memory or a random access memory.
The above disclosure is only for the purpose of illustrating the preferred embodiments of the present application and is not to be construed as limiting the scope of the present application, so that the present application is not limited thereto, and all equivalent variations and modifications can be made to the present application.

Claims (10)

1. A method of data transfer, the method comprising:
when a data transfer trigger signal is detected, acquiring a first identity authentication result and storing the first identity authentication result in an authentication database in a trusted execution environment;
invoking a private instruction, retrieving the first identity authentication result from the authentication database, and acquiring a second identity authentication result in the trusted execution environment based on the private instruction and the first identity authentication result;
and when the second identity authentication result is that the authentication is successful, activating the virtual account and performing data transfer.
2. The method according to claim 1, wherein the second identity authentication result comprises a biometric authentication result and an authentication duration, and when the second identity authentication result is successful authentication, activating the virtual account and performing data transfer comprises:
and when the biometric authentication result indicates that authentication has passed and the authentication duration is within the preset duration, activating the virtual account and performing data transfer.
3. The method of claim 1, wherein after obtaining and saving the first authentication result to an authentication database in the trusted execution environment, further comprising:
encrypting the authentication database;
the invoking the first identity authentication result from the authentication database includes:
decrypting the authentication database and calling the first identity authentication result from the authentication database.
4. The method of claim 1, wherein the invoking the private instruction is preceded by:
and acquiring an attribute value of the data transfer application, and executing the step of calling the private instruction when the attribute value is true.
5. The method of claim 1, wherein obtaining a second authentication result based on the private instruction and the first authentication result in the trusted execution environment comprises:
parsing the private instruction in the trusted execution environment, and extracting a target authentication mode;
and when the target authentication mode is a biological authentication mode, acquiring a second identity authentication result based on the first identity authentication result.
6. The method according to claim 1, wherein when the second identity authentication result is authentication success, activating a virtual account and performing data transfer comprises:
when the second identity authentication result is that authentication is successful, acquiring the virtual account type in the private instruction;
and activating the virtual account corresponding to the virtual account type and transferring data.
7. The method according to claim 1, wherein when the second identity authentication result is authentication success, activating a virtual account and performing data transfer comprises:
when the second identity authentication result is that authentication is successful, activating a virtual account;
and starting NFC wireless protocol monitoring and performing data transfer.
8. The method of claim 7, wherein after obtaining the first authentication result and saving the first authentication result to an authentication database in the trusted execution environment, further comprising:
and closing the NFC wireless protocol monitoring.
9. A computer storage medium, characterized in that it stores a plurality of instructions adapted to be loaded by a processor and to carry out the method steps according to any one of claims 1 to 8.
10. An electronic device, comprising: a processor and a memory; wherein the memory stores a computer program adapted to be loaded by the processor and to perform the method steps of any of claims 1 to 8.
CN201910837367.1A 2019-09-05 2019-09-05 Data transfer method, device, storage medium and electronic equipment Pending CN110688364A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910837367.1A CN110688364A (en) 2019-09-05 2019-09-05 Data transfer method, device, storage medium and electronic equipment

Publications (1)

Publication Number Publication Date
CN110688364A true CN110688364A (en) 2020-01-14

Family

ID=69107753

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910837367.1A Pending CN110688364A (en) 2019-09-05 2019-09-05 Data transfer method, device, storage medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN110688364A (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104700268A (en) * 2015-03-30 2015-06-10 中科创达软件股份有限公司 Mobile payment method and mobile device
CN106936774A (en) * 2015-12-29 2017-07-07 中国电信股份有限公司 Authentication method and system in credible performing environment
CN108053212A (en) * 2017-12-29 2018-05-18 齐宇庆 A kind of bank paying Licensing Authority feedback information system of software and hardware combining
CN108964924A (en) * 2018-07-24 2018-12-07 腾讯科技(深圳)有限公司 Digital certificate method of calibration, device, computer equipment and storage medium
CN109583898A (en) * 2018-12-07 2019-04-05 四川长虹电器股份有限公司 The intelligent terminal and method paid based on TEE and block chain
CN109981585A (en) * 2019-02-26 2019-07-05 中国联合网络通信集团有限公司 Business handling method and apparatus
US20190213312A1 (en) * 2014-08-28 2019-07-11 Facetec, Inc. Method to add remotely collected biometric images / templates to a database record of personal information
CN110166246A (en) * 2016-03-30 2019-08-23 阿里巴巴集团控股有限公司 The method and apparatus of identity registration, certification based on biological characteristic

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200114