CN115640589A - Security protection equipment, service execution method, device and storage medium

Info

Publication number: CN115640589A
Application number: CN202211080913.XA
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 孟飞
Current Assignee: AlipayCom Co ltd
Original Assignee: AlipayCom Co ltd
Prior art keywords: service, memory, data, protection device, sensitive data
Classification: Storage Device Security (AREA)

Abstract

The present specification discloses a security protection device, a service execution method, an apparatus and a storage medium. The security protection device is deployed in a wearable device and is connected to the main control chip of the wearable device through a designated pin. When a service client needs to execute a service, the processor of the security protection device receives a service request that is generated by the service client and sent through the main control chip, determines the sensitive data needed to execute the service according to the service request, runs the service code pre-solidified in the memory of the security protection device, and executes the service according to the sensitive data and the service data in the service request. The security protection device provides the wearable device with an environment for executing services securely, which improves the security of the code and sensitive data of the service client in the wearable device. Because the security protection device can be deployed in the wearable device as a ready-made component, it also reduces the development cost that the wearable device producer incurs for protecting code and data.

Description

Security protection equipment, service execution method, device and storage medium
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a security protection device, a method and an apparatus for executing a service, and a storage medium.
Background
People are increasingly concerned about private data, and wearable devices are widely used in daily life. How to ensure that sensitive data of a service client in a wearable device is not leaked while the wearable device is used to execute services has therefore become one of the problems to be solved. The sensitive data may include personal privacy data, enterprise sensitive data, and the like.
Based on this, the present specification provides a security protection device for securing a wearable device.
Disclosure of Invention
The present specification provides a security protection device, a service execution method, a device and a storage medium, to partially solve the above problems in the prior art.
The technical solution adopted by the specification is as follows:
The present specification provides a security protection device. The security protection device 103 is deployed in a wearable device and is connected to a main control chip 100 of the wearable device through a designated pin. The security protection device 103 includes at least a processor 101 and a memory 102, wherein:
the memory 102 is pre-solidified with a part of the service code for executing the service and the sensitive data required for running that part of the service code;
the processor 101 is configured to: receive a service request that carries service data and is sent by the main control chip 100 through the designated pin, where the service request is generated by a service client installed in the wearable device and used for executing the service; acquire the sensitive data and the part of the service code from the memory 102 according to the service request; run the part of the service code to execute the service according to the service data and the sensitive data and obtain a service execution result; and return the service execution result to the main control chip 100 through the designated pin, so that the service client continues to execute the service based on the service execution result.
The present specification provides a service execution method, which is applied to a security protection device, where the security protection device is deployed in a wearable device, the security protection device is connected to a main control chip of the wearable device through a designated pin, and a part of the service code of a service client and the sensitive data required for running that part of the service code are pre-solidified in the security protection device; the method comprises the following steps:
receiving a service request that carries service data and is sent by the main control chip of the wearable device through the designated pin;
acquiring, from the pre-solidified data and according to the service request, the sensitive data and the part of the service code required for executing the service;
running the part of the service code, executing the service according to the service data and the sensitive data, and determining a service execution result;
and returning the service execution result to the main control chip through the designated pin.
The present specification provides a service execution apparatus. The service execution apparatus is applied to a security protection device, where the security protection device is deployed in a wearable device, the security protection device is connected to a main control chip of the wearable device through a designated pin, and a part of the service code of a service client and the sensitive data required for running that part of the service code are pre-solidified in the security protection device; the apparatus comprises:
a receiving module, used for receiving a service request that carries service data and is sent by the main control chip of the wearable device through the designated pin;
an acquisition module, used for acquiring, from the pre-solidified data and according to the service request, the sensitive data and the part of the service code required for executing the service;
an execution module, used for running the part of the service code, executing the service according to the service data and the sensitive data, and determining a service execution result;
and a return module, used for returning the service execution result to the main control chip through the designated pin.
The present specification provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the above-described service execution method.
The technical scheme adopted by the specification can achieve the following beneficial effects:
The security protection device is deployed in the wearable device and is connected to the main control chip through a designated pin. When a service client needs to execute a service, the processor of the security protection device receives a service request that is generated by the service client and sent through the main control chip, determines the sensitive data needed to execute the service according to the service request, runs the service code pre-solidified in the memory of the security protection device, and executes the service according to the sensitive data and the service data in the service request.
The security protection device provides the wearable device with an environment for executing services securely and improves the security of the code and sensitive data of the service client in the wearable device. By providing a security protection device that can be deployed in the wearable device, it also reduces the development cost that the wearable device producer incurs for protecting code and data.
Drawings
The accompanying drawings, which are included to provide a further understanding of the specification and are incorporated in and constitute a part of this specification, illustrate embodiments of the specification and, together with the description, serve to explain the specification without limiting it. In the drawings:
Fig. 1 is a schematic structural diagram of a security protection device provided in the present specification;
Fig. 2 is a schematic structural diagram of a security protection device provided in the present specification;
Fig. 3 is a schematic structural diagram of a security protection device provided in the present specification;
Fig. 4 is a schematic flow chart of a service execution method provided in the present specification;
Fig. 5 is a schematic illustration of a business process for performing payment as provided herein;
Fig. 6 is a schematic structural diagram of a service execution apparatus provided in this specification.
Detailed Description
In order to make the objects, technical solutions and advantages of the present disclosure clearer, the technical solutions of the present disclosure will be clearly and completely described below with reference to the specific embodiments of the present disclosure and the accompanying drawings. It is to be understood that the embodiments described are only some of the embodiments of the present disclosure, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present specification without any creative effort belong to the protection scope of the present specification.
The technical solutions provided by the embodiments of the present description are described in detail below with reference to the accompanying drawings. The embodiment of the present specification will execute a corresponding service based on a security protection device.
Fig. 1 is a schematic structural diagram of a security protection device provided in this specification. The security protection device 103 can be deployed in a wearable device to provide an environment for secure service execution to the service client installed in the wearable device. By deploying the security protection device 103, the wearable device gains the capability of executing services securely without its own hardware having to provide a secure environment, which reduces the cost of implementing secure service execution in the wearable device.
In one or more embodiments provided in this specification, the security protection device 103 may be connected to the main control chip 100 of the wearable device through a designated pin. Specifically, the security protection device 103 may be disposed on the motherboard where the main control chip 100 is located, and the designated pin of the security protection device is connected to a pin of the main control chip 100 through a circuit on the motherboard. Moreover, the security protection device 103 comprises at least a processor 101 and a memory 102.
Specifically, the memory 102 is pre-solidified with a part of the service code for executing a service and the sensitive data required for running that part of the service code, where the part of the service code is a part of the service code of a service client installed in the wearable device for executing the service. The service client is an application that needs to execute at least some of its service steps in a secure environment. For example, when a service based on user biometrics is executed, the user's biometric features are sensitive data, so the service steps that process user biometrics need to be executed in the secure environment. For a service step that needs to be executed in the secure environment, the part of the service code in the service client that implements that step may be pre-solidified in the memory 102.
Similarly, the service execution process may also involve service steps such as service authentication, application authentication and device authentication, and such service steps may need corresponding sensitive data in order to be executed, so the memory 102 may also be pre-solidified with the sensitive data required for running the part of the service code. Of course, which data is sensitive data and which data needs to be pre-solidified in the memory 102 may be set as required, and this specification does not limit this. For example, if the security protection device 103 is provided for a bracelet that can only support fingerprint recognition, the sensitive data may include only the model parameters of the fingerprint recognition model used when executing a service.
That is, in one or more embodiments of the present disclosure, the memory 102 may be pre-solidified with the code that needs to be run in the security protection device 103 and the data needed to run that code to perform a service.
When the service client installed in the wearable device executes a service step, which requires execution of a pre-solidified part of the service code in the memory 102, the service client may generate a service request, and the service request is sent to the processor 101 of the security protection device 103 through a specified pin by the main control chip 100 of the wearable device. Of course, the service request may also carry service data, for example, order information in the payment request, a face image in the face verification request, and the like. Since the service data carried by different service requests are different and are manually set according to service needs, the specification does not limit what kind of data the service data is.
After receiving a service request carrying service data sent by the main control chip 100 through a designated pin, the processor 101 may obtain sensitive data and a part of service codes from the memory 102 according to the service request. Then, the service can be executed according to the service data and the sensitive data by running the part of the service code, and a service execution result is obtained. Finally, the service execution result is returned to the main control chip 100 through the designated pin, so that the service client can continue to execute the service based on the service execution result.
Take as an example the case where the service to be executed by the service client is a payment service. Assume that the payment service needs to execute the service code for identity verification stored in the memory 102, and that the memory 102 also stores the biometric information of the user (e.g., fingerprint, heart rate, etc.). If the wearable device is a bracelet, the service client installed in the bracelet can generate a service request carrying service data, where the service data can be the acquired user biometric information.
The main control chip 100 in the bracelet can send the service request to the processor 101 through the designated pin, and the processor 101 obtains from the memory 102 both the service code that performs authentication based on user biometric information and the user biometric information pre-stored in the memory 102. After acquiring the authentication service code and the pre-stored user biometric information, the processor 101 may run that service code to perform authentication according to the pre-stored user biometric information and the service data. After obtaining the authentication result, the processor 101 may return the authentication result to the main control chip 100 through the designated pin, and the service client continues to execute the payment service according to the received authentication result.
The processor 101 may be a chip configured to receive a service request, execute the service corresponding to the service request, and return a service execution result. The chip may be a Microcontroller Unit (MCU), a Field Programmable Gate Array (FPGA) chip, a Complex Programmable Logic Device (CPLD) chip, or the like.
The memory 102 may be a device in which data is solidified in advance and which sends the data to the processor 101 when the processor 101 needs it. The device may be a flash memory chip, a read-only memory (ROM) chip, or the like.
The sensitive data required for running the service code can be personal privacy data of the user, enterprise sensitive data, and the like. For example, the personal privacy data may be the user's identification number, and the enterprise sensitive data may be service code developed by the enterprise, the logic by which the service client executes the service, and the like.
In one or more embodiments provided in this specification, the security protection device 103 can protect the sensitive data of the service application corresponding to a service client on the following basis: the memory 102 stores a part of the service code for executing a service and the sensitive data required for running that part of the service code, a service client is installed in the wearable device, and at least part of the code in the memory 102 can be combined with the code corresponding to the service client in the wearable device to execute the service.
That is, in this specification, the program required by the service client to execute the service is divided into two parts. One part has a lower security level, or only provides the entry point for executing the service; this is the code corresponding to the service client, and it is installed in the part of the wearable device outside the security protection device 103. The other part has a higher security level, or actually carries out the service; this is the at least partial service code used to execute the service, which is pre-solidified in the memory 102 together with the sensitive data needed to run it.
Therefore, when the service client needs to call the part of the service code stored in the memory 102 to execute a service, it can send a service request to the processor 101, and the processor 101 executes the service corresponding to the received service request. This prevents the service code required for executing the service and the sensitive data required for running it from being stolen while the wearable device executes the service through the service client, and protects the information security of the part of the service code stored in the memory 102 and of the sensitive data required for executing it.
Based on the security protection device shown in Fig. 1, the security protection device is deployed in a wearable device and connected to the main control chip through a designated pin. When a service client needs to execute a service, the processor of the security protection device receives a service request generated by the service client and sent through the main control chip, determines the sensitive data required for executing the service according to the service request, then runs the service code pre-solidified in the memory of the security protection device, and executes the service according to the sensitive data and the service data in the service request. The security protection device provides the wearable device with an environment for executing services securely and improves the security of the code and sensitive data of the service client in the wearable device. By providing a security protection device that can be deployed in the wearable device, it also reduces the development cost that the wearable device producer incurs for protecting code and data.
Further, a third party might change the data stored in the memory 102 of the security protection device 103 during the period between the end of production of the wearable device in which it is deployed and the use of that wearable device by the user. To avoid this, when the security protection device 103 is produced, its producer may solidify at least part of the service code and the sensitive data required for running that part of the service code into the memory 102 of the security protection device 103 by burning. This prevents a third party from harming the user by changing the service code in the memory 102 and further ensures information security.
Furthermore, a third party might disassemble the wearable device and attach a data-reading device to other pins of the security protection device 103 in order to acquire the data stored in it, which would affect the information security of the security protection device 103. To avoid this, in this specification the security protection device 103 may also disable all pins other than the designated pin. That is, the outside world can exchange data with the security protection device 103 through the designated pin and only through the designated pin.
In addition, in this specification, the supplier of the security protection device 103 is different from the producer of the smart wearable device, and therefore only a smart wearable device that the supplier has authorized to use the security protection device 103 is a legitimate device. In actual use, the security protection device 103 may be used in other electronic devices that are not authorized to use it, so that the code and data stored in the memory 102 may be leaked. In this case, the security of the sensitive data of the user using the wearable device cannot be guaranteed. To avoid this situation, the security protection device 103 may execute the corresponding service only after the wearable device has undergone security verification, and according to the result of that verification. At present, an effective method for performing security verification on a wearable device is to bind an account with the wearable device.
Specifically, the service platform to which an account for executing a service belongs may perform security verification on the wearable device through the device serial number of the wearable device, subscription information pre-written during production of the wearable device, and the like, and bind the account with the wearable device after the security verification passes. The part of the service code stored in the security protection device 103 corresponds to the service platform to which the account belongs. For example, the service provider of the service platform to which the account belongs and the service provider of the partial service code may be the same service provider.
The service credential information is obtained when the service client in the wearable device executes a binding service, and the service credential information generally includes device information of the wearable device, vendor information of the wearable device, whether the wearable device is a compliant device, and the like.
The binding service may be a binding between a service client in the wearable device and a service client in a terminal of the user, a binding between the user's account in the service client and the wearable device, or a binding between an account and the service client. The specific type of binding service executed by the service client may be set as required, which is not limited in this specification.
Then, after the wearable device is successfully bound, the wearable device may send service credential information to the processor 101 through the main control chip 100.
The processor 101 may receive the service credential information sent by the main control chip 100 through the designated pin, and send the service credential information to the memory 102, where the memory 102 stores the service credential information.
Then, when the processor 101 receives a service request, it may determine according to the service credential information whether the service request is executable. If so, the processor 101 may continue to execute the service corresponding to the service request; if not, the processor 101 may not execute the service corresponding to the service request.
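The request gate described above, sketched in C as an added example (not code from the patent or its assignee): the processor refuses every request until compliant service credential information has been stored, then runs a pre-solidified handler against sensitive data that stays inside the device and returns only a status. The message layout, status codes, service ID and the exact-match comparison standing in for biometric matching are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration: every name, code and layout here is hypothetical. */
enum status {
    ST_OK = 0,            /* service step succeeded */
    ST_AUTH_FAIL = 1,     /* service data did not match the sensitive data */
    ST_NOT_PERMITTED = 2, /* no credential stored, or device not compliant */
    ST_UNKNOWN_SERVICE = 3,
    ST_BAD_REQUEST = 4
};

#define SVC_VERIFY_IDENTITY 0x01
#define TEMPLATE_LEN 8

/* Model of memory 102. Nothing in this struct is ever copied into a response. */
struct secure_store {
    uint8_t tmpl[TEMPLATE_LEN]; /* pre-solidified sensitive data (constructed) */
    int credential_stored;      /* set once the binding service has completed */
    int device_compliant;       /* taken from the service credential information */
};

/* Request as it arrives from the main control chip over the designated pin. */
struct request {
    uint8_t service_id;
    const uint8_t *data; /* service data, e.g. a freshly captured sample */
    size_t len;
};

/* Compare without an early exit so timing does not reveal the first mismatch. */
static int equal_ct(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Pre-solidified service code: identity verification against the stored template. */
static enum status svc_verify_identity(const struct secure_store *s,
                                       const uint8_t *data, size_t len)
{
    if (len != TEMPLATE_LEN)
        return ST_BAD_REQUEST;
    return equal_ct(s->tmpl, data, TEMPLATE_LEN) ? ST_OK : ST_AUTH_FAIL;
}

typedef enum status (*service_fn)(const struct secure_store *, const uint8_t *, size_t);
static const struct { uint8_t id; service_fn fn; } service_table[] = {
    { SVC_VERIFY_IDENTITY, svc_verify_identity },
};

/* Store the service credential information received after binding. */
void store_credential(struct secure_store *s, int compliant)
{
    s->credential_stored = 1;
    s->device_compliant = compliant;
}

/* Processor 101: gate on the credential, dispatch, return only a status byte. */
uint8_t handle_request(const struct secure_store *s, const struct request *rq)
{
    if (rq == NULL || (rq->len > 0 && rq->data == NULL))
        return ST_BAD_REQUEST;
    if (!s->credential_stored || !s->device_compliant)
        return ST_NOT_PERMITTED;
    for (size_t i = 0; i < sizeof service_table / sizeof service_table[0]; i++)
        if (service_table[i].id == rq->service_id)
            return (uint8_t)service_table[i].fn(s, rq->data, rq->len);
    return ST_UNKNOWN_SERVICE;
}

/* Constructed scenario: `bound` selects whether binding happened first. */
int demo(int bound, int compliant, uint8_t service_id, int sample_matches)
{
    struct secure_store s = { {0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}, 0, 0 };
    uint8_t sample[TEMPLATE_LEN];
    memcpy(sample, s.tmpl, TEMPLATE_LEN);
    if (!sample_matches)
        sample[3] ^= 0x01;
    if (bound)
        store_credential(&s, compliant);
    struct request rq = { service_id, sample, sizeof sample };
    return handle_request(&s, &rq);
}

int main(void)
{
    printf("unbound: %d\n", demo(0, 0, SVC_VERIFY_IDENTITY, 1));
    printf("bound, match: %d\n", demo(1, 1, SVC_VERIFY_IDENTITY, 1));
    printf("bound, mismatch: %d\n", demo(1, 1, SVC_VERIFY_IDENTITY, 0));
    return 0;
}
```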
Furthermore, a third party might disassemble the wearable device and attach a data-reading device to the designated pin of the security protection device 103 in order to acquire the data stored in it, which would affect the information security of the security protection device 103. To avoid this, in this specification the security protection device 103 may further store the data in the memory 102 in encrypted form according to a preset encryption algorithm.
Specifically, the memory 102 may be pre-solidified with an encryption algorithm and a decryption algorithm corresponding to the encryption algorithm.
Then, the processor 101 may obtain the encryption algorithm pre-stored in the memory 102, encrypt at least a part of the service code stored in the memory 102 and sensitive data required for running the part of the service code, and send the encrypted data to the memory 102.
The memory 102 may store the encrypted portion of the service code and the sensitive data required to run the portion of the service code.
The processor 101 may obtain a decryption algorithm from the memory 102 when receiving the service request, decrypt, according to the decryption algorithm, a part of encrypted service codes stored in the memory 102 and sensitive data required for running the part of service codes to obtain the part of service codes and sensitive data required for executing the service, and execute the part of service codes according to the sensitive data required for executing the service to implement execution of the service corresponding to the service request.
In addition, if the service code stored in the memory 102 and the sensitive data required for running the part of the service code are both encrypted, the computing resource and the storage resource required for encrypting and decrypting the service code are relatively large. Based on this, the memory 102 may only encrypt and store the sensitive data required for running the part of the service code, and does not encrypt the service code.
Of course, the memory 102 may also divide each data stored in the memory 102 according to the sensitivity, encrypt the data with higher sensitivity according to a preset encryption algorithm by the processor 101, and store the encryption result in the memory 102. What kind of data in the memory 102 is encrypted may be set according to needs, and this specification does not limit this.
Further, since the service credential information is obtained when the service client executes the binding service, every service for which the service client needs the service code stored in the memory 102 to be run can be executed based on the service credential information. If the service credential information indicates that the wearable device is compliant, the processor 101 may execute the service based on the service credential information; if it indicates that the wearable device is not compliant, the processor 101 may determine, based on the service credential information, that the service execution result corresponding to each service request is an execution failure.
Therefore, when the memory 102 stores sensitive data based on an encryption algorithm and a decryption algorithm, the service credential information may be encrypted by the encryption algorithm and stored, and when the processor 101 receives a service request, the processor obtains the decryption algorithm from the memory 102 and decrypts the encrypted service credential information to execute a service based on the decrypted service credential information.
Further, in order to avoid the leakage of the data stored in the memory 102 due to the theft of the encryption algorithm and the decryption algorithm in the memory 102, in the present specification, the data stored in the memory 102 may also be encrypted or decrypted by the encryption logic circuit 104 and the decryption logic circuit 105.
Specifically, an encryption logic circuit 104 and a decryption logic circuit 105 may be disposed between the processor 101 and the memory 102, so that the processor 101 transmits the sensitive data to be stored to the memory 102 through the encryption logic circuit 104. When the processor 101 needs to retrieve sensitive data stored in the memory 102, the sensitive data is retrieved from the memory 102 through the decryption logic circuit 105, as shown in Fig. 2.
Fig. 2 is a schematic structural diagram of a safety protection device provided in this specification. Where 101 is a processor, 102 is a memory, 104 is an encryption logic circuit, and 105 is a decryption logic circuit. The encryption logic 104 may encrypt the received data and return the encrypted data. The decryption logic 105 is configured to decrypt the received encrypted data and return a decryption result.
Then, the processor 101 may send the service credential information to the encryption logic 104 after receiving the service credential information.
The encryption logic 104 may receive the service credential information and send the encrypted service credential information to the memory 102. The memory 102 may store the encrypted service credential information.
After receiving the service request, the processor 101 may obtain the encrypted service credential information from the memory 102, send the encrypted service credential information to the decryption logic 105, obtain the service credential information output by the decryption logic 105, and execute a service based on the service credential information.
In addition, because of process variation during production, the circuits of individual electronic devices differ slightly, so each electronic device has different circuit characteristics. Therefore, when the wearable device is powered on, its circuit characteristics can be sampled and the encryption parameter corresponding to the wearable device determined from the sampled circuit characteristics; this encryption parameter cannot be obtained by a third party. The encryption parameter may be a key or an encoding rule. The type of the encryption parameter and how data is encrypted based on it may be set as required, which is not limited in this specification.
Therefore, in this specification, in order to further ensure the information security of the sensitive data stored in the security protection device 103, the memory 102 in the security protection device 103 may further be provided with a Physically Unclonable Function (PUF) memory. That is, the encryption parameter is determined by the above steps, and the sensitive data is encrypted based on the encryption parameter.
Specifically, the memory 102 may determine a circuit signal characteristic of the memory 102 itself when the wearable device is powered on for the first time, and determine the encryption parameter based on the determined circuit signal characteristic.
After determining the encryption parameters, the memory 102 may encrypt a part of the service code and the sensitive data according to the determined encryption parameters, and solidify the encryption result in the memory 102.
Thus, during each subsequent power-up of the wearable device, the memory 102 determines the circuit signal characteristics of the memory 102 itself, and determines the encryption parameters based on the determined circuit signal characteristics.
The processor 101 may obtain the encryption parameter from the memory 102 after receiving the service request, determine the decryption parameter corresponding to the encryption parameter, and decrypt the data stored in the memory 102 based on the decryption parameter to determine the sensitive data and the service code required for executing the service.
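An added C simulation, not code from the patent, of regenerating the encryption parameter at every power-up instead of storing it. Raw reads of PUF cells differ slightly from one power-up to the next, so the sketch stabilises them by majority voting over several reads; the cell model, the deterministic noise pattern and all names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define PUF_CELLS 64u  /* one key bit per cell */
#define VOTES     5u   /* odd number of raw reads per power-up */

/* Constructed model: each cell has a power-up value fixed by process variation. */
struct puf_device { uint8_t preferred[PUF_CELLS]; };

static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* "Manufacture" a device: process_seed (non-zero) stands in for process variation. */
void puf_manufacture(struct puf_device *d, uint32_t process_seed)
{
    uint32_t s = process_seed, word = 0;
    for (unsigned i = 0; i < PUF_CELLS; i++) {
        if (i % 32u == 0u) word = xorshift32(&s);
        d->preferred[i] = (uint8_t)((word >> (i % 32u)) & 1u);
    }
}

/* One raw read. The noise is a constructed deterministic pattern so the
 * example is reproducible: within one power-up a given cell is flipped in
 * at most one of the VOTES reads. */
void puf_raw_read(const struct puf_device *d, unsigned boot, unsigned read,
                  uint8_t out[PUF_CELLS])
{
    for (unsigned i = 0; i < PUF_CELLS; i++) {
        unsigned flipped = ((5u * i + 7u * read + 3u * boot) % 11u) == 0u;
        out[i] = (uint8_t)(d->preferred[i] ^ flipped);
    }
}

/* Regenerate the key by majority vote over VOTES raw reads. Nothing is stored. */
uint64_t puf_key(const struct puf_device *d, unsigned boot)
{
    unsigned ones[PUF_CELLS] = { 0 };
    uint8_t raw[PUF_CELLS];
    uint64_t key = 0;
    for (unsigned r = 0; r < VOTES; r++) {
        puf_raw_read(d, boot, r, raw);
        for (unsigned i = 0; i < PUF_CELLS; i++) ones[i] += raw[i];
    }
    for (unsigned i = 0; i < PUF_CELLS; i++)
        if (2u * ones[i] > VOTES) key |= (uint64_t)1 << i;
    return key;
}

/* Key a device with the given process seed derives at power-up number boot. */
uint64_t demo_key(uint32_t process_seed, unsigned boot)
{
    struct puf_device d;
    puf_manufacture(&d, process_seed);
    return puf_key(&d, boot);
}

/* Hamming distance between the first raw reads of two power-ups. */
unsigned demo_raw_distance(uint32_t process_seed, unsigned boot_a, unsigned boot_b)
{
    struct puf_device d;
    uint8_t a[PUF_CELLS], b[PUF_CELLS];
    unsigned dist = 0;
    puf_manufacture(&d, process_seed);
    puf_raw_read(&d, boot_a, 0, a);
    puf_raw_read(&d, boot_b, 0, b);
    for (unsigned i = 0; i < PUF_CELLS; i++) dist += (unsigned)(a[i] != b[i]);
    return dist;
}

int main(void)
{
    printf("raw reads differ in %u cells\n", demo_raw_distance(0xC0FFEEu, 0, 1));
    printf("boot 0 key   %016llx\n", (unsigned long long)demo_key(0xC0FFEEu, 0));
    printf("boot 1 key   %016llx\n", (unsigned long long)demo_key(0xC0FFEEu, 1));
    printf("other device %016llx\n", (unsigned long long)demo_key(0xBADC0DEu, 0));
    return 0;
}
```

Production PUF designs typically pair the response with error-correcting helper data rather than relying on voting alone.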
Further, while the processor 101 runs the service code, intermediate data may need to be stored. The intermediate data has no specific physical meaning, but it is needed when the service code subsequently runs. If each piece of intermediate data were encrypted when it is generated and decrypted whenever it is needed to execute the service code, the demand on computing resources and storage resources would be high.
Therefore, an execution memory 106 for storing intermediate data may also be provided in the security protection device.
In particular, the memory 102 in the security protection device may be arranged as an execution memory 106 for storing intermediate data generated by the processor 101, and a secure memory 107 for storing part of the service code and the sensitive data required for running the service code.
After the processor 101 receives the service request, the service code and the privacy data required for executing the service can be obtained from the secure memory 107.
During the execution of the service code by the processor 101, the generated intermediate data may be sent to the execution memory 106, and when the intermediate data is needed for executing the service code, the corresponding intermediate data may be obtained from the execution memory 106.
The execution memory 106 stores the intermediate data and does not need to encrypt it when doing so.
When the secure memory 107 stores the service code and the sensitive data required for running the service program, at least one of the above-mentioned technical means of encrypting the data by the encryption algorithm, encrypting the data by the encryption logic circuit 104, and encrypting the data by the PUF technology may be adopted.
Furthermore, in order to ensure the information security of the data stored in the memory 102, the secure memory 107 may be a secure Flash memory.
In particular, the secure Flash memory allows only the code of a specified application to access it.
Thus, a part of the service code and the sensitive data may be solidified in advance in the secure memory 107, and the code of the specified application may be stored in advance in the execution memory 106.
The processor 101 may retrieve the code of the specified application from the execution memory 106 after receiving the service request, execute the code of the specified application according to the service request, and send an acquisition request to the secure memory 107 through the code of the specified application.
The secure memory 107 may receive the acquisition request and determine, according to the application identifier carried in the acquisition request, whether the request was sent by the specified application. If yes, the secure memory 107 may respond to the acquisition request by sending to the processor 101 the part of the service code and the sensitive data that the specified application needs to acquire. If not, the secure memory 107 may not respond to the acquisition request.
Then, the processor 101 may execute a corresponding service according to the acquired part of the service code sent by the secure memory 107 and the sensitive data required for executing the service, as shown in Fig. 3.
Fig. 3 is a schematic structural diagram of a security protection device provided in this specification, in which 101 is a processor, 106 is a secure memory, and 107 is an execution memory. The processor 101 may obtain the service code and the sensitive data required for executing the service from the secure memory 106, execute the service code in the processor 101, and store the generated intermediate data in the execution memory 107.
Alternatively, the processor 101 may obtain the code corresponding to the specified application from the execution memory 107, execute the code of the specified application in the processor 101, call the service code stored in the secure storage 106 and the sensitive data required for executing the service through the thread corresponding to the code of the specified application, execute the service code in the processor 101, and store the generated intermediate data in the execution memory 107.
In addition, in this specification, in order to further ensure the information security of the data stored in the memory 102, the security protection device 103 may further divide the memory 102 into a normal storage space and a secure storage space, execute a service according to the data stored in the normal storage space when a service request is not received, and execute the service according to the data stored in the secure storage space after the service request is received. The secure storage space is used for providing a Trusted Execution Environment (TEE), and storing part of service codes and sensitive data.
Specifically, the processor 101 may switch itself to the secure state after receiving the service request. In the secure state, the processor 101 may allocate a thread for executing the service according to the service request, and obtain data from the secure storage space of the memory 102 through the thread.
The memory 102 may determine whether the processor 101 is in a secure state when the thread invokes the data stored in the secure storage space, and if so, the memory 102 may send a part of the service code and the sensitive data in the secure storage space to the processor 101 through the thread. If not, the memory 102 may not allow the thread to make calls to the data in the secure memory space.
The processor 101 may run the obtained part of the service code in the trusted execution environment to execute the service corresponding to the service request according to the service data and the sensitive data, and return the service execution result to the main control chip 100.
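The two access checks described above (the application identifier checked by the secure memory, and the processor's secure state checked before data in the secure storage space is released), combined in one C sketch. This is an added example, not code from the patent; every name, the identifier value and the memory contents are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this models the checks, not a real part. */
enum sm_status { SM_OK = 0, SM_DENIED = -1, SM_BAD_RANGE = -2 };
enum cpu_state { CPU_NORMAL = 0, CPU_SECURE = 1 };

#define SPECIFIED_APP_ID 0x5A17u  /* constructed identifier of the specified application */
#define SECURE_SIZE      16u

struct secure_memory {
    uint8_t  cells[SECURE_SIZE];  /* stands in for pre-cured code and sensitive data */
    unsigned denied;              /* count of refused requests, kept for audit */
};

struct fetch_request {
    uint16_t       app_id;  /* application identifier carried in the request */
    enum cpu_state state;   /* processor state when the thread made the call */
    size_t         offset;
    size_t         len;
};

/* Copy len bytes to out only if both gates pass. A refused request gets one
 * uniform status and leaves out untouched, so the caller cannot tell which
 * check failed or whether the requested range was valid. */
int secure_fetch(struct secure_memory *sm, const struct fetch_request *rq,
                 uint8_t *out, size_t out_cap)
{
    if (rq->app_id != SPECIFIED_APP_ID || rq->state != CPU_SECURE) {
        sm->denied++;
        return SM_DENIED;
    }
    /* Written so that offset + len cannot wrap around. */
    if (rq->offset > SECURE_SIZE || rq->len > SECURE_SIZE - rq->offset ||
        rq->len > out_cap)
        return SM_BAD_RANGE;
    memcpy(out, sm->cells + rq->offset, rq->len);
    return SM_OK;
}

/* Constructed memory contents and a small driver for the checks. */
static struct secure_memory g_mem = {
    .cells = { 'c','o','n','s','t','r','u','c','t','e','d','-','d','a','t','a' },
    .denied = 0
};
static uint8_t g_out[SECURE_SIZE];

/* Run one request against the constructed memory and return its status. */
int demo_fetch(uint16_t app_id, enum cpu_state state, size_t offset, size_t len)
{
    struct fetch_request rq = { app_id, state, offset, len };
    memset(g_out, 0, sizeof g_out);
    return secure_fetch(&g_mem, &rq, g_out, sizeof g_out);
}

unsigned demo_denied(void) { return g_mem.denied; }
const uint8_t *demo_out(void) { return g_out; }

int main(void)
{
    printf("specified app, secure state: %d\n", demo_fetch(0x5A17, CPU_SECURE, 0, 11));
    printf("other app, secure state:     %d\n", demo_fetch(0x1234, CPU_SECURE, 0, 11));
    printf("specified app, normal state: %d\n", demo_fetch(0x5A17, CPU_NORMAL, 0, 11));
    printf("refused so far:              %u\n", demo_denied());
    return 0;
}
```

In this sketch the identifier and state are plain request fields; the checks are only as strong as the mechanism that sets them, so they are assumed to come from hardware rather than from the caller.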
Further, in this specification, in order to prevent a third party from attaching an external device to a pin of the security protection device 103 to obtain data in the security protection device 103, the security protection device 103 and the main control chip 100 may be packaged in the same physical chip when the security protection device 103 is produced.
Based on the same idea, the present specification further provides a schematic flow diagram of a service execution method, which is specifically shown in fig. 4.
Fig. 4 is a schematic flowchart of a service execution method provided in this specification, where the service execution method is applied to a security protection device, the security protection device is deployed in a wearable device, the security protection device is connected to a main control chip of the wearable device through a designated pin, and a part of service codes of a service client and sensitive data required for running the part of service codes are pre-cured in the security protection device; wherein:
S200: Receive a service request carrying service data, sent by the main control chip of the wearable device through the designated pin.
In one or more embodiments of the present description, as illustrated in the security device of fig. 1-3, described above, the security device may be deployed in a wearable device, in which a business client may be installed. And a part of service codes of the service client and sensitive data required by running the part of service codes are pre-solidified in the safety protection device, so that the wearable device can execute services by running the part of service codes and the sensitive data in the safety protection device.
In particular, a service client may generally be used to execute at least one service, and the service execution process may be subdivided into different service steps. For example, taking a client performing a payment service as an example, assume that the service steps of the payment service include: determining order information, determining user information, obtaining payment information input by a user, verifying the identity of the user, verifying the payment information, and returning service information to a server based on a verification result. The processes of obtaining order information, obtaining user information, obtaining payment information and returning service information to the server involve data of low sensitivity, so they can be regarded as non-sensitive service steps. The steps of performing identity verification and payment information verification may be regarded as sensitive service steps because of the verification process involved.
Therefore, according to the different service steps involved in the service, the code of the service client is divided into code for executing sensitive services and code for executing non-sensitive services. Likewise, the data that supports running the code of the different service steps can be divided correspondingly into sensitive data and non-sensitive data. The service client installed in the wearable device may contain the code for executing non-sensitive services, and the wearable device may also store the non-sensitive data; the part of the service code pre-cured in the security protection device may include the code for executing sensitive services, and the pre-cured sensitive data may include the sensitive data required for running that part of the service code.
When the service client in the wearable device executes the service and reaches a sensitive service step, the corresponding code and data are both solidified in the security protection device, so the service client can send a service request to the security protection device through the main control chip of the wearable device. The service request carries service data and is used to invoke the part of the service code solidified in the security protection device and execute the corresponding sensitive service step. After the sensitive service step is executed, the security protection device can return the service execution result to the service client in the wearable device, so that the service client can continue to execute the service.
In one or more embodiments of the present specification, by solidifying a part of a service code related to a sensitive service step into a security protection device, a main control chip of a wearable device cannot acquire a code of the sensitive service step in the service client, so that security isolation of the service client on a code level is achieved. Similarly, since sensitive data is also isolated in the safety protection device, the wearable device cannot acquire the sensitive data, and data safety is protected. The specific function of the service code solidified by the security protection device is not limited in this specification, for example, a code that executes a service and uses an algorithm function, a code that implements service logic, and the like. Taking the model obtained by machine learning as an example, the model parameters are obtained based on the adjustment of the training samples, so the model parameters inevitably carry the characteristics of the training samples, and the training samples belong to private data, so the algorithm function belongs to the code needing isolation protection. Taking the example that the service execution needs to be authenticated based on the user biological characteristics, the part of the service code needs to be matched and authenticated based on the collected biological characteristics to be authenticated and the pre-stored biological characteristics of the user. The biometric of the user needs to be stored in the security device, which obviously belongs to the private data of the user, and needs to be stored separately in the security device.
S202: Acquire, according to the service request, the sensitive data and the part of the service code required for executing the service from the pre-solidified data.
In one or more embodiments of the present specification, after receiving a service request sent by a service client through a main control chip, the security protection device may obtain sensitive data and a part of service codes required for executing a service from pre-solidified data.
Specifically, because a part of service codes stored in the security protection device may be codes for executing a plurality of sensitive service steps, and the sensitive service steps may correspond to part of service flows of one or more services, the security protection device may further determine, based on a service type identifier carried in the service request, which service steps the service request needs to be executed, and obtain a code for executing the determined service steps.
For example, assuming that the security protection device stores a code for performing a biometric authentication step for the service a and a code for performing a service authorization authentication step for the service B, when the security protection device receives a service request carrying an identifier of the service type a, the security protection device may determine the code for the biometric authentication step from a part of the solidified service codes.
Similarly, the sensitive data required for executing different service steps may not be completely the same, and the security protection device may further determine the required sensitive data according to the determined part of the service code that needs to be run. The corresponding relationship between each service step and each sensitive data may also be stored in the security protection device, and after determining the service step to be executed according to the service request, the corresponding sensitive data is determined.
In one or more embodiments of the present specification, since only the service client in the wearable device can send the service request to the security protection device through the designated pin, and other third party clients cannot send the service request to the security protection device, isolation of the part of the service code and the sensitive data is already achieved by setting the security protection device.
Furthermore, in order to increase the security of data isolation in the security protection device, when the security protection device solidifies the part of the service code and the sensitive data, the security protection device may further perform encryption calculation on the code and the sensitive data through a preset encryption algorithm, and then store the encryption result. After receiving the service request, the security protection device can obtain the corresponding encryption result after determining the code and the sensitive data which need to be called, and then decrypt the encryption result according to the decryption algorithm corresponding to the encryption algorithm to obtain the sensitive data and part of the service code which are needed by executing the service.
The encryption algorithm and its corresponding decryption algorithm are also pre-solidified in the security protection device. This specification does not limit which algorithm is adopted; it can be set as required.
Furthermore, since the encryption algorithm and the decryption algorithm are still essentially the codes to be executed, the security protection device is required to execute the encryption algorithm codes to realize encryption, or execute the decryption algorithm codes to realize decryption. To further secure the stored code and the sensitive data, in one or more embodiments of the present disclosure, the security protection device may further include an encryption logic circuit and a decryption logic circuit. When encryption is needed, the encryption logic circuit can obtain the encryption result, and when decryption is needed, the decryption logic circuit can decrypt the data.
With these two approaches, the part of the service code and the sensitive data are stored encrypted and decrypted only when they need to be used, which improves the security of the code and the sensitive data stored in the security protection device and further strengthens data isolation.
In addition, in one or more embodiments of the present description, the part of the service code and the sensitive data may additionally be stored in a secure storage device, which may be, for example, a secure Flash or a PUF memory. The data stored in the secure Flash can be called only through a specified application: when the secure Flash receives a call, it first determines whether the call initiator is the specified application; if not, it does not respond to the call, and if so, it returns the stored part of the service code and the sensitive data based on the call. The PUF memory determines an encryption parameter from the circuit signal characteristics generated in the security protection device at power-on, and stores the part of the service code and the sensitive data. Because manufacturing tolerances are unavoidable in the production of electronic devices, even a third party that builds a hardware architecture identical to that of the security protection device cannot restore the data stored in the PUF memory by collecting the electrical signals in the circuit.
S204: Run the part of the service code, execute the service according to the service data and the sensitive data, and determine a service execution result.
S206: Return the service execution result to the main control chip through the designated pin.
In one or more embodiments of the present specification, after obtaining a part of the service code and the sensitive data, the security protection device may execute a service step according to the service data and the sensitive data by running the code, and return an execution result, which is a service execution result, to the main control chip of the wearable device through the designated pin, so that the service client may continue to execute the service based on the service execution result.
In one or more embodiments in this specification, specific steps of the service execution method may be executed by the security protection device, and for a specific flow, reference may be made to the description of the security protection device, which is not described herein again.
Based on the above-described execution business process, for ease of understanding, this specification provides a schematic diagram of a business process for executing payment, as shown in fig. 5.
S300: The service client executes the payment service, determines the data to be verified, and sends the data to be verified to the security protection device through the designated pin.
Specifically, when the service client installed in the wearable device executes the payment service, it may first determine the data to be verified, which is used to verify the identity of the user, and send that data to the security protection device through the designated pin. Generally, the data to be verified does not need to be securely isolated and can be determined within the environment provided by the wearable device alone, so the service client can obtain it by running its own code through the main control chip.
The service client can generate a service request to be sent to the security protection device based on the acquired data to be verified, so that the security protection device can verify the data to be verified according to the service request and return a verification result.
S302: According to the received service request, the security protection device determines the pre-solidified, encrypted part of the service code of the service client and the certificate storing data used for verification.
After receiving the service request, the security protection device can obtain the encrypted part of the service code and the encrypted user fingerprint characteristics, and obtain the part of the service code and the certificate storing data by running a decryption algorithm. The certificate storing data is used to verify the data to be verified and is therefore the "correct" data, for example, the correct identity information of the user, the certificate information of the service execution, and the like. Encrypting the certificate storing data and storing it in the security protection device therefore improves data security.
Similarly, which service logic the service client adopts in the verification step and how the "verification" is performed are also sensitive information of the service client, so the code implementing this process is also encrypted and stored in the security protection device, which protects the service logic.
S304: The security protection device verifies the data to be verified against the certificate storing data by running the part of the service code.
The security protection device can run the part of the service code, verify whether the data to be verified matches the certificate storing data, and determine a verification result. For example, if the verification process is to verify whether a service client of the wearable device "holds" a credential authorizing execution of the service, the security protection device, by running the part of the service code, may compare the correct credential stored in the security protection device with the credential included in the data to be verified carried in the service request. If the two are consistent, it determines that the service client "has the right" to execute the service; otherwise, it determines that the service client should not execute the service.
S306: Determine a verification result, and return the verification result to the service client through the designated pin.
S308: If the service execution result is that the verification is passed, execute the payment service; if the service execution result is that the verification is not passed, do not execute the payment service.
After the security protection device determines the verification result, it can return the service execution result, which indicates whether the identity verification passed, to the service client of the wearable device through the designated pin.
The service client can then determine whether to continue executing the payment service according to the verification result. If the verification is passed, it can continue to execute the payment service according to the order information. If the verification is not passed, the service client does not execute the payment service.
It can be seen that the part of the service code includes part of the service logic and algorithm code, and the sensitive data can include the biometric features of the user and the similarity threshold.
Taking the payment service process of Fig. 5 as an example, assume that the service client is a client that performs a payment service based on a biometric feature. In step S300, the service client collects the data to be verified through the wearable device. The data to be verified includes a biometric feature of a user; the user may specifically be the user initiating the payment service, and is typically the user wearing the wearable device. For example, the data to be verified may be a facial image of the user, a fingerprint feature of the user, a voiceprint feature of the user, a heart rhythm feature of the user, and so on.
Suppose that in step S300 the service client collects a fingerprint image through the wearable device, takes the fingerprint image as the data to be verified, determines a service request carrying the fingerprint image, and sends the service request to the security protection device through the designated pin.
In steps S302 to S304, the security protection device may, by running the part of the service code, extract the biometric feature to be verified from the data to be verified, then calculate the similarity between the biometric feature to be verified and the pre-solidified biometric feature of the user, and determine a matching result according to the determined similarity and the stored similarity threshold. If the similarity is higher than the preset threshold value, the user identity authentication is passed; if not, it is determined that the user identity authentication is not passed. Then, in step S308, when the service client determines from the received authentication result that the user identity authentication is passed, it may continue to perform the subsequent steps of the payment service, for example, performing payment through the user account according to the order information. When it determines that the user identity authentication is not passed, it may determine that the payment service does not need to be continued.
It can be seen that, in the security protection device, the pre-stored part of the service code at least includes: code for extracting the biometric feature from the data to be verified, and code of an algorithm for calculating the similarity of two different biometric features. In the security protection device, the pre-stored authentication data may include a user biometric feature, a similarity threshold value for determining the authentication result, and the like.
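The S200 to S206 flow for the two sensitive steps this specification uses as examples (biometric matching against a stored similarity threshold, and credential comparison), as an added C example that is not code from the patent. The service type values, feature vectors, threshold and credential are constructed, and the request is assumed to carry an already extracted 8-dimensional feature.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Every identifier and value here is constructed for illustration. */
enum { SVC_A_BIOMETRIC = 0xA, SVC_B_CREDENTIAL = 0xB };  /* service type identifiers */
enum { RES_REJECTED = -1, RES_FAIL = 0, RES_PASS = 1 };  /* the only values returned */
#define FEAT_DIM 8
#define CRED_LEN 8

/* Stand-ins for the pre-cured sensitive data; never copied into a reply. */
static const int8_t  enrolled_feature[FEAT_DIM] = { 90, -40, 25, 70, -15, 60, -80, 35 };
static const int64_t threshold_permille = 900;           /* similarity threshold 0.900 */
static const uint8_t correct_credential[CRED_LEN] =
    { 0x13, 0x57, 0x9B, 0xDF, 0x02, 0x46, 0x8A, 0xCE };

/* Constructed service data a client might send. */
const int8_t  probe_same_user[FEAT_DIM]  = { 88, -42, 27, 68, -13, 62, -78, 33 };
const int8_t  probe_other_user[FEAT_DIM] = { 90, 40, 25, -70, 15, 60, 80, 35 };
const int8_t  probe_zero[FEAT_DIM]       = { 0 };
const uint8_t cred_good[CRED_LEN] = { 0x13, 0x57, 0x9B, 0xDF, 0x02, 0x46, 0x8A, 0xCE };
const uint8_t cred_bad[CRED_LEN]  = { 0x13, 0x57, 0x9B, 0xDF, 0x02, 0x46, 0x8A, 0xCF };

struct service_request {
    int            service_type;  /* service type identifier */
    const uint8_t *data;          /* service data (data to be verified) */
    size_t         len;
};

/* Cosine similarity compared with the threshold in integer arithmetic:
 * cos > t  <=>  dot > 0 and dot^2 * 10^6 > t_permille^2 * |a|^2 * |b|^2 */
static int match_biometric(const uint8_t *data, size_t len)
{
    int64_t dot = 0, na = 0, nb = 0;
    if (len != FEAT_DIM) return RES_REJECTED;
    for (size_t i = 0; i < FEAT_DIM; i++) {
        int64_t a = enrolled_feature[i], b = (int8_t)data[i];
        dot += a * b; na += a * a; nb += b * b;
    }
    if (nb == 0 || dot <= 0) return RES_FAIL;  /* all-zero or opposed vector */
    return (dot * dot * 1000000 > threshold_permille * threshold_permille * na * nb)
               ? RES_PASS : RES_FAIL;
}

/* Compare the presented credential without an early exit on the first mismatch. */
static int check_credential(const uint8_t *data, size_t len)
{
    uint8_t diff = 0;
    if (len != CRED_LEN) return RES_REJECTED;
    for (size_t i = 0; i < CRED_LEN; i++)
        diff |= (uint8_t)(data[i] ^ correct_credential[i]);
    return diff == 0 ? RES_PASS : RES_FAIL;
}

/* Correspondence between service type and the sensitive step to run. */
struct service_entry { int service_type; int (*handler)(const uint8_t *, size_t); };
static const struct service_entry service_table[] = {
    { SVC_A_BIOMETRIC,  match_biometric  },
    { SVC_B_CREDENTIAL, check_credential },
};

/* Receive a request, select the step by service type, run it, return a verdict. */
int execute_service(const struct service_request *rq)
{
    if (rq == NULL || rq->data == NULL) return RES_REJECTED;
    for (size_t i = 0; i < sizeof service_table / sizeof service_table[0]; i++)
        if (service_table[i].service_type == rq->service_type)
            return service_table[i].handler(rq->data, rq->len);
    return RES_REJECTED;  /* unknown service type: nothing is run */
}

/* Build a request from raw service data and return the verdict. */
int demo_request(int service_type, const void *data, size_t len)
{
    struct service_request rq = { service_type, (const uint8_t *)data, len };
    return execute_service(&rq);
}

int main(void)
{
    printf("same user:  %d\n", demo_request(SVC_A_BIOMETRIC, probe_same_user, FEAT_DIM));
    printf("other user: %d\n", demo_request(SVC_A_BIOMETRIC, probe_other_user, FEAT_DIM));
    printf("credential: %d\n", demo_request(SVC_B_CREDENTIAL, cred_good, CRED_LEN));
    return 0;
}
```

Only the verdict crosses the pin; the enrolled feature, the threshold and the correct credential are never part of a reply.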
Based on the same idea, the present specification further provides a structure diagram of a service execution device, which is specifically shown in fig. 6.
Fig. 6 is a schematic structural diagram of a service execution apparatus provided in this specification, where the service execution apparatus is applied to a security protection device, the security protection device is deployed in a wearable device, the security protection device is connected to a main control chip of the wearable device through a designated pin, and a part of service codes of a service client and sensitive data required for running the part of service codes are pre-cured in the security protection device.
A receiving module 400, configured to receive a service request carrying service data sent by the main control chip of the wearable device through the designated pin.
An obtaining module 402, configured to obtain, according to the service request, the sensitive data and the partial service code that are needed to execute the service from the pre-solidified data.
An executing module 404, configured to run the part of the service code, execute the service according to the service data and the sensitive data, and determine a service execution result.
A returning module 406, configured to return the service execution result to the main control chip through the designated pin.
In the 1990s, an improvement in a technology could be clearly distinguished as an improvement in hardware (for example, an improvement in a circuit structure such as a diode, a transistor, or a switch) or an improvement in software (an improvement in a method flow). However, as technology advances, many of today's method flow improvements can be regarded as direct improvements in hardware circuit structure. Designers almost always obtain a corresponding hardware circuit structure by programming an improved method flow into a hardware circuit. Thus, it cannot be said that an improvement in a method flow cannot be realized by hardware physical modules. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose logic functions are determined by the user programming the device. A designer programs a digital system to "integrate" it on a PLD, without requiring a chip manufacturer to design and fabricate an application-specific integrated circuit chip. Furthermore, nowadays, instead of manually making integrated circuit chips, such programming is mostly implemented with "logic compiler" software, which is similar to the software compiler used in program development; the source code to be compiled must also be written in a specific programming language, called a Hardware Description Language (HDL). There is not just one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, and RHDL (Ruby Hardware Description Language); VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog are the most commonly used at present.
It will also be apparent to those skilled in the art that hardware circuitry that implements the logical method flows can be readily obtained by merely slightly programming the method flows into an integrated circuit using the hardware description languages described above.
The controller may be implemented in any suitable manner. For example, the controller may take the form of a microprocessor or processor and a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, or an embedded microcontroller. Examples of controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicon Labs C8051F320. A memory controller may also be implemented as part of the control logic for the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller purely as computer-readable program code, the same functionality can be implemented by logically programming the method steps so that the controller takes the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may thus be considered a hardware component, and the means included therein for performing the various functions may also be considered structures within the hardware component. The means for performing the functions may even be regarded as both software modules implementing the method and structures within the hardware component.
The systems, apparatuses, modules or units described in the above embodiments may be specifically implemented by a computer chip or an entity, or implemented by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, respectively. Of course, the functionality of the various elements may be implemented in the same one or more pieces of software and/or hardware in the practice of this description.
As will be appreciated by one skilled in the art, embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, the description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the description may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The description has been described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the description. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, such as Random Access Memory (RAM), and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include both permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or apparatus comprising the element.
This description may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments in the present specification are described in a progressive manner; the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on its differences from the other embodiments. In particular, since the system embodiment is substantially similar to the method embodiment, its description is relatively brief, and for the relevant points reference may be made to the corresponding part of the description of the method embodiment.
The above description is only an example of the present specification, and is not intended to limit the present specification. Various modifications and alterations to this description will become apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present specification should be included in the scope of the claims of the present specification.

Claims (12)

1. A security protection device, the security protection device (103) being deployed in a wearable device, the security protection device (103) being connected with a main control chip (100) of the wearable device by designated pins, the security protection device (103) comprising at least: a processor (101) and a memory (102); wherein:
the memory (102) is pre-solidified with a part of service code for executing the service and sensitive data required for running the part of service code;
the processor (101) is configured to: receive a service request carrying service data, which is sent by the main control chip (100) through the designated pin, where the service request is generated by a service client installed in the wearable device and used for executing the service; retrieve the sensitive data and the part of the service code from the memory (102) in accordance with the service request; run the part of the service code to execute the service according to the service data and the sensitive data and obtain a service execution result; and return the service execution result to the main control chip (100) through the designated pin, so that the service client continues to execute the service based on the service execution result.
2. The security protection device of claim 1, the portion of the service code and the sensitive data required to run the portion of the service code being solidified in the memory (102) by burning when the security protection device (103) is produced.
3. The security protection device of claim 1, the security protection device (103) disabling the other pins than the designated pin.
4. The security protection device of claim 1, the sensitive data comprising at least: service credential information;
the memory (102) is also pre-solidified with an encryption algorithm and a decryption algorithm corresponding to the encryption algorithm;
the processor (101) is configured to receive the service credential information sent by the main control chip (100) through the designated pin, acquire the encryption algorithm from the memory (102), and encrypt and store the service credential information, where the service credential information is obtained when the service client binds an account for executing the service; and after receiving the service request, acquire the decryption algorithm from the memory (102), decrypt the encrypted and stored service credential information, and execute the service according to the decrypted service credential information.
5. The security protection device of claim 1, the sensitive data comprising at least: service credential information;
the security protection device (103) further comprises: an encryption logic circuit (104) and a decryption logic circuit (105);
the encryption logic circuit (104) is used for encrypting the received data and returning the encrypted data;
the decryption logic circuit (105) is used for decrypting the received encrypted data and returning a decryption result;
the processor (101) is configured to receive service credential information sent by the main control chip (100) through the designated pin, send the service credential information to the encryption logic circuit (104), and send encrypted data returned by the encryption logic circuit (104) to the memory (102) for storage, where the service credential information is obtained when the service client binds an account for executing the service; and after receiving a service request, acquire the encrypted data from the memory (102), send the encrypted data to the decryption logic circuit (105), receive decrypted service credential information returned by the decryption logic circuit (105), and execute a service according to the decrypted service credential information.
6. The security protection device of claim 1, the memory (102) comprising: a running memory (106) and a secure memory (107), the secure memory (107) being a Physically Unclonable Function (PUF) memory;
the running memory (106) is used for storing intermediate data generated by the execution of the service by the processor (101);
the secure memory (107) is used for determining the circuit signal characteristics of the security protection device (103) when the security protection device (103) is powered on, and determining encryption parameters according to the circuit signal characteristics; and encrypting the part of the service code and the sensitive data according to the encryption parameters, and solidifying an encryption result in the secure memory (107).
7. The security protection device of claim 1, the memory (102) comprising: a running memory (106) and a secure memory (107); the secure memory (107) is a secure Flash memory, and the secure memory (107) is pre-solidified with the part of the service code and the sensitive data;
the running memory (106) is used for storing intermediate data generated by the execution of services by the processor (101) and the code of a specified application;
the processor (101) is specifically configured to obtain the code of the specified application from the running memory (106), and execute the code of the specified application according to the service request, so as to call the part of the service code and the sensitive data from the secure memory (107) through the specified application.
8. The security protection device of claim 1, the memory space of the memory (102) being divided into a normal memory space and a secure memory space; the secure storage space is used for providing a trusted execution environment and storing the part of the service code and the sensitive data;
the processor (101) is further configured to switch to a secure state according to the service request, allocate a thread for executing a service according to the service request, and call the portion of the service code and the sensitive data stored in the secure storage space of the memory (102) through the thread; running the part of the service code in the trusted execution environment to execute the service according to the service data and the sensitive data to obtain a service execution result;
the memory (102) is further configured to determine whether a state of the processor (101) is the secure state when the data stored in the secure storage space is called by the thread, and respond to the call made by the processor (101) through the thread if the state of the processor (101) is the secure state.
9. The security protection device of claim 1, the master control chip (100) and the security protection device (103) being packaged within the same physical chip.
10. A service execution method, applied to a security protection device, wherein the security protection device is deployed in a wearable device and is connected with a main control chip of the wearable device through a designated pin, and a part of service code of a service client and sensitive data required by running the part of service code are pre-solidified in the security protection device; the method comprises the following steps:
receiving a service request carrying service data sent by the main control chip of the wearable device through the designated pin;
acquiring the sensitive data and the part of service code required by service execution from the pre-solidified data according to the service request;
running the part of the service code, executing the service according to the service data and the sensitive data, and determining a service execution result;
and returning the service execution result to the main control chip through the designated pin.
11. A service execution apparatus, applied to a security protection device, wherein the security protection device is deployed in a wearable device, the security protection device is connected with a main control chip of the wearable device through a designated pin, and a part of service code of a service client and sensitive data required by running the part of service code are pre-solidified in the security protection device; the apparatus comprises:
the receiving module is used for receiving a service request which is sent by the main control chip of the wearable device through the designated pin and carries service data;
the acquisition module is used for acquiring the sensitive data and the part of service code required by service execution from the pre-solidified data according to the service request;
the execution module is used for running the part of the service code, executing the service according to the service data and the sensitive data and determining a service execution result;
and the return module is used for returning the service execution result to the main control chip through the designated pin.
12. A computer-readable storage medium, in which a computer program is stored which, when being executed by a processor, carries out the method of claim 10.
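A minimal C model of the request path in claims 1, 8 and 10, added here as an illustration and not taken from the patent: the memory serves the secure storage space only while the processor is in the secure state, and only the execution result is returned to the caller. The service itself (comparing the presented service data with a stored credential), all identifiers and the sample credential are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model; every name below is hypothetical, not from the patent. */
enum cpu_state { STATE_NORMAL, STATE_SECURE };
enum status { SVC_OK = 0, SVC_DENIED = -1, SVC_BAD_REQUEST = -2 };

#define CRED_LEN 8
static enum cpu_state g_state = STATE_NORMAL;
/* Secure storage space: a constructed sample credential standing in for
 * the pre-solidified sensitive data. */
static const uint8_t g_secure_space[CRED_LEN] =
    {'s', 'a', 'm', 'p', 'l', 'e', '0', '1'};

/* Memory-side gate (claim 8): answer reads of the secure space only while
 * the processor is in the secure state. */
int secure_mem_read(uint8_t *dst, size_t len)
{
    if (g_state != STATE_SECURE || len > CRED_LEN)
        return SVC_DENIED;
    memcpy(dst, g_secure_space, len);
    return SVC_OK;
}

/* Constant-time comparison: timing does not reveal how many bytes matched. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Clear the working copy; volatile keeps the stores from being optimised out. */
static void wipe(uint8_t *p, size_t n)
{
    volatile uint8_t *vp = p;
    while (n--)
        *vp++ = 0;
}

/* Request handler (claims 1 and 10): service data comes in, and only
 * *result goes back to the main control chip; the credential never does. */
int handle_service_request(const uint8_t *service_data, size_t len, int *result)
{
    uint8_t cred[CRED_LEN];
    int rc;

    if (service_data == NULL || result == NULL || len != CRED_LEN)
        return SVC_BAD_REQUEST;

    g_state = STATE_SECURE;                  /* switch to the secure state */
    rc = secure_mem_read(cred, sizeof cred);
    if (rc == SVC_OK)
        *result = ct_equal(cred, service_data, CRED_LEN);
    wipe(cred, sizeof cred);
    g_state = STATE_NORMAL;                  /* leave the secure state again */
    return rc;
}
```

A direct call to `secure_mem_read` from the normal state is refused, which is the property the memory-side check in claim 8 provides independently of the processor-side code.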
CN202211080913.XA 2022-09-05 2022-09-05 Security protection equipment, service execution method, device and storage medium Pending CN115640589A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211080913.XA CN115640589A (en) 2022-09-05 2022-09-05 Security protection equipment, service execution method, device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211080913.XA CN115640589A (en) 2022-09-05 2022-09-05 Security protection equipment, service execution method, device and storage medium

Publications (1)

Publication Number Publication Date
CN115640589A true CN115640589A (en) 2023-01-24

Family

ID=84939705

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211080913.XA Pending CN115640589A (en) 2022-09-05 2022-09-05 Security protection equipment, service execution method, device and storage medium

Country Status (1)

Country Link
CN (1) CN115640589A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115828171A (en) * 2023-02-13 2023-03-21 支付宝(杭州)信息技术有限公司 Method, device, medium and equipment for cooperatively executing business by end cloud

Similar Documents

Publication Publication Date Title
CN108055132B (en) Method, device and equipment for service authorization
CN107743133B (en) Mobile terminal and access control method and system based on trusted security environment
CN111680305B (en) Data processing method, device and equipment based on block chain
CN110222531B (en) Method, system and equipment for accessing database
US20150012748A1 (en) Method And System For Protecting Data
CN105408912A (en) Process authentication and resource permissions
CN110324358B (en) Video data management and control authentication method, module, equipment and platform
EP3945695B1 (en) Method, apparatus, and device for processing blockchain data
WO2008024559A2 (en) Method and apparatus for authenticating applications to secure services
CN111401901B (en) Authentication method and device of biological payment device, computer device and storage medium
CN109560933B (en) Authentication method and system based on digital certificate, storage medium and electronic equipment
CN113704826A (en) Privacy protection-based business risk detection method, device and equipment
CN112468294B (en) Access method and authentication equipment of vehicle-mounted TBOX
CN113792297A (en) Service processing method, device and equipment
EP4322095A1 (en) Resource transfer
CN110308955B (en) Interface calling method, system and equipment
CN111783071A (en) Password-based and privacy data-based verification method, device, equipment and system
CN109150811B (en) Method and device for realizing trusted session and computing equipment
CN114969784A (en) Model processing method, device and equipment
CN115640589A (en) Security protection equipment, service execution method, device and storage medium
CN111600882A (en) Block chain-based account password management method and device and electronic equipment
CN115603943B (en) Offline identity verification method and device, storage medium and electronic equipment
CN115941336A (en) Data processing method, device and equipment
CN115357929A (en) Image processing method, device and equipment
CN110505295B (en) Unlocking information setting method, device and equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination