CN111915306B - Service data verification method and verification platform - Google Patents

Publication number
CN111915306B
Authority
CN
China
Prior art keywords
service
information
data
verification
registration
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910523115.1A
Other languages
Chinese (zh)
Other versions
CN111915306A (en
Inventor
王蜀洪
李艺
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huakong Tsingjiao Information Technology Beijing Co Ltd
Original Assignee
Huakong Tsingjiao Information Technology Beijing Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/901 Indexing; Data structures therefor; Storage structures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/903 Querying
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Data Mining & Analysis (AREA)
  • Medical Informatics (AREA)
  • Computational Linguistics (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a service data verification method and a verification platform. The verification method comprises the following steps: performing privacy encryption on the service data to be verified in a service request to obtain encrypted service data; verifying whether a service account corresponding to the encrypted service data exists in the stored registration information, where the registration information comprises a service account and its associated service registration data, and the service registration data corresponds to the service data; and, if so, passing the verification. With this method and platform, the service data never appears in plaintext during the verification process, which ensures the safety and reliability of the service data or service registration data.

Description

Service data verification method and verification platform
Technical Field
The present invention relates to the field of data security processing technologies, and in particular, to a service data verification method and verification platform, a computer system, and a computer readable storage medium.
Background
With the application of electronic technology and communication networks, a manner of implementing services such as access control, attendance checking, public transportation, ticketing, financial payment, etc. through a digital system is now being widely used.
Taking a financial payment service as an example, generally, when payment is realized, a merchant obtains authentication information of a consumer and uploads the authentication information to a financial authentication platform to authenticate the authentication information, so as to obtain a corresponding financial account number, and a payment message is formed according to the authentication information, so that a financial institution can carry out a deduction operation.
However, the above financial payment service has the following drawbacks: because it is used frequently, the verification information can reside in the server memory of the financial verification platform for a long time, where it is at risk of being stolen by IT administrators or hackers, or of being taken in an attack; in particular, the verification information is stored in the server memory of the financial verification platform in plaintext form, which poses a serious security risk.
Disclosure of Invention
In view of the above-mentioned drawbacks of the prior art, an object of the present application is to disclose a method and a platform for verifying service data, a computer system, and a computer readable storage medium for solving the risk prevention and control problem of service data security in the prior art.
To achieve the above and other related objects, a first aspect of the present application discloses a method for verifying service data, including:
Carrying out privacy encryption on service data to be verified in the service request to obtain encrypted service data;
verifying whether a service account corresponding to the encrypted service data exists in each piece of stored registration information; the registration information comprises a service account and associated service registration data thereof, wherein the service registration data corresponds to the service data;
if so, the verification passes.
In certain implementations of the first aspect of the present application, the method for verifying service data further includes: receiving registration information, and carrying out privacy encryption on service registration data in the registration information to obtain encrypted service registration data; and dispersing the registration information containing the encrypted service registration data into a plurality of ciphertext fragments and storing the ciphertext fragments in a plurality of storage nodes.
In certain implementations of the first aspect of the present application, the service data to be verified includes first verification information and second verification information; the step of performing privacy encryption on the service data to be verified includes: performing privacy encryption on the first verification information and/or the second verification information in the service data to be verified to form a plurality of ciphertext fragments of the first verification information and/or a plurality of ciphertext fragments of the second verification information.
In certain implementations of the first aspect of the present application, the step of verifying whether the service account corresponding to the encrypted service data exists in each of the stored registration information includes: searching by taking ciphertext fragments of first verification information in the encrypted service data as keywords, and screening service registration data corresponding to the first verification information from stored registration information; the ciphertext fragment of the second verification information in the encrypted service data is used as a keyword, and service registration data matched with the second verification information is obtained from the screened service registration data corresponding to the first verification information; and obtaining the service account in the service registration data matched with the second verification information.
A second aspect of the present application discloses a service data verification platform, including: the privacy encryption module is used for carrying out privacy encryption on the service data to be verified in the service request to obtain encrypted service data; the verification module is used for verifying whether the stored registration information contains a service account corresponding to the encrypted service data; the registration information comprises a service account and associated service registration data, wherein the service registration data corresponds to the service data.
In certain embodiments of the second aspect of the present application, the service data to be verified includes first verification information and second verification information, and the way in which the privacy encryption module performs privacy encryption on the service data to be verified in the service request includes: performing privacy encryption on the first verification information and/or the second verification information in the service data to be verified to form a plurality of ciphertext fragments of the first verification information and/or a plurality of ciphertext fragments of the second verification information.
In certain embodiments of the second aspect of the present application, the means for verifying, by the verification module, whether a service account corresponding to the encrypted service data exists in each of the stored registration information includes: searching by taking ciphertext fragments of first verification information in the encrypted service data as keywords, and screening service registration data corresponding to the first verification information from stored registration information; the ciphertext fragment of the second verification information in the encrypted service data is used as a keyword, and service registration data matched with the second verification information is obtained from the screened service registration data corresponding to the first verification information; and obtaining the service account in the service registration data matched with the second verification information.
In certain embodiments of the second aspect of the present application, the service data verification platform further includes: and the service message generation module is used for generating a service message based on the first verification information and the service account after the matched service account is determined.
A third aspect of the present application discloses a computer system comprising:
a storage device for storing at least one program;
an interface device;
and the processing device is connected with the storage device and the interface device, wherein the processing device is integrated with a trusted processing environment, and the processing environment executes the verification method of the service data according to the stored at least one program.
A fourth aspect of the present application discloses a computer-readable storage medium storing computer instructions that, when invoked, participate in performing the method of verifying service data as previously described.
As described above, the service data verification method, the verification platform, the computer system and the computer readable storage medium disclosed in the application perform privacy encryption on service data or service registration data in service implementation, and perform verification in a privacy encryption manner during verification, so that the service data or service registration data is not displayed in plaintext all the time, the safety and reliability of the service data or service registration data are ensured, and the method and the device are used for solving the risk prevention and control problem of the safety of the service data in the prior art.
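The registration and two-stage lookup described in the implementations above, as an added sketch that is not taken from the patent: additive secret sharing stands in for the "privacy encryption", whose scheme this part of the text does not specify, and the class names, the three-node layout, the blinding mask and the sample records are assumptions.

```python
import hashlib
import secrets

P = 2**521 - 1   # Mersenne prime; every fragment is an element of Z_P
N_NODES = 3      # assumed number of storage nodes


def to_field(value: str) -> int:
    """Hash a verification value to a field element so any string can be shared."""
    return int.from_bytes(hashlib.sha256(value.encode()).digest(), "big")


def split(secret: int, n: int = N_NODES) -> list[int]:
    """Additive sharing: n random-looking fragments that sum to the secret mod P."""
    parts = [secrets.randbelow(P) for _ in range(n - 1)]
    parts.append((secret - sum(parts)) % P)
    return parts


def combine(parts: list[int]) -> int:
    """Recombine fragments; only meaningful when all n fragments are present."""
    return sum(parts) % P


class StorageNode:
    """Holds one fragment of every registered record and never sees a plaintext."""

    def __init__(self):
        self.rows = []

    def store(self, first: int, second: int, account: int) -> None:
        self.rows.append({"first": first, "second": second, "account": account})

    def masked_diff(self, idx: int, field: str, query_share: int, mask: int) -> int:
        """Local step of the equality test: mask * (query fragment - stored fragment)."""
        return mask * (query_share - self.rows[idx][field]) % P


class Platform:
    """Single-process simulation of registration and verification."""

    def __init__(self):
        self.nodes = [StorageNode() for _ in range(N_NODES)]
        self.count = 0

    def register(self, first: str, second: str, account: str) -> None:
        # Accounts are shared as integers, so they must fit in 65 bytes.
        acct = int.from_bytes(account.encode(), "big")
        shares = zip(split(to_field(first)), split(to_field(second)), split(acct))
        for node, (f, s, a) in zip(self.nodes, shares):
            node.store(f, s, a)
        self.count += 1

    def _equal(self, idx: int, field: str, query_shares: list[int]) -> bool:
        # Assumption: the nodes agree on a fresh non-zero mask that the party
        # summing the results does not know; it sees mask * (query - stored),
        # which is 0 on a match and a blinded value otherwise.
        mask = 1 + secrets.randbelow(P - 1)
        diffs = [n.masked_diff(idx, field, q, mask)
                 for n, q in zip(self.nodes, query_shares)]
        return combine(diffs) == 0

    def verify(self, first: str, second: str):
        q1, q2 = split(to_field(first)), split(to_field(second))
        # Stage 1: filter records whose first verification information matches.
        candidates = [i for i in range(self.count) if self._equal(i, "first", q1)]
        # Stage 2: within that subset, match the second verification information.
        matches = [i for i in candidates if self._equal(i, "second", q2)]
        if not matches:
            return None
        # Only now are the account fragments of the matched record recombined.
        acct = combine([n.rows[matches[0]]["account"] for n in self.nodes])
        return acct.to_bytes((acct.bit_length() + 7) // 8, "big").decode()


def demo():
    """Constructed records: payment password first, bank card number second."""
    p = Platform()
    p.register("262626", "6222000011112222", "CUST-0001")
    p.register("262626", "6222000033334444", "CUST-0002")
    p.register("135790", "6222000055556666", "CUST-0003")
    return p


if __name__ == "__main__":
    platform = demo()
    print(platform.verify("262626", "6222000033334444"))
    print(platform.verify("262626", "0000000000000000"))
```

The sketch hides the stored and queried values from each node, but whoever sums the masked differences still learns which records matched at each stage; keeping that candidate set hidden as well requires a full multi-party computation protocol.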
Drawings
Fig. 1 is a schematic structural diagram of a hardware system of an authentication platform for service data in an embodiment of the present application.
Fig. 2 shows a schematic diagram of a private encryption storage and private computing architecture.
Fig. 3 is a schematic diagram of a registration system for service registration data according to the present application in an embodiment.
Fig. 4 is a schematic diagram of a registration system for registering data of a service in another embodiment.
Fig. 5 is a flow chart of a registration method of service registration data in the present application.
Fig. 6 is a schematic flow chart of a method for verifying service data according to the present application.
Detailed Description
Further advantages and effects of the present application will be readily apparent to those skilled in the art from the present disclosure, by describing the embodiments of the present application with specific examples.
In the following description, reference is made to the accompanying drawings, which describe several embodiments of the present application. It is to be understood that other embodiments may be utilized and that compositional and operational changes may be made without departing from the spirit and scope of the present disclosure. The following detailed description is not to be taken in a limiting sense, and the scope of embodiments of the present application is defined only by the claims of the patent of the present application. The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application.
Furthermore, as used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context indicates otherwise. For example, the term "at least one client" in the present application includes one client and a plurality of clients. It will be further understood that the terms "comprises," "comprising," "includes," and/or "including" specify the presence of stated features, steps, operations, elements, components, items, categories, and/or groups, but do not preclude the presence or addition of one or more other features, steps, operations, elements, components, items, categories, and/or groups. The terms "or" and "and/or" as used herein are to be construed as inclusive, meaning any one or any combination.
In some applications of service implementation, operations such as authentication may involve using service data, where the service data may constitute sensitive data, and protection of the sensitive data may involve multiple parties such as a data provider, an intermediate authentication platform, and a data consumer of the data.
Taking face-brushing payment as an example, the face-brushing payment flow involves face data (including face pictures and face features), payment passwords (including payment security codes), bank card numbers and other data.
Typically, any single piece of information (called sensitive information), such as the payment password (including the payment security code), face picture, face feature or bank card, does not by itself constitute sensitive data. In fact, single pieces of information such as a 6-digit payment password, a face or a bank account number are visible everywhere. For example, knowing only that 262626 is the payment password of some bank card (but not which bank card) is of no use. However, once such information is correlated, for example once it is known that 262626 is the payment password corresponding to the bank card xxxxxx, the bank card can be forged to steal other people's funds. Therefore, it is the association information between the payment password and the bank card number that is the truly sensitive data.
Similarly, the face picture, the face feature, and their association with the bank card number and the payment password are sensitive data that need strong protection. That a face picture is sensitive data is intuitive, but the need to protect face features is easily overlooked because they are produced by a feature extraction algorithm, and there is a misconception that the face feature extraction algorithm is an encryption algorithm. In fact, although information is lost in feature extraction and the face picture cannot be uniquely restored from the face feature, what is lost is unimportant face information, and the most important face feature information remains (otherwise the face could not be recognized). Thus, once the face features are obtained, it is very easy with the prior art to forge face elements having the same or similar features, and even to trick liveness detection by simply disguising a live person. In addition, a face, like any biometric information, cannot be changed at will, and once it is revealed the exposure cannot be remedied.
In a plaintext scheme of face payment, a registered user may complete a payment with counterfeit face elements. An IT administrator can attack more broadly, for example by counterfeiting the face elements of all users who share the same payment password and impersonating those users to initiate illegal payments; the impersonated users can deny the payments, and the IT administrator cannot be verified. This is possible because the business process can search out the group of users who share the same payment security code, and an IT administrator who knows that group in effect knows the payment passwords of all its users, and can then associate those payment passwords with the counterfeit face elements to complete the attack.
In summary, the payment password, the payment security code and the association relationship between the payment security code and the bank card, and the face feature, the face picture and the association relationship between the face picture and the payment password are all sensitive data which need to be strictly protected.
In order for the parties involved in the sensitive data to effect processing of the sensitive data based on protecting the sensitive data, in some embodiments the sensitive data is privacy processed such that the sensitive data does not appear in the clear. Therefore, the application provides a technology for verifying, interacting and processing the sensitive data under the condition that the sensitive data are privacy encrypted by the verification terminal in payment consumption.
In view of this, the application discloses a service data verification method, a service data verification platform, a computer system and a storage medium, which perform privacy encryption on service data in service implementation, so that the service data is verified in a privacy encryption mode and is not displayed in plaintext all the time, the safety and reliability of the service data are ensured, and the service data verification method, the service data verification platform, the computer system and the storage medium are used for solving the risk prevention and control problem of the safety of the service data in the existing service implementation.
Referring to fig. 1, a schematic structural diagram of a hardware system of a verification platform for service data in an embodiment of the present application is shown. The service data verification platform shown in fig. 1 is used for verifying the service data in the triggered service request to confirm the user identity from the pre-stored registration information, and determining the bound service account by the user identity to complete payment verification. It should be noted that, the processes performed according to the hardware system shown in fig. 1 are merely examples, and may be performed alone or in combination with other performing processes based on actual design requirements in different application scenarios.
The verification platform of the service data can be an electronic device comprising a storage device, a processing device, an interface device and the like, where the electronic device is a single computer device, a computer cluster or a service system based on a cloud architecture. The single computer device may be an autonomously configured computer device capable of executing the methods of the present application, and may be located in a private machine room or in a rented rack position in a public machine room. The computer cluster may be a group of mutually independent computer devices interconnected through a high-speed network, which form a group and are managed as a single system. The cloud-architecture service system comprises a public cloud service end and a private cloud service end, where the public or private cloud service end provides Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS) and the like. The private cloud service end is, for example, the Alibaba Cloud computing service platform, the Amazon cloud computing service platform, the Baidu cloud computing platform, the Tencent cloud computing platform, and the like.
According to the hardware device for actually running the above methods, each device constituting the electronic device may be located on a single server, or located in a plurality of servers and completed cooperatively by data communication between the servers.
For this purpose, the interface device is in data connection with the processing device, either via a bus or via a communication network. The interface device includes, but is not limited to, a network card, a mobile network access module, a bus interface connected to the processing device via a bus, and the like. For example, the interface device of the corresponding second computer system is communicatively connected to the interface device of the first computer system, the interface device of the user equipment, and the like. The interface devices exchange data through the Internet, a mobile network and a local area network.
The storage device is used for storing at least one program capable of executing any one or more of the methods. The storage device of a given electronic device may be located on the same physical server as the processing device, or on a different physical server, in which case the program is transferred to the processing device that runs it via the interface devices of the respective servers. The storage may include high-speed random access memory, and may also include non-volatile memory, such as one or more disk storage devices, flash memory devices, or other non-volatile solid-state storage devices. In some embodiments, the memory may also include memory remote from the one or more processors, such as network-attached memory accessed via RF circuitry or external ports and a communication network (not shown), which may be the internet, one or more intranets, a Local Area Network (LAN), a wide area network (WLAN), a Storage Area Network (SAN), etc., or suitable combinations thereof. The storage also includes a memory controller that can control access to memory by other components of the device, such as the CPU and peripheral interfaces. The software components stored in the storage device include an operating system, a communication module (or instruction set), a text input module (or instruction set), and an application (or instruction set).
The processing device is operatively coupled with the storage device. More specifically, the processing apparatus may execute programs stored in the memory and/or the nonvolatile storage device to perform operations in the task platform. As such, the processing device may include one or more general purpose microprocessors, one or more application specific processors (ASICs), one or more field programmable logic arrays (FPGAs), or any combinations thereof. Wherein, the plurality of CPUs contained in the processing device can be positioned in the same entity server or distributed in a plurality of entity servers, and realize data communication by means of the interface device so as to cooperatively execute the steps of each method.
As shown in fig. 1, the verification platform for service data of the present application may include: the device comprises a transceiver module 11, a privacy encryption module 13, a storage module 15 and a verification module 17.
The transceiver module 11 is used for receiving and transmitting information.
In this embodiment, the transceiver module 11 may be configured to receive a service request, where the service request includes service data to be verified.
Generally, in service implementation, a data provider acquires service data of a user and generates a service request containing the service data according to the service data, the service request is sent to a verification platform, and the verification platform verifies the received service request. Taking the most common payment service as an example, during a payment transaction, a terminal (such as a merchant end) generates a payment request containing payment data directly or through a receipt system, and sends the payment request to a verification platform for verification, and the transceiver module 11 of the verification platform receives the payment request.
In some embodiments, the service data in the service request includes first authentication information.
For example, in service scenarios such as access control, attendance, public transportation and ticketing, at least first verification information needs to be provided when the service is carried out. The first verification information may be, for example, password information (set by the user, or sent by the service provider through a short message, mail, or a message in a mobile app), the user's mobile phone number, two-dimensional code information, an electronic card, etc. In some examples, the password information may be a numeric password of 6 digits, 8 digits or more, but it is not limited to this: if the terminal device can provide the corresponding technical support, the password information may be more complex, for example 8 to 16 characters containing at least three of the types digits, uppercase letters, lowercase letters and special characters, which gives the password information higher security. In some examples, the password information may be associated with the user's identity information, or with the user's mobile phone number, etc.; for example, the password information may be part or all of the identity card number or the mobile phone number, or some combination of the identity card number, mobile phone number and other information.
Of course, the first verification information is not limited to this; for example, the first verification information may be biological information. Biological information is inherent to the human body and has the unique property that it cannot be copied, stolen or forgotten. Identity authentication using biological recognition technology has the advantages of safety, reliability, accuracy, convenience and the like. With the rapid development of technologies such as photoelectric technology, microcomputer technology, image processing technology and pattern recognition, biological information belonging to human biological characteristics, including face information, fingerprint information, palm print information, iris information, heart rate information and the like, has been applied in service implementations.
In some embodiments, the service data in the service request includes first authentication information and second authentication information.
Taking a financial payment service as an example, in a traditional bank card payment scenario the first verification information may be, for example, a bank card number and the second verification information a payment password, or the first verification information may be a payment password and the second verification information a bank card number. The verification platform of the service data verifies the validity of the service data according to the bank card number and the payment password and sends the verification information to the card-issuing bank, and the card-issuing bank performs a deduction operation according to the verification, completing the payment.
With the rapid development of information technology, card-free payment is increasingly common. In a card-free payment scenario, the first verification information may be, for example, password information and the second verification information biological information. The verification platform of the service data searches a database using the password information and the biological information to determine the service account matched with them (such as a bank card number, or a customer identification code issued by a bank that uniquely represents a customer), verifies its validity and sends the verification information to the card-issuing bank, and the card-issuing bank performs a deduction operation according to the verification, completing the payment.
The password information may be associated with the user's bank card number, with the user's identity information, or with the user's mobile phone number, etc. In some examples, the password information may be a payment password, for example a 6-digit or 8-digit numeric password, but it is not limited to this: if the payment device at the merchant side can provide the corresponding technical support, the payment password may be more complex, for example 8 to 16 characters containing at least three of the types digits, uppercase letters, lowercase letters and special characters, which gives higher security. In some examples, the password information may also take other forms, such as a gesture password.
Biological information is inherent to the human body and has the unique property that it cannot be copied, stolen or forgotten. Identity authentication using biological recognition technology has the advantages of safety, reliability, accuracy, convenience and the like. Biological information belonging to human biological characteristics includes face information, fingerprint information, palm print information, iris information, heart rate information and the like.
In practice, the service data in the service request is collected by the terminal.
For example, in a door access service scenario, the door access terminal may be, for example, a keypad, an electronic card reader, or a fingerprint collector.
For example, in an attendance service scenario, the attendance terminal may be, for example, a password keyboard, an electronic card reader, or a fingerprint collector.
For example, in a ticketing service scenario, the ticketing terminal may be, for example, a password keypad, a two-dimensional code reader, or a fingerprint collector, etc.
For example, in a financial payment service, taking a common bank card payment as an example, the terminal is typically configured with a POS (Point of Sale) machine, including a card reader for reading the information of a bank card (for example, a magnetic stripe reader for reading the magnetic stripe of a bank card or a chip reader for reading the chip of a bank card) and a password keypad.
For example, in a cardless payment service, the terminal is typically configured with a POS machine, and the POS machine is also typically provided with or associated with a biometric information collection device. The POS machine may collect the password information of the user, and the biometric information collection device may collect the biometric information of the user, which may be, for example, face information, fingerprint information, palm print information, iris information, heart rate information, etc.
In the following, face-brushing payment is taken as an example. A camera is usually arranged at or associated with the merchant end for capturing a face image of the service requester. The service requester or a staff member at the merchant end can select a "face brushing" button on the payment terminal to start the camera and collect the face image. Taking the payment service as an example, after a staff member at the merchant end selects "face-brushing payment", the service requester (consumer) faces the camera so that the camera can collect the face image of the service requester.
In addition, a collection device of payment password is usually set or associated at the merchant end, for example: pure numeric keyboards, computer keyboards, touch screens, etc. The payment password is usually preset by the service requester, and may be a set of numbers, a set of letters, a set of symbols, or a combination of numbers, letters, and symbols, which is not particularly limited herein.
In practical application, the service requester may input a preset payment password through a keyboard or a touch screen after acquiring the face image, or may acquire the face image after inputting the preset payment password through the keyboard or the touch screen.
Thus, in the embodiment, after the merchant terminal collects the payment password and the face image of the service requester, the merchant terminal can combine the payment password and the face image with characteristic information (such as a merchant account number, a device identification code of a POS machine, etc.) of the merchant terminal to form a service request, and the service request is sent to the service data verification platform through the receipt system, so that the verification platform can verify the service data in the service request.
In some examples, the POS machine also encrypts the payment password, e.g., with salted encryption.
The password information is set by the user, so in practical application the password chosen may not be complex enough, and different users are very likely to use the same password, in which case the password information ciphertext fragments corresponding to those users are the same. If the database storing the users' passwords is leaked, an attacker can easily find the users who share a password, which lowers the difficulty of cracking it. Therefore, when the users' passwords are encrypted, the password information needs to be masked so that identical passwords produce different ciphertexts, and even a weak password entered by a user is strengthened, increasing the difficulty of cracking it.
Salted encryption is an encryption method for password information (such as a payment password). It is implemented by associating each piece of password information with an n-bit random number called the "salt". The random number is generated by a computer and mixed into the original password in a random manner, and the result is then encrypted into a character string for storage. In other words, the process is one-way: the computer does not know the user's original password, and even if the encryption method is known, the pre-encryption string that could be derived in reverse is the real password mixed with the random value, so the user's real password cannot be recovered from it.
Therefore, after the merchant terminal collects the password information (such as a payment password) and the biological information (such as a face image) of the service requester, the POS machine encrypts the password information to form a password information ciphertext fragment, the password information ciphertext fragment and the biological information are combined with characteristic information (such as a merchant account number, a device identification code of a POS machine, and the like) of the merchant terminal to form a service request, and the service request is sent to a verification platform of service data through a receipt system.
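The effect of the salt described above can be checked directly. The following is an added example, not code from the patent: it models the salted scheme as a one-way PBKDF2-HMAC-SHA256 derivation, which is an assumption because the page names no algorithm, and the user names, passwords, salt length and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

ITERATIONS = 100_000  # assumed work factor, not taken from the page
SALT_BYTES = 16       # assumed length of the "n-bit random number" (salt)

# Constructed sample data: two users happen to choose the same payment password.
SAMPLE_PASSWORDS = {"alice": "123456", "bob": "123456", "carol": "864209"}


def unsalted_record(password):
    """Weak form: a bare digest, so equal passwords give equal stored values."""
    return hashlib.sha256(password.encode()).digest()


def salted_record(password):
    """Salted form: a fresh random salt per record, mixed in before the one-way step."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def users_sharing_a_value(stored):
    """Group users whose stored value is identical, as a leaked table would reveal."""
    groups = defaultdict(list)
    for user, value in stored.items():
        groups[value].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def build_tables(passwords):
    """Return (unsalted table, salted table) for the same set of users."""
    unsalted = {u: unsalted_record(p) for u, p in passwords.items()}
    salted = {u: salted_record(p) for u, p in passwords.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables(SAMPLE_PASSWORDS)
    print("unsalted duplicates:", users_sharing_a_value(unsalted))
    print("salted duplicates:  ",
          users_sharing_a_value({u: d for u, (_, d) in salted.items()}))
```
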
The privacy encryption module 13 is configured to perform privacy encryption on service data to be verified in the service request, so as to obtain encrypted service data.
For example, in an access control service scenario, verification information (such as password information, electronic card information, fingerprint information, etc.) collected by an access control terminal is uploaded to a monitoring center. The monitoring center verifies whether the verification information is legitimate; after the verification passes, a confirmation is returned to the access control terminal, and the terminal opens the door.
For example, in the attendance service scenario, verification information (such as password information, electronic card information, fingerprint information, etc.) collected by the attendance terminal is uploaded to the attendance management and control center. The attendance management and control center verifies whether the verification information is legitimate; after the verification passes, a confirmation is returned to the attendance terminal, and the terminal confirms that the attendance operation is completed.
For example, in a ticketing service scenario, verification information (such as password information, bar code information, two-dimensional code information, fingerprint information, etc.) collected by a ticketing terminal is uploaded to a ticketing verification center, the ticketing verification center verifies whether the verification information is legal verification information, and after verification is passed, a confirmation can be returned to the ticketing terminal.
In the financial payment business, taking bank card payment as an example, a merchant sends acquired bank card information and payment password to an order receiving system through a POS machine, the order receiving system forwards the bank card information and the payment password to a verification platform, the verification platform obtains a bank account number corresponding to a consumer after verification, a payment message formed by the bank account number and the payment password of the consumer is sent to an issuing bank, and the issuing bank deducts money to complete payment.
Taking face-brushing payment as an example, a merchant sends the acquired face picture and payment password to an order receiving system through a POS machine, the order receiving system forwards the face picture and the payment password to a verification platform, the verification platform obtains a bank account number corresponding to a consumer after verification, a payment message formed by the bank account number and the payment password of the consumer is sent to an issuing bank, and the issuing bank deducts money to complete payment.
However, in the above various service scenarios, there are the following drawbacks: the verification information is stored in a server memory of the financial verification platform in a plaintext form, and potential safety hazards exist.
In particular, taking the above face payment service as an example, there are the following drawbacks. First, the payment password is used for lookup, which differs from traditional password verification; because it is used frequently, it may reside on the verification platform of the service data for a long time, so there is a risk that an IT administrator or a hacker steals it, or obtains it through a dictionary attack. Second, the bank's face data is visible in plaintext to the verification platform of the service data; if the face data is abused on a large scale, the division of responsibility between the bank and the verification platform is unclear. Third, because the verification platform of the service data can easily associate the payment security code, the face data, the bank account and other core business data belonging to the bank, the cooperating bank has concerns about data and privacy protection.
In some embodiments, the service data includes first verification information, and the privacy encryption that the privacy encryption module 13 performs on the service data to be verified includes performing privacy encryption on the first verification information in the service data to form a plurality of ciphertext fragments of the first verification information.
For example, in an access service scenario, the privacy encryption module 13 may perform privacy encryption on first authentication information (e.g., password information, electronic card information, fingerprint information, etc.) in the service data.
For example, in an attendance business scenario, the privacy encryption module 13 may privacy encrypt first authentication information (e.g., password information, electronic card information, fingerprint information, etc.) in the business data.
For example, in a ticketing services scenario, the privacy encryption module 13 may privacy encrypt first authentication information (e.g., password information, bar code information, two-dimensional code information, fingerprint information, etc.) in the service data.
In some embodiments, the service data includes first verification information and second verification information, and the privacy encryption that the privacy encryption module 13 performs on the service data to be verified includes performing privacy encryption on at least one of the first verification information and the second verification information in the service data. In some examples, the privacy encryption module 13 performs privacy encryption on the first verification information in the service data to form a plurality of ciphertext fragments of the first verification information. In some examples, the privacy encryption module 13 performs privacy encryption on the second verification information in the service data to form a plurality of ciphertext fragments of the second verification information. In some examples, the privacy encryption module 13 performs privacy encryption on both, that is, it encrypts the first verification information to form a plurality of ciphertext fragments of the first verification information and encrypts the second verification information to form a plurality of ciphertext fragments of the second verification information.
In this way, by having the privacy encryption module 13 perform privacy encryption on at least one of the first verification information and the second verification information, the sensitive information comprising the first verification information and the second verification information is protected, and the association between items of sensitive information (for example, between the first verification information and the second verification information) can also be protected, so that the security and reliability of the service data are ensured.
For example, in the bank card payment service, the privacy encryption module 13 performs privacy encryption of at least one of the bank card information and the payment password. In some examples, the privacy encryption module 13 is used to privacy encrypt the bank card information in the business data. In some examples, the privacy encryption module 13 is used to privacy encrypt the payment password in the business data. In some examples, the privacy encryption module 13 is used to privacy encrypt both the bank card information and the payment password in the business data.
For example, in the card-less payment service, the privacy encryption module 13 performs privacy encryption on at least one of the password information and the biometric information. In some examples, the privacy encryption module 13 is configured to privacy encrypt the password information in the service data. In some examples, the privacy encryption module 13 is configured to privacy encrypt the biometric information in the service data. In some examples, the privacy encryption module 13 is configured to privacy encrypt both the password information and the biometric information in the service data.
Still referring to the face payment as an example, the privacy encryption module 13 performs privacy encryption on at least one of the payment password and the face information. In some examples, the privacy encryption module 13 is used to privacy encrypt the payment password in the business data. In some examples, the privacy encryption module 13 is configured to perform privacy encryption on face information in the service data. In some examples, the privacy encryption module 13 is configured to privacy encrypt both the payment password and the face information in the business data.
The manner in which the privacy encryption module 13 performs privacy encryption on the first verification information in the service data to be verified includes: performing privacy encryption on the first verification information in the service data to be verified to form ciphertext fragments of the first verification information.
Referring to FIG. 2, a schematic diagram of a privacy encryption storage and privacy computing architecture in one embodiment is shown.
As shown in FIG. 2, the privacy encryption storage and privacy computing architecture may include a user side and a server side. In this example, the server side is configured with four computing nodes, where each computing node is a single computer device, or a physical or virtual device used in a service system based on a cloud architecture, and so on. The single computer device may be an autonomously configured computer device capable of executing the processing method of service data, and may be located in a private machine room or in a rented slot in a public machine room. The service system of the cloud architecture comprises a public cloud service end and a private cloud service end, where the public or private cloud service end comprises SaaS, PaaS, IaaS and the like. The private cloud service end is, for example, the Alibaba Cloud computing service platform, the Amazon cloud computing service platform, the Baidu cloud computing platform, the Tencent cloud computing platform and the like. The virtual device may be one of the logical devices into which a physical server virtualizes a single exclusive device through virtualization technology, for simultaneous use by a plurality of user processes.
The computing node may include storage devices, processing devices, network interface devices, and the like. Depending on the hardware on which the computing node actually runs the processing method of the service data, these devices may be located on a single server, or distributed over multiple servers and implemented cooperatively through data communication between the servers.
The interface device is in data connection with the processing device, which may be connected via a bus or may be in data transfer via a communication network. To this end, the interface means include, but are not limited to, a network card, a mobile network access module, a bus interface connected to the processing means via a bus, etc. The interface device is also in communication with a task management platform, where the task management platform may be the task management platform mentioned above or another task management platform that may provide computing instructions. The interface device is in data communication with the task management platform and the data source through at least one of the Internet, the mobile network and the local area network so as to receive a calculation instruction for secret calculation sent by the task management platform and acquire private data of the data source.
The storage device is used for storing at least one program that can execute the processing method of the service data. The storage device may be located on the same physical server as the processing device, or on a different physical server, in which case the calculation instructions are passed to the processing device running the calculation via the interface device of each server. The storage device may include high-speed random access memory, and may also include non-volatile memory, such as one or more disk storage devices, flash memory devices, or other non-volatile solid-state storage devices. In some embodiments, the memory may also include memory remote from the one or more processors, such as network-attached memory accessed via RF circuitry or external ports and a communication network (not shown), which may be the internet, one or more intranets, a Local Area Network (LAN), a Wide Area Network (WAN), a Storage Area Network (SAN), etc., or suitable combinations thereof. The storage device also includes a memory controller that can control access to memory by other components of the device, such as the CPU and peripheral interfaces. The software components stored in the storage device include an operating system, a communication module (or instruction set), a text input module (or instruction set), and an application (or instruction set).
The processing device is operatively coupled with the storage device. More specifically, the processing device may execute programs stored in the memory and/or the non-volatile storage device to perform operations in the task platform. As such, the processing device may include one or more general purpose microprocessors, one or more application specific processors (ASICs), one or more field programmable logic arrays (FPGAs), or any combination thereof. The plurality of CPUs included in the processing device may be located in the same physical server or dispersed over a plurality of physical servers, communicating through the interface device to cooperatively execute the calculation method.
The functions that the privacy encryption storage and privacy computing architecture may implement may include privacy encryption storage and privacy computing.
The description of the relevant functions will be made below taking the four computing nodes shown in fig. 2 as an example.
Privacy encryption storage:
The user performs privacy encryption on the data X to be stored to form ciphertext, and sends the ciphertext to the server.
Specifically, taking data X as an example, data X is subjected to privacy encryption to form ciphertext fragments (shares) X1, X2, Xa, and Xb. In some embodiments, ciphertext fragments X1, X2, Xa, and Xb are obtained by random dispersion processing, i.e., based on a random number generated by privacy encryption, data X is randomly dispersed to form a plurality of ciphertext fragments. For example, ciphertext fragment X1 is a randomly selected large integer, ciphertext fragment X2 satisfies X1+X2=X (mod 2 ζ), Xa=X1+R, Xb=X2-R, where R=random(seed) is a shared random number generated from a random number seed shared between computing nodes S1 and S2. Each computing node performs a local computation using a shared random number to obtain intermediate data or computation results that can be cancelled, wherein each computing node is configured with a random number generator that generates the random number.
In some embodiments, the plurality of ciphertext fragments formed by the privacy encryption may be held by the computing nodes of the server. For example, taking four ciphertext fragments X1, X2, Xa, and Xb formed by privacy encryption as an example, ciphertext fragment X1 is held by computing node S1 of the server, ciphertext fragment X2 is held by computing node S2 of the server, ciphertext fragment Xa is held by computing node Sa of the server, and ciphertext fragment Xb is held by computing node Sb of the server. Therefore, these computing nodes S1, S2, Sa, Sb may act as storage nodes.
In some embodiments, the plurality of ciphertext fragments formed by the privacy encryption may also be held by other memories. For example, taking four ciphertext fragments X1, X2, Xa, and Xb formed by privacy encryption as an example, ciphertext fragment X1 is stored in memory C1 (not shown), ciphertext fragment X2 is stored in memory C2 (not shown), ciphertext fragment Xa is stored in memory Ca (not shown), and ciphertext fragment Xb is stored in memory Cb (not shown). These memories C1, C2, Ca, Cb (not shown) may serve as storage nodes.
In addition, for storage nodes, these storage nodes may be configured in a single computer device, a computer cluster, or a cloud architecture-based service system, or the like.
Storing the plurality of ciphertext fragments formed by privacy encryption of the input data dispersed across the storage nodes makes it possible to resist the attacks that may be faced after all storage nodes are invaded by hackers.
Privacy calculation:
The four computing nodes S1, S2, Sa, Sb follow the privacy operation protocol without collusion, and complete the multiparty computation corresponding to a computing task by cooperative computation among the four computing nodes. For example, a computing task may comprise a mathematical computing task on two or more input data. Each computing node performs a local computation using the shared random number to obtain intermediate data or computation results that can be cancelled, thereby ensuring that data transferred between the computing nodes, and between the computing nodes and other devices, is not leaked.
Taking a mathematical calculation task on two input data as an example, basic operations such as X+Y, XY and X>Y can be calculated on the ciphertext fragments without recovering the plaintext input data X and Y. In some examples, when Z=X+Y is to be calculated, the computing nodes S1 and S2 only need to locally calculate Z1=X1+Y1 and Z2=X2+Y2 respectively, add random numbers to Z1 and Z2, and send the results to the result receiver, which obtains Z by decryption, i.e., Z=Z1+Z2=X1+Y1+X2+Y2=(X1+X2)+(Y1+Y2)=X+Y. In some examples, if Z=XY=(X1+X2)(Y1+Y2) is to be calculated, the formula may be expanded as Z=XY=(X1+X2)(Y1+Y2)=X1Y1+X1Y2+X2Y1+X2Y2, which consists of non-cross terms (X1Y1, X2Y2) and cross terms (X2Y1, X1Y2). The computing nodes S1, S2 may each locally compute the non-cross terms (X1Y1, X2Y2) based on the primary privacy-encrypted ciphertext fragments, and the computing nodes Sa, Sb may each locally compute the cross terms (X2Y1, X1Y2) based on the secondary privacy-encrypted ciphertext fragments. The non-cross terms (X1Y1, X2Y2) and the cross terms (X2Y1, X1Y2) have random numbers added to them and are sent to the result receiver, which can then obtain Z by decryption. The correctness of the result can be proved mathematically, and no computing node can recover X, Y or Z without colluding with the corresponding node, which ensures the security of the basic privacy computation.
It should be noted that, according to the design requirement of the privacy computing architecture, the number of participating computing nodes is not limited to the above example, and the number of computing nodes providing the computing result is not limited to the above example.
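The share generation and the share-wise arithmetic described above can be traced with small numbers. This is an added example, not code from the patent: the modulus 2^64 is an assumption (the exponent on the page did not survive extraction), the HMAC-based `shared_random` is one assumed way to realize R=random(seed), and `product_from_terms` only checks the four-term expansion arithmetically without modelling how Sa and Sb obtain the cross terms, which the page does not specify.

```python
import hashlib
import hmac
import secrets

MOD = 2 ** 64  # assumed modulus; the page's own exponent is not recoverable


def shared_random(seed, counter):
    """R = random(seed): S1 and S2 derive the same value from their shared seed."""
    digest = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") % MOD


def share(x, seed, counter):
    """Split x into the four ciphertext fragments held by S1, S2, Sa and Sb."""
    x1 = secrets.randbelow(MOD)          # X1: randomly selected integer
    x2 = (x - x1) % MOD                  # X2: chosen so that X1 + X2 = X (mod MOD)
    r = shared_random(seed, counter)     # R: shared between S1 and S2
    return {"S1": x1, "S2": x2, "Sa": (x1 + r) % MOD, "Sb": (x2 - r) % MOD}


def reconstruct(a, b):
    """Combine a matching pair of fragments (X1, X2) or (Xa, Xb)."""
    return (a + b) % MOD


def add_on_shares(xs, ys, seed, counter):
    """S1 and S2 add locally, then mask with random numbers that cancel."""
    mask = shared_random(seed, counter)
    z1 = (xs["S1"] + ys["S1"] + mask) % MOD   # sent to the receiver by S1
    z2 = (xs["S2"] + ys["S2"] - mask) % MOD   # sent to the receiver by S2
    return z1, z2


def product_from_terms(xs, ys):
    """Sum the non-cross and cross terms of (X1+X2)(Y1+Y2) modulo MOD."""
    non_cross = xs["S1"] * ys["S1"] + xs["S2"] * ys["S2"]
    cross = xs["S2"] * ys["S1"] + xs["S1"] * ys["S2"]
    return (non_cross + cross) % MOD


if __name__ == "__main__":
    seed = b"constructed-seed-shared-by-S1-S2"   # constructed sample seed
    x, y = 271828, 314159                        # constructed sample inputs
    xs, ys = share(x, seed, 0), share(y, seed, 1)
    z1, z2 = add_on_shares(xs, ys, seed, 2)
    print("X from (X1, X2):", reconstruct(xs["S1"], xs["S2"]))
    print("X from (Xa, Xb):", reconstruct(xs["Sa"], xs["Sb"]))
    print("X + Y:", reconstruct(z1, z2))
    print("X * Y:", product_from_terms(xs, ys))
```

Each fragment on its own is a uniformly random value, so sharing the same X twice yields unrelated fragments; only a matching pair reveals the input.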
In some embodiments, the service data includes first verification information, and the privacy encryption that the privacy encryption module 13 performs on the service data to be verified includes performing privacy encryption on the first verification information in the service data to form a plurality of ciphertext fragments of the first verification information, where the ciphertext fragments of the first verification information may be stored dispersed across a plurality of storage nodes (e.g., computing nodes). The following description takes privacy encryption of the first verification information in the service data by the privacy encryption module 13 as an example.
It should be noted that, in the foregoing various service scenarios, the terminal collects the first verification information by using the set or associated collection device, and the terminal sends the service request including the first verification information to the verification platform, and the verification platform uses the privacy encryption module 13 to perform privacy encryption on the decrypted first verification information.
The manner of privacy encrypting the first verification information in the service data by using the privacy encryption module 13 may include: the first verification information X is privacy-encrypted to form ciphertext fragments X1, X2, Xa, Xb of the first verification information.
Taking computing nodes as the storage nodes, the ciphertext fragments X1, X2, Xa and Xb formed after the privacy encryption module 13 performs privacy encryption on the first verification information X can be stored dispersed across the four computing nodes S1, S2, Sa and Sb. Specifically, ciphertext fragment X1 of the first verification information is stored in the computing node S1, ciphertext fragment X2 in the computing node S2, ciphertext fragment Xa in the computing node Sa, and ciphertext fragment Xb in the computing node Sb, so that the security of the first verification information can be ensured.
In some embodiments, the service data includes first verification information and second verification information, and the privacy encryption that the privacy encryption module 13 performs on the service data to be verified includes performing privacy encryption on at least one of the first verification information and the second verification information in the service data.
The manner of privacy encrypting the first verification information in the service data by using the privacy encryption module 13 may include: the first verification information X is privacy-encrypted to form ciphertext fragments X1, X2, Xa, Xb of the first verification information. Taking computing nodes as the storage nodes, the ciphertext fragments X1, X2, Xa, Xb of the first verification information may be stored dispersed across the four computing nodes S1, S2, Sa, Sb. Specifically, ciphertext fragment X1 of the first verification information is stored in the computing node S1, ciphertext fragment X2 in the computing node S2, ciphertext fragment Xa in the computing node Sa, and ciphertext fragment Xb in the computing node Sb.
The manner of privacy encrypting the second verification information in the service data by using the privacy encryption module 13 may include: the second verification information Y is privacy-encrypted to form ciphertext fragments Y1, Y2, Ya and Yb of the second verification information. Taking computing nodes as the storage nodes, the ciphertext fragments Y1, Y2, Ya and Yb of the second verification information may be stored dispersed across the four computing nodes S1, S2, Sa and Sb. Specifically, ciphertext fragment Y1 of the second verification information is stored in the computing node S1, ciphertext fragment Y2 in the computing node S2, ciphertext fragment Ya in the computing node Sa, and ciphertext fragment Yb in the computing node Sb.
Still taking the card-less payment service as an example, the first authentication information in the service data is, for example, password information, and the second authentication information is, for example, biological information.
The privacy encryption module 13 is described below, taking privacy encryption of the password information in the service data as an example.
It should be noted that, in the foregoing card-less payment service, the POS machine at the merchant end collects the password information by using a set or associated collection device (such as a pure numeric keyboard, a computer keyboard, a touch screen, etc.), and the POS machine at the merchant end encrypts the collected password information to form encrypted password information before uploading the service request, so the service data verification platform may further include an encryption machine for decrypting the encrypted password information to recover the password information. Subsequently, the decrypted password information is subjected to privacy encryption by the privacy encryption module 13.
Still taking four computing nodes as an example, the privacy encryption module 13 may privacy-encrypt the password information in the service data as follows: the password information X is privacy-encrypted to form password information ciphertext fragments X1, X2, Xa, Xb.
In this way, the password information ciphertext fragments X1, X2, Xa, Xb formed by the privacy encryption module 13 from the password information X are stored in a dispersed manner in four storage nodes (for example, the computing nodes S1, S2, Sa, Sb), so that the security of the password information can be ensured.
Similarly, the privacy encryption module 13 is described below, taking privacy encryption of the biometric information in the service data as an example.
In the current information age, how to accurately identify a person and protect information security has become a key social problem that must be solved. Traditional identity credentials (such as identity cards, driver's licenses, social security cards, bank cards and the like) are extremely easy to lose and forge, and therefore find it increasingly difficult to meet society's needs.
The most convenient and secure solution is undoubtedly biometric recognition technology. Biometric recognition technology uses a computer in close combination with high-tech means such as optics, acoustics, biosensors and biostatistics principles to identify a person by the biological characteristics of the human body. Human biological characteristics cannot be lost or forgotten, are unique and invariant, resist counterfeiting well and are convenient to use, so biometric recognition technology is increasingly accepted and widely applied by society. Commonly, biometric information applicable to biometric recognition technology may include, but is not limited to: face information, fingerprint information, palm print information, iris information, heart rate information and the like, and the corresponding biometric recognition technologies are face recognition, fingerprint recognition, palm print recognition, iris recognition, heart rate recognition and the like.
Generally, the biological information can be classified into natural biological raw data and biological characteristic data obtained by extracting characteristics of the biological raw data.
In some examples, taking the biological information as face information as an example, the face information may include a face image as biological raw data and a face feature as biological feature data, where the face feature is obtained by extracting features from the face image.
In some examples, taking the biological information as fingerprint information as an example, the fingerprint information may include a fingerprint image as the biological raw data and a fingerprint feature as the biological feature data, where the fingerprint feature is obtained by feature extraction of the fingerprint image.
In some examples, the biological information is palm print information, which may include a palm print image as biological raw data and palm print features as biological feature data, where the palm print features are obtained by feature extraction of the palm print image.
In some examples, taking the biological information as iris information as an example, the iris information may include an iris image as biological raw data and an iris feature as biological feature data, wherein the iris feature is obtained by feature extraction of the iris image.
Among these biometric technologies, face recognition has the following features compared with the other types. Non-mandatory: the face image can be acquired almost without the user being aware of it, and the user does not need to cooperate specially with the face acquisition equipment. Non-contact: the face image can be acquired without the user directly touching the equipment. Simple and convenient: the face acquisition equipment is simple and easy to popularize, and the face acquisition mode is simple and easy to implement.
In practical application, the merchant end collects the biometric information of the service requester using a built-in or associated biometric information collection device, and the POS machine at the merchant end includes the biometric information in the service request it forms and sends it to the service data verification platform through the acquiring system. Here, the biometric information refers to biometric raw data such as a face image, a fingerprint image, a palm print image, an iris image, and the like.
In some examples, the POS machine at the merchant end or the acquiring system can also encrypt the collected biometric raw data to a certain degree.
However, in order to reduce the complexity of the client device, reduce cost, promote adoption, and the like, the merchant end or the acquiring system generally does not perform feature extraction on the acquired biometric raw data. Thus, the service data verification platform may further comprise a biometric extraction module (not shown in the drawings) for performing feature extraction on the biometric raw data in the service request to obtain a biometric feature.
In some examples, taking face recognition as an example, the biometric extraction module may perform feature extraction on a face image that is raw biometric data to obtain a face feature.
In some examples, taking fingerprint recognition as an example, the biometric extraction module may perform feature extraction on a fingerprint image that is raw biometric data to obtain a fingerprint feature.
In some examples, taking palm print recognition as an example, the biometric extraction module may perform feature extraction on palm print images as the biometric raw data to obtain palm print features.
In some examples, taking iris recognition as an example, the biometric extraction module may perform feature extraction on an iris image as the biometric raw data to obtain iris features.
Still taking face-scan payment using face recognition technology as an example, the merchant end generally only needs a built-in or associated camera as the face collection device. In some examples, the camera may be a 2D camera, which captures an image containing the photographed object, but it is not limited to this. In other examples, the camera may be a 3D camera, which, compared with an ordinary 2D camera, can also obtain depth information of the photographed object, that is, three-dimensional position and size information, thereby enhancing the camera's face and object recognition capability.
The merchant terminal collects the face image of the service requester by using the set or associated camera, and the POS machine of the merchant terminal sends the face image to the verification platform of the service data through the acquiring system in the formed service request. Therefore, the verification platform of the service data may further include a face feature extraction module, configured to perform feature extraction on the face image in the service request to obtain a face feature.
In some embodiments, the process by which the service data verification platform extracts features from the face image in the service request to obtain the face feature may specifically include: extracting the face feature vector of the face image in the service request using a pre-constructed and trained deep learning model. The deep learning model may be, for example, a deep learning model based on a multi-layer neural network. A deep learning model based on a multi-layer neural network generally includes a plurality of base layers, and each base layer can serve as an independent feature extraction layer that extracts local features of the face image. In implementation, the multi-layer neural network may take a convolutional form, i.e., a convolutional neural network.
Taking the training of a convolutional neural network model as an example: a certain number of face image samples are prepared and classified by a user; the face image samples are input as training samples into the convolutional neural network model for training, and the weight parameters of the connections between the nodes on each base layer of the model are continuously adjusted according to the classification results the model outputs. During this continuous adjustment, as the model is trained on the input training samples, the accuracy of its output classification results relative to the classification results calibrated by the user gradually improves. The user can also preset an accuracy threshold: if, during the continuous adjustment, the accuracy of the classification results output by the model relative to the user-calibrated classification results reaches the preset accuracy threshold, the weight parameters of the connections between the base-layer nodes are regarded as optimal, and the convolutional neural network model can be considered trained.
After training, the convolutional neural network model can be directly used for extracting face feature vectors of face images to be identified in service requests.
Still taking four computing nodes as an example, the privacy encryption module 13 may privacy-encrypt the biometric information in the service data as follows: the biometric information Y is privacy-encrypted to form biometric information ciphertext fragments Y1, Y2, Ya, Yb. Here, the biometric information actually refers to the biometric feature data obtained by feature extraction of the biometric raw data.
Taking privacy encryption of the face information in the service data by the privacy encryption module 13 as an example, the face features of the face appearing in the face image are first obtained through face feature extraction. Privacy encryption of the face information in the service data by the privacy encryption module 13 therefore includes privacy encryption of the extracted face features. Specifically, this may include: privacy-encrypting the face feature Y to form ciphertext fragments Y1, Y2, Ya, Yb of the face feature.
In some embodiments, taking a convolutional neural network model as the means of extracting face features from a face image, the convolutional neural network model may be used to extract face feature vectors from the face image in the service request. Thus, privacy encryption by the privacy encryption module 13 of the face feature vector extracted by the convolutional neural network model may include: privacy-encrypting the face feature vector Y to form ciphertext fragments Y1, Y2, Ya, Yb of the face feature vector.
In this way, the biometric information ciphertext fragments Y1, Y2, Ya, Yb obtained by the privacy encryption module 13 from the biometric information Y are stored in a dispersed manner in the four computing nodes S1, S2, Sa, Sb, so that the security of the biometric information can be ensured.
The verification module 17 is configured to verify whether a service account corresponding to the encrypted service data exists among the stored registration information.
The registration information comprises a service account and associated service registration data, wherein the service registration data corresponds to the service data.
In some embodiments, the service data in the service request includes first authentication information, and in response thereto, the registration information includes a service account and associated service registration data, the service registration data also including the first authentication information. The first verification information in the service registration data is privacy-encrypted to form a plurality of ciphertext fragments of the first verification information, and the ciphertext fragments of the first verification information are stored in a plurality of storage nodes (e.g., computing nodes) of the storage module 15 in a scattered manner.
In some embodiments, the service data in the service request includes first and second authentication information, and the registration information includes a service account and associated service registration data, which also includes the first and second authentication information, respectively. The first verification information and/or the second verification information in the service registration data are subjected to privacy encryption to form a plurality of ciphertext fragments of the first verification information and/or a plurality of ciphertext fragments of the second verification information. In some examples, the first authentication information in the service registration data is privacy encrypted to form a plurality of ciphertext fragments of the first authentication information. In some examples, the second authentication information in the service registration data is privacy encrypted to form a plurality of ciphertext fragments of the second authentication information. In some examples, the first authentication information and the second authentication information in the service registration data are privacy encrypted to form a plurality of ciphertext fragments of the first authentication information and a plurality of ciphertext fragments of the second authentication information, respectively. These ciphertext fragments of the first authentication information and/or ciphertext fragments of the second authentication information are stored in a plurality of storage nodes (e.g., computing nodes) of the storage module 15 in a decentralized manner.
Taking the card-less payment service as an example, the problem of matching a service request with a service account of a corresponding service requester needs to be solved, and at least the following aspects are involved: how to achieve matching of the service requester information in the service request with the service account of the corresponding service requester; how to increase the matching speed.
In a cardless payment service, the service data in the service request includes first authentication information, which may be, for example, password information, and second authentication information, which may be, for example, biometric information. The verification module 17 can realize the matching of the service request and the service account of the corresponding service requester through the password information and the biological information, and complete payment verification.
When the technology is mature, a service request could in principle be matched to the service account of the corresponding service requester using biometric information alone. However, given the huge number of users with established service accounts and the nature of biometric features, matching the corresponding service requester out of the massive user data in the user database using biometric information alone involves a huge amount of computation and is very time-consuming, and cannot meet the scenario requirements of card-less payment. Therefore, in this embodiment, the service data in the service request includes both password information and biometric information: the massive user data is first searched and filtered using the password information to screen out the subset of user data having the same password information, whose data volume is far smaller than that of the massive user data, and the matching operation is then performed within the screened subset using the biometric information. In this process, because the password information is relatively simple, the user data can be searched and filtered quickly and accurately using the password information; and because the data volume of the screened subset is far smaller than that of the full user data, matching within the subset using the biometric information is also fast. It can be seen that service data including both password information and biometric information achieves faster verification than service data including only biometric information, and can relatively improve the reliability of the data.
Also, with the verification module 17, it is possible to verify whether or not there is a service account corresponding to the encrypted service data in each of the stored registration information. Therefore, in this embodiment, the verification platform of the service data of the present application further stores registration information including user data, and the transceiver module 11 is further configured to receive the registration information.
As previously described, in a card-less payment service, the service data in the service request includes first authentication information (e.g., password information) and second authentication information (e.g., biometric information). Correspondingly, the registration information includes the service account and its associated service registration data, which also includes the first authentication information (e.g., password information) and the second authentication information (e.g., biometric information). The first authentication information (e.g., password information) and the second authentication information (e.g., biometric information) in the service registration data are privacy-encrypted to form a plurality of ciphertext fragments of the first authentication information (e.g., password information ciphertext fragments) and/or a plurality of ciphertext fragments of the second authentication information (e.g., biometric information ciphertext fragments), and these ciphertext fragments are stored in a dispersed manner in a plurality of storage nodes (e.g., computing nodes) of the storage module 15.
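The following added example (not code from the patent) simulates the flow described above: registration data and request data are each split into four fragments held by S1, S2, Sa, Sb, candidates are filtered by password, and the biometric match runs only within that subset. The text here does not name the scheme behind "privacy encryption"; additive secret sharing over a prime field, a trusted dealer for multiplication triples, integer-quantized feature vectors, the squared-distance threshold and all function names are assumptions.

```python
import secrets

P = 2**61 - 1                      # prime field modulus (assumption)
NODES = ("S1", "S2", "Sa", "Sb")   # the four computing nodes named in the text


def share(value):
    """Split an integer into four additive fragments, one per node."""
    parts = [secrets.randbelow(P) for _ in NODES[:-1]]
    parts.append((value - sum(parts)) % P)
    return dict(zip(NODES, parts))


def reveal(frags):
    """Recombine fragments; this needs the fragments of all four nodes."""
    return sum(frags.values()) % P


def add(a, b):
    return {n: (a[n] + b[n]) % P for n in NODES}


def sub(a, b):
    return {n: (a[n] - b[n]) % P for n in NODES}


def mul(a, b):
    """Multiply two shared values using a Beaver triple (x, y, x*y)
    handed out by a trusted dealer (assumption of this sketch)."""
    x, y = secrets.randbelow(P), secrets.randbelow(P)
    sx, sy, sxy = share(x), share(y), share(x * y % P)
    d = reveal(sub(a, sx))         # a - x is masked by x, so it may be opened
    e = reveal(sub(b, sy))         # b - y is masked by y, so it may be opened
    out = {n: (sxy[n] + d * sy[n] + e * sx[n]) % P for n in NODES}
    out["S1"] = (out["S1"] + d * e) % P   # public term is added by one node only
    return out


def new_store():
    """One fragment table per node: account -> (password frag, feature frags)."""
    return {n: {} for n in NODES}


def register(store, account, password, features):
    """Registration: no node ever receives the password or the features."""
    pw = share(int(password))      # fixed-length numeric password assumed
    ft = [share(f) for f in features]
    for n in NODES:
        store[n][account] = (pw[n], [f[n] for f in ft])


def verify(store, password, features, threshold):
    """Return (matched account or None, number of password candidates)."""
    req_pw = share(int(password))
    req_ft = [share(f) for f in features]
    # Stage 1: password filter. Opening r * (X_reg - X_req) with a random
    # non-zero shared r reveals only whether the two passwords are equal.
    candidates = []
    for account in store["S1"]:
        reg_pw = {n: store[n][account][0] for n in NODES}
        r = share(1 + secrets.randbelow(P - 1))
        if reveal(mul(sub(reg_pw, req_pw), r)) == 0:
            candidates.append(account)
    # Stage 2: squared Euclidean distance on fragments, candidates only.
    best = None
    for account in candidates:
        dist = share(0)
        for i, req in enumerate(req_ft):
            reg = {n: store[n][account][1][i] for n in NODES}
            diff = sub(reg, req)
            dist = add(dist, mul(diff, diff))
        d = reveal(dist)
        if d <= threshold and (best is None or d < best[1]):
            best = (account, d)
    return (best[0] if best else None), len(candidates)


if __name__ == "__main__":
    # Constructed sample data: passwords and 4-dimensional quantized features.
    s = new_store()
    register(s, "alice", "135790", [10, 20, 30, 40])
    register(s, "bob", "135790", [90, 5, 60, 12])
    register(s, "carol", "246802", [11, 19, 31, 41])
    print(verify(s, "135790", [11, 21, 29, 40], threshold=10))
```

The second element of the result shows how many accounts reached the biometric stage, which is the reduction in matching work that the password filter is meant to provide.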
The application further discloses a registration system of the service registration data, which is used for executing the registration of the service registration data.
Referring to FIG. 3, a schematic diagram of the registration system for service registration data of the present application in an embodiment is shown.
The registration system of the service registration data shown in fig. 3 is used for performing a registration operation of the service registration data for subsequent service verification by the verification platform according to the registration operation.
The service registration data is associated with a service account, so in general the service registration data is obtained by the service execution institution to which the service account belongs.
For example, in an access control service, the service execution institution may be a monitoring center.
For example, in an attendance service, the service execution institution may be an attendance management center.
For example, in a ticketing service, the service execution institution may be a ticketing verification center.
For example, in a financial payment service, the service execution institution may be a financial institution. The financial institution is, for example, a bank, but is not limited to this, and may also be, for example, a securities company, an insurance company, a fund management company, or the like. Generally, taking banks as an example, the same bank is configured with the same registration system for service registration data, and different banks are configured with the same or different registration systems for service registration data. In some examples, a bank performs the registration operation of the service registration data through its configured registration system and directly uploads the service registration data and its associated service account to the service data verification platform. In some examples, a bank performs the registration operation of the service registration data through its configured registration system and uploads the service registration data and its associated service account to the data center of its headquarters, and the data center of the headquarters then uploads the registration information to the service data verification platform.
The registration system of the service registration data can be an electronic device comprising a storage device, a processing device, an interface device and the like, wherein the electronic device is a single computer device, a computer cluster or a service system based on a cloud architecture. The single computer device may be an autonomously configured computer device capable of executing the methods of the present application, and may be located in a private machine room or in a rented rack position in a public machine room. The computer cluster is a group of mutually independent computer devices interconnected through a high-speed network, which form a group and are managed as a single system. The cloud architecture service system comprises a public cloud service end and a private cloud service end, wherein the public or private cloud service end comprises Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS) and the like. The private cloud service end is, for example, the Alibaba Cloud computing service platform, the Amazon cloud computing service platform, the Baidu cloud computing platform, the Tencent cloud computing platform, and the like.
According to the hardware device for actually running the above methods, each device constituting the electronic device may be located on a single server, or located in a plurality of servers and completed cooperatively by data communication between the servers.
For this purpose, the interface device is in data connection with the processing device, either via a bus or through data transfer over a communication network. To this end, the interface device includes, but is not limited to, a network card, a mobile network access module, a bus interface connected to the processing device via a bus, etc. For example, the interface device of the corresponding second computer system is communicatively connected to the interface device of the first computer system, the interface device of the user equipment, and the like. The interface devices communicate data through the Internet, a mobile network and a local area network.
The storage device is used for storing at least one program capable of executing any one or more of the methods. The storage device corresponding to the same electronic device may be located on the same physical server as the processing device, or in a different physical server, in which case the program is transferred to the processing device that runs it via the interface devices of the respective servers. The storage device may include high-speed random access memory, and may also include non-volatile memory, such as one or more disk storage devices, flash memory devices, or other non-volatile solid-state storage devices. In some embodiments, the storage device may also include memory remote from the one or more processors, such as network-attached memory accessed via RF circuitry or external ports and a communication network (not shown), which may be the Internet, one or more intranets, a local area network (LAN), a wide area network (WAN), a storage area network (SAN), etc., or suitable combinations thereof. The storage device also includes a memory controller that can control access to the memory by other components of the device, such as the CPU and peripheral interfaces. The software components stored in the storage device include an operating system, a communication module (or instruction set), a text input module (or instruction set), and an application (or instruction set).
The processing device is operatively coupled with the storage device. More specifically, the processing apparatus may execute programs stored in the memory and/or the nonvolatile storage device to perform operations in the task platform. As such, the processing device may include one or more general purpose microprocessors, one or more application specific processors (ASICs), one or more field programmable logic arrays (FPGAs), or any combinations thereof. Wherein, the plurality of CPUs contained in the processing device can be positioned in the same entity server or distributed in a plurality of entity servers, and realize data communication by means of the interface device so as to cooperatively execute the steps of each method.
As shown in FIG. 3, the registration system for service registration data of the present application may include a privacy encryption module 21 and a storage module 23, wherein the privacy encryption module 21 can be configured on the service execution institution side, and the storage module 23 can be configured on the verification platform side.
The privacy encryption module 21 is configured to perform privacy encryption on service registration data associated with a service account in the registration information to form encrypted service registration data.
In some embodiments, if the service registration data includes the first verification information, the privacy encryption performed by the privacy encryption module 21 on the service registration data associated with the service account in the registration information includes privacy-encrypting the first verification information in the service registration data to form a plurality of ciphertext fragments of the first verification information.
For example, in service scenarios such as access control, attendance, public transportation and ticketing, the first verification information may be, for example, password information, the user's mobile phone number, two-dimensional code information, an electronic card, etc. In some examples, the password information may be a numeric password of 6 digits, 8 digits or more, but is not limited to this: if the terminal device can provide the corresponding technical support, the password information may be more complex, for example 8 to 16 characters including at least three of the four types digits, uppercase letters, lowercase letters and special characters, which gives higher security. In some examples, the password information may be associated with the user's identity information, or with the user's mobile phone number, etc.; for example, the password information may be part or all of the identity card number or of the mobile phone number, or some combination of the identity card number, the mobile phone number and other information.
Of course, the first verification information is not limited to these; for example, the first verification information may also be biometric information. Biometric information is inherent to the human body and has the unique property that it cannot be copied, stolen or forgotten. Identity authentication using biometric recognition technology has the advantages of security, reliability, accuracy, convenience and the like. Biometric information, including face information, fingerprint information, palm print information, iris information, heart rate information and the like, consists of human biological characteristics, and with the rapid development of technologies such as optoelectronics, microcomputers, image processing and pattern recognition, biometric information is also being applied in implementing services.
For example, in an access service scenario, the privacy encryption module 21 may privacy encrypt first authentication information (e.g., password information, electronic card information, fingerprint information, etc.) in the service registration data.
For example, in an attendance business scenario, the privacy encryption module 21 may privacy encrypt first authentication information (e.g., password information, electronic card information, fingerprint information, etc.) in the business registration data.
For example, in a ticketing services scenario, the privacy encryption module 21 may privacy encrypt first authentication information (e.g., password information, bar code information, two-dimensional code information, fingerprint information, etc.) in the service registration data.
In some embodiments, the service registration data includes first authentication information and second authentication information, and the privacy encryption performed by the privacy encryption module 21 on the service registration data includes privacy-encrypting at least one of the first authentication information and the second authentication information in the service registration data. In some examples, the privacy encryption module 21 is configured to perform privacy encryption on the first authentication information in the service registration data to form a plurality of ciphertext fragments of the first authentication information. In some examples, the privacy encryption module 21 is configured to perform privacy encryption on the second authentication information in the service registration data to form a plurality of ciphertext fragments of the second authentication information. In some examples, the privacy encryption module 21 is configured to perform privacy encryption on both the first authentication information and the second authentication information in the service registration data to form a plurality of ciphertext fragments of the first authentication information and a plurality of ciphertext fragments of the second authentication information. In this way, privacy encryption of at least one of the first authentication information and the second authentication information by the privacy encryption module 21 protects the sensitive information comprising the first authentication information and the second authentication information, and can also protect the association between items of sensitive information (for example, between the first authentication information and the second authentication information), so that the security and reliability of the service registration data are ensured.
For example, in a bank card payment service, the service registration data includes bank card information and a payment password. Accordingly, the privacy encryption module 21 performs privacy encryption on at least one of the bank card information and the payment password. In some examples, the privacy encryption module 21 is configured to privacy encrypt the bank card information in the business registration data. In some examples, the privacy encryption module 21 is configured to privacy encrypt the payment password in the business registration data. In some examples, the privacy encryption module 21 is configured to privacy encrypt both the bank card information and the payment password in the business registration data.
For example, in a card-less payment service, the service registration data includes password information and biometric information. Accordingly, the privacy encryption module 21 performs privacy encryption on at least one of the password information and the biometric information. In some examples, the privacy encryption module 21 is configured to privacy encrypt the password information in the service registration data. In some examples, the privacy encryption module 21 is configured to privacy encrypt the biometric information in the service registration data. In some examples, the privacy encryption module 21 is configured to privacy encrypt both the password information and the biometric information in the service registration data.
Taking face payment as a more detailed example, the business registration data includes a payment password and face information. The privacy encryption module 21 performs privacy encryption on at least one of the payment password and the face information. In some examples, the privacy encryption module 21 is configured to privacy encrypt the payment password in the business registration data. In some examples, the privacy encryption module 21 is configured to privacy encrypt the face information in the service registration data. In some examples, the privacy encryption module 21 is configured to privacy encrypt both the payment password and the face information in the business registration data.
The privacy encryption module 21 in the registration system of the service registration data of the present application may be similar to the privacy encryption module 13 in the verification platform of the aforementioned service data. Therefore, for the working principle and structure of the privacy encryption module 21 in the registration system of the service registration data of the present application, refer to fig. 2 and the corresponding description.
Still taking the card-less payment service as an example, the case where the privacy encryption module 21 performs privacy encryption on the password information in the service registration data is as follows.
In some examples, when a user applies for a business account at a financial institution, the financial institution may collect both the password information and the biometric information associated with the applied business account. In some examples, at least one of the password information and the biometric information may also be collected at some time after the business account is created.
As described above, the financial institution terminal collects the password information (e.g., a payment password) using a password information collection device provided at or associated with the terminal (e.g., a numeric keypad, a computer keyboard, a touch screen, etc.), and the financial institution terminal performs privacy encryption on the collected password information using the privacy encryption module 21 before uploading it.
The password information is privacy-encrypted by the privacy encryption module 21 to form a plurality of password information ciphertext fragments.
The storage module 23 is used for storing registration information including encrypted service registration data to complete registration.
The storage module 23 includes a plurality of storage nodes for storing the encrypted service registration data in a distributed manner.
Taking four computing nodes as an example, the manner of privacy encrypting the collected password information by using the privacy encryption module 21 may include: privacy encrypting the password information X to form password information ciphertext fragments X1, X2, Xa, Xb.
In some embodiments, the plurality of password information ciphertext fragments formed by privacy encryption may be stored by the respective computing nodes. For example, the password information ciphertext fragment X1 is stored by the computing node S1, the password information ciphertext fragment X2 is stored by the computing node S2, the password information ciphertext fragment Xa is stored by the computing node Sa, and the password information ciphertext fragment Xb is stored by the computing node Sb. Therefore, these computing nodes S1, S2, Sa, Sb may act as storage nodes.
In some embodiments, the plurality of password information ciphertext fragments formed by privacy encryption may also be stored by other memories. For example, the password information ciphertext fragment X1 is stored in the memory C1 (not shown), the password information ciphertext fragment X2 is stored in the memory C2 (not shown), the password information ciphertext fragment Xa is stored in the memory Ca (not shown), and the password information ciphertext fragment Xb is stored in the memory Cb (not shown). These memories C1, C2, Ca, Cb (not shown) may serve as storage nodes.
These storage nodes may be configured in a single computer device, a computer cluster, a cloud-architecture-based service system, or the like.
In addition, the registration system of the service registration data of the present application may further include a re-encryption module (not shown in the drawings) for re-encrypting the encrypted service registration data in the registration information, so as to secure its subsequent transmission to the verification platform of the service data through the transceiver module.
In some embodiments, the service registration data includes first authentication information, and re-encrypting the encrypted service registration data in the registration information using the re-encryption module includes re-encrypting the ciphertext fragments of the first authentication information formed by privacy encryption in the registration information.
In some embodiments, the service registration data includes first authentication information and second authentication information, and re-encrypting the encrypted service registration data in the registration information using the re-encryption module includes re-encrypting the ciphertext fragments of the first authentication information and/or the ciphertext fragments of the second authentication information formed by privacy encryption in the registration information. That is, in some examples, the ciphertext fragments of the first authentication information formed by privacy encryption in the registration information are re-encrypted using the re-encryption module. In some examples, the ciphertext fragments of the second authentication information formed by privacy encryption in the registration information are re-encrypted using the re-encryption module. In some examples, both the ciphertext fragments of the first authentication information and the ciphertext fragments of the second authentication information formed by privacy encryption in the registration information are re-encrypted using the re-encryption module.
Taking a card-less payment service as an example, the service registration data includes password information, and the password information is privacy encrypted to form a plurality of password information ciphertext fragments. Therefore, re-encrypting the encrypted service registration data in the registration information using the re-encryption module includes re-encrypting the password information ciphertext fragments in the registration information.
Commonly, biometric information applicable to biometric recognition technology may include, but is not limited to: face information, fingerprint information, palm print information, iris information, heart rate information and the like, and the corresponding biometric recognition technologies are face recognition, fingerprint recognition, palm print recognition, iris recognition, heart rate recognition and the like.
Generally, biological information can be divided into biological raw data in the natural sense and biological feature data obtained by extracting features from the biological raw data.
In some examples, taking the biological information as face information as an example, the face information may include a face image as biological raw data and a face feature as biological feature data, where the face feature is obtained by extracting features from the face image.
In some examples, taking the biometric information being fingerprint information as an example, the fingerprint information may include a fingerprint image as the biological raw data and a fingerprint feature as the biological feature data, where the fingerprint feature is obtained by feature extraction of the fingerprint image.
In some examples, the biological information is palm print information, which may include a palm print image as biological raw data and palm print features as biological feature data, where the palm print features are obtained by feature extraction of the palm print image.
In some examples, taking the biological information being iris information as an example, the iris information may include an iris image as biological raw data and an iris feature as biological feature data, wherein the iris feature is obtained by feature extraction of the iris image.
Among these biometric technologies, face recognition has the following features compared with other types of biometric technology. Non-mandatory: the face image can be obtained almost without the user being aware of it, and the user does not need to specially cooperate with the face acquisition equipment. Non-contact: the face image can be acquired without the user directly touching the equipment. Simple and convenient: the face acquisition equipment is simple and easy to popularize, and the face acquisition mode is simple and easy to implement.
In practical application, the financial institution terminal collects the biological information of the business account applicant using a biological information collection device provided at or associated with the terminal.
Taking face-scan payment using face recognition technology as an example, a camera is generally provided at or associated with the financial institution as the face collection device. In some examples, the camera may be, but is not limited to, a 2D camera that obtains an image containing the photographed object. In some examples, the camera may be a 3D camera which, compared with an ordinary 2D camera, can also obtain depth information of the photographed object, that is, three-dimensional position and size information, thereby enhancing the camera's face and object recognition function.
As described above, the biometric information may include biological raw data in the natural sense and biological feature data obtained by extracting features from the biological raw data. Thus, there may be different ways to process the biological information.
In some embodiments, the registration system of the service registration data does not perform privacy encryption on the collected biological information, but directly sends the biological original data of the collected biological information to the verification platform of the service data through the transceiver module.
In this case, the registration system of the service registration data of the present application re-encrypts the biological raw data (e.g., face image, fingerprint image, palm print image, iris image, etc.) of the collected biological information through the re-encryption module, so as to secure its transmission to the verification platform of the service data through the transceiver module.
Subsequently, the verification platform of the service data receives the encrypted biological original data, decrypts the encrypted biological original data, performs feature extraction on the biological original data to obtain biological feature data, and performs privacy encryption on the extracted biological feature data.
This way of processing the biological information has extremely high security. Because the registration system of the service registration data does not perform privacy encryption of the biological information, it is simplified, and the operation and maintenance management of the system is transferred to and concentrated on the verification platform of the service data, which makes unified management convenient; however, the technical implementation is still difficult.
In some embodiments, the registration system of the business registration data privacy encrypts the collected biometric information.
The privacy encryption module 21 will now be described by taking privacy encryption of the biometric information in the service registration data as an example. In practice, privacy encryption of the biometric information in the service registration data by the privacy encryption module 21 means that the biological feature data in the biometric information is privacy encrypted.
The registration system of the service registration data may further include a biometric extraction module (not shown in the drawings) for performing feature extraction on the biological raw data collected by the biometric information collection device to obtain a biometric feature.
In some examples, taking face recognition as an example, the biometric extraction module may perform feature extraction on a face image that is raw biometric data to obtain a face feature.
In some examples, taking fingerprint recognition as an example, the biometric extraction module may perform feature extraction on a fingerprint image that is raw biometric data to obtain a fingerprint feature.
In some examples, taking palm print recognition as an example, the biometric extraction module may perform feature extraction on palm print images as the biometric raw data to obtain palm print features.
In some examples, taking iris recognition as an example, the biometric extraction module may perform feature extraction on an iris image as the biometric raw data to obtain iris features.
Taking face recognition as an example, in some embodiments, the process by which the registration system of service registration data extracts features from a face image in a service request to obtain face features may specifically include: extracting the face feature vector of the face image in the service request using a pre-constructed and trained deep learning model. The deep learning model may be, for example, a deep learning model based on a multi-layer neural network. A deep learning model based on a multi-layer neural network generally comprises a plurality of base layers, and each base layer can serve as an independent feature extraction layer that extracts local features of the face image. In implementation, the multi-layer neural network may be convolutional, i.e., a convolutional neural network.
Taking the training of a convolutional neural network model as an example: a certain number of face image samples are prepared and classified by a user; the face image samples are input into the convolutional neural network model as training samples, and the weight parameters of the connections between the nodes on each base layer of the model are continuously adjusted according to the classification results output by the model. During this continuous adjustment, as the model is trained on the input training samples, the accuracy of its output classification results, measured against the classification results calibrated by the user, gradually improves. The user can also preset an accuracy threshold. During the continuous adjustment, once the accuracy of the classification results output by the deep learning model, compared with the classification results calibrated by the user, reaches the preset accuracy threshold, the weight parameters of the connections between all base-layer nodes in the convolutional neural network model are regarded as optimal, and the model can be considered trained.
After training, the convolutional neural network model can be directly used for extracting face feature vectors of face images to be identified in service requests.
Taking four computing nodes as an example, the manner in which the privacy encryption module 21 privacy encrypts the biological information in the service registration data may include: privacy encrypting the biological information Y to form biological information ciphertext fragments Y1, Y2, Ya and Yb. Here, the biological information actually refers to the biological feature data obtained by feature extraction of the biological raw data.
Taking privacy encryption of the face information in the service registration data by the privacy encryption module 21 as an example, the face features of the face appearing in the face image are obtained through face feature extraction. Privacy encryption of the face information in the service registration data by the privacy encryption module 21 therefore includes privacy encrypting the extracted face features. Specifically, the privacy encryption of the extracted face features by the privacy encryption module 21 may include: privacy encrypting the face feature Y to form ciphertext fragments Y1, Y2, Ya and Yb of the face feature.
In some embodiments, taking a convolutional neural network model as the means of extracting face features from a face image, the convolutional neural network model may be used to extract face feature vectors from the face image in the service request. Thus, privacy encryption by the privacy encryption module 21 of the face feature vector extracted by the convolutional neural network model may include: privacy encrypting the face feature vector Y to form ciphertext fragments Y1, Y2, Ya and Yb of the face feature vector.
In this way, the privacy encryption module 21 privacy encrypts the biological information Y to form a plurality of biological information ciphertext fragments. These biological information ciphertext fragments are sent to the verification platform of the service data through the transceiver module and then stored in the respective storage nodes. Taking the case where the computing nodes serve as the storage nodes as an example, after uploading, the biological information ciphertext fragments Y1 and Y2 can be stored in the computing nodes S1 and S2 of the verification platform of the service data, and the biological information ciphertext fragments Ya and Yb can be stored in the computing nodes Sa and Sb of the verification platform of the service data, so that the security of the biological information can be ensured.
This way of processing the biological information is highly secure, meets the requirement of privacy protection, can remove financial institutions' concerns about data security and privacy protection, and meets application requirements in efficiency and accuracy.
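The fragment layout described above for the password information X (fragments X1, X2, Xa, Xb) and the biological feature data Y (fragments Y1, Y2, Ya, Yb) is illustrated by the following added example, which is not code from the patent. It assumes plain four-way additive secret sharing over a 128-bit ring and a 2^16 fixed-point scale for feature components; the patent's own scheme is the one described with fig. 2 and may differ, and all function names are hypothetical.

```python
import secrets

# Assumptions of this example (not taken from the patent):
MODULUS = 1 << 128                 # ring in which fragments live
SCALE = 1 << 16                    # fixed-point scale for feature components
NODES = ("S1", "S2", "Sa", "Sb")   # node names as used in the description


def split(value: int, n: int = len(NODES)) -> list[int]:
    """Split a ring element into n additive fragments.

    n-1 fragments are drawn from a CSPRNG; the last one is chosen so that all
    fragments sum to the value mod MODULUS. Any n-1 fragments are uniformly
    random and carry no information about the value.
    """
    value %= MODULUS
    fragments = [secrets.randbelow(MODULUS) for _ in range(n - 1)]
    fragments.append((value - sum(fragments)) % MODULUS)
    return fragments


def combine(fragments: list[int]) -> int:
    """Recombine fragments; only correct when every fragment is present."""
    return sum(fragments) % MODULUS


def encode_fixed(x: float) -> int:
    """Signed real number -> ring element (two's-complement fixed point)."""
    return round(x * SCALE) % MODULUS


def decode_fixed(v: int) -> float:
    """Ring element -> signed real number."""
    if v >= MODULUS // 2:
        v -= MODULUS
    return v / SCALE


def register(password: str, features: list[float]) -> dict[str, dict]:
    """Build the per-node records for one registration.

    Each node receives exactly one fragment of X (the password) and one
    fragment of every component of Y (the extracted feature vector).
    """
    raw = password.encode()
    if len(raw) > 16:
        raise ValueError("password does not fit in the 128-bit ring")
    x_fragments = split(int.from_bytes(raw, "big"))
    y_fragments = [split(encode_fixed(c)) for c in features]
    return {
        node: {"X": x_fragments[i], "Y": [comp[i] for comp in y_fragments]}
        for i, node in enumerate(NODES)
    }


def recover(records: dict[str, dict]) -> tuple[str, list[float]]:
    """Recombine X and Y from the records of all four nodes.

    Shown only to check the round trip; a deployment built on secret sharing
    would normally compute on the fragments instead of recombining them.
    """
    x = combine([records[n]["X"] for n in NODES])
    password = x.to_bytes((x.bit_length() + 7) // 8, "big").decode()
    dims = len(records[NODES[0]]["Y"])
    features = [
        decode_fixed(combine([records[n]["Y"][i] for n in NODES]))
        for i in range(dims)
    ]
    return password, features


if __name__ == "__main__":
    # Constructed sample input: a 6-digit payment password and a 3-component
    # feature vector standing in for a CNN face embedding.
    recs = register("493817", [0.25, -1.5, 0.0078125])
    for node, rec in recs.items():
        print(node, hex(rec["X"]))
    print(recover(recs))
```

A single node's record is a set of uniformly random ring elements, so compromise of one storage node (or any three) discloses neither the password nor the feature vector; the fragments still need the transport protection the re-encryption module provides while in transit.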
Likewise, the registration system for service registration data of the present application may further include a re-encryption module (not shown in the drawings) for re-encrypting the encrypted service registration data in the registration information.
Taking a card-free payment service as an example, the service registration data includes biological information, and the biological information is subjected to privacy encryption to form a plurality of biological information ciphertext fragments. Therefore, re-encrypting the encrypted service registration data in the registration information using the re-encryption module includes re-encrypting the ciphertext fragment of the biological information in the registration information.
Referring to fig. 4, a schematic diagram of a registration system for service registration data according to the present application is shown in another embodiment.
As shown in fig. 4, the registration system for service registration data of the present application may include a privacy encryption module 22 and a storage module 24. Compared with the registration system of the service registration data shown in fig. 3, the privacy encryption module 22 and the storage module 24 in the registration system shown in fig. 4 are configured on the service executor side.
The privacy encryption module 22 is configured to perform privacy encryption on service registration data associated with a service account in the registration information to form encrypted service registration data.
For the manner in which the privacy encryption module 22 privacy encrypts the service registration data associated with the service account in the registration information to form encrypted service registration data, refer to the description of the privacy encryption module 21 in fig. 3, which is not repeated here.
The storage module 24 includes a plurality of storage nodes for storing the encrypted service registration data in a decentralized manner.
The implementation manner of the storage module 24 for privacy encrypting the service registration data associated with the service account in the registration information to form encrypted service registration data may refer to the content description of the storage module 23 in fig. 3, which is not described herein.
In the registration system of service registration data shown in fig. 4, the encrypted service registration data in the storage module 23 may be sent to the authentication platform for storage through the transceiver module.
Referring to fig. 5, a flow chart of a registration method of service registration data in the present application is shown. The registration method of the service registration data is executed by a registration system based on the service registration data.
Step S101, the business data associated with the business account in the registration information is subjected to privacy encryption to form encrypted business registration data.
In some embodiments, the service registration data includes first authentication information. Accordingly, in step S101, privacy encrypting the service registration data associated with the service account includes privacy encrypting the first authentication information in the service registration data to form a plurality of ciphertext fragments of the first authentication information.
For example, in business scenarios such as access control, attendance checking, public transportation and ticketing, the first verification information may be, for example, password information, the user's mobile phone number, two-dimensional code information, an electronic card, etc. In some examples, the password information may be, but is not limited to, a numeric password of 6, 8 or more digits; if the terminal device can provide the corresponding technical support, the password information may be more complex, for example 8 to 16 characters including at least three of the types digits, uppercase letters, lowercase letters and special characters, which gives higher security. In some examples, the password information may be associated with the user's identity information, the user's mobile phone number, etc.; for example, the password information may be part or all of the identity card number or the mobile phone number, or some combination of the identity card number, the mobile phone number and other information.
Of course, the first verification information is not limited to this; for example, the first verification information may be biological information. Biological information is inherent to the human body and has the unique property that it cannot be copied, stolen or forgotten. Identity authentication using biometric recognition technology has the advantages of safety, reliability, accuracy, convenience and the like. Biological information, including face information, fingerprint information, palm print information, iris information, heart rate information and the like, consists of biological characteristics of the human body, and with the rapid development of technologies such as optoelectronics, microcomputers, image processing and pattern recognition, biological information is also being applied to service implementation.
For example, in an access service scenario, privacy encrypting service registration data associated with a service account includes privacy encrypting first authentication information (e.g., password information, electronic card information, fingerprint information, etc.) in the service registration data.
For example, in an attendance business scenario, privacy encrypting business registration data associated with a business account includes privacy encrypting first authentication information (e.g., password information, electronic card information, fingerprint information, etc.) in the business registration data.
For example, in a ticketing services scenario, privacy encrypting the service registration data associated with the service account includes privacy encrypting first authentication information (e.g., password information, bar code information, two-dimensional code information, fingerprint information, etc.) in the service registration data.
In some embodiments, the service registration data includes first authentication information and second authentication information. Accordingly, in step S101, privacy encrypting the service registration data associated with the service account includes privacy encrypting at least one of the first authentication information and the second authentication information in the service registration data.
In some examples, privacy encrypting the business registration data associated with the business account includes privacy encrypting the first authentication information in the business registration data to form a plurality of ciphertext fragments of the first authentication information. In some examples, privacy encrypting the business registration data associated with the business account includes privacy encrypting the second authentication information in the business registration data to form a plurality of ciphertext fragments of the second authentication information. In some examples, privacy encrypting the business registration data associated with the business account includes privacy encrypting both the first authentication information and the second authentication information in the business registration data to form a plurality of ciphertext fragments of the first authentication information and a plurality of ciphertext fragments of the second authentication information. Therefore, by carrying out privacy encryption on at least one of the first verification information and the second verification information, the protection of the sensitive information comprising the first verification information and the second verification information is realized, the association relationship between the sensitive information (for example, between the first verification information and the second verification information) can be protected, and the safety and the reliability of the service registration data are ensured.
For example, in a bank card payment service, the service registration data includes bank card information and a payment password. Thus, privacy encrypting the business registration data associated with the business account includes privacy encrypting at least one of the bank card information and the payment password. In some examples, privacy encrypting the business registration data associated with the business account includes privacy encrypting bank card information in the business registration data. In some examples, privacy encrypting the business registration data associated with the business account includes privacy encrypting a payment password in the business registration data. In some examples, privacy encrypting the business registration data associated with the business account includes privacy encrypting both the bank card information and the payment password in the business registration data.
For example, in a card-less payment service, the service registration data includes password information and biometric information. Thus, privacy encrypting the business registration data associated with the business account includes privacy encrypting at least one of the password information and the biometric information. In some examples, privacy encrypting the business registration data associated with the business account includes privacy encrypting the password information in the business registration data to form a plurality of password information ciphertext fragments. In some examples, privacy encrypting the business registration data associated with the business account includes privacy encrypting the biometric information in the business registration data to form a plurality of biometric information ciphertext fragments. In some examples, privacy encrypting the business registration data associated with the business account includes privacy encrypting both the password information and the biometric information in the business registration data to form a plurality of password information ciphertext fragments and a plurality of biometric information ciphertext fragments.
Taking face payment as a more detailed example, the business registration data includes a payment password and face information. Thus, privacy encrypting the business registration data associated with the business account includes privacy encrypting at least one of the payment password and the face information. In some examples, privacy encrypting the business registration data associated with the business account includes privacy encrypting the payment password in the business registration data to form a plurality of payment password ciphertext fragments. In some examples, privacy encrypting the business registration data associated with the business account includes privacy encrypting the face information in the business registration data to form a plurality of face information ciphertext fragments. In some examples, privacy encrypting the business registration data associated with the business account includes privacy encrypting both the payment password and the face information in the business registration data to form a plurality of payment password ciphertext fragments and a plurality of face information ciphertext fragments.
Still taking the card-less payment service as an example, privacy encrypting the service registration data associated with the service account includes privacy encrypting at least one of the password information and the biometric information.
The business account is an account which is opened by a financial institution for account applicants and can realize various financial transactions. The financial institution may be, for example, a bank, a securities company, an insurance company, a funds management company, etc., and the business account opened by the bank for the account applicant may be, for example, at least one bank card number.
The password information may be associated with a business account. In some examples, the password information may be, for example, a payment password, which may be, for example, a 6-digit or 8-digit numeric password, but is not limited thereto. The payment password may also be more complex and therefore more secure, for example 8 to 16 characters including at least three of the following types: digits, uppercase letters, lowercase letters, and special characters. In some examples, the password information may also take other forms, such as gesture passwords and the like.
Biological information is inherent to the human body and has the unique property that it cannot be copied, stolen or forgotten. Identity authentication by means of biometric recognition technology has the advantages of safety, reliability, accuracy, convenience and the like. Face information, fingerprint information, palm print information, iris information, heart rate information and the like all belong to the biological characteristics of the human body.
In some examples, when a user applies for a business account at a financial institution, the financial institution may collect both cryptographic information and biometric information associated with the applied business account. In some examples, at least one of the cryptographic information and the biometric information may also be collected at some time after the business account is created.
The financial institution terminal collects the password information (such as a payment password) by using a password information collection device that it is provided with or associated with (such as a numeric keypad, a computer keyboard, a touch screen and the like).
The manner of privacy encryption of the collected password information may include: carrying out privacy encryption on the password information X to form a plurality of password information ciphertext fragments.
The working principle of privacy encryption of the password information can be found in fig. 2 and the corresponding description.
Taking four computing nodes as an example, the manner of privacy encryption of the collected password information may include: the password information X is privacy-encrypted to form password information ciphertext fragments X1, X2, Xa, Xb.
Thus, a plurality of password information ciphertext fragments can be formed after the password information is subjected to privacy encryption. The password information ciphertext fragments are sent to the verification platform of the service data and then stored in the respective storage nodes. Taking the case where the computing nodes serve as the storage nodes as an example, the password information ciphertext fragments X1 and X2 can be stored in the computing nodes S1 and S2 of the verification platform of the service data after uploading, and the password information ciphertext fragments Xa and Xb can be stored in the computing nodes Sa and Sb of the verification platform of the service data after uploading, so that the security of the password information can be ensured.
The financial institution terminal collects the biological information of the business account applicant by using the set or associated biological information collection device.
Commonly, biometric information applicable to biometric technology may include, but is not limited to: face information, fingerprint information, palm print information, iris information, heart rate information and the like, and the corresponding biological recognition technologies are face recognition technology, fingerprint recognition technology, palm print recognition technology, iris recognition technology, heart rate recognition technology and the like.
Generally, the biological information can be classified into natural biological raw data and biological characteristic data obtained by extracting characteristics of the biological raw data.
In some examples, taking the biological information as face information as an example, the face information may include a face image as biological raw data and a face feature as biological feature data, where the face feature is obtained by extracting features from the face image.
In some examples, taking the biological information as fingerprint information as an example, the fingerprint information may include a fingerprint image as biological raw data and a fingerprint feature as biological feature data, where the fingerprint feature is obtained by feature extraction of the fingerprint image.
In some examples, the biological information is palm print information, which may include a palm print image as biological raw data and palm print features as biological feature data, where the palm print features are obtained by feature extraction of the palm print image.
In some examples, taking the biological information as iris information as an example, the iris information may include an iris image as biological raw data and an iris feature as biological feature data, wherein the iris feature is obtained by feature extraction of the iris image.
Among these biometric technologies, face recognition has the following features compared with the other types: it is non-mandatory, in that the face image can be obtained almost without the user being aware of it and without the user specially cooperating with the face acquisition equipment; it is non-contact, in that the face image can be acquired without the user directly touching the equipment; and it is simple and convenient, in that the face acquisition equipment is simple and easy to popularize and the acquisition method is simple and easy to implement.
Taking face-brushing payment using face recognition technology as an example, in general, a camera is provided or associated with a financial institution as a face collection device. In some examples, the camera may be, for example, a 3D camera, and depth information of a photographed object, that is, three-dimensional position and size information, may be acquired compared to a general 2D camera, so as to enhance a face and object recognition function of the camera.
As described above, the biometric information may include natural-meaning biometric original data and biometric data obtained by extracting features from the biometric original data. Thus, there may be different ways to process the biological information.
In some embodiments, the collected biometric information is not privacy encrypted, but rather the biometric raw data of the collected biometric information is sent directly to the verification platform of the business data.
In this case, the biological raw data (e.g., face image, fingerprint image, palm print image, iris image, etc.) of the collected biological information is re-encrypted to secure its transmission to the verification platform of the service data.
Subsequently, the verification platform of the service data receives the encrypted biological original data, decrypts the encrypted biological original data, performs feature extraction on the biological original data to obtain biological feature data, and performs privacy encryption on the obtained biological feature data.
The processing mode of the biological information has extremely high safety, but has the problems of difficult technical realization and the like.
In some embodiments, the collected biometric information is privacy encrypted.
The following description will take, as an example, privacy encryption of biometric information in service registration data. In practice, the privacy encryption of the biometric information in the service registration data refers to privacy encryption of the biometric data in the biometric information.
The method may further comprise the step of extracting features from the biological raw data of the biological information acquisition device to obtain biological features before the step of privacy encrypting the biological information.
In some examples, taking face recognition as an example, feature extraction may be performed on a face image as biological raw data to obtain face features.
In some examples, taking fingerprint recognition as an example, feature extraction may be performed on a fingerprint image as the biological raw data to obtain fingerprint features.
In some examples, using palm print recognition as an example, feature extraction may be performed on palm print images as the bio-raw data to obtain palm print features.
In some examples, taking iris recognition as an example, feature extraction may be performed on iris images as raw biological data to obtain iris features.
The manner of privacy encryption of the biometric information in the service registration data may include: carrying out privacy encryption on the biological information Y to form a plurality of biological information ciphertext fragments.
Taking four computing nodes as an example, the manner of privacy encryption of the collected biological information may include: the biological information Y is subjected to privacy encryption to form biological information ciphertext fragments Y1, Y2, Ya and Yb. Here, the biological information actually refers to the biological feature data obtained by feature extraction of the biological raw data.
Taking privacy encryption of the collected face information as an example, the face features of the face appearing in the face image are obtained through face feature extraction. The privacy encryption of the collected face information comprises the privacy encryption of the extracted face features. Specifically, performing privacy encryption on the extracted face features may include: carrying out privacy encryption on the face feature Y to form ciphertext fragments Y1, Y2, Ya and Yb of the face feature.
In some embodiments, taking a convolutional neural network model as an example of extracting face features from a face image, the convolutional neural network model may be used to extract face feature vectors from the face image in the service request. Thus, privacy encryption of the face feature vectors extracted by the convolutional neural network model may include: carrying out privacy encryption on the face feature vector Y to form ciphertext fragments Y1, Y2, Ya and Yb of the face feature vector.
Thus, a plurality of biological information ciphertext fragments can be formed after the biological information is subjected to privacy encryption. These biological information ciphertext fragments are transmitted to the verification platform of the service data and stored in the respective storage nodes. Taking the case where the computing nodes serve as the storage nodes as an example, the biological information ciphertext fragments Y1 and Y2 can be stored in the computing nodes S1 and S2 of the verification platform of the service data after being uploaded, and the biological information ciphertext fragments Ya and Yb can be stored in the computing nodes Sa and Sb of the verification platform of the service data after being uploaded, so that the security of the biological information can be ensured.
The processing mode for the biological information is high in safety, can meet the requirement of privacy protection, can eliminate the concern of financial institutions on data safety and privacy protection, and can meet the application requirement in efficiency and accuracy.
Step S103, storing the registration information containing the encrypted service registration data to finish registration.
In some embodiments, the service registration data includes first authentication information. Therefore, in step S103, registration information including encrypted service registration data is stored, including storing the service account and the formed plurality of pieces of secret text of the first authentication information.
In some embodiments, the service registration data includes first authentication information and second authentication information. Accordingly, in step S103, storing registration information including encrypted service registration data includes storing a service account and first and second authentication information, wherein at least one of the first and second authentication information is privacy-encrypted.
In some examples, the first authentication information in the service registration data is privacy encrypted to form a plurality of ciphertext fragments of the first authentication information. Accordingly, storing registration information including encrypted service registration data includes storing a service account, a plurality of ciphertext fragments of first authentication information, and second authentication information.
In some examples, the second authentication information in the service registration data is privacy encrypted to form a plurality of ciphertext fragments of the second authentication information. Accordingly, storing registration information including encrypted service registration data includes storing ciphertext fragments of the service account, the first authentication information, and the plurality of second authentication information.
In some examples, the first authentication information and the second authentication information in the service registration data are privacy encrypted to form a plurality of ciphertext fragments of the first authentication information and a plurality of ciphertext fragments of the second authentication information, respectively. Accordingly, storing registration information including encrypted service registration data includes storing a service account, a plurality of ciphertext fragments of first authentication information, and a plurality of ciphertext fragments of second authentication information.
For example, in a bank card payment service, the service registration data includes bank card information and a payment password. Thus, privacy encrypting the service registration data associated with the service account includes privacy encrypting at least one of the bank card information and the payment password. In some examples, the bank card information in the service registration data is privacy encrypted. Thus, storing registration information including encrypted service registration data includes storing a service account, privacy-encrypted bank card information, and a payment password. In some examples, the payment password in the service registration data is privacy encrypted. Thus, storing registration information including encrypted service registration data includes storing the service account, the bank card information, and the privacy-encrypted payment password. In some examples, the bank card information and the payment password in the service registration data are both privacy encrypted. Thus, storing registration information including encrypted service registration data includes storing a service account, privacy-encrypted bank card information, and a privacy-encrypted payment password.
For example, in a card-less payment service, the service registration data includes password information and biometric information. Thus, privacy encrypting the service registration data associated with the service account includes privacy encrypting at least one of the password information and the biometric information. In some examples, the password information in the service registration data is privacy encrypted to form a plurality of password information ciphertext fragments. Therefore, storing registration information including encrypted service registration data includes storing a service account, a plurality of password information ciphertext fragments, and biometric information. In some examples, the biometric information in the service registration data is privacy encrypted to form a plurality of biometric information ciphertext fragments. Therefore, storing registration information including encrypted service registration data includes storing a service account, password information, and a plurality of biometric information ciphertext fragments. In some examples, the password information and the biometric information in the service registration data are both privacy encrypted to form a plurality of password information ciphertext fragments and a plurality of biometric information ciphertext fragments. Accordingly, storing registration information including encrypted service registration data includes storing a service account, a plurality of password information ciphertext fragments, and a plurality of biometric information ciphertext fragments.
Still further describing in detail the example of face payment, the business registration data includes a payment password and face information. Thus, privacy encrypting the business registration data associated with the business account includes privacy encrypting at least one of a payment password and face information. In some examples, the payment password in the business registration data is privacy encrypted to form a plurality of payment password ciphertext fragments. Therefore, storing registration information including encrypted service registration data includes storing a service account, a plurality of payment password ciphertext fragments, and face information. In some examples, face information in the service registration data is privacy encrypted to form a plurality of face information ciphertext fragments. Accordingly, storing registration information including encrypted service registration data includes storing a service account, a payment password, and a plurality of face information ciphertext fragments. In some examples, the payment password and the face information in the business registration data are privacy encrypted to form a plurality of payment password ciphertext fragments and a plurality of face information ciphertext fragments. Accordingly, storing registration information including encrypted service registration data includes storing a service account, a plurality of payment password ciphertext fragments, and a plurality of face information ciphertext fragments.
In practical applications, to ensure the security of the data during the transmission process, the service account and the encrypted service registration data may be further pre-encrypted before executing step S103.
In some embodiments, the service registration data includes first authentication information. Thus, pre-encrypting the service account and encrypted service registration data includes re-encrypting the service account and the ciphertext fragments of the plurality of first authentication information.
In some embodiments, the service registration data includes first authentication information and second authentication information. Thus, pre-encrypting the service account and encrypted service registration data includes re-encrypting the service account and the ciphertext fragments of the plurality of first authentication information and/or the ciphertext fragments of the plurality of second authentication information. In some examples, the first authentication information in the service registration data is privacy encrypted to form a plurality of ciphertext fragments of the first authentication information, and thus pre-encrypting the service account and the encrypted service registration data includes re-encrypting the service account, the plurality of ciphertext fragments of the first authentication information, and the second authentication information. In some examples, the second authentication information in the service registration data is privacy encrypted to form a plurality of ciphertext fragments of the second authentication information, and thus pre-encrypting the service account and the encrypted service registration data includes re-encrypting the service account, the first authentication information, and the ciphertext fragments of the plurality of second authentication information. In some examples, the first authentication information and the second authentication information in the service registration data are privacy encrypted to form ciphertext fragments of the first authentication information and ciphertext fragments of the second authentication information, respectively, and therefore pre-encrypting the service account and the encrypted service registration data includes re-encrypting the service account, the ciphertext fragments of the first authentication information, and the ciphertext fragments of the second authentication information.
With the registration method and the registration system for the service registration data, the service registration data is privacy encrypted when the service is carried out and is also verified in privacy-encrypted form during verification, so that it is never displayed in plaintext. This ensures the safety and reliability of the service registration data and solves the risk prevention and control problem of service data security in the prior art.
Returning to the verification platform for the service data, the transceiver module 11 is also configured to receive registration information. The registration information includes a service account and associated service registration data, wherein the service registration data is privacy encrypted to form encrypted service registration data.
In some embodiments, the service registration data includes first authentication information. Thus, receiving registration information includes receiving a service account and a plurality of ciphertext fragments of first authentication information.
In some embodiments, the service registration data includes first authentication information and second authentication information. Thus, in some examples, receiving registration information includes receiving a business account, a plurality of ciphertext fragments of first authentication information, and second authentication information. In some examples, receiving registration information includes receiving a service account, first authentication information, and a plurality of ciphertext fragments of second authentication information. In some examples, receiving registration information includes receiving a service account and a plurality of ciphertext fragments of first authentication information and a plurality of ciphertext fragments of second authentication information.
For example, in a card-less payment service, the service registration data includes password information and biometric information. Thus, in some examples, receiving registration information includes receiving a service account, biometric information, and a plurality of password information ciphertext fragments. In some examples, receiving registration information includes receiving a service account, password information, and a plurality of biometric information ciphertext fragments. In some examples, receiving registration information includes receiving a service account, a plurality of password information ciphertext fragments, and a plurality of biometric information ciphertext fragments.
In practical applications, after receiving the registration information by using the transceiver module 11, the encrypted service registration data is also stored in a plurality of storage nodes in the storage module 15 in a scattered manner.
In some embodiments, the service registration data includes first authentication information. Thus, the ciphertext fragments of the plurality of first authentication information are stored in the plurality of storage nodes in a dispersed manner.
In some embodiments, the service registration data includes first authentication information and second authentication information. Thus, in some examples, the ciphertext fragments of the plurality of first authentication information are stored in a plurality of storage nodes in a decentralized manner. In some examples, the plurality of ciphertext fragments of the second authentication information are stored in a plurality of storage nodes in a decentralized manner. In some examples, the plurality of ciphertext fragments of the first authentication information and the plurality of ciphertext fragments of the second authentication information are stored in a plurality of storage nodes in a decentralized manner.
It is noted that, for the biological information, the biological information may include biological raw data of natural meaning and biological feature data after feature extraction of the biological raw data. Thus, there may be different ways to process the biological information.
In some embodiments, the registration system of the service registration data performs privacy encryption on the collected biometric information and sends a plurality of biometric information ciphertext fragments to the verification platform of the service data. Therefore, the transceiver module 11 can be used to receive the plurality of biometric information ciphertext fragments in the service registration data, and the plurality of biometric information ciphertext fragments are stored in the plurality of storage nodes in a distributed manner.
Where the registration system of the service registration data re-encrypts the service account and the encrypted service registration data, the verification platform of the service data receives the re-encrypted service account and encrypted service registration data and stores them in a plurality of storage nodes in a distributed manner.
In some embodiments, the registration system of the business registration data does not privacy encrypt the collected biometric information, but directly sends the biometric raw data of the collected biometric information to the verification platform of the business data. In this manner, the received biometric information may be privacy encrypted by the authentication platform of the business data.
The process of privacy encryption of the received biometric information by the authentication platform of the business data may include:
The biometric information of the service registration data is received by means of the transceiver module 11.
The received biological information ciphertext is decrypted by using an encryption machine to obtain the biological original data of the biological information.
Feature extraction is performed on the biological original data by using a feature extraction module to obtain biological feature data.
The biometric data is privacy encrypted using the privacy encryption module 13.
The plurality of biological information ciphertext fragments is re-encrypted by using an encryption machine.
The re-encrypted multiple pieces of biometric information ciphertext are stored in a plurality of storage nodes in a decentralized manner.
By storing encrypted registration information or re-encrypted registration information in a plurality of storage nodes in a decentralized manner, secure storage of such sensitive data is ensured such that such sensitive data does not appear in the clear.
Meanwhile, in this embodiment, the service data verification platform may store encrypted registration information or re-encrypted registration information in a plurality of storage nodes in a distributed manner, and each storage node stores these registration information in a corresponding database.
The following describes in detail an example in which the service registration data includes the first authentication information and the second authentication information in the embodiment.
Here it is assumed that the first authentication information and the second authentication information in the service registration data are both privacy encrypted and then conventionally re-encrypted.
In some embodiments, in the verification platform of the service data, each storage node is provided with or associated with a corresponding database. The database may be configured to store registration information on the corresponding storage node. The database stores a plurality of records having a data structure in which each record comprises a record sequence number Seq, a ciphertext fragment of the re-encrypted first authentication information, a ciphertext fragment of the re-encrypted second authentication information, and a re-encrypted service account, as shown in table one below.
Table one
With the stored registration information, the verification platform of the service data may retrieve, via the verification module 17, the service account corresponding to the service data from the stored registration information based on the first verification information and the second verification information in the new service request when receiving the new service request.
In order to realize quick retrieval of information, in this embodiment, a data encryption retrieval technique is applied.
The data encryption retrieval technology is used for quickly searching records meeting the conditions from various databases stored in an encrypted mode, and comprises three parts of index creation, maintenance and retrieval.
In the index creation and maintenance stage, privacy-encrypted data is taken as input, a unique security index is built for each record keyword through privacy calculation and privacy comparison, and records with the same keyword are grouped into a group. In the searching process, the key words to be searched are input in the form of data which are encrypted by privacy, and the group is determined by privacy calculation and privacy comparison, so that the encrypted objects with the same key words are output quickly.
In this embodiment, a data structure similar to a hash table on plaintext data is implemented through privacy calculation, and data security and efficient retrieval are implemented, where ciphertext fragments of first verification information in a service request are used as query keys of the hash table.
In this embodiment, the verification platform of the service data may further include a hash table creation module (not shown in the drawings) configured to perform a hash operation on the service account and the associated service registration data in each of the stored registration information with the first verification information as a key to create a hash table.
In this embodiment, in order to improve the retrieval efficiency, each computing node first invokes the encryption machine to decrypt the stored re-encrypted service registration data and obtain the encrypted service registration data (which may be, for example, a ciphertext fragment of the first verification information and/or a ciphertext fragment of the second verification information), and may then use the hash table creation module to create a hash table.
By means of the created hash table, the process of retrieving the service account corresponding to the first authentication information and the second authentication information from the stored registration information by the authentication module 17 according to the first authentication information and the second authentication information in the new service request may include:
First, a search is performed in the stored registration information based on the first verification information in the service data, and the group in which the first verification information is located is found, wherein all entries in the group have the same first verification information feature.
In this embodiment, the step of searching the stored registration information based on the first verification information in the service data and locating the group in which the first verification information is located includes: locating, through privacy calculation, the group in the hash table corresponding to the first verification information in the service data.
In this embodiment, based on the ciphertext fragment of the first verification information in the service data, a data security search technique is used to find the record corresponding to the hash address value in the hash table. In this way, the group in which the first verification information is located can be quickly located, wherein all record items in the group have the same first verification information feature, i.e. the same first verification information or the same first verification information equivalent feature. Retrieving by the first verification information thus narrows the matching range from the full set of user data to the subset of user data having the same first verification information, and the size of that subset is much smaller than the size of the full set. This can also be understood as follows: searching the second verification information routing library N with the first verification information as the keyword reduces the range of the routing library N for the subsequent second verification information search to M subsets, where M is far smaller than N. The efficiency of the whole retrieval process is thereby greatly improved.
Of course, if the record corresponding to the hash address value is not found in the hash table, the verification operation is ended.
In some embodiments, the service data includes first authentication information, and the first authentication information in the service data is privacy encrypted to form a plurality of ciphertext fragments of the first authentication information.
Thus, in some embodiments, verifying whether a service account corresponding to the encrypted service data exists in each piece of stored registration information comprises: searching with the ciphertext fragment of the first verification information in the encrypted service data as a keyword, screening the service registration data corresponding to the first verification information from the stored registration information, subsequently obtaining the matched service registration data from the screened service registration data corresponding to the first verification information, and obtaining the service account in the matched service registration data.
Taking a hash table structure as an example, specifically, a hash operation is performed with the ciphertext fragment of the first verification information in the encrypted service data as a keyword to obtain a hash address value, and the group corresponding to the hash address value is located in the hash table based on the obtained hash address value; in some examples, the matched record item can then be obtained directly from the located group, and the service account in the matched record item can be obtained.
In some embodiments, the business data comprises first authentication information and second authentication information, wherein privacy encrypting the business data comprises privacy encrypting at least one of the first authentication information and the second authentication information to form a plurality of ciphertext fragments of the first authentication information and/or a plurality of ciphertext fragments of the second authentication information.
In some examples, privacy encrypting the business data includes privacy encrypting first authentication information in the business data to form ciphertext fragments of the plurality of first authentication information, and privacy encrypting second authentication information in the business data to form ciphertext fragments of the plurality of second authentication information. Thus, the manner of verifying whether or not there is a service account corresponding to the encrypted service data in each of the stored registration information includes: searching by taking ciphertext fragments of first verification information in the encrypted service data as keywords, and screening service registration data corresponding to the first verification information from stored registration information; the ciphertext fragment of the second verification information in the encrypted service data is used as a keyword, and service registration data matched with the second verification information is obtained from the screened service registration data corresponding to the first verification information; and obtaining the service account in the service registration data matched with the second verification information.
Taking a hash table structure as an example, specifically, after a hash operation is performed with the ciphertext fragment of the first verification information in the encrypted service data as a keyword to obtain a hash address value, and the group corresponding to the hash address value is located in the hash table based on the obtained hash address value, the method may further include: taking the ciphertext fragment of the second verification information in the encrypted service data as a keyword, and obtaining a matched record item in the located group, wherein the matched record item contains the second verification information matching the service data, so as to obtain the service account in the matched record item.
It should be noted that, in some of the foregoing embodiments, when the service data includes the first verification information and the second verification information, the first verification information and the second verification information in the service data are both privacy encrypted to form ciphertext fragments of the first verification information and ciphertext fragments of the second verification information, respectively; the application is not limited thereto, however, and other variations are possible in other embodiments.
For example, in some embodiments, privacy encrypting the business data includes privacy encrypting first authentication information in the business data to form a plurality of ciphertext fragments of the first authentication information. Thus, the manner of verifying whether or not there is a service account corresponding to the encrypted service data in each of the stored registration information includes: searching by taking ciphertext fragments of first verification information in the encrypted service data as keywords, and screening service registration data corresponding to the first verification information from stored registration information; the second verification information in the encrypted service data is used as a keyword, and service registration data matched with the second verification information is obtained from the screened service registration data corresponding to the first verification information; and obtaining the service account in the service registration data matched with the second verification information.
For example, in some embodiments, privacy encrypting the business data includes privacy encrypting second authentication information in the business data to form a plurality of ciphertext fragments of the second authentication information. Thus, the manner of verifying whether or not there is a service account corresponding to the encrypted service data in each of the stored registration information includes: searching by taking first verification information in the encrypted service data as a keyword, and screening service registration data corresponding to the first verification information from all stored registration information; the ciphertext fragment of the second verification information in the encrypted service data is used as a keyword, and service registration data matched with the second verification information is obtained from the screened service registration data corresponding to the first verification information; and obtaining the service account in the service registration data matched with the second verification information.
The first verification information is used as a keyword to search, so that the range of the group corresponding to the first verification information is greatly reduced, and subsequently, the matching can be performed from the obtained group based on the second verification information to determine the matched business account.
In practical applications, the matching within the group may be implemented differently depending on the content of the second verification information. In some examples, the second verification information may be, for example, password information, bar code information, two-dimensional code information, etc., and the matching within the group may use a conventional retrieval manner. In some examples, the second verification information may be, for example, biometric information, and the matching within the group may be achieved using biometric similarity calculation.
The following description is made with respect to a card-less payment service as an example. In the card-less payment service, the service registration data includes password information and biometric information, and the service data includes password information and biometric information.
The password information may be, for example, a numeric password, or a multi-character password comprising at least three types of characters among digits, uppercase letters, lowercase letters, special characters, and the like. The biometric information may be, for example, face information, fingerprint information, palm print information, iris information, heart rate information, etc.
It is assumed that both the password information and the biometric information in the service registration data are privacy encrypted and conventionally re-encrypted.
In some examples, each record in the database contains a record sequence number Seq, a re-encrypted ciphertext fragment of the password information, a re-encrypted ciphertext fragment of the biometric information, and a re-encrypted service account, as shown in Table 2 below.
Table 2
When receiving a new service request, the verification platform of the service data can verify, through the verification module 17, the password information and the biometric information in the new service request against each piece of stored registration information so as to determine the corresponding service account.
In a payment scenario, in addition to accurate matching, the verification of the service data must also be fast, and the response time is required to be as short as possible (e.g., within 500 milliseconds) to improve the user experience.
In order to realize quick verification of information, in this embodiment, a data encryption retrieval technique is applied.
The data encryption retrieval technique is used for quickly finding records that satisfy given conditions in a database stored in encrypted form, and comprises three parts: index creation, maintenance and retrieval.
In the index creation and maintenance stage, privacy-encrypted data is taken as input, a unique security index is built for each record keyword through privacy calculation and privacy comparison, and records with the same keyword are grouped into one group. In the retrieval process, the keyword to be searched is input in the form of privacy-encrypted data, and the group is determined by privacy calculation and privacy comparison, so that the encrypted objects with the same keyword are output quickly.
In this embodiment, a data structure similar to a hash table on plaintext data is realized through privacy calculation, achieving safe and efficient retrieval of data, wherein the query keyword of the hash table is the ciphertext fragment of the password information in the service request.
In this embodiment, the verification platform of the service data may further include a hash table creation module (not shown in the drawings) configured to perform a hash operation on the service account and its associated service registration data in each stored registration information with the password information as a key to create a hash table.
In this embodiment, in order to improve the retrieval efficiency, each computing node first invokes the encryptor to decrypt the stored encrypted service registration data (for example, the password information and/or the biometric information) to obtain the privacy-encrypted service registration data, and can then create a hash table by using the hash table creation module.
By means of the created hash table, the process by which the verification module 17 verifies the password information and the biometric information in the new service request against the stored registration information may include:
Firstly, searching the stored registration information based on the password information in the service data, and locating the group in which the password information is located, wherein all record items in the group have the same password information feature.
In this embodiment, the step of searching the stored registration information based on the password information in the service data and locating the group in which the password information is located includes: locating, in the hash table and through privacy calculation, the group corresponding to the password information in the service data.
In this embodiment, based on the ciphertext fragment of the password information in the service data, the hash address value is obtained through privacy calculation by using a data security search technique, and the record corresponding to the hash address value is found in the hash table. In this way, the group in which the password information is located can be quickly located, wherein all record items in the group have the same password information feature, i.e., the same password information or an equivalent feature of the same password information. Thus, by retrieving on the password information, the number of users in the matching range can be reduced from the original user data set to the user data subset having the same password information, wherein the amount of user data in that subset is much smaller than the amount of user data in the user data set. This can also be understood as follows: the biometric information routing library N is searched with the password information as a keyword, so that the range for subsequent biometric information identification is reduced to the subset M, where M is far smaller than N. In this process, since the password information is relatively simple, the user data subset can be quickly and accurately searched and filtered by using the password information; in addition, since the data size of the screened user data subset is far smaller than the data size of the user data set, matching within the user data subset by using the biometric information can be performed quickly.
Of course, if the record corresponding to the hash address value is not found in the hash table, the verification operation is ended.
In some embodiments, the service data includes password information.
After a hash operation is performed with the ciphertext fragment of the password information in the encrypted service data as a keyword to obtain a hash address value, and the group corresponding to the hash address value is located in the hash table based on the obtained hash address value, a matched record item can be obtained from the located group, and the service account in the matched record item can be obtained.
For example, the first verification information is password information; a hash operation is performed with the ciphertext fragment corresponding to the password information as a keyword to obtain a hash address value, and the group corresponding to the hash address value is located in the hash table based on the obtained hash address value. In some examples, the password information may be associated with the user's identity information, or with the user's cell phone number, etc.; e.g., the password information may be part or all of the identity card number, or the cell phone number, or some combination of the identity card number, cell phone number, and other information, etc. In this case, the matched record item can be obtained directly from the located group, and the service account in the matched record item can be obtained. Alternatively, in some examples, although the matched record item cannot be obtained directly from the located group with the password information alone, it may be obtained from the located group by means of other information in the service data (e.g., information on the terminal that collected the service data, the service type in the service data, etc.), and the service account in the matched record item may be obtained.
In certain embodiments, the business data includes password information and biometric information.
Therefore, after a hash operation is performed with the ciphertext fragment of the password information in the encrypted service data as a keyword to obtain a hash address value, and the group corresponding to the hash address value is located in the hash table based on the obtained hash address value, the method further comprises: taking the ciphertext fragment of the biometric information in the encrypted service data as a keyword, and obtaining a matched record item in the located group, wherein the matched record item contains biometric information matching the service data, so as to obtain the service account in the matched record item.
In this embodiment, the step of obtaining the matched record item in the located group by using the ciphertext fragment of the biometric information in the encrypted service data as a keyword includes: performing, based on the biometric information in the service data, similarity calculation with the biometric information of all record items in the group located in the hash table for the password information in the service data, and determining the matched record item.
In some examples, taking face recognition as an example, performing similarity calculation with the biometric information of all the record items in the group based on the biometric information in the service data includes: performing, based on the privacy-encrypted face features in the service data, feature similarity calculation with the privacy-encrypted face features in all record items in the group, and determining the matched record item.
Specifically, in the foregoing, the face features of the face image in the service data are extracted by face feature extraction, and these features may be converted into corresponding face feature vectors. The privacy encryption of the face features comprises the privacy encryption of face feature vectors corresponding to the face features.
Whether for face information in the service registration data or for face information in the service data, privacy encrypting the face feature vector corresponding to the face feature may include: privacy encrypting the face feature vector Y to form ciphertext fragments Y1, Y2, Ya and Yb of the face feature vector.
Therefore, the face feature similarity calculation may include: the privacy encryption module 13 performs privacy computation on the ciphertext fragments Y1, Y2, Ya, Yb of the face feature vector formed by the privacy encryption and the ciphertext fragments Y1', Y2', Ya', Yb' of the face feature vector in each record item in the located group, to obtain the similarity between the face feature vector to be identified and the face feature vector in each record item in the group.
In some embodiments, when performing similarity calculation based on the face feature vectors, the similarity between the face image to be identified and a face image in the database can be represented by the vector distance between their face feature vectors.
For example, the similarity can be represented by the vector distance between the privacy-encrypted face feature vector to be identified and the privacy-encrypted face feature vector in each record item in the group. In some examples, the calculated vector distance is converted into a corresponding similarity value according to a preset similarity conversion strategy. The similarity conversion strategy may be, for example, to pre-establish a correspondence list of vector distances and similarity values according to the relationship between feature vectors and similarities, where the correspondence list may be divided into a plurality of different similarity levels according to preset vector distance thresholds, and a corresponding similarity value is set for each similarity level. In this way, the similarity value corresponding to the calculated vector distance can be obtained by directly querying the correspondence list. In some examples, the minimum value is selected from the calculated vector distances, and the record item corresponding to that minimum value can be considered the record item matching the face information in the service data. The vector distance may be a cosine distance or a Euclidean distance, and is not particularly limited in this embodiment.
In some examples, taking fingerprint recognition as an example, performing similarity calculation with the biometric information of all the record items in the group based on the biometric information in the service data includes: calculating the feature similarity between the privacy-encrypted fingerprint features in the service data and the privacy-encrypted fingerprint features in all record items in the group, and determining the matched record item.
In some examples, taking palm print recognition as an example, performing similarity calculation with the biometric information of all the record items in the group based on the biometric information in the service data includes: calculating the feature similarity between the privacy-encrypted palm print features in the service data and the privacy-encrypted palm print features in all record items in the group, and determining the matched record item.
In some examples, taking iris recognition as an example, performing similarity calculation with the biometric information of all the record items in the group based on the biometric information in the service data includes: calculating the feature similarity between the privacy-encrypted iris features in the service data and the privacy-encrypted iris features in all record items in the group, and determining the matched record item.
From the above, the feature similarity of the biometric information is calculated only within the screened group (i.e., the subset M), so that the efficiency is greatly improved compared with calculating the feature similarity over all databases, and the requirement of quick payment response can be satisfied.
As for the biological information, as described above, in some embodiments, after the biological information in all the service registration data is sent to the service data verification platform, the service data verification platform performs privacy encryption on the biological information in the service registration data through the privacy encryption module 13, so that only the characteristic extraction of the biological information in the service request is needed at the service data verification platform.
After the matched record item is determined, the service account in the matched record item is obtained.
Referring to Table 2, after the matched record item is determined, a service account can be obtained from the record item, and the service account is determined to belong to the service requester corresponding to the service request.
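The two-stage retrieval described above, as an added example that is not code from the patent: records are grouped by an index derived from the password information, and the face-vector distance is computed only inside the located group, on ciphertext fragments. Two-party additive secret sharing, the HMAC group index (a stand-in for the privacy-computed hash address), the dealer-generated masks, the acceptance threshold and all sample records are assumptions constructed for illustration; the conventional re-encryption layer is omitted.

```python
import hashlib
import hmac
import secrets

P = 2**61 - 1                        # share modulus (assumption)
INDEX_KEY = b"constructed-demo-key"  # constructed key; the index is only as secret as this key


def share(vec):
    """Split an integer feature vector into two additive shares mod P."""
    s0 = [secrets.randbelow(P) for _ in vec]
    s1 = [(v - r) % P for v, r in zip(vec, s0)]
    return s0, s1


def group_key(password):
    """Stand-in for the privacy-computed hash address of the first verification info."""
    return hmac.new(INDEX_KEY, password.encode(), hashlib.sha256).hexdigest()


def secure_sq_distance(x, y):
    """Squared Euclidean distance of two shared vectors; only the total is opened."""
    total = [0, 0]                                      # each node's share of the result
    for i in range(len(x[0])):
        d = [(x[j][i] - y[j][i]) % P for j in (0, 1)]   # local share of x_i - y_i
        a = secrets.randbelow(P)                        # dealer: random mask a
        a_sh = share([a])                               # shares of a
        c_sh = share([a * a % P])                       # shares of a^2
        e = sum(d[j] - a_sh[j][0] for j in (0, 1)) % P  # opened value d - a (masked)
        for j in (0, 1):                                # d^2 = e^2 + 2*e*a + a^2
            z = (2 * e * a_sh[j][0] + c_sh[j][0]) % P
            if j == 0:
                z = (z + e * e) % P                     # public term added by one node only
            total[j] = (total[j] + z) % P
    return (total[0] + total[1]) % P


def enroll(db, seq, password, face_vec, account):
    """Registration: store shares of the face vector in the password's group."""
    record = {"seq": seq, "face": share(face_vec), "account": account}
    db.setdefault(group_key(password), []).append(record)


def verify(db, password, face_vec, max_sq_dist):
    """Return (account or None, number of records compared)."""
    group = db.get(group_key(password))
    if group is None:                # no record at this hash address: verification ends
        return None, 0
    query = share(face_vec)
    dist, best = min(((secure_sq_distance(query, r["face"]), r) for r in group),
                     key=lambda t: t[0])
    if dist > max_sq_dist:           # nearest record is still too far: no match
        return None, len(group)
    return best["account"], len(group)


def build_demo_db():
    """Three constructed records (N = 3); two share a password (M = 2)."""
    db = {}
    enroll(db, 1, "246810", [120, 35, 200, 77], "ACCT-CONSTRUCTED-A")
    enroll(db, 2, "246810", [10, 220, 45, 150], "ACCT-CONSTRUCTED-B")
    enroll(db, 3, "135791", [200, 90, 15, 60], "ACCT-CONSTRUCTED-C")
    return db


if __name__ == "__main__":
    demo = build_demo_db()
    print(verify(demo, "246810", [121, 34, 198, 78], max_sq_dist=100))
```

Selecting the minimum distance alone would return the nearest record in the group however far away it is, so the example also rejects any candidate above `max_sq_dist`.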
The verification platform of the service data further comprises a service message generation module, wherein the service message generation module is used for generating a service message based on the first verification information and the service account after the matched service account is determined.
The verification platform of the service data can further comprise a transceiver module, wherein the transceiver module is used for sending the service message to a service execution mechanism corresponding to the service account, and the service execution mechanism executes corresponding operation according to the service message.
For example, in the access control service, verification information (such as password information, electronic card information, fingerprint information, etc.) collected by the access control terminal is uploaded to the monitoring center, the monitoring center verifies whether the verification information is legitimate, and after the verification is passed, a confirmation can be returned to the access control terminal, and the access control terminal opens the door.
For example, in the attendance service, verification information (such as password information, electronic card information, fingerprint information, etc.) collected by the attendance terminal is uploaded to the attendance management and control center, the attendance management and control center verifies whether the verification information is legitimate, and after the verification is passed, a confirmation can be returned to the attendance terminal, and the attendance terminal confirms that the attendance operation is completed.
For example, in a ticketing service, verification information (such as password information, bar code information, two-dimensional code information, fingerprint information, etc.) collected by a ticketing terminal is uploaded to a ticketing verification center, the ticketing verification center verifies whether the verification information is legitimate, and after the verification is passed, a confirmation can be returned to the ticketing terminal.
In the bank card payment business, a merchant sends acquired bank card information and a payment password to a verification platform through a POS machine, the verification platform obtains a bank account number corresponding to a consumer after verification, a payment message formed by the bank account number and the payment password of the consumer is sent to an issuing bank, and the issuing bank deducts money to complete payment.
In the card-free payment service, a merchant sends acquired password information and biological information to a verification platform through a POS machine, the verification platform obtains a bank account number corresponding to a consumer after verification, a payment message formed by the bank account number and the password information of the consumer is sent to a card issuing bank, and the card issuing bank deducts money to complete payment.
Of course, in some embodiments, the service message may also be encrypted with an encryptor before being sent to the service execution mechanism corresponding to the service account.
Referring to fig. 6, a flowchart of a verification method of service data of the present application is shown, where the verification method is executed on a computer system.
As shown in fig. 6, the service data verification method includes the following steps:
Step S301, privacy encryption is performed on the service data to be verified in the service request to obtain encrypted service data.
In some embodiments, the service data in the service request includes first verification information. In some examples, the first verification information may be password information, which may be, for example, a numeric password, or a multi-character password comprising at least three types of characters among digits, uppercase letters, lowercase letters, special characters, and the like. In some examples, the first verification information may be biometric information, which may be, for example, face information, fingerprint information, palm print information, iris information, heart rate information, and the like.
In some embodiments, the service data in the service request includes first verification information and second verification information. In some examples, the first verification information may be password information, which may be, for example, a numeric password, or a multi-character password comprising at least three types of characters among digits, uppercase letters, lowercase letters, special characters, and the like. The second verification information may be biometric information, which may be, for example, face information, fingerprint information, palm print information, iris information, heart rate information, etc.
In practical application, the service data in the service request is collected by the terminal.
After the terminal collects the service data, the service data can be combined with the characteristic information of the terminal to form a service request, and the service request is uploaded to a service data verification platform.
After receiving the service request, the verification platform of the service data can carry out privacy encryption on the service data to be verified in the service request.
In some embodiments, the service data in the service request includes first authentication information, and therefore, the privacy encrypting the service data to be authenticated in the service request includes privacy encrypting the first authentication information in the service data.
In some embodiments, the service data in the service request includes first authentication information and second authentication information, and therefore, the privacy encrypting the service data to be authenticated in the service request includes privacy encrypting at least one of the first authentication information and the second authentication information in the service data. In some examples, the privacy encrypting the service data to be verified in the service request includes privacy encrypting first verification information in the service data. In some examples, the privacy encrypting the service data to be verified in the service request includes privacy encrypting second verification information in the service data. In some examples, the privacy encrypting the service data to be authenticated in the service request includes privacy encrypting both the first authentication information and the second authentication information in the service data. By privacy encryption of at least one of the first verification information and the second verification information, protection of sensitive information containing the first verification information and the second verification information is achieved, association relations among the sensitive information (for example, between the first verification information and the second verification information) can be protected, and safety and reliability of service data are guaranteed.
In this embodiment, the principle of privacy encryption for the first authentication information and/or the second authentication information in the service data can be seen in fig. 2.
Step S303, verifying whether a service account corresponding to the encrypted service data exists in each piece of stored registration information.
In some embodiments, the service data in the service request includes first authentication information, and in response thereto, the registration information includes a service account and associated service registration data, the service registration data also including the first authentication information. The first verification information in the service registration data is subjected to privacy encryption to form a plurality of ciphertext fragments of the first verification information, and the ciphertext fragments of the first verification information are stored in a plurality of storage nodes in a scattered mode.
In some embodiments, the service data in the service request includes first and second authentication information, and the registration information includes a service account and associated service registration data, which also includes the first and second authentication information, respectively. The first authentication information and/or the second authentication information in the service registration data is privacy encrypted. In some examples, the first authentication information in the service registration data is privacy encrypted to form a plurality of ciphertext fragments of the first authentication information. In some examples, the second authentication information in the service registration data is privacy encrypted to form a plurality of ciphertext fragments of the second authentication information. In some examples, the first authentication information and the second authentication information in the service registration data are privacy encrypted to form a plurality of ciphertext fragments of the first authentication information and a plurality of ciphertext fragments of the second authentication information, respectively.
For how the first authentication information and/or the second authentication information in the service registration data is privacy encrypted and stored in distributed form, refer to the description above of the registration system and the registration method for service registration data.
The ciphertext fragments of the first verification information and/or the ciphertext fragments of the second verification information are dispersed across a plurality of storage nodes, so that the security of the first verification information and/or the second verification information can be ensured.
In some examples, the first authentication information may be password information, which may be, for example, a numeric password or a multi-character password using at least three of the character types digits, uppercase letters, lowercase letters, special characters, and the like. The second authentication information may be biometric information, which may be, for example, face information, fingerprint information, palm print information, iris information, heart rate information, etc.
In some embodiments, after being privacy encrypted, the service registration data in the registration information is further encrypted conventionally to obtain encrypted service registration data; the encrypted service registration data is dispersed across a plurality of storage nodes, and each storage node stores the registration information in a corresponding database.
In addition, each storage node may store the privacy-encrypted service registration information in a corresponding database.
In some embodiments, the service registration data in the registration information includes first authentication information, and the database therefore includes a plurality of records having a data structure, each record including a record number, a service account, and a ciphertext fragment of the first authentication information associated therewith.
In some embodiments, the service registration data in the registration information includes first authentication information and second authentication information, and the database therefore includes a plurality of records having a data structure, each record including a record number, a service account and its associated ciphertext fragment of the first authentication information, and/or a ciphertext fragment of the second authentication information.
In order to realize quick verification of information, in this embodiment, a data encryption retrieval technique is applied.
The data encryption retrieval technique is used to quickly find records that satisfy given conditions in a database stored in encrypted form, and comprises three parts: index creation, index maintenance, and retrieval.
In the index creation and maintenance stage, privacy-encrypted data is taken as input, a unique security index is built for each record keyword through privacy calculation and privacy comparison, and records with the same keyword are placed in one group. In the retrieval stage, the keyword to be searched is input as privacy-encrypted data, the group is determined by privacy calculation and privacy comparison, and the encrypted objects with the same keyword are output quickly.
In some embodiments, the service data in the service request includes first authentication information; correspondingly, the registration information includes a service account and associated service registration data, and the service registration data also includes the first authentication information. The first verification information in the service registration data is privacy encrypted to form a plurality of ciphertext fragments of the first verification information, and these ciphertext fragments are dispersed across a plurality of storage nodes. The first verification information in the service data is likewise privacy encrypted to form a plurality of ciphertext fragments of the first verification information.
Thus, in some embodiments, verifying whether a service account corresponding to the encrypted service data exists in each stored registration information comprises: searching with the ciphertext fragment of the first verification information in the encrypted service data as a keyword, and screening service registration data corresponding to the first verification information from the stored registration information; then obtaining matched service registration data from the screened service registration data corresponding to the first verification information, and obtaining the service account in the matched service registration data.
In some embodiments, the service data in the service request includes first and second authentication information, and the registration information includes a service account and associated service registration data, which also includes the first and second authentication information, respectively. The first authentication information and/or the second authentication information in the service registration data is privacy encrypted.
In some examples, the first authentication information in the service registration data is privacy encrypted to form a plurality of ciphertext fragments of the first authentication information, and correspondingly, the first authentication information in the service data is privacy encrypted to form a plurality of ciphertext fragments of the first authentication information. Thus, in some examples, verifying whether a service account corresponding to the encrypted service data exists in each of the stored registration information includes: searching by taking ciphertext fragments of first verification information in the encrypted service data as keywords, and screening service registration data corresponding to the first verification information from stored registration information; the second verification information in the encrypted service data is used as a keyword, and service registration data matched with the second verification information is obtained from the screened service registration data corresponding to the first verification information; and obtaining the service account in the service registration data matched with the second verification information.
In some examples, the second authentication information in the service registration data is privacy encrypted to form a plurality of ciphertext fragments of the second authentication information, and correspondingly, the second authentication information in the service data is privacy encrypted to form a plurality of ciphertext fragments of the second authentication information. Thus, in some examples, verifying whether a service account corresponding to the encrypted service data exists in each of the stored registration information includes: searching by taking first verification information in the encrypted service data as a keyword, and screening service registration data corresponding to the first verification information from all stored registration information; the ciphertext fragment of the second verification information in the encrypted service data is used as a keyword, and service registration data matched with the second verification information is obtained from the screened service registration data corresponding to the first verification information; and obtaining the service account in the service registration data matched with the second verification information.
In some examples, the first authentication information and the second authentication information in the service registration data are privacy-encrypted to form a plurality of ciphertext fragments of the first authentication information and a plurality of ciphertext fragments of the second authentication information, respectively, and correspondingly, the first authentication information and the second authentication information in the service data are privacy-encrypted to form a plurality of ciphertext fragments of the first authentication information and a plurality of ciphertext fragments of the second authentication information, respectively. Thus, in some examples, verifying whether a service account corresponding to the encrypted service data exists in each of the stored registration information includes: searching by taking ciphertext fragments of first verification information in the encrypted service data as keywords, and screening service registration data corresponding to the first verification information from stored registration information; the ciphertext fragment of the second verification information in the encrypted service data is used as a keyword, and service registration data matched with the second verification information is obtained from the screened service registration data corresponding to the first verification information; and obtaining the service account in the service registration data matched with the second verification information.
In this embodiment, privacy calculation is used to realize a data structure similar to a hash table over plaintext data, which makes retrieval of the data both secure and efficient.
Take as an example the case where the service registration data in the registration information includes first verification information and second verification information (assume that the first verification information in the service registration data is privacy encrypted to form a plurality of ciphertext fragments of the first verification information, and the second verification information is privacy encrypted to form a plurality of ciphertext fragments of the second verification information). When a service is requested, the query keyword of the hash table is the first verification information.
In this embodiment, the method for verifying service data may further include a step of performing a hash operation on the service account and its associated service registration data in each of the stored registration information with the first verification information as a key to create a hash table.
For the process of creating and maintaining the hash table, refer to the corresponding description in the foregoing section on the service data verification platform.
With the created hash table, in step S303, the step of verifying whether or not there is a service account corresponding to the encrypted service data in each of the stored registration information includes:
First, retrieval is performed over the stored registration information based on the first verification information in the service data, and the group in which the first verification information is located is found; all record items in the group have the same first verification information feature.
In this embodiment, the step of retrieving from the stored registration information based on the first verification information in the service data and locating the group in which the first verification information is located includes: locating, in the hash table and through privacy calculation based on the first verification information in the service data, the group corresponding to the first verification information in the service data.
Specifically, a hash operation is performed with the ciphertext fragment of the first verification information in the encrypted service data as the keyword to obtain a hash address value, and the group corresponding to that hash address value is located in the hash table. That is, based on the ciphertext fragment of the first verification information in the service data, the hash address value is obtained through privacy calculation using the secure data retrieval technique, and the record corresponding to the hash address value is found in the hash table. In this way, the group in which the first verification information is located can be found quickly, where all record items in the group have the same first verification information feature, i.e. the same first verification information or the same equivalent feature of the first verification information. Retrieving by the first verification information thus reduces the matching range from the full set of user data to the subset of user data having the same first verification information, and the size of that subset is much smaller than the size of the full set. Taking password information as the first verification information, for example, the relative simplicity of password information allows it to be used for fast and accurate searching and filtering over the full set of user data. In addition, since the screened subset of user data is far smaller than the full set, the subset can be matched quickly using the second verification information (for example, where the second verification information is biological information).
Of course, if the record corresponding to the hash address value is not found in the hash table, the verification operation is ended.
Then, matching is performed based on the second verification information in the service data, and the service account matching the second verification information is determined from the group.
Specifically, the ciphertext fragment of the second verification information in the encrypted service data is used as a keyword, and a matched record item is obtained in the located group, where the matched record item contains second verification information matching that in the service data.
Taking the second verification information as biological information as an example, in this embodiment, the step of matching based on the biological information in the service data and determining from the group the service account that matches the biological information includes: performing, based on the biological information in the service data, a similarity calculation against the biological information of every record item in the group of the hash table that corresponds to the first verification information (for example, password information) in the service data, and determining the matched record item.
From the above, the feature similarity of the biological information is calculated only within the screened group (i.e., M subset), so efficiency is greatly improved compared with calculating the feature similarity over all databases, and the requirement of quick response for payment can be satisfied.
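The two-stage lookup of step S303, as an added example that is not code from the patent: a keyed hash stands in for the privacy-computed hash address, and the biometric match is a squared distance computed over additive ciphertext fragments with Beaver triples, so the templates are never recombined. The sharing scheme, modulus, node count, threshold, key, account names and feature vectors are all assumptions constructed for illustration; the text above does not specify them.

```python
import hashlib
import hmac
import secrets

P = 2**61 - 1                        # prime modulus for additive sharing (assumed)
NODES = 3                            # number of storage nodes (assumed)
INDEX_KEY = b"constructed-demo-key"  # constructed key for the stand-in index hash
THRESHOLD = 50                       # largest squared distance accepted (assumed)


def share(value, n=NODES):
    """Split an integer into n additive fragments mod P; fewer than n reveal nothing."""
    parts = [secrets.randbelow(P) for _ in range(n - 1)]
    parts.append((value - sum(parts)) % P)
    return parts


def reconstruct(parts):
    """Recombine all fragments of one value."""
    return sum(parts) % P


def share_vector(vec):
    """Fragment an integer feature vector; returns one fragment vector per node."""
    per_elem = [share(v) for v in vec]
    return [[frags[node] for frags in per_elem] for node in range(NODES)]


def group_address(first_info):
    """Stand-in for the privacy-computed hash address of the first verification
    information. Assumption: computed here on plaintext with a keyed hash."""
    return hmac.new(INDEX_KEY, first_info.encode(), hashlib.sha256).hexdigest()[:16]


def beaver_square(x_frags):
    """Fragments of x*x from fragments of x, using a dealer-supplied Beaver triple."""
    a, b = secrets.randbelow(P), secrets.randbelow(P)
    a_s, b_s, c_s = share(a), share(b), share(a * b % P)
    # Only the masked values d = x - a and e = x - b are ever opened.
    d = reconstruct([(x - ai) % P for x, ai in zip(x_frags, a_s)])
    e = reconstruct([(x - bi) % P for x, bi in zip(x_frags, b_s)])
    z = [(ci + d * bi + e * ai) % P for ai, bi, ci in zip(a_s, b_s, c_s)]
    z[0] = (z[0] + d * e) % P        # the public term d*e is added by one node only
    return z


def shared_sq_distance(q_nodes, t_nodes):
    """Squared Euclidean distance over fragments; only the total is opened."""
    total = [0] * NODES
    for i in range(len(q_nodes[0])):
        diff = [(q_nodes[n][i] - t_nodes[n][i]) % P for n in range(NODES)]
        total = [(t + s) % P for t, s in zip(total, beaver_square(diff))]
    return reconstruct(total)


class Registry:
    """Hash table of groups: address -> [(service account, template fragments)]."""

    def __init__(self):
        self.groups = {}

    def register(self, account, first_info, biometric):
        entry = (account, share_vector(biometric))
        self.groups.setdefault(group_address(first_info), []).append(entry)

    def verify(self, first_info, biometric):
        group = self.groups.get(group_address(first_info))
        if group is None:
            return None              # no record at this address: verification ends
        q_nodes = share_vector(biometric)
        best = None
        for account, t_nodes in group:   # similarity only inside the located group
            dist = shared_sq_distance(q_nodes, t_nodes)
            if dist <= THRESHOLD and (best is None or dist < best[0]):
                best = (dist, account)
        return best[1] if best else None


def demo_registry():
    """Constructed sample registrations: two accounts share one password."""
    reg = Registry()
    reg.register("acct-A", "483920", [12, 200, 35, 90])
    reg.register("acct-B", "483920", [180, 15, 60, 7])
    reg.register("acct-C", "771204", [12, 200, 35, 90])
    return reg


if __name__ == "__main__":
    reg = demo_registry()
    print(reg.verify("483920", [13, 198, 36, 91]))
    print(reg.verify("000000", [13, 198, 36, 91]))
```

Records in one group are known to share the same first verification information, so whoever holds the index learns which accounts use the same password; a complete design would also replace the opened distance with a private comparison against the threshold.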
After the verification is passed, step S305 may be performed.
Step S305, generating a service message based on the service account.
After the matched record item is determined, that is, after verification passes, the service account can be obtained from the record item, and the service account is determined to belong to the service requester corresponding to the service request. Therefore, in step S305, a service message is generated based on the first verification information and the service account, the service message is sent to the service execution mechanism corresponding to the service account, and the service execution mechanism executes the corresponding operation according to the service message.
The present application also discloses a computer-readable storage medium storing at least one program that, when invoked, participates in performing a verification method of service data or a registration method of service registration data. The verification method of the service data can refer to fig. 6 and the related description about fig. 6, and the registration method of the service registration data can refer to fig. 5 and the related description about fig. 5, which are not repeated here. It should be further noted that, from the description of the above embodiments, it is clear to those skilled in the art that some or all of the present application may be implemented by means of software in combination with a necessary general hardware platform. With such understanding, the computer readable storage medium stores at least one program that, when invoked, performs any of the methods described above. Based on such understanding, the technical solutions of the present application may be embodied essentially or in part in the form of a software product that may include one or more machine-readable media having stored thereon machine-executable instructions that, when executed by one or more machines such as a computer, computer network, or other electronic device, may cause the one or more machines to perform operations in accordance with embodiments of the present application. For example, each step in the positioning method of the robot is performed. The machine-readable medium may include, but is not limited to, floppy diskettes, optical disks, CD-ROMs (compact disk-read only memories), magneto-optical disks, ROMs (read only memories), RAMs (random access memories), EPROMs (erasable programmable read only memories), EEPROMs (electrically erasable programmable read only memories), magnetic or optical cards, flash memory, or other type of media/machine-readable medium suitable for storing machine-executable instructions. 
Wherein the computer readable storage medium may be located in a server or in a third party server, for example in an alicloud service system. The subject application is operational with numerous general purpose or special purpose computing system environments or configurations. For example: mainframe computers, distributed computing environments that include any of the above systems or devices, and so on. The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
As described above, the service data verification method, the service data verification platform, the computer system and the computer readable storage medium disclosed in the application privacy encrypt the service data used in service implementation and perform verification in privacy-encrypted form, so that the service data never appears in plaintext. This ensures the safety and reliability of the service data and addresses the risk prevention and control problem of service data security in existing service implementations.
Based on the technical framework reflected by examples described by the above service data verification method, verification platform, computer system and computer readable storage medium, the present application discloses the following technical solutions:
1. A service data verification method, characterized by comprising the following steps:
carrying out privacy encryption on service data to be verified in the service request to obtain encrypted service data;
verifying whether a service account corresponding to the encrypted service data exists in each piece of stored registration information; the registration information comprises a service account and associated service registration data thereof, wherein the service registration data corresponds to the service data;
if so, the verification passes.
2. The authentication method according to embodiment 1, further comprising the step of receiving registration information and storing the registration information.
3. The authentication method according to embodiment 2, wherein the step of receiving registration information and storing the registration information includes:
receiving registration information, and carrying out privacy encryption on service registration data in the registration information to obtain encrypted service registration data;
and dispersing the registration information containing the encrypted service registration data into a plurality of ciphertext fragments and storing the ciphertext fragments in a plurality of storage nodes.
4. The authentication method according to embodiment 1, wherein the service data to be authenticated includes first authentication information; the step of carrying out privacy encryption on the business data to be verified comprises the following steps: and carrying out privacy encryption on the first verification information in the service data to be verified to form a plurality of ciphertext fragments of the first verification information.
5. The authentication method according to embodiment 4, wherein the step of verifying whether or not a service account corresponding to the encrypted service data exists in each of the stored registration information includes:
searching by taking ciphertext fragments of first verification information in the encrypted service data as keywords, and screening service registration data corresponding to the first verification information from stored registration information;
and obtaining matched service registration data from the service registration data corresponding to the first verification information, and obtaining a service account in the matched service registration data.
6. The authentication method according to embodiment 1, wherein the service data to be authenticated includes first authentication information and second authentication information; the step of carrying out privacy encryption on the business data to be verified comprises the following steps: and carrying out privacy encryption on the first verification information and/or the second verification information in the service data to be verified to form a plurality of ciphertext fragments of the first verification information and/or a plurality of ciphertext fragments of the second verification information.
7. The authentication method according to embodiment 6, wherein the step of authenticating whether or not a service account corresponding to the encrypted service data exists in each of the stored registration information includes:
searching by taking ciphertext fragments of first verification information in the encrypted service data as keywords, and screening service registration data corresponding to the first verification information from stored registration information;
the ciphertext fragment of the second verification information in the encrypted service data is used as a keyword, and service registration data matched with the second verification information is obtained from the screened service registration data corresponding to the first verification information;
and obtaining the service account in the service registration data matched with the second verification information.
8. The authentication method according to embodiment 5 or 7, further comprising the step of generating a service message based on the service account after the matched service account is obtained.
9. A service data verification platform, comprising:
the privacy encryption module is used for carrying out privacy encryption on the service data to be verified in the service request to obtain encrypted service data;
the verification module is used for verifying whether the stored registration information contains a service account corresponding to the encrypted service data; the registration information comprises a service account and associated service registration data, wherein the service registration data corresponds to the service data.
10. The authentication platform of embodiment 9, wherein the authentication platform of service data further comprises a storage module, the storage module comprising a plurality of storage nodes; the registration information containing the encrypted service registration data is dispersed into a plurality of ciphertext fragments and stored in a plurality of storage nodes.
11. The verification platform according to embodiment 9, wherein the service data to be verified includes first verification information, and the privacy encryption module is configured to perform privacy encryption on the service data to be verified in the service request, where the privacy encryption module includes: and carrying out privacy encryption on the first verification information in the service data to be verified to form a plurality of ciphertext fragments of the first verification information.
12. The verification platform according to embodiment 11, wherein the verification module verifies whether the service account corresponding to the encrypted service data exists in each of the stored registration information, by including:
searching by taking ciphertext fragments of first verification information in the encrypted service data as keywords, and screening service registration data corresponding to the first verification information from stored registration information;
and obtaining matched service registration data from the service registration data corresponding to the first verification information, and obtaining a service account in the matched service registration data.
13. The verification platform according to embodiment 9, wherein the service data to be verified includes first verification information and second verification information, and the privacy encryption module is configured to perform privacy encryption on the service data to be verified in the service request, where the privacy encryption module includes: and carrying out privacy encryption on the first verification information and/or the second verification information in the service data to be verified to form a plurality of ciphertext fragments of the first verification information and/or a plurality of ciphertext fragments of the second verification information.
14. The verification platform according to embodiment 13, wherein the verification module verifies whether the service account corresponding to the encrypted service data exists in each of the stored registration information, by including:
searching by taking ciphertext fragments of first verification information in the encrypted service data as keywords, and screening service registration data corresponding to the first verification information from stored registration information;
the ciphertext fragment of the second verification information in the encrypted service data is used as a keyword, and service registration data matched with the second verification information is obtained from the screened service registration data corresponding to the first verification information;
and obtaining the service account in the service registration data matched with the second verification information.
15. The authentication platform of embodiment 12 or 14, further comprising: and the service message generation module is used for generating a service message based on the first verification information and the service account after the matched service account is determined.
16. A computer system, comprising:
a storage device for storing at least one program;
an interface device;
and the processing device is connected with the storage device and the interface device, wherein the processing device is integrated with a trusted processing environment, and the processing environment executes the service data verification method in any one of the foregoing 1 to 8 according to at least one stored program.
17. A computer readable storage medium storing computer instructions that when invoked participate in performing the method of validating business data as set forth in any one of the preceding claims 1 through 8.
The foregoing embodiments are merely illustrative of the principles of the present application and their effectiveness, and are not intended to limit the application. Modifications and variations may be made to the above-described embodiments by those of ordinary skill in the art without departing from the spirit and scope of the present application. Accordingly, it is intended that all equivalent modifications and variations which may be accomplished by persons skilled in the art without departing from the spirit and technical spirit of the disclosure be covered by the claims of this application.

Claims (13)

1. The service data verification method is characterized by comprising the following steps:
carrying out privacy encryption on service data to be verified in the service request to obtain encrypted service data; the service data to be verified comprises first verification information; the step of privacy encryption of the service data to be verified in the service request comprises the following steps: carrying out privacy encryption on first verification information in service data to be verified to form a plurality of ciphertext fragments of the first verification information;
Verifying whether a service account corresponding to the encrypted service data exists in each piece of stored registration information;
the registration information comprises a service account and associated service registration data, wherein the service registration data corresponds to the service data, and the service registration data is a plurality of ciphertext fragments scattered after privacy encryption; the step of verifying whether the service account corresponding to the encrypted service data exists in each piece of stored registration information includes: searching by taking ciphertext fragments of first verification information in the encrypted service data as keywords, and screening service registration data corresponding to the first verification information from stored registration information; obtaining matched service registration data from service registration data corresponding to the first verification information, and obtaining a service account in the matched service registration data;
if so, the verification passes.
2. The method of claim 1, further comprising the step of receiving registration information and storing the registration information.
3. The method of verifying service data as set forth in claim 2, wherein the step of receiving registration information and storing the registration information comprises:
Receiving registration information, and carrying out privacy encryption on service registration data in the registration information to obtain encrypted service registration data;
registration information including encrypted service registration data is dispersed into a plurality of ciphertext fragments and stored in a plurality of storage nodes.
4. The method for verifying service data according to claim 1, wherein the service data to be verified further comprises second verification information; the step of privacy encrypting the service data to be verified in the service request further comprises: and carrying out privacy encryption on the second verification information in the service data to be verified to form a plurality of ciphertext fragments of the second verification information.
5. The method according to claim 4, wherein when verifying whether or not a service account corresponding to the encrypted service data exists in each of the stored registration information, the step of obtaining matched service registration data from the service registration data screened out corresponding to the first verification information, and obtaining the service account in the matched service registration data, comprises:
the ciphertext fragment of the second verification information in the encrypted service data is used as a keyword, and service registration data matched with the second verification information is obtained from the screened service registration data corresponding to the first verification information;
and obtaining the service account in the service registration data matched with the second verification information.
6. The method of claim 1 or 5, further comprising the step of generating a service message based on the service account after the matched service account is obtained.
7. A service data verification platform, comprising:
a privacy encryption module for carrying out privacy encryption on the service data to be verified in the service request to obtain encrypted service data; the service data to be verified comprises first verification information, and the manner in which the privacy encryption module carries out privacy encryption on the service data to be verified in the service request comprises: carrying out privacy encryption on the first verification information in the service data to be verified in the service request to form a plurality of ciphertext fragments of the first verification information;
the verification module is used for verifying whether the stored registration information contains a service account corresponding to the encrypted service data; the registration information comprises a service account and associated service registration data, wherein the service registration data corresponds to the service data, and the service registration data is a plurality of ciphertext fragments scattered after privacy encryption; the verification module verifies whether the stored registration information has a service account corresponding to the encrypted service data or not by the method comprising the following steps: searching by taking ciphertext fragments of first verification information in the encrypted service data as keywords, and screening service registration data corresponding to the first verification information from stored registration information; and obtaining matched service registration data from the service registration data corresponding to the first verification information, and obtaining a service account in the matched service registration data.
8. The service data verification platform of claim 7, further comprising a storage module, the storage module comprising a plurality of storage nodes; the service registration data in the registration information is encrypted service registration data formed by privacy encryption, and the registration information containing the encrypted service registration data is scattered into a plurality of ciphertext fragments to be stored in a plurality of storage nodes.
9. The service data verification platform according to claim 9, wherein the service data to be verified further includes second verification information, and the manner in which the privacy encryption module performs privacy encryption on the service data to be verified in the service request further includes: carrying out privacy encryption on the second verification information in the service data to be verified to form a plurality of ciphertext fragments of the second verification information.
10. The service data verification platform according to claim 9, wherein when verifying whether the service account corresponding to the encrypted service data exists in each piece of stored registration information by using the verification module, the method for obtaining the matched service registration data from the service registration data corresponding to the first verification information and obtaining the service account in the matched service registration data includes:
the ciphertext fragment of the second verification information in the encrypted service data is used as a keyword, and service registration data matched with the second verification information is obtained from the screened service registration data corresponding to the first verification information;
and obtaining the service account in the service registration data matched with the second verification information.
11. The service data verification platform according to claim 7 or 10, further comprising: a service message generation module for generating a service message based on the first verification information and the service account after the matched service account is determined.
12. A computer system, comprising:
a storage device for storing at least one program;
an interface device;
processing means connected to said storage means and interface means, wherein said processing means is integrated with a trusted processing environment, said processing environment executing the method for verifying service data according to any one of claims 1 to 6 in accordance with the stored at least one program.
13. A computer readable storage medium storing computer instructions which, when invoked, participate in performing the method of verifying service data as claimed in any one of claims 1 to 6.
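The two-stage lookup of claims 1, 4 and 5 (screen the stored registrations by the first verification information, then match on the second), sketched as an added example that is not code from the patent. It assumes additive secret sharing modulo a prime as the "privacy encryption", a masked equality test computed on fragments only, and service accounts kept as a plain row index; all names and sample values are constructed.

```python
import hashlib
import secrets

P = 2**127 - 1   # prime modulus for the sharing field (assumed parameter)
N_NODES = 3      # number of storage nodes (assumed)

def encode(value):
    """Map verification information to a field element."""
    return int.from_bytes(hashlib.sha256(value.encode()).digest(), "big") % P

def split(x, n=N_NODES):
    """'Privacy encryption' (assumed scheme): n random fragments summing to x mod P."""
    parts = [secrets.randbelow(P) for _ in range(n - 1)]
    return parts + [(x - sum(parts)) % P]

class Platform:
    def __init__(self):
        self.accounts = []                          # row id -> service account
        self.nodes = [[] for _ in range(N_NODES)]   # node -> rows of (first, second) fragments

    def register(self, account, first, second):
        self.accounts.append(account)
        rows = zip(split(encode(first)), split(encode(second)))
        for node, fragments in zip(self.nodes, rows):
            node.append(fragments)                  # each node holds one fragment per field

    def _match(self, rows, field, query):
        """Rows whose stored value equals the query, tested on fragments only."""
        hits = []
        for row in rows:
            r = 1 + secrets.randbelow(P - 1)        # nonzero mask shared by the nodes
            # Each node contributes r * (its stored fragment - its query fragment).
            masked = [r * (node[row][field] - q) for node, q in zip(self.nodes, query)]
            if sum(masked) % P == 0:                # zero only when the values are equal
                hits.append(row)
        return hits

    def verify(self, first, second):
        """Return the matched service account, or None if verification fails."""
        q1, q2 = split(encode(first)), split(encode(second))
        candidates = self._match(range(len(self.accounts)), 0, q1)   # screening step
        matched = self._match(candidates, 1, q2)                     # matching step
        return self.accounts[matched[0]] if matched else None

def demo():
    p = Platform()   # constructed sample registrations sharing one first-stage value
    p.register("acct-001", "phone:13800000000", "pin:4821")
    p.register("acct-002", "phone:13800000000", "pin:7755")
    return p.verify("phone:13800000000", "pin:7755"), p.verify("phone:13800000000", "pin:0000")
```

Because the mask is nonzero and the modulus is prime, the combined value is zero exactly when the stored and queried values are equal, and a uniformly random nonzero element otherwise, so a mismatch reveals nothing about the stored value.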
CN201910523115.1A 2019-05-08 2019-06-17 Service data verification method and verification platform Active CN111915306B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2019103812070 2019-05-08
CN201910381207 2019-05-08

Publications (2)

Publication Number Publication Date
CN111915306A CN111915306A (en) 2020-11-10
CN111915306B true CN111915306B (en) 2023-12-19

Family

ID=73241795

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201910523115.1A Active CN111915306B (en) 2019-05-08 2019-06-17 Service data verification method and verification platform
CN201910523129.3A Pending CN111914264A (en) 2019-05-08 2019-06-17 Index creation method and device, and data verification method and device

Country Status (1)

Country Link
CN (2) CN111915306B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112434125A (en) * 2020-11-30 2021-03-02 中国人寿保险股份有限公司 Index structure, and method, device and equipment for searching unstructured data
CN114090638B (en) * 2022-01-20 2022-04-22 支付宝(杭州)信息技术有限公司 Combined data query method and device based on privacy protection
CN114581095A (en) * 2022-03-16 2022-06-03 网银在线(北京)科技有限公司 Payment method, collection terminal and system
CN117499569A (en) * 2022-07-26 2024-02-02 中兴通讯股份有限公司 Video call method, electronic device and storage medium
CN114996748B (en) * 2022-08-04 2022-10-28 广州市森锐科技股份有限公司 Paperless application management method and device, computer equipment and storage medium
CN115329390B (en) * 2022-10-18 2023-03-24 北京锘崴信息科技有限公司 Financial privacy information security auditing method and device based on privacy protection calculation

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1052582A2 (en) * 1999-05-13 2000-11-15 Xerox Corporation Method for enabling privacy and trust in electronic communities
CN102176694A (en) * 2011-03-14 2011-09-07 张龙其 Fingerprint module with encryption unit
KR20140070143A (en) * 2012-11-30 2014-06-10 주식회사 하나은행 User terminal and password registration apparatus
CA3123658A1 (en) * 2015-07-21 2017-01-26 10353744 Canada Ltd. Online transaction method, device and system
WO2017069950A1 (en) * 2015-10-23 2017-04-27 Mastercard International Incorporated Biometric verification systems and methods for payment transactions
CN107181714A (en) * 2016-03-09 2017-09-19 阿里巴巴集团控股有限公司 Verification method and device, the generation method of service code and device based on service code
CN107465730A (en) * 2017-07-26 2017-12-12 深圳市金立通信设备有限公司 A kind of service request method and terminal
CN108446680A (en) * 2018-05-07 2018-08-24 西安电子科技大学 A kind of method for secret protection in face authentication system based on edge calculations
CN108667605A (en) * 2018-04-25 2018-10-16 拉扎斯网络科技(上海)有限公司 A kind of data encryption, decryption method and device
CN108737442A (en) * 2018-06-12 2018-11-02 北京多采多宜网络科技有限公司 A kind of cryptographic check processing method
WO2019067357A1 (en) * 2017-09-29 2019-04-04 Alibaba Group Holding Limited Fourth Floor, One Capital Place Data storage method, data query method and apparatuses
CN109711184A (en) * 2018-12-28 2019-05-03 国网电子商务有限公司 Block chain data access control method and device based on attribute encryption

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102572314B (en) * 2011-12-22 2015-01-14 格科微电子(上海)有限公司 Image sensor and payment authentication method
EP2639997B1 (en) * 2012-03-15 2014-09-03 ATS Group (IP Holdings) Limited Method and system for secure access of a first computer to a second computer
US9432188B2 (en) * 2012-07-05 2016-08-30 Nippon Telegraph And Telephone Corporation Secret sharing system, data distribution apparatus, distributed data transform apparatus, secret sharing method and program
US20170277774A1 (en) * 2012-10-30 2017-09-28 FHOOSH, Inc. Systems and methods for secure storage of user information in a user profile
JP6040313B2 (en) * 2013-08-22 2016-12-07 日本電信電話株式会社 Multi-party secure authentication system, authentication server, multi-party secure authentication method and program
JP6017392B2 (en) * 2013-09-27 2016-11-02 株式会社東芝 Information processing apparatus, host device, and system
US9256549B2 (en) * 2014-01-17 2016-02-09 Netapp, Inc. Set-associative hash table organization for efficient storage and retrieval of data in a storage system
JP2017519433A (en) * 2014-05-30 2017-07-13 クアルコム,インコーポレイテッド Multi-table hash-based lookup for packet processing
EP3218800B1 (en) * 2014-11-12 2023-06-07 David CEREZO SANCHEZ Secure multiparty computation on spreadsheets
US10740733B2 (en) * 2017-05-25 2020-08-11 Oracle International Corporaton Sharded permissioned distributed ledgers
US10826707B2 (en) * 2017-10-16 2020-11-03 Assa Abloy Ab Privacy preserving tag

Also Published As

Publication number Publication date
CN111914264A (en) 2020-11-10
CN111915306A (en) 2020-11-10

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant