CN111127014A - Transaction information processing method, server, user terminal, system and storage medium - Google Patents
Transaction information processing method, server, user terminal, system and storage medium Download PDFInfo
- Publication number
- CN111127014A CN111127014A CN201911356945.6A CN201911356945A CN111127014A CN 111127014 A CN111127014 A CN 111127014A CN 201911356945 A CN201911356945 A CN 201911356945A CN 111127014 A CN111127014 A CN 111127014A
- Authority
- CN
- China
- Prior art keywords
- transaction
- information
- result information
- ciphertext
- user terminal
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
- G06Q20/3829—Payment protocols; Details thereof insuring higher security of transaction involving key management
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/401—Transaction verification
- G06Q20/4014—Identity check for transactions
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q40/00—Finance; Insurance; Tax strategies; Processing of corporate or income taxes
- G06Q40/04—Trading; Exchange, e.g. stocks, commodities, derivatives or currency exchange
Landscapes
- Business, Economics & Management (AREA)
- Engineering & Computer Science (AREA)
- Accounting & Taxation (AREA)
- Finance (AREA)
- General Physics & Mathematics (AREA)
- Strategic Management (AREA)
- Physics & Mathematics (AREA)
- General Business, Economics & Management (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Development Economics (AREA)
- Economics (AREA)
- Marketing (AREA)
- Technology Law (AREA)
- Storage Device Security (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The application provides a transaction information processing method, a server, a user terminal, a system and a storage medium, and relates to the field of data processing. The transaction information processing method applied to the user terminal comprises the following steps: the TA receives a first transaction message, and analyzes the first transaction message to obtain transaction sensitive information and a transaction sensitive information ciphertext, and the transaction sensitive information ciphertext is obtained by encrypting the transaction sensitive information by a server by using a shared key; the TA decrypts the analyzed transaction sensitive information ciphertext by using the shared key to obtain a transaction sensitive information plaintext; the TA generates result information according to the analyzed transaction sensitive information and the decrypted transaction sensitive information plaintext, wherein the result information indicates the transaction result represented by the first transaction message; the TA encrypts the result information by using the shared key to obtain a result information ciphertext; and the TA generates and sends a second transaction message according to the result information and the result information ciphertext. By using the technical scheme of the application, the safety of electronic transaction can be improved.
Description
Technical Field
The present application relates to the field of data processing, and in particular, to a transaction information processing method, a server, a user terminal, a system, and a storage medium.
Background
With the rapid development of electronic technology, electronic transactions are being applied in more and more fields. For electronic transactions, security is one of the major concerns of electronic transactions, since it involves a large amount of information that is extremely security-demanding.
In the process of electronic transaction, the server and the user terminal need to be subjected to security authentication. In the security authentication, an interface of an operating system of the user terminal needs to be called. However, the security of the operating system is low, and the operating system is easy to be broken, and once the operating system is broken, information in the electronic transaction process is leaked and possibly tampered. Thereby reducing the security of the electronic transaction.
Disclosure of Invention
The embodiment of the application provides a transaction information processing method, a server, a user terminal, a system and a storage medium, which can improve the safety of electronic transaction.
In a first aspect, an embodiment of the present application provides a transaction information processing method, which is applied to a user terminal, where the user terminal is provided with a trusted execution environment TEE, and the TEE is provided with a trusted application TA, and the transaction information processing method includes:
the TA receives a first transaction message, and analyzes the first transaction message to obtain transaction sensitive information and a transaction sensitive information ciphertext, and the transaction sensitive information ciphertext is obtained by encrypting the transaction sensitive information by a server by using a shared key;
the TA decrypts the analyzed transaction sensitive information ciphertext by using the shared key to obtain a transaction sensitive information plaintext;
the TA generates result information according to the analyzed transaction sensitive information and the decrypted transaction sensitive information plaintext, wherein the result information indicates the transaction result represented by the first transaction message;
the TA encrypts the result information by using the shared key to obtain a result information ciphertext;
and the TA generates and sends a second transaction message according to the result information and the result information ciphertext.
In a second aspect, an embodiment of the present application provides a transaction information processing method, which is applied to a server, and the transaction information processing method includes:
encrypting the transaction sensitive information by using the shared secret key to obtain a transaction sensitive information ciphertext;
generating a first transaction message according to the transaction sensitive information and the transaction sensitive information ciphertext and sending the first transaction message to a user terminal, wherein the user terminal is provided with a secure execution environment TEE, a trusted application TA is arranged in the TEE, and the TA has a shared secret key;
receiving a second transaction message sent by the user terminal, analyzing the second transaction message to obtain a result information ciphertext and result information, wherein the result information ciphertext is obtained by encrypting the result information by using a shared key through a TA (timing advance) in the user terminal;
decrypting the analyzed result information ciphertext by using the shared key to obtain a result information plaintext;
and if the analyzed result information is consistent with the plaintext of the result information obtained by decryption, processing the transaction represented by the first transaction message based on the result information.
In a third aspect, an embodiment of the present application provides a user equipment, where the user equipment is provided with a trusted execution environment TEE, the TEE is provided with a trusted application TA, and the TA in the user equipment includes:
the analysis module is used for receiving the first transaction message, analyzing the first transaction message to obtain transaction sensitive information and a transaction sensitive information ciphertext, and encrypting the transaction sensitive information by the server by using the shared key to obtain the transaction sensitive information ciphertext;
the decryption module is used for decrypting the analyzed transaction sensitive information ciphertext by using the shared secret key to obtain a transaction sensitive information plaintext;
the result generation module is used for generating result information according to the analyzed transaction sensitive information and the decrypted transaction sensitive information plaintext, wherein the result information indicates the transaction result represented by the first transaction message;
the encryption module is used for encrypting the result information by using the shared key to obtain a result information ciphertext;
and the message generation module is used for generating and sending a second transaction message according to the result information and the result information ciphertext.
In a fourth aspect, an embodiment of the present application provides a server, including:
the encryption module is used for encrypting the transaction sensitive information by using the shared secret key to obtain a transaction sensitive information ciphertext;
the message generating module is used for generating a first transaction message according to the transaction sensitive information and the transaction sensitive information ciphertext and sending the first transaction message to the user terminal, the user terminal is provided with a secure execution environment TEE, a trusted application TA is arranged in the TEE, and the TA has a shared secret key;
the analysis module is used for receiving a second transaction message sent by the user terminal, and analyzing the second transaction message to obtain a result information ciphertext and result information, wherein the result information ciphertext is obtained by encrypting the result information by using a shared key through a TA (timing advance) in the user terminal;
the decryption module is used for decrypting the analyzed result information ciphertext by using the shared key to obtain a result information plaintext;
and the processing module is used for processing the transaction represented by the first transaction message based on the result information if the analyzed result information is consistent with the plaintext of the result information obtained by decryption.
In a fifth aspect, an embodiment of the present application provides a user terminal, which includes a processor, a memory, and a computer program stored on the memory and capable of running on the processor, and when the computer program is executed by the processor, the transaction information processing method applied to the user terminal in the technical solution of the first aspect is implemented.
