CN114124494B - Data processing method, device, equipment and storage medium - Google Patents

Info

Publication number: CN114124494B
Authority: CN (China)
Prior art keywords: pass, terminal, application, identifier, key
Legal status: Active
Application number: CN202111340259.7A
Other languages: Chinese (zh)
Other versions: CN114124494A (en
Inventors: 任梦璇, 薛淼, 刘千仞, 任杰, 王光全
Current Assignee: China United Network Communications Group Co Ltd
Original Assignee: China United Network Communications Group Co Ltd
Application filed by: China United Network Communications Group Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/062 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying encryption of the keys

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention provides a data processing method, a device, equipment and a storage medium, relates to the technical field of communication, and solves the technical problem in the prior art that, because the storage capacity and the computing capacity of a SIM card are limited, the SIM card cannot effectively compute a data signature and/or store the data collected by the terminal, which reduces data processing efficiency. The method comprises the following steps: acquiring original data, a first pass, a second pass and a first key; encrypting a first private key based on the first key under the condition that the first pass is the same as the second pass, and generating a second private key; decrypting the second private key based on a second key to obtain the first private key; generating a target digital signature based on the original data, a preset hash algorithm and the first private key; and sending a target data set to the service device, the target data set comprising the original data and the target digital signature.

Description

Data processing method, device, equipment and storage medium
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a data processing method, apparatus, device, and storage medium.
Background
At present, a terminal can input collected data into the subscriber identity module (SIM) card in the terminal, and a private key in the SIM card can be used to perform an encryption computation on the data to generate a data signature, so that the SIM card can store the collected data and the data signature, and whether the collected data has been tampered with can then be verified based on the corresponding public key.
However, in the above method, because the storage capacity and the computing capacity of the SIM card are limited, the SIM card may be unable to effectively compute the data signature and/or store the data collected by the terminal, which may reduce the efficiency of data processing and, in turn, affect the accuracy of data verification.
Disclosure of Invention
The invention provides a data processing method, a device, equipment and a storage medium, which solve the technical problem in the prior art that, because the storage capacity and the computing capacity of a SIM card are limited, the SIM card cannot effectively compute a data signature and/or store the data collected by the terminal, which reduces data processing efficiency.
In a first aspect, the present invention provides a data processing method, including: acquiring original data, a first pass, a second pass and a first key, wherein the first pass is a pass sent by a trusted execution device, the second pass is a pass sent by a service device, and the first key is a key sent by the trusted execution device; encrypting a first private key based on the first key under the condition that the first pass is identical to the second pass, and generating a second private key, wherein the first private key is a private key stored by the first terminal; decrypting the second private key based on a second key to obtain the first private key, wherein the second key is a symmetric key of the first key; generating a target digital signature based on the original data, a preset hash algorithm and the first private key; and sending a target data set to the service device, the target data set comprising the original data and the target digital signature.
In a second aspect, the present invention provides a data processing method, including: receiving a pass application request sent by a service device, wherein the pass application request comprises an identifier of a first application program and an identifier of a first terminal, and is used to apply for a pass corresponding to both the identifier of the first application program and the identifier of the first terminal; sending the pass application request to a trusted execution device; receiving a pass application response sent by the trusted execution device, wherein the pass application response comprises a first pass, and the first pass is the pass corresponding to both the identifier of the first application program and the identifier of the first terminal; storing the identifier of the first application program, the identifier of the first terminal and the first pass in a pass application ledger, and sending an application success notification message to the service device, wherein the application success notification message notifies the service device that the first pass has been successfully applied for.
In a third aspect, the present invention provides a data processing method, including: receiving a pass application request sent by a blockchain device, wherein the pass application request comprises an identifier of a first application program and an identifier of a first terminal, and is used to apply for a pass corresponding to both the identifier of the first application program and the identifier of the first terminal; under the condition that a pass corresponding to both the identifier of the first application program and the identifier of the first terminal exists in a first correspondence, acquiring that pass and determining the acquired pass as a first pass; sending a pass application response to the blockchain device, the pass application response including the first pass; and sending the first pass and the first key to the first terminal.
In a fourth aspect, the present invention provides a data processing apparatus comprising an acquisition module, a processing module and a sending module. The acquisition module is used for acquiring original data, a first pass, a second pass and a first key, wherein the first pass is a pass sent by the trusted execution device, the second pass is a pass sent by the service device, and the first key is a key sent by the trusted execution device. The processing module is used for encrypting a first private key based on the first key under the condition that the first pass is the same as the second pass, and generating a second private key, wherein the first private key is a private key stored by the first terminal. The processing module is further configured to decrypt the second private key based on a second key to obtain the first private key, where the second key is a symmetric key of the first key. The processing module is further used for generating a target digital signature based on the original data, a preset hash algorithm and the first private key. The sending module is used for sending a target data set to the service device, wherein the target data set comprises the original data and the target digital signature.
In a fifth aspect, the present invention provides a data processing apparatus comprising a receiving module, a sending module and a storage module. The receiving module is used for receiving a pass application request sent by the service device, wherein the pass application request comprises an identifier of a first application program and an identifier of a first terminal, and is used to apply for a pass corresponding to both the identifier of the first application program and the identifier of the first terminal. The sending module is used for sending the pass application request to the trusted execution device. The receiving module is further configured to receive a pass application response sent by the trusted execution device, where the pass application response includes a first pass, and the first pass is the pass corresponding to both the identifier of the first application program and the identifier of the first terminal. The storage module is used for storing the identifier of the first application program, the identifier of the first terminal and the first pass in a pass application ledger. The sending module is further configured to send an application success notification message to the service device, where the application success notification message notifies the service device that the first pass has been successfully applied for.
In a sixth aspect, the present invention provides a data processing apparatus comprising a receiving module, an acquisition module, a determination module and a sending module. The receiving module is used for receiving a pass application request sent by the blockchain device, wherein the pass application request comprises an identifier of a first application program and an identifier of a first terminal, and is used to apply for a pass corresponding to both the identifier of the first application program and the identifier of the first terminal. The acquisition module is used for acquiring the pass corresponding to both the identifier of the first application program and the identifier of the first terminal under the condition that such a pass exists in the first correspondence. The determination module is used for determining the acquired pass as a first pass. The sending module is used for sending a pass application response to the blockchain device, wherein the pass application response comprises the first pass. The sending module is further configured to send the first pass and the first key to the first terminal.
In a seventh aspect, the present invention provides a terminal, including: a processor and a memory configured to store processor-executable instructions; wherein the processor is configured to execute the instructions to implement any of the optional data processing methods of the first aspect described above.
In an eighth aspect, the present invention provides a server comprising: a processor and a memory configured to store processor-executable instructions; wherein the processor is configured to execute the instructions to implement any of the optional data processing methods of the second aspect described above, or to implement any of the optional data processing methods of the third aspect described above.
In a ninth aspect, the invention provides a computer readable storage medium having instructions stored thereon which, when executed by an apparatus, cause the apparatus to perform any of the above-described optional data processing methods of the first aspect, or to perform any of the above-described optional data processing methods of the second aspect, or to perform any of the above-described optional data processing methods of the third aspect.
With the data processing method, device, equipment and storage medium provided by the invention, the first terminal can acquire the original data, the first pass, the second pass and the first key, where the first pass is the pass sent by the trusted execution device and the second pass is the pass sent by the service device. If the first pass is identical to the second pass, this indicates that the second pass was indeed sent by the trusted execution device to the blockchain device and obtained by the service device from the blockchain device, i.e. the second pass is authorized by the trusted execution device, so the first terminal can encrypt the original data. Specifically, the terminal may encrypt and decrypt the first private key stored in the first terminal (specifically, in the SIM card) based on the first key, so as to obtain the first private key; this ensures that the first private key is not output from the SIM card, while the first terminal can use the first private key outside the SIM card, namely to generate a target digital signature based on the original data, a preset hash algorithm and the first private key. The first terminal may also send the original data and the target digital signature to the service device so that the service device can store the original data and the target digital signature. The data collected by the terminal can thus be effectively processed and stored, which improves data processing efficiency. Furthermore, the terminal can also determine whether the original data has been tampered with based on the original data, the target digital signature and the corresponding public key, which improves the accuracy of data verification.
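The terminal-side flow of the first aspect, written out as an added example in Go; it is not code from the patent. The patent names no algorithms, so AES-GCM for the first/second key, ECDSA P-256 for the first private key, SHA-256 for the preset hash algorithm, and the names SIM, Wrap, Unwrap, SignIfAuthorized and Verify are all assumptions, and the sample values in main are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"errors"
	"fmt"
)

// ErrPassMismatch means the pass from the trusted execution device and the pass from the service device differ.
var ErrPassMismatch = errors.New("first pass and second pass differ")

// SIM models the SIM card holding the first private key; NewSIM also returns the public half for verifiers.
type SIM struct{ priv *ecdsa.PrivateKey }

func NewSIM() (*SIM, *ecdsa.PublicKey) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // curve is an assumption
	if err != nil {
		panic(err) // no usable entropy source
	}
	return &SIM{priv: k}, &k.PublicKey
}

func newGCM(key []byte) (cipher.AEAD, error) { // AES-GCM is an assumption
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap encrypts the first private key under the first key; nonce||ciphertext is the "second private key".
func (s *SIM) Wrap(firstKey []byte) ([]byte, error) {
	der, err := x509.MarshalECPrivateKey(s.priv)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(firstKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, der, nil), nil
}

// Unwrap recovers the first private key with the second key; a wrong key fails the GCM tag check.
func Unwrap(secondKey, wrapped []byte) (*ecdsa.PrivateKey, error) {
	gcm, err := newGCM(secondKey)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(wrapped) < n {
		return nil, errors.New("wrapped key too short")
	}
	der, err := gcm.Open(nil, wrapped[:n], wrapped[n:], nil)
	if err != nil {
		return nil, err
	}
	return x509.ParseECPrivateKey(der)
}

// SignIfAuthorized compares the passes in constant time (an empty pass is refused), then wraps, unwraps and signs.
func SignIfAuthorized(sim *SIM, firstPass, secondPass, firstKey, secondKey, raw []byte) ([]byte, error) {
	if len(firstPass) == 0 || subtle.ConstantTimeCompare(firstPass, secondPass) != 1 {
		return nil, ErrPassMismatch
	}
	wrapped, err := sim.Wrap(firstKey)
	if err != nil {
		return nil, err
	}
	priv, err := Unwrap(secondKey, wrapped)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(raw) // stands in for the "preset hash algorithm"
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

func Verify(pub *ecdsa.PublicKey, raw, sig []byte) bool { // check run by any holder of the public key
	digest := sha256.Sum256(raw)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	sim, pub := NewSIM()
	key, pass, raw := make([]byte, 32), []byte("pass-A"), []byte("reading=21.5") // constructed samples
	sig, err := SignIfAuthorized(sim, pass, pass, key, key, raw)
	fmt.Println("error:", err, "verifies:", Verify(pub, raw, sig))
}
```

After Unwrap returns, the first private key is present in terminal memory in the clear, so in this sketch the SIM protects the key only at rest and while it is exported in wrapped form.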
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below.
FIG. 1 is a diagram illustrating a network architecture of a data processing system according to an embodiment of the present invention;
FIG. 2 is a schematic hardware diagram of a mobile phone according to an embodiment of the present invention;
FIG. 3 is a hardware schematic of a blockchain device according to an embodiment of the present invention;
FIG. 4 is a schematic flow chart of a data processing method according to an embodiment of the present invention;
FIG. 5 is a flowchart illustrating another data processing method according to an embodiment of the present invention;
FIG. 6 is a flowchart illustrating another data processing method according to an embodiment of the present invention;
FIG. 7 is a flowchart of another data processing method according to an embodiment of the present invention;
FIG. 8 is a flowchart illustrating another data processing method according to an embodiment of the present invention;
FIG. 9 is a flowchart of another data processing method according to an embodiment of the present invention;
FIG. 10 is a schematic diagram of an internal structure of a terminal according to an embodiment of the present invention;
FIG. 11 is a schematic diagram of a data processing apparatus according to an embodiment of the present invention;
FIG. 12 is a schematic diagram of another data processing apparatus according to an embodiment of the present invention;
FIG. 13 is a schematic diagram of another data processing apparatus according to an embodiment of the present invention;
FIG. 14 is a schematic diagram of another data processing apparatus according to an embodiment of the present invention;
FIG. 15 is a schematic diagram of another data processing apparatus according to an embodiment of the present invention;
FIG. 16 is a schematic structural diagram of another data processing apparatus according to an embodiment of the present invention.
Detailed Description
The data processing method, apparatus, device and storage medium provided by the embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
Furthermore, references to the terms "comprising" and "having" and any variations thereof in the description of the present application are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those listed but may optionally include other steps or elements not listed or inherent to such process, method, article, or apparatus.
It should be noted that, in the embodiments of the present invention, words such as "exemplary" or "such as" are used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" or "e.g." in an embodiment of the present invention is not to be taken as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion.
The term "and/or" as used herein covers either one or both of the listed items.
In the description of the present application, unless otherwise indicated, "a plurality" means two or more.
As described in the background, because the storage capacity and the computing capacity of the SIM card are limited in the prior art, the SIM card may be unable to effectively compute a data signature and/or store the data collected by the terminal, which may reduce the efficiency of data processing and, in turn, affect the accuracy of data verification. Based on the above, the embodiment of the invention provides a data processing method, a device, equipment and a storage medium, which can effectively process and store data collected by a terminal, thereby improving the efficiency of data processing. Furthermore, the terminal can also determine whether the original data has been tampered with based on the original data, the target digital signature and the corresponding public key, so that the accuracy of data verification can be improved.
The data processing method, apparatus, device and storage medium provided in the embodiments of the present invention may be applied to a data processing system, as shown in fig. 1, where the data processing system includes a service device 101, a blockchain device 102, a trusted execution device 103 and a terminal 104. In general, in practical applications, the connection between the above-mentioned devices or service functions may be a wireless connection, and for convenience and intuitiveness, the connection relationship between the devices is schematically shown by a solid line in fig. 1.
The service device 101 is configured to send a pass application request to the blockchain device 102, where the pass application request is used to apply for a pass corresponding to both the identifier of the first application program and the identifier of the first terminal.
The blockchain device 102 is configured to receive the pass application request sent by the service device 101. In the embodiment of the present invention, the blockchain device 102 is further configured to store the identifier of the first application program, the identifier of the first terminal, and the first pass in the pass application ledger.
The trusted execution device 103 is configured to receive the pass application request sent by the blockchain device 102. In the embodiment of the present invention, when a pass corresponding to both the identifier of the first application program and the identifier of the first terminal exists in the first correspondence, the trusted execution device 103 is further configured to obtain that pass and determine the obtained pass as the first pass.
The terminal 104 is configured to receive the pass sent by the service device 101, and is also configured to receive the pass sent by the trusted execution device 103. In the embodiment of the present invention, the terminal 104 is further configured to receive the first key sent by the trusted execution device 103.
It should be noted that 1 service device, 1 blockchain device, 1 trusted execution device, and 1 terminal shown in fig. 1 are only one example of the embodiment of the present invention. The number of the above-described respective devices is not particularly limited in the embodiment of the present invention.
In an embodiment of the present invention, the terminal 104 shown in fig. 1 may be: a cell phone, tablet, notebook, ultra mobile personal computer (Ultra-mobile Personal Computer, UMPC), netbook or personal digital assistant (Personal Digital Assistant, PDA), internet of things terminal, etc.
In the embodiment of the present invention, the terminal 104 shown in fig. 1 is taken as an example of a mobile phone, and the hardware structure of the terminal provided in the embodiment of the present invention is described in an exemplary manner. As shown in fig. 2, a mobile phone provided in an embodiment of the present invention includes: a processor 20, a Radio Frequency (RF) circuit 21, a power supply 22, a memory 23, an input unit 24, a display unit 25, an audio circuit 26, and the like. Those skilled in the art will appreciate that the structure of the handset shown in fig. 2 is not limiting of the handset, and may include more or fewer components than those shown in fig. 2, or may combine some of the components shown in fig. 2, or may differ in arrangement of components from those shown in fig. 2.
The processor 20 is a control center of the mobile phone, and connects various parts of the entire mobile phone using various interfaces and lines, and performs various functions and processes of the mobile phone by running or executing software programs and/or modules stored in the memory 23, and calling data stored in the memory 23, thereby performing overall monitoring of the mobile phone. Alternatively, the processor 20 may include one or more processing units. Alternatively, the processor 20 may integrate an application processor and a modem processor, wherein the application processor primarily processes operating systems, user interfaces, application programs, and the like; the modem processor primarily handles wireless communications. It will be appreciated that the modem processor described above may also be a processor that exists separately from processor 20.
The RF circuit 21 may be used to receive and transmit signals while information is being sent and received or during a call. For example, after receiving downlink information from the base station, the RF circuit 21 passes the downlink information to the processor 20 for processing; and it transmits uplink data to the base station. Typically, RF circuitry includes, but is not limited to, antennas, at least one amplifier, transceivers, couplers, low noise amplifiers (Low Noise Amplifier, LNAs), and diplexers, among others. In addition, the handset may also communicate wirelessly with other devices in the network via the RF circuit 21. The wireless communication may use any communication standard or protocol including, but not limited to, global system for mobile communications (Global System of Mobile Communication, GSM), general packet radio service (General Packet Radio Service, GPRS), code division multiple access (Code Division Multiple Access, CDMA), wideband code division multiple access (Wideband Code Division Multiple Access, WCDMA), LTE, email, short message service (Short Messaging Service, SMS), and the like.
The power supply 22 may be used to power the various components of the handset and the power supply 22 may be a battery. Alternatively, the power source may be logically connected to the processor 20 through a power management system, so that functions of managing charging, discharging, and power consumption are performed through the power management system.
The memory 23 may be used to store software programs and modules, and the processor 20 executes various functional applications and data processing of the mobile phone by running the software programs and modules stored in the memory 23. The memory 23 may mainly include a program storage area and a data storage area; the program storage area may store an operating system and application programs required for at least one function (such as a sound playing function, an image playing function, etc.), and the data storage area may store data (such as audio data, image data, phonebook, etc.) created according to the use of the mobile phone. In addition, memory 23 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid-state storage device.
The input unit 24 is operable to receive input numeric or character information and to generate key signal inputs related to user settings and function control of the handset. In particular, the input unit 24 may include a touch screen 241 and other input devices 242. The touch screen 241, also referred to as a touch panel, may collect touch operations thereon or thereabout by a user (e.g., operations of the user on the touch screen 241 or thereabout using any suitable object or accessory such as a finger, stylus, etc.), and drive the corresponding connection device according to a predetermined program. Alternatively, the touch screen 241 may include two parts, a touch detection device and a touch controller. The touch detection device detects the touch azimuth of a user, detects a signal brought by touch operation and transmits the signal to the touch controller; the touch controller receives touch information from the touch detection device and converts it into touch point coordinates, which are then sent to the processor 20, and can receive commands from the processor 20 and execute them. Further, the touch screen 241 may be implemented in various types such as resistive, capacitive, infrared, and surface acoustic wave. Other input devices 242 may include, but are not limited to, one or more of a physical keyboard, function keys (e.g., volume control keys, power switch keys, etc.), a trackball, a mouse, and a joystick, among others.
The display unit 25 may be used to display information input by a user or information provided to the user and various menus of the mobile phone. The display unit 25 may include a display panel 251. Alternatively, the display panel 251 may be configured in the form of a liquid crystal display (Liquid Crystal Display, LCD), an Organic Light-emitting Diode (OLED), or the like. Further, the touch screen 241 may cover the display panel 251, and when the touch screen 241 detects a touch operation thereon or thereabout, it is transferred to the processor 20 to determine the type of touch event, and then the processor 20 provides a corresponding visual output on the display panel 251 according to the type of touch event. Although in fig. 2, the touch screen 241 and the display panel 251 are two separate components to implement the input and output functions of the mobile phone, in some embodiments, the touch screen 241 may be integrated with the display panel 251 to implement the input and output functions of the mobile phone.
The audio circuit 26, speaker 261, and microphone 262 provide an audio interface between a user and the handset. On the one hand, the audio circuit 26 may convert received audio data into an electrical signal and transmit it to the speaker 261, where the electrical signal is converted into a sound signal for output. On the other hand, the microphone 262 converts collected sound signals into electrical signals, which are received by the audio circuit 26 and converted into audio data; the audio data are output to the RF circuit 21 through the processor 20 for transmission to, for example, another mobile phone, or are output to the memory 23 through the processor 20 for further processing.
Optionally, the handset shown in FIG. 2 may also include various sensors, such as gyroscopic sensors, hygrometric sensors, infrared sensors, magnetometer sensors, etc., which are not described in detail herein.
Optionally, the mobile phone shown in FIG. 2 may further include a wireless fidelity (Wireless Fidelity, WiFi) module, a Bluetooth module, etc., which will not be described herein.
Fig. 3 is a schematic diagram of a hardware structure of a blockchain device according to an embodiment of the present invention. As shown in fig. 3, the blockchain device 30 includes a processor 301, a memory 302, a network interface 303, and the like.
The processor 301 is a core component of the blockchain device 30, and the processor 301 is configured to run an operating system of the blockchain device 30 and applications (including a system application and a third party application) on the blockchain device 30 to implement a data processing method of the blockchain device 30.
In an embodiment of the present invention, the processor 301 may be a central processing unit (central processing unit, CPU), microprocessor, digital signal processor (digital signal processor, DSP), application-specific integrated circuit (application-specific integrated circuit, ASIC), field programmable gate array (field programmable gate array, FPGA) or other programmable logic device, transistor logic device, hardware components, or any combination thereof, capable of implementing or executing the various exemplary logic blocks, modules and circuits described in connection with the disclosure of embodiments of the present invention; a processor may also be a combination that performs computing functions, e.g., including one or more microprocessors, a combination of a DSP and a microprocessor, and the like.
Optionally, the processor 301 of the blockchain device 30 includes one or more CPUs, either single-core or multi-core.
Memory 302 includes, but is not limited to, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM), flash memory, or optical memory, among others. The memory 302 stores the code of the operating system.
Optionally, the processor 301 implements the data processing method in the embodiment of the present invention by reading the instructions stored in the memory 302, or the processor 301 implements the data processing method provided in the embodiment of the present invention by instructions stored internally. In the case where the processor 301 implements the data processing method provided by the embodiment of the present invention by reading the instructions stored in the memory, the instructions for implementing the data processing method provided by the embodiment of the present invention are stored in the memory.
The network interface 303 is a wired interface, such as a fiber distributed data interface (FDDI) or a Gigabit Ethernet (GE) interface. Alternatively, the network interface 303 is a wireless interface. The network interface 303 is used for the blockchain device 30 to communicate with other devices.
The memory 302 is used for storing an identification of the first application, an identification of the first terminal, and a first pass. The at least one processor 301 further performs the method described in the embodiments of the present invention based on the identification of the first application, the identification of the first terminal, and the first pass stored in the memory 302. For more details on the implementation of the above-described functions by the processor 301, reference is made to the description of the various method embodiments described below.
Optionally, the blockchain device 30 also includes a bus 304, and the processor 301 and the memory 302 are connected to each other by the bus 304, or connected to each other in other manners.
Optionally, the blockchain device 30 further includes an input/output interface 305, where the input/output interface 305 is configured to connect with an input device and receive a data processing request (i.e., a pass application request) input by a user through the input device. Input devices include, but are not limited to, a keyboard, touch screen, microphone, and the like. The input/output interface 305 is also used to connect with an output device and output the data processing result of the processor 301 (i.e., send an application success notification message to the service device). Output devices include, but are not limited to, displays, printers, and the like.
It should be understood that, in the embodiment of the present invention, the hardware structure of the trusted execution device and the hardware structure of the service device are similar to those of the blockchain device 30 shown in fig. 3, and the description of the hardware structure of the trusted execution device and the hardware structure of the service device may refer to the description of the hardware structure of the blockchain device 30, which is not described in detail herein.
The data processing method, the device, the equipment and the storage medium provided by the embodiment of the invention are applied to the application scene of data processing (particularly, data signature generation by calculating the data collected by the terminal and data signature storage). When the terminal acquires the original data, the target digital signature can be further generated based on the first pass sent by the service equipment, the second pass and the first key sent by the trusted execution equipment, and the original data and the target digital signature are sent to the service equipment. The data collected by the terminal can be effectively processed and stored, and the data processing efficiency is improved. Furthermore, the terminal can also determine whether the original data is tampered or not based on the original data, the target digital signature and the corresponding public key, so that the accuracy of data verification can be improved.
As shown in fig. 4, when the data processing method is applied to the service device 101, the data processing method provided by the embodiment of the present invention may include S101-S105.
S101, the service device sends a pass application request to the blockchain device.
The pass application request includes an identifier of a first application program and an identifier of a first terminal, and is used to apply for a pass corresponding to both the identifier of the first application program and the identifier of the first terminal.
It should be understood that a plurality of application programs may be included (or installed) in the first terminal, the first application program being one of them. After the service device sends the pass application request to the blockchain device, the blockchain device can send the pass application request to the trusted execution device to request that the trusted execution device allocate and issue a corresponding pass for the service device.
The pass in the embodiment of the invention is used to indicate that a certain application program (such as the first application program) in a certain terminal (such as the first terminal) is authorized by the trusted execution device. Specifically, when the service device (or even the terminal) receives the pass, this indicates that the data collected by the first application program in the first terminal may be processed in a trusted execution environment, where the trusted execution environment is the execution environment in the terminal that corresponds to the trusted execution device.
S102, the service device receives the application success notification message sent by the blockchain device.
The application success notification message is used to notify the service device that the first pass has been applied for successfully, and the first pass is a pass corresponding to both the identifier of the first application program and the identifier of the first terminal.
It should be appreciated that, after receiving the aforementioned pass application request, the trusted execution device may determine the first pass based on the identifier of the first application program and the identifier of the first terminal, and send the first pass to the blockchain device. The blockchain device may then store the first pass and send the application success notification message to the service device.
S103, the service device sends a blockchain ledger query request to the blockchain device.
The blockchain ledger query request includes the identifier of the first application program and the identifier of the first terminal, and is used to request the first pass.
It should be understood that, after receiving the above application success notification message, the service device may determine that the first pass has been applied for successfully, and then send the blockchain ledger query request to the blockchain device, so as to request the first pass from the pass application ledger.
S104, the service device receives the blockchain ledger query response sent by the blockchain device.
The blockchain ledger query response includes the first pass.
It is understood that after the blockchain device receives the first pass sent by the trusted execution device, the identifier of the first application program, the identifier of the first terminal and the first pass may be stored in the pass application ledger, and that a plurality of passes may be stored in the pass application ledger. In the embodiment of the invention, the blockchain device can determine the first pass from the plurality of passes based on the identifier of the first application program and the identifier of the first terminal, and send the blockchain ledger query response to the service device, that is, send the first pass to the service device.
S105, the service device sends the first pass to the first terminal.
It will be appreciated that the service device sends the first pass to the first terminal so that the terminal may receive the first pass. Furthermore, the terminal may determine, based on this first pass and the pass sent by the trusted execution device, whether the first pass is a pass assigned (or issued) by the trusted execution device, and further determine whether to encrypt the data collected by the first terminal.
The technical scheme provided by the embodiment has at least the following beneficial effects: as can be seen from S101-S105, the service device may send a pass application request to the blockchain device and receive an application success notification message sent by the blockchain device, which notifies the service device that a pass (i.e., the first pass) corresponding to both the identifier of the first application program and the identifier of the first terminal has been applied for successfully. The service device can then send a blockchain ledger query request to the blockchain device, that is, request the first pass; the service device can then receive the blockchain ledger query response sent by the blockchain device, that is, obtain the first pass, and send the first pass to the first terminal, so that the efficiency of applying for and distributing the pass can be improved. Furthermore, the terminal can determine whether to encrypt the data collected by the first terminal based on the first pass and the pass sent by the trusted execution device, so that the effectiveness of data encryption can be improved.
In an implementation manner of the embodiment of the present invention, the service device may further receive original data and a target digital signature sent by the first terminal, where the original data is data collected by the first terminal, and the target digital signature is generated by the first terminal based on the original data, a preset hash algorithm, and a private key stored by the first terminal.
As shown in fig. 5, when the data processing method is applied to the above-described blockchain device 102, the data processing method may include S201 to S207.
S201, the blockchain device receives a pass application request sent by the service device.
The pass application request includes an identifier of a first application program and an identifier of a first terminal, and is used to apply for a pass corresponding to both the identifier of the first application program and the identifier of the first terminal.
S202, the blockchain device sends the pass application request to the trusted execution device.
It should be appreciated that the blockchain device, upon receiving the pass application request, sends the pass application request to the trusted execution device, so that the trusted execution device may determine whether to assign (or issue) a corresponding pass.
S203, the blockchain device receives a pass application response sent by the trusted execution device.
The pass application response includes a first pass, where the first pass is a pass corresponding to both the identifier of the first application program and the identifier of the first terminal.
Optionally, the pass application response may further include a pass age of the first pass, the pass age being used to characterize the effective use time of the first pass.
It can be understood that the first pass included in the pass application response received by the blockchain device is specifically the pass that the trusted execution device has determined to correspond to both the identifier of the first application program and the identifier of the first terminal.
S204, the blockchain device stores the identifier of the first application program, the identifier of the first terminal and the first pass into a pass application ledger, and sends an application success notification message to the service device.
In combination with the description of the above embodiment, the application success notification message is used to notify the service device that the first pass has been applied for successfully.
It should be appreciated that the pass application ledger is used to store a plurality of pass application records. Specifically, the application record of one pass (e.g., the first pass) may include the identifier of the first application program, the identifier of the first terminal, the first pass, the pass age of the first pass, a timestamp corresponding to the application record (i.e., the time when the blockchain device stores the application record), and so on. Further, after receiving the blockchain ledger query request sent by the service device, the blockchain device may determine and obtain the first pass from the pass application ledger (specifically, from the application record of the first pass) based on the identifier of the first application program and the identifier of the first terminal.
S205, the blockchain device receives a blockchain ledger inquiry request sent by the service device.
The blockchain ledger query request includes the identifier of the first application program and the identifier of the first terminal, and is used to request the first pass.
In connection with the above description of the embodiments, it should be understood that the first pass is a pass corresponding to both the identifier of the first application program and the identifier of the first terminal.
S206, the blockchain device acquires the first pass from the pass application ledger based on the identifier of the first application program and the identifier of the first terminal.
It can be appreciated that the blockchain device may determine the application record of the first pass from the pass application ledger (specifically, the application records of the multiple passes) based on the identifier of the first application program and the identifier of the first terminal, so as to obtain the first pass from the application record of the first pass.
S207, the blockchain device sends a blockchain ledger inquiry response to the business device.
Wherein the blockchain ledger inquiry response includes the first pass.
In this way, the service device may receive the first pass and send the pass to the first terminal.
The technical scheme provided by the embodiment has at least the following beneficial effects: as can be seen from S201-S207, the blockchain device may receive a pass application request sent by the service device and send the pass application request to the trusted execution device, so that the trusted execution device may determine a first pass based on the identifier of the first application program and the identifier of the first terminal and send a pass application response to the blockchain device, where the pass application response includes the first pass, so that the blockchain device may acquire (or receive) the first pass. The blockchain device stores the identifier of the first application program, the identifier of the first terminal and the first pass into a pass application ledger, and sends an application success notification message to the service device, that is, notifies the service device that the first pass has been applied for successfully. Thus, after receiving the application success notification message, the service device may send a blockchain ledger query request to the blockchain device and obtain the first pass. In this way the pass can be acquired from the trusted execution device reasonably and effectively, and the efficiency of pass storage is improved.
Further, the blockchain device may receive a blockchain ledger query request sent by the service device, determine and obtain the first pass from the pass application ledger (specifically, from the application record of the first pass) based on the identifier of the first application program and the identifier of the first terminal, and then send a blockchain ledger query response to the service device. Thus, the service device can obtain the first pass and then send the first pass to the first terminal. This can improve the efficiency of acquiring the pass, and further improve the efficiency of data processing.
As shown in fig. 6, when the data processing method is applied to the above-described trusted execution device 103, the data processing method provided by the embodiment of the present invention may include S301 to S304.
S301, the trusted execution device receives a pass application request sent by the blockchain device.
In connection with the above description of the embodiments, it should be understood that the pass application request includes the identifier of the first application program and the identifier of the first terminal, and is used to apply for a pass corresponding to both the identifier of the first application program and the identifier of the first terminal.
S302, under the condition that the pass corresponding to the identification of the first application program and the identification of the first terminal exists in the first corresponding relation, the trusted execution device acquires the pass corresponding to the identification of the first application program and the identification of the first terminal, and determines the acquired pass as the first pass.
It will be appreciated that the identifier of an application program may correspond to a plurality of passes, and the identifier of a terminal may also correspond to a plurality of passes. In the embodiment of the present invention, the trusted execution device needs to determine a first pass from a plurality of passes based on the identifier of a certain application program (for example, the first application program) and the identifier of a certain terminal (for example, the first terminal).
For example, Table 1 below is an example of a first correspondence provided in an embodiment of the present invention. As shown in Table 1, the pass corresponding to both identifier 1 and identifier 6 is pass 1, the pass corresponding to both identifier 1 and identifier 7 is pass 2, the pass corresponding to both identifier 2 and identifier 6 is pass 3, and the pass corresponding to both identifier 3 and identifier 8 is pass 4. Identifier 1, identifier 2 and identifier 3 each represent the identifier of an application program, and identifier 6, identifier 7 and identifier 8 each represent the identifier of a terminal.
TABLE 1
Identifier of application program | Identifier of terminal | Pass
Identifier 1 | Identifier 6 | Pass 1
Identifier 1 | Identifier 7 | Pass 2
Identifier 2 | Identifier 6 | Pass 3
Identifier 3 | Identifier 8 | Pass 4
Assuming that the identifier of the first application is identifier 1 and the identifier of the first terminal is identifier 6, the trusted execution device obtains a pass 1, and determines the pass 1 as a first pass.
S303, the trusted execution device sends a pass application response to the blockchain device.
The pass application response includes the first pass.
In connection with the description of the above embodiments, it should be understood that the trusted execution device sends the pass application response to the blockchain device so that the blockchain device may obtain the first pass and store the application record of the first pass in the pass application ledger, so that the service device may query the pass application ledger to obtain the first pass.
S304, the trusted execution device sends the first pass and the first key to the first terminal.
It can be understood that the trusted execution device sends the first pass to the first terminal, so that the first terminal can determine whether to encrypt the data collected by the first terminal in combination with the pass sent by the service device. The first key is used for encrypting a private key stored by the first terminal.
It should be noted that the embodiment of the present invention is not limited to the execution sequence of S303 and S304. For example, S303 may be performed first and then S304 may be performed, S304 may be performed first and then S303 may be performed, or S303 and S304 may be performed simultaneously. For convenience of explanation, an example is illustrated in fig. 6 in which S303 is performed first and S304 is performed later.
The technical scheme provided by the embodiment has at least the following beneficial effects: S301 to S304 indicate that the trusted execution device may receive a pass application request sent by the blockchain device, obtain and determine a first pass from a first correspondence based on the identifier of a first application program and the identifier of a first terminal (i.e., a pass corresponding to both the identifier of the first application program and the identifier of the first terminal), and send a pass application response to the blockchain device, so that the blockchain device may obtain the first pass; further, the service device may obtain the first pass and send it to the first terminal. The trusted execution device may also send the first pass and the first key to the first terminal. In this way the pass required by the terminal can be determined accurately and sent to the terminal quickly and reasonably. Furthermore, the first terminal may determine whether to encrypt the data collected by the first terminal based on the pass sent by the service device and the pass sent by the trusted execution device, and encrypt the private key stored by the first terminal based on the first key, thereby encrypting the collected data. The data processing efficiency can be improved, and the security of data encryption can be improved.
Referring to fig. 6, as shown in fig. 7, in an implementation manner of the embodiment of the present invention, the acquiring the pass corresponding to both the identifier of the first application program and the identifier of the first terminal includes S3021 to S3022.
S3021, the trusted execution device determines whether the first application is an application corresponding to the first terminal when the identifier of the first terminal exists in the second correspondence relationship.
The second corresponding relation comprises identifiers of a plurality of terminals and identifiers of application programs corresponding to the identifiers of the terminals respectively.
It should be understood that the plurality of terminals are terminals approved by the trusted execution device. When the identifier of the first terminal exists in the second corresponding relationship, the first terminal is a terminal approved by the trusted execution device (i.e. the first terminal is one of the plurality of terminals), so that the trusted execution device can determine whether the first application is an application corresponding to the first terminal based on the identifier of the first application.
S3022, when the first application program is an application program corresponding to the first terminal, the trusted execution device acquires the first pass from the first correspondence based on the identifier of the first application program and the identifier of the first terminal.
It may be appreciated that a terminal may correspond to at least one application program, and the trusted execution device may determine, from the second correspondence, an identifier of the at least one application program corresponding to the first terminal based on the identifier of the first terminal, and when the identifier of the at least one application program corresponding to the first terminal includes the identifier of the first application program, indicate that the first application program is the application program corresponding to the first terminal.
Illustratively, table 2 below is an example of the above-described second correspondence relationship. As shown in table 2, the second correspondence relationship includes the identifications of the 3 terminals (i.e., the identifications 6, 7, and 8), and the identifications of the application programs to which the identifications of the 3 terminals respectively correspond. Specifically, the identifier of the application program corresponding to the identifier 6 includes an identifier 1, an identifier 2 and an identifier 3; the identifier of the application program corresponding to the identifier 7 comprises an identifier 1; the identifier of the application program corresponding to the identifier 8 comprises an identifier 2 and an identifier 3.
TABLE 2
Identifier of terminal | Identifiers of application programs corresponding to the identifier of the terminal
Identifier 6 | Identifier 1, identifier 2, identifier 3
Identifier 7 | Identifier 1
Identifier 8 | Identifier 2, identifier 3
Assuming that the identifier of the first terminal is identifier 8 and the identifier of the first application program is identifier 2, the trusted execution device determines that the first application program is the application program corresponding to the first terminal.
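The check of S3021-S3022 and the ledger handling of S201-S207, as an added Go example that is not part of the patent text: the two correspondences are loaded with the values of Tables 1 and 2, and the type names, error values, and the choice to return the newest matching ledger record are assumptions. It also covers a case the tables allow: identifier 2 is bound to terminal identifier 8 in Table 2, yet Table 1 holds no pass for that pair, so no pass is issued and nothing is written to the ledger.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

var (
	ErrTerminalNotApproved = errors.New("terminal identifier not in second correspondence")
	ErrAppNotBound         = errors.New("application does not correspond to this terminal")
	ErrNoPass              = errors.New("no pass for this pair in first correspondence")
)

// pair indexes the first correspondence by (application identifier, terminal identifier).
type pair struct{ App, Terminal string }

// TrustedExecutionDevice holds both correspondences.
type TrustedExecutionDevice struct {
	terminalApps map[string][]string // second correspondence (Table 2)
	passes       map[pair]string     // first correspondence (Table 1)
}

// DeterminePass performs S3021 (terminal approved, application bound) and then
// the first-correspondence lookup of S3022.
func (t *TrustedExecutionDevice) DeterminePass(app, terminal string) (string, error) {
	apps, approved := t.terminalApps[terminal]
	if !approved {
		return "", ErrTerminalNotApproved
	}
	bound := false
	for _, a := range apps {
		bound = bound || a == app
	}
	if !bound {
		return "", ErrAppNotBound
	}
	pass, ok := t.passes[pair{app, terminal}]
	if !ok {
		return "", ErrNoPass
	}
	return pass, nil
}

// Record is one application record in the pass application ledger.
type Record struct {
	App, Terminal, Pass string
	StoredAt            time.Time
}

// BlockchainDevice relays applications to the trusted execution device and keeps the ledger.
type BlockchainDevice struct {
	tee    *TrustedExecutionDevice
	ledger []Record
}

// Apply is S201-S204: forward the request, store the returned pass, report the outcome.
func (b *BlockchainDevice) Apply(app, terminal string) error {
	pass, err := b.tee.DeterminePass(app, terminal)
	if err != nil {
		return err // refused: nothing is written to the ledger
	}
	b.ledger = append(b.ledger, Record{App: app, Terminal: terminal, Pass: pass, StoredAt: time.Now()})
	return nil
}

// Query is S205-S207. Returning the newest matching record is an assumption of this example.
func (b *BlockchainDevice) Query(app, terminal string) (string, bool) {
	for i := len(b.ledger) - 1; i >= 0; i-- {
		if r := b.ledger[i]; r.App == app && r.Terminal == terminal {
			return r.Pass, true
		}
	}
	return "", false
}

// NewDemo loads the values of Tables 1 and 2 (identifiers shortened to their numbers).
func NewDemo() *BlockchainDevice {
	return &BlockchainDevice{tee: &TrustedExecutionDevice{
		terminalApps: map[string][]string{"6": {"1", "2", "3"}, "7": {"1"}, "8": {"2", "3"}},
		passes: map[pair]string{
			{"1", "6"}: "pass 1", {"1", "7"}: "pass 2", {"2", "6"}: "pass 3", {"3", "8"}: "pass 4",
		},
	}}
}

func main() {
	b := NewDemo()
	for _, req := range []pair{{"1", "6"}, {"2", "7"}, {"2", "8"}, {"1", "9"}} {
		err := b.Apply(req.App, req.Terminal)
		pass, found := b.Query(req.App, req.Terminal)
		fmt.Printf("app %s / terminal %s: apply=%v pass=%q found=%v\n", req.App, req.Terminal, err, pass, found)
	}
}
```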
As shown in fig. 8, when the data processing method is applied to the terminal 104, the data processing method provided by the embodiment of the present invention may include S401 to S405.
S401, the first terminal acquires the original data, the first pass, the second pass and the first key.
The first pass is a pass sent by the trusted execution device, the second pass is a pass sent by the service device, and the first key is a key sent by the trusted execution device.
In combination with the description of the above embodiment, both the service device and the trusted execution device may send a pass to the first terminal. The pass sent by the trusted execution device (i.e., the first pass) is sent directly to the first terminal after the trusted execution device determines it based on the identifier of the first application program and the identifier of the first terminal; this first pass is used to ensure that the data (i.e., the original data) collected by the first terminal (specifically, by the first application program included in the first terminal) can be processed in the trusted execution environment. The pass sent by the service device (i.e., the second pass) is the pass (the first pass in the above embodiment) that the service device queries and obtains from the blockchain device (specifically, from the above pass application ledger).
It should be appreciated that the first pass may be the same as the second pass or may be different from the second pass.
In one case, where the first pass is the same as the second pass, it is stated that the pass sent by the business device to the first terminal (i.e., the second pass) is indeed sent by the trusted execution device to the blockchain device and is obtained by the business device from the blockchain device, and is a pass corresponding to both the identity of the first application and the identity of the first terminal (i.e., authorized by the trusted execution device). At this time, the first terminal may encrypt the original data.
In another case, the first pass is different from the second pass, which indicates that the second pass sent by the service device to the first terminal is not a pass that was sent by the trusted execution device to the blockchain device and corresponds to both the identification of the first application and the identification of the first terminal. That is, the service device may obtain an incorrect pass, or the obtained pass does not correspond to the identifier of the first application and the identifier of the first terminal. As such, the first terminal cannot encrypt the original data.
S402, in the case that the first pass is identical to the second pass, the first terminal encrypts the first private key based on the first key to generate a second private key.
The first private key is a private key stored in the first terminal.
It will be appreciated that the first private key is stored in particular in the SIM card of the first terminal.
S403, the first terminal decrypts the second private key based on the second key to obtain the first private key.
Wherein the second key is a symmetric key of the first key.
It is understood that the first terminal obtains the first private key in an encryption and decryption mode, so that the first private key is still stored in the SIM and is not output from the SIM card, and meanwhile, the first terminal can use the first private key outside the SIM card, and the effectiveness of data processing can be improved.
S404, the first terminal generates a target digital signature based on the original data, the preset hash algorithm and the first private key.
S405, the first terminal sends a target data set to the service device.
Wherein the target data set includes the original data and the target digital signature.
The technical scheme provided by the embodiment has at least the following beneficial effects: S401 to S405 indicate that the first terminal may obtain the original data, a first pass, a second pass, and a first key, where the first pass is a pass sent by the trusted execution device, and the second pass is a pass sent by the service device. In the case that the first pass is identical to the second pass, the second pass was indeed sent by the trusted execution device to the blockchain device and obtained by the service device from the blockchain device, i.e., the second pass is authorized by the trusted execution device, so that the first terminal can encrypt the original data. Specifically, the terminal may encrypt and decrypt the first private key stored in the first terminal (specifically, in the SIM card) based on the first key, so as to obtain the first private key. This ensures that the first private key is not output from the SIM card, while the first terminal can still use the first private key outside the SIM card, namely to generate a target digital signature based on the original data, a preset hash algorithm and the first private key. The first terminal may also transmit the original data and the target digital signature to the service device so that the service device may store the original data and the target digital signature. The data collected by the terminal can be effectively processed and stored, and the data processing efficiency is improved. Furthermore, the terminal can also determine whether the original data has been tampered with based on the original data, the target digital signature and the corresponding public key, so that the accuracy of data verification can be improved.
Referring to fig. 8, as shown in fig. 9, the above-mentioned generation of the target digital signature based on the original data, the preset hash algorithm, and the first private key includes S4041-S4042.
S4041, the first terminal generates a first abstract based on the original data and a preset hash algorithm.
S4042, the first terminal generates a target digital signature based on the first digest and the first private key.
In one implementation of the embodiment of the present invention, after the first terminal generates and stores the target digital signature (or after the service device receives the original data and the target digital signature), a second digest may be generated based on the original data and the preset hash algorithm, and the target digital signature is verified based on the first public key (i.e., the public key stored in the SIM in the terminal) to generate a third digest. It is then determined whether the third digest is identical to the second digest; when the third digest is identical to the second digest, the original data has been preserved intact, i.e., it has not been tampered with.
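The pass check, the hash-then-sign of S4041 to S4042 and the digest comparison described above can be traced in code. This is an added example, not code from the patent: SHA-256 as the preset hash algorithm, textbook RSA as the signature primitive, the constructed Mersenne-prime key and all function names are assumptions.

```python
import hashlib
import hmac

# Constructed demo key. Two Mersenne primes keep key generation deterministic
# and offline; primes of this special form must never be used for real keys.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                          # modulus, part of the first public key
E = 65537                          # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # stands in for the first private key


def digest(original_data: bytes) -> int:
    """Preset hash algorithm (assumed here to be SHA-256) over the original data."""
    return int.from_bytes(hashlib.sha256(original_data).digest(), "big")


def sign_original_data(original_data: bytes, first_pass: bytes, second_pass: bytes) -> dict:
    """First terminal: build the target data set only if both passes match."""
    # The first pass came from the trusted execution device, the second from
    # the service device. A mismatch means the service device's pass was not
    # authorized, so the private key is never used.
    if not hmac.compare_digest(first_pass, second_pass):
        raise PermissionError("second pass does not match the first pass")
    first_digest = digest(original_data)             # S4041
    target_signature = pow(first_digest, D, N)       # S4042 (textbook RSA, no padding)
    return {"original_data": original_data,
            "target_digital_signature": target_signature}


def is_untampered(target_data_set: dict) -> bool:
    """Verifier: recompute the second digest and compare it with the third."""
    second_digest = digest(target_data_set["original_data"])
    # Applying the first public key to the signature recovers the digest that
    # was signed; this is the "third digest" of the description.
    third_digest = pow(target_data_set["target_digital_signature"], E, N)
    return third_digest == second_digest
```

A deployment would use a padded scheme such as RSASSA-PSS or ECDSA from a vetted library; unpadded RSA is used here only to make the second and third digests visible.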
As shown in fig. 10, in the embodiment of the present invention, the first terminal may include a first application program, a trusted execution application program, an operating system, and a SIM card.
Specifically, the first application program is the application program corresponding to the service device. It may collect related data (i.e., obtain the original data) and send the original data to the operating system (specifically, to a trusted execution environment in the operating system), which corresponds to "original data" in fig. 10. In the embodiment of the present invention, the first application program is further configured to receive the pass (i.e., the second pass) sent by the service device.
The trusted execution application is the application corresponding to the trusted execution device, and it is configured to receive the pass (i.e., the first pass) and the first key sent by the trusted execution device. In the embodiment of the present invention, the trusted execution application is further configured to send the first key to the SIM card, specifically to the trusted execution application module included in the SIM card, which corresponds to "first key" in fig. 10.
The operating system includes the trusted execution environment, which is used for encrypting the original data, specifically, generating the target digital signature based on the original data, the preset hash algorithm, and the first private key (generated by the "second key" and the second private key in fig. 10).
The SIM card comprises the trusted execution application module, the trusted execution application module comprises the first secret key, and the SIM card also comprises the first private key and the first public key.
The embodiment of the invention can divide the functional modules of the first terminal, the blockchain device, the trusted execution device, the service device and the like according to the method example, for example, each functional module can be divided corresponding to each function, and two or more functions can be integrated in one processing module. The integrated modules may be implemented in hardware or in software functional modules. It should be noted that, in the embodiment of the present invention, the division of the modules is schematic, which is merely a logic function division, and other division manners may be implemented in actual implementation.
In the case of dividing the respective functional modules by the respective functions, fig. 11 shows a schematic diagram of one possible configuration of the data processing apparatus (specifically, the first terminal) involved in the above-described embodiment, and as shown in fig. 11, the data processing apparatus 40 may include: an acquisition module 401, a processing module 402 and a sending module 403.
The obtaining module 401 is configured to obtain original data, a first pass, a second pass, and a first key, where the first pass is a pass sent by a trusted execution device, the second pass is a pass sent by a service device, and the first key is a key sent by the trusted execution device.
The processing module 402 is configured to encrypt a first private key based on the first key to generate a second private key when the first pass is the same as the second pass, where the first private key is a private key stored in the first terminal.
The processing module 402 is further configured to decrypt a second private key based on the second key to obtain the first private key, where the second key is a symmetric key of the first key.
The processing module 402 is further configured to generate a target digital signature based on the original data, the preset hash algorithm, and the first private key.
A sending module 403, configured to send a target data set to a service device, where the target data set includes the original data and the target digital signature.
Optionally, the processing module 402 is specifically configured to generate the first digest based on the original data and the preset hash algorithm.
The processing module 402 is specifically further configured to generate the target digital signature based on the first digest and the first private key.
In case of an integrated unit, fig. 12 shows a possible structural schematic diagram of the data processing device (in particular, the first terminal) involved in the above-described embodiment. As shown in fig. 12, the data processing apparatus 50 may include: a processing module 501 and a communication module 502. The processing module 501 may be used to control and manage the operation of the data processing apparatus 50. The communication module 502 may be used to support communication of the data processing apparatus 50 with other entities. Optionally, as shown in fig. 12, the data processing device 50 may further include a storage module 503 for storing program codes and data of the data processing device 50.
The processing module 501 may be a processor or a controller (e.g., may be the processor 301 described above and shown in fig. 3). The communication module 502 may be a transceiver, a transceiver circuit, a communication interface, or the like (e.g., may be the network interface 303 described above and shown in fig. 3). The storage module 503 may be a memory (e.g., may be the memory 302 described above and shown in fig. 3).
Where the processing module 501 is a processor, the communication module 502 is a transceiver, and the storage module 503 is a memory, the processor, the transceiver, and the memory may be connected by a bus. The bus may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus, or the like. The buses may be divided into address buses, data buses, control buses, etc.
In the case of dividing the respective functional modules by the respective functions, fig. 13 shows a schematic diagram of one possible configuration of the data processing apparatus (specifically, the blockchain device) involved in the above-described embodiment, and as shown in fig. 13, the data processing apparatus 60 may include: a receiving module 601, a transmitting module 602 and a storage module 603.
The receiving module 601 is configured to receive a pass application request sent by a service device, where the pass application request includes an identifier of a first application program and an identifier of a first terminal, and the pass application request is used to apply for a pass corresponding to both the identifier of the first application program and the identifier of the first terminal.
The sending module 602 is configured to send the pass application request to the trusted execution device.
The receiving module 601 is further configured to receive a pass application response sent by the trusted execution device, where the pass application response includes a first pass, and the first pass is a pass corresponding to both the identifier of the first application program and the identifier of the first terminal.
The storage module 603 is configured to store the identifier of the first application program, the identifier of the first terminal, and the first pass in a pass application ledger.
The sending module 602 is further configured to send an application success notification message to the service device, where the application success notification message is used to notify the service device that the first pass has been applied for successfully.
Optionally, the data processing apparatus 60 further comprises an acquisition module 604.
The receiving module 601 is further configured to receive a blockchain ledger query request sent by the service device, where the blockchain ledger query request includes an identifier of the first application program and an identifier of the first terminal, and the blockchain ledger query request is used to request to obtain the first pass.
The obtaining module 604 is configured to obtain the first pass from the pass application ledger based on the identifier of the first application program and the identifier of the first terminal.
The sending module 602 is further configured to send a blockchain ledger query response to the service device, where the blockchain ledger query response includes the first pass.
In case of an integrated unit, fig. 14 shows a possible structural schematic diagram of the data processing apparatus (in particular, the blockchain device) involved in the above embodiment. As shown in fig. 14, the data processing apparatus 70 may include: a processing module 701 and a communication module 702. The processing module 701 may be used to control and manage the actions of the data processing apparatus 70. The communication module 702 may be used to support communication of the data processing apparatus 70 with other entities. Optionally, as shown in fig. 14, the data processing device 70 may further include a storage module 703 for storing program codes and data of the data processing device 70.
The processing module 701 may be a processor or a controller (e.g., may be the processor 301 shown in fig. 3 and described above). The communication module 702 may be a transceiver, a transceiver circuit, a communication interface, or the like (e.g., may be the network interface 303 described above and shown in fig. 3). The storage module 703 may be a memory (e.g., may be the memory 302 described above and shown in fig. 3).
When the processing module 701 is a processor, the communication module 702 is a transceiver, and the storage module 703 is a memory, the processor, the transceiver and the memory may be connected through a bus. The bus may be a PCI bus or an EISA bus, etc. The buses may be divided into address buses, data buses, control buses, etc.
In the case of dividing the respective functional modules by the respective functions, fig. 15 shows a schematic diagram of one possible configuration of the data processing apparatus (specifically, the trusted execution device) involved in the above-described embodiment, and as shown in fig. 15, the data processing apparatus 80 may include: a receiving module 801, an acquiring module 802, a determining module 803 and a transmitting module 804.
The receiving module 801 is configured to receive a pass application request sent by a blockchain device, where the pass application request includes an identifier of a first application program and an identifier of a first terminal, and the pass application request is used to apply for a pass corresponding to both the identifier of the first application program and the identifier of the first terminal.
The obtaining module 802 is configured to obtain, when a pass corresponding to both the identifier of the first application and the identifier of the first terminal exists in the first correspondence, a pass corresponding to both the identifier of the first application and the identifier of the first terminal.
A determining module 803, configured to determine the obtained pass as a first pass.
A sending module 804, configured to send a pass application response to the blockchain device, where the pass application response includes the first pass.
The sending module 804 is further configured to send the first pass and the first key to the first terminal.
Optionally, the determining module 803 is specifically configured to determine whether the first application is an application corresponding to the first terminal if the identifier of the first terminal exists in a second correspondence, where the second correspondence includes identifiers of a plurality of terminals and identifiers of the applications corresponding to the identifiers of the plurality of terminals.
The obtaining module 802 is specifically configured to obtain, when the first application is an application corresponding to the first terminal, the first pass from the first correspondence based on the identifier of the first application and the identifier of the first terminal.
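How the pass reaches the first terminal over two paths, as described for the blockchain device and the trusted execution device above, shown as an added example that is not code from the patent. Class and method names, the random pass values, the registration step and the refusal behaviour when no pass exists are assumptions.

```python
import hmac
import secrets


class FirstTerminal:
    def __init__(self, terminal_id):
        self.terminal_id = terminal_id
        self.first_pass = None           # set only by the trusted execution device

    def accept_service_pass(self, second_pass):
        """Compare the pass offered by the service device with the first pass."""
        if self.first_pass is None or second_pass is None:
            return False
        return hmac.compare_digest(self.first_pass, second_pass)


class TrustedExecutionDevice:
    def __init__(self):
        self.second_correspondence = {}  # terminal identifier -> application identifiers
        self.first_correspondence = {}   # (application id, terminal id) -> pass
        self.terminals = {}              # terminal identifier -> FirstTerminal

    def register(self, app_id, terminal):
        """Provisioning assumed for this example; the pass is a constructed value."""
        self.terminals[terminal.terminal_id] = terminal
        self.second_correspondence.setdefault(terminal.terminal_id, set()).add(app_id)
        self.first_correspondence[(app_id, terminal.terminal_id)] = secrets.token_hex(16)

    def handle_pass_application(self, app_id, terminal_id):
        # Second correspondence: is this application one of the terminal's applications?
        if app_id not in self.second_correspondence.get(terminal_id, set()):
            return None
        # First correspondence: the pass bound to both identifiers.
        first_pass = self.first_correspondence.get((app_id, terminal_id))
        if first_pass is not None:
            # Direct path to the terminal, independent of the service device.
            self.terminals[terminal_id].first_pass = first_pass
        return first_pass


class BlockchainDevice:
    def __init__(self, trusted_execution_device):
        self.ted = trusted_execution_device
        self.ledger = []                 # pass application ledger

    def apply_for_pass(self, app_id, terminal_id):
        """Forward the request, record the response, report success or failure."""
        first_pass = self.ted.handle_pass_application(app_id, terminal_id)
        if first_pass is None:
            return False
        self.ledger.append({"app_id": app_id, "terminal_id": terminal_id,
                            "pass": first_pass})
        return True                      # application success notification

    def query_ledger(self, app_id, terminal_id):
        """Blockchain ledger query made by the service device."""
        for entry in self.ledger:
            if (entry["app_id"], entry["terminal_id"]) == (app_id, terminal_id):
                return entry["pass"]
        return None
```

A service device that presents any value other than the ledger entry fails `accept_service_pass`, because the terminal holds its own copy received from the trusted execution device.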
In case of an integrated unit, fig. 16 shows a possible structural schematic diagram of the data processing apparatus (in particular, the trusted execution device) involved in the above-described embodiment. As shown in fig. 16, the data processing apparatus 90 may include: a processing module 901 and a communication module 902. The processing module 901 may be used to control and manage the operation of the data processing apparatus 90. The communication module 902 may be used to support communication of the data processing apparatus 90 with other entities. Optionally, as shown in fig. 16, the data processing device 90 may further include a storage module 903 for storing program code and data of the data processing device 90.
The processing module 901 may be a processor or a controller (e.g., may be the processor 301 shown in fig. 3 and described above). The communication module 902 may be a transceiver, a transceiver circuit, a communication interface, or the like (e.g., may be the network interface 303 described above and shown in fig. 3). The storage module 903 may be a memory (e.g., may be the memory 302 described above and shown in fig. 3).
When the processing module 901 is a processor, the communication module 902 is a transceiver, and the storage module 903 is a memory, the processor, the transceiver, and the memory may be connected through a bus. The bus may be a PCI bus or an EISA bus, etc. The buses may be divided into address buses, data buses, control buses, etc.
It should be understood that, in various embodiments of the present invention, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic thereof, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented using a software program, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in accordance with embodiments of the present invention are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired (e.g., coaxial cable, optical fiber, digital subscriber line (DSL)) or wireless (e.g., infrared, wireless, microwave, etc.) means. The computer-readable storage medium may be any available medium that can be accessed by a computer, or a data storage device, such as a server or data center, that integrates one or more available media. The usable medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a DVD), or a semiconductor medium (e.g., a solid state disk (SSD)), or the like.
The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (9)

1. A data processing method, applied to a first terminal, the method comprising:
acquiring original data, a first pass, a second pass and a first key, wherein the first pass is a pass sent by a trusted execution device, the second pass is a pass sent by a service device, the first key is a key sent by the trusted execution device, the first pass is a pass corresponding to both an identifier of a first application program and an identifier of a first terminal, and the second pass is a pass queried and acquired by the service device from a blockchain device;
encrypting a first private key based on the first key in the case that the first pass is identical to the second pass, and generating a second private key, wherein the first private key is a private key stored by the first terminal;
decrypting a second private key based on the second key to obtain the first private key, wherein the second key is a symmetric key of the first key;
generating a target digital signature based on the original data, a preset hash algorithm and the first private key;
and sending a target data set to the service device, wherein the target data set comprises the original data and the target digital signature.
2. The data processing method of claim 1, wherein the generating a target digital signature based on the original data, a hash algorithm, and the first private key comprises:
generating a first digest based on the original data and the preset hash algorithm;
the target digital signature is generated based on the first digest and the first private key.
3. A data processing method for use with a blockchain device, the method comprising:
receiving a pass application request sent by a service device, wherein the pass application request comprises an identifier of a first application program and an identifier of a first terminal, and the pass application request is used for applying for a pass corresponding to the identifier of the first application program and the identifier of the first terminal;
sending the pass application request to a trusted execution device;
receiving a pass application response sent by the trusted execution device, wherein the pass application response comprises a first pass, and the first pass is a pass corresponding to the identifier of the first application program and the identifier of the first terminal;
storing the identifier of the first application program, the identifier of the first terminal and the first pass into a pass application ledger, and sending an application success notification message to the service device, wherein the application success notification message is used for notifying the service device that the first pass has been applied for successfully;
receiving a blockchain ledger query request sent by the service device, wherein the blockchain ledger query request comprises an identifier of the first application program and an identifier of the first terminal, and the blockchain ledger query request is used for requesting to acquire the first pass;
acquiring the first pass from the pass application ledger based on the identifier of the first application program and the identifier of the first terminal;
and sending a blockchain ledger query response to the service device, wherein the blockchain ledger query response comprises the first pass.
4. A data processing apparatus, comprising: the device comprises an acquisition module, a processing module and a sending module;
the acquiring module is configured to acquire original data, a first pass, a second pass and a first key, where the first pass is a pass sent by a trusted execution device, the second pass is a pass sent by a service device, the first key is a key sent by the trusted execution device, the first pass is a pass corresponding to both an identifier of a first application program and an identifier of a first terminal, and the second pass is a pass queried and acquired by the service device from a blockchain device;
the processing module is used for encrypting a first private key based on the first key under the condition that the first pass is the same as the second pass, and generating a second private key, wherein the first private key is a private key stored by the first terminal;
the processing module is further configured to decrypt a second private key based on a second key to obtain the first private key, where the second key is a symmetric key of the first key;
the processing module is further used for generating a target digital signature based on the original data, a preset hash algorithm and the first private key;
the sending module is configured to send a target data set to a service device, where the target data set includes the original data and the target digital signature.
5. The data processing apparatus according to claim 4, wherein,
the processing module is specifically configured to generate a first digest based on the original data and the preset hash algorithm;
the processing module is specifically further configured to generate the target digital signature based on the first digest and the first private key.
6. A data processing apparatus, comprising: the device comprises a receiving module, a sending module, a storage module and an acquisition module;
the receiving module is used for receiving a pass application request sent by a service device, wherein the pass application request comprises an identifier of a first application program and an identifier of a first terminal, and the pass application request is used for applying for a pass corresponding to both the identifier of the first application program and the identifier of the first terminal;
the sending module is used for sending the pass application request to a trusted execution device;
the receiving module is further configured to receive a pass application response sent by the trusted execution device, where the pass application response includes a first pass, and the first pass is a pass corresponding to both the identifier of the first application program and the identifier of the first terminal;
the storage module is used for storing the identifier of the first application program, the identifier of the first terminal and the first pass into a pass application ledger;
the sending module is further configured to send an application success notification message to the service device, where the application success notification message is used to notify the service device that the first pass has been applied for successfully;
the receiving module is further configured to receive a blockchain ledger query request sent by the service device, where the blockchain ledger query request includes an identifier of the first application program and an identifier of the first terminal, and the blockchain ledger query request is used to request to obtain the first pass;
the acquisition module is used for acquiring the first pass from the pass application ledger based on the identifier of the first application program and the identifier of the first terminal;
the sending module is further configured to send a blockchain ledger query response to the service device, where the blockchain ledger query response includes the first pass.
7. A terminal, the terminal comprising:
a processor;
a memory configured to store the processor-executable instructions;
wherein the processor is configured to execute the instructions to implement the data processing method of claim 1 or 2.
8. A server, the server comprising:
a processor;
a memory configured to store the processor-executable instructions;
wherein the processor is configured to execute the instructions to implement the data processing method of claim 3.
9. A computer readable storage medium having instructions stored thereon, which, when executed by a device, cause the device to perform the data processing method of claim 1 or 2 or the data processing method of claim 3.
CN202111340259.7A 2021-11-12 2021-11-12 Data processing method, device, equipment and storage medium Active CN114124494B (en)

Publications (2)

Publication Number Publication Date
CN114124494A CN114124494A (en) 2022-03-01
CN114124494B true CN114124494B (en) 2023-06-30

Family

ID=80378962

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant