CN112199661A - Privacy protection-based equipment identity processing method, device and equipment - Google Patents


Info

Publication number: CN112199661A
Authority: CN (China)
Prior art keywords: equipment, information, identity information, terminal, server
Legal status: Pending
Application number: CN202011255452.6A
Other languages: Chinese (zh)
Inventors: 孙宜进, 辛知
Current Assignee: Alipay Hangzhou Information Technology Co Ltd
Original Assignee: Alipay Hangzhou Information Technology Co Ltd
Application filed by Alipay Hangzhou Information Technology Co Ltd
Priority to CN202011255452.6A
Publication of CN112199661A

Classifications

    • G06F21/445 Program or device authentication by mutual authentication, e.g. between devices or programs (G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals › G06F21/44 Program or device authentication)
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints (G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals › G06F21/31 User authentication)
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes (G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F21/60 Protecting data › G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules › G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database)

Abstract

The embodiment of the specification discloses a privacy protection-based equipment identity processing method, a privacy protection-based equipment identity processing device and equipment, which are applied to terminal equipment with a trusted execution environment, and the method comprises the following steps: detecting whether a trusted execution environment of the terminal equipment contains equipment identity information of the terminal equipment; if the trusted execution environment does not contain the equipment identity information of the terminal equipment, sending a creation request of the equipment identity information of the terminal equipment to the server so that the server generates first verification information aiming at the terminal equipment based on the creation request; when first verification information of the terminal equipment sent by the server is received, obtaining verification information of the terminal equipment, sending the verification information of the terminal equipment to the server so that the server verifies the verification information, and generating equipment identity information for the terminal equipment after the verification is passed; and receiving the equipment identity information sent by the server, and storing the equipment identity information in the trusted execution environment.

Description

Privacy protection-based equipment identity processing method, device and equipment
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a method, an apparatus, and a device for processing an equipment identity based on privacy protection.
Background
With the rapid rise of mobile internet finance, the black-market ("black industry") chain that parasitizes it has also spread widely. Driven by the large profits available, the corresponding fraud techniques have developed rapidly, and part of that industry defrauds enterprises of promotional and marketing spend, goods and loans through advertising traffic fraud, fake transactions, forged identities, financial credit fraud and the like.
The device fingerprint is a core basic component of risk-control systems and of various anti-cheating systems, and plays an important role in countering this fraud. A device fingerprint is generated for each terminal device by collecting characteristic attributes of the terminal device and combining them with a specific algorithm. However, as operating system vendors strengthen the protection of data privacy, the non-resettable device identifiers relied on by the device fingerprint (MAC address, IMEI, Device ID, etc.) become harder to obtain and their acquisition is randomized, which makes the characteristic attributes of the terminal device harder to collect. Because the processing that generates the device fingerprint, and that generates the device identifier the fingerprint requires, is performed in the REE, the device fingerprint is easily attacked: new device fingerprints can be generated repeatedly on the same terminal device by tampering with its device identifier, modifying its IP address or refreshing its system parameters, so the accuracy of the device fingerprint obtained for the terminal device is reduced. A technical scheme that acquires the device fingerprint of a terminal device with higher accuracy therefore needs to be provided.
Disclosure of Invention
The purpose of the embodiments of the present description is to provide a technical solution for obtaining a device fingerprint of a terminal device with higher accuracy.
In order to implement the above technical solution, the embodiments of the present specification are implemented as follows:
an apparatus identity processing method based on privacy protection provided in an embodiment of the present specification is applied to a terminal apparatus provided with a trusted execution environment, and the method includes: and detecting whether the trusted execution environment of the terminal equipment contains the equipment identity information of the terminal equipment. If the trusted execution environment does not contain the equipment identity information of the terminal equipment, sending a creation request of the equipment identity information of the terminal equipment to a server so that the server generates first verification information aiming at the terminal equipment based on the creation request. When first verification information of the terminal equipment sent by the server is received, verification information of the terminal equipment is obtained, the verification information of the terminal equipment is sent to the server, so that the server verifies the verification information, and after the verification is passed, equipment identity information is generated for the terminal equipment. And receiving the equipment identity information sent by the server, and storing the equipment identity information in the trusted execution environment.
An apparatus identity processing method based on privacy protection provided by an embodiment of the present specification is applied to a server, and the method includes: receiving a creation request of equipment identity information sent by a terminal device, wherein the creation request is sent when the terminal device detects that the trusted execution environment of the terminal device does not contain the equipment identity information of the terminal device. Generating first verification information aiming at the terminal equipment based on the creation request, and sending the first verification information to the terminal equipment; receiving verification information sent by the terminal equipment, verifying the verification information, and generating equipment identity information for the terminal equipment if the verification is passed; and sending the equipment identity information to the terminal equipment so that the terminal equipment stores the equipment identity information in the trusted execution environment.
An apparatus identity processing method based on privacy protection provided in an embodiment of the present specification is applied to a terminal apparatus provided with a trusted execution environment, and the method includes: detecting whether a trusted execution environment of the terminal equipment contains equipment identity information of the terminal equipment; if the trusted execution environment does not contain the equipment identity information of the terminal equipment, sending a creation request of the equipment identity information of the terminal equipment to a server so that the server generates the equipment identity information for the terminal equipment based on the creation request, wherein the equipment identity information is information which is generated by the server based on a preset algorithm and uniquely identifies the terminal equipment, and data used for generating the equipment identity information does not contain the equipment attribute information of the terminal equipment and the personal information of a user of the terminal equipment; and receiving the equipment identity information sent by the server, and storing the equipment identity information in the trusted execution environment.
An apparatus identity processing method based on privacy protection provided by an embodiment of the present specification is applied to a server, and the method includes: receiving a creation request of equipment identity information sent by a terminal device, wherein the creation request is sent when the terminal device detects that the trusted execution environment of the terminal device does not contain the equipment identity information of the terminal device; generating the equipment identity information for the terminal equipment through a preset algorithm based on the creation request, wherein data used for generating the equipment identity information does not contain equipment attribute information of the terminal equipment and personal information of a user of the terminal equipment; and sending the equipment identity information to the terminal equipment so that the terminal equipment stores the equipment identity information in the trusted execution environment.
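The four method summaries above describe one enrolment exchange between a terminal with a TEE and a server: the terminal checks its TEE for an identity, sends a creation request, the server returns first verification information, the terminal answers, the server verifies and issues an identity that is not derived from device attributes or personal data, and the terminal stores it in the TEE. The following is an added simulation of that exchange; it is not code from the patent or from the assignee. The patent does not say what the verification information consists of, so this example assumes a per-device attestation key provisioned into the TEE and shared with the server, with the terminal answering the server's random challenge by an HMAC over it; the registration identifier `reg_id`, the `TeeStore` class and the in-memory dictionaries are likewise assumptions.

```python
"""Added example (not from the patent): simulation of the TEE-backed device
identity enrolment flow summarised in the description."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class TeeStore:
    """Stand-in for the secure storage of the trusted execution environment.
    ASSUMPTION: the TEE holds a per-device attestation key shared with the
    server at provisioning time; the patent leaves the content of the
    'verification information' unspecified."""
    attestation_key: bytes
    device_identity: Optional[str] = None


class Server:
    """Server side: one challenge per creation request, verification of the
    terminal's answer, then an identity produced from server-side randomness
    only (no device attribute, no user data enters the computation)."""

    def __init__(self, provisioned_keys: dict):
        self._keys = provisioned_keys      # reg_id -> attestation key (assumed provisioning record)
        self._pending: dict = {}           # reg_id -> outstanding challenge
        self.issued: dict = {}             # reg_id -> issued device identity

    def handle_creation_request(self, reg_id: str) -> bytes:
        if reg_id not in self._keys:
            raise PermissionError("unknown registration id")
        challenge = secrets.token_bytes(32)     # the 'first verification information'
        self._pending[reg_id] = challenge
        return challenge

    def verify_and_issue(self, reg_id: str, proof: bytes) -> Optional[str]:
        # The challenge is consumed on first use, so a replayed proof is refused.
        challenge = self._pending.pop(reg_id, None)
        if challenge is None:
            return None
        expected = hmac.new(self._keys[reg_id], challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return None
        identity = secrets.token_hex(16)        # 'preset algorithm' here: a CSPRNG
        self.issued[reg_id] = identity
        return identity


class Terminal:
    def __init__(self, reg_id: str, tee: TeeStore):
        self.reg_id = reg_id
        self.tee = tee

    def _answer_challenge(self, challenge: bytes) -> bytes:
        # Computed inside the TEE: the attestation key never reaches the REE.
        return hmac.new(self.tee.attestation_key, challenge, hashlib.sha256).digest()

    def ensure_identity(self, server: Server) -> str:
        """Detect, request, answer, receive, store (the sequence from step S102 on)."""
        if self.tee.device_identity is not None:
            return self.tee.device_identity          # already enrolled: no request is sent
        challenge = server.handle_creation_request(self.reg_id)
        proof = self._answer_challenge(challenge)
        identity = server.verify_and_issue(self.reg_id, proof)
        if identity is None:
            raise RuntimeError("server rejected the verification information")
        self.tee.device_identity = identity
        return identity


def demo() -> dict:
    """Runs the flow on constructed sample data and returns what happened."""
    key = secrets.token_bytes(32)
    server = Server({"reg-1": key})
    terminal = Terminal("reg-1", TeeStore(attestation_key=key))
    first = terminal.ensure_identity(server)
    second = terminal.ensure_identity(server)       # served from the TEE store
    # Replaying the proof of an already-consumed challenge is refused.
    challenge = server.handle_creation_request("reg-1")
    proof = hmac.new(key, challenge, hashlib.sha256).digest()
    assert server.verify_and_issue("reg-1", proof) is not None
    replay_refused = server.verify_and_issue("reg-1", proof) is None
    # A terminal whose TEE key does not match the provisioned key is refused.
    rogue = Terminal("reg-1", TeeStore(attestation_key=secrets.token_bytes(32)))
    try:
        rogue.ensure_identity(server)
        rogue_refused = False
    except RuntimeError:
        rogue_refused = True
    return {"first": first, "second": second,
            "replay_refused": replay_refused, "rogue_refused": rogue_refused}


if __name__ == "__main__":
    print(demo())
```

The point of the check in `ensure_identity` is that, once an identity is stored in the TEE, the terminal never re-enters the request path, so the identity cannot be regenerated from the REE by changing identifiers, IP address or system parameters; the server-side identity is random rather than computed from device attributes, which is what keeps it free of the personal and device data the description excludes.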
An apparatus for processing an equipment identity based on privacy protection provided by an embodiment of this specification, a trusted execution environment is provided in the apparatus, and the apparatus includes: the information detection module detects whether the trusted execution environment of the device contains the equipment identity information of the device. A creation request module that, if the device identity information of the apparatus is not included in the trusted execution environment, sends a creation request of the device identity information of the apparatus to a server, so that the server generates first authentication information for the apparatus based on the creation request. And the verification information acquisition module is used for acquiring the verification information of the device when receiving the first verification information of the device sent by the server, sending the verification information of the device to the server so as to enable the server to verify the verification information, and generating the equipment identity information for the device after the verification is passed. And the equipment identity acquisition module is used for receiving the equipment identity information sent by the server and storing the equipment identity information in the trusted execution environment.
An apparatus for processing an equipment identity based on privacy protection provided by an embodiment of the present specification, the apparatus includes: the terminal device comprises a creation request receiving module for receiving a creation request of device identity information sent by a terminal device, wherein the creation request is sent when the terminal device detects that the trusted execution environment of the terminal device does not contain the device identity information of the terminal device. And the first information generation module generates first verification information aiming at the terminal equipment based on the creation request and sends the first verification information to the terminal equipment. And the first checking module is used for receiving the checking information sent by the terminal equipment, checking the checking information, and generating the equipment identity information for the terminal equipment if the checking is passed. And the equipment identity sending module is used for sending the equipment identity information to the terminal equipment so that the terminal equipment stores the equipment identity information in the trusted execution environment.
An apparatus for processing an equipment identity based on privacy protection provided by an embodiment of this specification, a trusted execution environment is provided in the apparatus, and the apparatus includes: a detection module that detects whether device identity information of the apparatus is included in a trusted execution environment of the apparatus. And if the trusted execution environment does not contain the equipment identity information of the device, sending a creation request of the equipment identity information of the device to a server, so that the server generates the equipment identity information for the device based on the creation request, wherein the equipment identity information is information which is generated by the server based on a preset algorithm and uniquely identifies the device, and data used for generating the equipment identity information does not contain the equipment attribute information of the device and the personal information of the user of the device. And the equipment identity receiving module is used for receiving the equipment identity information sent by the server and storing the equipment identity information in the trusted execution environment.
An apparatus for processing an equipment identity based on privacy protection provided by an embodiment of the present specification, the apparatus includes: the terminal device comprises a creation request receiving module for receiving a creation request of device identity information sent by a terminal device, wherein the creation request is sent when the terminal device detects that the trusted execution environment of the terminal device does not contain the device identity information of the terminal device. And the equipment identity generating module is used for generating the equipment identity information for the terminal equipment through a preset algorithm based on the creating request, wherein the data used for generating the equipment identity information does not contain the equipment attribute information of the terminal equipment and the personal information of the user of the terminal equipment. And the equipment identity sending module is used for sending the equipment identity information to the terminal equipment so that the terminal equipment stores the equipment identity information in the trusted execution environment.
An embodiment of this specification provides an equipment identity processing equipment based on privacy protection, equipment identity processing equipment based on privacy protection is provided with trusted execution environment, includes: a processor; and a memory arranged to store computer executable instructions that, when executed, cause the processor to: detecting whether the trusted execution environment of the device contains device identity information of the device. If the trusted execution environment does not contain the equipment identity information of the equipment, sending a creation request of the equipment identity information of the equipment to a server so as to enable the server to generate first verification information aiming at the equipment based on the creation request. When first verification information of the equipment sent by the server is received, verification information of the equipment is obtained, the verification information of the equipment is sent to the server, so that the server verifies the verification information, and after the verification is passed, equipment identity information is generated for the equipment. And receiving the equipment identity information sent by the server, and storing the equipment identity information in the trusted execution environment.
An apparatus identity processing apparatus based on privacy protection provided in an embodiment of this specification, the apparatus identity processing apparatus based on privacy protection includes: a processor; and a memory arranged to store computer executable instructions that, when executed, cause the processor to: receiving a creation request of equipment identity information sent by a terminal device, wherein the creation request is sent when the terminal device detects that the trusted execution environment of the terminal device does not contain the equipment identity information of the terminal device. And generating first verification information aiming at the terminal equipment based on the creation request, and sending the first verification information to the terminal equipment. And receiving verification information sent by the terminal equipment, verifying the verification information, and generating the equipment identity information for the terminal equipment if the verification is passed. And sending the equipment identity information to the terminal equipment so that the terminal equipment stores the equipment identity information in the trusted execution environment.
An embodiment of this specification provides an equipment identity processing equipment based on privacy protection, equipment identity processing equipment based on privacy protection is provided with trusted execution environment, includes: a processor; and a memory arranged to store computer executable instructions that, when executed, cause the processor to: detecting whether the trusted execution environment of the device contains device identity information of the device. If the trusted execution environment does not contain the equipment identity information of the equipment, sending a creation request of the equipment identity information of the equipment to a server, so that the server generates the equipment identity information for the equipment based on the creation request, wherein the equipment identity information is information which is generated by the server based on a preset algorithm and uniquely identifies the equipment, and the data used for generating the equipment identity information does not contain the equipment attribute information of the equipment and the personal information of the user of the equipment. And receiving the equipment identity information sent by the server, and storing the equipment identity information in the trusted execution environment.
An apparatus identity processing apparatus based on privacy protection provided in an embodiment of this specification, the apparatus identity processing apparatus based on privacy protection includes: a processor; and a memory arranged to store computer executable instructions that, when executed, cause the processor to: receiving a creation request of equipment identity information sent by a terminal device, wherein the creation request is sent when the terminal device detects that the trusted execution environment of the terminal device does not contain the equipment identity information of the terminal device. And generating the equipment identity information for the terminal equipment through a preset algorithm based on the creation request, wherein data used for generating the equipment identity information does not contain equipment attribute information of the terminal equipment and personal information of a user of the terminal equipment. And sending the equipment identity information to the terminal equipment so that the terminal equipment stores the equipment identity information in the trusted execution environment.
Embodiments of the present specification also provide a storage medium, where the storage medium is used to store computer-executable instructions, and the executable instructions, when executed, implement the following processes: whether the trusted execution environment of the terminal equipment contains the equipment identity information of the terminal equipment is detected. If the trusted execution environment does not contain the equipment identity information of the terminal equipment, sending a creation request of the equipment identity information of the terminal equipment to a server so that the server generates first verification information aiming at the terminal equipment based on the creation request. When first verification information of the terminal equipment sent by the server is received, verification information of the terminal equipment is obtained, the verification information of the terminal equipment is sent to the server, so that the server verifies the verification information, and after the verification is passed, equipment identity information is generated for the terminal equipment. And receiving the equipment identity information sent by the server, and storing the equipment identity information in the trusted execution environment.
Embodiments of the present specification also provide a storage medium, where the storage medium is used to store computer-executable instructions, and the executable instructions, when executed, implement the following processes: receiving a creation request of equipment identity information sent by a terminal device, wherein the creation request is sent when the terminal device detects that the trusted execution environment of the terminal device does not contain the equipment identity information of the terminal device. And generating first verification information aiming at the terminal equipment based on the creation request, and sending the first verification information to the terminal equipment. And receiving verification information sent by the terminal equipment, verifying the verification information, and generating the equipment identity information for the terminal equipment if the verification is passed. And sending the equipment identity information to the terminal equipment so that the terminal equipment stores the equipment identity information in the trusted execution environment.
Embodiments of the present specification also provide a storage medium, where the storage medium is used to store computer-executable instructions, and the executable instructions, when executed, implement the following processes: whether the trusted execution environment of the terminal equipment contains the equipment identity information of the terminal equipment is detected. If the trusted execution environment does not contain the equipment identity information of the terminal equipment, sending a creation request of the equipment identity information of the terminal equipment to a server so that the server generates the equipment identity information for the terminal equipment based on the creation request, wherein the equipment identity information is information which is generated by the server based on a preset algorithm and uniquely identifies the terminal equipment, and data used for generating the equipment identity information does not contain the equipment attribute information of the terminal equipment and the personal information of a user of the terminal equipment. And receiving the equipment identity information sent by the server, and storing the equipment identity information in the trusted execution environment.
Embodiments of the present specification also provide a storage medium, where the storage medium is used to store computer-executable instructions, and the executable instructions, when executed, implement the following processes: receiving a creation request of equipment identity information sent by a terminal device, wherein the creation request is sent when the terminal device detects that the trusted execution environment of the terminal device does not contain the equipment identity information of the terminal device. And generating the equipment identity information for the terminal equipment through a preset algorithm based on the creation request, wherein data used for generating the equipment identity information does not contain equipment attribute information of the terminal equipment and personal information of a user of the terminal equipment. And sending the equipment identity information to the terminal equipment so that the terminal equipment stores the equipment identity information in the trusted execution environment.
Drawings
In order to more clearly illustrate the embodiments of the present specification or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, it is obvious that the drawings in the following description are only some embodiments described in the present specification, and for those skilled in the art, other drawings can be obtained according to the drawings without any creative effort.
FIG. 1A is a diagram illustrating an embodiment of a method for processing an equipment identity based on privacy protection according to the present disclosure;
FIG. 1B is a schematic diagram of a device identity processing procedure based on privacy protection according to the present disclosure;
FIG. 2 is a schematic diagram of a system for privacy-based device identity handling according to the present disclosure;
FIG. 3 is a schematic diagram of another privacy protection-based device identity handling process described herein;
FIG. 4A is a diagram illustrating another embodiment of a method for handling device identities based on privacy protection according to the present disclosure;
FIG. 4B is a diagram illustrating another privacy protection-based device identity handling process according to the present disclosure;
FIG. 5 is a schematic diagram of another privacy protection-based device identity handling process described herein;
FIG. 6 is a schematic diagram of a device identity handling process based on privacy protection according to another embodiment of the present disclosure;
FIG. 7A is a diagram illustrating another embodiment of a method for handling device identities based on privacy protection according to the present disclosure;
FIG. 7B is a diagram illustrating another privacy protection-based device identity handling process according to the present disclosure;
FIG. 8A is a diagram illustrating another embodiment of a method for handling device identities based on privacy protection according to the present disclosure;
FIG. 8B is a schematic diagram of another privacy protection-based device identity handling process described herein;
FIG. 9 is an embodiment of a device identity processing apparatus based on privacy protection according to the present disclosure;
FIG. 10 is a diagram illustrating another embodiment of a device identity handling apparatus based on privacy protection according to the present disclosure;
FIG. 11 is a block diagram illustrating an embodiment of an apparatus for identity handling based on privacy protection;
FIG. 12 is a block diagram of another embodiment of a device identity handling apparatus based on privacy protection according to the present disclosure;
FIG. 13 is an embodiment of a device identity processing device based on privacy protection according to the present specification.
Detailed Description
The embodiment of the specification provides a privacy protection-based equipment identity processing method, device and equipment.
In order to make those skilled in the art better understand the technical solutions in the present specification, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only a part of the embodiments of the present specification, and not all of the embodiments. All other embodiments obtained by a person skilled in the art based on the embodiments in the present specification without any inventive step should fall within the scope of protection of the present specification.
Example one
As shown in FIG. 1A and FIG. 1B, an embodiment of the present specification provides an apparatus identity processing method based on privacy protection, where the execution subject of the method may be a terminal apparatus; the terminal apparatus may be a computer apparatus such as a notebook computer or a desktop computer, or a mobile terminal apparatus such as a mobile phone or a tablet computer. The terminal device may be provided with a trusted execution environment, which may be a TEE (Trusted Execution Environment). The trusted execution environment may be implemented by a program written in a predetermined programming language (that is, in software form) or in a combined software and hardware form, and may be a secure operating environment for performing data processing. The method may specifically comprise the following steps:
in step S102, it is detected whether the trusted execution environment of the terminal device includes the device identity information of the terminal device.
The trusted execution environment of the TEE may be a data processing environment that is secure and isolated from other environments, that is, a process executed in the trusted execution environment, and data and the like generated in the data processing process cannot be accessed by other execution environments or application programs outside the executable environment. The trusted execution environment of the TEE may be implemented by creating a small operating system that may run independently in a trusted zone (e.g., TrustZone, etc.), and the TEE may directly provide services in the form of system calls (e.g., handled directly by the TrustZone kernel). The terminal device may include an REE (rich execution environment) and a TEE, an operating system installed in the terminal device may be run under the REE, such as an Android operating system, an iOS operating system, a Windows operating system, a Linux operating system, and the like, and the REE may have characteristics of strong function, good openness and extensibility, and may provide all functions of the terminal device, such as a camera function, a touch function, and the like, for an upper application program. The TEE has its own execution space, that is, there is an operating system under the TEE, the TEE has a higher security level than the REE, software and hardware resources in the terminal equipment which can be accessed by the TEE are separated from the REE, but the TEE can directly acquire the information of the REE, and the REE cannot acquire the information of the TEE. The TEE can perform authentication and other processing through the provided interface, so that user information (such as payment information, user privacy information and the like) cannot be tampered, passwords cannot be hijacked, and information such as fingerprints or faces cannot be stolen. 
The device identity information may be information capable of uniquely identifying the terminal device, for example a device fingerprint; in this embodiment the device identity information is not constructed from device attributes of the terminal device (e.g., an IMEI, a device ID, a MAC address, an IP address, etc.).
In implementation, with the rapid rise of the mobile internet finance industry, the black industry (the fraud industry) that parasitizes it has become rampant. Lured by illicit profits, the corresponding fraud techniques have also developed rapidly, and part of the black industry defrauds enterprises of promotion and marketing expenses, commodities and loans through advertising traffic fraud, false transactions, forged identities, financial credit fraud and the like.
Device fingerprints are a core basic component of risk control systems and of various anti-cheating systems, and play an important role in combating the black industry. A device fingerprint is mainly generated for each terminal device by collecting characteristic attributes of the terminal device and combining them with a specific algorithm. However, as operating system vendors strengthen the protection of data privacy, the non-resettable device identifiers (MAC address, IMEI, device ID, etc.) that device fingerprints rely on become harder to acquire, and the randomization of identifier acquisition makes collecting the characteristic attributes of the terminal device more difficult still. Because both the generation of the device fingerprint and the acquisition of the device identifiers it requires are performed in the REE, the device fingerprint is easily attacked by the black industry: new device fingerprints can be generated continuously on the same terminal device by tampering with the device identifier, modifying the IP address or refreshing the system parameters of the terminal device, which reduces the accuracy of the device fingerprint obtained for the terminal device. Based on this, a technical scheme that acquires the device fingerprint of the terminal device with higher accuracy needs to be provided. The embodiment of the present specification provides an optional processing scheme, which may specifically include the following:
when a user needs to execute a certain service, and the device identity information (which may also be referred to as a device fingerprint) of the terminal device used by the user is needed during execution of the service, it may be detected whether the device identity information of the terminal device is stored in the trusted execution environment of that terminal device. In this embodiment, in order to ensure the security of the device identity information and prevent it from being tampered with or leaked, the device identity information may be stored in the trusted execution environment (TEE) of the terminal device; since the TEE and the REE are separated from each other, device identity information stored in the TEE is better protected against tampering and leakage than device identity information stored in the REE. Based on the above, when a user needs to execute a certain service, a corresponding application program in the terminal device may be started and the service execution triggered by it. Since the device identity information is needed while executing the service, the terminal device may detect whether the trusted execution environment contains the device identity information of the terminal device; if it does, the device identity information may be extracted from the trusted execution environment and the service processing continued based on it.
If the device identity information of the terminal device is not contained in the trusted execution environment, this indicates that the terminal device has not yet created device identity information, and the following processing of step S104 may be executed.
In step S104, if the device identity information of the terminal device is not contained in the trusted execution environment, a creation request for the device identity information of the terminal device is sent to the server, so that the server generates first verification information for the terminal device based on the creation request.
The first verification information may be verification information created by the server for a terminal device that needs to create device identity information, and may serve as a permission or notification for creating the device identity information of the terminal device. It may be implemented in various ways, for example as a challenge code or a random number, and may be formed from one or more of numbers, text, symbols and the like.
In implementation, as shown in fig. 2, if it is detected that the trusted execution environment does not store the device identity information of the terminal device, this indicates that the terminal device has not yet created device identity information, and a creation request for the device identity information of the terminal device may be sent to the server to request that the server create device identity information for the terminal device. After receiving the creation request, the server may determine whether to create device identity information for the terminal device; for example, it may determine whether the terminal device is in a preset blacklist, create the device identity information if it is not, and refuse to create it if it is, which may be set according to the actual situation. If it is determined that device identity information can be created for the terminal device, first verification information for the terminal device can be generated based on the creation request, indicating that the server allows the terminal device to create device identity information, and the first verification information can then be transmitted to the terminal device.
In step S106, when first verification information of the terminal device sent by the server is received, the verification information of the terminal device is obtained, and the verification information of the terminal device is sent to the server, so that the server verifies the verification information, and after the verification passes, device identity information is generated for the terminal device.
The verification information of the terminal device may be information used to verify the identity of the terminal device and may be of multiple types; for example, it may include the first verification information, a verification key agreed in advance by the server and the terminal device (for example, a public key and a private key on the server side and a public key and a private key on the terminal device side, or a digital certificate of the server and a digital certificate of the terminal device, as set according to the actual situation), and other related information, which may be set according to the actual situation and is not limited in this embodiment of the description.
In implementation, if the terminal device receives the first verification information sent by the server, this indicates that the server allows the terminal device to create device identity information. The terminal device may then execute the creation process pre-agreed with the server: specifically, it may obtain its verification information, where the information making up the verification information may be stored in the trusted execution environment to ensure its security, and the verification key pre-agreed between the server and the terminal device may likewise be stored in the trusted execution environment; based on this, the terminal device may extract the relevant information from its storage and from the trusted execution environment and use the extracted information as the verification information. The terminal device may then transmit the verification information to the server.
After receiving the verification information of the terminal device, the server may verify it based on a preset algorithm. For example, a key included in the verification information may be verified by encryption and/or decryption; for the first verification information included in the verification information, its authenticity may be verified by checking whether it is recorded in the server or by a predetermined information verification mechanism; for information such as a random number included in the verification information, whether the random number was generated by the terminal device may be verified by a predetermined random number verification mechanism. The verification information may be verified in these ways to obtain a corresponding verification result. It should be noted that the above are only some optional manners of verifying the verification information; in practical applications the verification information may include other types of information, and the corresponding verification may be implemented in other manners, which may be set according to the actual situation and is not limited in this embodiment of the present specification.
If the server's verification of the verification information of the terminal device passes, the server may generate device identity information for the terminal device. The information used when generating the device identity information includes neither device attributes of the terminal device (such as its IMEI, device ID, MAC address, IP address, etc.) nor personal information of the user of the terminal device (such as the user's identification number, mobile phone number, etc.). The server may generate the device identity information in various ways; specifically, the server may obtain the current time (or date), the identifier of the application program performing the service processing, the sequence number of the device identity information being generated, a verification code for the device identity information, and the like, generate the device identity information based on the obtained information, and send the generated device identity information to the terminal device.
In step S108, the device identity information sent by the server is received, and the device identity information is stored in the trusted execution environment.
In implementation, the terminal device may receive the device identity information sent by the server, the terminal device may be provided with a verification algorithm, authenticity verification may be performed on the device identity information through the verification algorithm, if verification passes, it is indicated that the device identity information is authentic and valid, and at this time, the device identity information may be stored in a trusted execution environment.
The embodiment of the specification provides a device identity processing method based on privacy protection, applied to a terminal device provided with a trusted execution environment. It detects whether the trusted execution environment of the terminal device contains the device identity information of the terminal device; if not, it sends a creation request for the device identity information to a server, and the server generates first verification information for the terminal device based on the creation request. When the first verification information sent by the server is received, the terminal device acquires its verification information and sends it to the server; the server verifies the verification information and, after the verification passes, generates device identity information for the terminal device, which the terminal device receives and stores in the trusted execution environment. In this way, neither information about the terminal device nor personal information of the user needs to be acquired, the problems of data acquisition failure and randomization caused by operating system upgrades are solved, and there is no leakage of user data privacy. Because the device identity information is stored in the trusted execution environment, the user is prevented from inadvertently deleting it when uninstalling the application program or re-flashing the system, and the device fingerprint accuracy of the terminal device is improved.
Example two
As shown in fig. 3, the execution subject of the method may be a terminal device, which may be a computer device such as a notebook computer or a desktop computer, or a mobile terminal device such as a mobile phone or a tablet computer. The terminal device may be provided with a trusted execution environment (TEE), which may be implemented by a program written in a predetermined programming language (that is, in software) or in a combination of software and hardware, and which may be a secure operating environment for performing data processing. The method may specifically comprise the steps of:
in step S302, it is detected whether the trusted execution environment of the terminal device includes the device identity information of the terminal device.
For a specific processing procedure of the step S302, reference may be made to relevant contents in the first embodiment, which is not described herein again.
In step S304, if the device identity information of the terminal device is not contained in the trusted execution environment, a creation request for the device identity information of the terminal device is sent to the server, so that the server generates first verification information for the terminal device based on the creation request.
In step S306, upon receiving the first verification information of the terminal device sent by the server, the verification information of the terminal device is acquired.
The verification information of the terminal device may include the first verification information, a first device key corresponding to the terminal device, and a random number. The first device key may be a key for the terminal device agreed in advance by the terminal device and the server, and may be a public key or a private key of the terminal device, as set according to the actual situation; this is not limited in this embodiment. The random number may be a number or a string generated by a preset random processing mechanism, and may be composed of one or more digits, one or more characters, or a combination of digits and characters.
In implementation, for the case where the verification information of the terminal device includes the first verification information, the first device key corresponding to the terminal device and the random number, the first device key corresponding to the terminal device may be stored in the trusted execution environment of the terminal device to ensure its security. In addition, the random number may be stored in the trusted execution environment, or a random number generation mechanism may be set up in the trusted execution environment so that the random number is generated there, which ensures the security of the random number or of the generation mechanism. Based on the above, the terminal device may obtain the first device key and the random number from the trusted execution environment, and may use the received first verification information together with the first device key and the random number from the trusted execution environment as the verification information of the terminal device.
In step S308, the verification information is encrypted with the first service key corresponding to the server, so as to obtain encrypted verification information.
The first service key may be a key for the server agreed in advance by the terminal device and the server, and the first service key may be a public key of the server or a private key of the server, which may be specifically set according to an actual situation, which is not limited in this description embodiment. The first service key may be stored in a trusted execution environment of the terminal device.
In implementation, taking the first service key as the public key of the server as an example, the terminal device may pass the verification information into its trusted execution environment, where it may be encrypted with the first service key corresponding to the server to obtain encrypted verification information. The encryption algorithm used may be any of various algorithms, such as a fully homomorphic encryption algorithm, a homomorphic encryption algorithm, a partially homomorphic encryption algorithm or another encryption algorithm, which may be set according to the actual situation and is not limited in this specification.
In step S310, the encrypted verification information is signed by the second device key corresponding to the terminal device to obtain encrypted signed verification information, the encrypted signed verification information is sent to the server, so that the server verifies the verification information, and after the verification passes, the device identity information is generated for the terminal device.
The second device key may be a key for the terminal device agreed in advance by the terminal device and the server, and the second device key may be a public key of the terminal device or a private key of the terminal device, and in addition, the first device key may be a public key of the terminal device, and the second device key may be a private key of the terminal device, or the first device key may be a private key of the terminal device, and the second device key may be a public key of the terminal device, which may be specifically set according to an actual situation, which is not limited in this description embodiment. The second device key may be stored in a trusted execution environment of the terminal device.
In implementation, the terminal device may pass the verification information into its trusted execution environment, where the encrypted verification information may be signed with the second device key corresponding to the terminal device to obtain encrypted and signed verification information, which may then be sent to the server. After receiving the encrypted and signed verification information, the server may verify it. Specifically, for the case where the verification information of the terminal device includes the first verification information, the first device key corresponding to the terminal device and the random number, the server may decrypt the encrypted and signed verification information; if decryption succeeds, it verifies the signature using the first device key of the terminal device obtained by decryption; if the signature verification succeeds, the server may verify the authenticity of the first verification information and of the random number; and if both pass, the server may generate the device identity information for the terminal device. The device identity information may be information uniquely identifying the terminal device, generated by the server based on a preset algorithm; the data used to generate it includes neither the device attribute information of the terminal device nor the personal information of the user of the terminal device.
In step S312, the device identity information sent by the server is received.
In step S314, first verification information of the terminal device transmitted by the server is received.
In step S316, the first verification information is passed into the trusted execution environment by a first trusted application on the terminal device for performing data security processing.
The first trusted application may be a pre-specified trusted application used to perform data security processing, such as a certain financial payment application, a certain instant messaging application, or a purpose-built application program. It may be an application program that needs to be installed in the terminal device, a code program pre-embedded in a certain hardware component of the terminal device, a program set up as a plug-in that runs in the background of the operating system of the terminal device, and the like, as set according to the actual situation. Alternatively, the first trusted application may be an application program constructed based on a trusted program in the trusted execution environment of the terminal device. The TEE further provides a secure execution environment for authorized secure application programs (which may also be referred to as trusted programs, TrustApps or TAs), and at the same time protects the confidentiality, integrity and access rights of the resources and data of each trusted program. Cryptographic techniques ensure that different trusted programs are isolated, so that no trusted program can arbitrarily read or operate on the data of another; thus, in addition to the TEE and the REE being independent of each other, each trusted program in the TEE must also be authorized and run independently of the others. In addition, a trusted program is integrity-verified before execution to guarantee that it has not been tampered with. A trusted program can interact directly with external devices such as a touch screen, a camera and a fingerprint sensor without an interface being provided through the REE of the terminal device, so that data security is ensured.
The first trusted application may include a client program and a trusted side program, the trusted side program may be a corresponding trusted program in the TEE, and the first trusted application may trigger the corresponding trusted program in the TEE to run, so that the first trusted application and the corresponding trusted program in the TEE may perform secure data transfer with each other.
In step S318, the first verification information is subjected to authenticity verification in the trusted execution environment.
In step S320, if the first verification information passes the authenticity verification, the device identity information is transferred to the trusted execution environment through a first trusted application on the terminal device, and the device identity information is stored in the trusted execution environment.
The device identity information may be obtained by the server encrypting it with the first device key corresponding to the terminal device and signing it with the second service key corresponding to the server; in that case the device identity information may be processed in the following steps A2 to A6.
In step A2, the device identity information is passed into the trusted execution environment by a first trusted application on the terminal device for performing data security processing.
In step A4, in the trusted execution environment, the device identity information is decrypted with the second device key corresponding to the terminal device to obtain decrypted device identity information, and the signature on the device identity information is verified with the first service key corresponding to the server.
In step A6, if the decryption and the signature verification of the device identity information both succeed, the decrypted device identity information is stored in the trusted execution environment.
In addition to the above processing, the processing may also be performed in the manner of steps B2 to B6 described below.
In step B2, second verification information of the terminal device sent by the server is received, where the second verification information is obtained by encrypting the first verification information with the first device key corresponding to the terminal device and performing signature processing with the second service key corresponding to the server.
In step B4, the second verification information is passed into the trusted execution environment by the first trusted application on the terminal device.
In step B6, in the trusted execution environment, the second verification information is decrypted with the second device key corresponding to the terminal device to obtain the first verification information, the authenticity of the first verification information is verified, and the signature on the second verification information is verified with the first service key corresponding to the server.
Based on the above, the processing of step A6 may include: if the decryption and signature verification of both the device identity information and the second verification information succeed and the first verification information passes the authenticity verification, storing the decrypted device identity information in the trusted execution environment.
After the device identity information of the terminal device is set in the trusted execution environment of the terminal device in the above manner, the terminal device may perform corresponding service processing based on the device identity information, which may be specifically referred to in the following processing from step S322 to step S328.
In step S322, it is determined whether the device identity information of the terminal device is included in the trusted execution environment of the terminal device.
In step S324, if the device identity information is included in the trusted execution environment, a use request of the device identity information is sent to the server.
In step S326, when third verification information corresponding to the use request sent by the server is received, the device identity information is obtained from the trusted execution environment, and the device identity information and the third verification information are sent to the server, so that the server verifies the device identity information and the third verification information, and sends a use notification of the device identity information to the terminal device after the verification is passed.
It should be noted that, specific processing manners for sending the device identity information and the third verification information to the server in the processing of step S326 may be various, and an alternative processing manner is provided below, which may be specifically referred to as step C2 and step C4 below.
In step C2, in the trusted execution environment, the device identity information, the third verification information and the first device key corresponding to the terminal device are encrypted with the first service key corresponding to the server to obtain encrypted information, and the encrypted information is signed with the second device key corresponding to the terminal device to obtain encrypted and signed information;
in step C4, the encrypted and signed information is sent to the server.
In step S328, upon receiving the usage notification sent by the server, corresponding service processing is performed based on the device identity information.
Example three
As shown in fig. 4A and 4B, an execution subject of the method may be a server, where the server may be a background server that provides access to a certain service (e.g., a transaction service or a financial service) or a certain object, and specifically, the server may be a server of a payment service, or a server of a service related to financial or instant messaging, for example. A corresponding system for privacy-preserving based device identity handling may be as shown in fig. 2. The method may specifically comprise the steps of:
In step S402, a request to create device identity information is received from the terminal device; the terminal device sends this creation request when it detects that its trusted execution environment does not contain device identity information for the terminal device.
For the specific processing of step S402, reference may be made to the relevant content of the first embodiment, which is not repeated here.
In step S404, first verification information for the terminal device is generated based on the creation request and sent to the terminal device.
For the specific processing of step S404, reference may be made to the relevant content of the first or second embodiment, which is not repeated here.
In step S406, the verification information sent by the terminal device is received and verified; if verification passes, device identity information is generated for the terminal device.
In step S408, the device identity information is sent to the terminal device so that the terminal device stores it in its trusted execution environment.
Embodiment four
As shown in FIG. 5, the method may be executed by a server. The server may be a back-end server that provides access to a service (for example a transaction or financial service) or to an object; for instance, it may be a server for a payment service or for a finance- or instant-messaging-related service. A corresponding privacy-preserving device identity processing system may be as shown in FIG. 2. The method may include the following steps:
In step S502, a request to create device identity information is received from the terminal device; the terminal device sends this creation request when it detects that its trusted execution environment does not contain device identity information for the terminal device.
In step S504, first verification information for the terminal device is generated based on the creation request and sent to the terminal device.
In step S506, the verification information sent by the terminal device is received.
The verification information may include the first verification information, a first device key corresponding to the terminal device, and a random number.
In step S508, the verification information is decrypted with the second service key corresponding to the server, yielding the first verification information, the first device key corresponding to the terminal device, and the random number.
In step S510, the authenticity of the first verification information and the random number is checked, and the signature on the verification information is verified with the first device key corresponding to the terminal device.
In step S512, if signature verification of the verification information succeeds and the first verification information and the random number pass the authenticity check, device identity information is generated for the terminal device.
It should be noted that, if verification passes, device identity information capable of uniquely identifying the terminal device may be generated by a preset algorithm, where the data used to generate it includes neither device attribute information of the terminal device nor personal information of the terminal device's user.
In step S514, the device identity information is encrypted with the first device key corresponding to the terminal device, giving encrypted device identity information.
In step S516, the encrypted device identity information is signed with the second service key corresponding to the server, giving encrypted and signed device identity information, which is sent to the terminal device so that the terminal device stores the device identity information in its trusted execution environment.
In step S518, a use request for the device identity information is received from the terminal device.
In step S520, third verification information corresponding to the use request is generated based on the use request and sent to the terminal device, so that the terminal device obtains the device identity information from its trusted execution environment and sends the device identity information and the third verification information to the server.
The third verification information is verification information created by the server for a terminal device that needs to use its device identity information; it may serve as a permission or verification token for that use. It may be implemented in various ways, for example as a challenge code or a random number, and may consist of one or more of digits, text, symbols, and the like. The third verification information may be the same as or different from the first verification information.
In step S522, the device identity information and the third verification information sent by the terminal device are received and verified.
In step S524, if verification passes, a use notification for the device identity information is sent to the terminal device.
Embodiment five
As shown in FIG. 6, the method may be executed jointly by a terminal device and a server. The terminal device may be, for example, a mobile phone, a tablet computer or a personal computer, and is provided with a trusted execution environment (TEE). The trusted execution environment may be implemented by a program written in a predetermined programming language (that is, in software), or in a combination of software and hardware, and is a secure operating environment for data processing. The server may be a back-end server that provides access to a service (for example a transaction or financial service) or to an object; for instance, it may be a server for a payment service or for a finance- or instant-messaging-related service. The method may include the following steps:
In step S602, the terminal device detects whether its trusted execution environment contains device identity information for the terminal device.
In step S604, if the trusted execution environment does not contain device identity information for the terminal device, the terminal device sends a request to the server to create it.
In step S606, the server generates first verification information for the terminal device based on the creation request and sends it to the terminal device.
In step S608, on receiving the first verification information from the server, the terminal device obtains its verification information.
The verification information includes the first verification information, a first device key corresponding to the terminal device, and a random number.
In step S610, the terminal device encrypts the verification information with the first service key corresponding to the server, giving encrypted verification information.
In step S612, the terminal device signs the encrypted verification information with the second device key corresponding to the terminal device, giving encrypted and signed verification information, and sends it to the server.
In step S614, the server decrypts the verification information with the second service key corresponding to the server, yielding the first verification information, the first device key corresponding to the terminal device, and the random number.
In step S616, the server checks the authenticity of the first verification information and the random number, and verifies the signature on the verification information with the first device key corresponding to the terminal device.
In step S618, if signature verification of the verification information succeeds and the first verification information and the random number pass the authenticity check, the server generates device identity information for the terminal device.
In step S620, the server encrypts the device identity information with the first device key corresponding to the terminal device, giving encrypted device identity information.
In step S622, the server signs the encrypted device identity information with the second service key corresponding to the server, giving encrypted and signed device identity information.
In step S624, the terminal device receives the device identity information sent by the server.
In step S626, the terminal device receives the first verification information for the terminal device sent by the server.
In step S628, the terminal device passes the first verification information into the trusted execution environment through a first trusted application on the terminal device that performs secure data processing.
In step S630, the terminal device checks the authenticity of the first verification information in the trusted execution environment.
In step S632, if the first verification information passes the authenticity check, the terminal device passes the device identity information into the trusted execution environment through the first trusted application.
In step S634, in the trusted execution environment, the terminal device decrypts the device identity information with the second device key corresponding to the terminal device, giving the decrypted device identity information, and verifies the signature on the device identity information with the first service key corresponding to the server.
In step S636, if decryption and signature verification of the device identity information succeed, the terminal device stores the decrypted device identity information in the trusted execution environment.
In addition to the above, the following processing may also be included: the terminal device receives second verification information for the terminal device from the server, where the second verification information is obtained by encrypting the first verification information with the first device key corresponding to the terminal device and signing the result with the second service key corresponding to the server; the terminal device passes the second verification information into the trusted execution environment through the first trusted application; in the trusted execution environment, it decrypts the second verification information with the second device key corresponding to the terminal device to obtain the first verification information, checks the authenticity of the first verification information, and verifies the signature on the second verification information with the first service key corresponding to the server; and if decryption and signature verification of both the device identity information and the second verification information succeed and the first verification information passes the authenticity check, it stores the decrypted device identity information in the trusted execution environment.
After the device identity information has been set in the trusted execution environment of the terminal device in the above manner, the terminal device may perform service processing based on it; see steps S638 to S652 below.
In step S638, the terminal device determines whether its trusted execution environment contains device identity information for the terminal device.
In step S640, if the trusted execution environment contains the device identity information, the terminal device sends a use request for the device identity information to the server.
In step S642, the server generates third verification information corresponding to the use request based on the use request and sends it to the terminal device.
In step S644, on receiving the third verification information corresponding to the use request from the server, the terminal device obtains the device identity information from the trusted execution environment.
In step S646, in the trusted execution environment, the terminal device encrypts the device identity information, the third verification information and the first device key corresponding to the terminal device with the first service key corresponding to the server, giving encrypted information, and signs the encrypted information with the second device key corresponding to the terminal device, giving encrypted and signed information.
In step S648, the terminal device sends the encrypted and signed information to the server.
In step S650, the server verifies the device identity information and the third verification information and, if verification passes, sends a use notification for the device identity information to the terminal device.
In step S652, on receiving the use notification from the server, the terminal device performs the corresponding service processing based on the device identity information.
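The creation exchange of steps S602 to S636, together with its server-side view in embodiment four, as an added executable sketch; this is not code from the patent or from Alipay. It keeps the page's key roles, reading each party's first key as the public half and its second key as the private half of a single RSA key pair used for both encryption (RSA-OAEP) and signing (RSA-PSS). The page names no algorithms, so those choices, the 16-byte challenge and random number, the PKCS#1 encoding of the device key, the request layout and the in-memory stand-in for the trusted execution environment are all this example's assumptions. Two points are worth noticing: the server learns the first device key from inside the decrypted payload, so its signature check proves possession of the matching private key rather than which device is speaking, a binding the page does not describe; and each challenge is accepted exactly once, so a captured request cannot be replayed. The use exchange of steps S638 to S652 has the same shape with fresh third verification information and is not repeated here.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// must aborts on internal failures (RNG, key generation); protocol checks return errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// seal is the page's encrypt-then-sign step (S610/S612, S620/S622): RSA-OAEP to the
// recipient's first (public) key, RSA-PSS over the ciphertext with the sender's second key.
func seal(to *rsa.PublicKey, from *rsa.PrivateKey, msg []byte) (ct, sig []byte) {
	ct = must(rsa.EncryptOAEP(sha256.New(), rand.Reader, to, msg, nil))
	h := sha256.Sum256(ct)
	return ct, must(rsa.SignPSS(rand.Reader, from, crypto.SHA256, h[:], nil))
}
func verify(signer *rsa.PublicKey, ct, sig []byte) bool {
	h := sha256.Sum256(ct)
	return rsa.VerifyPSS(signer, crypto.SHA256, h[:], sig, nil) == nil
}

// Server holds the second service key and the outstanding challenges; each is accepted exactly once.
type Server struct {
	key     *rsa.PrivateKey
	pending map[string]bool
}
func (s *Server) Challenge() []byte { // S606: first verification information, 16 random bytes
	c := randomBytes(16)
	s.pending[string(c)] = true
	return c
}

// Create is S614..S622. Request plaintext (this example's layout): challenge(16) || nonce(16) || device key (PKCS#1 DER).
func (s *Server) Create(ct, sig []byte) (rct, rsig []byte, err error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.key, ct, nil) // S614
	if err != nil || len(pt) < 32 {
		return nil, nil, errors.New("request undecryptable or malformed")
	}
	// S616: the device key came inside the payload, so this proves key possession, not which device holds it.
	devPub, err := x509.ParsePKCS1PublicKey(pt[32:])
	if err != nil || !verify(devPub, ct, sig) || !s.pending[string(pt[:16])] {
		return nil, nil, errors.New("key, signature or challenge check failed")
	}
	delete(s.pending, string(pt[:16])) // single use: a captured request cannot be replayed
	id := randomBytes(16)              // S618: random; no device attributes or user data as inputs
	rct, rsig = seal(devPub, s.key, id) // S620/S622
	return rct, rsig, nil
}

// Device is the terminal; TEE stands in for the trusted execution environment's store.
type Device struct {
	key       *rsa.PrivateKey // second device key
	serverPub *rsa.PublicKey  // first service key, assumed provisioned in advance
	TEE       []byte
}
// EnsureIdentity is S602..S636 from the terminal's side.
func (d *Device) EnsureIdentity(s *Server) error {
	if d.TEE != nil {
		return nil // S602: identity already present
	}
	der := x509.MarshalPKCS1PublicKey(&d.key.PublicKey)
	msg := bytes.Join([][]byte{s.Challenge(), randomBytes(16), der}, nil) // S604..S608
	rct, rsig, err := s.Create(seal(d.serverPub, d.key, msg))             // S610..S622
	if err != nil {
		return err
	}
	if !verify(d.serverPub, rct, rsig) { // S634: check the server's signature first
		return errors.New("server signature check failed")
	}
	d.TEE, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, d.key, rct, nil) // S634/S636
	return err
}

// newParties makes both key pairs; 3072 bits on the server side lets the request fit one OAEP block.
func newParties() (*Server, *Device) {
	s := &Server{key: must(rsa.GenerateKey(rand.Reader, 3072)), pending: map[string]bool{}}
	return s, &Device{key: must(rsa.GenerateKey(rand.Reader, 2048)), serverPub: &s.key.PublicKey}
}
func main() {
	s, d := newParties()
	fmt.Println("created:", d.EnsureIdentity(s) == nil, "identity bytes:", len(d.TEE))
}
```

Using one key pair per party for both encryption and signing follows the page's description; separate key pairs per purpose are the usual practice. The server key is 3072 bits only so that the challenge, the random number and the DER-encoded 2048-bit device key fit within one OAEP block (318 bytes); a real implementation would wrap a symmetric key and encrypt the payload with an AEAD instead of sizing the RSA key to the message.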
Embodiment six
As shown in FIG. 7, the method may be executed by a terminal device, which may be a computer device such as a notebook or desktop computer, or a mobile terminal device such as a mobile phone or tablet computer. The terminal device is provided with a trusted execution environment (TEE), which may be implemented by a program written in a predetermined programming language (that is, in software), or in a combination of software and hardware, and is a secure operating environment for data processing.
The processing of the foregoing embodiments may also be simplified, giving the following method, which may include the following steps:
In step S702, it is detected whether the trusted execution environment of the terminal device contains device identity information for the terminal device.
In step S704, if the trusted execution environment does not contain device identity information for the terminal device, a request to create it is sent to the server, so that the server generates device identity information for the terminal device based on the creation request. The device identity information is generated by the server using a preset algorithm and uniquely identifies the terminal device; the data used to generate it includes neither device attribute information of the terminal device nor personal information of the terminal device's user.
In step S706, the device identity information sent by the server is received and stored in the trusted execution environment.
This embodiment is a further simplification of the above embodiments. In practice, steps S702 to S706 may be refined as described in the first, second and fifth embodiments, which is not repeated here.
Embodiment seven
As shown in FIG. 8A and FIG. 8B, the method may be executed by a server. The server may be a back-end server that provides access to a service (for example a transaction or financial service) or to an object; for instance, it may be a server for a payment service or for a finance- or instant-messaging-related service. A corresponding privacy-preserving device identity processing system may be as shown in FIG. 2.
Corresponding to the processing of the sixth embodiment, the server-side method may include the following steps:
In step S802, a request to create device identity information is received from the terminal device; the terminal device sends this creation request when it detects that its trusted execution environment does not contain device identity information for the terminal device.
In step S804, based on the creation request, device identity information is generated for the terminal device by a preset algorithm, where the data used to generate it includes neither device attribute information of the terminal device nor personal information of the terminal device's user.
In step S806, the device identity information is sent to the terminal device so that the terminal device stores it in its trusted execution environment.
This embodiment is a further simplification of the above embodiments. In practice, steps S802 to S806 may be refined as described in embodiments three to five, which is not repeated here.
Embodiment eight
Based on the same concept, corresponding to the privacy-preserving device identity processing method described above, the embodiments of this specification further provide a privacy-preserving device identity processing apparatus, which is provided with a trusted execution environment, as shown in FIG. 9.
The privacy-preserving device identity processing apparatus comprises an information detection module 901, a creation request module 902, a verification information obtaining module 903 and a device identity obtaining module 904, where:
the information detection module 901 is configured to detect whether the trusted execution environment of the terminal device contains device identity information for the terminal device;
the creation request module 902 is configured to, if the trusted execution environment does not contain device identity information for the terminal device, send a request to the server to create it, so that the server generates first verification information for the terminal device based on the creation request;
the verification information obtaining module 903 is configured to, on receiving the first verification information for the terminal device from the server, obtain the verification information of the terminal device and send it to the server, so that the server verifies it and, if verification passes, generates device identity information for the terminal device; and
the device identity obtaining module 904 is configured to receive the device identity information sent by the server and store it in the trusted execution environment.
In an embodiment of this specification, the verification information of the terminal device includes the first verification information, a first device key corresponding to the terminal device, and a random number, and
the verification information obtaining module 903 includes:
an encryption unit, configured to encrypt the verification information with the first service key corresponding to the server, giving encrypted verification information; and
a signing unit, configured to sign the encrypted verification information with the second device key corresponding to the terminal device, giving encrypted and signed verification information, and to send it to the server.
In an embodiment of this specification, the apparatus further includes:
a first verification receiving module, configured to receive the first verification information for the terminal device sent by the server;
a first transfer module, configured to pass the first verification information into the trusted execution environment through a first trusted application on the terminal device that performs secure data processing;
a first verification module, configured to check the authenticity of the first verification information in the trusted execution environment; and
a second transfer module, configured to pass the device identity information into the trusted execution environment through the first trusted application if the first verification information passes the authenticity check.
In an embodiment of this specification, the apparatus includes:
a third transfer module, configured to pass the device identity information into the trusted execution environment through a first trusted application on the terminal device that performs secure data processing; and
a signature verification module, configured to decrypt the device identity information with the second device key corresponding to the terminal device in the trusted execution environment, giving the decrypted device identity information, and to verify the signature on the device identity information with the first service key corresponding to the server;
and the device identity obtaining module 904 is configured to store the decrypted device identity information in the trusted execution environment if decryption and signature verification of the device identity information succeed.
In an embodiment of this specification, the apparatus further includes:
the verification information receiving module is used for receiving second verification information of the terminal equipment, which is sent by the server, wherein the second verification information is obtained by encrypting the first verification information through a first equipment key corresponding to the terminal equipment and carrying out signature processing through a second service key corresponding to the server;
the verification information transmission module transmits the second verification information to the trusted execution environment through a first trusted application on the terminal equipment;
the second verification module is used for decrypting the second verification information through a second device key corresponding to the terminal device in the trusted execution environment to obtain the first verification information, verifying the authenticity of the first verification information and verifying the signature of the second verification information through a first service key corresponding to the server;
the device identity obtaining module 904, if the decryption and the signature verification of the device identity information and the second verification information are successful and the first verification information passes the authenticity verification, stores the decrypted device identity information in the trusted execution environment.
In an embodiment of this specification, the device identity information is information that is generated by the server based on a preset algorithm and uniquely identifies the terminal device, and data used for generating the device identity information does not include device attribute information of the terminal device and personal information of a user of the terminal device.
In an embodiment of this specification, the apparatus further includes:
the judging module judges whether the trusted execution environment of the terminal device contains the device identity information of the terminal device;
the use request module sends a use request for the device identity information to the server if the trusted execution environment contains the device identity information;
a third information sending module, configured to obtain the device identity information from the trusted execution environment when third verification information corresponding to the use request is received from the server, and to send the device identity information and the third verification information to the server, so that the server verifies the device identity information and the third verification information and, after the verification passes, sends a use notification for the device identity information to the terminal device;
and the service processing module performs the corresponding service processing based on the device identity information when the use notification sent by the server is received.
In this embodiment of the present specification, the third information sending module encrypts, in the trusted execution environment, the device identity information, the third verification information and the first device key corresponding to the terminal device with the first service key corresponding to the server to obtain encrypted information, signs the encrypted information with the second device key corresponding to the terminal device to obtain encrypted and signed information, and sends the encrypted and signed information to the server.
The embodiment of the specification provides a privacy-protection-based device identity processing apparatus applied to a terminal device provided with a trusted execution environment. The apparatus detects whether the trusted execution environment of the terminal device contains the device identity information of the terminal device and, if not, sends a creation request for the device identity information to a server, which generates first verification information for the terminal device based on the creation request. On receiving the first verification information sent by the server, the apparatus obtains the verification information of the terminal device and sends it to the server; the server verifies it and, after the verification passes, generates device identity information for the terminal device. The apparatus receives the device identity information sent by the server and stores it in the trusted execution environment. In this way no attribute information of the terminal device and no personal information of the user needs to be collected, so the collection failures and identifier randomization that operating-system upgrades introduce do not arise and there is no leakage of private user data. Because the device identity information is kept in the trusted execution environment, it is also not lost when the user uninstalls the application or flashes the device, which improves the accuracy of the terminal device's device fingerprint.
Example nine
Based on the same idea, embodiments of the present specification further provide an apparatus for processing an equipment identity based on privacy protection, as shown in fig. 10.
The device identity processing device based on privacy protection comprises: a creation request receiving module 1001, a first information generating module 1002, a first checking module 1003 and an equipment identity sending module 1004, wherein:
a creation request receiving module 1001 configured to receive a creation request of device identity information sent by a terminal device, where the creation request is sent by the terminal device when the terminal device detects that the trusted execution environment of the terminal device does not include the device identity information of the terminal device;
a first information generation module 1002, configured to generate first verification information for the terminal device based on the creation request, and send the first verification information to the terminal device;
the first checking module 1003 is configured to receive checking information sent by the terminal device, check the checking information, and generate the device identity information for the terminal device if the checking passes;
the device identity sending module 1004 is configured to send the device identity information to the terminal device, so that the terminal device stores the device identity information in the trusted execution environment.
In this embodiment of the present specification, the verification information includes first verification information of the terminal device, a first device key corresponding to the terminal device, and a random number, and the verification information is information that is encrypted by the terminal device through a first service key corresponding to the apparatus and signed by a second device key corresponding to the terminal device,
the first checking module 1003 includes:
a decryption unit, configured to decrypt the verification information through a second service key corresponding to the apparatus to obtain the first verification information, a first device key corresponding to the terminal device, and a random number;
the signature verification unit is used for verifying the authenticity of the first verification information and the random number and verifying the signature of the verification information through a first equipment key corresponding to the terminal equipment;
and the verification unit is used for generating the equipment identity information for the terminal equipment if the verification of the verification information is successful and the first verification information and the random number pass authenticity verification.
In this embodiment of this specification, the device identity sending module 1004 includes:
the encryption unit is used for encrypting the equipment identity information through a first equipment key corresponding to the terminal equipment to obtain encrypted equipment identity information;
and the device identity sending unit signs the encrypted device identity information with the second service key corresponding to the apparatus to obtain encrypted and signed device identity information, and sends the encrypted and signed device identity information to the terminal device.
In an embodiment of this specification, the apparatus further includes:
the use request receiving module is used for receiving the use request of the equipment identity information sent by the terminal equipment;
a third information generating module, configured to generate third verification information corresponding to the usage request based on the usage request, send the third verification information to the terminal device, so that the terminal device obtains the device identity information from the trusted execution environment, and send the device identity information and the third verification information to the apparatus;
the second verification module is used for receiving the equipment identity information and the third verification information sent by the terminal equipment and verifying the equipment identity information and the third verification information;
and the use notification module is used for sending the use notification of the equipment identity information to the terminal equipment if the verification is passed.
In this embodiment of the present specification, if the verification passes, the first checking module 1003 generates, based on a preset algorithm, device identity information that uniquely identifies the terminal device, where the data used for generating the device identity information does not include device attribute information of the terminal device or personal information of the user of the terminal device.
Example ten
Based on the same idea, embodiments of the present specification further provide an apparatus for processing an equipment identity based on privacy protection, where a trusted execution environment is disposed in the apparatus, as shown in fig. 11.
The device identity processing device based on privacy protection comprises: a detection module 1101, a device identity request module 1102 and a device identity receiving module 1103, wherein:
a detection module 1101, configured to detect whether the trusted execution environment of the terminal device includes device identity information of the terminal device;
a device identity request module 1102, configured to send a creation request for the device identity information of the terminal device to a server if the trusted execution environment does not contain it, so that the server generates the device identity information for the terminal device based on the creation request, where the device identity information is generated by the server based on a preset algorithm and uniquely identifies the terminal device, and the data used for generating it does not include device attribute information of the terminal device or personal information of the user of the terminal device;
the device identity receiving module 1103 receives the device identity information sent by the server, and stores the device identity information in the trusted execution environment.
Example eleven
Based on the same idea, embodiments of the present specification further provide an apparatus for processing an equipment identity based on privacy protection, as shown in fig. 12.
The device identity processing device based on privacy protection comprises: a creation request receiving module 1201, an apparatus identity generating module 1202, and an apparatus identity sending module 1203, where:
a creation request receiving module 1201, configured to receive a creation request of device identity information sent by a terminal device, where the creation request is sent by the terminal device when the terminal device detects that the trusted execution environment of the terminal device does not include the device identity information of the terminal device;
an equipment identity generating module 1202, configured to generate the equipment identity information for the terminal equipment through a preset algorithm based on the creation request, where data used for generating the equipment identity information does not include the equipment attribute information of the terminal equipment and the personal information of the user of the terminal equipment;
an equipment identity sending module 1203, sending the equipment identity information to the terminal equipment, so that the terminal equipment stores the equipment identity information in the trusted execution environment.
Example twelve
Based on the same idea, an embodiment of the present specification further provides a privacy-protection-based device identity processing device provided with a trusted execution environment, as shown in fig. 13.
The device identity processing device based on privacy protection may be the terminal device or the server provided in the above embodiments.
The privacy-protection-based device identity processing device may vary considerably in configuration or performance and may include one or more processors 1301 and a memory 1302, where the memory 1302 may store one or more applications or data. The memory 1302 may be transient or persistent storage. An application stored in the memory 1302 may include one or more modules (not shown), each of which may include a series of computer-executable instructions for the privacy-protection-based device identity processing device. Further, the processor 1301 may be configured to communicate with the memory 1302 and execute the series of computer-executable instructions in the memory 1302 on the privacy-protection-based device identity processing device. The privacy-protection-based device identity processing device may also include one or more power supplies 1303, one or more wired or wireless network interfaces 1304, one or more input/output interfaces 1305, and one or more keyboards 1306.
In particular, in this embodiment, the privacy-protection-based device identity processing device includes a memory and one or more programs, where the one or more programs are stored in the memory and may include one or more modules, each module may include a series of computer-executable instructions for the privacy-protection-based device identity processing device, and the one or more programs, configured to be executed by the one or more processors, include computer-executable instructions for:
detecting whether a trusted execution environment of the terminal equipment contains equipment identity information of the terminal equipment;
if the trusted execution environment does not contain the equipment identity information of the terminal equipment, sending a creation request of the equipment identity information of the terminal equipment to a server so that the server generates first verification information aiming at the terminal equipment based on the creation request;
when first verification information of the terminal equipment sent by the server is received, obtaining verification information of the terminal equipment, sending the verification information of the terminal equipment to the server so that the server verifies the verification information, and generating equipment identity information for the terminal equipment after the verification is passed;
and receiving the equipment identity information sent by the server, and storing the equipment identity information in the trusted execution environment.
In this embodiment of the present specification, the verification information of the terminal device includes the first verification information, a first device key corresponding to the terminal device, and a random number,
the sending the verification information of the terminal device to the server includes:
encrypting the verification information through a first service key corresponding to the server to obtain encrypted verification information;
and signing the encrypted verification information through a second device key corresponding to the terminal device to obtain encrypted signed verification information, and sending the encrypted signed verification information to the server.
In an embodiment of this specification, the device identity information is information that is generated by the server based on a preset algorithm and uniquely identifies the terminal device, and data used for generating the device identity information does not include device attribute information of the terminal device and personal information of a user of the terminal device.
In the embodiment of this specification, the method further includes:
judging whether the trusted execution environment of the terminal equipment contains the equipment identity information of the terminal equipment;
if the trusted execution environment comprises the equipment identity information, sending a use request of the equipment identity information to the server;
when third verification information corresponding to the use request sent by the server is received, acquiring the equipment identity information from the trusted execution environment, and sending the equipment identity information and the third verification information to the server, so that the server verifies the equipment identity information and the third verification information, and sends a use notice of the equipment identity information to the terminal equipment after the verification is passed;
and when the use notice sent by the server is received, carrying out corresponding service processing based on the equipment identity information.
Further, in particular, in this embodiment, the privacy-protection-based device identity processing device includes a memory and one or more programs, where the one or more programs are stored in the memory and may include one or more modules, each module may include a series of computer-executable instructions for the privacy-protection-based device identity processing device, and the one or more programs, configured to be executed by the one or more processors, include computer-executable instructions for:
receiving a creation request of equipment identity information sent by a terminal device, wherein the creation request is sent when the terminal device detects that the trusted execution environment of the terminal device does not contain the equipment identity information of the terminal device;
generating first verification information aiming at the terminal equipment based on the creation request, and sending the first verification information to the terminal equipment;
receiving verification information sent by the terminal equipment, verifying the verification information, and generating equipment identity information for the terminal equipment if the verification is passed;
and sending the equipment identity information to the terminal equipment so that the terminal equipment stores the equipment identity information in the trusted execution environment.
In this embodiment of the present specification, the verification information includes first verification information of the terminal device, a first device key corresponding to the terminal device, and a random number, and the verification information is information that is encrypted by the terminal device through a first service key corresponding to the server and signed by a second device key corresponding to the terminal device,
the verifying the verification information, and if the verification passes, generating the device identity information for the terminal device, including:
decrypting the verification information through a second service key corresponding to the server to obtain the first verification information, a first device key corresponding to the terminal device and a random number;
verifying the authenticity of the first verification information and the random number, and verifying the signature of the verification information through a first equipment key corresponding to the terminal equipment;
and if the signature verification of the verification information is successful and the first verification information and the random number pass the authenticity verification, generating the equipment identity information for the terminal equipment.
In the embodiment of this specification, the method further includes:
receiving a use request of the equipment identity information sent by the terminal equipment;
generating third verification information corresponding to the use request based on the use request, sending the third verification information to the terminal device, so that the terminal device acquires the device identity information from the trusted execution environment, and sends the device identity information and the third verification information to the server;
receiving the equipment identity information and the third verification information sent by the terminal equipment, and verifying the equipment identity information and the third verification information;
and if the verification is passed, sending a use notice of the equipment identity information to the terminal equipment.
In this embodiment of the present specification, if the verification passes, generating the device identity information for the terminal device includes:
and if the verification is passed, generating equipment identity information capable of uniquely identifying the terminal equipment based on a preset algorithm, wherein the data used for generating the equipment identity information does not contain the equipment attribute information of the terminal equipment and the personal information of the user of the terminal equipment.
Further, in particular, in this embodiment, the privacy-protection-based device identity processing device includes a memory and one or more programs, where the one or more programs are stored in the memory and may include one or more modules, each module may include a series of computer-executable instructions for the privacy-protection-based device identity processing device, and the one or more programs, configured to be executed by the one or more processors, include computer-executable instructions for:
detecting whether a trusted execution environment of a terminal device contains device identity information of the terminal device;
if the trusted execution environment does not contain the equipment identity information of the terminal equipment, sending a creation request of the equipment identity information of the terminal equipment to a server so that the server generates the equipment identity information for the terminal equipment based on the creation request, wherein the equipment identity information is information which is generated by the server based on a preset algorithm and uniquely identifies the terminal equipment, and data used for generating the equipment identity information does not contain the equipment attribute information of the terminal equipment and the personal information of a user of the terminal equipment;
and receiving the equipment identity information sent by the server, and storing the equipment identity information in the trusted execution environment.
Further, in particular, in this embodiment, the privacy-protection-based device identity processing device includes a memory and one or more programs, where the one or more programs are stored in the memory and may include one or more modules, each module may include a series of computer-executable instructions for the privacy-protection-based device identity processing device, and the one or more programs, configured to be executed by the one or more processors, include computer-executable instructions for:
receiving a creation request of equipment identity information sent by a terminal device, wherein the creation request is sent when the terminal device detects that the trusted execution environment of the terminal device does not contain the equipment identity information of the terminal device;
generating the equipment identity information for the terminal equipment through a preset algorithm based on the creation request, wherein data used for generating the equipment identity information does not contain equipment attribute information of the terminal equipment and personal information of a user of the terminal equipment;
and sending the equipment identity information to the terminal equipment so that the terminal equipment stores the equipment identity information in the trusted execution environment.
Example thirteen
Further, based on the methods shown in fig. 1 to fig. 8, one or more embodiments of the present specification further provide a storage medium for storing computer-executable instruction information. In a specific embodiment, the storage medium may be a USB disk, an optical disk, a hard disk, or the like, and the computer-executable instruction information it stores, when executed by a processor, implements the following processes:
detecting whether a trusted execution environment of the terminal equipment contains equipment identity information of the terminal equipment;
if the trusted execution environment does not contain the equipment identity information of the terminal equipment, sending a creation request of the equipment identity information of the terminal equipment to a server so that the server generates first verification information aiming at the terminal equipment based on the creation request;
when first verification information of the terminal equipment sent by the server is received, obtaining verification information of the terminal equipment, sending the verification information of the terminal equipment to the server so that the server verifies the verification information, and generating equipment identity information for the terminal equipment after the verification is passed;
and receiving the equipment identity information sent by the server, and storing the equipment identity information in the trusted execution environment.
In this embodiment of the present specification, the verification information of the terminal device includes the first verification information, a first device key corresponding to the terminal device, and a random number,
the sending the verification information of the terminal device to the server includes:
encrypting the verification information through a first service key corresponding to the server to obtain encrypted verification information;
and signing the encrypted verification information through a second device key corresponding to the terminal device to obtain encrypted signed verification information, and sending the encrypted signed verification information to the server.
In an embodiment of this specification, the device identity information is information that is generated by the server based on a preset algorithm and uniquely identifies the terminal device, and the data used for generating the device identity information contains neither device attribute information of the terminal device nor personal information of a user of the terminal device.
In this embodiment of the specification, the method further includes:
determining whether the trusted execution environment of the terminal device contains the device identity information of the terminal device;
if the trusted execution environment contains the device identity information, sending a use request for the device identity information to the server;
when third verification information corresponding to the use request is received from the server, acquiring the device identity information from the trusted execution environment and sending the device identity information and the third verification information to the server, so that the server verifies the device identity information and the third verification information and, after the verification passes, sends a use notice for the device identity information to the terminal device;
and when the use notice sent by the server is received, carrying out the corresponding service processing based on the device identity information.
In addition, in a specific embodiment, the storage medium may be a USB disk, an optical disk, a hard disk, or the like, and when the computer-executable instruction information stored on it is executed by a processor, the following processes are implemented:
receiving a creation request for device identity information sent by a terminal device, where the creation request is sent when the terminal device detects that its trusted execution environment does not contain the device identity information of the terminal device;
generating first verification information for the terminal device based on the creation request, and sending the first verification information to the terminal device;
receiving verification information sent by the terminal device, verifying the verification information, and generating device identity information for the terminal device if the verification passes;
and sending the device identity information to the terminal device, so that the terminal device stores the device identity information in the trusted execution environment.
In this embodiment of the present specification, the verification information includes the first verification information of the terminal device, a first device key corresponding to the terminal device, and a random number, and the verification information has been encrypted by the terminal device with a first service key corresponding to the server and signed with a second device key corresponding to the terminal device,
and the verifying of the verification information and, if the verification passes, generating the device identity information for the terminal device includes:
decrypting the verification information with a second service key corresponding to the server to obtain the first verification information, the first device key corresponding to the terminal device, and the random number;
verifying the authenticity of the first verification information and the random number, and verifying the signature on the verification information with the first device key corresponding to the terminal device;
and if the signature verification of the verification information succeeds and the first verification information and the random number pass the authenticity verification, generating the device identity information for the terminal device.
In this embodiment of the specification, the method further includes:
receiving a use request for the device identity information sent by the terminal device;
generating third verification information corresponding to the use request based on the use request, and sending the third verification information to the terminal device, so that the terminal device acquires the device identity information from the trusted execution environment and sends the device identity information and the third verification information to the server;
receiving the device identity information and the third verification information sent by the terminal device, and verifying the device identity information and the third verification information;
and if the verification passes, sending a use notice for the device identity information to the terminal device.
In this embodiment of the present specification, generating the device identity information for the terminal device if the verification passes includes:
if the verification passes, generating, based on a preset algorithm, device identity information capable of uniquely identifying the terminal device, where the data used for generating the device identity information contains neither the device attribute information of the terminal device nor the personal information of the user of the terminal device.
In addition, in a specific embodiment, the storage medium may be a USB disk, an optical disk, a hard disk, or the like, and when the computer-executable instruction information stored on it is executed by a processor, the following processes are implemented:
detecting whether a trusted execution environment of a terminal device contains device identity information of the terminal device;
if the trusted execution environment does not contain the device identity information of the terminal device, sending a creation request for the device identity information of the terminal device to a server, so that the server generates the device identity information for the terminal device based on the creation request, where the device identity information is information that is generated by the server based on a preset algorithm and uniquely identifies the terminal device, and the data used for generating the device identity information contains neither the device attribute information of the terminal device nor the personal information of a user of the terminal device;
and receiving the device identity information sent by the server, and storing the device identity information in the trusted execution environment.
In addition, in a specific embodiment, the storage medium may be a USB disk, an optical disk, a hard disk, or the like, and when the computer-executable instruction information stored on it is executed by a processor, the following processes are implemented:
receiving a creation request for device identity information sent by a terminal device, where the creation request is sent when the terminal device detects that its trusted execution environment does not contain the device identity information of the terminal device;
generating the device identity information for the terminal device through a preset algorithm based on the creation request, where the data used for generating the device identity information contains neither device attribute information of the terminal device nor personal information of a user of the terminal device;
and sending the device identity information to the terminal device, so that the terminal device stores the device identity information in the trusted execution environment.
This embodiment of the specification provides a storage medium applied to a terminal device provided with a trusted execution environment. The stored instructions detect whether the trusted execution environment of the terminal device contains device identity information of the terminal device; if not, they send a creation request for the device identity information of the terminal device to a server, and the server generates first verification information for the terminal device based on the creation request. When the first verification information for the terminal device sent by the server is received, they obtain verification information of the terminal device and send it to the server; the server verifies the verification information and, after the verification passes, generates device identity information for the terminal device. They then receive the device identity information sent by the server and store it in the trusted execution environment. In this way, no information about the terminal device or personal information of the user needs to be collected, so the problems of failed or randomized data collection caused by operating system upgrades are avoided and there is no risk of user data privacy leakage; and because the device identity information is stored in the trusted execution environment, it is not unintentionally deleted by the user when the application is uninstalled or the device is flashed, which improves the accuracy of the terminal device's device fingerprint.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
In the 1990s, an improvement to a technology could be clearly distinguished as an improvement in hardware (e.g., an improvement in a circuit structure such as a diode, transistor, or switch) or an improvement in software (an improvement in a method flow). However, as technology has advanced, many of today's improvements to method flows can be regarded as direct improvements to hardware circuit structures. Designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into a hardware circuit. Therefore, it cannot be said that an improvement in a method flow cannot be realized by a hardware entity module. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose logic functions are determined by the user programming the device. A designer "integrates" a digital system on a PLD by programming it, without requiring the chip manufacturer to design and fabricate an application-specific integrated circuit chip. Moreover, nowadays, instead of manually making an integrated circuit chip, such programming is mostly implemented with "logic compiler" software, which is similar to the software compiler used in program development; the source code to be compiled is written in a specific programming language called a Hardware Description Language (HDL), of which there is not one but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, and RHDL (Ruby Hardware Description Language); the most commonly used at present are VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog.
It will also be apparent to those skilled in the art that hardware circuitry that implements the logical method flows can be readily obtained by merely slightly programming the method flows into an integrated circuit using the hardware description languages described above.
The controller may be implemented in any suitable manner; for example, the controller may take the form of a microprocessor or processor and a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, or an embedded microcontroller, examples of which include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicon Labs C8051F320; the memory controller may also be implemented as part of the control logic for the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller as pure computer-readable program code, the same functionality can be implemented by logically programming the method steps such that the controller takes the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers, and the like. Such a controller may thus be considered a hardware component, and the means included therein for performing the various functions may also be considered structures within the hardware component. Or even the means for performing the functions may be regarded as being both software modules for performing the method and structures within a hardware component.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the various elements may be implemented in the same one or more software and/or hardware implementations in implementing one or more embodiments of the present description.
As will be appreciated by one skilled in the art, embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, one or more embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, one or more embodiments of the present description may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present description are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the description. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process, such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
As will be appreciated by one skilled in the art, embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, one or more embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, one or more embodiments of the present description may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
One or more embodiments of the present description may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. One or more embodiments of the specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only an example of the present specification, and is not intended to limit the present specification. Various modifications and alterations to this description will become apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present specification should be included in the scope of the claims of the present specification.

Claims (27)

1. A privacy protection-based device identity processing method, applied to a terminal device provided with a trusted execution environment, comprising:
detecting whether a trusted execution environment of the terminal device contains device identity information of the terminal device;
if the trusted execution environment does not contain the device identity information of the terminal device, sending a creation request for the device identity information of the terminal device to a server, so that the server generates first verification information for the terminal device based on the creation request;
when the first verification information for the terminal device sent by the server is received, obtaining verification information of the terminal device and sending the verification information of the terminal device to the server, so that the server verifies the verification information and generates device identity information for the terminal device after the verification passes;
and receiving the device identity information sent by the server, and storing the device identity information in the trusted execution environment.
2. The method of claim 1, wherein the verification information of the terminal device comprises the first verification information, a first device key corresponding to the terminal device, and a random number,
and the sending of the verification information of the terminal device to the server comprises:
encrypting the verification information with a first service key corresponding to the server to obtain encrypted verification information;
and signing the encrypted verification information with a second device key corresponding to the terminal device to obtain encrypted and signed verification information, and sending the encrypted and signed verification information to the server.
3. The method according to claim 1 or 2, wherein after receiving the device identity information sent by the server, the method further comprises:
receiving the first verification information for the terminal device sent by the server;
passing the first verification information into the trusted execution environment through a first trusted application on the terminal device for performing data security processing;
verifying the authenticity of the first verification information in the trusted execution environment;
and if the first verification information passes the authenticity verification, passing the device identity information into the trusted execution environment through the first trusted application on the terminal device.
4. The method of claim 3, wherein the device identity information is encrypted by the server with a first device key corresponding to the terminal device and signed with a second service key corresponding to the server, and the method further comprises:
passing the device identity information into the trusted execution environment through the first trusted application on the terminal device for performing data security processing;
in the trusted execution environment, decrypting the device identity information with a second device key corresponding to the terminal device to obtain decrypted device identity information, and verifying the signature on the device identity information with a first service key corresponding to the server;
and the storing of the device identity information in the trusted execution environment comprises:
if the decryption and the signature verification of the device identity information succeed, storing the decrypted device identity information in the trusted execution environment.
5. The method of claim 4, further comprising:
receiving second verification information for the terminal device sent by the server, wherein the second verification information is obtained by encrypting the first verification information with the first device key corresponding to the terminal device and signing the result with the second service key corresponding to the server;
passing the second verification information into the trusted execution environment through the first trusted application on the terminal device;
in the trusted execution environment, decrypting the second verification information with the second device key corresponding to the terminal device to obtain the first verification information, verifying the authenticity of the first verification information, and verifying the signature on the second verification information with the first service key corresponding to the server;
and the storing of the decrypted device identity information in the trusted execution environment if the decryption and signature verification of the device identity information succeed comprises:
if the decryption and signature verification of both the device identity information and the second verification information succeed and the first verification information passes the authenticity verification, storing the decrypted device identity information in the trusted execution environment.
6. The method according to claim 1, wherein the device identity information is information that is generated by the server based on a preset algorithm and uniquely identifies the terminal device, and the data used for generating the device identity information contains neither device attribute information of the terminal device nor personal information of a user of the terminal device.
7. The method of claim 1, further comprising:
determining whether the trusted execution environment of the terminal device contains the device identity information of the terminal device;
if the trusted execution environment contains the device identity information, sending a use request for the device identity information to the server;
when third verification information corresponding to the use request is received from the server, acquiring the device identity information from the trusted execution environment and sending the device identity information and the third verification information to the server, so that the server verifies the device identity information and the third verification information and, after the verification passes, sends a use notice for the device identity information to the terminal device;
and when the use notice sent by the server is received, carrying out the corresponding service processing based on the device identity information.
8. The method of claim 7, wherein the sending of the device identity information and the third verification information to the server comprises:
in the trusted execution environment, encrypting the device identity information, the third verification information and a first device key corresponding to the terminal device with a first service key corresponding to the server to obtain encrypted information, and signing the encrypted information with a second device key corresponding to the terminal device to obtain encrypted and signed information;
and sending the encrypted and signed information to the server.
9. A privacy protection-based device identity processing method, applied to a server, comprising:
receiving a creation request for device identity information sent by a terminal device, wherein the creation request is sent when the terminal device detects that its trusted execution environment does not contain the device identity information of the terminal device;
generating first verification information for the terminal device based on the creation request, and sending the first verification information to the terminal device;
receiving verification information sent by the terminal device, verifying the verification information, and generating device identity information for the terminal device if the verification passes;
and sending the device identity information to the terminal device, so that the terminal device stores the device identity information in the trusted execution environment.
10. The method according to claim 9, wherein the verification information comprises the first verification information of the terminal device, a first device key corresponding to the terminal device, and a random number, and the verification information has been encrypted by the terminal device with a first service key corresponding to the server and signed with a second device key corresponding to the terminal device,
and the verifying of the verification information and, if the verification passes, generating the device identity information for the terminal device comprises:
decrypting the verification information with a second service key corresponding to the server to obtain the first verification information, the first device key corresponding to the terminal device, and the random number;
verifying the authenticity of the first verification information and the random number, and verifying the signature on the verification information with the first device key corresponding to the terminal device;
and if the signature verification of the verification information succeeds and the first verification information and the random number pass the authenticity verification, generating the device identity information for the terminal device.
11. The method of claim 10, wherein the sending of the device identity information to the terminal device comprises:
encrypting the device identity information with the first device key corresponding to the terminal device to obtain encrypted device identity information;
and signing the encrypted device identity information with a second service key corresponding to the server to obtain encrypted and signed device identity information, and sending the encrypted and signed device identity information to the terminal device.
12. The method of claim 9, further comprising:
receiving a use request for the device identity information sent by the terminal device;
generating third verification information corresponding to the use request based on the use request, and sending the third verification information to the terminal device, so that the terminal device acquires the device identity information from the trusted execution environment and sends the device identity information and the third verification information to the server;
receiving the device identity information and the third verification information sent by the terminal device, and verifying the device identity information and the third verification information;
and if the verification passes, sending a use notice for the device identity information to the terminal device.
13. The method according to any one of claims 9 to 12, wherein generating the device identity information for the terminal device if the verification passes comprises:
if the verification passes, generating, based on a preset algorithm, device identity information capable of uniquely identifying the terminal device, wherein the data used to generate the device identity information contains neither device attribute information of the terminal device nor personal information of a user of the terminal device.
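As an added example (not from the patent, whose claims name no concrete algorithm), the exchange of claim 10 and the identity rule of claim 13 in Go using only the standard library. Assumptions: each party's first/second key pair is split into an Ed25519 signing pair and an X25519 encryption pair, "encrypting with the service key" is X25519 plus AES-256-GCM, the first verification information is a 32-byte server challenge, and the random number is remembered so that a replayed message is rejected.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// aead turns an X25519 shared secret into AES-256-GCM (SHA-256 stands in for a KDF).
func aead(shared []byte) cipher.AEAD {
	k := sha256.Sum256(shared)
	b, _ := aes.NewCipher(k[:])
	g, _ := cipher.NewGCM(b)
	return g
}

// seal encrypts msg to pub, ECIES-style: ephemeralPub(32) || nonce(12) || ciphertext; open reverses it.
func seal(pub *ecdh.PublicKey, msg []byte) []byte {
	eph, _ := ecdh.X25519().GenerateKey(rand.Reader)
	shared, _ := eph.ECDH(pub)
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return aead(shared).Seal(append(eph.PublicKey().Bytes(), nonce...), nonce, msg, nil)
}

func open(priv *ecdh.PrivateKey, box []byte) ([]byte, error) {
	if len(box) < 44 {
		return nil, errors.New("ciphertext too short")
	}
	eph, err := ecdh.X25519().NewPublicKey(box[:32])
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(eph)
	if err != nil {
		return nil, err
	}
	return aead(shared).Open(nil, box[32:44], box[44:], nil) // any tampering fails the GCM tag
}

// BuildVerification, device side of claim 10: seal challenge(32) || signing key(32) || random(16) to the server key, then sign the ciphertext.
func BuildVerification(challenge []byte, dev ed25519.PrivateKey, srv *ecdh.PublicKey) (ct, sig []byte) {
	r := make([]byte, 16)
	rand.Read(r)
	ct = seal(srv, append(append(append([]byte{}, challenge...), dev.Public().(ed25519.PublicKey)...), r...))
	return ct, ed25519.Sign(dev, ct)
}

var seen = map[string]bool{} // random numbers already accepted, so a captured message cannot be replayed

// Issue, server side of claim 10: issued is the first verification information sent to this device earlier; the device key is taken from the message as the claim states, so in practice it must be bound to a key the server already trusts. The identity is fresh server randomness, never device attributes or user data (claim 13).
func Issue(srv *ecdh.PrivateKey, issued, ct, sig []byte) ([]byte, error) {
	plain, err := open(srv, ct)
	if err != nil || len(plain) != 80 {
		return nil, errors.New("decryption failed")
	}
	if string(plain[:32]) != string(issued) || seen[string(plain[64:])] {
		return nil, errors.New("challenge mismatch or replayed random number")
	}
	if !ed25519.Verify(ed25519.PublicKey(plain[32:64]), ct, sig) {
		return nil, errors.New("bad device signature")
	}
	seen[string(plain[64:])] = true
	id := make([]byte, 16)
	rand.Read(id)
	return id, nil
}
```

Claim 11's return path and claim 12's use-request check reuse the same primitives with the roles swapped: seal to the device key and sign with the server key, and require a fresh challenge alongside the identity.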
14. A privacy protection-based device identity processing method, applied to a terminal device provided with a trusted execution environment, the method comprising:
detecting whether the trusted execution environment of the terminal device contains device identity information of the terminal device;
if the trusted execution environment does not contain the device identity information of the terminal device, sending a creation request for the device identity information of the terminal device to a server, so that the server generates the device identity information for the terminal device based on the creation request, wherein the device identity information is generated by the server based on a preset algorithm and uniquely identifies the terminal device, and the data used to generate the device identity information contains neither device attribute information of the terminal device nor personal information of a user of the terminal device; and
receiving the device identity information sent by the server, and storing the device identity information in the trusted execution environment.
15. A privacy protection-based device identity processing method, applied to a server, the method comprising:
receiving a creation request for device identity information sent by a terminal device, wherein the creation request is sent when the terminal device detects that its trusted execution environment does not contain the device identity information of the terminal device;
generating the device identity information for the terminal device through a preset algorithm based on the creation request, wherein the data used to generate the device identity information contains neither device attribute information of the terminal device nor personal information of a user of the terminal device; and
sending the device identity information to the terminal device, so that the terminal device stores the device identity information in the trusted execution environment.
16. A privacy protection-based device identity processing apparatus, wherein a trusted execution environment is arranged in the apparatus, the apparatus comprising:
an information detection module configured to detect whether the trusted execution environment of the apparatus contains device identity information of the apparatus;
a creation request module configured to, if the trusted execution environment does not contain the device identity information of the apparatus, send a creation request for the device identity information of the apparatus to a server, so that the server generates first verification information for the apparatus based on the creation request;
a verification information acquisition module configured to, when the first verification information of the apparatus sent by the server is received, acquire verification information of the apparatus and send the verification information of the apparatus to the server, so that the server verifies the verification information and generates the device identity information for the apparatus after the verification passes; and
a device identity acquisition module configured to receive the device identity information sent by the server and store the device identity information in the trusted execution environment.
17. A privacy protection-based device identity processing apparatus, the apparatus comprising:
a creation request receiving module configured to receive a creation request for device identity information sent by a terminal device, wherein the creation request is sent when the terminal device detects that its trusted execution environment does not contain the device identity information of the terminal device;
a first information generation module configured to generate first verification information for the terminal device based on the creation request and send the first verification information to the terminal device;
a first verification module configured to receive verification information sent by the terminal device, verify the verification information, and generate device identity information for the terminal device if the verification passes; and
a device identity sending module configured to send the device identity information to the terminal device, so that the terminal device stores the device identity information in the trusted execution environment.
18. A privacy protection-based device identity processing apparatus, wherein a trusted execution environment is arranged in the apparatus, the apparatus comprising:
a detection module configured to detect whether the trusted execution environment of the apparatus contains device identity information of the apparatus;
a device identity request module configured to, if the trusted execution environment does not contain the device identity information of the apparatus, send a creation request for the device identity information of the apparatus to a server, so that the server generates the device identity information for the apparatus based on the creation request, wherein the device identity information is generated by the server based on a preset algorithm and uniquely identifies the apparatus, and the data used to generate the device identity information contains neither device attribute information of the apparatus nor personal information of a user of the apparatus; and
a device identity receiving module configured to receive the device identity information sent by the server and store the device identity information in the trusted execution environment.
19. A privacy protection-based device identity processing apparatus, the apparatus comprising:
a creation request receiving module configured to receive a creation request for device identity information sent by a terminal device, wherein the creation request is sent when the terminal device detects that its trusted execution environment does not contain the device identity information of the terminal device;
a device identity generation module configured to generate the device identity information for the terminal device through a preset algorithm based on the creation request, wherein the data used to generate the device identity information contains neither device attribute information of the terminal device nor personal information of a user of the terminal device; and
a device identity sending module configured to send the device identity information to the terminal device, so that the terminal device stores the device identity information in the trusted execution environment.
20. A privacy protection-based device identity processing device, provided with a trusted execution environment, comprising:
a processor; and
a memory arranged to store computer-executable instructions that, when executed, cause the processor to:
detect whether the trusted execution environment of the device contains device identity information of the device;
if the trusted execution environment does not contain the device identity information of the device, send a creation request for the device identity information of the device to a server, so that the server generates first verification information for the device based on the creation request;
when the first verification information of the device sent by the server is received, acquire verification information of the device and send the verification information of the device to the server, so that the server verifies the verification information and generates the device identity information for the device after the verification passes; and
receive the device identity information sent by the server, and store the device identity information in the trusted execution environment.
21. A privacy protection-based device identity processing device, comprising:
a processor; and
a memory arranged to store computer-executable instructions that, when executed, cause the processor to:
receive a creation request for device identity information sent by a terminal device, wherein the creation request is sent when the terminal device detects that its trusted execution environment does not contain the device identity information of the terminal device;
generate first verification information for the terminal device based on the creation request, and send the first verification information to the terminal device;
receive verification information sent by the terminal device, verify the verification information, and generate device identity information for the terminal device if the verification passes; and
send the device identity information to the terminal device, so that the terminal device stores the device identity information in the trusted execution environment.
22. A privacy protection-based device identity processing device, provided with a trusted execution environment, comprising:
a processor; and
a memory arranged to store computer-executable instructions that, when executed, cause the processor to:
detect whether the trusted execution environment of the device contains device identity information of the device;
if the trusted execution environment does not contain the device identity information of the device, send a creation request for the device identity information of the device to a server, so that the server generates the device identity information for the device based on the creation request, wherein the device identity information is generated by the server based on a preset algorithm and uniquely identifies the device, and the data used to generate the device identity information contains neither device attribute information of the device nor personal information of a user of the device; and
receive the device identity information sent by the server, and store the device identity information in the trusted execution environment.
23. A privacy protection-based device identity processing device, comprising:
a processor; and
a memory arranged to store computer-executable instructions that, when executed, cause the processor to:
receive a creation request for device identity information sent by a terminal device, wherein the creation request is sent when the terminal device detects that its trusted execution environment does not contain the device identity information of the terminal device;
generate the device identity information for the terminal device through a preset algorithm based on the creation request, wherein the data used to generate the device identity information contains neither device attribute information of the terminal device nor personal information of a user of the terminal device; and
send the device identity information to the terminal device, so that the terminal device stores the device identity information in the trusted execution environment.
24. A storage medium storing computer-executable instructions which, when executed, implement the following:
detecting whether a trusted execution environment of a terminal device contains device identity information of the terminal device;
if the trusted execution environment does not contain the device identity information of the terminal device, sending a creation request for the device identity information of the terminal device to a server, so that the server generates first verification information for the terminal device based on the creation request;
when the first verification information of the terminal device sent by the server is received, acquiring verification information of the terminal device and sending the verification information of the terminal device to the server, so that the server verifies the verification information and generates device identity information for the terminal device after the verification passes; and
receiving the device identity information sent by the server, and storing the device identity information in the trusted execution environment.
25. A storage medium storing computer-executable instructions which, when executed, implement the following:
receiving a creation request for device identity information sent by a terminal device, wherein the creation request is sent when the terminal device detects that its trusted execution environment does not contain the device identity information of the terminal device;
generating first verification information for the terminal device based on the creation request, and sending the first verification information to the terminal device;
receiving verification information sent by the terminal device, verifying the verification information, and generating device identity information for the terminal device if the verification passes; and
sending the device identity information to the terminal device, so that the terminal device stores the device identity information in the trusted execution environment.
26. A storage medium storing computer-executable instructions which, when executed, implement the following:
detecting whether a trusted execution environment of a terminal device contains device identity information of the terminal device;
if the trusted execution environment does not contain the device identity information of the terminal device, sending a creation request for the device identity information of the terminal device to a server, so that the server generates the device identity information for the terminal device based on the creation request, wherein the device identity information is generated by the server based on a preset algorithm and uniquely identifies the terminal device, and the data used to generate the device identity information contains neither device attribute information of the terminal device nor personal information of a user of the terminal device; and
receiving the device identity information sent by the server, and storing the device identity information in the trusted execution environment.
27. A storage medium storing computer-executable instructions which, when executed, implement the following:
receiving a creation request for device identity information sent by a terminal device, wherein the creation request is sent when the terminal device detects that its trusted execution environment does not contain the device identity information of the terminal device;
generating the device identity information for the terminal device through a preset algorithm based on the creation request, wherein the data used to generate the device identity information contains neither device attribute information of the terminal device nor personal information of a user of the terminal device; and
sending the device identity information to the terminal device, so that the terminal device stores the device identity information in the trusted execution environment.
CN202011255452.6A, priority date 2020-11-11, filing date 2020-11-11, "Privacy protection-based equipment identity processing method, device and equipment", status pending, published as CN112199661A (en)

Priority Applications (1)

Application Number: CN202011255452.6A (CN112199661A) | Priority Date: 2020-11-11 | Filing Date: 2020-11-11 | Title: Privacy protection-based equipment identity processing method, device and equipment

Publications (1)

Publication Number: CN112199661A | Publication Date: 2021-01-08

Family ID: 74033447

Country Status (1)

Country: CN (1) | Link: CN112199661A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112953893A (en) * 2021-01-26 2021-06-11 支付宝(杭州)信息技术有限公司 Identity verification method, device, equipment and system based on privacy protection
CN112953893B (en) * 2021-01-26 2022-07-08 支付宝(杭州)信息技术有限公司 Identity verification method, device, equipment and system based on privacy protection
CN113239853A (en) * 2021-05-27 2021-08-10 支付宝(杭州)信息技术有限公司 Biological identification method, device and equipment based on privacy protection
WO2022253085A1 (en) * 2021-05-31 2022-12-08 京东方科技集团股份有限公司 Server, and data processing method executed by server

Similar Documents

Publication Title
CN111680305B (en) Data processing method, device and equipment based on block chain
US11238139B2 (en) Methods for securely storing sensitive data on mobile device
CN112199661A (en) Privacy protection-based equipment identity processing method, device and equipment
CN111931154B (en) Service processing method, device and equipment based on digital certificate
US20100262830A1 (en) Authentication device, authentication method, and program background of the invention
CN111737686B (en) Processing method, device and equipment of block chain data
US11283614B2 (en) Information verification method, apparatus, and device
CN113239853B (en) Biological identification method, device and equipment based on privacy protection
CN113704826A (en) Privacy protection-based business risk detection method, device and equipment
CN115277143A (en) Data secure transmission method, device, equipment and storage medium
CN107026730B (en) Data processing method, device and system
CN109299944B (en) Data encryption method, system and terminal in transaction process
EP3945696B1 (en) Blockchain data processing method, apparatus, and device
WO2023155641A1 (en) Processing of data
WO2023040451A1 (en) Resource transfer
CN111046440B (en) Tamper verification method and system for secure area content
US20180352042A1 (en) Providing Device Information to Third Party Without Identifying the Device
US11100215B2 (en) Management of a display of a view of an application on a screen of an electronic data entry device, corresponding method, device and computer program product
CN115545713A (en) Resource transfer method, device and equipment
CN114969784A (en) Model processing method, device and equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code (ref country code: HK; ref legal event code: DE; ref document number: 40044632; country of ref document: HK)