In a sixth aspect, an embodiment of the present application provides a server, including a processor, a memory, and a computer program stored on the memory and capable of running on the processor, where the computer program, when executed by the processor, implements the transaction information processing method applied to the server in the technical solution of the second aspect.
In a seventh aspect, an embodiment of the present application provides a transaction information processing system, including the user terminal in the technical solution of the fifth aspect and the server in the technical solution of the sixth aspect.
In an eighth aspect, an embodiment of the present application provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when executed by a processor, the computer program implements a transaction information processing method applied to a user terminal in the technical solution of the first aspect, or implements a transaction information processing method applied to a server in the technical solution of the second aspect.
The embodiment of the application provides a transaction information processing method, a server, a user terminal, a system and a storage medium, wherein the user terminal analyzes a first transaction message generated by the server, decrypts a transaction sensitive information ciphertext to generate result information, encrypts the result information, generates a second transaction message and the like, and all actions are realized in a TA of a TEE in the user terminal. And the TA generates result information according to the analyzed transaction sensitive information and the decrypted transaction sensitive information plaintext so as to complete the safety authentication from the server to the user block. And the TA generates and sends a second transaction message so that the server receives the second transaction message and completes the security authentication from the user terminal to the server. The security of the TEE and TA is much higher than that of the operating system of the user terminal and is difficult to be breached. The safety of transaction information processing is improved, the safety authentication from the user terminal to the server and the safety authentication from the server to the user terminal can be safely carried out, the safety of transaction information processing is improved, and therefore the safety of electronic transaction is improved.
Drawings
The present application may be better understood from the following description of specific embodiments thereof taken in conjunction with the accompanying drawings. Wherein like or similar reference numerals refer to like or similar features.
FIG. 1 is a schematic topology diagram of a transaction information processing system according to an embodiment of the present disclosure;
fig. 2 is a flowchart of a transaction information processing method applied to a user terminal according to an embodiment of the present application;
fig. 3 is a flowchart of a transaction information processing method applied to a user terminal according to another embodiment of the present application;
fig. 4 is a flowchart of a transaction information processing method applied to a user terminal according to another embodiment of the present application;
fig. 5 is a flowchart of a transaction information processing method applied to a server according to an embodiment of the present application;
fig. 6 is a flowchart of a transaction information processing method applied to a server according to another embodiment of the present application;
fig. 7 is a schematic structural diagram of a user terminal according to an embodiment of the present application;
fig. 8 is a schematic structural diagram of a user terminal according to another embodiment of the present application;
fig. 9 is a schematic structural diagram of a user terminal according to another embodiment of the present application;
fig. 10 is a schematic structural diagram of a server according to an embodiment of the present application;
fig. 11 is a schematic structural diagram of a server according to another embodiment of the present application;
fig. 12 is a schematic hardware structure diagram of a user terminal according to an embodiment of the present application.
Detailed Description
Features and exemplary embodiments of various aspects of the present application will be described in detail below. In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the present application. It will be apparent, however, to one skilled in the art that the present application may be practiced without some of these specific details. The following description of the embodiments is merely intended to provide a better understanding of the present application by illustrating examples thereof. The present application is in no way limited to any specific configuration and algorithm set forth below, but rather covers any modification, replacement or improvement of elements, components or algorithms without departing from the spirit of the present application. In the drawings and the following description, well-known structures and techniques are not shown in order to avoid unnecessarily obscuring the present application.
The embodiment of the application provides a transaction information processing method, a server, a user terminal, a system and a storage medium, which can be applied to a scene that the server and the user terminal perform bidirectional authentication in the electronic transaction process. Fig. 1 is a schematic topology diagram of a transaction information processing system according to an embodiment of the present disclosure. As shown in fig. 1, the transaction information processing system may include a server 100 and a user terminal 200. The server 100 and the user terminal 200 can communicate with each other. One server 100 may correspond to one user terminal 200, or may correspond to two or more user terminals 200, which is not limited herein. The user terminal 200 may be a mobile phone, a computer, a tablet computer, and the like, but is not limited thereto. In the embodiment of the present application, the user terminal 200 is provided with a Trusted Execution Environment (TEE), and the TEE may be provided with a Trusted Application (TA). The security of the trusted application is higher than that of an operating system of the user terminal, the possibility of being broken is very small, the TA is utilized to realize the processing process of the transaction information, and the security of the electronic transaction is improved. In some examples, the user terminal 200 may also be provided with an Embedded Secure Element (eSE). The security of the eSE is higher than that of the operating system of the user terminal 200, and the possibility of being broken is very small, and the eSE is applied to the processing process of the user transaction information, so that the security of the electronic transaction is further improved.
The embodiment of the application provides a transaction information processing method which is particularly applicable to a user terminal. Fig. 2 is a flowchart of a transaction information processing method applied to a user terminal according to an embodiment of the present application. As shown in fig. 2, the transaction information processing method may include steps S301 to S305.
In step S301, the TA receives the first transaction message, and parses the transaction sensitive information and the transaction sensitive information ciphertext from the first transaction message.
The first transaction message is a transaction message generated by the server. The first transaction message may include transaction sensitive information and a transaction sensitive information ciphertext. And the transaction sensitive information ciphertext is obtained by encrypting the transaction sensitive information by using the shared secret key by the server. However, it should be noted that the transaction sensitive information and/or the transaction sensitive information ciphertext in the first transaction message may be tampered during transmission between the server and the TA of the user terminal, and authentication needs to be performed in a subsequent process. The first transaction message may also include other information, and is not limited herein.
The transaction sensitive information is sensitive information in the transaction process, and the transaction sensitive information has higher requirements on safety. The content of the transaction sensitive information may be set according to a specific type of the electronic transaction, and is not limited herein. For example, taking an electronic transaction as an electronic transfer, the transaction sensitive information may include a payee name, a payee account number, a payee amount, etc.
In step S302, the TA decrypts the parsed transaction sensitive information ciphertext using the shared key to obtain the transaction sensitive information plaintext.
The TA of the ue and the server may agree in advance on the shared key or an algorithm for generating the shared key. The TA may generate the shared key using a shared key generation algorithm before decryption, or may call the shared key stored in the TA or the eSE before decryption, which is not limited herein.
The transaction sensitive information plaintext is the plaintext obtained by decrypting the transaction sensitive information ciphertext.
In step S303, the TA generates result information according to the parsed transaction sensitive information and the decrypted transaction sensitive information plaintext.
Wherein the result information indicates a transaction result represented by the first transaction message. Specifically, security authentication can be performed and a transaction result can be determined by whether the analyzed transaction sensitive information is consistent with the transaction sensitive information message obtained through decryption. The result information needs to be fed back to the server, so that the server processes the transaction represented by the first transaction message.
In step S304, the TA encrypts the result information by using the shared key to obtain a result information ciphertext.
And the result information ciphertext is the encrypted result information.
In step S305, the TA generates and transmits a second transaction message according to the result information and the result information ciphertext.
The second transaction message includes result information and a result information ciphertext. Specifically, the second transaction message is sent to the server, so that the server can perform security authentication according to the result information and the result information ciphertext in the second transaction message, and bidirectional authentication between the user terminal and the server is achieved.
In the embodiment of the application, the actions of analyzing the first transaction message generated by the server, decrypting the transaction sensitive information ciphertext to generate the result information, encrypting the result information, generating the second transaction message and the like are all realized in the TA of the TEE in the user terminal. And the TA generates result information according to the analyzed transaction sensitive information and the decrypted transaction sensitive information plaintext so as to complete the safety authentication from the server to the user block. And the TA generates and sends a second transaction message so that the server receives the second transaction message and completes the security authentication from the user terminal to the server. The security of the TEE and TA is much higher than that of the operating system of the user terminal and is difficult to be breached. The safety of transaction information processing is improved, the safety authentication from the user terminal to the server and the safety authentication from the server to the user terminal can be safely carried out, the safety of transaction information processing is improved, and therefore the safety of electronic transaction is improved.
Fig. 3 is a flowchart of a transaction information processing method applied to a user terminal according to another embodiment of the present application. The transaction information processing method shown in fig. 3 is different from the transaction information processing method shown in fig. 2 in that the user terminal is further provided with a service application and an authentication application, and the transaction information processing method shown in fig. 3 may further include steps S306 to S311.
In step S306, the service application receives the first transaction message sent by the server, and encrypts the first transaction message by using a first encryption and decryption algorithm to obtain a first transaction ciphertext.
The service application is an application corresponding to a server, and may run in a Rich Execution Environment (REE). For example, if the server is a financial institution-specific server, the service application is a financial institution-specific service application. For example, the server is a server of a bank, the service application may be a service application specific to the bank.
After the server generates the first transaction message, the server can send the first transaction message to a service application set in the user terminal. In order to further ensure the security of the first transaction message, the service application may encrypt the first transaction message for transmission. The first encryption and decryption algorithm may be stored in a service application. The first transaction ciphertext is the first transaction message encrypted by using the first encryption and decryption algorithm. Specifically, the encryption of the first transaction message may be performed in a service Software Development Kit (SDK) in the service application, and the first encryption and decryption algorithm may be implemented by the service SDK.
In step S307, the service application transmits the first transaction cryptogram to the authentication application.
The authentication application may perform digital certificate authentication. The authentication application may run in the REE. For example, the authentication application may be an electronic U-shield installed in the user terminal. For example, the user terminal is a mobile phone, and the authentication application may be a mobile phone shield.
In step S308, the authentication application receives the first transaction ciphertext, decrypts the first transaction ciphertext by using the first encryption/decryption algorithm, obtains the first transaction message, and sends the first transaction message to the TA.
The authentication application may pre-agree with the service application for an encryption/decryption algorithm, and the authentication application may store the same first encryption/decryption algorithm as in the service application. In some examples, the first encryption/decryption algorithm may be a symmetric encryption algorithm. The authentication application may send the first transaction message to the TA over a secure private communication channel with the TEE.
In step S309, the authentication application receives the second transaction message sent by the TA, and encrypts the second transaction message by using the first encryption and decryption algorithm to obtain a second transaction ciphertext.
After the TA generates the second transaction message, the TA may send the second transaction message to the authentication application. To further ensure security during transmission of the second transaction message, the authentication application may encrypt the second transaction message. Specifically, the second transaction message may be encrypted by using a first encryption/decryption algorithm stored in the TA. The second transaction ciphertext is the encrypted second transaction message. The TA may send the second transaction message to the authentication application through a secure private communication channel of the authentication application and the TEE.
In step S310, the authentication application sends the second transaction cryptogram to the service application.
In step S311, the service application receives the second transaction ciphertext, decrypts the second transaction ciphertext by using the first encryption and decryption algorithm, obtains a second transaction message, and sends the second transaction message to the server.
Specifically, the decryption of the second transaction ciphertext may be performed in a service SDK in the service application, and the first encryption and decryption algorithm may be implemented by the service SDK. And the service application sends the decrypted second transaction message to the server. The security in the transmission process of the second transaction message is further ensured through the encryption and decryption between the authentication application and the service application.
Fig. 4 is a flowchart of a transaction information processing method applied to a user terminal according to another embodiment of the present application. The transaction information processing method shown in fig. 4 is different from the transaction information processing method shown in fig. 2 in that the transaction information processing method shown in fig. 4 may further include step S312 and step S313, or step S314 and step S315; step S303 in fig. 2 may be specifically subdivided into step S3031 or step S3032 in fig. 4; step S305 in fig. 2 can be specifically detailed as step S3051 and step S3052 in fig. 4.
In step S312, the TA parses the first transaction message to obtain the key generation auxiliary information.
Wherein the first transaction message further comprises key generation assistance information. The key generation assistance information may be server generated. The key generation assistance information is used to assist in generating the shared key. In some examples, the key generation assistance information may include a transaction session number and a transaction random number. The transaction numbers corresponding to different transactions are different, and the randomness of the transaction random numbers is high. The key generation auxiliary information corresponding to each transaction is different, so that the shared key generated correspondingly to each transaction can be different, the risk of leakage of the shared key is further reduced, and the safety of the electronic transaction is further improved.
In step S313, the TA generates a shared key using the key generation assistance information and the solid-state key stored by the TA.
In this example, the solid-state key is stored in the TA, so that the risk of tampering the solid-state key is avoided, and the security of the solid-state key is improved. And the TA generates auxiliary information and a solid key by using the key obtained by analyzing the first transaction message, and generates a shared key. The specific shared key generation algorithm may be stored in the TA, and the TA of the ue and the server may agree in advance on one or more shared key generation algorithms.
In some examples, the TA of the ue may pre-agree with the server for a plurality of shared key generation algorithms, which are stored in the TA. The first transaction message may also include an algorithm identification. The algorithm identifier may include an algorithm number or an algorithm name, and the like, and is not limited herein. The TA can analyze the algorithm identification from the first transaction message, call a shared key generation algorithm corresponding to the algorithm identification from a plurality of stored shared key generation algorithms, and generate the shared key by using the key to generate the auxiliary information and the solid key.
In step S314, the TA parses the first transaction message to obtain the key generation auxiliary information.
The content of step S314 can refer to the related description of step S312, and is not described herein again. Wherein, in some examples, the key generation assistance information includes a transaction session number and a transaction random number.
In step S315, the TA acquires the solid-state key from the eSE, generates the shared key using the key generation assistance information and the solid-state key.
In some examples, the user terminal is also provided with an eSE. The solid-state key may be stored in the eSE, and the TA may retrieve the solid-state key from the eSE, generate the shared key using the key to generate the side information and the solid-state key. For the specific content of generating the shared key by using the key generation auxiliary information and the solid-state key, reference may be made to the relevant description in step S313, which is not described herein again.
During communication between the TA and the eSE, the solid-state key transmitted between the TA and the eSE can be encrypted to reduce the risk of the solid-state key being compromised. Specifically, the eSE encrypts the solid-state key according to the second encryption and decryption algorithm to obtain a solid-state key ciphertext and sends the solid-state key ciphertext to the TA. And the TA decrypts the solid-state secret key ciphertext according to the second encryption and decryption algorithm to obtain the solid-state secret key.
The eSE and TA may pre-agree on a second encryption/decryption algorithm. The second encryption/decryption algorithm is stored in the eSE, as well as in the TA. In some examples, the second encryption/decryption algorithm may be a symmetric encryption/decryption algorithm.
In step S3031, if the plaintext of the analyzed transaction sensitive information matches the plaintext of the decrypted transaction sensitive information, the TA generates first result information.
The result information in the above embodiment includes the first result information. The plaintext of the analyzed transaction sensitive information is consistent with that of the transaction sensitive information obtained through decryption, the fact that the first transaction message is not tampered is shown, and the security authentication is successful. The first result information is used for indicating the transaction success represented by the first transaction message.
In step S3032, if the plaintext of the analyzed transaction sensitive information is inconsistent with the plaintext of the transaction sensitive information obtained by decryption, the TA generates second result information.
The result information in the above embodiment includes the second result information. The analyzed transaction sensitive information is inconsistent with the transaction sensitive information plaintext obtained through decryption, and the first transaction message is possibly tampered, the security authentication fails, the transaction represented by the first transaction table should not be executed, and the transaction fails. The second result information is used for indicating the transaction failure represented by the first transaction message.
In some examples, if the user terminal receives a PIN input error or PIN locking caused by the inconsistency between the user input password and the security password, the TA may also generate second result information to indicate that the transaction represented by the first transaction packet has failed.
In step S3051, the TA acquires key generation assistance information.
Specifically, the TA obtains the key generation auxiliary information from the first transaction packet. In some examples, the key generation assistance information may include a transaction session number and a transaction random number.
In step S3052, the TA performs a concatenation operation on the key generation auxiliary information, the result information, and the result information ciphertext to generate a second transaction packet and send the second transaction packet.
The specific splicing algorithm of the splicing operation is not limited herein. For example, the key generation auxiliary information includes a transaction session number sessionid and a transaction random number random, the result information is result, and the result information ciphertext is result'. The generated second transaction message may be "sessionid & random + random & result + result'". Since the specific splicing operation content is hard to know from the outside, the second transaction message generated by the splicing operation is hard to leak or be tampered, the security of the content in the second transaction message is improved, and the security of the electronic transaction is further improved.
The application also provides a transaction information processing method which can be particularly applied to the server. Fig. 5 is a flowchart of a transaction information processing method applied to a server according to an embodiment of the present application. As shown in fig. 5, the transaction information processing method may include steps S401 to S405.
In step S401, the transaction sensitive information is encrypted by using the shared key to obtain a transaction sensitive information ciphertext.
The transaction sensitive information is sensitive information in the transaction process, and the transaction sensitive information has higher requirements on safety. The content of the transaction sensitive information may be set according to a specific type of the electronic transaction, and is not limited herein. For example, taking an electronic transaction as an electronic transfer, the transaction sensitive information may include a payee name, a payee account number, a payee amount, etc. The transaction sensitive information ciphertext is the encrypted transaction sensitive information.
The TA of the server and the ue may agree in advance on the shared key or an algorithm for generating the shared key. The server may generate the shared key by using a shared key generation algorithm before encryption, or may call the shared key stored in the server before encryption, which is not limited herein.
In step S402, a first transaction message is generated according to the transaction sensitive information and the transaction sensitive information ciphertext and sent to the user terminal.
The first transaction message comprises transaction sensitive information and a transaction sensitive information ciphertext. Specifically, the first transaction message is sent to the user terminal, so that the user terminal can perform security authentication according to the transaction sensitive information and the transaction sensitive information ciphertext in the first transaction message, and thus bidirectional authentication between the server and the user terminal is realized.
Wherein the user terminal is provided with a secure execution environment TEE. The TEE is provided with a trusted application TA. The TA stores the shared secret or can generate the shared secret. And the task of performing security authentication according to the transaction sensitive information in the first transaction message and the transaction sensitive information ciphertext is executed by the TA of the user terminal.
In step S403, a second transaction message sent by the user terminal is received, and a result information ciphertext and result information are obtained through parsing in the second transaction message.
And the second transaction message comprises a result information ciphertext and result information. The result information ciphertext is obtained by encrypting the result information by the TA in the user terminal by using the shared key. However, it should be noted that the result information/result information ciphertext in the second transaction message may be tampered during the transmission process between the TA of the ue and the server, and needs to be authenticated in the subsequent process.
In step S404, the parsed result information ciphertext is decrypted using the shared key to obtain a result information plaintext.
And the result information plaintext is the plaintext obtained by decrypting the result information ciphertext.
In step S405, if the parsed result information is consistent with the decrypted result information plaintext, the transaction represented by the first transaction packet is processed based on the result information.
The plaintext of the analyzed result information is consistent with that of the decrypted result information, which shows that the second transaction message is not tampered, and the security authentication is successful. The transaction represented by the first transaction message may be processed with the result information indication.
In the embodiment of the application, the server encrypts the transaction sensitive information by using the shared key shared with the TA of the user terminal, generates a first transaction message comprising the transaction sensitive information and a transaction sensitive information ciphertext and sends the first transaction message to the user terminal, so that the AT of the user terminal receives the first transaction message and completes the security authentication from the server to the user terminal. And the server receives a second transaction message generated by the AT of the user terminal, and performs security authentication from the user terminal to the server according to whether the analyzed result information is consistent with the plaintext of the result information obtained by decryption. The security of the TEE and TA is much higher than that of the operating system of the user terminal and is difficult to be breached. The safety authentication from the server to the user terminal and the safety authentication from the user terminal to the server can be safely carried out, so that the safety of transaction information processing is improved, and the safety of electronic transaction is improved.
Fig. 6 is a flowchart of a transaction information processing method applied to a server according to another embodiment of the present application. The transaction processing method shown in fig. 6 is different from the transaction processing method shown in fig. 5 in that the transaction processing method shown in fig. 6 may further include steps S406 to S408, and step S409; step S402 in fig. 5 may be specifically subdivided into step S4021 and step S4022 in fig. 6; step S405 in fig. 5 can be specifically subdivided into step S4051 or step S4052 in fig. 6.
In step S406, a solid-state key is acquired.
The solid-state key is stored in the server, and the specific storage area is not limited herein.
In step S407, key generation assistance information is generated.
The server may generate the key generation assistance information before the server encrypts the transaction sensitive information. The key generation assistance information is used to assist in generating the shared key. In some examples, the key generation assistance information may include a transaction session number and a transaction random number. The transaction numbers corresponding to different transactions are different, and the randomness of the transaction random numbers is high. The key generation auxiliary information corresponding to each transaction is different, so that the shared key generated correspondingly to each transaction can be different, the risk of leakage of the shared key is further reduced, and the safety of the electronic transaction is further improved.
In step S408, a shared key is generated using the key generation assistance information and the solid-state key.
The server may pre-agree with the TA of the user terminal for one or more shared key generation algorithms.
In some examples, the server generates the shared key according to a shared key generation algorithm that may be pre-agreed with the TA of the user terminal, using the key generation assistance information and the solid-state key.
In other examples, the server generates the shared key using the key generation assistance information and the solid-state key according to one of a plurality of shared key generation algorithms that may be pre-agreed with the TA of the user terminal by the server. Correspondingly, the server can also generate the first transaction message by utilizing the algorithm identification of one shared key generation algorithm in the selected multiple shared key generation algorithms. I.e. the first transaction message may also comprise an algorithm identification.
In step S409, if the parsed result information is inconsistent with the decrypted result information plaintext, the transaction represented by the first transaction packet is cancelled.
The plaintext of the analyzed result information is inconsistent with the plaintext of the result information obtained by decryption, which indicates that the second transaction message is possibly tampered, the security authentication fails, the transaction is not executed, and the transaction is cancelled.
In step S4021, key generation assistance information is acquired.
The content of the key generation auxiliary information can be referred to the relevant description in step S407, and is not described herein again.
In step S4022, the key generation auxiliary information, the transaction sensitive information, and the transaction sensitive information ciphertext are spliced to generate a first transaction message and send the first transaction message to the user terminal.
The specific splicing algorithm of the splicing operation is not limited herein. For example, the key generation auxiliary information includes a transaction session number sessionid and a transaction random number random, the transaction sensitive information is param, and the result information ciphertext is param'. The generated second transaction message may be "sessionid & random + random & param + param'". Since the specific splicing operation content is hard to know from the outside, the first transaction message generated by the splicing operation is hard to leak or be tampered, the security of the content in the first transaction message is improved, and the security of the electronic transaction is further improved.
In step S4051, based on the first result information, the transaction represented by the first transaction packet is executed.
The result information in the above embodiment includes the first result information. The first result information is used for indicating the transaction success represented by the first transaction message.
In step S4052, based on the second result information, the transaction represented by the first transaction packet is cancelled.
The result information in the above embodiment includes the second result information. The second result information is used for indicating the transaction failure represented by the first transaction message.
The embodiment of the application also provides the user terminal. Fig. 7 is a schematic structural diagram of a user terminal according to an embodiment of the present application. The user terminal is provided with a TEE, and the TEE is provided with a TA. As shown in fig. 7, the TA in the user terminal 500 may include a parsing module 501, a decryption module 502, a result generation module 503, an encryption module 504, and a message generation module 505.
The analysis module 501 is configured to receive a first transaction message, and analyze the first transaction message to obtain transaction sensitive information and a transaction sensitive information ciphertext, where the transaction sensitive information ciphertext is obtained by encrypting the transaction sensitive information by using a shared key through a server;
and the decryption module 502 is configured to decrypt the parsed transaction sensitive information ciphertext with the shared key to obtain a transaction sensitive information plaintext.
And the result generating module 503 is configured to generate result information according to the parsed transaction sensitive information and the decrypted transaction sensitive information plaintext.
Wherein the result information indicates a transaction result represented by the first transaction message.
And the encryption module 504 is configured to encrypt the result information by using the shared key to obtain a result information ciphertext.
And the message generating module 505 is configured to generate and send a second transaction message according to the result information and the result information ciphertext.
In the embodiment of the application, the actions of analyzing the first transaction message generated by the server, decrypting the transaction sensitive information ciphertext to generate the result information, encrypting the result information, generating the second transaction message and the like are all realized in the TA of the TEE in the user terminal. And the TA generates result information according to the analyzed transaction sensitive information and the decrypted transaction sensitive information plaintext so as to complete the safety authentication from the server to the user block. And the TA generates and sends a second transaction message so that the server receives the second transaction message and completes the security authentication from the user terminal to the server. The security of the TEE and TA is much higher than that of the operating system of the user terminal and is difficult to be breached. The safety of transaction information processing is improved, the safety authentication from the user terminal to the server and the safety authentication from the server to the user terminal can be safely carried out, the safety of transaction information processing is improved, and therefore the safety of electronic transaction is improved.
The user terminal 500 is also provided with a service application and an authentication application. Correspondingly, the user terminal 500 may further include a module carrying a service application and a module carrying an authentication application. Fig. 8 is a schematic structural diagram of a user terminal according to another embodiment of the present application. The user terminal shown in fig. 8 is different from the user terminal shown in fig. 7 in that the user terminal 500 shown in fig. 8 may further include a first message encryption module 506, a first message decryption module 507, a second message encryption module 508, and a second message decryption module 509.
The first message encryption module 506 is configured to receive a first transaction message sent by the server, encrypt the first transaction message by using a first encryption and decryption algorithm, obtain a first transaction ciphertext, and send the first transaction ciphertext to the authentication application.
The first message decryption module 507 is configured to receive the first transaction ciphertext, decrypt the first transaction ciphertext by using a first encryption and decryption algorithm, obtain a first transaction message, and send the first transaction message to the TA.
The second message encryption module 508 is configured to receive a second transaction message sent by the TA, encrypt the second transaction message by using the first encryption and decryption algorithm, obtain a second transaction ciphertext, and send the second transaction ciphertext to the service application.
The second message decryption module 509 is configured to receive the second transaction ciphertext, decrypt the second transaction ciphertext by using the first encryption and decryption algorithm, obtain a second transaction message, and send the second transaction message to the server.
Fig. 9 is a schematic structural diagram of a user terminal according to yet another embodiment of the present application. The user terminal shown in fig. 9 is different from the user terminal shown in fig. 7 in that the TA in the user terminal 500 shown in fig. 9 may further include a key generation module 510. If the ue is configured with an eSE, the eSE in the ue may include a key encryption module 511.
In some examples, the first transaction message further includes key generation assistance information.
The parsing module 501 in the above embodiment may also be configured to parse the first transaction packet to obtain the key generation auxiliary information.
A key generation module 510, configured to generate a shared key by using the key generation assistance information and the solid-state key stored by the TA.
In other examples, the first transaction message further includes key generation assistance information. The user terminal is provided with an embedded secure element eSE.
The parsing module 501 in the above embodiment may also be configured to parse the first transaction packet to obtain the key generation auxiliary information.
A key generating module 501, configured to obtain a solid-state key from the eSE, generate the auxiliary information and the solid-state key by using the key, and generate a shared key.
The key encryption module 511 may be configured to encrypt the solid-state key according to the second encryption and decryption algorithm to obtain a solid-state key ciphertext and send the solid-state key ciphertext to the TA;
the key generation module 501 may be specifically configured to decrypt the solid-state key ciphertext according to a second encryption and decryption algorithm to obtain the solid-state key.
Specifically, the key generation assistance information in the above example includes a transaction session number and a transaction random number.
In the above embodiment, the result information includes first result information or second result information, where the first result information is used to indicate that the transaction represented by the first transaction message is successful, and the second result information is used to indicate that the transaction represented by the first transaction message is failed.
Correspondingly, the result generating module 503 in the foregoing embodiment may be specifically configured to: if the analyzed transaction sensitive information is consistent with the plaintext of the transaction sensitive information obtained through decryption, first result information is generated; and if the analyzed transaction sensitive information is inconsistent with the plaintext of the transaction sensitive information obtained by decryption, generating second result information.
The message generating module 505 in the foregoing embodiment may be specifically configured to: acquiring key generation auxiliary information; and splicing the key generation auxiliary information, the result information and the result information ciphertext to generate and send a second transaction message.
The application also provides a server. Fig. 10 is a schematic structural diagram of a server according to an embodiment of the present application. As shown in fig. 10, the server 600 may include an encryption module 601, a message generation module 602, a parsing module 603, a decryption module 604, and a processing module 605.
The encryption module 601 is configured to encrypt the transaction sensitive information by using the shared key to obtain a transaction sensitive information ciphertext;
the message generating module 602 is configured to generate a first transaction message according to the transaction sensitive information and the transaction sensitive information ciphertext, and send the first transaction message to the user terminal.
Wherein the user terminal is provided with a secure execution environment TEE. The TEE is provided with a trusted application TA. The TA has a shared secret key.
The parsing module 603 is configured to receive a second transaction message sent by the user terminal, and parse the second transaction message to obtain a result information ciphertext and result information.
And the result information ciphertext is obtained by encrypting the result information by the TA in the user terminal by using the shared key.
And a decryption module 604, configured to decrypt the parsed result information ciphertext with the shared key to obtain a result information plaintext.
The processing module 605 is configured to, if the parsed result information is consistent with the decrypted result information plaintext, process the transaction represented by the first transaction packet based on the result information.
In the embodiment of the application, the server encrypts the transaction sensitive information by using the shared key shared with the TA of the user terminal, generates a first transaction message comprising the transaction sensitive information and a transaction sensitive information ciphertext and sends the first transaction message to the user terminal, so that the AT of the user terminal receives the first transaction message and completes the security authentication from the server to the user terminal. And the server receives a second transaction message generated by the AT of the user terminal, and performs security authentication from the user terminal to the server according to whether the analyzed result information is consistent with the plaintext of the result information obtained by decryption. The security of the TEE and TA is much higher than that of the operating system of the user terminal and is difficult to be breached. The safety authentication from the server to the user terminal and the safety authentication from the user terminal to the server can be safely carried out, so that the safety of transaction information processing is improved, and the safety of electronic transaction is improved.
Fig. 11 is a schematic structural diagram of a server according to another embodiment of the present application. The server shown in fig. 11 is different from the server shown in fig. 10 in that the server 600 shown in fig. 11 may further include an acquisition module 606, an auxiliary information generation module 607, and a key generation module 608.
An obtaining module 606 may be configured to obtain the solid-state key.
An auxiliary information generation module 607 for generating key generation auxiliary information.
In particular, the key generation assistance information may include a transaction session number and a transaction random number.
And a key generation module 608, configured to generate a shared key by using the key generation auxiliary information and the solid-state key.
The message generating module 602 in the foregoing embodiment may be specifically configured to: acquiring key generation auxiliary information; and splicing the key generation auxiliary information, the transaction sensitive information and the transaction sensitive information ciphertext to generate a first transaction message and send the first transaction message to the user terminal.
The processing module 605 in the above embodiment may also be configured to cancel the transaction represented by the first transaction packet if the parsed result information is inconsistent with the plaintext of the result information obtained by decryption.
In some examples, the result information includes the first result information or the second result information. The first result information is used for indicating the transaction success represented by the first transaction message. The second result information is used for indicating the transaction failure represented by the first transaction message.
Correspondingly, the processing module 605 in the above embodiment may be specifically configured to: executing the transaction represented by the first transaction message based on the first result information; or canceling the transaction represented by the first transaction message based on the second result information.
Fig. 12 is a schematic hardware structure diagram of a user terminal according to an embodiment of the present application. As shown in fig. 12, the user terminal 700 comprises a memory 701, a processor 702 and a computer program stored on the memory 701 and executable on the processor 702.
In one example, the processor 702 may include a Central Processing Unit (CPU), or an Application Specific Integrated Circuit (ASIC), or may be configured to implement one or more integrated circuits of embodiments of the present application.
Memory 701 may include mass storage for data or instructions. By way of example, and not limitation, memory 701 may include an HDD, floppy disk drive, flash memory, optical disk, magneto-optical disk, magnetic tape, or a Universal Serial Bus (USB) drive or a combination of two or more of these. Memory 701 may include removable or non-removable (or fixed) media, where appropriate. Memory 701 may be internal or external to user terminal 700 at a terminal hotspot, where appropriate. In a particular embodiment, the memory 701 is a non-volatile solid-state memory. In a particular embodiment, the memory 701 includes Read Only Memory (ROM). Where appropriate, the ROM may be mask-programmed ROM, Programmable ROM (PROM), Erasable PROM (EPROM), Electrically Erasable PROM (EEPROM), electrically rewritable ROM (EAROM), or flash memory or a combination of two or more of these.
The processor 702 runs a computer program corresponding to the executable program code by reading the executable program code stored in the memory 701, for implementing the transaction information processing method applied to the user terminal in the above-described embodiment.
In one example, user terminal 700 can also include a communication interface 703 and a bus 704. As shown in fig. 12, the memory 701, the processor 702, and the communication interface 703 are connected by a bus 704 to complete mutual communication.
The communication interface 703 is mainly used for implementing communication between modules, apparatuses, units and/or devices in this embodiment of the application. Input devices and/or output devices may also be accessed through communications interface 703.
The bus 704 comprises hardware, software, or both coupling the components of the user terminal 700 to each other. By way of example, and not limitation, the bus 704 may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front Side Bus (FSB), a Hyper Transport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an infiniband interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a video electronics standards association local (VLB) bus, or other suitable bus, or a combination of two or more of these. Bus 704 may include one or more buses, where appropriate. Although specific buses are described and shown in the embodiments of the application, any suitable buses or interconnects are contemplated by the application.
The hardware structure of the server in the embodiment of the present application may refer to the hardware structure of the user terminal in the above embodiment, and is not described herein again. It should be noted that, the processor in the server executes the computer program corresponding to the executable program code by reading the executable program code stored in the memory, so as to implement the transaction information processing method applied to the server in the above-mentioned embodiment.
The embodiment of the application also can provide a transaction information processing system. As shown in fig. 1, the transaction information processing system includes the user terminal and the server in the above embodiment, and specific contents may refer to relevant descriptions in the above embodiment, which are not described herein again.
An embodiment of the present application further provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the computer program can implement the transaction information processing method applied to the user terminal or the transaction information processing method applied to the server in the above-mentioned embodiments.
It should be clear that the embodiments in this specification are described in a progressive manner, and the same or similar parts in the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. For the user terminal embodiment, the server embodiment and the computer-readable storage medium embodiment, reference may be made to the description of the method embodiments for relevant points. The present application is not limited to the particular steps and structures described above and shown in the drawings. Those skilled in the art may make various changes, modifications and additions or change the order between the steps after appreciating the spirit of the present application. Also, a detailed description of known process techniques is omitted herein for the sake of brevity.
It will be appreciated by persons skilled in the art that the above embodiments are illustrative and not restrictive. Different features which are present in different embodiments may be combined to advantage. Other variations to the disclosed embodiments can be understood and effected by those skilled in the art upon studying the drawings, the specification, and the claims. In the claims, the term "comprising" does not exclude other means or steps; the indefinite article "a" does not exclude a plurality; the terms "first" and "second" are used to denote a name and not to denote any particular order. Any reference signs in the claims shall not be construed as limiting the scope. The functions of the various parts appearing in the claims may be implemented by a single hardware or software module. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
Claims (21)
1. A transaction information processing method is applied to a user terminal, the user terminal is provided with a Trusted Execution Environment (TEE), the TEE is provided with a Trusted Application (TA), and the method comprises the following steps:
the TA receives the first transaction message, and analyzes the first transaction message to obtain transaction sensitive information and a transaction sensitive information ciphertext, wherein the transaction sensitive information ciphertext is obtained by encrypting the transaction sensitive information by a server by using a shared key;
the TA decrypts the analyzed transaction sensitive information ciphertext by using the shared secret key to obtain a transaction sensitive information plaintext;
the TA generates result information according to the analyzed transaction sensitive information and the decrypted transaction sensitive information plaintext, wherein the result information indicates a transaction result represented by the first transaction message;
the TA encrypts the result information by using the shared secret key to obtain a result information ciphertext;
and the TA generates a second transaction message according to the result information and the result information ciphertext and sends the second transaction message.
2. The method according to claim 1, characterized in that the user terminal is further provided with a service application and an authentication application,
before the TA receives the first transaction message, the method further includes:
the service application receives the first transaction message sent by the server, encrypts the first transaction message by using a first encryption and decryption algorithm to obtain a first transaction ciphertext and sends the first transaction ciphertext to the authentication application;
and the authentication application receives the first transaction ciphertext, decrypts the first transaction ciphertext by using the first encryption and decryption algorithm to obtain the first transaction message and sends the first transaction message to the TA.
3. The method according to claim 2, wherein after the TA generates and transmits a second transaction message according to the result information and the result information ciphertext, the method further comprises:
the authentication application receives the second transaction message sent by the TA, encrypts the second transaction message by using the first encryption and decryption algorithm to obtain a second transaction ciphertext and sends the second transaction ciphertext to the service application;
and the service application receives the second transaction ciphertext, decrypts the second transaction ciphertext by using the first encryption and decryption algorithm to obtain the second transaction message and sends the second transaction message to the server.
4. The method of claim 1, wherein the first transaction message further includes key generation assistance information,
before the TA decrypts the parsed transaction sensitive information ciphertext by using the shared key to obtain the transaction sensitive information, the method further includes:
the TA analyzes the first transaction message to obtain the key generation auxiliary information;
and the TA generates the shared secret key by utilizing the secret key generation auxiliary information and the solid secret key stored by the TA.
5. The method according to claim 1, wherein the user terminal is provided with an embedded secure element (eSE), wherein the first transaction message further comprises key generation assistance information,
before the TA decrypts the parsed transaction sensitive information ciphertext by using the shared key to obtain the transaction sensitive information, the method further includes:
the TA analyzes the first transaction message to obtain the key generation auxiliary information;
and the TA acquires a solid-state key from the eSE, and generates the shared key by using the key generation auxiliary information and the solid-state key.
6. The method of claim 5, wherein the TA obtains a solid state key from the eSE, comprising:
the eSE encrypts the solid-state key according to a second encryption and decryption algorithm to obtain a solid-state key ciphertext and sends the solid-state key ciphertext to the TA;
and the TA decrypts the solid-state secret key ciphertext according to the second encryption and decryption algorithm to obtain the solid-state secret key.
7. The method according to claim 4, wherein the TA generates and sends a second transaction message according to the result information and the result information ciphertext, comprising:
the TA acquires the key generation auxiliary information;
and the TA carries out splicing operation on the key generation auxiliary information, the result information and the result information ciphertext to generate a second transaction message and send the second transaction message.
8. The method of claim 4, 5 or 7, wherein the key generation assistance information comprises a transaction session number and a transaction random number.
9. The method of claim 1, wherein the result information comprises first result information indicating a successful transaction represented by the first transaction message or second result information indicating a failed transaction represented by the first transaction message,
the TA generates result information according to the analyzed transaction sensitive information and the decrypted transaction sensitive information plaintext, and the result information comprises the following steps:
if the analyzed transaction sensitive information is consistent with the plaintext of the transaction sensitive information obtained through decryption, the TA generates the first result information;
and if the analyzed transaction sensitive information is inconsistent with the plaintext of the transaction sensitive information obtained by decryption, the TA generates second result information.
10. A transaction information processing method is applied to a server, and the method comprises the following steps:
encrypting the transaction sensitive information by using the shared secret key to obtain a transaction sensitive information ciphertext;
generating a first transaction message according to the transaction sensitive information and the transaction sensitive information ciphertext and sending the first transaction message to a user terminal, wherein the user terminal is provided with a secure execution environment (TEE), a Trusted Application (TA) is arranged in the TEE, and the TA is provided with the shared secret key;
receiving a second transaction message sent by the user terminal, and analyzing the second transaction message to obtain a result information ciphertext and result information, wherein the result information ciphertext is obtained by encrypting the result information by the TA in the user terminal by using the shared key;
decrypting the analyzed result information ciphertext by using the shared secret key to obtain a result information plaintext;
and if the analyzed result information is consistent with the result information plaintext obtained by decryption, processing the transaction represented by the first transaction message based on the result information.
11. The method of claim 10, wherein before encrypting the transaction sensitive information using the shared key to obtain the transaction sensitive information ciphertext, the method further comprises:
acquiring a solid-state secret key;
generating key generation auxiliary information;
and generating the shared secret key by utilizing the secret key generation auxiliary information and the solid secret key.
12. The method of claim 11, wherein generating and sending a first transaction message to a user terminal according to the transaction sensitive information and the transaction sensitive information ciphertext comprises:
acquiring the key generation auxiliary information;
and splicing the key generation auxiliary information, the transaction sensitive information and the transaction sensitive information ciphertext to generate the first transaction message and send the first transaction message to the user terminal.
13. The method according to claim 11 or 12, wherein the key generation assistance information comprises a transaction session number and a transaction random number.
14. The method of claim 10, further comprising:
and if the analyzed result information is inconsistent with the plaintext of the result information obtained by decryption, canceling the transaction represented by the first transaction message.
15. The method of claim 10, wherein the result information comprises first result information indicating a successful transaction represented by the first transaction message or second result information indicating a failed transaction represented by the first transaction message,
the processing the transaction represented by the first transaction message based on the result information includes:
executing the transaction represented by the first transaction message based on the first result information;
alternatively, the first and second electrodes may be,
and canceling the transaction represented by the first transaction message based on the second result information.
16. A user terminal, wherein the user terminal is provided with a Trusted Execution Environment (TEE), the TEE is provided with a Trusted Application (TA), and the TA in the user terminal comprises:
the analysis module is used for receiving the first transaction message and analyzing the first transaction message to obtain transaction sensitive information and a transaction sensitive information ciphertext, and the transaction sensitive information ciphertext is obtained by encrypting the transaction sensitive information by using a shared key through a server;
the decryption module is used for decrypting the analyzed transaction sensitive information ciphertext by using the shared secret key to obtain a transaction sensitive information plaintext;
the result generation module is used for generating result information according to the analyzed transaction sensitive information and the decrypted clear text of the transaction sensitive information, wherein the result information indicates the transaction result represented by the first transaction message;
the encryption module is used for encrypting the result information by using the shared secret key to obtain a result information ciphertext;
and the message generation module is used for generating and sending a second transaction message according to the result information and the result information ciphertext.
17. A server, comprising:
the encryption module is used for encrypting the transaction sensitive information by using the shared secret key to obtain a transaction sensitive information ciphertext;
the message generation module is used for generating a first transaction message according to the transaction sensitive information and the transaction sensitive information ciphertext and sending the first transaction message to a user terminal, wherein the user terminal is provided with a secure execution environment (TEE), a Trusted Application (TA) is arranged in the TEE, and the TA is provided with the shared secret key;
the analysis module is used for receiving a second transaction message sent by the user terminal, and analyzing the second transaction message to obtain a result information ciphertext and result information, wherein the result information ciphertext is obtained by encrypting the result information by the TA in the user terminal by using the shared key;
the decryption module is used for decrypting the analyzed result information ciphertext by using the shared secret key to obtain a result information plaintext;
and the processing module is used for processing the transaction represented by the first transaction message based on the result information if the analyzed result information is consistent with the plaintext of the result information obtained by decryption.
18. A user terminal comprising a processor, a memory and a computer program stored on the memory and executable on the processor, the computer program, when executed by the processor, implementing a transaction information processing method according to any one of claims 1 to 9.
19. A server comprising a processor, a memory, and a computer program stored on the memory and executable on the processor, the computer program, when executed by the processor, implementing a transaction information processing method according to any one of claims 10 to 15.
20. A transaction information processing system comprising a user terminal according to claim 18 and a server according to claim 19.
21. A computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements a transaction information processing method according to any one of claims 1 to 9 or implements a transaction information processing method according to any one of claims 10 to 15.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911356945.6A CN111127014B (en) | 2019-12-25 | 2019-12-25 | Transaction information processing method, server, user terminal, system and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201911356945.6A CN111127014B (en) | 2019-12-25 | 2019-12-25 | Transaction information processing method, server, user terminal, system and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111127014A true CN111127014A (en) | 2020-05-08 |
| CN111127014B CN111127014B (en) | 2023-09-19 |
Family
ID=70503564
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201911356945.6A Active CN111127014B (en) | 2019-12-25 | 2019-12-25 | Transaction information processing method, server, user terminal, system and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111127014B (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111695109A (en) * | 2020-06-02 | 2020-09-22 | 中国工商银行股份有限公司 | Receiving procedure access control method, receiving terminal and server |
| CN113037760A (en) * | 2021-03-15 | 2021-06-25 | 中国建设银行股份有限公司 | Message sending method and device |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP3040924A1 (en) * | 2014-12-30 | 2016-07-06 | Telefonica Digital España, S.L.U. | Method and system for providing device based authentication, integrity and confidentiality for transactions performed by mobile device users |
| US20170041312A1 (en) * | 2015-08-07 | 2017-02-09 | Alibaba Group Holding Limited | Transaction processing method and client based on trusted execution environment |
| WO2018076365A1 (en) * | 2016-10-31 | 2018-05-03 | 美的智慧家居科技有限公司 | Key negotiation method and device |
| CN108229956A (en) * | 2017-12-13 | 2018-06-29 | 北京握奇智能科技有限公司 | Network bank business method, apparatus, system and mobile terminal |
| US20190005493A1 (en) * | 2015-12-24 | 2019-01-03 | Gemalto Sa | Method and system for enhancing the security of a transaction |
-
2019
- 2019-12-25 CN CN201911356945.6A patent/CN111127014B/en active Active
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP3040924A1 (en) * | 2014-12-30 | 2016-07-06 | Telefonica Digital España, S.L.U. | Method and system for providing device based authentication, integrity and confidentiality for transactions performed by mobile device users |
| US20170041312A1 (en) * | 2015-08-07 | 2017-02-09 | Alibaba Group Holding Limited | Transaction processing method and client based on trusted execution environment |
| US20190005493A1 (en) * | 2015-12-24 | 2019-01-03 | Gemalto Sa | Method and system for enhancing the security of a transaction |
| WO2018076365A1 (en) * | 2016-10-31 | 2018-05-03 | 美的智慧家居科技有限公司 | Key negotiation method and device |
| CN108229956A (en) * | 2017-12-13 | 2018-06-29 | 北京握奇智能科技有限公司 | Network bank business method, apparatus, system and mobile terminal |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111695109A (en) * | 2020-06-02 | 2020-09-22 | 中国工商银行股份有限公司 | Receiving procedure access control method, receiving terminal and server |
| CN111695109B (en) * | 2020-06-02 | 2024-04-26 | 中国工商银行股份有限公司 | Order receiving access control method, order receiving terminal and server |
| CN113037760A (en) * | 2021-03-15 | 2021-06-25 | 中国建设银行股份有限公司 | Message sending method and device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111127014B (en) | 2023-09-19 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110891061B (en) | Data encryption and decryption method and device, storage medium and encrypted file | |
| EP2999156B1 (en) | Device authenticity determination system and device authenticity determination method | |
| CN107248075B (en) | Method and device for realizing bidirectional authentication and transaction of intelligent key equipment | |
| CN111615105B (en) | Information providing and acquiring method, device and terminal | |
| US8495383B2 (en) | Method for the secure storing of program state data in an electronic device | |
| CN110995685B (en) | Data encryption and decryption method, device, system and storage medium | |
| CA2969332C (en) | A method and device for authentication | |
| KR20150079489A (en) | Instant messaging method and system | |
| CN111127014B (en) | Transaction information processing method, server, user terminal, system and storage medium | |
| CN113868684A (en) | Signature method, device, server, medium and signature system | |
| CN113660725B (en) | Positioning anti-cheating method, device and system, computer equipment and storage medium | |
| CN109451504B (en) | Internet of things module authentication method and system | |
| CN113038463B (en) | Communication encryption authentication experimental device | |
| CN115348023A (en) | Data security processing method and device | |
| CN111836260B (en) | Authentication information processing method, terminal and network equipment | |
| CN113297091B (en) | SoC chip debugging method and device and SoC chip | |
| CN115801232A (en) | Private key protection method, device, equipment and storage medium | |
| CN114692120B (en) | National password authentication method, virtual machine, terminal equipment, system and storage medium | |
| US9775043B2 (en) | Network locking method and system for wireless terminal | |
| CN112667992A (en) | Authentication method, authentication device, storage medium, and electronic apparatus | |
| CN112769759A (en) | Information processing method, information gateway, server and medium | |
| CN114928756B (en) | Video data protection, encryption and verification method, system and equipment | |
| CN113872769B (en) | Device authentication method and device based on PUF, computer device and storage medium | |
| CN115296934B (en) | Information transmission method and device based on industrial control network intrusion and electronic equipment | |
| EP4318354A1 (en) | Account opening method, system, and apparatus |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |