CN112311805B - Login-free authentication processing method and device based on trusted execution environment - Google Patents

Login-free authentication processing method and device based on trusted execution environment Download PDF

Info

Publication number
CN112311805B
CN112311805B CN202011231963.4A CN202011231963A CN112311805B CN 112311805 B CN112311805 B CN 112311805B CN 202011231963 A CN202011231963 A CN 202011231963A CN 112311805 B CN112311805 B CN 112311805B
Authority
CN
China
Prior art keywords
application
authentication
signature
trusted
login
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202011231963.4A
Other languages
Chinese (zh)
Other versions
CN112311805A (en
Inventor
张武
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alipay Hangzhou Information Technology Co Ltd
Original Assignee
Alipay Hangzhou Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alipay Hangzhou Information Technology Co Ltd filed Critical Alipay Hangzhou Information Technology Co Ltd
Priority to CN202011231963.4A priority Critical patent/CN112311805B/en
Publication of CN112311805A publication Critical patent/CN112311805A/en
Application granted granted Critical
Publication of CN112311805B publication Critical patent/CN112311805B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/32User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/382Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3829Payment protocols; Details thereof insuring higher security of transaction involving key management
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00Payment architectures, schemes or protocols
    • G06Q20/38Payment protocols; Details thereof
    • G06Q20/40Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401Transaction verification
    • G06Q20/4014Identity check for transactions
    • G06Q20/40145Biometric identity checks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The embodiment of the specification provides a login-free authentication processing method and device based on a trusted execution environment. Under the scenario that login-free authentication for the first application is realized by calling the first application through the second application on the target device, login-free authentication registration can be performed by calling the trusted application through the first application on the target device, so that the trusted application and the verification server corresponding to the trusted application respectively store the registration data of the first application. The target device is provided with a common execution environment REE and a trusted execution environment TEE, a first application and a second application are located in the REE, the trusted application is located in the TEE, and the first application and the second application share the registration data of the first application stored in the TEE. Subsequently, no matter whether the target device is still provided with the first application, when the user calls the first application in the second application, the second application can call the trusted application, so that the trusted application performs login-free authentication on the first application according to the registration data of the first application.

Description

Login-free authentication processing method and device based on trusted execution environment
Technical Field
The embodiment of the specification relates to the technical field of computers, in particular to a login-free authentication processing method and device based on a trusted execution environment.
Background
Currently, some client applications have the functionality to invoke other applications. Taking the shopping application as an example, the shopping application may support at least one payment method, and the user may invoke the payment application corresponding to the at least one payment method using the shopping application. In practice, when the payment application is called in the shopping application, if the user device used by the user does not install the payment application, the payment may not be completed, or an HTML5 login page related to the payment application is called, and the user is required to perform payment after completing login on the page. HTML5 is a specification of HTML (HyperText Markup Language). Generally, the mode of calling up the HTML5 login page has the disadvantages of complex flow, complex operation, low user experience, high order abandoning rate and high service loss.
Therefore, a reasonable and reliable scheme for implementing login-free authentication for client applications in a secure environment is urgently needed. The login-free authentication can be understood as positioning to an account and performing identity authentication without inputting account login information.
Disclosure of Invention
The embodiment of the specification provides a login-free authentication processing method and device based on a trusted execution environment.
In a first aspect, an embodiment of the present specification provides a login-free authentication processing method based on a trusted execution environment, which is applied to a first application on a target device, where the target device has a normal execution environment REE and a trusted execution environment TEE, the first application is located in the REE, and the TEE is provided with a trusted application, and the method includes: receiving an opening request of a user for the login-free authentication service; responding to the opening request, and sending a login-free authentication registration request to the trusted application, wherein the login-free authentication registration request comprises an account identifier corresponding to the first application of the user; receiving a registration result added with a first signature from the trusted application, the first signature being added using a device private key of the target device, the registration result including a first public key of a public-private key pair generated by the trusted application for the first application, a key index of the public-private key pair, the account identification, and a device identification of the target device, wherein the trusted application maintains registration information including the first private key of the public-private key pair, the key index, and the account identification; and forwarding the registration result added with the first signature to a verification server corresponding to the trusted application through a first server of the first application, so that the verification server stores registration result information after the verification of the first signature passes, wherein the registration result information includes the first public key, the key index and the account identifier.
In some embodiments, after the forwarding, by the first service end of the first application, the registration result added with the first signature to the verification service end corresponding to the trusted application, the method further includes: receiving first prompt information for indicating that the registration is completed; and responding to the first prompt message, and displaying a second prompt message for indicating that the login-free authentication service is successfully opened to the user.
In some embodiments, the trusted application holds a second public key of the authentication server; and prior to said sending a login-exempt authentication registration request to the trusted application, the method further comprising: acquiring equipment information of the target equipment, wherein the equipment information at least comprises an equipment identifier; sending an acquisition request aiming at registration request data to the first server, wherein the acquisition request comprises the account identifier and the equipment information, so that the first server acquires the registration request data added with a second signature from the verification server according to the acquisition request, and the second signature is added by using a second private key of the verification server; receiving the registration request data added with the second signature from the first service terminal; generating the login-free authentication registration request, wherein the login-free authentication registration request comprises the account identification and the registration request data added with the second signature; and said receiving from said trusted application a registration result with a first signature added thereto, comprising: receiving, from the trusted application, a registration result with the first signature added thereto returned in response to the second signature matching the second public key.
In some embodiments, the obtaining device information of the target device includes: obtaining the device information from the trusted application.
In some embodiments, the registration request data comprises the key index.
In some embodiments, the target device is configured with an SDK provided by the authentication server, and the first application invokes an application interface of the trusted application using the SDK.
In some embodiments, the first application comprises a payment-type application.
In some embodiments, the trusted application comprises an internet financial authentication alliance trusted application IFAA TA; the verification server comprises an IFAA server.
In a second aspect, an embodiment of the present specification provides a login-free authentication processing method based on a trusted execution environment, which is applied to a trusted application on a target device, where the target device has a normal execution environment REE and a trusted execution environment TEE, the trusted application is located in the TEE, and a first application is installed in the REE, and the method includes: receiving a login-free authentication registration request from the first application, wherein the login-free authentication registration request comprises an account identifier corresponding to the user in the first application; generating a public and private key pair aiming at the first application, and distributing a key index for the public and private key pair; generating and storing registration information, wherein the registration information comprises a first private key in the public and private key pair, the key index and the account identifier; generating a registration result, and adding a first signature to the registration result by using a device private key of the target device, where the registration result includes a first public key in the public and private key pair, the key index, the account identifier, and a device identifier of the target device; and returning the registration result added with the first signature to the first application, so that the first application uploads the registration result added with the first signature to a verification server corresponding to the trusted application, and the verification server stores registration result information after the first signature passes verification, wherein the registration result information comprises the first public key, the key index and the account identifier.
In some embodiments, the trusted application maintains a second public key of the verification server, the login-free authentication registration request includes registration request data added with a second signature, and the second signature is added by using a second private key of the verification server; and after the receiving a login-exempt authentication registration request from the first application, the method further comprises: determining whether the second signature matches the second public key; and if so, executing the public and private key pair generated aiming at the first application.
In some embodiments, the registration request data includes a key index corresponding to the first application; and the allocating a key index for the public and private key pair comprises: and allocating a key index included in the registration request data to the public-private key pair.
In some embodiments, said maintaining registration information comprises: and saving the registration information to a secure storage area in the TEE.
In a third aspect, an embodiment of the present specification provides a login-free authentication processing method based on a trusted execution environment, which is applied to a second application on a target device, where the target device has a normal execution environment REE and a trusted execution environment TEE, the second application is located in the REE and supports invoking a first application applicable to the REE, and the TEE is provided with a trusted application, and the method includes: receiving a call request of a user for the first application; sending a login-free authentication request to the trusted application, wherein the login-free authentication request comprises an account identifier corresponding to the user in the first application; receiving an authentication result added with a third signature from the trusted application, the authentication result being generated in response to the user passing identity authentication, the third signature being added with the first private key associated with the account identification; sending a verification request to a verification server corresponding to the trusted application through a second server of the second application, where the verification request includes the account identifier and the authentication result added with the third signature, so that the verification server performs validity verification on the authentication result added with the third signature according to the verification request, and returns a verification result to the second server.
In some embodiments, the trusted application holds a second public key of the authentication server; and prior to said sending the logoff-exempt authentication request to the trusted application, the method further comprising: acquiring equipment information of the target equipment, wherein the equipment information at least comprises an equipment identifier; sending an acquisition request aiming at authentication request data to the second server, wherein the acquisition request comprises the account identifier and the equipment information, so that the second server acquires the authentication request data added with a second signature from the verification server according to the acquisition request, and the second signature is added by using a second private key of the verification server; receiving the authentication request data added with the second signature from the second server; generating the login-free authentication request, wherein the login-free authentication request comprises the account identification and the authentication request data added with the second signature; and said receiving from said trusted application an authentication result with a third signature added thereto, comprising: receiving, from the trusted application, an authentication result with a third signature added thereto returned in response to the second signature matching the second public key.
In some embodiments, after the receiving a call request of a user for the first application, the method further comprises: determining whether the first application has opened a login-free authentication service; and if so, executing the step of sending the login-free authentication request to the trusted application.
In some embodiments, the method further comprises: receiving an operation instruction which is related to the call request and is returned in response to the verification result from the second server; and executing corresponding operation according to the operation instruction.
In some embodiments, the first application comprises a payment-type application; and the operation instruction which is received from the second server and is returned in response to the verification result and related to the call request comprises: receiving a payment interface display instruction which is returned in response to the verification result representing that the verification is passed and is related to the calling request from the second server; and executing corresponding operations according to the operation instruction, wherein the operations comprise: and displaying a corresponding payment interface according to the payment interface display instruction.
In some embodiments, the target device is configured with an SDK provided by the authentication server, and the second application calls an application interface of the trusted application using the SDK.
In some embodiments, the first application comprises a payment-type application; the second application includes any one of the following applications: shopping applications, audio and video applications, electronic book applications, educational applications, gaming applications.
In a fourth aspect, an embodiment of the present specification provides a login-free authentication processing method based on a trusted execution environment, which is applied to a trusted application on a target device, where the target device has a normal execution environment REE and a trusted execution environment TEE, the trusted application is located in the TEE, a second application is installed in the TEE, and the second application supports calling of a first application applicable to the REE, and the method includes: receiving a login-free authentication request from the second application, wherein the login-free authentication request is sent in response to a call request of a user for the first application, and the login-free authentication request comprises an account identification corresponding to the user in the first application; acquiring a first private key associated with the account identifier; performing identity authentication on the user; responding to the fact that the user passes identity authentication, generating an authentication result, and adding a third signature for the authentication result by using the first private key; and returning the authentication result added with the third signature to the second application, so that the second application uploads the authentication result added with the third signature to a verification server corresponding to the trusted application for the verification server to perform validity verification.
In some embodiments, the trusted application holds a second public key of the verification server, the login-free authentication request includes authentication request data added with a second signature, and the second signature is added by using a second private key of the verification server; and after the receiving a login-exempt authentication request from the second application, the method further comprises: determining whether the second signature matches the second public key; and if so, executing the acquisition of the first private key associated with the account identifier.
In some embodiments, the authenticating the user includes: acquiring target biological characteristic information of the user; determining whether a biological characteristic template matched with the target biological characteristic information exists in at least one stored biological characteristic template; if so, determining that the user passes the identity authentication; and if not, determining that the user does not pass the identity authentication.
In some embodiments, the target biometric information comprises any one of: face features, fingerprint features, iris features.
In a fifth aspect, an embodiment of the present specification provides a login-free authentication processing apparatus based on a trusted execution environment, which is applied to a first application on a target device, where the target device has a normal execution environment REE and a trusted execution environment TEE, the first application is located in the REE, and the TEE is provided with a trusted application, and the apparatus includes: a receiving unit configured to receive an opening request for a login-free authentication service of a user; a trusted application calling unit configured to send a login-exempt authentication registration request to the trusted application in response to the provisioning request, wherein the login-exempt authentication registration request includes an account identifier corresponding to the first application by the user; receiving a registration result added with a first signature from the trusted application, the first signature being added using a device private key of the target device, the registration result including a first public key of a public-private key pair generated by the trusted application for the first application, a key index of the public-private key pair, the account identification, and a device identification of the target device, wherein the trusted application maintains registration information including the first private key of the public-private key pair, the key index, and the account identification; a sending unit, configured to forward, via a first service end of the first application, the registration result added with the first signature to a verification service end corresponding to the trusted application, so that the verification service end saves registration result information after the verification of the first signature passes, where the registration result information includes the first public key, the key index, and the account identifier.
In a sixth aspect, an embodiment of the present specification provides a login-free authentication processing apparatus based on a trusted execution environment, which is applied to a trusted application on a target device, where the target device has a normal execution environment REE and a trusted execution environment TEE, the trusted application is located in the TEE, and a first application is installed in the REE, and the apparatus includes: a receiving unit configured to receive a login-free authentication registration request from the first application, wherein the login-free authentication registration request includes an account identifier corresponding to the user in the first application; a key generation unit configured to generate a public-private key pair for the first application and assign a key index to the public-private key pair; a registration information generating unit configured to generate and hold registration information including a first private key of the public-private key pair, the key index, and the account identification; a registration result generating unit configured to generate a registration result and add a first signature to the registration result by using a device private key of the target device, wherein the registration result includes a first public key in the public and private key pair, the key index, the account identifier, and a device identifier of the target device; a sending unit, configured to return the registration result added with the first signature to the first application, so that the first application uploads the registration result added with the first signature to a verification server corresponding to the trusted application, and the verification server stores registration result information after the verification of the first signature passes, where the registration result information includes the first public key, the key index, and the account identifier.
In a seventh aspect, an embodiment of the present specification provides a login-free authentication processing apparatus based on a trusted execution environment, which is applied to a second application on a target device, where the target device has a normal execution environment REE and a trusted execution environment TEE, the second application is located in the REE and supports invoking a first application applicable to the REE, and the TEE is provided with a trusted application, and the apparatus includes: a receiving unit configured to receive a call request of a user for the first application; a trusted application calling unit configured to send a login-free authentication request to the trusted application, wherein the login-free authentication request includes an account identifier corresponding to the user in the first application; receiving an authentication result added with a third signature from the trusted application, the authentication result being generated in response to the user passing identity authentication, the third signature being added with the first private key associated with the account identification; a sending unit, configured to send, via a second server of the second application, a verification request to a verification server corresponding to the trusted application, where the verification request includes the account identifier and the authentication result added with the third signature, so that the verification server performs validity verification on the authentication result added with the third signature according to the verification request, and returns a verification result to the second server.
In an eighth aspect, an embodiment of the present specification provides a login-free authentication processing apparatus based on a trusted execution environment, which is applied to a trusted application on a target device, where the target device has a normal execution environment REE and a trusted execution environment TEE, the trusted application is located in the TEE, a second application is installed in the REE, and the second application supports calling of a first application applicable to the REE, and the apparatus includes: a receiving unit configured to receive a login-free authentication request from the second application, the login-free authentication request being sent in response to a call request of a user for the first application, the login-free authentication request including an account identification corresponding to the first application by the user; an obtaining unit configured to obtain a first private key associated with the account identifier; an identity authentication unit configured to authenticate an identity of the user; responding to the fact that the user passes identity authentication, generating an authentication result, and adding a third signature for the authentication result by using the first private key; the sending unit is configured to return the authentication result added with the third signature to the second application, so that the second application uploads the authentication result added with the third signature to a verification server corresponding to the trusted application for validity verification by the verification server.
In a ninth aspect, the present specification provides a computer-readable storage medium, on which a computer program is stored, wherein when the computer program is executed in a computer, the computer is caused to execute the method described in any implementation manner of the first to fourth aspects.
In a tenth aspect, an embodiment of the present specification provides a computing device, including a memory and a processor, where the memory stores executable code, and the processor executes the executable code to implement the method described in any implementation manner of the first aspect to the fourth aspect.
In the login-free authentication processing method and device based on the trusted execution environment provided by the above embodiments of the present specification, the first application responds to an opening request of a user for the login-free authentication service, and sends a login-free authentication registration request to the trusted application. And then responding to the login-free authentication registration request through the trusted application, generating a public and private key pair aiming at the first application, distributing a key index for the public and private key pair, then generating and storing registration information, generating a registration result, and adding a first signature for the registration result by using the device private key of the target device so as to return the registration result added with the first signature to the first application. Then, the first application forwards the registration result added with the first signature to a verification server corresponding to the trusted application through a first server of the first application, so that the verification server stores the registration result information after the first signature is verified. Therefore, the login-free authentication service of the first application can be successfully opened. Based on the feature that the REE-side application calls no isolation within the TEE, inter-application data sharing in a secure environment may be achieved, that is, the second application in the REE on the target device may share the aforementioned registration information stored in the TEE with the first application. Subsequently, whether the target device still has the first application installed or not, the second application may invoke the trusted application in response to the invocation request of the user for the first application, so that the trusted application realizes login-free account location and account verification according to the registration information. Thus, login-free authentication for the first application in a secure environment can be achieved.
In addition, when the user calls the first application in the second application, if the first application is not installed on the target device, by using the scheme provided by the above embodiment of the present specification, it is possible to avoid calling the HTML5 login page related to the first application, so that the user can perform the target operation (for example, payment operation) after completing the operations such as login authentication on the page, thereby simplifying the operation flow, saving the operation cost of the user, and improving the user experience. In addition, when the first application is a payment-type application, by adopting the scheme provided by the above embodiment of the present specification, the order abandoning rate can be reduced, and the service loss can be reduced.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments disclosed in the present specification, the drawings needed to be used in the description of the embodiments will be briefly introduced below, it is obvious that the drawings in the following description are only embodiments disclosed in the present specification, and it is obvious for those skilled in the art to obtain other drawings based on the drawings without creative efforts.
FIG. 1 is an exemplary system architecture diagram to which some embodiments of the present description may be applied;
FIG. 2 is a timing diagram for one embodiment of a trusted execution environment based logoff authentication processing method in accordance with the present description;
FIG. 3 is an exemplary system architecture diagram to which some embodiments of the present description may be applied;
FIG. 4 is a timing diagram for one embodiment of a trusted execution environment based logoff authentication processing method in accordance with the present description;
fig. 5 is a schematic structural diagram of a login-free authentication processing apparatus based on a trusted execution environment according to the present specification;
fig. 6 is a schematic structural diagram of a login-free authentication processing apparatus based on a trusted execution environment according to the present specification;
fig. 7 is a schematic structural diagram of a login-free authentication processing apparatus based on a trusted execution environment according to the present specification;
fig. 8 is a schematic structural diagram of a login-free authentication processing apparatus based on a trusted execution environment according to the present specification.
Detailed Description
The present specification will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the relevant invention and not restrictive of the invention. The described embodiments are only a subset of the embodiments described herein and not all embodiments described herein. All other embodiments obtained by a person skilled in the art based on the embodiments in the present specification without any inventive step are within the scope of the present application.
It should be noted that, for convenience of description, only the portions related to the related invention are shown in the drawings. The embodiments and features of the embodiments in the present description may be combined with each other without conflict. In addition, the terms "first", "second", "third", and the like in the present specification are used only for information distinction and do not play any limiting role.
Some embodiments of the present description provide a login-free authentication processing method based on a trusted execution environment, by which login-free authentication for a first application in a secure environment can be achieved when a user invokes the first application in a second application. The first application may be various types of applications, and may include, but is not limited to, payment type applications, for example. The second application may be a variety of types of applications that support invoking the first application, and may include, for example and without limitation, shopping-type applications, audio-video-type applications, electronic book applications, educational-type applications, game-type applications, and the like.
It should be noted that, the solution provided in this specification relates to an opening procedure and a login-free authentication procedure of a login-free authentication service.
Next, a scheme related to the provisioning procedure of the login-free authentication service will be described. As shown in fig. 1, an exemplary system architecture diagram suitable for use with this scheme is shown.
Specifically, the system architecture shown in fig. 1 includes a first application, a trusted application, a first service end of the first application, and a verification service end corresponding to the trusted application. The first application is located in an REE (normal Execution Environment) of the target device, and the Trusted application is located in a TEE (Trusted Execution Environment) of the target device.
The target devices may be various electronic devices with REE and TEE, for example, which may include but are not limited to smart phones, tablets, smart televisions, IOT (Internet of Things) devices, desktop computers, notebook computers, and so on. Optionally, when the target device is a mobile device, the operating system loaded by the target device may include, but is not limited to, an Android operating system and the like.
The TEE is a secure area divided from the target device, and includes a secure computing area in a Central Processing Unit (CPU) and a secure storage area in a memory. The function of this secure area is to provide a more secure space for the execution of data and code and to ensure their confidentiality and integrity.
In practice, when the user wants to open the login-free authentication service of the first application, an opening request for the login-free authentication service may be triggered in the first application. Then, the first application may invoke the trusted application in response to the opening request, and send a login-exempt authentication registration request to the trusted application. Then, the trusted application can respond to the login-free authentication registration request, generate and store registration information for the first application, generate a registration result, add a first signature to the registration result, and return the registration result added with the first signature to the first application, so that the first application uploads the registration result added with the first signature to the verification server, and the verification server stores the registration result information after the first signature passes verification. Specifically, the first application may send the registration result added with the first signature to the first service end, so that the first service end forwards the registration result added with the first signature to the verification service end. The verification server can store the registration result information after the first signature is verified. Therefore, the login-free authentication service of the first application can be successfully opened.
Next, referring to fig. 1, the steps of implementing the scheme related to the provisioning procedure of the login-free authentication service are described in conjunction with a specific embodiment.
Referring to FIG. 2, a timing diagram of one embodiment of a trusted execution environment based logoff authentication processing method is shown. The method comprises the following steps:
step 201, a first application receives an opening request of a user for a login-free authentication service;
step 207, the first application responds to the opening request and sends a login-free authentication registration request to the trusted application, wherein the login-free authentication registration request comprises an account identifier corresponding to the first application by the user;
step 209, the trusted application generates a public and private key pair for the first application, and distributes a key index for the public and private key pair;
step 210, the trusted application generates and stores registration information, wherein the registration information comprises a first private key in a public and private key pair, a key index and an account identifier;
step 211, the trusted application generates a registration result, and adds a first signature to the registration result by using a device private key of the target device, where the registration result includes a first public key in a public and private key pair, a key index, an account identifier, and a device identifier of the target device;
step 212, the trusted application returns the registration result added with the first signature to the first application;
step 213, the first application sends the registration result added with the first signature to the first service end;
step 214, the first server forwards the registration result added with the first signature to the verification server;
step 215, the verification server stores the registration result information after the first signature is verified, where the registration result information includes the first public key, the key index, and the account identifier.
Next, the step 201-215 is further described.
In step 201, a user may trigger an provisioning request for the login-free authentication service in a first application, so that the first application receives the provisioning request.
In practice, the target device may be configured with a Software Development Kit (SDK) provided by the authentication server. Accordingly, in step 207, the first application may invoke an application interface of the trusted application using the SDK, and send a login-exempt authentication registration request to the trusted application through the application interface.
Optionally, after step 201 and before step 207, step 202 and step 206 may also be included.
In step 202, the first application may obtain device information of the target device, the device information including at least a device identification. Optionally, the device information may also include association information of the target device, which may include, for example, but not limited to, an information item for characterizing whether the target biometric information of the user is entered or not. The target biometric information may include, but is not limited to, a face feature, a fingerprint feature, an iris feature, or the like.
Alternatively, to ensure the security of the device information of the target device, the device information may be stored in advance in a secure storage area of the TEE. Thus, in step 202, the first application may obtain device information of the target device from the trusted application. Specifically, the first application may send a device information acquisition request to the trusted application, so that the trusted application acquires the device information of the target device from the secure storage area and returns the acquired device information to the first application.
In step 203, the first application may send an acquisition request for the registration request data to the first server, where the acquisition request includes an account identifier corresponding to the first application by the user and device information of the target device.
In step 204, the first server may obtain, according to the obtaining request, the registration request data added with the second signature from the verification server. The registration request data is generated and signed by the verification server aiming at the first application. The second signature is added by a second private key of the authentication server. Specifically, the first server may forward the acquisition request to the verification server, so that the verification server generates registration request data for the first application according to the acquisition request, adds a second signature to the registration request data by using a second private key of the verification server, and returns the registration request data added with the second signature to the first server. The registration request data may include, but is not limited to, a key index corresponding to the first application. The key index is generated for the first application by the authentication server and only points to the first application.
In step 205, the first application may receive the registration request data added with the second signature from the first service.
In step 206, the first application may generate a login-free authenticated registration request including the account identification and the registration request data with the second signature added.
In step 209, the trusted application may generate a public-private key pair for the first application in response to the login-free authenticated registration request and assign a key index to the public-private key pair. As an example, the trusted application may generate a corresponding key index for the public-private key pair.
Optionally, the trusted application may hold a second public key of the authentication server. When the login-exempt authentication registration request includes registration request data to which a second signature is added, the trusted application may determine whether the second signature matches a second public key of the verification server by performing step 208, prior to step 209. If it is determined that the second signature matches the second public key of the authentication server, step 209 may be performed.
It should be noted that, if the second signature matches the second public key of the verification server, it may indicate that the second signature is legal, and the registration request data is confirmed by the verification server.
Optionally, if the login-exempt authentication registration request includes registration request data added with the second signature, and the registration request data includes a key index corresponding to the first application, the trusted application may assign the key index to the public-private key pair.
In step 210, the trusted application may generate and save registration information for the first application. The registration information may include, but is not limited to, a first private key of the public-private key pair, a key index of the public-private key pair, and an account identifier corresponding to the user in the first application. Optionally, the registration information may further include an application identification of the first application.
In practice, the TEE includes a Secure storage area, such as a Secure File System (SFS) or a Replay Protected Memory Block (RPMB). The trusted application may save the registration information of the first application to a secure storage area in the TEE. Further, the trusted application may save the registration information to a secure file system in the TEE.
By storing the registration information of the first application in the secure storage area in the TEE, the security of the registration information can be ensured. In addition, the registration information facilitates log-on-free authentication for the first application in a secure environment.
It is noted that the trusted application may associate the account identification with the key index and associate the key index with the first private key when saving the registration information. Therefore, in the subsequent login-free authentication process, the related key index can be found according to the account identifier in the received login-free authentication request, and then the related first private key can be found according to the key index.
In step 211, the trusted application may generate a registration result for the first application and add a first signature to the registration result using a device private key of the target device. The registration result includes a first public key in the public-private key pair, a key index of the public-private key pair, an account identifier corresponding to the user in the first application, and a device identifier of the target device.
It should be noted that, by adding the first signature to the registration result by using the device private key of the target device, the verification server is facilitated to confirm whether the registration result is from the target device.
In step 212, the trusted application may send the registration result with the first signature added to the first application.
In practice, the business party usually compares the verification result of the trust verification server, so that the first application can upload the registration result added with the first signature to the verification server, so that the verification server stores the registration result information of the first application after the verification of the first signature is passed, so that the verification server can use the registration result information in the subsequent login-free authentication process. Specifically, the first application may send the registration result added with the first signature to the first service end by performing step 213, so that the first service end forwards the registration result added with the first signature to the verification service end by performing step 214.
In step 215, the verification server holds the device public key of the target device in advance. After receiving the registration result added with the first signature, the verification server may find the device public key according to the device identifier in the registration result, and then determine whether the first signature matches the device public key. If the first signature is determined to be matched with the device public key, the fact that the registration result is from the target device can be confirmed, and further, the registration result information of the first application can be stored according to the registration result. The registration result information may include, but is not limited to, the first public key in the public-private key pair, the key index of the public-private key pair, and the account identifier corresponding to the user in the first application.
In practice, when the authentication server saves the registration result information, the authentication server may associate the account identifier with the key index, and associate the key index with the first public key. Therefore, in the subsequent login-free authentication process, the verification server can search the related key index according to the account identifier in the received verification request, and then search the related first public key according to the key index.
Optionally, the registration result information may further include a device identification of the target device. The authentication server may associate the identifier pair (including the account identifier and the device identifier) with the key index and associate the key index with the first public key when saving the registration result information. Therefore, in the subsequent login-free authentication process, if the verification request received by the verification server includes the user identifier and the equipment identifier at the same time, the verification server can search the related key index according to the user identifier and the equipment identifier, and then search the related first public key according to the key index.
Alternatively, the trusted Application may include IFAA (Internet financial Authentication Alliance) TA (Trust Application). The authentication server may comprise an IFAA server.
Optionally, after sending the registration result added with the first signature to the first server, the first application may further receive first prompt information used for indicating that registration is completed, and in response to the first prompt information, present second prompt information used for indicating that the login-free authentication service is successfully opened to the user. The first prompt message may be received by the first service from the verification service and forwarded to the first application. Alternatively, the first prompt message may be generated by the first service end in response to receiving the registration success feedback message sent by the verification service end.
It should be noted that, if the first prompt information is received by the first server from the authentication server, the first prompt information may include, but is not limited to, an account identifier corresponding to the user in the first application, a first public key in the public-private key pair, a key index of the public-private key pair, and a device identifier of the target device. In addition, the first server may store part or all of the information items in the first prompt message. It should be understood that the registration success feedback information may also include the above information items in the first prompt information, and the first service end may store some or all of the information items in the registration success feedback information in response to receiving the registration success feedback information.
In addition, the second prompt message may include, but is not limited to, a flag message indicating that the login-exempt authentication service is successfully opened, for example. The second prompt information is displayed to the user, so that the user can conveniently know the opening condition of the login-free authentication service of the first application in time.
According to the scheme provided by the embodiment, through the execution of the steps, the trusted application and the verification server respectively store the registration data of the first application, such as the registration information and the registration result information in the foregoing, so that the login-free authentication service of the first application can be successfully opened. Based on the feature that the REE-side application calls no isolation within the TEE, inter-application data sharing in a secure environment may be achieved, that is, the second application in the REE on the target device may share the aforementioned registration information stored in the TEE with the first application. Subsequently, whether the target device still has the first application installed or not, the second application may invoke the trusted application in response to the invocation request of the user for the first application, so that the trusted application realizes login-free account location and account verification according to the registration information. Thus, login-free authentication for the first application in a secure environment can be achieved.
Next, a description is started of a scheme related to the login-exempt authentication procedure. As shown in fig. 3, which shows an exemplary system architecture diagram suitable for use with this scheme.
Specifically, the system architecture shown in fig. 3 includes a second application, a trusted application, a second server of the second application, and a verification server corresponding to the trusted application. Wherein the second application is located in the REE of the target device and the trusted application is located in the TEE of the target device. Here, for the explanation of each component in the system architecture, reference may be made to the related description in the foregoing, and details are not described here.
It should be noted that, the first application may be installed in the REE of the target device, or the first application may not be installed (for example, the user uninstalls the first application after opening the login-free authentication service of the first application), which is not limited herein.
In practice, in a case where the user successfully opens the login-exempt authentication service for the first application, when the user wants to invoke the first application in the second application, an invocation request for the first application may be triggered in the second application. Then, the second application can respond to the calling request, call the trusted application, and send a login-free authentication request aiming at the first application to the trusted application. And then, no matter whether the target device is provided with the first application or not, the trusted application can respond to the login-free authentication request, perform login-free authentication according to the stored registration information of the first application, generate an authentication result, add a third signature to the authentication result, and return the authentication result added with the third signature to the second application, so that the second application uploads the authentication result added with the third signature to the verification server for the verification server to perform validity verification. Specifically, the second application may send the authentication request to the second server, so that the second server forwards the authentication request to the authentication server. And the verification request comprises an account identifier corresponding to the first application of the user and an authentication result added with the third signature. The verification server side can carry out validity verification on the authentication result added with the third signature, generate a verification result and return the verification result to the second server side. Therefore, the second server can execute corresponding operation according to the received verification result.
Next, referring to fig. 3, the steps of implementing the scheme related to the login-free authentication procedure will be described in conjunction with a specific embodiment.
Referring to FIG. 4, a timing diagram of one embodiment of a login-free authentication processing method based on a trusted execution environment is shown. The method comprises the following steps:
step 401, a second application receives a call request of a user for a first application;
step 407, the second application sends a login-free authentication request to the trusted application, where the login-free authentication request includes an account identifier corresponding to the first application;
step 409, the trusted application acquires a first private key associated with the account identifier;
step 410, the trusted application performs identity authentication on the user;
step 411, the trusted application responds to the user passing the identity authentication, generates an authentication result, and adds a third signature to the authentication result by using the first private key;
step 412, the trusted application returns the authentication result added with the third signature to the second application;
step 413, the second application sends a verification request to the second server, where the verification request includes the account identifier and the authentication result added with the third signature;
step 414, the second server forwards the verification request to the verification server;
step 415, the verification server performs validity verification on the authentication result added with the third signature according to the verification request, and generates a verification result;
in step 416, the verification server returns the verification result to the second server.
Next, the steps 401 and 416 are further described.
In step 401, when a user wants to invoke a first application in a second application, an invocation request for the first application may be triggered in the second application, so that the second application receives the invocation request.
Optionally, after step 401, and before step 407, the second application may determine whether the first application has opened the login-free authentication service. If it is determined that the first application has opened the login-free authentication service, step 407 may be performed. As an example, the second application may send a confirmation request to the trusted application for confirming whether the login-exempt authentication service has been opened by the first application, and receive a confirmation result returned by the trusted application in response to the confirmation request.
As an implementation manner, the confirmation request may include an application identifier of the first application. After receiving the confirmation request, the trusted application may first search for an account identifier corresponding to the application identifier. If the account identifier is found, further searching a key index associated with the account identifier. If the key index is found, a confirmation result indicating that the logout-free authentication service is opened by the first application may be generated, where the confirmation result includes the account identifier. If the key index is not found, a confirmation result indicating that the login-free authentication service is not opened by the first application may be generated.
As another implementation manner, the confirmation request may include an account identifier corresponding to the first application. The account identifier is obtained by the second application according to the application identifier of the first application. For example, if the user successfully logs in the first application on the target device, the target device may store the binding relationship information between the application identifier and the account identifier. The second application may obtain the account identifier from the binding relationship information according to the application identifier. After receiving the confirmation request, the trusted application may first search the key index associated with the account identifier. If the key index is found, a confirmation result indicating that the login-free authentication service has been opened by the first application may be generated. If the key index is not found, a confirmation result indicating that the login-free authentication service is not opened by the first application may be generated.
In step 407, the second application may send a login-free authentication request for the first application to the trusted application in response to the invocation request. The login-free authentication request comprises an account identification corresponding to the first application of the user. In practice, the target device may be configured with an SDK provided by the verification server, and the second application may call an application interface of the trusted application by using the SDK, and send the login-free authentication request to the trusted application through the application interface.
Optionally, after step 401 and before step 407, step 402 and step 406 may also be included.
In step 402, the second application obtains device information of the target device, where the device information at least includes a device identifier.
Alternatively, to ensure the security of the device information of the target device, the device information may be stored in advance in a secure storage area of the TEE. Further, in step 402, the second application may obtain device information of the target device from the trusted application. Specifically, the second application may send a device information acquisition request to the trusted application, so that the trusted application acquires the device information of the target device from the secure storage area and returns the acquired device information to the second application.
In step 403, the second application sends an acquisition request for the authentication request data to the second server, where the acquisition request includes an account identifier corresponding to the user in the first application and device information of the target device.
In step 404, the second server obtains the authentication request data added with the second signature from the verification server according to the obtaining request. The authentication request data is generated and signed by the verification server. The second signature is added by a second private key of the authentication server. Specifically, the second server may forward the acquisition request to the verification server, so that the verification server generates the authentication request data related to the first application according to the acquisition request, adds a second signature to the authentication request data by using a second private key of the verification server, and returns the authentication request data added with the second signature to the second server.
In step 405, the second application may receive the authentication request data added with the second signature from the second server.
In step 406, the second application may generate a login-free authentication request including an account identifier corresponding to the user in the first application and authentication request data added with a second signature.
In step 409, the trusted application may respond to the login-exempt authentication request, and obtain a first private key associated with an account identifier according to the account identifier corresponding to the first application by the user in the request. It should be understood that the first private key is the first private key in the foregoing public-private key pair.
Optionally, the trusted application may hold a second public key of the authentication server. When the logoff authentication request includes authentication request data with the second signature added, the trusted application may determine whether the second signature matches the second public key of the verification server by performing step 408 before step 409. If it is determined that the second signature matches the second public key of the authentication server, step 409 may be performed.
If the second signature is matched with the second public key of the verification server, it can be shown that the second signature is legal, and the authentication request data is confirmed by the verification server.
In step 410, the trusted application may authenticate the user. For example, the trusted application may obtain target biometric information of the user. And then determining whether a biological characteristic template matched with the target biological characteristic information exists in the stored at least one biological characteristic template. If so, the user can be determined to pass the identity authentication. If not, the user may be determined to have failed the identity authentication.
Optionally, the authentication request data may include an identity authentication instruction, and the instruction may include an authentication method (e.g., face authentication, fingerprint authentication, iris authentication, or the like). Thus, further, in step 410, the trusted application may authenticate the user according to the authentication method.
If the trusted application determines that the user fails the authentication, a prompt indicating that the user fails the authentication may be presented to the user. If the trusted application determines that the user passes the identity authentication, an authentication result may be generated by performing step 411, and a third signature is added to the authentication result by using the first private key. And adding a third signature for the authentication result by using the first private key, so that the risk brought by misjudgment of the account can be avoided.
In step 412, the trusted application may return the authentication result with the third signature added to the second application. In practice, since the service party usually compares the verification result of the trust verification server, the second application may upload the authentication result added with the third signature to the verification server for the verification server to perform validity verification. Specifically, the second application may send a verification request to the second server by performing step 413, where the verification request includes an account identifier corresponding to the user in the first application and the authentication result added with the third signature, so that the second server forwards the verification request to the verification server by performing step 414.
In step 415, the verification server may perform validity verification on the authentication result added with the third signature according to the verification request, and generate a verification result. For example, the authentication server may first obtain the first public key associated with the account identifier according to the account identifier in the authentication request. Thereafter, the verification server may determine whether the third signature matches the first public key. Then, the verification server can generate a verification result according to the matching result.
As an implementation, if the matching result is that the third signature matches the first public key, a verification result indicating that the verification is passed may be generated.
As another implementation, if the matching result is that the third signature does not match the first public key, a verification result indicating that the verification failed may be generated.
As yet another implementation, if the matching result is that the third signature matches the first public key, it may be further determined whether the authentication result is legitimate, and a verification result may be generated. Specifically, if it is determined that the authentication result is legitimate, a verification result indicating that the verification is passed may be generated. If the authentication result is determined to be illegal, a verification result indicating a verification failure may be generated.
Optionally, the authentication result may include target biometric information of the user acquired by the trusted application when authenticating the user, and result information indicating whether the user is authenticated. Optionally, the authentication result may further include template information of at least one biometric template compared with the target biometric information, where the template information may include, for example, the biometric template itself, or a template identifier of the biometric template, etc. As an implementation manner, the verification server may determine whether the result information is correct according to the target biometric information and the template information in the authentication result. If the result information is correct, the authentication result can be determined to be legal. If the determination result information is incorrect, the authentication result may be determined to be illegal.
It should be understood that various validity verification methods may be employed for the authentication result added with the third signature, and this specification does not specifically limit this.
In step 416, the verification server may return the verification result to the second server, so that the second server performs a corresponding operation according to the verification result.
Optionally, after step 416, step 417 and step 418 may also be included.
Wherein, in step 417, the second server may return an operation instruction related to the call request to the second application in response to the verification result. In step 418, the second application may perform a corresponding operation according to the operation instruction.
As an example, if the verification result indicates that the verification passes, the second server may, for example, perform an operation related to invoking the first application, and return a corresponding operation instruction to the second application according to the operation result. If the verification result indicates that the verification fails, the second server may return to the second application, for example, and display an operation instruction for invoking the failure prompt information.
Optionally, if the first application is a payment-type application, in step 417, the second server may return a payment interface display instruction related to the invocation request to the second application in response to the verification result indicating that the verification is passed. Further, in step 418, the second application may display a corresponding payment interface according to the payment interface display instruction.
Optionally, when the target device does not install the first application, the payment interface display instruction may include a payment interface, which may be obtained by the second server from the first server of the first application.
Optionally, when the target device is installed with the first application, the payment interface display instruction may include an interface identifier of the payment interface, where the interface identifier may be obtained by the second server from the first server. In addition, the first server may send the payment interface corresponding to the interface identifier to the first application. The second application may jump to the payment interface based on the interface identification.
It should be understood that the operation flow after step 416 may be designed according to actual business requirements, and this specification is not limited thereto.
In the solution provided in this embodiment, the first application and the second application share the registration information of the first application in the TEE. Through the execution of the steps, whether the target device is still provided with the first application or not, the second application can be made to call the trusted application in response to the call request of the user for the first application, so that the trusted application realizes login-free account positioning and account verification according to the registration information. Thus, login-free authentication for the first application in a secure environment can be achieved.
In addition, when the user calls the first application in the second application, if the first application is not installed on the target device, by adopting the scheme provided by the embodiment, the HTML5 login page related to the first application can be avoided from being called, so that the user can perform target operation (for example, payment operation and the like) only after completing operations such as login authentication and the like on the page, and therefore, the operation flow can be simplified, the operation cost of the user is saved, and the user experience is improved. In addition, when the first application is a payment application, the scheme provided by the embodiment can be adopted, so that the order abandoning rate can be reduced, and the service loss can be reduced.
With further reference to fig. 5, a schematic structural diagram of an embodiment of the login-free authentication processing apparatus based on a trusted execution environment is shown. Wherein the apparatus is applied to a first application on a target device. The target device has a REE in which the first application is located and a TEE in which a trusted application is set.
As shown in fig. 5, the login-exempt authentication processing apparatus 500 based on the trusted execution environment of the present embodiment includes: a receiving unit 501, a trusted application calling unit 502 and a sending unit 503. Wherein the receiving unit 501 is configured to receive an opening request for a login-free authentication service of a user; the trusted application calling unit 502 is configured to send a login-free authentication registration request to the trusted application in response to the provisioning request, wherein the login-free authentication registration request includes an account identifier corresponding to the user in the first application; receiving a registration result added with a first signature from the trusted application, wherein the first signature is added by using a device private key of the target device, the registration result comprises a first public key in a public and private key pair generated by the trusted application for the first application, a key index of the public and private key pair, the account identifier, and a device identifier of the target device, and the trusted application stores registration information, and the registration information comprises the first private key in the public and private key pair, the key index, and the account identifier; the sending unit 503 is configured to forward, via the first service end of the first application, the registration result added with the first signature to the verification service end corresponding to the trusted application, so that the verification service end saves the registration result information after the verification of the first signature is passed, where the registration result information includes the first public key, the key index, and the account identifier.
In this embodiment, specific processing of the receiving unit 501, the trusted application invoking unit 502, and the sending unit 503 and technical effects brought by the processing can refer to the related description in the corresponding embodiment of fig. 2, which is not repeated herein.
Optionally, the receiving unit 501 may be further configured to: receiving first prompt information for indicating that the registration is completed; and the apparatus 500 may further include: and a presentation unit (not shown in the figure) configured to present, to the user, second prompt information indicating that the login-free authentication service is successfully opened in response to the first prompt information.
Optionally, the trusted application may hold a second public key of the authentication server; and the trusted application invocation unit 502 may be further configured to: acquiring equipment information of target equipment, wherein the equipment information at least comprises an equipment identifier; sending an acquisition request aiming at the registration request data to a first server, wherein the acquisition request comprises the account identification and the equipment information, so that the first server acquires the registration request data added with a second signature from the verification server according to the acquisition request, and the second signature is added by using a second private key of the verification server; receiving registration request data added with a second signature from a first service terminal; generating a login-free authentication registration request, wherein the login-free authentication registration request comprises the account identification and registration request data added with a second signature; sending the login-free authentication registration request to the trusted application; a registration result is received from the trusted application with the first signature added thereto returned in response to the second signature matching the second public key.
Optionally, the trusted application invoking unit 502 may be further configured to: device information of a target device is obtained from a trusted application.
Optionally, the registration request data includes the key index.
Optionally, the target device is configured with an SDK provided by the verification server, and the trusted application invoking unit 502 invokes an application interface of the trusted application using the SDK.
Optionally, the first application may comprise a payment-type application.
Optionally, the trusted application may include an IFAA TA, and the verification server may include an IFAA server.
With further reference to fig. 6, a schematic structural diagram of an embodiment of the login-free authentication processing apparatus based on a trusted execution environment is shown. The device is applied to a trusted application on a target device, the target device is provided with a REE and a TEE, the trusted application is located in the TEE, and a first application is installed in the REE.
As shown in fig. 6, the login-exempt authentication processing apparatus 600 based on the trusted execution environment of the present embodiment includes: a reception unit 601, a key generation unit 602, a registration information generation unit 603, a registration result generation unit 604, and a transmission unit 605. The receiving unit 601 is configured to receive a login-free authentication registration request from a first application, where the login-free authentication registration request includes an account identifier corresponding to a user in the first application; the key generation unit 602 is configured to generate a public-private key pair for a first application and assign a key index to the public-private key pair; the registration information generating unit 603 is configured to generate and store registration information, which includes a first private key of a public-private key pair, a key index, and the above-mentioned account identification; the registration result generating unit 604 is configured to generate a registration result, and add a first signature to the registration result by using a device private key of the target device, where the registration result includes a first public key in a public-private key pair, a key index, the above-mentioned account identifier, and a device identifier of the target device; the sending unit 605 is configured to return the registration result added with the first signature to the first application, so that the first application uploads the registration result added with the first signature to a verification server corresponding to the trusted application, and the verification server stores registration result information after the verification of the first signature is passed, where the registration result information includes the first public key, the key index, and the account identifier.
In this embodiment, specific processes of the receiving unit 601, the key generating unit 602, the registration information generating unit 603, the registration result generating unit 604, and the sending unit 605 and technical effects thereof may respectively refer to the related descriptions in the corresponding embodiment of fig. 2, and are not described herein again.
Optionally, the trusted application stores a second public key of the verification server, the login-free authentication registration request includes registration request data added with a second signature, and the second signature is added by using a second private key of the verification server; and the apparatus 600 may further include: a determining unit (not shown in the figure) configured to determine whether the second signature matches the second public key; and the key generation unit 602 may be further configured to: a public-private key pair is generated for the first application in response to the determination unit determining that the second signature matches the second public key.
Optionally, the registration request data includes a key index corresponding to the first application, and the key generating unit 602 may be further configured to: and distributing a key index included in the registration request data to the public-private key pair.
Optionally, the registration information generating unit 603 may be further configured to: and storing the registration information into a safe storage area in the TEE.
With further reference to fig. 7, a schematic structural diagram of an embodiment of the login-free authentication processing apparatus based on a trusted execution environment is shown. The device is applied to a second application on the target equipment, the target equipment is provided with an REE and a TEE, the second application is located in the REE and supports calling of the first application suitable for the REE, and the TEE is provided with a trusted application.
As shown in fig. 7, the login-exempt authentication processing apparatus 700 based on the trusted execution environment of the present embodiment includes: a receiving unit 701, a trusted application invoking unit 702 and a sending unit 703. Wherein, the receiving unit 701 is configured to receive a call request of a user for a first application; the trusted application invoking unit 702 is configured to send a login-free authentication request to the trusted application, where the login-free authentication request includes an account identifier corresponding to the user in the first application; receiving an authentication result added with a third signature from the trusted application, wherein the authentication result is generated in response to the user passing identity authentication, and the third signature is added by using the first private key associated with the account identification; the sending unit 703 is configured to send, via a second server of the second application, a verification request to a verification server corresponding to the trusted application, where the verification request includes the account identifier and the authentication result added with the third signature, and the verification server performs validity verification on the authentication result added with the third signature according to the verification request and returns the verification result to the second server.
In this embodiment, specific processes of the receiving unit 701, the trusted application invoking unit 702, and the sending unit 703 and technical effects brought by the processes may respectively refer to the related descriptions in the embodiment corresponding to fig. 4, and are not described herein again.
Optionally, the trusted application stores a second public key of the verification server; and the trusted application invoking unit 702 may be further configured to: acquiring equipment information of target equipment, wherein the equipment information at least comprises an equipment identifier; sending an acquisition request aiming at authentication request data to a second server, wherein the acquisition request comprises the account identifier and the equipment information, so that the second server acquires the authentication request data added with a second signature from the verification server according to the acquisition request, and the second signature is added by using a second private key of the verification server; receiving authentication request data added with a second signature from a second server; generating a login-free authentication request, wherein the login-free authentication request comprises the account identification and authentication request data added with a second signature; sending the login-free authentication request to the trusted application; an authentication result is received from the trusted application, with the addition of a third signature, returned in response to the second signature matching the second public key.
Optionally, the trusted application invoking unit 702 may be further configured to: device information of a target device is obtained from a trusted application.
Optionally, the trusted application invoking unit 702 may be further configured to: and determining whether the first application opens the login-free authentication service, and if so, sending a login-free authentication request to the trusted application.
Optionally, the receiving unit 701 may be further configured to: receiving an operation instruction which is related to the call request and is returned in response to the verification result from the second server; and the apparatus 700 may further include: and an execution unit (not shown in the figure) configured to execute corresponding operations according to the operation instructions.
Optionally, the first application may comprise a payment-type application; and the receiving unit 701 may be further configured to: receiving a payment interface display instruction which is returned in response to the verification result showing that the verification is passed and is related to the calling request from the second server; and the execution unit may be further configured to: and displaying a corresponding payment interface according to the payment interface display instruction.
Optionally, the target device may be configured with an SDK provided by the authentication server, and the second application calls an application interface of the trusted application using the SDK.
Optionally, the first application may comprise a payment-type application; the second application may include any one of the following applications: shopping applications, audio and video applications, electronic book applications, educational applications, gaming applications.
With further reference to fig. 8, a schematic structural diagram of an embodiment of the login-free authentication processing apparatus based on a trusted execution environment is shown. The device is applied to a trusted application on target equipment, the target equipment is provided with an REE and a TEE, the trusted application is located in the TEE, a second application is installed in the REE, and the second application supports calling of a first application suitable for the REE.
As shown in fig. 8, the login-exempt authentication processing apparatus 800 based on the trusted execution environment of the present embodiment includes: a receiving unit 801, an obtaining unit 802, an identity authentication unit 803 and a sending unit 804. Wherein the receiving unit 801 is configured to receive a login-free authentication request from the second application, the login-free authentication request being sent in response to a call request of a user for the first application, the login-free authentication request including an account identification corresponding to the first application by the user; the obtaining unit 802 is configured to obtain a first private key associated with an account identifier; the identity authentication unit 803 is configured to authenticate the user; responding to the user passing the identity authentication, generating an authentication result, and adding a third signature for the authentication result by using the first private key; the sending unit 804 is configured to return the authentication result added with the third signature to the second application, so that the second application uploads the authentication result added with the third signature to a verification server corresponding to the trusted application for validity verification by the verification server.
In this embodiment, specific processes of the receiving unit 801, the obtaining unit 802, the identity authentication unit 803, and the sending unit 804 and technical effects thereof may respectively refer to relevant descriptions in the corresponding embodiment of fig. 4, and are not described herein again.
Optionally, the trusted application stores a second public key of the verification server, the login-free authentication request includes authentication request data added with a second signature, and the second signature is added by using a second private key of the verification server; and the apparatus 800 may further include: a determining unit (not shown in the figure) configured to determine whether the second signature matches the second public key; and the obtaining unit 802 may be further configured to: and acquiring the first private key associated with the account identification in response to the determination unit determining that the second signature is matched with the second public key.
Optionally, the identity authentication unit 803 may be further configured to: acquiring target biological characteristic information of a user; determining whether a biological characteristic template matched with the target biological characteristic information exists in at least one stored biological characteristic template; if so, determining that the user passes the identity authentication; and if not, determining that the user does not pass the identity authentication.
Optionally, the target biometric information may include any one of: face features, fingerprint features, iris features.
The present specification also provides a computer readable storage medium, on which a computer program is stored, wherein when the computer program is executed in a computer, the computer program causes the computer to execute the methods respectively described in the above method embodiments.
The present specification further provides a computing device, including a memory and a processor, where the memory stores executable codes, and the processor executes the executable codes to implement the methods respectively described in the above method embodiments.
The present specification also provides a computer program product, which when executed on a data processing apparatus, causes the data processing apparatus to implement the methods respectively described in the above method embodiments.
Those skilled in the art will recognize that, in one or more of the examples described above, the functions described in the embodiments disclosed herein may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The above-mentioned embodiments, objects, technical solutions and advantages of the embodiments disclosed in the present specification are further described in detail, it should be understood that the above-mentioned embodiments are only specific embodiments of the embodiments disclosed in the present specification, and are not intended to limit the scope of the embodiments disclosed in the present specification, and any modifications, equivalent substitutions, improvements and the like made on the basis of the technical solutions of the embodiments disclosed in the present specification should be included in the scope of the embodiments disclosed in the present specification.

Claims (29)

1. A login-free authentication processing method based on a trusted execution environment is applied to a first application on a target device, the target device is provided with a common execution environment REE and a trusted execution environment TEE, the first application is located in the REE, and the TEE is provided with a trusted application, and the method comprises the following steps:
receiving an opening request of a user for the login-free authentication service;
responding to the opening request, and sending a login-free authentication registration request to the trusted application, wherein the login-free authentication registration request comprises an account identifier corresponding to the first application of the user;
receiving a registration result added with a first signature from the trusted application, the first signature being added using a device private key of the target device, the registration result including a first public key of a public-private key pair generated by the trusted application for the first application, a key index of the public-private key pair, the account identification, and a device identification of the target device, wherein the trusted application maintains registration information including the first private key of the public-private key pair, the key index, and the account identification;
and forwarding the registration result added with the first signature to a verification server corresponding to the trusted application through a first server of the first application, so that the verification server stores registration result information after the verification of the first signature passes, wherein the registration result information includes the first public key, the key index and the account identifier.
2. The method of claim 1, wherein after the forwarding, via the first service of the first application, the registration result added with the first signature to a verification service corresponding to the trusted application, the method further comprises:
receiving first prompt information for indicating that the registration is completed;
and responding to the first prompt message, and displaying a second prompt message for indicating that the login-free authentication service is successfully opened to the user.
3. The method of claim 1, wherein the trusted application holds a second public key of the authentication server; and
prior to the sending of the logoff-exempt authentication registration request to the trusted application, the method further comprises:
acquiring equipment information of the target equipment, wherein the equipment information at least comprises an equipment identifier;
sending an acquisition request aiming at registration request data to the first server, wherein the acquisition request comprises the account identifier and the equipment information, so that the first server acquires the registration request data added with a second signature from the verification server according to the acquisition request, and the second signature is added by using a second private key of the verification server;
receiving the registration request data added with the second signature from the first service terminal;
generating the login-free authentication registration request, wherein the login-free authentication registration request comprises the account identification and the registration request data added with the second signature; and
the receiving, from the trusted application, a registration result added with a first signature, comprising:
receiving, from the trusted application, a registration result with the first signature added thereto returned in response to the second signature matching the second public key.
4. The method of claim 3, wherein the obtaining device information of the target device comprises:
obtaining the device information from the trusted application.
5. A method according to claim 3, wherein the registration request data comprises the key index.
6. The method of claim 1, wherein the target device is configured with an SDK provided by the authentication server, the first application invoking an application interface of the trusted application with the SDK.
7. The method of claim 1, wherein the first application comprises a payment-type application.
8. The method of claim 1, wherein,
the trusted application comprises an internet financial identity authentication alliance trusted application IFAA TA;
the verification server comprises an IFAA server.
9. A login-free authentication processing method based on a trusted execution environment is applied to a trusted application on a target device, wherein the target device is provided with a common execution environment (REE) and a Trusted Execution Environment (TEE), the trusted application is located in the TEE, and a first application is installed in the REE, and the method comprises the following steps:
receiving a login-free authentication registration request from the first application, wherein the login-free authentication registration request comprises an account identifier corresponding to a user in the first application;
generating a public and private key pair aiming at the first application, and distributing a key index for the public and private key pair;
generating and storing registration information, wherein the registration information comprises a first private key in the public and private key pair, the key index and the account identifier;
generating a registration result, and adding a first signature to the registration result by using a device private key of the target device, where the registration result includes a first public key in the public and private key pair, the key index, the account identifier, and a device identifier of the target device;
and returning the registration result added with the first signature to the first application, so that the first application uploads the registration result added with the first signature to a verification server corresponding to the trusted application, and the verification server stores registration result information after the first signature passes verification, wherein the registration result information comprises the first public key, the key index and the account identifier.
10. The method of claim 9, wherein the trusted application holds a second public key of the verification server, the login-free authentication registration request includes registration request data added with a second signature, the second signature being added with a second private key of the verification server; and
after the receiving a login-exempt authentication registration request from the first application, the method further comprises:
determining whether the second signature matches the second public key;
and if so, executing the public and private key pair generated aiming at the first application.
11. The method of claim 10, wherein the registration request data includes a key index corresponding to the first application; and
the allocating a key index for the public and private key pair comprises:
and allocating a key index included in the registration request data to the public-private key pair.
12. The method of claim 9, wherein said maintaining registration information comprises:
and saving the registration information to a secure storage area in the TEE.
13. A login-free authentication processing method based on a trusted execution environment is applied to a second application on a target device, the target device is provided with a common execution environment REE and a trusted execution environment TEE, the second application is located in the REE and supports calling of a first application applicable to the REE, and the TEE is provided with the trusted application, and the method comprises the following steps:
receiving a call request of a user for the first application;
sending a login-free authentication request to the trusted application, wherein the login-free authentication request comprises an account identifier corresponding to the user in the first application;
receiving an authentication result added with a third signature from the trusted application, the authentication result being generated in response to the user passing identity authentication, the third signature being added with the first private key associated with the account identification;
sending a verification request to a verification server corresponding to the trusted application through a second server of the second application, where the verification request includes the account identifier and the authentication result added with the third signature, so that the verification server performs validity verification on the authentication result added with the third signature according to the verification request, and returns a verification result to the second server.
14. The method of claim 13, wherein the trusted application holds a second public key of the authentication server; and
prior to the sending of the logoff-exempt authentication request to the trusted application, the method further comprises:
acquiring equipment information of the target equipment, wherein the equipment information at least comprises an equipment identifier;
sending an acquisition request aiming at authentication request data to the second server, wherein the acquisition request comprises the account identifier and the equipment information, so that the second server acquires the authentication request data added with a second signature from the verification server according to the acquisition request, and the second signature is added by using a second private key of the verification server;
receiving the authentication request data added with the second signature from the second server;
generating the login-free authentication request, wherein the login-free authentication request comprises the account identification and the authentication request data added with the second signature; and
the receiving, from the trusted application, an authentication result added with a third signature, comprising:
receiving, from the trusted application, an authentication result with a third signature added thereto returned in response to the second signature matching the second public key.
15. The method of claim 13, wherein after the receiving a call request for the first application by a user, the method further comprises:
determining whether the first application has opened a login-free authentication service;
and if so, executing the step of sending the login-free authentication request to the trusted application.
16. The method of claim 13, wherein the method further comprises:
receiving an operation instruction which is related to the call request and is returned in response to the verification result from the second server;
and executing corresponding operation according to the operation instruction.
17. The method of claim 16, wherein the first application comprises a payment-type application; and
the receiving, from the second server, the operation instruction related to the call request returned in response to the verification result includes:
receiving a payment interface display instruction which is returned in response to the verification result representing that the verification is passed and is related to the calling request from the second server; and
and executing corresponding operations according to the operation instruction, wherein the operations comprise:
and displaying a corresponding payment interface according to the payment interface display instruction.
18. The method of claim 13, wherein the target device is configured with an SDK provided by the authentication server, and the second application invokes an application interface of the trusted application with the SDK.
19. The method of claim 13, wherein,
the first application comprises a payment-type application;
the second application includes any one of the following applications: shopping applications, audio and video applications, electronic book applications, educational applications, gaming applications.
20. A login-free authentication processing method based on a trusted execution environment is applied to a trusted application on a target device, the target device is provided with a common execution environment (REE) and a Trusted Execution Environment (TEE), the trusted application is located in the TEE, a second application is installed in the REE, and the second application supports calling of a first application applicable to the REE, and the method comprises the following steps:
receiving a login-free authentication request from the second application, wherein the login-free authentication request is sent in response to a call request of a user for the first application, and the login-free authentication request comprises an account identification corresponding to the user in the first application;
acquiring a first private key associated with the account identifier;
performing identity authentication on the user;
responding to the fact that the user passes identity authentication, generating an authentication result, and adding a third signature for the authentication result by using the first private key;
and returning the authentication result added with the third signature to the second application, so that the second application uploads the authentication result added with the third signature to a verification server corresponding to the trusted application for the verification server to perform validity verification.
21. The method of claim 20, wherein the trusted application holds a second public key of the verification server, the login-free authentication request includes authentication request data added with a second signature, and the second signature is added by a second private key of the verification server; and
after the receiving a logoff authentication request from the second application, the method further comprises:
determining whether the second signature matches the second public key;
and if so, executing the acquisition of the first private key associated with the account identifier.
22. The method of claim 20 or 21, wherein said authenticating the user comprises:
acquiring target biological characteristic information of the user;
determining whether a biological characteristic template matched with the target biological characteristic information exists in at least one stored biological characteristic template;
if so, determining that the user passes the identity authentication;
and if not, determining that the user does not pass the identity authentication.
23. The method of claim 22, wherein the target biometric information comprises any one of: face features, fingerprint features, iris features.
24. A login-free authentication processing device based on a trusted execution environment is applied to a first application on a target device, the target device is provided with a common execution environment REE and a trusted execution environment TEE, the first application is located in the REE, a trusted application is arranged in the TEE, and the device comprises:
a receiving unit configured to receive an opening request for a login-free authentication service of a user;
a trusted application calling unit configured to send a login-exempt authentication registration request to the trusted application in response to the provisioning request, wherein the login-exempt authentication registration request includes an account identifier corresponding to the first application by the user; receiving a registration result added with a first signature from the trusted application, the first signature being added using a device private key of the target device, the registration result including a first public key of a public-private key pair generated by the trusted application for the first application, a key index of the public-private key pair, the account identification, and a device identification of the target device, wherein the trusted application maintains registration information including the first private key of the public-private key pair, the key index, and the account identification;
a sending unit, configured to forward, via a first service end of the first application, the registration result added with the first signature to a verification service end corresponding to the trusted application, so that the verification service end saves registration result information after the verification of the first signature passes, where the registration result information includes the first public key, the key index, and the account identifier.
25. A login-free authentication processing device based on a trusted execution environment is applied to a trusted application on a target device, wherein the target device is provided with a common execution environment (REE) and a Trusted Execution Environment (TEE), the trusted application is located in the TEE, and a first application is installed in the REE, and the device comprises:
a receiving unit configured to receive a login-free authentication registration request from the first application, wherein the login-free authentication registration request comprises an account identifier corresponding to a user in the first application;
a key generation unit configured to generate a public-private key pair for the first application and assign a key index to the public-private key pair;
a registration information generating unit configured to generate and hold registration information including a first private key of the public-private key pair, the key index, and the account identification;
a registration result generating unit configured to generate a registration result and add a first signature to the registration result by using a device private key of the target device, wherein the registration result includes a first public key in the public and private key pair, the key index, the account identifier, and a device identifier of the target device;
a sending unit, configured to return the registration result added with the first signature to the first application, so that the first application uploads the registration result added with the first signature to a verification server corresponding to the trusted application, and the verification server stores registration result information after the verification of the first signature passes, where the registration result information includes the first public key, the key index, and the account identifier.
26. A login-free authentication processing apparatus based on a trusted execution environment, applied to a second application on a target device, where the target device has a common execution environment REE and a trusted execution environment TEE, the second application is located in the REE and supports invoking a first application applicable to the REE, and the TEE is provided with a trusted application, the apparatus comprising:
a receiving unit configured to receive a call request of a user for the first application;
a trusted application calling unit configured to send a login-free authentication request to the trusted application, wherein the login-free authentication request includes an account identifier corresponding to the user in the first application; receiving an authentication result added with a third signature from the trusted application, the authentication result being generated in response to the user passing identity authentication, the third signature being added with the first private key associated with the account identification;
a sending unit, configured to send, via a second server of the second application, a verification request to a verification server corresponding to the trusted application, where the verification request includes the account identifier and the authentication result added with the third signature, so that the verification server performs validity verification on the authentication result added with the third signature according to the verification request, and returns a verification result to the second server.
27. A login-free authentication processing apparatus based on a trusted execution environment, applied to a trusted application on a target device, where the target device has a common execution environment (REE) and a Trusted Execution Environment (TEE), and the trusted application is located in the TEE, a second application is installed in the REE, and the second application supports calling a first application applicable to the REE, and the apparatus includes:
a receiving unit configured to receive a login-free authentication request from the second application, the login-free authentication request being sent in response to a call request of a user for the first application, the login-free authentication request including an account identification corresponding to the first application by the user;
an obtaining unit configured to obtain a first private key associated with the account identifier;
an identity authentication unit configured to authenticate an identity of the user; responding to the fact that the user passes identity authentication, generating an authentication result, and adding a third signature for the authentication result by using the first private key;
the sending unit is configured to return the authentication result added with the third signature to the second application, so that the second application uploads the authentication result added with the third signature to a verification server corresponding to the trusted application for validity verification by the verification server.
28. A computer-readable storage medium, on which a computer program is stored, wherein the computer program, when executed in a computer, causes the computer to perform the method of any of claims 1-23.
29. A computing device comprising a memory and a processor, wherein the memory has stored therein executable code that when executed by the processor implements the method of any of claims 1-23.
CN202011231963.4A 2020-11-06 2020-11-06 Login-free authentication processing method and device based on trusted execution environment Active CN112311805B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011231963.4A CN112311805B (en) 2020-11-06 2020-11-06 Login-free authentication processing method and device based on trusted execution environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011231963.4A CN112311805B (en) 2020-11-06 2020-11-06 Login-free authentication processing method and device based on trusted execution environment

Publications (2)

Publication Number Publication Date
CN112311805A CN112311805A (en) 2021-02-02
CN112311805B true CN112311805B (en) 2022-04-12

Family

ID=74325236

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011231963.4A Active CN112311805B (en) 2020-11-06 2020-11-06 Login-free authentication processing method and device based on trusted execution environment

Country Status (1)

Country Link
CN (1) CN112311805B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102783115A (en) * 2010-02-09 2012-11-14 交互数字专利控股公司 Method and apparatus for trusted federated identity
CN106549920A (en) * 2015-09-21 2017-03-29 华为终端(东莞)有限公司 Log-on message input method, log-on message store method and relevant apparatus
CN107294725A (en) * 2016-04-05 2017-10-24 电子科技大学 A kind of three factor authentication methods under environment of multi-server

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106209749B (en) * 2015-05-08 2020-09-25 阿里巴巴集团控股有限公司 Single sign-on method and device, and related equipment and application processing method and device
US20200313856A1 (en) * 2019-03-29 2020-10-01 0Chain, LLC Systems and methods of blockchain platform for intermediaries and passwordless login
US11057366B2 (en) * 2018-08-21 2021-07-06 HYPR Corp. Federated identity management with decentralized computing platforms
CN110635916B (en) * 2019-09-30 2022-07-12 四川虹微技术有限公司 TEE-based security application authentication method

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102783115A (en) * 2010-02-09 2012-11-14 交互数字专利控股公司 Method and apparatus for trusted federated identity
CN106549920A (en) * 2015-09-21 2017-03-29 华为终端(东莞)有限公司 Log-on message input method, log-on message store method and relevant apparatus
CN107294725A (en) * 2016-04-05 2017-10-24 电子科技大学 A kind of three factor authentication methods under environment of multi-server

Also Published As

Publication number Publication date
CN112311805A (en) 2021-02-02

Similar Documents

Publication Publication Date Title
US10223520B2 (en) System and method for integrating two-factor authentication in a device
US10462118B2 (en) Systems and methods for login and authorization
RU2652425C1 (en) Payment verification method, device and system
CN108200089B (en) Method, device and system for realizing information security and storage medium
US10212151B2 (en) Method for operating a designated service, service unlocking method, and terminal
US9680841B2 (en) Network authentication method for secure user identity verification using user positioning information
CN109218260B (en) Trusted environment-based authentication protection system and method
CN110570569B (en) Activation method of virtual key configuration information, mobile terminal and server
US20190026456A1 (en) Methods and Apparatus for Authentication of Joint Account Login
TWI762293B (en) Secure service request processing method and device
US11218464B2 (en) Information registration and authentication method and device
US11709929B2 (en) Interaction method and apparatus
US20160267276A1 (en) Systems and Methods for Account Recovery Using a Platform Attestation Credential
CN112313983A (en) User authentication using companion device
CN111404695B (en) Token request verification method and device
CN111460410A (en) Server login method, device and system and computer readable storage medium
CN112738021A (en) Single sign-on method, terminal, application server, authentication server and medium
CN112311805B (en) Login-free authentication processing method and device based on trusted execution environment
CN110445791B (en) Plug-in authentication method and device, and plug-in authentication information storage method and device
US20220012730A1 (en) Service providing system, service providing device, service providing method, and service providing program
CN111371811A (en) Resource calling method, resource calling device, client and service server
CN107315610B (en) Method, device and computer readable storage medium for realizing password function
EP2916510A1 (en) Network authentication method for secure user identity verification using user positioning information
CN106533685B (en) Identity authentication method, device and system
CN115941217A (en) Method for secure communication and related product

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
REG Reference to a national code

Ref country code: HK

Ref legal event code: DE

Ref document number: 40045460

Country of ref document: HK

GR01 Patent grant
GR01 Patent grant