CN111915306A - Service data verification method and verification platform - Google Patents


Info

Publication number
CN111915306A
Authority
CN
China
Prior art keywords
information
service
data
verification
registration
Prior art date
Legal status
Granted
Application number
CN201910523115.1A
Other languages
Chinese (zh)
Other versions
CN111915306B (en)
Inventor
王蜀洪
李艺
Current Assignee
Huakong Tsingjiao Information Technology Beijing Co Ltd
Original Assignee
Huakong Tsingjiao Information Technology Beijing Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/901 Indexing; Data structures therefor; Storage structures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/903 Querying
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes


Abstract

The application discloses a verification method and a verification platform for service data. The verification method comprises the following steps: performing privacy encryption on the service data to be verified in a service request to obtain encrypted service data; verifying whether a service account corresponding to the encrypted service data exists in the stored registration information, where the registration information comprises a service account and service registration data related to the service account, and the service registration data corresponds to the service data; and, if so, passing the verification. With this verification method and verification platform, the service data or the service registration data never appears in plaintext during the verification process, which ensures the safety and reliability of the service data or the service registration data.

Description

Service data verification method and verification platform
Technical Field
The present application relates to the field of data security processing technologies, and in particular, to a method and a platform for verifying business data, a computer system, and a computer-readable storage medium.
Background
With the use of electronic technology and communication networks, the way of implementing services, such as access control, attendance checking, public transportation, ticketing, financial payments, etc., by means of a digital system is now widely used.
Taking the financial payment service as an example, generally, when payment is realized, a merchant acquires verification information of a consumer and uploads the verification information to a financial verification platform to verify the verification information, so as to acquire a corresponding financial account, and a payment message is formed according to the verification information, so that a financial institution carries out money deduction operation.
However, the financial payment service has the following disadvantages: because it is used frequently, the verification information can reside in the server memory of the financial verification platform for a long time, where it is at risk of being stolen by an IT administrator, by a hacker, or through an attack; in particular, the verification information is stored in the server memory of the financial verification platform in plaintext, which is a serious security risk.
Disclosure of Invention
In view of the above-mentioned shortcomings of the prior art, the present application aims to disclose a method and a platform for verifying business data, a computer system, and a computer-readable storage medium for solving the problem of risk prevention and control of the security of business data in the prior art.
To achieve the above and other related objects, a first aspect of the present application discloses a method for verifying business data, comprising:
performing privacy encryption on the service data to be verified in the service request to obtain encrypted service data;
verifying whether a service account corresponding to the encrypted service data exists in the stored registration information; the registration information comprises a service account and service registration data related to the service account, and the service registration data corresponds to the service data;
if so, the verification is passed.
In certain embodiments of the first aspect of the present application, the method for verifying the service data further includes: receiving registration information, and carrying out privacy encryption on service registration data in the registration information to obtain encrypted service registration data; and dispersing the registration information containing the encrypted service registration data into a plurality of ciphertext fragments and storing the ciphertext fragments in a plurality of storage nodes.
In certain embodiments of the first aspect of the present application, the service data to be verified includes first verification information and second verification information; the step of privacy encryption of the service data to be verified comprises the following steps: and carrying out privacy encryption on the first verification information and/or the second verification information in the service data to be verified to form a plurality of ciphertext fragments of the first verification information and/or ciphertext fragments of the second verification information.
In certain embodiments of the first aspect of the present application, the verifying whether a service account corresponding to the encrypted service data exists in each of the stored registration information includes: searching by taking the ciphertext fragment of the first verification information in the encrypted service data as a keyword, and screening out service registration data corresponding to the first verification information from each stored registration information; acquiring service registration data matched with second verification information from the screened service registration data corresponding to the first verification information by taking the ciphertext fragments of the second verification information in the encrypted service data as keywords; and obtaining the service account in the service registration data matched with the second verification information.
A second aspect of the present application discloses a verification platform for business data, including: the privacy encryption module is used for carrying out privacy encryption on the service data to be verified in the service request to obtain encrypted service data; the verification module is used for verifying whether a service account corresponding to the encrypted service data exists in each piece of stored registration information; the registration information comprises a service account and service registration data related to the service account, and the service registration data corresponds to the service data.
In some embodiments of the second aspect of the present application, the service data to be authenticated includes first authentication information and second authentication information, and the manner for the privacy encryption module to perform privacy encryption on the service data to be authenticated in the service request includes: and privacy encryption is carried out on the first verification information and/or the second verification information in the service data to be verified to form a plurality of ciphertext fragments of the first verification information and/or ciphertext fragments of the second verification information.
In some embodiments of the second aspect of the present application, the manner in which the verification module verifies whether a service account corresponding to the encrypted service data exists in each of the stored registration information includes: searching by taking the ciphertext fragment of the first verification information in the encrypted service data as a keyword, and screening out service registration data corresponding to the first verification information from each stored registration information; acquiring service registration data matched with second verification information from the screened service registration data corresponding to the first verification information by taking the ciphertext fragments of the second verification information in the encrypted service data as keywords; and obtaining the service account in the service registration data matched with the second verification information.
In certain embodiments of the second aspect of the present application, the validation platform for business data further comprises: and the service message generation module is used for generating a service message based on the first verification information and the service account after the matched service account is determined.
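The two-stage lookup described in the first and second aspects above, as an added example that is not part of the patent. It assumes the "privacy encryption" into ciphertext fragments is additive secret sharing over a prime field with a Beaver-triple masked equality test from a trusted dealer (the page does not name its scheme); the class, function names and sample values are constructed, with the payment password as first and the bank card number as second verification information.

```python
"""Single-process simulation: each list index stands for one storage node."""
import secrets

P = 2**61 - 1   # prime modulus of the share field
N_NODES = 3     # number of storage nodes (assumed value)


def share(value):
    """Split a field element into N_NODES additive shares (sum mod P)."""
    parts = [secrets.randbelow(P) for _ in range(N_NODES - 1)]
    parts.append((value - sum(parts)) % P)
    return parts


def reveal(shares):
    """Recombine one share from every node; fewer shares look random."""
    return sum(shares) % P


def beaver_multiply(x, y):
    """Return shares of x*y using a Beaver triple from a trusted dealer."""
    a, b = secrets.randbelow(P), secrets.randbelow(P)
    a_s, b_s, c_s = share(a), share(b), share(a * b % P)
    # Only the masked values e = x - a and f = y - b are ever opened.
    e = reveal([(xi - ai) % P for xi, ai in zip(x, a_s)])
    f = reveal([(yi - bi) % P for yi, bi in zip(y, b_s)])
    z = [(ci + e * bi + f * ai) % P for ci, ai, bi in zip(c_s, a_s, b_s)]
    z[0] = (z[0] + e * f) % P   # public term, added by one node only
    return z


def shares_equal(x, y):
    """Open r*(x - y) for a secret nonzero r: zero exactly when x == y."""
    diff = [(xi - yi) % P for xi, yi in zip(x, y)]
    r = share(secrets.randbelow(P - 1) + 1)   # dealer-chosen, never opened
    return reveal(beaver_multiply(diff, r)) == 0


def encode(digits):
    """Map a decimal string to a field element, keeping leading zeros."""
    if not (digits.isascii() and digits.isdigit()) or len(digits) > 18:
        raise ValueError("expected at most 18 decimal digits")
    return int("1" + digits)


def decode(value):
    """Inverse of encode()."""
    return str(value)[1:]


class Platform:
    """Hypothetical verification platform holding only shares of records."""

    def __init__(self):
        self.nodes = [[] for _ in range(N_NODES)]   # node i stores share i

    def register(self, first, second, account):
        """Share every field and hand one fragment to each storage node."""
        fields = {"first": share(encode(first)),
                  "second": share(encode(second)),
                  "account": share(encode(account))}
        for i, node in enumerate(self.nodes):
            node.append({name: s[i] for name, s in fields.items()})

    def _fragments(self, index, field):
        return [node[index][field] for node in self.nodes]

    def candidates(self, first):
        """Stage 1: records whose first verification info matches.

        The matching indices become visible to whoever runs the lookup,
        i.e. the group of users sharing the same first verification info.
        """
        query = share(encode(first))
        return [i for i in range(len(self.nodes[0]))
                if shares_equal(query, self._fragments(i, "first"))]

    def verify(self, first, second):
        """Stage 2: match second info among candidates, return the account."""
        query = share(encode(second))
        for i in self.candidates(first):
            if shares_equal(query, self._fragments(i, "second")):
                return decode(reveal(self._fragments(i, "account")))
        return None


if __name__ == "__main__":
    platform = Platform()
    # Constructed registrations: (payment password, card number, account id)
    platform.register("262626", "6200000000000001", "900001")
    platform.register("262626", "6200000000000002", "900002")
    platform.register("135790", "6200000000000003", "900003")
    print(platform.candidates("262626"))
    print(platform.verify("262626", "6200000000000002"))
    print(platform.verify("135790", "6200000000000002"))
```
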
A third aspect of the present application discloses a computer system comprising:
a storage device for storing at least one program;
an interface device;
and the processing device is connected with the storage device and the interface device, wherein the processing device is integrated with a trusted processing environment, and the processing environment executes the service data verification method according to the stored at least one program.
A fourth aspect of the present application discloses a computer-readable storage medium storing computer instructions that, when invoked, participate in performing the method for validating business data as described above.
As described above, the verification method and verification platform for service data, the computer system, and the computer-readable storage medium disclosed in the present application perform privacy encryption on service data or service registration data during service implementation and carry out verification in privacy-encrypted form, so that the data never appears in plaintext. This ensures the security and reliability of the service data or service registration data and solves the problem of risk prevention and control for the security of service data in the prior art.
Drawings
Fig. 1 is a schematic structural diagram of a hardware system of a service data verification platform according to an embodiment of the present application.
Fig. 2 is a schematic diagram of a privacy encryption store and privacy computing architecture.
Fig. 3 is a schematic structural diagram of a registration system for service registration data of the present application in an embodiment.
Fig. 4 is a schematic structural diagram of a registration system for service registration data of the present application in another embodiment.
Fig. 5 is a flowchart illustrating a registration method of service registration data according to the present application.
Fig. 6 is a flowchart illustrating a verification method of service data according to the present application.
Detailed Description
The following description of the embodiments of the present application is provided for illustrative purposes, and other advantages and capabilities of the present application will become apparent to those skilled in the art from the present disclosure.
In the following description, reference is made to the accompanying drawings that describe several embodiments of the application. It is to be understood that other embodiments may be utilized and that compositional and operational changes may be made without departing from the spirit and scope of the present disclosure. The following detailed description is not to be taken in a limiting sense, and the scope of embodiments of the present application is defined only by the claims of the patent of the present application. The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application.
Also, as used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context indicates otherwise. For example, the term "at least one client" in this application includes a client and a plurality of clients. It will be further understood that the terms "comprises," "comprising," "includes" and/or "including," when used in this specification, specify the presence of stated features, steps, operations, elements, components, items, species, and/or groups, but do not preclude the presence or addition of one or more other features, steps, operations, elements, components, species, and/or groups thereof. The terms "or" and "and/or" as used herein are to be construed as inclusive, meaning any one or any combination.
In some service implementation applications, operations such as verification using service data may be involved, the service data may constitute sensitive data, and protection of the sensitive data needs to involve multiple parties such as a data provider, an intermediate verification platform, and a data user of the data.
Taking face-brushing payment as an example, the face-brushing payment process involves data such as face data (including face pictures and face features), payment passwords (including payment security codes), bank card numbers and the like.
Generally, any single piece of information (referred to as sensitive information), such as a payment password (including a payment security code), a face picture, a face feature, or a bank card, does not by itself constitute sensitive data. In fact, single pieces of information such as 6-digit payment passwords, faces, and bank accounts are visible everywhere. For example, knowing only that 262626 is the payment password of some bank card (but not which bank card) has no meaning. However, once this information is correlated and we know that 262626 is the payment password for the bank card xxxx, the bank card can, for example, be forged to steal another person's funds. Thus, the payment password together with its association with the bank card number is the truly sensitive data.
Similarly, the face image, the face features, and their association with the bank card number and the payment password are all sensitive data that need focused protection. That a face picture is sensitive data is intuitive, but the need for privacy protection of face features is easily overlooked because they have been processed by a feature extraction algorithm, and it is a common misconception to regard the face feature extraction algorithm as an encryption algorithm. In fact, although information is lost in feature extraction and a face picture cannot be uniquely restored from the face features, the information lost in the process is the unimportant face information, and the most important face feature information is what remains (otherwise, the face could not be identified). Therefore, once the face features are obtained, it is very easy with existing technology to forge face elements with the same or similar features, and even liveness detection can be deceived by simple dressing-up of a living person. In any case, the face and any other biometric information cannot be changed at will and, once leaked, cannot be remedied.
In a plaintext face-brushing payment scheme, a registered user may complete payment with forged face elements. An IT administrator can attack further, for example by forging the face elements of all users who have the same payment password as his or her own and impersonating those users to initiate illegal payments; the impersonated users can deny the payments, and nothing can be proven against the IT administrator. This is possible because the business process searches for the group of users with the same payment security code: the IT administrator knows which group he or she is in, which is equivalent to knowing the payment passwords of all users in that group, and can then associate those payment passwords with the forged face elements to complete the attack.
In summary, the payment password, the payment security code and the association relationship between the payment security code and the bank card, and the face feature, the face picture and the association relationship between the face feature and the payment password are all sensitive data that must be strictly protected.
In order to enable the parties involved to process sensitive data while still protecting it, in some embodiments the sensitive data is subjected to privacy processing so that it does not appear in plaintext. Therefore, the application provides a technology that can still perform verification, interaction, application processing, and the like on sensitive data while the sensitive data remains privacy-encrypted at the verification end in payment consumption.
In view of this, the present application discloses a method for verifying service data, a platform for verifying service data, a computer system, and a storage medium, which perform privacy encryption on service data during service implementation, so that the service data is verified in privacy-encrypted form and never appears in plaintext, thereby ensuring the safety and reliability of the service data and solving the problem of risk prevention and control for the safety of service data in existing service implementations.
Please refer to fig. 1, which is a schematic structural diagram of a hardware system of a verification platform for business data according to an embodiment of the present application. The service data verification platform shown in fig. 1 is used for verifying the service data in the triggered service request to confirm the user identity from the pre-stored registration information, and determining the bound service account according to the user identity to complete payment verification. It should be noted that, the processes executed according to the hardware system shown in fig. 1 are only examples, and in different application scenarios, they may be executed alone or in combination with other executed processes based on actual design requirements.
The verification platform of the business data can be an electronic device comprising a storage device, a processing device, an interface device and the like, where the electronic device is a single computer device, a computer cluster, a service system based on a cloud architecture, or the like. The single computer device may be an autonomously configured computer device that can execute the methods of the present application, and may be located in a private computer room or in a leased location in a public computer room. The computer cluster may be a group of mutually independent computer devices interconnected by a high-speed network, which form a group and are managed as a single system. The service system of the cloud architecture comprises a public cloud service end and a private cloud service end, where the public or private cloud service end comprises Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), Infrastructure-as-a-Service (IaaS), and the like. Examples of the private cloud service end include the Alibaba Cloud computing service platform, the Amazon cloud computing service platform, the Baidu cloud computing platform, the Tencent cloud computing platform and the like.
According to the hardware device actually executing each of the above methods, each device constituting the electronic apparatus may be located on a single server, or located in a plurality of servers and cooperatively completed by data communication between the servers.
For this purpose, the interface device is connected to the processing device in a data-transmitting manner via a bus connection or via a communication network. To this end, the interface means include, but are not limited to, a network card, a mobile network access module, a bus interface connected to the processing means through a bus, and the like. For example, the interface device corresponding to the second computer system is communicatively connected to the interface device of the first computer system, the interface device of the user equipment, and the like. Each of the interface devices performs data communication through the internet, a mobile network, and a local area network.
The storage device is for storing at least one program that can perform any one or more of the methods described above. The storage device corresponding to the same electronic device may be located on the same physical server as the processing device, or may be located in a different physical server and transfer the program to the processing device running the program through the interface device of each server. The storage may include high speed random access memory and may also include non-volatile memory, such as one or more magnetic disk storage devices, flash memory devices, or other non-volatile solid state storage devices. In certain embodiments, the memory may also include memory that is remote from the one or more processors, such as network-attached memory accessed via RF circuitry or external ports and a communication network (not shown), which may be the internet, one or more intranets, Local Area Networks (LANs), wide area networks (WLANs), Storage Area Networks (SANs), etc., or a suitable combination thereof. The storage device also includes a memory controller that can control access to the memory by other components of the device, such as the CPU and peripheral interfaces. Among the software components stored in the storage device are an operating system, a communications module (or set of instructions), a text input module (or set of instructions), and an application (or set of instructions).
The processing device is operatively coupled with the storage device. More specifically, the processing device may execute programs stored in the memory and/or the non-volatile storage to perform operations in the task platform. As such, the processing device may include one or more general purpose microprocessors, one or more application specific processors (ASICs), one or more field programmable logic arrays (FPGAs), or any combination thereof. Wherein, the plurality of CPUs included in the processing device can be located in the same entity server or distributed in a plurality of entity servers, and realize data communication by means of the interface device so as to cooperatively execute the steps of the methods.
As shown in fig. 1, the verification platform for service data of the present application may include: a transceiver module 11, a privacy encryption module 13, a storage module 15 and a verification module 17.
The transceiver module 11 is used for transceiving information.
In this embodiment, the transceiver module 11 may be configured to receive a service request, where the service request includes service data to be verified.
Generally, when a service is implemented, a data provider obtains service data of a user and generates a service request including the service data, the service request is sent to a verification platform, and the verification platform verifies the received service request. Taking the most common payment service as an example, in a payment transaction, a terminal (e.g. a merchant side) generates a payment request containing payment data directly or through an acquiring system, sends the payment request to a verification platform for verification, and receives the payment request through a transceiver module 11 of the verification platform.
In some embodiments, the service data in the service request includes first authentication information.
For example, in business scenarios such as access control, attendance, public transportation, and ticketing, at least first verification information needs to be provided when the service is implemented. The first verification information may be, for example, password information (set by the user or sent by the service executor through a short message, a mail, or a message in a mobile phone app), a mobile phone number of the user, two-dimensional code information, or an electronic card. In some examples, the password information may be, for example, a numeric password of 6 digits, 8 digits, or more, but is not limited thereto; if the terminal device can provide the corresponding technical support, the password information may also be more complex, for example 8 to 16 characters that include at least three of the types digits, uppercase letters, lowercase letters, and special characters, which gives higher security. In some examples, the password information may be associated with identity information of the user or with a mobile phone number of the user; for example, the password information may be part or all of the identification number or the mobile phone number, or some combination of the identification number, the mobile phone number, and other information.
Of course, the first verification information is not limited thereto; for example, the first verification information may also be biological information. Biological information is inherent to the human body and has the distinctive property that it cannot be copied, stolen or forgotten. Identity authentication using biometric identification technology has the advantages of safety, reliability, accuracy, convenience and the like. Human biological characteristics such as face information, fingerprint information, palm print information, iris information, and heart rate information have been applied to business implementation along with the rapid development of photoelectric technology, microcomputer technology, image processing technology, pattern recognition technology and the like.
In some embodiments, the service data in the service request includes first authentication information and second authentication information.
Taking the financial payment service as an example, in a traditional bank card payment scenario, the first verification information may be, for example, a bank card number and the second verification information a payment password, or the first verification information may be a payment password and the second verification information a bank card number. The verification platform of the service data may verify the validity of the service data according to the bank card number and the payment password; after the verification information is sent to the card issuing bank, the card issuing bank performs a deduction operation according to the verification, thereby completing the payment.
However, with the rapid development of information technology, cardless payment is increasingly common. In the cardless payment scenario, the first verification information may be, for example, password information, and the second verification information may be, for example, biological information. The verification platform of the business data may perform verification in the database using the password information and the biological information to determine the business account (for example, a bank card number, or a customer identification code issued by a bank that uniquely represents a customer) matching the password information and the biological information. After the validity of the business account is verified, the verification information is sent to the issuing bank, and the issuing bank performs the deduction operation according to the verification, completing the payment.
The password information can be associated with a bank card number of the user, with identity information of the user, with a mobile phone number of the user, and the like. In some examples, the password information may be, for example, a payment password, which may be, for example, a 6-digit or 8-digit password, but is not limited thereto; if the payment device at the merchant end can provide the corresponding technical support, the payment password may be more complex, for example 8 to 16 characters that include at least three of the types digits, uppercase letters, lowercase letters, and special characters, which gives higher security. In some examples, the password information may also take other forms, such as a gesture password.
Biological information is inherent to the human body and has the distinctive property that it cannot be copied, stolen or forgotten. Identity authentication using biometric identification technology has the advantages of safety, reliability, accuracy, convenience and the like. Biological information, including face information, fingerprint information, palm print information, iris information, heart rate information and the like, belongs to human biological characteristics.
In practice, the service data in the service request is collected by the terminal.
For example, in an access service scenario, the access terminal may be, for example, a password keyboard, an electronic card reader, or a fingerprint acquirer.
For example, in an attendance business scenario, the attendance terminal may be, for example, a password keyboard, an electronic card reader, a fingerprint acquirer, or the like.
For example, in a ticket service scenario, the ticket terminal may be, for example, a password keyboard, a two-dimensional code reader, or a fingerprint acquirer.
For example, in a financial payment business, taking a common bank card payment as an example, the terminal is usually configured with a POS (Point of Sale) machine including a card reader for reading bank card information (e.g., a magnetic stripe reader for reading a magnetic stripe of a bank card or a chip reader for reading a chip of a bank card) and a password keyboard.
For example, in the cardless payment service, the terminal is usually configured with a POS machine, and the POS machine is also usually provided with or associated with a biological information collecting device, the POS machine can collect password information of the user, and the biological information collecting device can collect biological information of the user, and the biological information can be face information, fingerprint information, palm print information, iris information, heart rate information, and the like.
In the following, face-brushing payment is taken as an example for detailed description. A camera is usually arranged or associated at the merchant terminal for shooting a face image of a business requester. The service requester or the staff at the business user side can select a 'face brushing' button in the payment terminal to start the camera to collect the face image. Taking the payment service as an example, after the staff at the business user side selects 'face brushing payment', the business requester (consumer) can face the camera, so that the camera can collect the face image of the business requester.
In addition, a collection device for the payment password is usually set or associated at the merchant end, such as a pure numeric keyboard, a computer keyboard, a touch screen, etc. The payment password is usually preset by the service requester, and may be a group of numbers, a group of letters, a group of symbols, or a combination of numbers, letters, and symbols; the application is not limited in this respect.
In practical application, the service requester may input a preset payment password through the keyboard or the touch screen after acquiring the face image, or may acquire the face image after inputting the preset payment password through the keyboard or the touch screen.
Thus, in the embodiment, after the merchant collects the payment password and the facial image of the service requester, the merchant can combine the payment password and the facial image with the characteristic information (such as the merchant account number, the equipment identification code of the POS machine, and the like) of the merchant to form a service request, and send the service request to the service data verification platform through the acquiring system, so that the service data in the service request can be verified by the verification platform.
In some examples, the POS machine also encrypts the payment password, for example by salt encryption.
Because the password information is set by the user, in practical applications the password set by the user may not be complex enough, and different users are likely to use the same password, in which case the password information ciphertext fragments corresponding to those users are also the same. After a database storing user passwords is leaked, an attacker can then easily find the users who share a password, which reduces the difficulty of cracking the password.
Salt encryption is an encryption method for password information (such as payment passwords), implemented by associating each piece of password information with an n-bit random number called a "salt". The random number is generated randomly by a computer and mixed into the original password in a random manner, and a character string is then generated by encryption and stored. In other words, the process is one-way: the computer does not know the user's original password, and even if the encryption method is known, the pre-encryption character string that is derived in reverse is the result of mixing the true password with the random value, so the true password of the user cannot be recovered.
Therefore, after the business user collects the password information (such as a payment password) and the biological information (such as a face image) of the business requester, the POS machine encrypts the password information to form a password information ciphertext fragment. The password information ciphertext fragment and the biological information are combined with the characteristic information of the business user (such as a merchant account number, a device identification code of a cash register POS machine and the like) to form a business request, and the business request is sent to the verification platform of business data through the acquiring system.
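The effect described in the two paragraphs above can be checked with a short added example, which is not part of the patent text. It assumes PBKDF2-HMAC-SHA256 as the one-way function and a 16-byte salt, neither of which the text specifies; the account names and passwords are constructed.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

ITERATIONS = 100_000  # assumed work factor; the text does not give one

# Constructed sample: two users happen to choose the same 6-digit payment password.
SAMPLE_PASSWORDS = {"alice": "246810", "bob": "246810", "carol": "135791"}


def unsalted_record(password: str) -> bytes:
    """Stored value without salt: identical passwords give identical records."""
    return hashlib.sha256(password.encode()).digest()


def salted_record(password: str) -> tuple:
    """Stored value with a fresh random salt per password: (salt, digest)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def accounts_sharing_a_value(stored: dict) -> list:
    """Audit helper: groups of accounts whose stored value is byte-identical."""
    groups = defaultdict(list)
    for account, value in stored.items():
        groups[value].append(account)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def build_tables() -> tuple:
    """Return (unsalted table, salted digest table, salted full records)."""
    unsalted = {a: unsalted_record(p) for a, p in SAMPLE_PASSWORDS.items()}
    records = {a: salted_record(p) for a, p in SAMPLE_PASSWORDS.items()}
    salted = {a: digest for a, (_salt, digest) in records.items()}
    return unsalted, salted, records


if __name__ == "__main__":
    unsalted, salted, records = build_tables()
    print("unsalted duplicates:", accounts_sharing_a_value(unsalted))
    print("salted duplicates:  ", accounts_sharing_a_value(salted))
    print("alice verifies:     ", verify("246810", *records["alice"]))
```

Without salt the audit helper groups the two accounts that chose the same password; with a per-record salt no two stored values coincide, while verification against the stored salt still succeeds.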
The privacy encryption module 13 is configured to perform privacy encryption on the service data to be verified in the service request to obtain encrypted service data.
For example, in an entrance guard service scenario, verification information (e.g., password information, electronic card information, fingerprint information, etc.) collected by an entrance guard terminal is uploaded to a monitoring center, the monitoring center verifies whether the verification information is legal, and after the verification passes, confirmation can be replied to the entrance guard terminal, and the entrance guard terminal opens the entrance guard.
For example, in an attendance service scenario, verification information (e.g., password information, electronic card information, fingerprint information, etc.) collected by an attendance terminal is uploaded to an attendance management and control center, the attendance management and control center verifies whether the verification information is valid verification information, and after the verification passes, a confirmation can be replied to the attendance terminal, and the attendance terminal confirms that the attendance operation is completed.
For example, in a ticket business scenario, verification information (e.g., password information, barcode information, two-dimensional code information, fingerprint information, etc.) collected by a ticket terminal is uploaded to a ticket verification center, the ticket verification center verifies whether the verification information is valid verification information, and after the verification is passed, a confirmation can be replied to the ticket terminal.
In the financial payment business, taking bank card payment as an example, a merchant sends collected bank card information and payment passwords to an acquiring system through a POS machine, the acquiring system forwards the bank card information and the payment passwords to a verification platform, the verification platform obtains bank account numbers corresponding to consumers after verification, a payment message formed by the bank account numbers and the payment passwords of the consumers is sent to an issuing bank, and the issuing bank deducts money to complete payment.
Taking face-swiping payment as an example, a merchant sends a collected face picture and a payment password to an acquiring system through a POS machine, the acquiring system forwards the face picture and the payment password to a verification platform, the verification platform obtains a bank account number corresponding to a consumer after verification, a payment message formed by the bank account number and the payment password of the consumer is sent to an issuing bank, and the issuing bank deducts money to complete payment.
However, in the above various service scenarios, there are the following disadvantages: the verification information is stored in a server memory of the financial verification platform in a plaintext form, and potential safety hazards exist.
In particular, taking the above-mentioned face-brushing payment service as an example, the following disadvantages exist: unlike traditional password verification, the payment password is used for retrieval, and because it is used frequently it resides on the service data verification platform for a long time, so that there is a risk of the password being stolen by an IT (information technology) administrator or a hacker, and of the payment password being stolen by dictionary attack; the plaintext face data of the bank end is visible to the verification platform of the business data, and if the face data is abused on a large scale, the division of responsibility between the bank and the verification platform of the business data is unclear; the verification platform of the business data can easily associate the payment security code, the face data, the bank account and other core business data belonging to the bank, so that the cooperating bank has data and privacy protection concerns.
In some embodiments, the service data includes first verification information, and the privacy encryption module 13 is configured to perform privacy encryption on the service data to be verified, including performing privacy encryption on the first verification information in the service data, to form a plurality of ciphertext fragments of the first verification information.
For example, in an entrance guard business scenario, the privacy encryption module 13 may perform privacy encryption on first authentication information (e.g., password information, electronic card information, fingerprint information, etc.) in the business data.
For example, in an attendance business scenario, the privacy encryption module 13 may perform privacy encryption on first authentication information (e.g., password information, electronic card information, fingerprint information, etc.) in the business data.
For example, in a ticket business scenario, the privacy encryption module 13 may perform privacy encryption on first authentication information (e.g., password information, barcode information, two-dimensional code information, fingerprint information, etc.) in the business data.
In some embodiments, the service data includes first authentication information and second authentication information, and the privacy encryption module 13 is configured to perform privacy encryption on the service data to be authenticated, including performing privacy encryption on at least one of the first authentication information and the second authentication information in the service data. In some examples, the privacy encryption module 13 is configured to perform privacy encryption on the first authentication information in the service data to form a plurality of ciphertext fragments of the first authentication information. In some examples, the privacy encryption module 13 is configured to perform privacy encryption on the second authentication information in the service data to form a plurality of ciphertext fragments of the second authentication information. In some examples, the privacy encryption module 13 is configured to perform privacy encryption on both the first authentication information and the second authentication information in the business data, that is, to perform privacy encryption on the first authentication information in the business data to form a plurality of ciphertext fragments of the first authentication information, and to perform privacy encryption on the second authentication information in the business data to form a plurality of ciphertext fragments of the second authentication information. 
In this way, by using the privacy encryption module 13 to perform privacy encryption on at least one of the first authentication information and the second authentication information, protection of sensitive information including the first authentication information and the second authentication information is achieved, and an association relationship between the sensitive information (for example, between the first authentication information and the second authentication information) can also be protected, thereby ensuring security and reliability of the service data.
For example, in a bank card payment service, the privacy encryption module 13 performs privacy encryption on at least one of bank card information and a payment password. In some examples, the privacy encryption module 13 is used for privacy encryption of bank card information in the business data. In some examples, the privacy encryption module 13 is used to privacy encrypt the payment password in the service data. In some examples, the privacy encryption module 13 is used for privacy encrypting both the bank card information and the payment password in the business data.
For example, in the cardless payment service, the privacy encryption module 13 performs privacy encryption on at least one of password information and biometric information. In some examples, the privacy encryption module 13 is configured to perform privacy encryption on the cryptographic information in the service data. In some examples, the privacy encryption module 13 is used for privacy encrypting the biological information in the service data. In some examples, the privacy encryption module 13 is configured to perform privacy encryption on both the password information and the biometric information in the service data.
Still taking face-brushing payment as an example for details, the privacy encryption module 13 performs privacy encryption on at least one of the payment password and the face information. In some examples, the privacy encryption module 13 is used to privacy encrypt the payment password in the service data. In some examples, the privacy encryption module 13 is configured to perform privacy encryption on face information in the service data. In some examples, the privacy encryption module 13 is configured to perform privacy encryption on both the payment password and the face information in the service data.
The way for the privacy encryption module 13 to perform privacy encryption on the first verification information in the service data to be verified includes: carrying out privacy encryption on the first verification information in the service data to be verified to form ciphertext fragments of the first verification information.
Referring to FIG. 2, a diagram of a privacy encryption storage and privacy computing architecture in one embodiment is shown.
As shown in fig. 2, the privacy encryption storage and privacy computing architecture may include a user side and a server side. In this example, the server is configured with four computing nodes, where the computing nodes are a single computer device, or a physical device or a virtual device used in a cloud-based service system. The single computer device may be a computer device which is configured autonomously and can execute the processing method of the service data, and may be located in a private computer room or a leased computer location in a public computer room. The service system of the cloud architecture comprises a public cloud service end and a private cloud service end, wherein the public or private cloud service end comprises SaaS, PaaS, IaaS and the like. The private cloud service end comprises an Array cloud computing service platform, an Amazon cloud computing service platform, a Baidu cloud computing platform, a Tencent cloud computing platform and the like. The virtual device may be one of devices in which an entity server virtualizes a single stand-alone device into multiple logical devices through a virtualization technology, and the logical devices are used by multiple user processes simultaneously.
The computing nodes may include storage devices, processing devices, network interface devices, and the like. In fact, according to the hardware device of the processing method for actually operating the service data by the computing node, the above devices may be located on a single server, or located in multiple servers and cooperatively completed through data communication among the servers.
The interface device is in data connection with the processing device, which may be connected via a bus or via a communication network for data transfer. To this end, the interface means include, but are not limited to, a network card, a mobile network access module, a bus interface connected to the processing means through a bus, and the like. The interface device is also in communication connection with a task management platform, wherein the task management platform may be the aforementioned task management platform or another task management platform that can provide computing instructions. The interface device is in data communication with the task management platform and the data source through at least one of the internet, the mobile network and the local area network so as to receive a calculation instruction for secret calculation sent by the task management platform and acquire private data of the data source.
The storage device is used for storing at least one program capable of executing the processing method of the service data. The storage device may be located on the same physical server as the processing device, or in a different physical server and transmits the calculation instructions to the processing device running the calculation through the interface device of each server. The storage may include high speed random access memory and may also include non-volatile memory, such as one or more magnetic disk storage devices, flash memory devices, or other non-volatile solid state storage devices. In certain embodiments, the memory may also include memory that is remote from the one or more processors, such as network-attached memory accessed via RF circuitry or external ports and a communication network (not shown), which may be the internet, one or more intranets, Local Area Networks (LANs), wide area networks (WLANs), Storage Area Networks (SANs), etc., or a suitable combination thereof. The storage device also includes a memory controller that can control access to the memory by other components of the device, such as the CPU and peripheral interfaces. Among the software components stored in the storage device are an operating system, a communications module (or set of instructions), a text input module (or set of instructions), and an application (or set of instructions).
The storage device is used for storing at least one program capable of executing the computing method. The storage device may be located on the same physical server as the processing device, or in a different physical server and transmits the calculation instructions to the processing device running the calculation through the interface device of each server. The storage may include high speed random access memory and may also include non-volatile memory, such as one or more magnetic disk storage devices, flash memory devices, or other non-volatile solid state storage devices. In certain embodiments, the memory may also include memory that is remote from the one or more processors, such as network-attached memory accessed via RF circuitry or external ports and a communication network (not shown), which may be the internet, one or more intranets, Local Area Networks (LANs), wide area networks (WLANs), Storage Area Networks (SANs), etc., or a suitable combination thereof. The storage device also includes a memory controller that can control access to the memory by other components of the device, such as the CPU and peripheral interfaces. Among the software components stored in the storage device are an operating system, a communications module (or set of instructions), a text input module (or set of instructions), and an application (or set of instructions).
The processing device is operatively coupled with the storage device. More specifically, the processing device may execute programs stored in the memory and/or the non-volatile storage to perform operations in the task platform. As such, the processing device may include one or more general purpose microprocessors, one or more application specific processors (ASICs), one or more field programmable logic arrays (FPGAs), or any combination thereof. Wherein, the plurality of CPUs included in the processing device can be located in the same entity server or dispersed in a plurality of entity servers, and realize data communication by means of the interface device to cooperatively execute the computing method.
The functions that the privacy encryption storage and privacy computing architecture can implement may include privacy encryption storage and privacy computing.
The following description of the relevant functions is still made taking the four computing nodes shown in fig. 2 as an example.
Privacy encryption storage:
The user side performs privacy encryption on the data X to be stored to form a ciphertext and sends the ciphertext to the server side.
Specifically, taking data X as an example, the data X is subjected to privacy encryption to form ciphertext fragments (shares) X1, X2, Xa, and Xb. In some embodiments, the ciphertext fragments X1, X2, Xa, and Xb are obtained by a random distribution process, i.e., data X is randomly distributed based on a random number generated by the privacy encryption to form a plurality of ciphertext fragments. For example, ciphertext fragment X1 is a randomly selected large integer, ciphertext fragment X2 satisfies X1 + X2 = X (mod 2^256), and Xa = X1 + R, Xb = X2 - R, where R = random(seed) is a shared random number generated based on a random number seed shared between the computing nodes S1 and S2. Each computing node performs local computation using a shared random number to obtain intermediate data or computation results that can be cancelled, wherein each computing node is configured with a random number generator that generates the random number.
In some embodiments, the plurality of ciphertext fragments formed via the privacy encryption may be stored by the computing nodes of the server side. For example, taking four ciphertext fragments X1, X2, Xa, and Xb formed through privacy encryption as an example, ciphertext fragment X1 is stored by server-side computing node S1, ciphertext fragment X2 is stored by server-side computing node S2, ciphertext fragment Xa is stored by server-side computing node Sa, and ciphertext fragment Xb is stored by server-side computing node Sb. Therefore, the computing nodes S1, S2, Sa, Sb may act as storage nodes.
In some embodiments, the plurality of ciphertext fragments formed via the privacy encryption may also be stored by other memories. For example, taking four ciphertext fragments X1, X2, Xa, and Xb formed by privacy encryption as an example, ciphertext fragment X1 is stored in memory C1 (not shown), ciphertext fragment X2 is stored in memory C2 (not shown), ciphertext fragment Xa is stored in memory Ca (not shown), and ciphertext fragment Xb is stored in memory Cb (not shown). The memories C1, C2, Ca and Cb (not shown) may be used as storage nodes.
In addition, for the storage nodes, the storage nodes may be configured in a single computer device, a computer cluster, or a service system based on a cloud architecture.
By dispersedly storing a plurality of ciphertext fragments formed by privacy encryption of input data in each storage node, the attack which all storage nodes may face after being invaded by hackers can be resisted.
Privacy calculation:
On the premise of no collusion, the four computing nodes S1, S2, Sa, Sb obey the privacy operation protocol and cooperatively perform the multi-party computation corresponding to a computation task. For example, a computation task may include a mathematical computation task on two or more input data. Each computing node performs local computation using the shared random number to obtain intermediate data or computation results that can be cancelled, thereby ensuring that data transmitted between computing nodes, and between computing nodes and other devices, cannot be leaked.
Taking the mathematical computation task of two input data as an example, basic operations such as X + Y, XY, X > Y, etc. can be computed based on ciphertext fragments without recovering the plaintext input data X, Y. In some examples, when Z = X + Y is to be calculated, the computing nodes S1 and S2 only need to locally calculate Z1 = X1 + Y1 and Z2 = X2 + Y2 respectively, add random numbers to Z1 and Z2, and send the results to the result receiver, which decrypts Z, that is, Z1 + Z2 = X1 + Y1 + X2 + Y2 = (X1 + X2) + (Y1 + Y2) = X + Y. In some examples, if Z = XY = (X1 + X2)(Y1 + Y2) is to be calculated, the formula may be expanded: Z = XY = (X1 + X2)(Y1 + Y2) = X1Y1 + X1Y2 + X2Y1 + X2Y2, which contains non-cross terms (X1Y1, X2Y2) and cross terms (X2Y1, X1Y2). Based on the first privacy-encrypted ciphertext fragments, the computing nodes S1, S2 may locally compute the non-cross terms (X1Y1, X2Y2), respectively, and based on the second privacy-encrypted ciphertext fragments, the computing nodes Sa, Sb may locally compute the cross terms (X2Y1, X1Y2), respectively. Random numbers are added to the non-cross terms (X1Y1, X2Y2) and the cross terms (X2Y1, X1Y2), and the results are then sent to a result receiver, which decrypts them to obtain Z. The correctness of the result can be proved mathematically, and no computing node can recover X/Y/Z without colluding with a corresponding node, thereby ensuring the security of basic privacy computation.
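The fragment construction under "privacy encryption storage" and the addition and product identities above can be exercised with the following added example, which is not code from the patent. Assumptions: SHA-256 over a seed and counter stands in for random(seed); the random numbers added before sending to the result receiver are modelled as a cancelling pair +R and -R; and because the text does not spell out how Sa and Sb derive the cross terms from Xa and Xb, `product_terms` only checks the algebraic decomposition using X1, X2, Y1, Y2 directly. Input values are constructed.

```python
import hashlib
import secrets

MOD = 2 ** 256  # modulus from the text: X1 + X2 = X (mod 2^256)
NODES = ("S1", "S2", "Sa", "Sb")


def shared_random(seed: bytes, counter: int) -> int:
    """R = random(seed). Assumed stand-in: SHA-256(seed || counter) as a 256-bit integer."""
    digest = hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big")


def share(x: int, seed: bytes, counter: int) -> dict:
    """Split x into the fragments X1, X2, Xa, Xb held by nodes S1, S2, Sa, Sb."""
    x1 = secrets.randbelow(MOD)        # X1: randomly selected large integer
    x2 = (x - x1) % MOD                # X2 chosen so that X1 + X2 = X (mod 2^256)
    r = shared_random(seed, counter)   # R derived from the seed shared by S1 and S2
    return {"S1": x1, "S2": x2, "Sa": (x1 + r) % MOD, "Sb": (x2 - r) % MOD}


def reconstruct(frag_a: int, frag_b: int) -> int:
    """Combine the two fragments of one pair: (X1, X2) or (Xa, Xb)."""
    return (frag_a + frag_b) % MOD


def add_local(xs: dict, ys: dict) -> dict:
    """Z = X + Y: every node adds the two fragments it holds, with no communication."""
    return {n: (xs[n] + ys[n]) % MOD for n in NODES}


def mask_pair(z1: int, z2: int, seed: bytes, counter: int) -> tuple:
    """Add a shared random number to each result so that the masks cancel on addition."""
    r = shared_random(seed, counter)
    return (z1 + r) % MOD, (z2 - r) % MOD


def product_terms(xs: dict, ys: dict) -> tuple:
    """Non-cross terms (X1Y1, X2Y2) and cross terms (X2Y1, X1Y2) of Z = XY.
    Algebra check only: the cross terms are computed directly here."""
    non_cross = [xs["S1"] * ys["S1"] % MOD, xs["S2"] * ys["S2"] % MOD]
    cross = [xs["S2"] * ys["S1"] % MOD, xs["S1"] * ys["S2"] % MOD]
    return non_cross, cross


def demo(x: int = 271828, y: int = 314159) -> dict:
    """Run storage, addition and the product identity on constructed inputs."""
    seed = b"constructed seed shared by S1 and S2"
    xs, ys = share(x, seed, 0), share(y, seed, 1)
    zs = add_local(xs, ys)
    m1, m2 = mask_pair(zs["S1"], zs["S2"], seed, 2)
    non_cross, cross = product_terms(xs, ys)
    return {
        "x_first_pair": reconstruct(xs["S1"], xs["S2"]),
        "x_second_pair": reconstruct(xs["Sa"], xs["Sb"]),
        "x_mixed_pair": reconstruct(xs["S1"], xs["Sb"]),  # off by R, not X
        "sum_masked": reconstruct(m1, m2),
        "sum_second_pair": reconstruct(zs["Sa"], zs["Sb"]),
        "product": sum(non_cross + cross) % MOD,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Fragments from different pairs, such as X1 with Xb, combine to X - R rather than X, so a fragment is only useful together with its own counterpart.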
It should be noted that, according to the design requirement of the privacy computing architecture, the number of the participating computing nodes is not limited to the above example, and the number of the computing nodes providing the computing result is not limited to the above example.
In some embodiments, the service data includes first verification information, and the privacy encryption module 13 is configured to perform privacy encryption on the service data to be verified, including performing privacy encryption on the first verification information in the service data to form a plurality of ciphertext fragments of the first verification information, where the ciphertext fragments of the first verification information may be dispersedly stored in a plurality of storage nodes (e.g., computing nodes). The following describes an example in which the privacy encryption module 13 performs privacy encryption on the first verification information in the service data.
It should be noted that in the foregoing various service scenarios, the terminal acquires the first verification information by using a set or associated acquisition device, the terminal sends a service request including the first verification information to the verification platform, and the verification platform performs privacy encryption on the decrypted first verification information by using the privacy encryption module 13.
The way of using the privacy encryption module 13 to perform privacy encryption on the first authentication information in the service data may include: the first verification information X is subjected to privacy encryption to form ciphertext fragments X1, X2, Xa and Xb of the first verification information.
Taking the storage node as the computing node, for example, the ciphertext fragments X1, X2, Xa, Xb of the first verification information formed by performing the privacy encryption on the first verification information X by the privacy encryption module 13 may be stored in the four computing nodes S1, S2, Sa, Sb in a distributed manner, specifically, the ciphertext fragment X1 of the first verification information is stored in the computing node S1, the ciphertext fragment X2 of the first verification information is stored in the computing node S2, the ciphertext fragment Xa of the first verification information is stored in the computing node Sa, and the ciphertext fragment Xb of the first verification information is stored in the computing node Sb.
In some embodiments, the service data includes first authentication information and second authentication information, and the privacy encryption module 13 is configured to perform privacy encryption on the service data to be authenticated, including performing privacy encryption on at least one of the first authentication information and the second authentication information in the service data.
The way of using the privacy encryption module 13 to perform privacy encryption on the first authentication information in the service data may include: the first verification information X is subjected to privacy encryption to form ciphertext fragments X1, X2, Xa and Xb of the first verification information. Taking the example of the storage node as a computing node, the ciphertext fragments X1, X2, Xa, Xb of the first verification information may be stored in four computing nodes S1, S2, Sa, Sb in a distributed manner, specifically, the ciphertext fragment X1 of the first verification information is stored in the computing node S1, the ciphertext fragment X2 of the first verification information is stored in the computing node S2, the ciphertext fragment Xa of the first verification information is stored in the computing node Sa, and the ciphertext fragment Xb of the first verification information is stored in the computing node Sb.
The way of using the privacy encryption module 13 to perform privacy encryption on the second authentication information in the service data may include: performing privacy encryption on the second verification information Y to form ciphertext fragments Y1, Y2, Ya and Yb of the second verification information. Taking the example of the storage node as a computing node, the ciphertext fragments Y1, Y2, Ya, Yb of the second verification information may be stored in four computing nodes S1, S2, Sa, Sb in a distributed manner, specifically, the ciphertext fragment Y1 of the second verification information is stored in the computing node S1, the ciphertext fragment Y2 of the second verification information is stored in the computing node S2, the ciphertext fragment Ya of the second verification information is stored in the computing node Sa, and the ciphertext fragment Yb of the second verification information is stored in the computing node Sb.
Still taking the cardless payment service as an example, the first authentication information in the service data is, for example, password information, and the second authentication information is, for example, biological information.
The privacy encryption module 13 is used to perform privacy encryption on the password information in the service data.
It should be noted that, in the foregoing cardless payment service, the POS machine at the merchant end collects the password information by using a set or associated collection device (e.g., a pure numeric keyboard, a computer keyboard, a touch screen, etc.), and the POS machine at the merchant end encrypts the collected password information before uploading the service request to form encrypted password information, so the service data verification platform may further include an encryptor configured to decrypt the encrypted password information to recover the password information. Subsequently, the privacy encryption module 13 is used to perform privacy encryption on the decrypted password information.
Still taking four computing nodes as an example, the way of using the privacy encryption module 13 to perform privacy encryption on the password information in the service data may include: performing privacy encryption on the password information X to form password information ciphertext fragments X1, X2, Xa and Xb.
In this way, the password information ciphertext fragments X1, X2, Xa, Xb formed by the privacy encryption module 13 performing privacy encryption on the password information X are dispersedly stored in four storage nodes (e.g., the computing nodes S1, S2, Sa, Sb), so that the security of the password information can be ensured.
Similarly, the following describes an example in which the privacy encryption module 13 performs privacy encryption on the biological information in the service data.
In the current information age, how to accurately identify the identity of a person and protect the information security becomes a key social problem which must be solved. Conventional identity authentication (e.g., identification cards, drivers licenses, social security cards, bank cards, etc.) is becoming increasingly difficult to satisfy social needs because they are extremely easy to lose and counterfeit.
The most convenient and safe solution at present is undoubtedly the biometric identification technology. The biological identification technology is closely combined with high-tech means such as optics, acoustics, biosensors and the principle of biometry by a computer, and the identity of an individual is identified by utilizing the biological characteristics of the human body. The human body biological characteristics have the advantages of no loss, no forgetting, uniqueness, invariance, good anti-counterfeiting performance, convenient use and the like, so that the biological identification technology is more and more accepted and widely applied by the society. Commonly, biometric information applicable to biometric identification techniques may include, but is not limited to: the biometric identification technology corresponding to the face information, the fingerprint information, the palm print information, the iris information, the heart rate information and the like is respectively the face identification technology, the fingerprint identification technology, the palm print identification technology, the iris identification technology, the heart rate identification technology and the like.
Generally, the related biological information, regardless of the type, can be classified into biological raw data having a natural meaning and biological characteristic data obtained by extracting characteristics of the biological raw data.
In some examples, taking the biological information as human face information as an example, the human face information may include a human face image as biological raw data and human face features as biological feature data, where the human face features are obtained by performing feature extraction on the human face image.
In some examples, taking the biological information as fingerprint information as an example, the fingerprint information may include a fingerprint image as biological raw data and fingerprint features as biological feature data, where the fingerprint features are obtained by performing feature extraction on the fingerprint image.
In some examples, taking the biological information as palm print information as an example, the palm print information may include a palm print image as biological raw data and palm print features as biological feature data, where the palm print features are obtained by performing feature extraction on the palm print image.
In some examples, taking the biological information as iris information as an example, the iris information may include an iris image as biological raw data and iris features as biological feature data, where the iris features are obtained by performing feature extraction on the iris image.
Among these biometric technologies, face recognition has the following characteristics compared with the other types. Non-mandatory: a face image can be acquired almost without the user being aware of it, and the user does not need to cooperate specially with the face acquisition equipment. Non-contact: the face image can be obtained without the user directly touching the equipment. Simple and convenient: face acquisition equipment is simple and easy to popularize, and the acquisition method is simple and easy to implement.
In practical applications, the merchant end acquires the biological information of the service requester using a built-in or associated biological information acquisition device, and the POS machine at the merchant end includes the biological information in the service request it forms and sends it to the service data verification platform through the acquiring system. Here, the biological information refers to biological raw data, for example, a face image, a fingerprint image, a palm print image, an iris image, and the like.
In some examples, the POS or acquirer system at the merchant site may also perform some encryption on the biometric raw data collected.
However, in consideration of simplifying the device complexity of the client, reducing the cost, promoting the application, and the like, the merchant terminal or the acquiring system generally does not perform the feature extraction operation on the acquired biological raw data. Therefore, the verification platform of the business data may further include a biometric extraction module (not shown in the drawings) for performing feature extraction on the biological raw data in the business request to obtain the biometric feature.
In some examples, for example, the biometric feature extraction module may perform feature extraction on a face image as biometric raw data to obtain face features.
In some examples, taking fingerprint identification as an example, the biometric extraction module may perform feature extraction on a fingerprint image as biometric raw data to obtain fingerprint features.
In some examples, taking palm print recognition as an example, the biometric feature extraction module may perform feature extraction on a palm print image as biometric raw data to obtain palm print features.
In some examples, taking iris recognition as an example, the biometric extraction module may perform feature extraction on an iris image as biometric raw data to obtain iris features.
Still taking face-brushing payment, which applies face recognition technology, as an example, the merchant end generally only needs a built-in or associated camera as the face acquisition equipment. In some examples, the camera may be a 2D camera, which obtains an image containing the photographed subject, but it is not limited thereto. In some examples, the camera may be a 3D camera, which, compared with an ordinary 2D camera, can also acquire depth information, that is, the three-dimensional position and size of the photographed subject, so as to enhance the camera's face and object recognition functions.
The merchant end collects the face image of the service requester using the built-in or associated camera, and the POS machine at the merchant end includes the face image in the service request it forms and sends it to the service data verification platform through the acquiring system. Therefore, the service data verification platform may further include a face feature extraction module configured to perform feature extraction on the face image in the service request to obtain the face features.
In some embodiments, the process by which the service data verification platform extracts features from the face image in the service request to obtain the face features may specifically include: extracting the face feature vector of the face image in the service request using a pre-constructed and trained deep learning model. The deep learning model may be based on a multilayer neural network. Such a model generally includes a plurality of base layers, and each base layer can act as an independent feature extraction layer that extracts local features of the face image. In an implementation, the multilayer neural network may use convolution, i.e., it may be a convolutional neural network.
Taking the training of a convolutional neural network model as an example: a certain number of face image samples are prepared and classified by a user. The face image samples are input into the convolutional neural network model as training samples, and the weight parameters of the connections between the nodes on each base layer of the model are adjusted continuously according to the classification results the model outputs. During this continuous adjustment, as the model is trained on the input training samples, the accuracy of its output classification results relative to the classification results calibrated by the user gradually improves. The user can also preset an accuracy threshold: if, during the adjustment, the accuracy of the classification results output by the model relative to the user-calibrated classification results reaches the preset threshold, the weight parameters of the connections between the nodes of the base layers are taken to be the optimal weight parameters, and the convolutional neural network model can be considered trained.
After the training is finished, the convolutional neural network model can be directly used for extracting the face feature vector of the face image to be recognized in the service request.
Still taking four computing nodes as an example, the privacy encryption module 13 may perform privacy encryption on the biological information in the service data as follows: the biological information Y is privacy-encrypted to form biological information ciphertext fragments Y1, Y2, Ya and Yb. Here, the biological information actually refers to the biometric feature data obtained by extracting features from the biological raw data.
Taking as an example the privacy encryption module 13 performing privacy encryption on the face information in the service data, the face features of the face appearing in the face image are obtained through face feature extraction. Performing privacy encryption on the face information in the service data therefore means performing privacy encryption on the extracted face features. Specifically, the privacy encryption of the extracted face features by the privacy encryption module 13 may include: privacy-encrypting the face feature Y to form ciphertext fragments Y1, Y2, Ya and Yb of the face feature.
In some embodiments, taking as an example the extraction of face features from the face image using the convolutional neural network model, the face feature vector can be extracted from the face image in the service request using that model. The privacy encryption, by the privacy encryption module 13, of the face feature vector extracted by the convolutional neural network model may then include: privacy-encrypting the face feature vector Y to form ciphertext fragments Y1, Y2, Ya and Yb of the face feature vector.
In this way, the biological information ciphertext fragments Y1, Y2, Ya and Yb obtained when the privacy encryption module 13 privacy-encrypts the biological information Y are stored dispersedly in the four computing nodes S1, S2, Sa and Sb, so that the security of the biological information can be ensured.
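The fragmenting of the password information X and the feature vector Y across the nodes S1, S2, Sa and Sb can be illustrated with the following added example, which is not code from the patent. The text above does not specify the privacy encryption scheme, so this sketch assumes plain four-way additive secret sharing; the ring size, the fixed-point scale and all function names are assumptions.

```python
import secrets

MODULUS = 2 ** 128                 # assumption: ring size, not given in the text
NODES = ("S1", "S2", "Sa", "Sb")   # computing nodes named in the text
SCALE = 2 ** 16                    # assumption: fixed-point scale for features


def split(value, n=len(NODES)):
    """Split an integer into n additive fragments that sum to value mod MODULUS."""
    fragments = [secrets.randbelow(MODULUS) for _ in range(n - 1)]
    fragments.append((value - sum(fragments)) % MODULUS)
    return fragments


def combine(fragments):
    """Recombine fragments; every fragment is required."""
    return sum(fragments) % MODULUS


def encode_password(password):
    """Map a short password string to a ring element (leading zeros survive)."""
    raw = password.encode("utf-8")
    if not 0 < len(raw) <= 16:
        raise ValueError("password must be 1 to 16 bytes for this ring size")
    return int.from_bytes(raw, "big")


def decode_password(value):
    return value.to_bytes((value.bit_length() + 7) // 8, "big").decode("utf-8")


def encode_feature(x):
    """Fixed-point encode one feature component; negatives wrap mod MODULUS."""
    return round(x * SCALE) % MODULUS


def decode_feature(value):
    if value >= MODULUS // 2:      # upper half of the ring encodes negatives
        value -= MODULUS
    return value / SCALE


def distribute(password, feature):
    """Return {node: {"X": fragment, "Y": [fragment per component]}}."""
    stores = {node: {"X": None, "Y": []} for node in NODES}
    for node, frag in zip(NODES, split(encode_password(password))):
        stores[node]["X"] = frag
    for component in feature:
        for node, frag in zip(NODES, split(encode_feature(component))):
            stores[node]["Y"].append(frag)
    return stores


def recover(stores):
    """Recombine the fragments held by all four nodes."""
    password = decode_password(combine([stores[n]["X"] for n in NODES]))
    length = len(stores[NODES[0]]["Y"])
    feature = [
        decode_feature(combine([stores[n]["Y"][i] for n in NODES]))
        for i in range(length)
    ]
    return password, feature


if __name__ == "__main__":
    # Constructed sample values, not real credentials or biometric data.
    stores = distribute("135790", [0.25, -1.5, 3.0])
    for node in NODES:
        print(node, hex(stores[node]["X"]))   # each fragment alone looks random
    print(recover(stores))
```

Under this assumed scheme, any three fragments are uniformly random and independent of X or Y, so a single compromised node learns nothing about the password or the feature vector.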
The verification module 17 is configured to verify whether a service account corresponding to the encrypted service data exists in the stored registration information.
The registration information comprises a service account and service registration data related to the service account, and the service registration data corresponds to the service data.
In some embodiments, the service data in the service request includes first authentication information, and correspondingly, the registration information includes the service account and its associated service registration data, which also includes the first authentication information. The first authentication information in the service registration data is privacy encrypted to form a plurality of ciphertext fragments of the first authentication information, and the ciphertext fragments of the first authentication information are dispersedly stored in a plurality of storage nodes (e.g., computing nodes) of the storage module 15.
In some embodiments, the service data in the service request includes first authentication information and second authentication information, and correspondingly, the registration information includes the service account and its associated service registration data, which also includes the first authentication information and the second authentication information. The first verification information and/or the second verification information in the service registration data are/is encrypted through privacy to form a plurality of ciphertext fragments of the first verification information and/or a plurality of ciphertext fragments of the second verification information. In some examples, the first authentication information in the service enrollment data is privacy encrypted to form a plurality of ciphertext fragments of the first authentication information. In some examples, the second authentication information in the service enrollment data is privacy encrypted to form a plurality of ciphertext fragments of the second authentication information. In some examples, the first authentication information and the second authentication information in the service enrollment data are privacy encrypted to form a plurality of ciphertext fragments of the first authentication information and a plurality of ciphertext fragments of the second authentication information, respectively. These ciphertext fragments of the first authentication information and/or the ciphertext fragments of the second authentication information are stored in a plurality of storage nodes (e.g., compute nodes) of the storage module 15 in a decentralized manner.
Still taking the cardless payment service as an example, the problem to be solved is matching the service request with the service account of the corresponding service requester, which involves at least the following aspects: how to match the service requester information in the service request with the service account of the corresponding service requester, and how to increase the matching speed.
In the cardless payment service, the service data in the service request includes first authentication information and second authentication information, where the first authentication information may be, for example, password information and the second authentication information may be, for example, biological information. Using the password information and the biological information, the verification module 17 can quickly match the service request with the service account of the corresponding service requester and thus complete payment verification.
When the technology is mature, the service request could in principle be matched with the service account of the corresponding service requester using the biological information alone. However, given the huge number of users holding service accounts and the characteristics of biological information, matching the corresponding service requester against massive user data in the user database using biological information alone involves a huge amount of computation, is time-consuming, and cannot meet the requirements of a cardless payment scenario. Therefore, in this embodiment, the service data in the service request includes both password information and biological information. The password information is used to search and filter the total set of user data, screening out the subset of user data that has the same password information; the amount of user data in this subset is far smaller than that of the total set. The biological information is then used to perform the matching operation within the screened subset. In this processing flow, because the password information is relatively simple, it can be used to search and filter the total set quickly and accurately, and because the screened subset is far smaller than the total set, the biological information can be matched quickly within the subset. Service data that includes both password information and biological information can therefore achieve higher verification efficiency than service data that includes only biological information, and the reliability of the data is also relatively improved.
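The filter-then-match flow described above is sketched in the following added example, which is not code from the patent. It runs on plaintext for readability, whereas the platform described here compares ciphertext fragments; the keyed password tag, the cosine-similarity threshold, the vector length and all names and sample data are assumptions.

```python
import hashlib
import hmac
import math
import random
from collections import defaultdict

PLATFORM_KEY = b"constructed-demo-key"  # assumption: key held by the platform
MATCH_THRESHOLD = 0.95                  # assumption: cosine-similarity cut-off
DIM = 32                                # assumption: feature vector length


def password_tag(password):
    """Keyed tag used as the index key, so equal passwords share a bucket."""
    return hmac.new(PLATFORM_KEY, password.encode("utf-8"),
                    hashlib.sha256).digest()


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


class Registry:
    """Registration information: service account plus password and feature."""

    def __init__(self):
        self.by_tag = defaultdict(list)
        self.size = 0

    def register(self, account, password, feature):
        self.by_tag[password_tag(password)].append((account, feature))
        self.size += 1

    def verify(self, password, probe):
        """Return (matched account or None, biometric comparisons performed)."""
        # Stage 1: the password narrows the total set to a small subset.
        subset = self.by_tag.get(password_tag(password), [])
        # Stage 2: biometric matching runs only inside that subset.
        best_account, best_score = None, MATCH_THRESHOLD
        for account, feature in subset:
            score = cosine(feature, probe)
            if score >= best_score:
                best_account, best_score = account, score
        return best_account, len(subset)


def build_demo_registry(n_other=5000, seed=7):
    """Constructed population: random features, four accounts share one password."""
    rng = random.Random(seed)
    reg = Registry()
    for i in range(n_other):
        reg.register(f"acct-{i:05d}", f"{rng.randrange(1000):06d}",
                     [rng.gauss(0, 1) for _ in range(DIM)])
    shared_password = "246810"
    target = [rng.gauss(0, 1) for _ in range(DIM)]
    reg.register("acct-target", shared_password, target)
    for i in range(3):
        reg.register(f"acct-same-pw-{i}", shared_password,
                     [rng.gauss(0, 1) for _ in range(DIM)])
    # A fresh capture of the same face: the registered vector plus small noise.
    probe = [x + rng.gauss(0, 0.05) for x in target]
    return reg, shared_password, probe


if __name__ == "__main__":
    reg, password, probe = build_demo_registry()
    account, compared = reg.verify(password, probe)
    print(f"matched {account}: {compared} biometric comparisons "
          f"instead of {reg.size}")
```

Because several accounts can share one password, the password stage only selects candidates; the decision to accept still rests on the biometric comparison inside the subset.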
Also, the verification module 17 may be configured to verify whether a service account corresponding to the encrypted service data exists in the stored registration information. Therefore, in this embodiment, the service data verification platform of the present application further stores registration information including user data, and the transceiver module 11 is further configured to receive the registration information.
As mentioned above, in the cardless payment service, the service data in the service request includes the first authentication information (e.g. password information) and the second authentication information (e.g. biometric information), and correspondingly, the registration information includes the service account and the service registration data associated therewith, and the service registration data also includes the first authentication information (e.g. password information) and the second authentication information (e.g. biometric information). The first authentication information (e.g., password information) and the second authentication information (e.g., biometric information) in the service enrollment data are privacy encrypted to form a plurality of ciphertext fragments of the first authentication information (e.g., password information ciphertext fragments) and/or a plurality of ciphertext fragments of the second authentication information (e.g., biometric information ciphertext fragments), and the ciphertext fragments of the first authentication information (e.g., password information ciphertext fragments) and/or the ciphertext fragments of the second authentication information (e.g., biometric information ciphertext fragments) are dispersedly stored in a plurality of storage nodes (e.g., computing nodes) of the storage module 15.
The application also discloses a registration system of the service registration data, which is used for executing the registration of the service registration data.
Please refer to fig. 3, which is a schematic structural diagram of a registration system of service registration data according to an embodiment of the present invention.
The registration system of the service registration data shown in fig. 3 is used for performing registration operation of the service registration data, so that the verification platform can complete service verification subsequently.
The service registration data is associated with the service account, and therefore, generally, the service registration data is obtained by a service execution mechanism to which the service account belongs.
For example, in an entrance guard service, the service execution mechanism may be, for example, a monitoring center.
For example, in an attendance service, the service execution mechanism may be, for example, an attendance management and control center.
For example, in a ticketing service, the service execution mechanism may be, for example, a ticketing validation center.
For example, in a financial payment service, the service execution mechanism may be, for example, a financial institution. The financial institution is, for example, a bank, but is not limited thereto, and may also be, for example, a securities company, an insurance company, a fund management company, and the like. Generally, taking banks as an example, one bank is configured with a single registration system for service registration data, and different banks are configured with the same or different registration systems. In some examples, a bank performs the registration of the service registration data through its configured registration system and uploads the service registration data and the associated service account directly to the service data verification platform. In some examples, a bank performs the registration of the service registration data through its configured registration system, uploads the service registration data and the associated service account to the data center of its head office, and the registration information is then uploaded to the service data verification platform through the data center of the head office.
The registration system of the service registration data may be an electronic device including a storage device, a processing device, an interface device, and the like, where the electronic device is a single computer device, a computer cluster, a cloud-architecture-based service system, or the like. The single computer device may be an autonomously configured computer device that can execute the methods of the present application, and may be located in a private machine room or in a leased position in a public machine room. The computer cluster may be a group of independent computer devices interconnected by a high-speed network, which form a group and are managed as a single system. The service system of the cloud architecture comprises a public cloud (Public Cloud) service end and a private cloud (Private Cloud) service end, where the public or private cloud service end comprises Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), Infrastructure-as-a-Service (IaaS), and the like. The private cloud service end is, for example, an Alibaba Cloud computing service platform, an Amazon cloud computing service platform, a Baidu cloud computing platform, a Tencent cloud computing platform, and the like.
According to the hardware device actually executing each of the above methods, each device constituting the electronic apparatus may be located on a single server, or located in a plurality of servers and cooperatively completed by data communication between the servers.
For this purpose, the interface device is connected to the processing device in a data-transmitting manner via a bus connection or via a communication network. To this end, the interface means include, but are not limited to, a network card, a mobile network access module, a bus interface connected to the processing means through a bus, and the like. For example, the interface device corresponding to the second computer system is communicatively connected to the interface device of the first computer system, the interface device of the user equipment, and the like. Each of the interface devices performs data communication through the internet, a mobile network, and a local area network.
The storage device is for storing at least one program that can perform any one or more of the methods described above. The storage device corresponding to the same electronic device may be located on the same physical server as the processing device, or may be located in a different physical server and transfer the program to the processing device running the program through the interface device of each server. The storage may include high speed random access memory and may also include non-volatile memory, such as one or more magnetic disk storage devices, flash memory devices, or other non-volatile solid state storage devices. In certain embodiments, the memory may also include memory that is remote from the one or more processors, such as network-attached memory accessed via RF circuitry or external ports and a communication network (not shown), which may be the internet, one or more intranets, Local Area Networks (LANs), wide area networks (WLANs), Storage Area Networks (SANs), etc., or a suitable combination thereof. The storage device also includes a memory controller that can control access to the memory by other components of the device, such as the CPU and peripheral interfaces. Among the software components stored in the storage device are an operating system, a communications module (or set of instructions), a text input module (or set of instructions), and an application (or set of instructions).
The processing device is operatively coupled with the storage device. More specifically, the processing device may execute programs stored in the memory and/or the non-volatile storage to perform operations in the task platform. As such, the processing device may include one or more general purpose microprocessors, one or more application specific processors (ASICs), one or more field programmable logic arrays (FPGAs), or any combination thereof. Wherein, the plurality of CPUs included in the processing device can be located in the same entity server or distributed in a plurality of entity servers, and realize data communication by means of the interface device so as to cooperatively execute the steps of the methods.
As shown in fig. 3, the registration system for service registration data of the present application may include: the system comprises a privacy encryption module 21 and a storage module 23, wherein the privacy encryption module 21 can be configured at the service execution mechanism end, and the storage module 23 can be configured at the verification platform end.
The privacy encryption module 21 is configured to perform privacy encryption on service registration data associated with the service account in the registration information to form encrypted service registration data.
In some embodiments, the service registration data includes first verification information, and the privacy encryption module 21 is configured to perform privacy encryption on the service registration data associated with the service account in the registration information, including performing privacy encryption on the first verification information in the service registration data, to form a plurality of ciphertext fragments of the first verification information.
For example, in business scenarios such as entrance guard, attendance checking, public transportation and ticketing, the first authentication information may be, for example, password information, the user's mobile phone number, two-dimensional code information, an electronic card, etc. In some examples, the password information may be, for example, a numeric password of 6 digits, 8 digits or more, but is not limited thereto. If the terminal device can provide the corresponding technical support, the password information may also be more complex, for example 8 to 16 characters including at least three of the four types numbers, uppercase letters, lowercase letters and special characters, which gives higher security. In some examples, the password information may be associated with the user's identity information or mobile phone number; for example, the password information may be part or all of the identification number or the mobile phone number, or some combination of the identification number, the mobile phone number and other information.
Of course, the first verification information is not limited thereto; for example, the first verification information may also be biometric information. Biological information is inherent to the human body and has the unique property that it cannot be copied, stolen or forgotten. Using biometric identification technology for identity authentication has advantages such as security, reliability, accuracy and convenience. Biological information, including face information, fingerprint information, palm print information, iris information, heart rate information and the like, belongs to the biological characteristics of the human body, and with the rapid development of photoelectric technology, microcomputer technology, image processing, pattern recognition and the like, biological information is increasingly applied in implementing services.
For example, in an entrance guard business scenario, the privacy encryption module 21 may perform privacy encryption on first authentication information (e.g., password information, electronic card information, fingerprint information, etc.) in the business registration data.
For example, in an attendance business scenario, the privacy encryption module 21 may perform privacy encryption on the first authentication information (e.g., password information, electronic card information, fingerprint information, etc.) in the business registration data.
For example, in a ticket business scenario, the privacy encryption module 21 may perform privacy encryption on first authentication information (e.g., password information, barcode information, two-dimensional code information, fingerprint information, etc.) in the business registration data.
In some embodiments, the service registration data includes first authentication information and second authentication information, and the privacy encryption performed by the privacy encryption module 21 on the service registration data includes privacy encryption of at least one of the first authentication information and the second authentication information. In some examples, the privacy encryption module 21 performs privacy encryption on the first authentication information in the service registration data to form a plurality of ciphertext fragments of the first authentication information. In some examples, the privacy encryption module 21 performs privacy encryption on the second authentication information in the service registration data to form a plurality of ciphertext fragments of the second authentication information. In some examples, the privacy encryption module 21 performs privacy encryption on both the first authentication information and the second authentication information in the service registration data to form a plurality of ciphertext fragments of the first authentication information and a plurality of ciphertext fragments of the second authentication information. In this way, privacy-encrypting at least one of the first authentication information and the second authentication information protects the sensitive information, which includes the first authentication information and the second authentication information, and can also protect the association between items of sensitive information (for example, between the first authentication information and the second authentication information), thereby ensuring the security and reliability of the service registration data.
For example, in a bank card payment service, the service registration data includes bank card information and a payment password. Accordingly, the privacy encryption module 21 privacy-encrypts at least one of the bank card information and the payment password. In some examples, the privacy encryption module 21 is used to perform privacy encryption on the bank card information in the service registration data. In some examples, the privacy encryption module 21 is used to privacy encrypt the payment password in the service enrollment data. In some examples, the privacy encryption module 21 is used to perform privacy encryption on both the bank card information and the payment password in the service registration data.
For example, in a cardless payment service, the service registration data includes password information and biometric information. Accordingly, the privacy encryption module 21 performs privacy encryption on at least one of the password information and the biological information. In some examples, the privacy encryption module 21 is configured to perform privacy encryption on cryptographic information in the service registration data. In some examples, the privacy encryption module 21 is used to privacy encrypt the biometric information in the service registration data. In some examples, the privacy encryption module 21 is configured to perform privacy encryption on both the password information and the biometric information in the service registration data.
Still taking face-brushing payment as an example for detailed description, the service registration data includes a payment password and face information. The privacy encryption module 21 performs privacy encryption on at least one of the payment password and the face information. In some examples, the privacy encryption module 21 is used to privacy encrypt the payment password in the service enrollment data. In some examples, the privacy encryption module 21 is configured to perform privacy encryption on face information in the service registration data. In some examples, the privacy encryption module 21 is configured to perform privacy encryption on both the payment password and the face information in the service registration data.
The privacy encryption module 21 in the registration system of the service registration data of the present application may be similar to the privacy encryption module 13 in the authentication platform of the service data. Therefore, the working principle and structure of the privacy encryption module 21 in the registration system for service registration data of the present application can be described with reference to fig. 2 and its corresponding content.
Still taking the cardless payment service as an example, the case where the privacy encryption module 21 performs privacy encryption on the password information in the service registration data is as follows.
In some examples, when a user applies for a business account at a financial institution, the financial institution may collect both password information and biometric information associated with the applied business account. In some examples, at least one of the password information and the biometric information may also be collected at some time after the business account is created.
As noted above, the financial institution collects password information (e.g., a payment password) by using a password information collection device that it provides or is associated with (e.g., a numeric-only keypad, a computer keyboard, a touch screen, etc.), and before uploading the password information, the financial institution performs privacy encryption on the collected password information by using the privacy encryption module 21.
After the privacy encryption module 21 performs privacy encryption on the password information, a plurality of password information ciphertext fragments can be formed.
The storage module 23 is used for storing the registration information containing the encrypted service registration data to complete the registration.
The storage module 23 comprises a plurality of storage nodes for storing the encrypted service registration data in a decentralized manner.
Taking four computing nodes as an example, performing privacy encryption on the collected password information by using the privacy encryption module 21 may include: performing privacy encryption on the password information X to form password information ciphertext fragments X1, X2, Xa and Xb.
In some embodiments, the plurality of password information ciphertext fragments formed by privacy encryption may be held by the respective computing nodes. For example, the password information ciphertext fragment X1 is held by computing node S1, the password information ciphertext fragment X2 is held by computing node S2, the password information ciphertext fragment Xa is held by computing node Sa, and the password information ciphertext fragment Xb is held by computing node Sb. Therefore, the computing nodes S1, S2, Sa and Sb may act as storage nodes.
In some embodiments, the plurality of password information ciphertext fragments formed by privacy encryption may also be stored in other memories. For example, the password information ciphertext fragment X1 is stored in the memory C1 (not shown), the password information ciphertext fragment X2 is stored in the memory C2 (not shown), the password information ciphertext fragment Xa is stored in the memory Ca (not shown), and the password information ciphertext fragment Xb is stored in the memory Cb (not shown). The memories C1, C2, Ca and Cb (not shown) may be used as storage nodes.
The storage nodes may be configured in a single computer device, a computer cluster, or a service system based on a cloud architecture.
In addition, the registration system for the service registration data may further include a re-encryption module (not shown in the drawings) for re-encrypting the encrypted service registration data in the registration information, so as to ensure transmission security when that data is subsequently sent through the transceiver module to the verification platform of the service data.
In some embodiments, the service registration data includes first authentication information, and re-encrypting the encrypted service registration data in the registration information using the re-encryption module includes re-encrypting a ciphertext fragment of the first authentication information formed by privacy encryption in the registration information.
In some embodiments, the service registration data includes first verification information and second verification information, and re-encrypting the encrypted service registration data in the registration information by using the re-encryption module includes re-encrypting the ciphertext fragment of the first verification information and/or the ciphertext fragment of the second verification information formed by privacy encryption in the registration information. That is, in some examples, the ciphertext fragment of the first verification information formed by privacy encryption in the registration information is re-encrypted using the re-encryption module. In some examples, the ciphertext fragment of the second verification information formed by privacy encryption in the registration information is re-encrypted using the re-encryption module. In some examples, the re-encryption module is used to re-encrypt both the ciphertext fragment of the first verification information and the ciphertext fragment of the second verification information formed by privacy encryption in the registration information.
Taking the cardless payment service as an example, the service registration data includes password information, and privacy encryption of the password information forms a plurality of password information ciphertext fragments. Therefore, re-encrypting the encrypted service registration data in the registration information by using the re-encryption module includes re-encrypting the password information ciphertext fragments in the registration information.
Commonly, biometric information applicable to biometric identification technologies may include, but is not limited to, face information, fingerprint information, palm print information, iris information, heart rate information and the like; the corresponding biometric identification technologies are, respectively, face recognition, fingerprint recognition, palm print recognition, iris recognition, heart rate recognition and the like.
Generally, the related biometric information, regardless of its type, can be divided into biological raw data in the natural sense and biological feature data obtained by performing feature extraction on the biological raw data.
In some examples, taking the biological information as human face information as an example, the human face information may include a human face image as biological raw data and human face features as biological feature data, where the human face features are obtained by performing feature extraction on the human face image.
In some examples, taking the biological information as fingerprint information as an example, the fingerprint information may include a fingerprint image as biological raw data and fingerprint features as biological feature data, where the fingerprint features are obtained by performing feature extraction on the fingerprint image.
In some examples, taking the biological information as palm print information as an example, the palm print information may include a palm print image as biological raw data and palm print features as biological feature data, where the palm print features are obtained by performing feature extraction on the palm print image.
In some examples, taking the biological information as iris information as an example, the iris information may include an iris image as biological raw data and iris features as biological feature data, where the iris features are obtained by performing feature extraction on the iris image.
Among these biometric technologies, face recognition has the following characteristics compared with other types of biometric technology. Non-mandatory: the face image can be acquired almost without the user being aware of it, and the user does not need to cooperate specially with the face acquisition equipment. Non-contact: the face image can be obtained without the user directly touching the equipment. Simple and convenient: the face acquisition equipment is simple and easy to popularize, and the face acquisition method is simple and easy to implement.
In practical application, the financial institution collects the biological information of the business account applicant by using a set or associated biological information collecting device.
Taking face-brushing payment using face recognition technology as an example, a camera is generally provided at, or associated with, the financial institution end as the face acquisition device. In some examples, the camera may be a 2D camera, which obtains an image containing the photographed subject, but it is not limited thereto; in some examples, the camera may be a 3D camera, which, compared with an ordinary 2D camera, can also acquire depth information, that is, the three-dimensional position and size of the photographed subject, so as to enhance the camera's face and object recognition function.
As described above, the biological information may include biological raw data in a natural sense and biological feature data obtained by feature extraction of the biological raw data. Thus, there may be different ways to process the biometric information.
In some embodiments, the registration system of the service registration data does not perform privacy encryption on the collected biological information, but directly sends biological raw data of the collected biological information to the verification platform of the service data through the transceiver module.
In this case, the registration system of the service registration data re-encrypts the biological raw data (such as a face image, a fingerprint image, a palm print image, an iris image and the like) of the collected biological information through the re-encryption module, so as to ensure transmission security when the data is sent through the transceiver module to the verification platform of the service data.
Subsequently, the verification platform of the service data receives the encrypted biological original data, decrypts the biological original data, extracts the characteristics of the biological original data to obtain biological characteristic data, and carries out privacy encryption on the extracted biological characteristic data.
This way of processing the biological information offers extremely high security. Because the registration system of the service registration data does not perform privacy encryption on the biological information, that system is simplified, and the operation and maintenance management of the system is transferred to and concentrated on the verification platform of the service data, which facilitates unified management; however, problems such as high technical implementation difficulty exist.
In some embodiments, the registration system of the service registration data performs privacy encryption on the collected biometric information.
The following describes, as an example, the privacy encryption module 21 performing privacy encryption on the biometric information in the service registration data. In fact, privacy encryption of the biometric information in the service registration data by the privacy encryption module 21 refers to privacy encryption of the biometric feature data in the biometric information.
The registration system of the business registration data may further include a biometric extraction module (not shown in the drawings) for performing feature extraction on the biological raw data of the biological information collecting device to obtain the biological features.
In some examples, taking face recognition as an example, the biometric extraction module may perform feature extraction on a face image as biometric raw data to obtain face features.
In some examples, taking fingerprint identification as an example, the biometric extraction module may perform feature extraction on a fingerprint image as biometric raw data to obtain fingerprint features.
In some examples, taking palm print recognition as an example, the biometric feature extraction module may perform feature extraction on a palm print image as biometric raw data to obtain palm print features.
In some examples, taking iris recognition as an example, the biometric extraction module may perform feature extraction on an iris image as biometric raw data to obtain iris features.
Taking face recognition as an example, in some embodiments, the process by which the registration system of the service registration data performs feature extraction on a face image in a service request to obtain face features may specifically include: extracting the face feature vector of the face image in the service request by using a pre-constructed and trained deep learning model. The deep learning model may be a deep learning model based on a multilayer neural network. A deep learning model based on a multilayer neural network generally includes a plurality of base layers, and each base layer can serve as an independent feature extraction layer to extract local features of the face image. In implementation, the multilayer neural network may use convolution, i.e., it may be a convolutional neural network.
Taking the training of a convolutional neural network model as an example: a certain number of face image samples are prepared and classified by a user; the face image samples are input into the convolutional neural network model as training samples, and the weight parameters of the connections between nodes on each base layer of the model are continuously adjusted according to the classification results output by the model. During this continuous adjustment, as the convolutional neural network model is trained on the input training samples, the accuracy of its output classification results relative to the classification results labelled by the user gradually improves. The user can also preset an accuracy threshold; if, during the continuous adjustment, the accuracy of the classification results output by the deep learning model relative to the classification results labelled by the user reaches the preset accuracy threshold, the weight parameters of the connections between the base-layer nodes in the convolutional neural network model are taken to be the optimal weight parameters, and the convolutional neural network model can be considered trained.
After the training is finished, the convolutional neural network model can be directly used for extracting the face feature vector of the face image to be recognized in the service request.
Taking four computing nodes as an example, performing privacy encryption on the biological information in the service registration data by using the privacy encryption module 21 may include: performing privacy encryption on the biological information Y to form biological information ciphertext fragments Y1, Y2, Ya and Yb. The biological information here actually refers to the biometric feature data obtained by extracting features from the biological raw data.
Taking as an example the privacy encryption module 21 performing privacy encryption on the face information in the service registration data, the face features of the face appearing in the face image are obtained through face feature extraction. Privacy encryption of the face information in the service registration data by the privacy encryption module 21 therefore means privacy encryption of the extracted face features. Specifically, privacy encryption of the extracted face features by the privacy encryption module 21 may include: performing privacy encryption on the face feature Y to form ciphertext fragments Y1, Y2, Ya and Yb of the face feature.
In some embodiments, taking the extraction of face features from the face image by a convolutional neural network model as an example, the face feature vector can be extracted from the face image in the service request by using the convolutional neural network model. Accordingly, performing privacy encryption on the face feature vector extracted by the convolutional neural network model by using the privacy encryption module 21 may include: performing privacy encryption on the face feature vector Y to form ciphertext fragments Y1, Y2, Ya and Yb of the face feature vector.
In this way, the biometric information Y is privacy-encrypted by the privacy encryption module 21 to form a plurality of biometric information ciphertext fragments. The biometric information ciphertext fragments are sent to the verification platform of the service data through the transceiver module and then stored in the respective storage nodes. Taking the storage nodes as an example, the biometric information ciphertext fragments Y1 and Y2 may be stored in the computing nodes S1 and S2 of the service data verification platform after being uploaded, and the biometric information ciphertext fragments Ya and Yb may be stored in the computing nodes Sa and Sb of the service data verification platform after being uploaded, so that the security of the biometric information can be ensured.
This way of processing the biometric information offers higher security and can meet privacy protection requirements; it can eliminate the financial institution's concerns about data security and privacy protection, and its efficiency and accuracy can both meet application requirements.
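The split of password information X and face feature vector Y into one fragment per node, as an added Python example that is not code from the patent. It assumes plain four-way additive sharing over Z_(2^64) (the scheme the text refers to is the one described with fig. 2 and may differ), a fixed 16-byte password padding and a fixed-point scale of 2^16; all function names and sample values are constructed.

```python
"""Added illustration: four-fragment additive sharing of registration data."""
import secrets

MODULUS = 2 ** 64                 # assumption: fragments are elements of Z_(2^64)
NODES = ("S1", "S2", "Sa", "Sb")  # storage node names taken from the text
PASSWORD_LEN = 16                 # assumption: pad every password to 16 bytes
SCALE = 2 ** 16                   # assumption: fixed-point scale for features


def split_value(value, n=len(NODES)):
    """Return n additive fragments; any n-1 of them are uniformly random."""
    fragments = [secrets.randbelow(MODULUS) for _ in range(n - 1)]
    fragments.append((value - sum(fragments)) % MODULUS)
    return fragments


def split_vector(values):
    """Split each element independently and group the fragments per node."""
    per_node = {node: [] for node in NODES}
    for value in values:
        for node, fragment in zip(NODES, split_value(value % MODULUS)):
            per_node[node].append(fragment)
    return per_node


def combine_vector(per_node):
    """Sum the fragment vectors element-wise; needs every node's fragments."""
    return [sum(column) % MODULUS for column in zip(*per_node.values())]


def encode_password(password):
    """Fixed-length byte encoding, so fragment length hides password length."""
    raw = password.encode("utf-8")
    if len(raw) > PASSWORD_LEN or b"\x00" in raw:
        raise ValueError("password too long or contains a NUL byte")
    return list(raw.ljust(PASSWORD_LEN, b"\x00"))


def decode_password(values):
    return bytes(values).rstrip(b"\x00").decode("utf-8")


def encode_features(features):
    """Map signed floats to ring elements with fixed-point scaling."""
    return [round(x * SCALE) % MODULUS for x in features]


def decode_features(values):
    signed = [v - MODULUS if v >= MODULUS // 2 else v for v in values]
    return [v / SCALE for v in signed]


def register(account, password, face_features):
    """Build the record each storage node would hold for one registration."""
    x = split_vector(encode_password(password))
    y = split_vector(encode_features(face_features))
    return {n: {"account": account, "X": x[n], "Y": y[n]} for n in NODES}


def recover(records):
    """Recombine all fragments; used here only to check the split."""
    x = combine_vector({n: r["X"] for n, r in records.items()})
    y = combine_vector({n: r["Y"] for n, r in records.items()})
    return decode_password(x), decode_features(y)


if __name__ == "__main__":
    # Constructed sample registration: account id, payment password, features.
    records = register("acct-demo", "483920", [0.125, -0.5, 0.03125, 0.75])
    for node, record in records.items():
        print(node, record["X"][:2], record["Y"][:2])
    print(recover(records))
```

Each node's record on its own is a vector of uniformly random ring elements, so what an operator of S1 alone can read is the account identifier and nothing about X or Y.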
Similarly, the registration system for the service registration data of the present application may further include a re-encryption module (not shown in the drawings) for re-encrypting the encrypted service registration data in the registration information.
Taking a cardless payment service as an example, the service registration data includes biological information, and the biological information is encrypted through privacy to form a plurality of biological information ciphertext fragments. Therefore, the re-encrypting the encrypted service registration data in the registration information by using the re-encrypting module comprises re-encrypting the biological information ciphertext fragment in the registration information.
Please refer to fig. 4, which is a schematic structural diagram of a registration system for service registration data according to another embodiment of the present application.
As shown in fig. 4, the registration system for service registration data of the present application may include a privacy encryption module 22 and a storage module 24. Compared with the registration system of the service registration data shown in fig. 3, the privacy encryption module 22 and the storage module 24 in the registration system of the service registration data shown in fig. 4 are both configured at the service execution mechanism side.
The privacy encryption module 22 is configured to perform privacy encryption on the service registration data associated with the service account in the registration information to form encrypted service registration data.
As for the implementation manner of the privacy encryption module 22 performing privacy encryption on the service registration data associated with the service account in the registration information to form encrypted service registration data, reference may be made to the content description of the privacy encryption module 21 in fig. 3, which is not described herein again.
The storage module 24 comprises a plurality of storage nodes for storing the encrypted service registration data in a decentralized manner.
For the implementation manner of the storage module 24 performing privacy encryption on the service registration data associated with the service account in the registration information to form encrypted service registration data, reference may be made to the content description of the storage module 23 in fig. 3, which is not described herein again.
In the registration system of service registration data shown in fig. 4, the encrypted service registration data in the storage module 23 can be sent to the verification platform for storage through the transceiver module.
Please refer to fig. 5, which is a flowchart illustrating a registration method of service registration data according to the present application. The registration method of the service registration data is executed based on a registration system of the service registration data.
Step S101, carrying out privacy encryption on service data associated with the service account in the registration information to form encrypted service registration data.
In some embodiments, the service registration data includes first authentication information. Thus, in step S101, privacy encrypting the service registration data associated with the service account includes privacy encrypting the first authentication information in the service registration data to form a plurality of ciphertext fragments of the first authentication information.
For example, in business scenarios such as entrance guard, attendance checking, public transportation, ticketing, etc., the first authentication information may be, for example, password information, a mobile phone number of a user, two-dimensional code information, an electronic card, etc. In some examples, the password information may be, for example, a numeric password of 6, 8 or more digits, but is not limited thereto; if the terminal device can provide corresponding technical support, the password information may also be more complex, for example, 8 to 16 characters that include at least three of the following types: digits, uppercase letters, lowercase letters and special characters, which offers higher security. In some examples, the password information may be associated with identity information of the user or with a mobile phone number of the user; for example, the password information may be part or all of the identification number or the mobile phone number, or some combination of the identification number, the mobile phone number and other information.
Of course, the first verification information is not limited thereto; for example, the first verification information may also be biometric information. Biometric information is inherent to the human body and has the distinctive property that it cannot be copied, stolen or forgotten. Identity authentication using biometric identification technology has the advantages of safety, reliability, accuracy, convenience and the like. Biometric information, including face information, fingerprint information, palm print information, iris information, heart rate information and the like, belongs to human biological characteristics, and with the rapid development of technologies such as photoelectric technology, microcomputer technology, image processing technology and pattern recognition, biometric information has also come to be applied in implementing services.
For example, in an entrance guard business scenario, privacy encrypting business registration data associated with a business account includes privacy encrypting first authentication information (e.g., password information, electronic card information, fingerprint information, etc.) in the business registration data.
For example, in an attendance business scenario, privacy encrypting the service registration data associated with the service account includes privacy encrypting first authentication information (e.g., password information, electronic card information, fingerprint information, etc.) in the service registration data.
For example, in a ticketing services scenario, privacy encrypting service registration data associated with a service account includes privacy encrypting first authentication information (e.g., password information, barcode information, two-dimensional code information, fingerprint information, etc.) in the service registration data.
In some embodiments, the service registration data comprises first authentication information and second authentication information. Thus, in step S101, privacy encrypting the service registration data associated with the service account includes privacy encrypting at least one of the first authentication information and the second authentication information in the service registration data.
In some examples, privacy encrypting the service registration data associated with the service account includes privacy encrypting the first authentication information in the service registration data to form a plurality of ciphertext fragments of the first authentication information. In some examples, privacy encrypting the service registration data associated with the service account includes privacy encrypting the second authentication information in the service registration data to form a plurality of ciphertext fragments of the second authentication information. In some examples, privacy encrypting the service registration data associated with the service account includes privacy encrypting both the first authentication information and the second authentication information in the service registration data to form a plurality of ciphertext fragments of the first authentication information and a plurality of ciphertext fragments of the second authentication information. In this way, by performing privacy encryption on at least one of the first authentication information and the second authentication information, the sensitive information comprising the first authentication information and the second authentication information is protected, and the association relationship between items of sensitive information (for example, between the first authentication information and the second authentication information) can also be protected, thereby ensuring the security and reliability of the service registration data.
For example, in a bank card payment service, the service registration data includes bank card information and a payment password. Thus, privacy encrypting the service registration data associated with the service account includes privacy encrypting at least one of the bank card information and the payment password. In some examples, privacy encrypting the service registration data associated with the service account includes privacy encrypting the bank card information in the service registration data. In some examples, privacy encrypting the service registration data associated with the service account includes privacy encrypting the payment password in the service registration data. In some examples, privacy encrypting the service registration data associated with the service account includes privacy encrypting both the bank card information and the payment password in the service registration data.
For example, in a cardless payment service, the service registration data includes password information and biometric information. Thus, privacy encrypting the service registration data associated with the service account includes privacy encrypting at least one of the password information and the biometric information. In some examples, privacy encrypting the service registration data associated with the service account includes privacy encrypting the password information in the service registration data to form a plurality of password information ciphertext fragments. In some examples, privacy encrypting the service registration data associated with the service account includes privacy encrypting the biometric information in the service registration data to form a plurality of biometric information ciphertext fragments. In some examples, privacy encrypting the service registration data associated with the service account includes privacy encrypting both the password information and the biometric information in the service registration data to form a plurality of password information ciphertext fragments and a plurality of biometric information ciphertext fragments.
Still taking face-brushing payment as an example for detailed description, the service registration data includes a payment password and face information. Thus, privacy encrypting the service registration data associated with the service account includes privacy encrypting at least one of the payment password and the face information. In some examples, privacy encrypting the service registration data associated with the service account includes privacy encrypting the payment password in the service registration data to form a plurality of payment password ciphertext fragments. In some examples, privacy encrypting the service registration data associated with the service account includes privacy encrypting the face information in the service registration data to form a plurality of face information ciphertext fragments. In some examples, privacy encrypting the service registration data associated with the service account includes privacy encrypting both the payment password and the face information in the service registration data to form a plurality of payment password ciphertext fragments and a plurality of face information ciphertext fragments.
Still taking the cardless payment service as an example, privacy encrypting the service registration data associated with the service account includes privacy encrypting at least one of the password information and the biometric information.
The business account is an account opened by a financial institution for an account applicant, through which various financial transactions can be carried out. The financial institution may be, for example, a bank, a securities company, an insurance company, a fund management company, etc. A business account opened by a bank for the account applicant may be, for example, at least one bank card number.
The password information may be associated with a business account. In some examples, the password information may be a payment password, for example a 6-digit or 8-digit password, but is not limited thereto; the payment password may be more complex and therefore more secure, for example 8 to 16 characters including at least three of the following types: digits, uppercase letters, lowercase letters, and special characters. In some examples, the password information may also take other forms, such as a gesture password.
Biological information is inherent to the human body and has the unique property that it cannot be copied, stolen, or forgotten. Using biometric identification technology for identity authentication has the advantages of safety, reliability, accuracy, convenience, and the like. Biological information, including face information, fingerprint information, palm print information, iris information, heart rate information, and the like, belongs to human biological characteristics.
In some examples, when a user applies for a business account at a financial institution, the financial institution may collect both the password information and the biometric information associated with that business account. In some examples, at least one of the password information and the biometric information may also be collected at some time after the business account is created.
The financial institution collects the password information (such as a payment password) by using a provided or associated password information collection device (such as a numeric keypad, a computer keyboard, a touch screen, and the like).
The way of privacy encrypting the collected password information may include: privacy encrypting the password information X to form a plurality of password information ciphertext fragments.
The working principle of privacy encryption of the password information is described with reference to Fig. 2 and its corresponding content.
Taking four computing nodes as an example, the way of privacy encrypting the collected password information may include: privacy encrypting the password information X to form password information ciphertext fragments X1, X2, Xa and Xb.
Therefore, a plurality of password information ciphertext fragments are formed after the password information is privacy encrypted. The password information ciphertext fragments are sent to the verification platform of the service data and then stored in the respective storage nodes. Taking the storage nodes as an example, the password information ciphertext fragments X1 and X2 may be stored in the computing nodes S1 and S2 of the service data verification platform after being uploaded, and the password information ciphertext fragments Xa and Xb may be stored in the computing nodes Sa and Sb of the service data verification platform after being uploaded, so that the security of the password information can be ensured.
The financial institution terminal collects the biological information of the business account applicant by using a set or associated biological information collecting device.
Commonly, biometric information applicable to biometric identification may include, but is not limited to, face information, fingerprint information, palm print information, iris information, heart rate information, and the like; the corresponding biometric identification technologies are face recognition, fingerprint recognition, palm print recognition, iris recognition, heart rate recognition, and the like, respectively.
Generally, the related biological information, regardless of the type, can be classified into biological raw data having a natural meaning and biological characteristic data obtained by extracting characteristics of the biological raw data.
In some examples, taking the biological information as human face information as an example, the human face information may include a human face image as biological raw data and human face features as biological feature data, where the human face features are obtained by performing feature extraction on the human face image.
In some examples, taking the biological information as fingerprint information as an example, the fingerprint information may include a fingerprint image as biological raw data and fingerprint features as biological feature data, where the fingerprint features are obtained by performing feature extraction on the fingerprint image.
In some examples, taking the biological information as palm print information as an example, the palm print information may include a palm print image as biological raw data and palm print features as biological feature data, where the palm print features are obtained by performing feature extraction on the palm print image.
In some examples, taking the biological information as iris information as an example, the iris information may include an iris image as biological raw data and iris features as biological feature data, where the iris features are obtained by performing feature extraction on the iris image.
Among these biometric technologies, face recognition has the following characteristics compared with the other types. Non-mandatory: a face image can be acquired almost without the user being aware of it, and without the user specially cooperating with the face acquisition device. Non-contact: the face image can be obtained without the user directly touching the device. Simple and convenient: the face acquisition device is simple and easy to popularize, and the face acquisition method is simple and easy to implement.
Taking face-brushing payment, which applies face recognition technology, as an example, a camera is generally provided at or associated with the financial institution end as the face acquisition device. In some examples, the camera may be a 3D camera, which, compared with a general 2D camera, can additionally acquire depth information of the photographed object, that is, three-dimensional position and size information, thereby enhancing the camera's face and object recognition capability.
As described above, the biological information may include biological raw data in a natural sense and biological feature data obtained by feature extraction of the biological raw data. Thus, there may be different ways to process the biometric information.
In some embodiments, the collected biological information is not privacy encrypted, but biological raw data of the collected biological information is directly sent to a verification platform of business data.
In this case, the biological raw data (e.g., a face image, a fingerprint image, a palm print image, an iris image, etc.) of the collected biological information is re-encrypted to ensure the security of transmission to the authentication platform of the business data.
Subsequently, the verification platform of the service data receives the encrypted biological original data, decrypts the biological original data, extracts the characteristics of the biological original data to obtain biological characteristic data, and carries out privacy encryption on the obtained biological characteristic data.
This way of processing the biological information has extremely high security, but it is technically difficult to implement.
In some embodiments, the collected biometric information is privacy encrypted.
The example of privacy encryption of biometric information in service registration data will now be described. Actually, the privacy encryption of the biological information in the service registration data refers to privacy encryption of the biological feature data in the biological information.
Before the biological information is privacy encrypted, the method may further include a step of performing feature extraction on the biological raw data from the biological information collection device to obtain the biological features.
In some examples, for example, in face recognition, a face image as biological raw data may be subjected to feature extraction to obtain face features.
In some examples, for example, fingerprint recognition, a fingerprint image as the biological raw data may be subjected to feature extraction to obtain fingerprint features.
In some examples, for example, palm print recognition, a palm print image as the biological raw data may be subjected to feature extraction to obtain palm print features.
In some examples, for example, iris recognition, an iris image as the biological raw data may be subjected to feature extraction to obtain iris features.
The way of privacy encrypting the biometric information in the service registration data may include: privacy encrypting the biological information Y to form a plurality of biological information ciphertext fragments.
Taking four computing nodes as an example, the way of privacy encrypting the collected biological information may include: privacy encrypting the biological information Y to form biological information ciphertext fragments Y1, Y2, Ya and Yb. Here, the biological information actually refers to the biological feature data obtained by extracting features from the biological raw data.
Taking privacy encryption of the collected face information as an example, the face features of the face appearing in the face image are obtained through face feature extraction. Privacy encrypting the collected face information means privacy encrypting the extracted face features. Specifically, the privacy encryption of the extracted face features may include: privacy encrypting the face feature Y to form ciphertext fragments Y1, Y2, Ya and Yb of the face feature.
In some embodiments, taking the extraction of face features from the face image by a convolutional neural network model as an example, the face feature vector can be extracted from the face image in the service request by using the convolutional neural network model. As such, privacy encrypting the face feature vector extracted by the convolutional neural network model may include: privacy encrypting the face feature vector Y to form ciphertext fragments Y1, Y2, Ya and Yb of the face feature vector.
Thus, a plurality of biological information ciphertext fragments are formed by privacy encrypting the biological information. The biological information ciphertext fragments are sent to the verification platform of the service data and then stored in the respective storage nodes. Taking the storage nodes as an example, the biological information ciphertext fragments Y1 and Y2 may be stored in the computing nodes S1 and S2 of the service data verification platform after being uploaded, and the biological information ciphertext fragments Ya and Yb may be stored in the computing nodes Sa and Sb of the service data verification platform after being uploaded, so that the security of the biological information can be ensured.
This way of processing the biological information offers higher security, meets privacy protection requirements, and can eliminate the financial institution's concerns about data security and privacy protection; moreover, its efficiency and accuracy can both satisfy application requirements.
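The fragment layout described above for the password information X and the biological information Y (fragments X1, X2, Xa, Xb and Y1, Y2, Ya, Yb held by nodes S1, S2, Sa, Sb) is illustrated below. This is an added example, not code from the patent: it assumes additive sharing modulo 2^64 with X1 + X2 = Xa + Xb = X and a fixed-point feature encoding, since the page defers the actual scheme to Fig. 2, and the names `Platform`, `privacy_encrypt` and `open_pair` are hypothetical.

```python
import secrets

MODULUS = 2 ** 64      # assumed share ring; the page does not name one
SCALE = 1 << 16        # assumed fixed-point scale for feature values
NODES = ("S1", "S2", "Sa", "Sb")


def encode_password(password):
    """Encode each password character as one ring element."""
    return [ord(ch) for ch in password]


def encode_features(features):
    """Fixed-point encode a feature vector; negative values wrap modulo MODULUS."""
    return [round(v * SCALE) % MODULUS for v in features]


def decode_features(encoded):
    """Inverse of encode_features: map the upper half of the ring to negatives."""
    out = []
    for e in encoded:
        signed = e - MODULUS if e >= MODULUS // 2 else e
        out.append(signed / SCALE)
    return out


def split(value):
    """Split one element into four fragments with X1+X2 = Xa+Xb = X (mod MODULUS)."""
    x1 = secrets.randbelow(MODULUS)
    xa = secrets.randbelow(MODULUS)
    return {"S1": x1, "S2": (value - x1) % MODULUS,
            "Sa": xa, "Sb": (value - xa) % MODULUS}


def privacy_encrypt(values):
    """Return one fragment vector per node for a list of ring elements."""
    fragments = {node: [] for node in NODES}
    for value in values:
        for node, share in split(value).items():
            fragments[node].append(share)
    return fragments


class Platform:
    """Four storage nodes, each holding only its own fragments of every record."""

    def __init__(self):
        self.storage = {node: {} for node in NODES}   # node -> {seq: record}
        self.next_seq = 1

    def register(self, password_frags, feature_frags):
        """Store fragment X_n and Y_n on node n under a new record number Seq."""
        seq = self.next_seq
        self.next_seq += 1
        for node in NODES:
            self.storage[node][seq] = {"X": password_frags[node],
                                       "Y": feature_frags[node]}
        return seq

    def open_pair(self, seq, field, pair=("S1", "S2")):
        """Demo-only check: combine the two fragments of one pair.

        The page states that registration data never appears in plaintext
        during verification, so a deployment would not open values like this.
        """
        a = self.storage[pair[0]][seq][field]
        b = self.storage[pair[1]][seq][field]
        return [(x + y) % MODULUS for x, y in zip(a, b)]

    def consistent(self, seq, field):
        """True when the (S1, S2) and (Sa, Sb) pairs encode the same value."""
        return (self.open_pair(seq, field, ("S1", "S2"))
                == self.open_pair(seq, field, ("Sa", "Sb")))


if __name__ == "__main__":
    platform = Platform()
    # Constructed sample inputs: a payment password and a short feature vector.
    seq = platform.register(privacy_encrypt(encode_password("493027")),
                            privacy_encrypt(encode_features([0.125, -0.5, 0.75])))
    print("fragment held by S1:", platform.storage["S1"][seq]["X"])
    print("pairs consistent:", platform.consistent(seq, "Y"))
```

Under this assumed scheme each node's fragment is a uniformly random ring element on its own, and a mismatch between the two pairs shows that a stored fragment was altered.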
Step S103, storing the registration information containing the encrypted service registration data, and completing the registration.
In some embodiments, the service registration data includes first authentication information. Therefore, in step S103, storing the registration information including the encrypted service registration data includes storing the service account and the formed plurality of ciphertext fragments of the first authentication information.
In some embodiments, the service registration data comprises first authentication information and second authentication information. Thus, in step S103, storing the registration information including the encrypted service registration data includes storing the service account and first and second authentication information, wherein at least one of the first and second authentication information is privacy encrypted.
In some examples, the first authentication information in the service enrollment data is privacy encrypted to form a plurality of ciphertext fragments of the first authentication information. Accordingly, storing the registration information including the encrypted service registration data includes storing the service account, a plurality of ciphertext fragments of the first authentication information, and the second authentication information.
In some examples, the second authentication information in the service enrollment data is privacy encrypted to form a plurality of ciphertext fragments of the second authentication information. Accordingly, storing the registration information including the encrypted service registration data includes storing the service account, the first authentication information, and the plurality of ciphertext fragments of the second authentication information.
In some examples, the first authentication information and the second authentication information in the service enrollment data are privacy encrypted to form a plurality of ciphertext fragments of the first authentication information and a plurality of ciphertext fragments of the second authentication information, respectively. Accordingly, storing the registration information including the encrypted service registration data includes storing the service account, a plurality of ciphertext fragments of the first authentication information, and a plurality of ciphertext fragments of the second authentication information.
For example, in a bank card payment service, the service registration data includes bank card information and a payment password. Thus, privacy encrypting the service registration data associated with the service account includes privacy encrypting at least one of the bank card information and the payment password. In some examples, the bank card information in the service registration data is privacy encrypted. Thus, storing the registration information including the encrypted service registration data includes storing the service account, the privacy-encrypted bank card information, and the payment password. In some examples, the payment password in the service registration data is privacy encrypted. Accordingly, storing the registration information including the encrypted service registration data includes storing the service account, the bank card information, and the privacy-encrypted payment password. In some examples, both the bank card information and the payment password in the service registration data are privacy encrypted. Thus, storing the registration information including the encrypted service registration data includes storing the service account, the privacy-encrypted bank card information, and the privacy-encrypted payment password.
For example, in a cardless payment service, the service registration data includes password information and biometric information. Thus, privacy encrypting the service registration data associated with the service account includes privacy encrypting at least one of the password information and the biometric information. In some examples, the password information in the service registration data is privacy encrypted to form a plurality of password information ciphertext fragments. Accordingly, storing the registration information including the encrypted service registration data includes storing the service account, the plurality of password information ciphertext fragments, and the biometric information. In some examples, the biometric information in the service registration data is privacy encrypted to form a plurality of biometric information ciphertext fragments. Accordingly, storing the registration information including the encrypted service registration data includes storing the service account, the password information, and the plurality of biometric information ciphertext fragments. In some examples, both the password information and the biometric information in the service registration data are privacy encrypted to form a plurality of password information ciphertext fragments and a plurality of biometric information ciphertext fragments. Accordingly, storing the registration information including the encrypted service registration data includes storing the service account, the plurality of password information ciphertext fragments, and the plurality of biometric information ciphertext fragments.
Still taking face-brushing payment as an example for detailed description, the service registration data includes a payment password and face information. Thus, privacy encrypting the service registration data associated with the service account includes privacy encrypting at least one of a payment password and face information. In some examples, the payment password in the service enrollment data is privacy encrypted to form a plurality of payment password ciphertext fragments. Accordingly, storing the registration information including the encrypted service registration data includes storing the service account, the plurality of payment password ciphertext fragments, and the face information. In some examples, the face information in the service registration data is privacy encrypted to form a plurality of face information ciphertext fragments. Accordingly, storing the registration information including the encrypted service registration data includes storing the service account, the payment password, and the plurality of face information ciphertext fragments. In some examples, the payment password and the face information in the service registration data are privacy encrypted to form a plurality of payment password ciphertext fragments and a plurality of face information ciphertext fragments. Thus, storing the registration information including the encrypted service registration data includes storing the service account, the plurality of payment password ciphertext fragments, and the plurality of face information ciphertext fragments.
In practical applications, to ensure the security of the data during transmission, the service account and the encrypted service registration data may be re-encrypted in advance before step S103 is executed.
In some embodiments, the service registration data includes first authentication information. Therefore, pre-encrypting the service account and the encrypted service registration data includes re-encrypting the service account and the plurality of ciphertext fragments of the first authentication information.
In some embodiments, the service registration data comprises first authentication information and second authentication information. Therefore, pre-encrypting the service account and the encrypted service registration data includes re-encrypting the service account and the plurality of ciphertext fragments of the first authentication information and/or the plurality of ciphertext fragments of the second authentication information. In some examples, the first authentication information in the service registration data is privacy encrypted to form a plurality of ciphertext fragments of the first authentication information, and thus, pre-encrypting the service account and the encrypted service registration data includes re-encrypting the service account, the plurality of ciphertext fragments of the first authentication information, and the second authentication information. In some examples, the second authentication information in the service registration data is privacy encrypted to form a plurality of ciphertext fragments of the second authentication information, and thus, pre-encrypting the service account and the encrypted service registration data includes re-encrypting the service account, the first authentication information, and the plurality of ciphertext fragments of the second authentication information. In some examples, the first authentication information and the second authentication information in the service registration data are privacy encrypted to form a plurality of ciphertext fragments of the first authentication information and a plurality of ciphertext fragments of the second authentication information, respectively, and thus, pre-encrypting the service account and the encrypted service registration data includes re-encrypting the service account, the plurality of ciphertext fragments of the first authentication information, and the plurality of ciphertext fragments of the second authentication information.
The registration method and registration system for service registration data privacy encrypt the service registration data during service implementation, and during verification the service registration data is verified in privacy-encrypted form and never appears in plaintext. This ensures the security and reliability of the service registration data and addresses the prior-art problem of risk prevention and control for service data security.
Returning to the authentication platform of the service data, the transceiver module 11 is also used to receive registration information. The registration information includes a service account and associated service registration data thereof, wherein the service registration data is privacy encrypted to form encrypted service registration data.
In some embodiments, the service registration data includes first authentication information. Thus, receiving the registration information includes receiving a business account and a plurality of ciphertext fragments of the first authentication information.
In some embodiments, the service registration data comprises first authentication information and second authentication information. Thus, in some examples, receiving the registration information includes receiving the business account, a plurality of ciphertext fragments of the first authentication information, and the second authentication information. In some examples, receiving the registration information includes receiving the business account, the first authentication information, and a plurality of ciphertext fragments of the second authentication information. In some examples, receiving the registration information includes receiving the business account, a plurality of ciphertext fragments of the first authentication information, and a plurality of ciphertext fragments of the second authentication information.
For example, in a cardless payment service, the service registration data includes password information and biometric information. Thus, in some examples, receiving the registration information includes receiving the business account, the biometric information, and a plurality of password information ciphertext fragments. In some examples, receiving the registration information includes receiving the business account, the password information, and a plurality of biometric information ciphertext fragments. In some examples, receiving the registration information includes receiving the business account, a plurality of password information ciphertext fragments, and a plurality of biometric information ciphertext fragments.
In practical applications, after the transceiver module 11 receives the registration information, the encrypted service registration data is also stored in a distributed manner in a plurality of storage nodes in the storage module 15.
In some embodiments, the service registration data includes first authentication information. Therefore, the plurality of ciphertext fragments of the first authentication information are dispersedly stored in the plurality of storage nodes.
In some embodiments, the service registration data comprises first authentication information and second authentication information. Thus, in some examples, the plurality of ciphertext fragments of the first authentication information are stored in a plurality of storage nodes in a decentralized manner. In some examples, the plurality of ciphertext fragments of the second authentication information are stored in a plurality of storage nodes in a decentralized manner. In some examples, the plurality of ciphertext fragments of the first authentication information and the plurality of ciphertext fragments of the second authentication information are stored in the plurality of storage nodes in a decentralized manner.
It is to be noted that, for the biological information, the biological information may include biological raw data of a natural meaning and biological feature data after feature extraction is performed on the biological raw data. Thus, there may be different ways to process the biometric information.
In some embodiments, the registration system of the service registration data performs privacy encryption on the collected biological information and sends a plurality of biological information ciphertext fragments to the verification platform of the service data. Therefore, the service data verification platform can utilize the transceiver module 11 to receive the plurality of biometric information ciphertext fragments in the service registration data, and dispersedly store the plurality of biometric information ciphertext fragments in a plurality of storage nodes.
The service account and the encrypted service registration data are re-encrypted by the registration system of the service registration data, and then the re-encrypted service account and the encrypted service registration data are received by the verification platform of the service data and are dispersedly stored in a plurality of storage nodes.
In some embodiments, the registration system of the service registration data does not perform privacy encryption on the collected biological information, but directly transmits biological raw data of the collected biological information to the verification platform of the service data. In this way, the received biometric information can be privacy encrypted by the verification platform of the business data.
The process by which the verification platform of the business data privacy encrypts the received biological information may include:
Receiving the biological information of the service registration data by using the transceiver module 11.
Decrypting the received biological information ciphertext by using an encryption machine to obtain the biological raw data of the biological information.
Performing feature extraction on the biological raw data by using a feature extraction module to obtain biological feature data.
Privacy encrypting the biological feature data by using the privacy encryption module 13.
Re-encrypting the plurality of biological information ciphertext fragments by using the encryption machine.
Storing the plurality of encrypted biological information ciphertext fragments dispersedly in a plurality of storage nodes.
By storing the encrypted registration information or the re-encrypted registration information in a plurality of storage nodes in a scattered manner, the secure storage of the sensitive data is ensured, so that the sensitive data does not appear in the clear.
Meanwhile, in this embodiment, the verification platform of the service data may dispersedly store the encrypted registration information or the re-encrypted registration information in a plurality of storage nodes, and each storage node stores the registration information in a corresponding database.
The following describes the service registration data in the embodiment in detail by taking the example that the service registration data includes the first authentication information and the second authentication information.
It is assumed that the first authentication information and the second authentication information in the service registration data are both privacy-encrypted and conventionally re-encrypted.
In some embodiments, in the verification platform of the service data, each storage node is provided with or associated with a corresponding database. The database is used for storing the registration information on the corresponding storage node; it holds a plurality of records with a common data structure, and each record comprises a record serial number Seq, a ciphertext fragment of the re-encrypted first verification information, a ciphertext fragment of the re-encrypted second verification information, and the re-encrypted service account, as shown in Table 1 below.
Table 1 (image in the original publication; not reproduced)
By using the stored registration information, when the verification platform of the service data receives a new service request, the verification module 17 may retrieve a service account corresponding to the service data from the stored registration information based on the first verification information and the second verification information in the new service request.
In order to realize quick retrieval of information, in the present embodiment, a data encryption retrieval technique is applied.
The data encryption retrieval technology is used for quickly finding records that meet given conditions in the encrypted databases, and comprises three parts: index creation, maintenance, and retrieval.
In the index creation and maintenance stage, privacy-encrypted data is used as input, a unique security index is established for the keyword of each record through privacy calculation and privacy comparison, and records with the same keyword are classified into one group. In the retrieval process, the keywords to be retrieved are input in privacy-encrypted form, and the group is determined through privacy calculation and privacy comparison, so that the encrypted objects with the same keyword can be output quickly.
In this embodiment, a data structure similar to a hash table on plaintext data is implemented through privacy calculation, and secure and efficient retrieval of data is implemented, where a ciphertext fragment of first verification information in a service request is used as a query key of the hash table.
In this embodiment, the verification platform for business data may further include a hash table creation module (not shown in the drawings) configured to perform a hash operation on the business account and the associated business registration data in each stored registration message by using the first verification information as a key to create a hash table.
In this embodiment, in order to improve the retrieval efficiency, each computing node first invokes the encryption machine to decrypt the stored re-encrypted service registration data, obtaining the encrypted service registration data (which may be, for example, ciphertext fragments of the first verification information and/or ciphertext fragments of the second verification information); the hash table creation module may then be used to create the hash table.
With the created hash table, the retrieval by the verification module 17 of the service account corresponding to the first verification information and the second verification information in the new service request from the stored registration information may include:
First, searching the stored registration information based on the first verification information in the service data, and locating the group in which the first verification information is located, wherein all entries in the group have the same first verification information characteristic.
In this embodiment, the step of searching the stored registration information based on the first verification information in the service data and locating the group in which the first verification information is located includes: based on the first verification information in the service data, locating in the hash table, through privacy calculation, the group corresponding to the first verification information in the service data.
In this embodiment, based on the ciphertext fragment of the first verification information in the service data, the record corresponding to the hash address value is found in the hash table by using the data security retrieval technology. In this way, the group in which the first verification information is located can be quickly located, where all entries in the group have the same first verification information characteristic, i.e., the same first verification information or the same equivalent characteristic of the first verification information. Through retrieval by the first verification information, the matching range is reduced from the full set of user data to the subset of user data having the same first verification information, and the amount of user data in that subset is far smaller than in the full set. This can also be understood as follows: the library N is searched using the first verification information as a keyword, so that the subsequent search on the second verification information is narrowed from the library N to the subset M, where M is far smaller than N. The efficiency of the whole retrieval process is thereby greatly improved.
Of course, if the record corresponding to the hash address value is not found in the hash table, the verification operation is ended.
In some embodiments, the business data includes first authentication information, and the first authentication information in the business data is privacy encrypted to form a plurality of ciphertext fragments of the first authentication information.
Thus, in some embodiments, the manner of verifying whether a service account corresponding to the encrypted service data exists in the stored registration information comprises: searching with the ciphertext fragment of the first verification information in the encrypted service data as the keyword, and screening out from the stored registration information the service registration data corresponding to the first verification information; then obtaining the matching service registration data from the screened-out service registration data, and obtaining the service account in the matching service registration data.
Taking a hash table structure as an example: a hash operation is performed with the ciphertext fragment of the first verification information in the encrypted service data as the key to obtain a hash address value, and the group corresponding to that hash address value is located in the hash table. In some examples, the matching record item may then be obtained directly from the located group, and the service account in the matching record item obtained.
In some embodiments, the business data includes first authentication information and second authentication information, wherein privacy encrypting the business data includes privacy encrypting at least one of the first authentication information and the second authentication information to form a plurality of ciphertext fragments of the first authentication information and/or a plurality of ciphertext fragments of the second authentication information.
In some examples, privacy encrypting the business data includes privacy encrypting first authentication information in the business data to form a plurality of ciphertext fragments of the first authentication information, and privacy encrypting second authentication information in the business data to form a plurality of ciphertext fragments of the second authentication information. Therefore, the manner of verifying whether the service account corresponding to the encrypted service data exists in each of the stored registration information includes: searching by taking the ciphertext fragment of the first verification information in the encrypted service data as a keyword, and screening out service registration data corresponding to the first verification information from each stored registration information; acquiring service registration data matched with second verification information from the screened service registration data corresponding to the first verification information by taking the ciphertext fragments of the second verification information in the encrypted service data as keywords; and obtaining the service account in the service registration data matched with the second verification information.
Taking a hash table structure as an example: once a hash operation has been performed with the ciphertext fragment of the first verification information in the encrypted service data as the key to obtain a hash address value, and the group corresponding to that hash address value has been located in the hash table, the method may further include: obtaining the matching record item in the located group with the ciphertext fragment of the second verification information in the encrypted service data as the keyword, where the matching record item contains second verification information matching the service data, and obtaining the service account in the matching record item.
It should be noted that, in some of the foregoing embodiments, when the data includes the first authentication information and the second authentication information, both are privacy-encrypted to form a plurality of ciphertext fragments of the first authentication information and a plurality of ciphertext fragments of the second authentication information, respectively. The disclosure is not limited to this, and other embodiments may vary it.
For example, in some embodiments, privacy encrypting the business data includes privacy encrypting first authentication information in the business data to form a plurality of ciphertext fragments of the first authentication information. Therefore, the manner of verifying whether the service account corresponding to the encrypted service data exists in each of the stored registration information includes: searching by taking the ciphertext fragment of the first verification information in the encrypted service data as a keyword, and screening out service registration data corresponding to the first verification information from each stored registration information; acquiring service registration data matched with second verification information from the screened service registration data corresponding to the first verification information by taking the second verification information in the encrypted service data as a key word; and obtaining the service account in the service registration data matched with the second verification information.
For example, in some embodiments, privacy encrypting the business data includes privacy encrypting second authentication information in the business data to form a plurality of ciphertext fragments of the second authentication information. Therefore, the manner of verifying whether the service account corresponding to the encrypted service data exists in each of the stored registration information includes: searching by taking first verification information in the encrypted service data as a keyword, and screening out service registration data corresponding to the first verification information from the stored registration information; acquiring service registration data matched with second verification information from the screened service registration data corresponding to the first verification information by taking the ciphertext fragments of the second verification information in the encrypted service data as keywords; and obtaining the service account in the service registration data matched with the second verification information.
By searching with the first verification information as the key word, the range of the group corresponding to the first verification information is greatly reduced, and subsequently, matching can be performed from the obtained group based on the second verification information to determine the matched service account.
In practical applications, the matching within the group may be implemented differently depending on the content of the second authentication information. In some examples, the second authentication information may be, for example, password information, barcode information, two-dimensional code information, etc., and the match within the group may be found by conventional retrieval. In some examples, the second verification information may be, for example, biometric information, and the matching within the group may be implemented using biometric similarity calculation.
The following description takes a cardless payment service as an example. In the cardless payment service, the service registration data includes password information and biometric information, and the service data includes password information and biometric information.
The password information may be, for example, a numeric password or a multi-character string that includes at least three of the following character types: digits, uppercase letters, lowercase letters, special characters, and the like. The biometric information may be, for example, face information, fingerprint information, palm print information, iris information, heart rate information, and the like.
It is assumed that both the password information and the biometric information in the service registration data have undergone privacy encryption and conventional re-encryption.
In some examples, each record in the database contains a record sequence number Seq, a re-encrypted password-information ciphertext fragment, a re-encrypted biometric-information ciphertext fragment, and a re-encrypted business account, as shown in Table 2 below.
Table 2 (table image not reproduced)
Using the stored registration information, when the verification platform of the service data receives a new service request, the verification module 17 can verify the password information and the biometric information in the new service request against the stored registration information to determine the corresponding service account.
In the payment scenario, in the process of verifying the service data, in addition to the requirement of achieving accurate matching, the verification method is also required to be fast, and the response time is required to be as short as possible (for example, the response time is required to be within 500 milliseconds), so as to improve the user experience.
In order to realize quick verification of information, in the embodiment, a data encryption retrieval technology is applied.
The data encryption retrieval technology is used to quickly find records that meet given conditions in an encrypted stored database, and comprises three parts: index creation, maintenance and retrieval.
In the index creation and maintenance stage, privacy-encrypted data is taken as input, a unique secure index is built for each record's keyword through privacy computation and privacy comparison, and records with the same keyword are placed in one group. In the retrieval stage, the keyword to be retrieved is input in privacy-encrypted form, and its group is determined through privacy computation and privacy comparison, so that the encrypted objects with the same keyword can be output quickly.
In this embodiment, a data structure similar to a hash table over plaintext data is implemented through privacy computation, giving secure and efficient data retrieval; the query key of the hash table is the password-information ciphertext fragment in the service request.
In this embodiment, the verification platform for business data may further include a hash table creation module (not shown in the drawings) configured to perform a hash operation on the business account and the associated business registration data in each piece of stored registration information, using the password information as the key, to create a hash table.
In this embodiment, to improve retrieval efficiency, each computing node first calls the encryptor to decrypt the stored re-encrypted service registration data, obtaining the privacy-encrypted service registration data (e.g., the password information and/or the biometric information); the hash table creation module can then create the hash table.
Using the created hash table, the process by which the verification module 17 verifies the password information and the biometric information in the new service request against the stored registration information may include:
First, the stored registration information is searched based on the password information in the service data to locate the group containing the password information, where all record items in the group have the same password-information characteristic.
In this embodiment, the step of searching the stored registration information based on the password information in the service data and locating the group containing the password information includes: based on the password information in the service data, locating in the hash table, through privacy computation, the group corresponding to the password information in the service data.
In this embodiment, based on the password-information ciphertext fragment in the service data, the secure data retrieval technique is used: a hash address value is calculated through privacy computation, and the record corresponding to that hash address value is found in the hash table. The group containing the password information can thus be located quickly; all record items in the group have the same password-information characteristic, that is, the same password information or the same equivalent characteristic of the password information. Retrieval by the password information therefore narrows the matching range from all users in the full user data set to the subset of user data with the same password information, and the amount of user data in that subset is far smaller than in the full set. This can also be understood as follows: the biometric-information routing library N is searched with the password information as the keyword, so that the subsequent biometric identification is confined to the subset M, where M is far smaller than N. In this processing flow, because the password information is relatively simple, it can be used to search and filter the full user data set quickly and accurately; and because the screened user data subset is far smaller than the full set, the biometric information can be matched quickly within the subset.
Of course, if the record corresponding to the hash address value is not found in the hash table, the verification operation is ended.
In some embodiments, the service data includes password information.
A hash operation is performed with the password-information ciphertext fragment in the encrypted service data as the key to obtain a hash address value, and the group corresponding to that hash address value is located in the hash table; the matching record item can then be obtained from the located group, and the service account in the matching record item obtained.
For example, if the first verification information is password information, a hash operation is performed with the password-information ciphertext fragment corresponding to the password information as the key to obtain a hash address value, and the group corresponding to that hash address value is located in the hash table. In some examples, the password information may be associated with the user's identity information or the user's mobile phone number; for example, the password information may be part or all of the identification number or the mobile phone number, or some combination of the identification number, the mobile phone number and other information. In this case, the matching record item may be obtained directly from the located group, and the business account in the matching record item obtained. Alternatively, in some examples, although the matching record item cannot be obtained directly from the located group using the password information alone, it can be obtained from the located group using other information in the service data (for example, information about the terminal that collected the service data, the service type in the service data, and the like), and the service account in the matching record item is then obtained.
In some embodiments, the business data includes password information and biometric information.
Therefore, once a hash operation has been performed with the password-information ciphertext fragment in the encrypted service data as the key to obtain a hash address value, and the group corresponding to that hash address value has been located in the hash table, the method may further include: obtaining the matching record item in the located group with the biometric-information ciphertext fragment in the encrypted service data as the keyword, where the matching record item contains biometric information matching the service data, and obtaining the service account in the matching record item.
In this embodiment, the step of obtaining the matching record item in the located group with the biometric-information ciphertext fragment in the encrypted service data as the keyword includes: based on the biometric information in the service data, performing similarity calculation against the biometric information of all record items in the group that the hash table associates with the password information in the service data, to determine the matching record item.
In some examples, taking face recognition as an example, performing similarity calculation against the biometric information of all record items in the group based on the biometric information in the business data includes: based on the privacy-encrypted face features in the service data, performing feature similarity calculation against the privacy-encrypted face features in all record items in the group to determine the matching record item.
Specifically, as described above, the face features of the face image in the service data are obtained through face feature extraction, and these features can be converted into corresponding face feature vectors. Privacy-encrypting the face features means privacy-encrypting the face feature vectors corresponding to the face features.
For both the face information in the service registration data and the face information in the service data, privacy encryption of the face feature vector corresponding to the face features may include: privacy-encrypting the face feature vector Y to form ciphertext fragments Y1, Y2, Ya, Yb of the face feature vector.
Therefore, the face feature similarity calculation may include: performing privacy computation on the ciphertext fragments Y1, Y2, Ya, Yb of the face feature vector formed by the privacy encryption module 13 and the ciphertext fragments Y1', Y2', Ya', Yb' of the privacy-encrypted face feature vector in each record item in the located group, to obtain the similarity between the face feature vector to be recognized and the face feature vector in each record item in the group.
In some embodiments, when performing similarity calculation based on the face feature vector, the similarity between the face image to be recognized and the face feature vector of the face image in the database may be characterized by using the vector distance between the two.
For example, the vector distance between the privacy-encrypted face feature vector to be recognized and the privacy-encrypted face feature vector in each record item in the group may be used. In some examples, the calculated vector distance is converted into a corresponding similarity value according to a preset similarity conversion strategy. The similarity conversion strategy may, for example, pre-establish a correspondence list of vector distances and similarity values according to the relationship between feature vectors and similarity; the list may be divided into several similarity levels according to preset vector distance thresholds, with a similarity value set for each level. Because the vector distance between feature vectors is generally inversely proportional to their similarity, the smaller the vector distance, the higher the similarity value, and the larger the vector distance, the lower the similarity value. The similarity value corresponding to a calculated vector distance can then be obtained by looking it up in the correspondence list. In some examples, the minimum vector distance value is selected from the calculated vector distances, and the record item corresponding to the minimum Euclidean distance value is regarded as the record item matching the face information in the service data. The vector distance may be a cosine distance or a Euclidean distance, which is not particularly limited in this embodiment.
In some examples, taking fingerprint identification as an example, performing similarity calculation against the biometric information of all record items in the group based on the biometric information in the business data includes: based on the privacy-encrypted fingerprint features in the service data, performing feature similarity calculation against the privacy-encrypted fingerprint features in all record items in the group to determine the matching record item.
In some examples, taking a palm print as an example, performing similarity calculation against the biometric information of all record items in the group based on the biometric information in the business data includes: based on the privacy-encrypted palm print features in the service data, performing feature similarity calculation against the privacy-encrypted palm print features in all record items in the group to determine the matching record item.
In some examples, taking iris as an example, performing similarity calculation against the biometric information of all record items in the group based on the biometric information in the business data includes: based on the privacy-encrypted iris features in the service data, performing feature similarity calculation against the privacy-encrypted iris features in all record items in the group to determine the matching record item.
Therefore, the feature similarity calculation on the biometric information is carried out only within the screened groups (namely M subsets). Compared with performing the feature similarity calculation over the entire database, efficiency is greatly improved, and the fast-response requirement of payment can be met.
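The similarity calculation over ciphertext fragments described above, restricted to an already located group, can be sketched as follows. This is an added example, not code from the patent: it assumes two-party additive secret sharing with dealer-supplied Beaver triples as a stand-in for the patent's privacy encryption (which forms four fragments Y1, Y2, Ya, Yb), and the modulus, the `max_dist` rejection threshold, the account labels and the feature vectors are all constructed for illustration.

```python
import secrets

P = 2**61 - 1  # field modulus: an assumption, the page names no parameters


def share(vec):
    """Split an integer vector into two additive shares mod P ("ciphertext fragments")."""
    s0 = [secrets.randbelow(P) for _ in vec]
    s1 = [(v - a) % P for v, a in zip(vec, s0)]
    return s0, s1


def open_value(z0, z1):
    """Recombine two shares of one value and map it back to a signed integer."""
    v = (z0 + z1) % P
    return v - P if v > P // 2 else v


def _split(v):
    """Hand out one value as two additive shares."""
    r = secrets.randbelow(P)
    return r, (v - r) % P


def beaver_triple():
    """Dealer-generated triple a, b, c = a*b, each distributed as two shares."""
    a, b = secrets.randbelow(P), secrets.randbelow(P)
    return _split(a), _split(b), _split(a * b % P)


def shared_square(x0, x1):
    """Shares of x*x from shares of x; only the masked values d and e are opened."""
    (a0, a1), (b0, b1), (c0, c1) = beaver_triple()
    d = (x0 - a0 + x1 - a1) % P   # x - a, uniformly random to both nodes
    e = (x0 - b0 + x1 - b1) % P   # x - b, likewise
    # x*x = (a + d)(b + e) = c + d*b + e*a + d*e; the public term goes to node 0
    z0 = (c0 + d * b0 + e * a0 + d * e) % P
    z1 = (c1 + d * b1 + e * a1) % P
    return z0, z1


def shared_sqdist(q, r):
    """Shares of the squared Euclidean distance between two shared vectors."""
    acc0 = acc1 = 0
    for q0, q1, r0, r1 in zip(q[0], q[1], r[0], r[1]):
        # Subtraction is done locally by each node on its own fragment.
        z0, z1 = shared_square((q0 - r0) % P, (q1 - r1) % P)
        acc0, acc1 = (acc0 + z0) % P, (acc1 + z1) % P
    return acc0, acc1


def match_in_group(query, group, max_dist):
    """Return (account, distance) of the closest record in the located group,
    or None if the group is empty or the closest record is farther than
    max_dist (an assumed rejection policy, not stated on the page).
    Opening every distance is a simplification: it reveals more than a
    comparison carried out under privacy computation would."""
    best = None
    for rec in group:
        dist = open_value(*shared_sqdist(query, rec["face"]))
        if best is None or dist < best[1]:
            best = (rec["account"], dist)
    if best is None or best[1] > max_dist:
        return None
    return best


# Constructed sample data: quantised 4-dimensional "face feature vectors"
# for the record items of one located group.
GROUP = [
    {"seq": 1, "account": "ACCT-A", "face": share([12, -3, 7, 40])},
    {"seq": 2, "account": "ACCT-B", "face": share([-20, 15, 3, 8])},
    {"seq": 3, "account": "ACCT-C", "face": share([12, -3, 30, 40])},
]
QUERY = [11, -2, 7, 41]  # constructed fresh capture close to ACCT-A

if __name__ == "__main__":
    print(match_in_group(share(QUERY), GROUP, max_dist=50))
```

Neither node ever holds a plaintext feature vector; each sees only its own fragments and the masked values `d` and `e`.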
As for the biological information, as described above, in some embodiments, after the biological information in all the service registration data is sent to the verification platform of the service data, the verification platform of the service data performs privacy encryption on the biological information in the service registration data through the privacy encryption module 13, so that the verification platform of the service data only needs to perform feature extraction on the biological information in the service request.
After the matching record item is determined, the business account in the matching record item can be obtained.
Referring to Table 2, after the matching record item is determined, the service account can be obtained from that record item, and the service account is determined to belong to the service requester corresponding to the service request.
The verification platform for the service data further comprises a service message generation module, and the service message generation module is used for generating a service message based on the first verification information and the service account after the matched service account is determined.
The verification platform for the service data can further comprise a receiving and sending module, wherein the receiving and sending module is used for sending the service message to a service execution mechanism corresponding to the service account, and the service execution mechanism executes corresponding operation according to the service message.
For example, in an access service, verification information (e.g., password information, electronic card information, fingerprint information, etc.) collected by an access terminal is uploaded to a monitoring center, the monitoring center verifies whether the verification information is valid, and after the verification passes, confirmation can be replied to the access terminal, and the access terminal opens the access.
For example, in an attendance service, verification information (e.g., password information, electronic card information, fingerprint information, etc.) collected by an attendance terminal is uploaded to an attendance management and control center, the attendance management and control center verifies whether the verification information is valid, and after the verification passes, confirmation can be replied to the attendance terminal, which confirms that the attendance operation is completed.
For example, in the ticketing service, the verification information (such as password information, barcode information, two-dimensional code information, fingerprint information, and the like) collected by the ticketing terminal is uploaded to a ticketing verification center, the ticketing verification center verifies whether the verification information is legal, and after the verification is passed, confirmation can be replied to the ticketing terminal.
In the bank card payment service, a merchant sends collected bank card information and a payment password to a verification platform through a POS machine, the verification platform obtains a bank account number corresponding to a consumer after verification, a payment message formed by the bank account number and the payment password of the consumer is sent to an issuing bank, and the issuing bank deducts money to complete payment.
In the card-free payment service, a merchant sends acquired password information and biological information to a verification platform through a POS machine, the verification platform obtains a bank account number corresponding to a consumer after verification, a payment message formed by the bank account number and the password information of the consumer is sent to an issuing bank, and the issuing bank deducts money to complete payment.
Of course, in some embodiments, the service message may also be encrypted by using an encryption machine before being sent to the service execution mechanism corresponding to the service account.
Please refer to fig. 6, which is a flowchart illustrating a verification method of service data according to the present application, where the verification method is executed in a computer system.
As shown in fig. 6, the method for verifying the service data includes the following steps:
Step S301: privacy-encrypt the service data to be verified in the service request to obtain encrypted service data.
In some embodiments, the service data in the service request includes first authentication information. In some examples, the first authentication information may be password information, which may be, for example, a numeric password or a multi-character string that includes at least three of the following character types: digits, uppercase letters, lowercase letters, special characters, or the like. In some examples, the first authentication information may be biometric information, which may be, for example, face information, fingerprint information, palm print information, iris information, heart rate information, or the like.
In some embodiments, the service data in the service request includes first authentication information and second authentication information. In some examples, the first authentication information may be password information, which may be, for example, a numeric password or a multi-character string that includes at least three of the following character types: digits, uppercase letters, lowercase letters, special characters, or the like. The second authentication information may be biometric information, which may be, for example, face information, fingerprint information, palm print information, iris information, heart rate information, and the like.
In practical application, the service data in the service request is collected by the terminal.
After the terminal collects the service data, the service data can be combined with the characteristic information of the terminal to form a service request, and the service request is uploaded to a verification platform of the service data.
After receiving the service request, the service data verification platform can perform privacy encryption on the service data to be verified in the service request.
In some embodiments, the service data in the service request includes first verification information; privacy-encrypting the service data to be verified in the service request then includes privacy-encrypting the first verification information in the service data.
In some embodiments, the service data in the service request includes first verification information and second verification information; privacy-encrypting the service data to be verified in the service request then includes privacy-encrypting at least one of the first verification information and the second verification information in the service data. In some examples, the first verification information in the service data is privacy-encrypted. In some examples, the second verification information in the service data is privacy-encrypted. In some examples, both the first verification information and the second verification information in the service data are privacy-encrypted. Privacy-encrypting at least one of the first verification information and the second verification information protects the sensitive information comprising the first and second verification information, and also protects the association between items of sensitive information (such as between the first verification information and the second verification information), ensuring the security and reliability of the service data.
In this embodiment, for the principle of privacy-encrypting the first verification information and/or the second verification information in the service data, refer to FIG. 2.
Step S303, verifying whether a service account corresponding to the encrypted service data exists in each stored registration information.
In some embodiments, the service data in the service request includes first verification information, and correspondingly, the registration information includes the service account and its associated service registration data, which also includes the first verification information. The first verification information in the service registration data is privacy-encrypted to form a plurality of ciphertext fragments of the first verification information, and these ciphertext fragments are stored in a distributed manner across a plurality of storage nodes.
In some embodiments, the service data in the service request includes first verification information and second verification information, and correspondingly, the registration information includes the service account and its associated service registration data, which also includes the first verification information and the second verification information. The first verification information and/or the second verification information in the service registration data is privacy-encrypted. In some examples, the first verification information in the service registration data is privacy-encrypted to form a plurality of ciphertext fragments of the first verification information. In some examples, the second verification information in the service registration data is privacy-encrypted to form a plurality of ciphertext fragments of the second verification information. In some examples, the first verification information and the second verification information in the service registration data are privacy-encrypted to form a plurality of ciphertext fragments of the first verification information and a plurality of ciphertext fragments of the second verification information, respectively.
For the manner in which the first verification information and/or the second verification information in the service registration data is privacy-encrypted and stored in a distributed manner, refer to the description of the registration system and the registration method for service registration data.
The ciphertext fragments of the first verification information and/or the ciphertext fragments of the second verification information are dispersedly stored in a plurality of storage nodes, so that the security of the first verification information and/or the second verification information can be ensured.
In some examples, the first verification information may be password information, which may be, for example, a numeric password or a multi-character string containing at least three of the following types: digits, uppercase letters, lowercase letters, special characters, and the like. The second verification information may be biometric information, which may be, for example, face information, fingerprint information, palm print information, iris information, heart rate information, and the like.
In some embodiments, after being privacy-encrypted, the service registration data in the registration information is additionally encrypted with conventional encryption to obtain encrypted service registration data; the re-encrypted service registration data is stored in a distributed manner across a plurality of storage nodes, and each storage node stores the registration information in a corresponding database.
In addition, each storage node may store the privacy-encrypted service registration information in a corresponding database.
In some embodiments, the service registration data in the registration information includes the first verification information, and thus the database includes a plurality of structured records, each record including a record serial number, a service account, and the associated ciphertext fragment of the first verification information.
In some embodiments, the service registration data in the registration information includes the first verification information and the second verification information, and thus the database includes a plurality of structured records, each record including a record serial number, a service account, and the associated ciphertext fragment of the first verification information and/or ciphertext fragment of the second verification information.
To verify information quickly, this embodiment applies an encrypted data retrieval technique.
The encrypted data retrieval technique is used to quickly find the records that satisfy a condition in a database stored in encrypted form, and comprises three parts: index creation, index maintenance, and retrieval.
In the index creation and maintenance stage, privacy-encrypted data is used as input, a unique secure index is established for the keyword of each record through privacy calculation and privacy comparison, and records with the same keyword are classified into one group. During retrieval, the keyword to be retrieved is input in privacy-encrypted form, and its group is determined through privacy calculation and privacy comparison, so that the encrypted objects with the same keyword can be output quickly.
In some embodiments, the service data in the service request includes first verification information, and correspondingly, the registration information includes the service account and its associated service registration data, which also includes the first verification information. The first verification information in the service registration data is privacy-encrypted to form a plurality of ciphertext fragments of the first verification information, and these ciphertext fragments are stored in a distributed manner across a plurality of storage nodes. The first verification information in the service data is privacy-encrypted to form a plurality of ciphertext fragments of the first verification information.
Thus, in some embodiments, the manner of verifying whether a service account corresponding to the encrypted service data exists in each piece of stored registration information includes: searching with the ciphertext fragments of the first verification information in the encrypted service data as the keyword, and screening out, from the stored registration information, the service registration data corresponding to the first verification information; then obtaining the matching service registration data from the screened-out service registration data, and obtaining the service account in the matching service registration data.
In some embodiments, the service data in the service request includes first verification information and second verification information, and correspondingly, the registration information includes the service account and its associated service registration data, which also includes the first verification information and the second verification information. The first verification information and/or the second verification information in the service registration data is privacy-encrypted.
In some examples, the first verification information in the service registration data is privacy-encrypted to form a plurality of ciphertext fragments of the first verification information, and correspondingly, the first verification information in the service data is privacy-encrypted to form a plurality of ciphertext fragments of the first verification information. Thus, in some examples, the manner of verifying whether a service account corresponding to the encrypted service data exists in each piece of stored registration information includes: searching with the ciphertext fragments of the first verification information in the encrypted service data as the keyword, and screening out, from the stored registration information, the service registration data corresponding to the first verification information; obtaining, with the second verification information in the encrypted service data as the keyword, the service registration data matching the second verification information from the screened-out service registration data; and obtaining the service account in the service registration data matching the second verification information.
In some examples, the second verification information in the service registration data is privacy-encrypted to form a plurality of ciphertext fragments of the second verification information, and correspondingly, the second verification information in the service data is privacy-encrypted to form a plurality of ciphertext fragments of the second verification information. Thus, in some examples, the manner of verifying whether a service account corresponding to the encrypted service data exists in each piece of stored registration information includes: searching with the first verification information in the encrypted service data as the keyword, and screening out, from the stored registration information, the service registration data corresponding to the first verification information; obtaining, with the ciphertext fragments of the second verification information in the encrypted service data as the keyword, the service registration data matching the second verification information from the screened-out service registration data; and obtaining the service account in the service registration data matching the second verification information.
In some examples, the first verification information and the second verification information in the service registration data are privacy-encrypted to form a plurality of ciphertext fragments of the first verification information and a plurality of ciphertext fragments of the second verification information, respectively, and correspondingly, the first verification information and the second verification information in the service data are privacy-encrypted to form a plurality of ciphertext fragments of the first verification information and a plurality of ciphertext fragments of the second verification information, respectively. Thus, in some examples, the manner of verifying whether a service account corresponding to the encrypted service data exists in each piece of stored registration information includes: searching with the ciphertext fragments of the first verification information in the encrypted service data as the keyword, and screening out, from the stored registration information, the service registration data corresponding to the first verification information; obtaining, with the ciphertext fragments of the second verification information in the encrypted service data as the keyword, the service registration data matching the second verification information from the screened-out service registration data; and obtaining the service account in the service registration data matching the second verification information.
In this embodiment, privacy calculation is used to realize, over encrypted data, a data structure similar to a hash table over plaintext data, so that data can be retrieved securely and efficiently.
Taking the example that the service registration data in the registration information includes first verification information and second verification information (assuming that the first verification information in the service registration data is privacy-encrypted to form a plurality of ciphertext fragments of the first verification information, and the second verification information is privacy-encrypted to form a plurality of ciphertext fragments of the second verification information), the query key of the hash table is the first verification information when the service is requested.
In this embodiment, the method for verifying the service data may further include performing a hash operation on the service account and the service registration data associated with the service account in each stored registration information, using the first verification information as a key, to create a hash table.
For the process of creating and maintaining the hash table, refer to the corresponding description of the service data verification platform.
With the created hash table, in step S303, the step of verifying whether a service account corresponding to the encrypted service data exists in each piece of stored registration information includes:
First, searching the stored registration information based on the first verification information in the service data, and locating the group in which the first verification information is located, wherein all entries in the group have the same first verification information characteristic.
In this embodiment, the step of searching the stored registration information based on the first verification information in the service data and locating the group in which the first verification information is located includes: based on the first verification information in the service data, locating, through privacy calculation, the group in the hash table that corresponds to the first verification information in the service data.
Specifically, a hash operation is performed with the ciphertext fragments of the first verification information in the encrypted service data as the keyword to obtain a hash address value, and the group corresponding to that hash address value is located in the hash table. That is, based on the ciphertext fragments of the first verification information in the service data, the secure data retrieval technique computes the hash address value through privacy calculation and finds the record corresponding to that hash address value in the hash table. In this way, the group in which the first verification information is located can be located quickly, where all entries in the group have the same first verification information characteristic, i.e., the same first verification information or the same equivalent characteristic of the first verification information.
Through retrieval by the first verification information, the matching range is thus reduced from the number of users in the original total set of user data to the subset of user data with the same first verification information, where the amount of user data in that subset is far smaller than in the total set. Taking password information as the first verification information as an example, since password information is relatively simple, it can be used to search and filter the user data set quickly and accurately.
In addition, since the screened-out subset of user data is much smaller than the total set of user data, the second verification information (for example, biometric information) can subsequently be used to perform fast matching within that subset.
Of course, if the record corresponding to the hash address value is not found in the hash table, the verification operation is ended.
Then, matching is performed based on the second verification information in the service data, and the service account matching the second verification information is determined from the group.
Specifically, with the ciphertext fragments of the second verification information in the encrypted service data as the keyword, a matching record entry is obtained in the located group, where the matching record entry contains second verification information that matches the service data.
Taking biometric information as the second verification information as an example, in this embodiment, the step of matching based on the biometric information in the service data and determining from the group the service account matching the biometric information includes: calculating the similarity between the biometric information in the service data and the biometric information of every record entry in the group of the hash table that corresponds to the first verification information (for example, password information) in the service data, and determining the matching record entry.
Therefore, the feature similarity calculation on the biometric information is carried out only in the screened-out groups (namely M subsets). Compared with calculating feature similarity across the entire database, efficiency is greatly improved, and the fast-response requirement of payment can be met.
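The two-stage lookup described above (locate the group by the first verification information, then compare the second verification information only inside that group), as an added illustration that is not part of the patent text. Additive secret sharing modulo a prime stands in for the "privacy encryption", an HMAC tag under a hypothetical platform key stands in for the privately computed hash address, and the threshold, feature vectors, account names and all function names are constructed assumptions.

```python
import hashlib
import hmac
import secrets

P = 2**61 - 1                        # prime modulus for additive sharing (assumed)
N = 3                                # number of storage nodes (assumed)
INDEX_KEY = secrets.token_bytes(32)  # hypothetical key held by the platform
THRESHOLD = 50                       # constructed squared-distance match limit


def split(value, n=N):
    """Additively share value mod P; any n-1 shares are uniformly random."""
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % P)
    return shares


def open_shares(shares):
    """Recombine one share from every node."""
    return sum(shares) % P


def bucket_tag(first_info):
    """Keyed tag used as the hash address of a group (assumed stand-in)."""
    mac = hmac.new(INDEX_KEY, first_info.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def beaver_square(d_shares):
    """Square a shared value d without opening it.

    A dealer hands out shares of a random a and of a*a. Only e = d - a is
    opened, which a masks; then d^2 = a^2 + 2*e*a + e^2 is formed locally.
    """
    a = secrets.randbelow(P)
    a_sh, c_sh = split(a), split(a * a % P)
    e = open_shares([(d - ai) % P for d, ai in zip(d_shares, a_sh)])
    out = [(c + 2 * e * ai) % P for c, ai in zip(c_sh, a_sh)]
    out[0] = (out[0] + e * e) % P
    return out


class Platform:
    def __init__(self):
        # One dict per storage node: tag -> list of record fragments.
        self.nodes = [{} for _ in range(N)]
        self.serial = 0

    def register(self, account, first_info, bio):
        """Store one registration: group by tag, share the feature vector."""
        self.serial += 1
        tag = bucket_tag(first_info)
        bio_sh = [split(x) for x in bio]
        for i, node in enumerate(self.nodes):
            node.setdefault(tag, []).append({
                "serial": self.serial,
                "account": account,
                "bio": [s[i] for s in bio_sh],   # this node's fragment only
            })

    def verify(self, first_info, bio):
        """Return (matched account or None, number of records compared)."""
        tag = bucket_tag(first_info)
        groups = [node.get(tag) for node in self.nodes]
        if groups[0] is None:                    # no such group: stop here
            return None, 0
        q_sh = [split(x) for x in bio]
        best, compared = None, 0
        for frags in zip(*groups):               # same record on every node
            if len(frags[0]["bio"]) != len(bio):
                continue                         # malformed query or record
            compared += 1
            dist_sh = [0] * N
            for k in range(len(bio)):
                d_sh = [(q_sh[k][i] - frags[i]["bio"][k]) % P for i in range(N)]
                sq = beaver_square(d_sh)
                dist_sh = [(x + y) % P for x, y in zip(dist_sh, sq)]
            dist = open_shares(dist_sh)          # only the distance is opened
            if dist <= THRESHOLD and (best is None or dist < best[0]):
                best = (dist, frags[0]["account"])
        return (best[1] if best else None), compared


def demo():
    """Constructed registrations: two accounts share the same password."""
    p = Platform()
    p.register("acct-alice", "482913", [12, 200, 33, 90])
    p.register("acct-bob", "482913", [180, 15, 77, 140])
    p.register("acct-carol", "771204", [90, 40, 210, 5])
    return p


if __name__ == "__main__":
    p = demo()
    print(p.verify("482913", [13, 198, 34, 91]))   # noisy re-capture
    print(p.verify("771204", [13, 198, 34, 91]))   # other group
    print(p.verify("000000", [13, 198, 34, 91]))   # unknown first info
```

In this example the deterministic tag makes it visible on every node which records share the same first verification information, and each opened distance is disclosed to whoever recombines it; both are properties of the stand-ins chosen here, which a design with fully private comparison would avoid.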
After the verification is passed, step S305 may be executed.
Step S305, generating a service message based on the service account.
After the matching record entry is determined, that is, after the verification is passed, the service account can be obtained from the record entry, and the service account is determined to belong to the service requester corresponding to the service request. Therefore, in step S305, a service message is generated based on the first verification information and the service account, the service message is sent to the service execution mechanism corresponding to the service account, and the service execution mechanism executes the corresponding operation according to the service message.
The present application also discloses a computer-readable storage medium storing at least one program that participates in performing a verification method of service data or a registration method of service registration data when being called. The verification method of the service data can refer to fig. 6 and the related description related to fig. 6, and the registration method of the service registration data can refer to fig. 5 and the related description related to fig. 5, which are not repeated herein. It should be noted that, through the above description of the embodiments, those skilled in the art can clearly understand that part or all of the present application can be implemented by software and combined with necessary general hardware platform. With this understanding, the computer-readable storage medium stores at least one program that, when invoked, performs any of the methods described above. With this understanding in mind, the technical solutions of the present application and/or portions thereof that contribute to the prior art may be embodied in the form of a software product that may include one or more machine-readable media having stored thereon machine-executable instructions that, when executed by one or more machines such as a computer, network of computers, or other electronic devices, may cause the one or more machines to perform operations in accordance with embodiments of the present application. For example, each step in the positioning method of the robot is performed. 
The machine-readable medium may include, but is not limited to, floppy diskettes, optical disks, CD-ROMs (compact disc-read only memories), magneto-optical disks, ROMs (read only memories), RAMs (random access memories), EPROMs (erasable programmable read only memories), EEPROMs (electrically erasable programmable read only memories), magnetic or optical cards, flash memory, or other type of media/machine-readable medium suitable for storing machine-executable instructions. The computer readable storage medium may be located in a server or a third party server, such as an aristo service system. The application is operational with numerous general purpose or special purpose computing system environments or configurations. For example: mainframe computers, distributed computing environments that include any of the above systems or devices, and the like. The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
As described above, the service data verification method, the service data verification platform, the computer system, and the computer-readable storage medium disclosed in the present application privacy-encrypt the service data during service implementation and carry out verification on the privacy-encrypted data, so that the data is never presented in plaintext at any point. This ensures the security and reliability of the service data and addresses the problem of risk prevention and control for service data security in existing service implementations.
Based on the technical frameworks reflected by the examples described in the above-mentioned service data verification method, verification platform, computer system, and computer-readable storage medium, the present application discloses the following technical solutions:
1. A method for verifying service data, characterized by comprising the following steps:
carrying out privacy encryption on the service data to be verified in the service request to obtain encrypted service data;
verifying whether a service account corresponding to the encrypted service data exists in each piece of stored registration information; the registration information comprises a service account and service registration data related to the service account, and the service registration data corresponds to the service data;
if so, the verification is passed.
2. The authentication method according to embodiment 1, further comprising a step of receiving registration information and storing the registration information.
3. The authentication method according to embodiment 2, wherein the step of receiving registration information and storing the registration information comprises:
receiving registration information, and carrying out privacy encryption on service registration data in the registration information to obtain encrypted service registration data;
and dispersing the registration information containing the encrypted service registration data into a plurality of ciphertext fragments and storing the ciphertext fragments in a plurality of storage nodes.
4. The verification method according to embodiment 1, wherein the service data to be verified includes first verification information; the step of privacy encryption of the service data to be verified comprises: carrying out privacy encryption on the first verification information in the service data to be verified to form a plurality of ciphertext fragments of the first verification information.
5. The verification method according to embodiment 4, wherein the step of verifying whether or not a service account corresponding to the encrypted service data exists in each of the stored registration information includes:
searching by taking the ciphertext fragment of the first verification information in the encrypted service data as a keyword, and screening out service registration data corresponding to the first verification information from each stored registration information;
and acquiring matched service registration data from the screened service registration data corresponding to the first verification information, and acquiring a service account in the matched service registration data.
6. The verification method according to embodiment 1, wherein the service data to be verified includes first verification information and second verification information; the step of privacy encryption of the service data to be verified comprises: carrying out privacy encryption on the first verification information and/or the second verification information in the service data to be verified to form a plurality of ciphertext fragments of the first verification information and/or ciphertext fragments of the second verification information.
7. The verification method according to embodiment 6, wherein the step of verifying whether or not a service account corresponding to the encrypted service data exists in each of the stored registration information includes:
searching by taking the ciphertext fragment of the first verification information in the encrypted service data as a keyword, and screening out service registration data corresponding to the first verification information from each stored registration information;
acquiring service registration data matched with second verification information from the screened service registration data corresponding to the first verification information by taking the ciphertext fragments of the second verification information in the encrypted service data as keywords;
and obtaining the service account in the service registration data matched with the second verification information.
8. The verification method according to embodiment 5 or 7, further comprising a step of generating a service message based on the service account after the matched service account is obtained.
9. A platform for validating business data, comprising:
the privacy encryption module is used for carrying out privacy encryption on the service data to be verified in the service request to obtain encrypted service data;
the verification module is used for verifying whether a service account corresponding to the encrypted service data exists in each piece of stored registration information; the registration information comprises a service account and service registration data related to the service account, and the service registration data corresponds to the service data.
10. The verification platform according to embodiment 9, wherein the verification platform for business data further comprises a storage module, and the storage module comprises a plurality of storage nodes; the service registration data in the registration information is encrypted service registration data formed by private encryption, and the registration information containing the encrypted service registration data is dispersed into a plurality of ciphertext fragments and stored in a plurality of storage nodes.
11. The verification platform according to embodiment 9, wherein the service data to be verified includes first verification information, and the manner in which the privacy encryption module performs privacy encryption on the service data to be verified in the service request includes: carrying out privacy encryption on the first verification information in the service data to be verified to form a plurality of ciphertext fragments of the first verification information.
12. The verification platform according to embodiment 11, wherein the manner in which the verification module verifies whether the service account corresponding to the encrypted service data exists in each piece of stored registration information includes:
searching by taking the ciphertext fragment of the first verification information in the encrypted service data as a keyword, and screening out service registration data corresponding to the first verification information from each stored registration information;
and acquiring matched service registration data from the screened service registration data corresponding to the first verification information, and acquiring a service account in the matched service registration data.
13. The verification platform according to embodiment 9, wherein the service data to be verified includes first verification information and second verification information, and the manner in which the privacy encryption module performs privacy encryption on the service data to be verified in the service request includes: carrying out privacy encryption on the first verification information and/or the second verification information in the service data to be verified to form a plurality of ciphertext fragments of the first verification information and/or ciphertext fragments of the second verification information.
14. The verification platform according to embodiment 13, wherein the manner in which the verification module verifies whether the service account corresponding to the encrypted service data exists in each piece of stored registration information includes:
searching by taking the ciphertext fragment of the first verification information in the encrypted service data as a keyword, and screening out service registration data corresponding to the first verification information from each stored registration information;
acquiring service registration data matched with second verification information from the screened service registration data corresponding to the first verification information by taking the ciphertext fragments of the second verification information in the encrypted service data as keywords;
and obtaining the service account in the service registration data matched with the second verification information.
15. The verification platform of embodiment 12 or 14, further comprising: a service message generation module, used for generating a service message based on the first verification information and the service account after the matched service account is determined.
16. A computer system, comprising:
a storage device for storing at least one program;
an interface device;
and a processing device connected to the storage device and the interface device, wherein the processing device integrates a trusted processing environment, and the processing environment executes, according to the at least one stored program, the service data verification method of any one of embodiments 1 to 8.
17. A computer-readable storage medium, characterized in that the computer-readable storage medium stores computer instructions which, when invoked, participate in performing the service data verification method of any one of embodiments 1 to 8.
The above embodiments are merely illustrative of the principles and utilities of the present application and are not intended to limit the application. Any person skilled in the art can modify or change the above-described embodiments without departing from the spirit and scope of the present application. Accordingly, it is intended that all equivalent modifications or changes which can be made by those skilled in the art without departing from the spirit and technical concepts disclosed in the present application shall be covered by the claims of the present application.

Claims (9)

1. A method for verifying service data is characterized by comprising the following steps:
carrying out privacy encryption on the service data to be verified in the service request to obtain encrypted service data;
verifying whether a service account corresponding to the encrypted service data exists in each piece of stored registration information;
the registration information comprises a service account and service registration data related to the service account, and the service registration data corresponds to the service data;
if so, the verification is passed.
2. The method for validating service data according to claim 1, further comprising the steps of:
receiving registration information, and carrying out privacy encryption on service registration data in the registration information to obtain encrypted service registration data;
and dispersing the registration information containing the encrypted service registration data into a plurality of ciphertext fragments and storing the ciphertext fragments in a plurality of storage nodes.
3. The method for verifying service data according to claim 1, wherein the service data to be verified includes first verification information and second verification information; the step of carrying out privacy encryption on the service data to be verified comprises: carrying out privacy encryption on the first verification information and/or the second verification information in the service data to be verified to form a plurality of ciphertext fragments of the first verification information and/or ciphertext fragments of the second verification information.
4. The method for verifying service data according to claim 3, wherein the step of verifying whether a service account corresponding to the encrypted service data exists in each of the stored registration information includes:
searching by taking the ciphertext fragment of the first verification information in the encrypted service data as a keyword, and screening out service registration data corresponding to the first verification information from each stored registration information;
acquiring service registration data matched with second verification information from the screened service registration data corresponding to the first verification information by taking the ciphertext fragments of the second verification information in the encrypted service data as keywords;
and obtaining the service account in the service registration data matched with the second verification information.
5. A platform for verifying service data, comprising:
a privacy encryption module, used for carrying out privacy encryption on the service data to be verified in the service request to obtain encrypted service data;
a verification module, used for verifying whether a service account corresponding to the encrypted service data exists in each piece of stored registration information; the registration information comprises a service account and service registration data related to the service account, and the service registration data corresponds to the service data.
6. The platform according to claim 5, wherein the service data to be verified includes first verification information and second verification information, and the manner in which the privacy encryption module carries out privacy encryption on the service data to be verified in the service request includes: carrying out privacy encryption on the first verification information and/or the second verification information in the service data to be verified to form a plurality of ciphertext fragments of the first verification information and/or ciphertext fragments of the second verification information.
7. The platform of claim 6, wherein the manner in which the verification module verifies whether a service account corresponding to the encrypted service data exists in each piece of stored registration information comprises:
searching by taking the ciphertext fragment of the first verification information in the encrypted service data as a keyword, and screening out service registration data corresponding to the first verification information from each stored registration information;
acquiring service registration data matched with second verification information from the screened service registration data corresponding to the first verification information by taking the ciphertext fragments of the second verification information in the encrypted service data as keywords;
and obtaining the service account in the service registration data matched with the second verification information.
8. A computer system, comprising:
a storage device for storing at least one program;
an interface device;
a processing device connected to the storage device and to the interface device, wherein the processing device integrates a trusted processing environment, and the processing environment executes, according to the at least one stored program, the method for verifying service data according to any one of claims 1 to 4.
9. A computer-readable storage medium, characterized in that it stores computer instructions which, when invoked, participate in performing the method for verifying service data according to any one of claims 1 to 4.
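The registration step of claim 2 and the two-stage lookup of claims 1, 3 and 4, as an added Python example that is not code from the patent. The claims do not fix the primitive, so the following are assumptions: "privacy encryption" is modelled as an HMAC-SHA256 tag under a platform key, the ciphertext fragments are slices of that tag (one per storage node), the account is XOR-shared across the nodes, and all names and sample values are hypothetical and constructed.

```python
import hashlib
import hmac
import secrets
from functools import reduce
from typing import Optional

N_NODES = 3
KEY = secrets.token_bytes(32)             # constructed platform key (assumption)
nodes = [dict() for _ in range(N_NODES)]  # node i: record id -> (frag1, frag2, account share)

def fragments(value: str, label: bytes) -> list:
    """Assumed privacy encryption: HMAC-SHA256 tag cut into one fragment per node."""
    tag = hmac.new(KEY, label + b"\x00" + value.encode(), hashlib.sha256).digest()
    step = -(-len(tag) // N_NODES)        # ceiling division
    return [tag[i * step:(i + 1) * step] for i in range(N_NODES)]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def register(account: str, first: str, second: str) -> None:
    """Claim 2: encrypt the registration data and disperse it over the storage nodes."""
    rid, raw = secrets.token_hex(8), account.encode()
    shares = [secrets.token_bytes(len(raw)) for _ in range(N_NODES - 1)]
    shares.append(reduce(xor, shares, raw))   # XOR of all shares recovers raw
    f1, f2 = fragments(first, b"first"), fragments(second, b"second")
    for i, node in enumerate(nodes):
        node[rid] = (f1[i], f2[i], shares[i])

def verify(first: str, second: str) -> Optional[str]:
    """Claims 1, 3, 4: screen on the first item, match the second, return the account."""
    q1, q2 = fragments(first, b"first"), fragments(second, b"second")
    # Stage 1: every node screens its records with its fragment of the first item.
    hits = [{r for r, rec in n.items() if hmac.compare_digest(rec[0], q1[i])}
            for i, n in enumerate(nodes)]
    # Stage 2: among the survivors, the second item must match on every node.
    for rid in set.intersection(*hits):
        if all(hmac.compare_digest(n[rid][1], q2[i]) for i, n in enumerate(nodes)):
            return reduce(xor, (n[rid][2] for n in nodes)).decode()
    return None                               # no service account: verification fails

if __name__ == "__main__":
    register("acct-demo", "13600000000", "pin-0000")   # constructed sample values
    print(verify("13600000000", "pin-0000"), verify("13600000000", "wrong"))
```

Because the tag is deterministic, each storage node can tell which records share the same first verification item; a deployment that must hide that equality needs a different keyword scheme than the one assumed here.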
CN201910523115.1A 2019-05-08 2019-06-17 Service data verification method and verification platform Active CN111915306B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910381207 2019-05-08
CN2019103812070 2019-05-08

Publications (2)

Publication Number Publication Date
CN111915306A true CN111915306A (en) 2020-11-10
CN111915306B CN111915306B (en) 2023-12-19

Family

ID=73241795

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201910523129.3A Pending CN111914264A (en) 2019-05-08 2019-06-17 Index creation method and device, and data verification method and device
CN201910523115.1A Active CN111915306B (en) 2019-05-08 2019-06-17 Service data verification method and verification platform

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN201910523129.3A Pending CN111914264A (en) 2019-05-08 2019-06-17 Index creation method and device, and data verification method and device

Country Status (1)

Country Link
CN (2) CN111914264A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114581095A (en) * 2022-03-16 2022-06-03 网银在线(北京)科技有限公司 Payment method, collection terminal and system
CN114996748A (en) * 2022-08-04 2022-09-02 广州市森锐科技股份有限公司 Paperless application management method and device, computer equipment and storage medium
CN115329390A (en) * 2022-10-18 2022-11-11 北京锘崴信息科技有限公司 Financial privacy information security auditing method and device based on privacy protection calculation
WO2024021922A1 (en) * 2022-07-26 2024-02-01 中兴通讯股份有限公司 Video call method, electronic device, and storage medium

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112434125A (en) * 2020-11-30 2021-03-02 中国人寿保险股份有限公司 Index structure, and method, device and equipment for searching unstructured data
CN114090638B (en) * 2022-01-20 2022-04-22 支付宝(杭州)信息技术有限公司 Combined data query method and device based on privacy protection

Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1052582A2 (en) * 1999-05-13 2000-11-15 Xerox Corporation Method for enabling privacy and trust in electronic communities
CN102176694A (en) * 2011-03-14 2011-09-07 张龙其 Fingerprint module with encryption unit
KR20140070143A (en) * 2012-11-30 2014-06-10 주식회사 하나은행 User terminal and password registration apparatus
US20150089241A1 (en) * 2011-12-22 2015-03-26 Galaxycore Shanghai Limited Corporation Image Sensor and Payment Authentication Method
CA3123658A1 (en) * 2015-07-21 2017-01-26 10353744 Canada Ltd. Online transaction method, device and system
WO2017069950A1 (en) * 2015-10-23 2017-04-27 Mastercard International Incorporated Biometric verification systems and methods for payment transactions
CN107181714A (en) * 2016-03-09 2017-09-19 阿里巴巴集团控股有限公司 Verification method and device, the generation method of service code and device based on service code
US20170277774A1 (en) * 2012-10-30 2017-09-28 FHOOSH, Inc. Systems and methods for secure storage of user information in a user profile
CN107465730A (en) * 2017-07-26 2017-12-12 深圳市金立通信设备有限公司 A kind of service request method and terminal
CN108446680A (en) * 2018-05-07 2018-08-24 西安电子科技大学 A kind of method for secret protection in face authentication system based on edge calculations
CN108667605A (en) * 2018-04-25 2018-10-16 拉扎斯网络科技(上海)有限公司 Data encryption and decryption method and device
CN108737442A (en) * 2018-06-12 2018-11-02 北京多采多宜网络科技有限公司 A kind of cryptographic check processing method
US20180341930A1 (en) * 2017-05-25 2018-11-29 Oracle International Corporation Sharded Permissioned Distributed Ledgers
WO2019067357A1 (en) * 2017-09-29 2019-04-04 Alibaba Group Holding Limited Fourth Floor, One Capital Place Data storage method, data query method and apparatuses
CN109711184A (en) * 2018-12-28 2019-05-03 国网电子商务有限公司 Block chain data access control method and device based on attribute encryption

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2639997B1 (en) * 2012-03-15 2014-09-03 ATS Group (IP Holdings) Limited Method and system for secure access of a first computer to a second computer
CN104429019B (en) * 2012-07-05 2017-06-20 日本电信电话株式会社 Secret decentralized system, data dispersal device, dispersion data converting apparatus and secret
CN105474575B (en) * 2013-08-22 2018-12-14 日本电信电话株式会社 Secure Verification System, certificate server, intermediate server, Secure authentication method and program
JP6017392B2 (en) * 2013-09-27 2016-11-02 株式会社東芝 Information processing apparatus, host device, and system
US9256549B2 (en) * 2014-01-17 2016-02-09 Netapp, Inc. Set-associative hash table organization for efficient storage and retrieval of data in a storage system
CN106416151A (en) * 2014-05-30 2017-02-15 高通股份有限公司 Multi-table hash-based lookups for packet processing
ES2949399T3 (en) * 2014-11-12 2023-09-28 Calctopia Ltd Secure multiparty computing in spreadsheets
US10826707B2 (en) * 2017-10-16 2020-11-03 Assa Abloy Ab Privacy preserving tag

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114581095A (en) * 2022-03-16 2022-06-03 网银在线(北京)科技有限公司 Payment method, collection terminal and system
WO2024021922A1 (en) * 2022-07-26 2024-02-01 中兴通讯股份有限公司 Video call method, electronic device, and storage medium
CN114996748A (en) * 2022-08-04 2022-09-02 广州市森锐科技股份有限公司 Paperless application management method and device, computer equipment and storage medium
CN114996748B (en) * 2022-08-04 2022-10-28 广州市森锐科技股份有限公司 Paperless application management method and device, computer equipment and storage medium
CN115329390A (en) * 2022-10-18 2022-11-11 北京锘崴信息科技有限公司 Financial privacy information security auditing method and device based on privacy protection calculation

Also Published As

Publication number Publication date
CN111914264A (en) 2020-11-10
CN111915306B (en) 2023-12-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant