CN111177694A - Method and device for processing data - Google Patents

Method and device for processing data

Info

Publication number: CN111177694A
Authority: CN (China)
Prior art keywords: data, life cycle, authentication, equipment, capability
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201911292019.7A
Other languages: Chinese (zh)
Other versions: CN111177694B (en)
Inventors: 林嵩晧, 阙鑫地, 林于超, 张舒博, 郑理文
Current Assignee: Huawei Technologies Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Huawei Technologies Co Ltd
Priority date: (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Huawei Technologies Co Ltd
Priority to CN201911292019.7A
Publication of CN111177694A
Application granted
Publication of CN111177694B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G06F21/445 Program or device authentication by mutual authentication, e.g. between devices or programs
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2113 Multi-level security, e.g. mandatory access control

Abstract

The application provides a data processing method and relates to the field of information security. The method can be applied to a scenario in which a second device shares first data with a first device, and comprises the following steps: the second device receives a first request message sent by the first device, where the first request message is used to request the second device to share first data, and the second device includes the first data; the second device determines the life cycle of the first data according to the first request message, where the life cycle is the time for which the first data may exist in the first device; the second device sends the first data and the life cycle of the first data to the first device. According to the data processing method provided by the embodiment of the application, the life cycle of the shared data is set according to the specific conditions, so that the time for which the shared data exists in other devices can be flexibly controlled and the security of the shared data is ensured.

Description

Method and device for processing data
Technical Field
The present application relates to the field of data processing, and more particularly, to a method and an apparatus for processing data.
Background
Biometric identification technology refers to technology that performs identity authentication using human biometric features. More specifically, biometric identification closely combines computers with high-tech means such as optics, acoustics, biosensors and the principles of biometrics, and identifies an individual by the inherent physiological and behavioural characteristics of the human body.
Current biometric identification techniques can be broadly divided into two categories by usage: local biometric enrolment and verification (for example, enrolling fingerprints or faces on a mobile phone and unlocking it), and device-cloud collaborative identification (for example, capturing faces with a camera in an airport and verifying them against a face recognition database on the cloud side).
With the current trend towards diversification of home devices, the demand for biometric identification of devices and for data collaboration after authentication in a distributed environment will gradually increase, and how to protect private data handed to other devices after cross-device authentication becomes an important topic.
Therefore, after a user has been identified through authentication on a public device in a distributed environment, how to manage and protect the user's private data acquired by other devices becomes a problem that urgently needs to be solved.
Disclosure of Invention
The embodiment of the application provides a method and a device for processing data, which can solve the security problem of data after it has been shared across devices.
In a first aspect, a method for data processing is provided, where the method is applied in a scenario in which a second device shares first data with a first device, and includes: the second device receives a first request message sent by the first device, where the first request message is used to request the second device to share first data, and the second device includes the first data; the second device determines the life cycle of the first data according to the first request message, where the life cycle is the time for which the first data may exist in the first device; the second device sends the first data and the information of the life cycle to the first device.
Optionally, the second device may determine, according to the request of the first device, the life cycle of the data to be shared, and send both the data to be shared and its life cycle to the first device, where the first device may delete the data when the life cycle expires, according to the time indicated by the life cycle for which the data may exist.
According to the data processing method provided by the embodiment of the application, the time for which the shared data exists in other devices can be flexibly determined according to different conditions (such as the type and the security capability of the first device, or the security level or importance of the shared data), and the security of the data is thereby further ensured.
With reference to the first aspect, in certain implementations of the first aspect, determining the life cycle of the first data includes: the second device determines the life cycle of the first data according to the security capability of the first device; or the second device determines the life cycle of the first data according to the risk level of the first data; or the second device determines the life cycle of the first data according to the authentication mode adopted by the first device when the second device authenticates it.
It should be understood that the basis for determining the lifecycle of the shared data according to the present application may be varied and is not limited to the above listed examples.
With reference to the first aspect, in some implementations of the first aspect, when the first device has a first security capability, the second device determines that the life cycle of the first data is a first life cycle, where the first security capability indicates that the first device has a complete Trusted Execution Environment (TEE) hardware encryption zone and that the software Operating System (OS) of the first device supports software encryption; when the first device has a second security capability, the second device determines that the life cycle of the first data is a second life cycle, where the second security capability indicates that the first device has a partial TEE hardware encryption zone and that the software OS of the first device supports software encryption, and the second life cycle is shorter than the first life cycle; when the first device has a third security capability, the second device determines that the life cycle of the first data is a third life cycle, where the third security capability indicates that the first device has no TEE hardware encryption zone but the software OS of the first device supports software encryption, and the third life cycle is shorter than the second life cycle; and when the first device has a fourth security capability, the second device determines that the life cycle of the first data is a fourth life cycle, where the fourth security capability indicates that the software OS of the first device does not support software encryption, and the fourth life cycle is shorter than the third life cycle.
Optionally, the first device may send its security capability to the second device, and the second device determines the life cycle of the first data according to whether the first device supports a TEE hardware encryption zone and software OS encryption; or the first device may determine its own security capability level according to whether it supports a TEE hardware encryption zone and software OS encryption, send that security capability level to the second device, and the second device determines the life cycle of the first data according to a mapping between the security capability level of the first device and the life cycle of the first data.
Optionally, when the first device has no software OS platform at all, the second device may decline to share the first data with the first device.
With reference to the first aspect, in certain implementations of the first aspect, the second device determining the life cycle of the first data according to the risk level of the first data includes: when the second device determines that the first data comprises first content, determining that the life cycle of the first data is a fifth life cycle, where the first content comprises one or more items of private information among the user's location information, contact information and communication information; when the second device determines that the first data comprises second content, determining that the life cycle of the first data is a sixth life cycle, where the second content comprises one or more items of private information among the user's personal preference information, rest schedule information and calendar information, and the sixth life cycle is longer than the fifth life cycle; when the second device determines that the first data comprises third content, determining that the life cycle of the first data is a seventh life cycle, where the third content is non-private information of the user, and the seventh life cycle is longer than the sixth life cycle.
With reference to the first aspect, in some implementations of the first aspect, the second device determining the life cycle of the first data according to the authentication mode used by the first device when the second device performs authentication includes: when the second device determines that the first device adopts a first authentication mode, determining that the life cycle of the first data is an eighth life cycle, where the first authentication mode comprises one or more of three-dimensional (3D) face information authentication, password information authentication, iris information authentication and fingerprint information authentication; when the second device determines that the first device adopts a second authentication mode, determining that the life cycle of the first data is a ninth life cycle, where the second authentication mode comprises one or more of two-dimensional (2D) face information authentication, voiceprint information authentication and gait information authentication, and the ninth life cycle is longer than the eighth life cycle; and when the second device determines that the first device adopts a third authentication mode, determining that the life cycle of the first data is a tenth life cycle, where the third authentication mode comprises one or more of handwriting information authentication, height information authentication, weight information authentication and password information authentication, and the tenth life cycle is longer than the ninth life cycle.
It should be understood that the authentication modes listed above are only a few examples; the life cycle of the first data is determined mainly according to the accuracy of the authentication mode, and the more accurate the authentication mode, the longer the life cycle that can be set. The user may classify the authentication modes by accuracy, or the first device and the second device may agree on a classification of authentication modes by accuracy in advance.
With reference to the first aspect, in certain implementations of the first aspect, the method further includes: the second device receives an authentication request message sent by the first device, where the authentication request message is used by the second device to authenticate the first device; and the second device sends an authentication response message to the first device according to the authentication request message, where the authentication response message is used to indicate that the second device has completed authentication of the first device.
In a second aspect, a method for data processing is provided, where the method is applied in a scenario in which a second device shares first data with a first device, and includes: the first device sends a first request message to the second device, where the first request message is used to request the second device to share first data, and the second device comprises the first data; the first device receives the first data sent by the second device together with information of a life cycle, where the life cycle is used to indicate the time for which the first data may exist in the first device; and the first device deletes the first data when the time for which the first data has been present in the first device reaches the time indicated by the life cycle.
With reference to the second aspect, in some implementations of the second aspect, the first device determines a security capability level according to its own security capability: when the first device has a complete TEE hardware encryption zone and the software Operating System (OS) of the first device supports software encryption, the first device determines that its security capability level is a first security level; when the first device has a partial TEE hardware encryption zone and the software OS of the first device supports software encryption, the first device determines that its security capability level is a second security level, where the second security level is lower than the first security level; when the first device has no TEE hardware encryption zone but the software OS of the first device supports software encryption, the first device determines that its security capability level is a third security level, where the third security level is lower than the second security level; and when the first device has no TEE hardware encryption zone and the software OS of the first device does not support software encryption, the first device determines that its security capability level is a fourth security level, where the fourth security level is lower than the third security level.
With reference to the second aspect, in certain implementations of the second aspect, the method further includes: the first device sends an authentication request message to the second device, where the authentication request message is used by the second device to authenticate the first device; and the first device receives an authentication response message sent by the second device, where the authentication response message is used to indicate that the second device has completed authentication of the first device.
In a third aspect, a data processing device is provided, which is configured to perform the method according to any of the implementation manners of the first aspect.
In a fourth aspect, a data processing device is provided, which is configured to perform the method according to any of the implementation manners of the second aspect.
In a fifth aspect, a data sharing system is provided, which includes a first device and a second device, where the first device shares data with the second device, the first device is configured to perform the method according to any implementation manner of the second aspect, and the second device is configured to perform the method according to any implementation manner of the first aspect.
According to the data processing method provided by the embodiment of the application, the life cycle of the shared data is set according to the specific conditions, so that the time for which the shared data exists in other devices can be flexibly controlled and the security of the shared data is ensured.
Drawings
Fig. 1 shows a schematic diagram of sharing data across devices according to an embodiment of the present application.
Fig. 2 shows a schematic flow chart of a method for data processing according to an embodiment of the present application.
Fig. 3 is a schematic diagram illustrating another data processing method according to an embodiment of the present disclosure.
Fig. 4 is a schematic diagram illustrating another data processing method provided in the embodiment of the present application.
Fig. 5 is a schematic diagram illustrating another data processing method provided in an embodiment of the present application.
Fig. 6 shows a data processing device according to an embodiment of the present application.
Fig. 7 shows another data processing apparatus provided in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some, but not all, embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
At present, when data is shared across devices, the security of private data cannot be effectively protected, and data sharing is limited to data that is unrelated to the user's privacy or related only to the location. If the user needs to share data with higher privacy, the user has to operate manually (for example, by phone cloning), and data sharing between devices cannot be performed automatically on the basis of guaranteed data security.
To overcome these shortcomings of the existing technology, the embodiment of the application provides a data processing method by which the handling of the shared data can be determined according to conditions such as the type of the data and the authentication method, so that the security of private data during cross-device sharing is ensured.
Fig. 1 shows a schematic diagram of sharing data across devices according to an embodiment of the present application. The procedure comprises the following steps.
S101, the first device sends an authentication request message to the second device.
The first device is the device requesting the second device to share data, and the second device is the device holding the data to be shared.
In one implementation, the authentication request message sent by the first device to the second device is used to request the second device to complete authentication of the first device. In other words, after the first device passes the second device's authentication, the first device is determined to be a trusted device and data can be shared with it.
It should be understood that the authentication may be performed in various manners, such as password authentication, biometric authentication, etc., and the present application is not limited thereto.
S102, the second device sends an authentication response message to the first device.
In one implementation, after the first device has passed authentication by the second device, if the first device is a trusted secure device, the second device determines that data can be shared with the first device, and notifies the first device through the authentication response message that authentication has passed and/or that data can be shared with it.
S103, the second device sends the shared data to the first device.
In one implementation, the second device sends the data to the first device according to the data that the first device has requested to share. For example, the second device may copy the data, obtain a copy of the shared data, and then send the copy of the shared data to the first device.
It should be understood that, to ensure the security of data sharing, the second device first needs to complete authentication of the first device, and performs data sharing only after determining that the first device is a device with which data can be shared. When the shared data is private data, the private data shared with the first device needs to be protected according to its risk level; specifically, a life cycle of the private data in the first device may be set according to a life cycle management principle, and after the life cycle expires, the relevant private data is deleted.
The procedure for setting the life cycle management mechanism for the shared data obtained by the first device is described below with reference to the accompanying drawings.
Fig. 2 shows a schematic flow chart of a method for data processing according to an embodiment of the present application. The method may be executed by the second device, where the second device holds first data, and the first data is the data that the first device requests the second device to share.
It should be understood that the method may be applied to a scenario in which the second device shares the first data with the first device. The method comprises the following steps.
S201, a second device receives a first request message sent by a first device, where the first request message is used to request the second device to share first data, and the second device includes the first data.
In one implementation, before data sharing is performed, the second device needs to determine whether the first device is a trusted secure device, and at this point the first device needs to be authenticated. Specifically, the second device may receive an authentication request message sent by the first device, where the authentication request message is used by the second device to authenticate the first device; and if the authentication passes, the second device sends an authentication response message to the first device according to the authentication request message, where the authentication response message is used to indicate that the second device has completed authentication of the first device.
In one implementation manner, the second device receives a first request message sent by the first device, where the first request message is used to request the second device to share the first data. The first data may comprise, for example, private data of the user.
In one implementation, the first device and the second device may simultaneously store feature information of the same user, such as face information, iris information, handwriting information, and the like, so that the first device and the second device may implement authentication through the foregoing information.
S202, the second device determines the life cycle of the first data according to the first request message, wherein the life cycle is the time when the first data can exist in the first device.
In one implementation, the second device determining the life cycle of the first data may include: the second device determines the life cycle of the first data according to the security capability of the first device; or the second device determines the life cycle of the first data according to the risk level of the first data; or the second device determines the life cycle of the first data according to the authentication mode adopted by the first device when the second device authenticates it.
In one implementation, the second device may determine the life cycle of the first data according to the security capability of the first device: when the first device has the first security capability, that is, when the first device has a complete Trusted Execution Environment (TEE) hardware encryption zone and the software Operating System (OS) of the first device supports software encryption, the second device determines the life cycle of the first data to be the first life cycle; when the first device has the second security capability, that is, the first device has a partial TEE hardware encryption zone and the software OS of the first device supports software encryption, the second device determines the life cycle of the first data to be the second life cycle, where the second life cycle is shorter than the first life cycle; when the first device has the third security capability, that is, the first device has no TEE hardware encryption zone but the software OS of the first device supports software encryption, the second device determines the life cycle of the first data to be the third life cycle, where the third life cycle is shorter than the second life cycle; and when the first device has the fourth security capability, that is, the software OS of the first device does not support software encryption, the second device determines the life cycle of the first data to be the fourth life cycle, where the fourth life cycle is shorter than the third life cycle.
In one implementation, the first device may determine a security level according to its own security capability and send the security level to the second device, and the second device determines the life cycle of the shared data according to a mapping between the security level and the life cycle of the shared data. The method for determining the security level of the first device may include: when the first device has a complete Trusted Execution Environment (TEE) hardware encryption zone and the software Operating System (OS) of the first device supports software encryption, determining the security level to be a first security level; when the first device has a partial TEE hardware encryption zone and the software OS of the first device supports software encryption, determining the security level to be a second security level; when the first device has no TEE hardware encryption zone but the software OS of the first device supports software encryption, determining the security level to be a third security level; and when the software OS of the first device does not support software encryption, determining the security level to be a fourth security level.
For example, the second device may store a mapping table between the lifecycle of the shared data and the security level of the first device in advance, where the mapping table may indicate, for example, that the first security level corresponds to a first lifecycle, the second security level corresponds to a second lifecycle, the third security level corresponds to a third lifecycle, and the fourth security level corresponds to a fourth lifecycle, and the second lifecycle is shorter than the first lifecycle, the third lifecycle is shorter than the second lifecycle, and the fourth lifecycle is shorter than the third lifecycle.
In an implementation manner, after the first device determines its own security level, the security level may be sent to the second device, and the second device determines a life cycle of data to be shared according to the mapping table.
In one implementation, the second device determines the life cycle of the first data according to the risk level of the first data, which may include the following cases: when the second device determines that the first data comprises first content, determining that the life cycle of the first data is a fifth life cycle, where the first content may comprise one or more items of private information among the user's location information, contact information and communication information; when the second device determines that the first data comprises second content, determining the life cycle of the first data to be a sixth life cycle, where the second content may comprise one or more items of private information among the user's personal preference information, rest schedule information and calendar information, and the sixth life cycle is longer than the fifth life cycle; when the second device determines that the first data comprises third content, determining that the life cycle of the first data is a seventh life cycle, where the third content is non-private information of the user, and the seventh life cycle is longer than the sixth life cycle.
In one implementation, the second device determining the life cycle of the first data according to the authentication mode adopted by the first device when the second device performs authentication may include: when the second device determines that the first device adopts a first authentication mode, determining that the life cycle of the first data is an eighth life cycle, where the first authentication mode comprises one or more of three-dimensional (3D) face information authentication, password information authentication, iris information authentication and fingerprint information authentication; when the second device determines that the first device adopts a second authentication mode, determining that the life cycle of the first data is a ninth life cycle, where the second authentication mode comprises one or more of two-dimensional (2D) face information authentication, voiceprint information authentication and gait information authentication, and the ninth life cycle is longer than the eighth life cycle; and when the second device determines that the first device adopts a third authentication mode, determining that the life cycle of the first data is a tenth life cycle, where the third authentication mode comprises one or more of handwriting information authentication, height information authentication, weight information authentication and password information authentication, and the tenth life cycle is longer than the ninth life cycle.
S203, the second device sends the first data and the information of the life cycle to the first device.
In one implementation, since a life cycle has been set for the first data, the first device may delete the first data once the time indicated by the life cycle has elapsed.
According to the data processing method provided by the embodiment of the application, the life cycle of the shared data is set according to the specific conditions of the sharing, so that the time for which the shared data exists on another device can be controlled flexibly and the security of the shared data is ensured.
The data processing method provided by the embodiment of the present application is described in more detail below with reference to the accompanying drawings.
Fig. 3 shows a schematic diagram of a method for data processing according to an embodiment of the present application.
The data processing method may set a life cycle length of the shared data according to a device type of the first device, and specifically, may determine the life cycle of the shared data according to a security capability of the first device.
It should be understood that the lifecycle referred to in the embodiments of the present application refers to the time that the shared data exists in the first device, and the shared data may be deleted after the lifecycle expires.
In one implementation, the security capabilities of the first device may be classified into different levels according to whether the first device has an independent TEE hardware encryption zone and whether a software Operating System (OS) supports full software encryption capabilities.
For example, if the software OS of the first device has no software encryption capability, the first device may be regarded as having no security capability, and accordingly its security capability is set to the fourth security capability; if the first device has no TEE hardware encryption area but its software OS has software encryption capability, its security capability may be set to the third security capability; if the first device has a partial TEE hardware encryption area and its software OS has software encryption capability, its security capability may be set to the second security capability; and if the first device has a complete TEE hardware encryption area and its software OS has software encryption capability, its security capability may be set to the first security capability. Ordered from high to low, the security capabilities of the first device thus satisfy: first security capability > second security capability > third security capability > fourth security capability.
It should be understood that the above setting of the level of the security capability of the first device according to the TEE hardware and the software OS is only an example, and there may be a plurality of specific setting manners, which are not further exemplified herein.
In one implementation, when the security capability of the first device is at a different level, the life cycle of the shared data in the first device also differs. When the security capability is the first security capability, the second device may set the life cycle of the first data to a first life cycle; when the security capability is the second security capability, the second device may set the life cycle of the first data to a second life cycle; when the security capability is the third security capability, the second device may set the life cycle of the first data to a third life cycle; and when the security capability is the fourth security capability, the second device may set the life cycle of the first data to a fourth life cycle. Ordered from longest to shortest, the life cycles satisfy: first life cycle > second life cycle > third life cycle > fourth life cycle.
In one implementation, a first device may send its security capabilities to a second device.
According to the data processing method provided by the embodiment of the application, the life cycle of the shared data is set according to the security capability of the receiving device, so that data can still be shared while its security is ensured, in particular when private data is shared.
Fig. 4 shows a schematic diagram of a method for data processing according to an embodiment of the present application.
In one implementation, the data processing method may set the length of the life cycle for which the shared data is kept according to the risk level of the shared data.
It should be understood that the life cycle referred to in the embodiments of the present application is the time for which the shared data exists in the first device; the shared data may be deleted after the life cycle expires.
In one implementation, the risk level of the shared data may be divided into four levels: high, medium, low and none. The risk level of the shared data may be defined according to a personal privacy data specification, or set autonomously by the user according to the importance of the shared data.
In one implementation, when the risk level of the shared data is set to a different level, the life cycle of the shared data in the first device also differs. When the shared data includes first content, the risk level is "high", and the second device sets the life cycle of the shared data to a fifth life cycle, where the first content may include, for example, one or more items of the user's privacy information among location information, contact information and communication information; when the shared data includes second content, the risk level is "medium", and the second device sets the life cycle of the shared data to a sixth life cycle, where the second content may include one or more items of the user's privacy information among personal preference information, daily routine (work and rest time) information and schedule information; when the shared data includes third content, the risk level is "low", and the second device sets the life cycle of the shared data to a seventh life cycle, where the third content is information unrelated to the user's privacy, such as the device state. Ordered from longest to shortest, the life cycles satisfy: seventh life cycle > sixth life cycle > fifth life cycle.
In one implementation, if the data that the first device requests the second device to share includes important privacy data of the user, such as bank account information, passwords or payment passwords, the second device may also refuse to share the data automatically. In that case the sharing may be performed manually by the user.
According to the data processing method provided by the embodiment of the application, the corresponding life cycle of the shared data is set according to the risk level of the shared data, so that the data sharing can be ensured, and particularly, the data security is ensured when the private data is shared.
Fig. 5 shows a schematic diagram of a method for data processing according to an embodiment of the present application.
In one implementation, the data processing method may set the life cycle of the shared data according to the recognition accuracy of the authentication performed by the first device. In other words, when the first device requests authentication from the second device, different authentication methods may be used, such as three-dimensional (3D) face authentication, password information authentication, fingerprint authentication, two-dimensional (2D) face authentication, voiceprint authentication, and other soft biometric or behavioural authentication. In general, the accuracy of 3D face authentication and fingerprint authentication is higher than that of 2D face authentication, voiceprint authentication and the like. Therefore, if the first device uses a high-accuracy authentication method such as 3D face authentication or fingerprint authentication, the life cycle of the shared data may be set to a longer time; conversely, if a lower-accuracy authentication method is used, the life cycle of the shared data may be set to a shorter time.
In other words, in the data processing method provided in the embodiment of the present application, the length of the life cycle of the shared data is set according to the accuracy of the authentication method adopted by the first device when it authenticates to the second device.
It should be understood that the life cycle referred to in the embodiments of the present application is the time for which the shared data exists in the first device; the first device may delete the shared data after the life cycle expires.
In one implementation, the first device and the second device may each store several items of the user's biometric information, such as the user's facial image, fingerprint, iris, voiceprint, handwriting and gait. When the first device requests authentication from the second device, it sends one or more of these items of biometric information to the second device; the second device determines whether to share data with the first device according to whether the received biometric information satisfies the authentication condition, and determines the life cycle of the shared data according to the accuracy associated with that biometric information.
In one implementation, when the first device is authenticated in different ways, the second device determines different life cycles for the shared data in the first device according to the accuracy of the authentication between the first device and the second device. When the authentication method of the first device has high accuracy, the life cycle may be an eighth life cycle; when the authentication method of the first device has medium accuracy, the life cycle may be a ninth life cycle; and when the authentication method of the first device has low accuracy, the life cycle may be a tenth life cycle. Ordered from longest to shortest, the life cycles satisfy: tenth life cycle > ninth life cycle > eighth life cycle.
According to the data processing method provided by the embodiment of the application, the life cycle of the shared data is set according to the accuracy of the authentication method adopted when the first device is authenticated, so that data can still be shared while its security is ensured, in particular when private data is shared. In addition, in a distributed environment, the method provided by the embodiment of the application can maximise the data that each device is able to share while, through the system's authentication and management mechanism, effectively preventing the leakage of private data that data sharing might otherwise cause.
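The following example, added here and not part of the patent, models the second device's decision from the three determination methods above (Fig. 3, Fig. 4 and Fig. 5) together with the refusal to auto-share important privacy data. The patent fixes only the ordering of the life cycles, so every duration is a constructed placeholder; the field names used to classify content, the rule that the highest-risk field present decides the risk level, and the rule that the shortest applicable life cycle wins when several factors apply are assumptions. For the authentication factor the code follows the Fig. 5 rationale that higher accuracy earns a longer life cycle.

```python
"""Second-device side: choose a life cycle for data about to be shared.

Added illustration of the patent's life-cycle selection; not the patent's
own code. Durations, field names and the combination rule are assumptions.
"""
from dataclasses import dataclass
from datetime import timedelta
from typing import Optional

# Security capability of the requesting (first) device, 1 = highest.
# Constructed durations; the page only fixes first > second > third > fourth.
CAPABILITY_LIFECYCLE = {
    1: timedelta(days=30),  # complete TEE area + OS software encryption
    2: timedelta(days=7),   # partial TEE area + OS software encryption
    3: timedelta(days=1),   # no TEE area, OS software encryption only
    4: timedelta(hours=1),  # OS without software encryption capability
}

# Risk level of the content: fifth < sixth < seventh life cycle.
RISK_LIFECYCLE = {
    "high": timedelta(hours=1),   # location, contacts, communications
    "medium": timedelta(days=1),  # preferences, daily routine, schedule
    "low": timedelta(days=30),    # non-private data such as device state
}

# Accuracy class of the authentication the first device used (assumption:
# higher accuracy earns a longer life cycle, as the Fig. 5 rationale states).
AUTH_LIFECYCLE = {
    "high": timedelta(days=30),   # 3D face, iris, fingerprint, password
    "medium": timedelta(days=7),  # 2D face, voiceprint, gait
    "low": timedelta(days=1),     # handwriting, height, weight
}

# Constructed field names used to classify the requested data.
HIGH_RISK_FIELDS = {"location", "contacts", "communications"}
MEDIUM_RISK_FIELDS = {"preferences", "routine", "schedule"}
# Important privacy data that is never shared automatically (manual only).
NEVER_AUTO_SHARE = {"bank_account", "password", "payment_password"}


@dataclass(frozen=True)
class ShareRequest:
    data_id: str
    fields: frozenset                  # names of the fields in the requested data
    capability_level: int              # 1 (highest) .. 4, as reported by the first device
    auth_accuracy: Optional[str] = None  # "high" / "medium" / "low"; None if not authenticated


def risk_level(fields: frozenset) -> str:
    """Assumption: the most sensitive field present decides the risk level."""
    if fields & HIGH_RISK_FIELDS:
        return "high"
    if fields & MEDIUM_RISK_FIELDS:
        return "medium"
    return "low"


def determine_lifecycle(req: ShareRequest) -> Optional[timedelta]:
    """Return the life cycle for the data, or None when it must not be auto-shared."""
    if req.fields & NEVER_AUTO_SHARE:
        return None
    if req.capability_level not in CAPABILITY_LIFECYCLE:
        raise ValueError(f"unknown security capability level {req.capability_level}")
    candidates = [
        CAPABILITY_LIFECYCLE[req.capability_level],
        RISK_LIFECYCLE[risk_level(req.fields)],
    ]
    if req.auth_accuracy is not None:
        if req.auth_accuracy not in AUTH_LIFECYCLE:
            raise ValueError(f"unknown authentication accuracy {req.auth_accuracy!r}")
        candidates.append(AUTH_LIFECYCLE[req.auth_accuracy])
    # Assumption: when several factors apply, the most restrictive one wins.
    return min(candidates)


def build_response(req: ShareRequest, payload: dict) -> dict:
    """Message the second device sends back: the data plus its life cycle, or a refusal."""
    lifecycle = determine_lifecycle(req)
    if lifecycle is None:
        return {"data_id": req.data_id, "shared": False,
                "reason": "important privacy data: manual sharing by the user required"}
    return {"data_id": req.data_id, "shared": True, "data": payload,
            "lifecycle_seconds": int(lifecycle.total_seconds())}


if __name__ == "__main__":
    req = ShareRequest("d1", frozenset({"location"}), capability_level=1, auth_accuracy="high")
    print(build_response(req, {"location": "constructed sample"}))
```

Because the most restrictive factor wins, a fully trusted device authenticated with a high-accuracy method still receives location data with only the short "high risk" life cycle, while device state shared with the same device keeps the long one.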
In addition, the embodiment of the application also provides a data processing device.
Fig. 6 shows a data processing device according to an embodiment of the present application. The device 600 comprises a receiving unit 601, a processing unit 602 and a transmitting unit 603.
In one implementation, the receiving unit 601 is configured to receive a first request message sent by a first device, where the first request message is used to request a second device to share first data, and the second device holds the first data.
In one implementation, the processing unit 602 is configured to determine, according to the first request message, a lifetime of the first data, where the lifetime is a time when the first data exists in the first device.
In one implementation, the sending unit 603 is configured to send the first data and information of a life cycle of the first data to the first device.
In one implementation, the processing unit 602 is specifically configured to determine the life cycle of the first data according to the security capability of the first device; or to determine the life cycle of the first data according to the risk level of the first data; or to determine the life cycle of the first data according to the authentication mode adopted by the first device when the second device authenticates it.
In one implementation, the processing unit 602 is specifically configured to determine that the life cycle of the first data is a first life cycle when the first device has a first security capability, where the first device having the first security capability indicates that the first device has a complete trusted execution environment (TEE) hardware encryption area and the software operating system (OS) of the first device supports software encryption capability; to determine that the life cycle of the first data is a second life cycle when the first device has a second security capability, where the first device having the second security capability indicates that the first device has a partial TEE hardware encryption area and its software OS supports software encryption capability, and the second life cycle is shorter than the first life cycle; to determine that the life cycle of the first data is a third life cycle when the first device has a third security capability, where the first device having the third security capability indicates that the first device has no TEE hardware encryption area but its software OS supports software encryption capability, and the third life cycle is shorter than the second life cycle; and to determine that the life cycle of the first data is a fourth life cycle when the first device has a fourth security capability, where the first device having the fourth security capability indicates that the software OS of the first device does not support software encryption capability, and the fourth life cycle is shorter than the third life cycle.
In one implementation, the processing unit 602 is further specifically configured to determine that the life cycle of the first data is a fifth life cycle when it is determined that the first data includes first content, where the first content includes one or more items of the user's privacy information among location information, contact information and communication information; to determine that the life cycle of the first data is a sixth life cycle when it is determined that the first data includes second content, where the second content includes one or more items of the user's privacy information among personal preference information, daily routine (work and rest time) information and schedule information, and the sixth life cycle is longer than the fifth life cycle; and to determine that the life cycle of the first data is a seventh life cycle when it is determined that the first data includes third content, where the third content is non-private information of the user, and the seventh life cycle is longer than the sixth life cycle.
In one implementation, the processing unit 602 is further specifically configured to determine that the life cycle of the first data is an eighth life cycle when it is determined that the first device adopts a first authentication mode, where the first authentication mode includes one or more of three-dimensional (3D) face information authentication, password information authentication, iris information authentication and fingerprint information authentication; to determine that the life cycle of the first data is a ninth life cycle when it is determined that the first device adopts a second authentication mode, where the second authentication mode includes one or more of two-dimensional (2D) face information authentication, voiceprint information authentication and gait information authentication, and the ninth life cycle is longer than the eighth life cycle; and to determine that the life cycle of the first data is a tenth life cycle when it is determined that the first device adopts a third authentication mode, where the third authentication mode includes one or more of handwriting information authentication, height information authentication, weight information authentication and password information authentication, and the tenth life cycle is longer than the ninth life cycle.
In an implementation manner, the receiving unit 601 is further configured to receive an authentication request message sent by the first device, where the authentication request message is used for the second device to authenticate the first device.
In one implementation, the sending unit 603 is further configured to send an authentication response message to the first device according to the authentication request message, where the authentication response message indicates that the second device has completed authentication of the first device.
Fig. 7 shows a data processing device according to an embodiment of the present application. The device 700 comprises a transmitting unit 701, a receiving unit 702 and a processing unit 703.
In one implementation, the sending unit 701 may be configured to send a first request message to the second device, where the first request message is used to request the second device to share first data, and the second device holds the first data.
In one implementation, the receiving unit 702 may be configured to receive the first data sent by the second device, where the second device has set a life cycle for the first data, and the life cycle is the time for which the first data exists in the first device.
In one implementation, the processing unit 703 may be configured to delete the first data when the time when the first data exists in the first device reaches the time indicated by the life cycle.
In one implementation, the processing unit 703 may be further configured to determine that the security capability level of the first device is a first security level when the first device has a complete TEE hardware encryption area and the software operating system (OS) of the first device supports software encryption capability; to determine that the security capability level of the first device is a second security level when the first device has a partial TEE hardware encryption area and its software OS supports software encryption capability, where the second security level is lower than the first security level; to determine that the security capability level of the first device is a third security level when the first device has no TEE hardware encryption area but its software OS supports software encryption capability, where the third security level is lower than the second security level; and to determine that the security capability level of the first device is a fourth security level when the first device has no TEE hardware encryption area and its software OS does not support software encryption capability, where the fourth security level is lower than the third security level.
In an implementation manner, the sending unit 701 may be further configured to send an authentication request message to the second device, where the authentication request message is used for the second device to authenticate the first device.
In one implementation, the receiving unit 702 may be further configured to receive an authentication response message sent by the second device, where the authentication response message indicates that the second device has completed authentication of the first device.
In addition, the embodiment of the application also provides a data sharing system, wherein the system comprises a first device and a second device. The first device and the second device may be adapted to perform the method described above.
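The following example, added here and not part of the patent, models the first device's side of the device 700 description: it reports its security capability level from the TEE and OS software-encryption criteria, stores received data together with the life cycle set by the second device, and deletes the data once the time it has existed on the device reaches that life cycle. The in-memory store, the injected clock (so expiry can be exercised deterministically) and the "complete"/"partial"/"none" labels for the TEE hardware encryption area are assumptions.

```python
"""First-device side: report a security capability level and enforce the
life cycle received with shared data.

Added illustration; not the patent's own code. Store, clock and TEE
labels are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


def security_capability_level(tee_area: str, os_software_encryption: bool) -> int:
    """Map the device's TEE hardware encryption area and OS software encryption
    support to the four-level scheme (1 = highest, 4 = no security capability).

    tee_area is one of "complete", "partial" or "none" (assumed labels).
    """
    if tee_area not in ("complete", "partial", "none"):
        raise ValueError(f"unknown TEE area description {tee_area!r}")
    if not os_software_encryption:
        # Without OS software encryption the device has no security capability.
        return 4
    return {"complete": 1, "partial": 2, "none": 3}[tee_area]


@dataclass
class SharedEntry:
    payload: bytes
    expires_at: float  # seconds since epoch; received_at + life cycle


class SharedDataStore:
    """Holds data received from the second device and enforces its life cycle."""

    def __init__(self, clock: Callable[[], float]):
        self._clock = clock
        self._entries: Dict[str, SharedEntry] = {}

    def receive(self, data_id: str, payload: bytes, lifecycle_seconds: int) -> None:
        """Store data together with the expiry derived from the received life cycle."""
        if lifecycle_seconds <= 0:
            raise ValueError("life cycle must be a positive number of seconds")
        self._entries[data_id] = SharedEntry(payload, self._clock() + lifecycle_seconds)

    def get(self, data_id: str) -> Optional[bytes]:
        """Return the data, or None once its life cycle has been reached,
        even if purge_expired() has not run yet."""
        entry = self._entries.get(data_id)
        if entry is None or self._clock() >= entry.expires_at:
            return None
        return entry.payload

    def purge_expired(self) -> List[str]:
        """Delete every entry whose life cycle has been reached; return its ids."""
        now = self._clock()
        expired = sorted(k for k, e in self._entries.items() if now >= e.expires_at)
        for data_id in expired:
            # A real device would overwrite the backing storage, not just drop the reference.
            del self._entries[data_id]
        return expired

    def __len__(self) -> int:
        return len(self._entries)


class FakeClock:
    """Deterministic clock for exercising expiry (constructed for the example)."""

    def __init__(self, start: float):
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock(1_000.0)
    store = SharedDataStore(clock.now)
    store.receive("d1", b"constructed sample payload", lifecycle_seconds=60)
    print(security_capability_level("complete", True), store.get("d1"))
    clock.advance(60)
    print(store.get("d1"), store.purge_expired())
```

The store checks expiry on every read as well as in the periodic purge, so data is unreadable from the moment its life cycle is reached even if the deletion task runs late.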
The above description covers only specific embodiments of the present application, but the scope of the present application is not limited to them; any changes or substitutions that a person skilled in the art could readily conceive within the technical scope of the present application fall within the scope of the present application. Therefore, the protection scope of the present application shall be that of the claims.

Claims (13)

1. A method for processing data, which is applied to a scenario in which a second device shares first data with a first device, includes:
the second device receives a first request message sent by the first device, where the first request message is used to request the second device to share first data, and the second device includes the first data;
the second device determines a life cycle of the first data according to the first request message, wherein the life cycle is used for indicating the time when the first data exists in the first device;
and the second device sends the first data and the information of the life cycle of the first data to the first device.
2. The method of claim 1, wherein determining the lifecycle of the first data comprises:
the second device determines the life cycle of the first data according to the security capability of the first device; or,
the second device determines the life cycle of the first data according to the risk level of the first data; or,
the second device determines the life cycle of the first data according to the authentication mode adopted by the first device when the second device authenticates it.
3. The method of claim 2, wherein the second device determining the lifecycle of the first data based on the security capabilities of the first device comprises:
when the first device has a first security capability, the second device determines that the life cycle of the first data is a first life cycle, wherein the first device having the first security capability indicates that the first device has a complete trusted execution environment (TEE) hardware encryption area, and a software operating system (OS) of the first device supports software encryption capability;
when the first device has a second security capability, the second device determines that the life cycle of the first data is a second life cycle, wherein the first device having the second security capability indicates that the first device has a partial TEE hardware encryption area and the software OS of the first device supports software encryption capability, and the second life cycle is shorter than the first life cycle;
when the first device has a third security capability, the second device determines that the life cycle of the first data is a third life cycle, wherein the first device having the third security capability indicates that the first device has no TEE hardware encryption area but the software OS of the first device supports software encryption capability, and the third life cycle is shorter than the second life cycle;
when the first device has a fourth security capability, the second device determines that the life cycle of the first data is a fourth life cycle, wherein the first device having the fourth security capability indicates that the software OS of the first device does not support software encryption capability, and the fourth life cycle is shorter than the third life cycle.
4. The method of claim 2, wherein determining, by the second device, the lifecycle of the first data based on the risk level of the first data comprises:
when the second device determines that the first data comprises first content, determining that the life cycle of the first data is a fifth life cycle, wherein the first content comprises one or more items of privacy information of a user among location information, contact information, communication information and image information;
when the second device determines that the first data comprises second content, determining that the life cycle of the first data is a sixth life cycle, wherein the second content comprises one or more items of privacy information among personal hobbies of the user, the state of the first device and memo information, and the sixth life cycle is longer than the fifth life cycle;
when the second device determines that the first data comprises third content, determining that the life cycle of the first data is a seventh life cycle, wherein the third content is non-private information of the user, and the seventh life cycle is longer than the sixth life cycle.
5. The method according to claim 2, wherein the second device determines the life cycle of the first data according to an authentication method adopted by the first device when the second device performs authentication, and the determining includes:
when the second device determines that the first device adopts a first authentication mode, determining that the life cycle of the first data is an eighth life cycle, wherein the first authentication mode comprises one or more of three-dimensional (3D) face information authentication, password information authentication, iris information authentication and fingerprint information authentication;
when the second device determines that the first device adopts a second authentication mode, determining that the life cycle of the first data is a ninth life cycle, wherein the second authentication mode comprises one or more of two-dimensional (2D) face information authentication, voiceprint information authentication and gait information authentication, and the ninth life cycle is longer than the eighth life cycle;
and when the second device determines that the first device adopts a third authentication mode, determining that the life cycle of the first data is a tenth life cycle, wherein the third authentication mode comprises one or more of handwriting information authentication, height information authentication, weight information authentication and password information authentication, and the tenth life cycle is longer than the ninth life cycle.
6. The method according to any one of claims 1-5, further comprising:
the second device receives an authentication request message sent by the first device, wherein the authentication request message is used for the second device to authenticate the first device;
and the second device sends an authentication response message to the first device according to the authentication request message, wherein the authentication response message indicates that the second device has completed authentication of the first device.
7. A method for processing data, which is applied to a scenario in which a second device shares first data with a first device, includes:
the first device sends a first request message to the second device, wherein the first request message is used for requesting the second device to share first data, and the second device comprises the first data;
the first device receives the first data sent by the second device and information of a life cycle of the first data, wherein the life cycle is used for indicating the time when the first data exists in the first device;
deleting, by the first device, the first data when the time the first data was present in the first device reaches the time indicated by the lifecycle.
8. The method of claim 7, wherein the first device determines a security capability level based on a security capability of the first device, wherein,
when the first device has a complete TEE hardware encryption area and a software operating system (OS) of the first device supports software encryption capability, the first device determines that the security capability level of the first device is a first security level;
when the first device has a partial TEE hardware encryption area and the software OS of the first device supports software encryption capability, the first device determines that the security capability level of the first device is a second security level, wherein the second security level is lower than the first security level;
when the first device has no TEE hardware encryption area but the software OS of the first device supports software encryption capability, the first device determines that the security capability level of the first device is a third security level, wherein the third security level is lower than the second security level;
when the first device has no TEE hardware encryption area and the software OS of the first device does not support software encryption capability, the first device determines that the security capability level of the first device is a fourth security level, wherein the fourth security level is lower than the third security level.
9. The method of claim 8, further comprising:
the first device sends the security level of the first device to the second device.
10. The method according to any one of claims 7-10, further comprising:
the first device sends an authentication request message to the second device, wherein the authentication request message is used for the second device to authenticate the first device;
and the first device receives an authentication response message sent by the second device, wherein the authentication response message indicates that the second device has completed authentication of the first device.
11. An apparatus for data processing, characterized in that the apparatus is adapted to perform the method of any of claims 1 to 6.
12. A data processing device, characterized in that the device is adapted to perform the method of any of claims 7 to 9.
13. A system for data sharing, comprising a first device and a second device, wherein the first device shares data with the second device, the first device is configured to perform the method of any of claims 7 to 10, and the second device is configured to perform the method of any of claims 1 to 6.
CN201911292019.7A 2019-12-16 2019-12-16 Method and device for processing data Active CN111177694B (en)
Publications (2)

Publication Number Publication Date
CN111177694A true CN111177694A (en) 2020-05-19
CN111177694B CN111177694B (en) 2023-03-17

Family

ID=70646320

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911292019.7A Active CN111177694B (en) 2019-12-16 2019-12-16 Method and device for processing data

Country Status (1)

Country Link
CN (1) CN111177694B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113691439A (en) * 2021-07-12 2021-11-23 维沃移动通信(杭州)有限公司 Content sharing method and device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100138908A1 (en) * 2005-06-28 2010-06-03 Ravigopal Vennelakanti Access Control Method And Apparatus
CN104769984A (en) * 2012-12-26 2015-07-08 McAfee, Inc. Automatic sanitization of data on a mobile device in a network environment
CN106022196A (en) * 2016-06-30 2016-10-12 Vivo Mobile Communication Co., Ltd. Information sharing method and intelligent terminal
CN107491472A (en) * 2017-06-22 2017-12-19 Zhejiang Lishi Technology Co., Ltd. Life-cycle-based secure sharing system and method for sensitive data on a big data platform
CN108156128A (en) * 2017-01-03 2018-06-12 ZTE Corporation Sharing method, apparatus and system
CN110378145A (en) * 2019-06-10 2019-10-25 Huawei Technologies Co., Ltd. Content sharing method and electronic device

Also Published As

Publication number Publication date
CN111177694B (en) 2023-03-17

Similar Documents

Publication Publication Date Title
US10009327B2 (en) Technologies for secure storage and use of biometric authentication information
CA3082338C (en) Cryptographically transmitting and storing identity tokens and/or activity data among spatially distributed computing devices
US9712565B2 (en) System and method to provide server control for access to mobile client data
US8904509B2 (en) Resource access based on multiple credentials
US9525668B2 (en) Face based secure messaging
RU2723308C1 (en) Control of private transactions in blockchains based on processing flow
US20160306955A1 (en) Performing user seamless authentications
CN110741370A (en) Biometric authentication using user input
US8656455B1 (en) Managing data loss prevention policies
US20160171220A1 (en) Display control method and apparatus and display device comprising same
CN104951704B (en) Image information acquisition device and encryption method therefor
JP6176866B2 (en) Method and system for authentication of communication and operation
CN114155639A (en) Access control method based on Internet of things, access control system and storage medium
US20150113602A1 (en) Method and system for authentication of communication and operation
CN111177694B (en) Method and device for processing data
CN113678125A (en) Biometric digital signature generation for identity verification
KR20150100602A (en) Data storing and reading methods, apparatuses and devices
US10331937B2 (en) Method and system for context-driven fingerprint scanning to track unauthorized usage of mobile devices
US20210224374A1 (en) Challenge and Response in Continuous Multifactor Authentication on a Safe Case
KR102086858B1 (en) Method of sharing address book and system thereof
US20230208634A1 (en) Key management method and apparatus
US20210224375A1 (en) Systems and Methods for Cloud-Based Continuous Multifactor Authentication
WO2022093168A1 (en) Access to confidential data
JP2020204853A (en) Information processor and data management device and information processing method and program

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant