CN115640589A - A security protection device, service execution method, device and storage medium - Google Patents

Abstract

The present specification discloses a security protection device, a service execution method, a device and a storage medium, wherein a processor of the security protection device connected with a main control chip through a designated pin is disposed in a wearable device, when a service client needs to execute a service, a service request generated by the service client and sent through the main control chip is received, sensitive data needed for executing the service is determined according to the service request, a service code pre-cured in a memory in the security protection device is operated, and the service is executed according to the sensitive data and the service data in the service request. The safety protection device provides an environment for safely executing the service for the wearable device, so that the safety of codes and sensitive data of a service client in the wearable device is improved, and meanwhile, the development cost of a wearable device producer for the safety protection of the codes and the data is reduced by providing the safety protection device which can be deployed in the wearable device.

Description

A security protection device, service execution method, device and storage medium

technical field

This specification relates to the field of computer technology, and in particular to a security protection device, a service execution method, device, and storage medium.

Background technique

At present, as people pay more and more attention to their own private data and wearable devices are widely used in people's lives, how to ensure that the sensitive data of business clients in wearable devices will not be Leakage has become one of the problems that need to be solved at present. Wherein, the sensitive data may include personal privacy data and enterprise sensitive data.

Based on this, this specification provides a safety protection device for protecting the safety of a wearable device.

Contents of the invention

This specification provides a security protection device, a service execution method, a device, and a storage medium, so as to partially solve the above-mentioned problems existing in the prior art.

This manual adopts the following technical solutions:

This specification provides a security protection device. The security protection device 103 is deployed in a wearable device. The security protection device 103 is connected to the main control chip 100 of the wearable device through designated pins. The security protection device 103 includes at least: a processor 101 and a memory 102; wherein:

The memory 102 is pre-cured with part of the business code used to execute the business and the sensitive data required to run the part of the business code;

The processor 101 is configured to receive a service request carrying service data sent by the main control chip 100 through the designated pin, and the service request is a device installed in the wearable device for executing the service. Generated by the service client; obtain the sensitive data and the part of the service code from the storage 102 according to the service request; run the part of the service code to execute the service according to the service data and the sensitive data , and obtain a service execution result; return the service execution result to the main control chip 100 through the specified pin, so that the service client continues to execute services based on the service execution result.

This specification provides a service execution method, which is applied to a security protection device, the security protection device is deployed in a wearable device, and the security protection device communicates with the main controller of the wearable device through a designated pin Chip connection, part of the business code of the business client and sensitive data required to run the part of the business code are pre-cured in the security protection device; the method includes:

receiving a service request carrying service data sent by the main control chip of the wearable device through the specified pin;

According to the business request, obtain the sensitive data required to execute the business and the part of the business code from the pre-solidified data;

Run the part of the business code, execute the business according to the business data and the sensitive data, and determine the business execution result;

Returning the service execution result to the main control chip through the designated pin.

This manual provides a business execution device,

The service execution device is applied to a security protection device, the security protection device is deployed in a wearable device, the security protection device is connected to the main control chip of the wearable device through a designated pin, and the security protection device Part of the business code of the business client and the sensitive data required to run the part of the business code are pre-cured; the device includes:

A receiving module, configured to receive a service request carrying service data sent by the main control chip of the wearable device through the designated pin;

An acquisition module, configured to acquire the sensitive data required to execute the business and the part of the business code from the pre-cured data according to the business request;

An execution module, configured to run the part of the business code, execute the business according to the business data and the sensitive data, and determine a business execution result;

A return module, configured to return the service execution result to the main control chip through the designated pin.

This specification provides a computer-readable storage medium, the storage medium stores a computer program, and when the computer program is executed by a processor, the above service execution method is realized.

The above-mentioned at least one technical solution adopted in this specification can achieve the following beneficial effects:

By deploying the processor of the security protection device connected to the main control chip in the wearable device through designated pins, when the business client needs to perform business, it receives the service request generated by the business client and sent through the main control chip, and according to The service request determines the sensitive data needed to execute the service, and then runs the pre-solidified service code in the memory of the security protection device, and executes the service according to the sensitive data and the service data in the service request.

The security protection device provides wearable devices with a safe business execution environment, which improves the security of business client codes and sensitive data in wearable devices. At the same time, by providing security protection devices that can be deployed in wearable devices, it reduces the The development cost of wearable device manufacturers for code and data security protection.

Description of drawings

The drawings described here are used to provide a further understanding of this specification and constitute a part of this specification. The schematic embodiments and descriptions of this specification are used to explain this specification and do not constitute an improper limitation of this specification. In the attached picture:

Figure 1 is a schematic structural diagram of the safety protection equipment provided in this manual;

Figure 2 is a schematic structural diagram of the safety protection equipment provided in this manual;

Figure 3 is a schematic structural diagram of the safety protection equipment provided in this manual;

Figure 4 is a schematic flow diagram of the business execution method provided in this specification;

Figure 5 is a schematic diagram of the business process for executing payment provided in this specification;

Fig. 6 is a schematic structural diagram of a service execution device provided in this specification.

Detailed ways

In order to make the purpose, technical solution and advantages of this specification clearer, the technical solution of this specification will be clearly and completely described below in conjunction with specific embodiments of this specification and corresponding drawings. Apparently, the described embodiments are only some of the embodiments in this specification, not all of them. Based on the embodiments in this specification, all other embodiments obtained by persons of ordinary skill in the art without creative efforts fall within the protection scope of this specification.

The technical solutions provided by each embodiment of this specification will be described in detail below in conjunction with the accompanying drawings. The embodiment of this specification will execute corresponding services based on a security protection device.

Fig. 1 is a schematic structural diagram of the safety protection equipment provided in this specification. Wherein, the safety protection device 103 can be deployed in a wearable device. It is used to provide a business client installed in the wearable device with an environment for safely executing business, so that the wearable device itself can realize the ability to safely execute business by deploying the security protection device 103 without hardware providing a secure environment, so as to Reduce the cost required for wearable devices to securely perform business.

In one or more embodiments provided in this specification, the security protection device 103 can specifically be connected to the main control chip 100 of the wearable device through designated pins. Specifically, the security protection device 103 can be deployed on the main board where the main control chip 100 is located, and connect its designated pins with the pins of the main control chip 100 through the lines on the main board. Moreover, the security protection device 103 at least includes: a processor 101 and a memory 102 .

Specifically, the memory 102 is pre-solidified with part of the business code used to execute the business and the sensitive data required to run the part of the business code, wherein the part of the business code is specifically the business customer installed in the wearable device for performing the business Part of the business code on the terminal. The business client is an application that needs to execute at least some business steps in a secure environment. For example, when executing a business based on user biometric features, since user features are sensitive data, the business involves business steps for user biometric processing , for a business step that needs to be executed in a secure environment, the memory 102 may be pre-solidified with a part of the business code that implements the business step in the business client.

Similarly, since the business execution process may also involve business steps such as business verification, application identity verification, and device identity verification, and such business steps need corresponding sensitive data support before they can be executed, the memory 102 can also be pre-installed. Solidified sensitive data required to run some business codes. Of course, which data is sensitive data and which data needs to be pre-cured into the memory 102 can be set according to needs, and this specification does not make a limitation. For example, assuming that the security protection device 103 is used by a wristband that can only support fingerprint identification, then the sensitive data may only include model parameters of the fingerprint identification model used when executing services.

That is to say, in one or more embodiments of the present specification, the memory 102 may be pre-cured with codes that need to be run in the security protection device 103 and data required for running the codes to execute services.

Then when the business client installed in the wearable device needs to execute some business codes pre-cured in the memory 102 to perform business steps, the business client can generate a business request, and the main control chip 100 of the wearable device can pass the specified The pins are sent to the processor 101 of the security protection device 103 . Of course, the service request can also carry service data, for example, order information in the payment request, face image in the face verification request, and so on. Since the service data required to be carried by different service requests is different, and is artificially set according to service needs, this specification does not limit the specific data of the service data.

After the processor 101 receives a service request carrying service data sent by the main control chip 100 through a designated pin, it can obtain sensitive data and part of service codes from the memory 102 according to the service request. Afterwards, by running the part of the business code, the business can be executed according to the business data and the sensitive data, and a business execution result can be obtained. Finally, the service execution result is returned to the main control chip 100 through the designated pin, so that the service client can continue to execute services based on the service execution result.

Taking the business that the business client needs to execute as a payment business as an example, suppose that the payment business needs to execute the business code stored in the memory 102 to perform identity verification, and the memory 102 also stores the user's biological information (such as fingerprints, heart rate, etc.) ). If the wearable device is a bracelet, the service client installed in the bracelet can generate a service request carrying service data, where the service data can be collected user biometric information.

Then the main control chip 100 in the wristband can send the service request to the processor 101 through the designated pin, and the processor 101 can obtain the service code based on the user's biological information for identity verification from the memory 102, and the User biological information pre-stored in the memory 102. Then, after obtaining the service code to be served and the pre-stored user biometric information, the processor 101 may run the identity verification service code to perform identity verification according to the pre-stored user biometric information and service data. After obtaining the identity verification result, the processor 101 can return the identity verification result to the main control chip 100 through a designated pin, and the business client can continue to execute the payment service according to the received identity verification result.

Wherein, the above-mentioned processor 101 may be a chip for receiving a service request, executing the service corresponding to the service request, and returning the service execution result. The chip may be a Microcontroller Unit (Microcontroller Unit, MCU), field programmable Logic gate array (Field Programmable Gate Array, FPGA) chip, complex programmable logic device (Complex Programmable Logic Device, CPLD) chip, etc.

Above-mentioned memory 102 can be that data is solidified in advance, and when processor 101 needs data, the device that data is sent to this processor 101, this device can be flash memory (Flash Eerrom Memory) chip, read only memory (Read Only Memory) ) chip and so on.

The above-mentioned sensitive data required to run the business code can be the user's personal privacy data, and enterprise sensitive data. For example, the user's ID number, the user's ID number, etc., the sensitive data of the enterprise can be the business code developed by the enterprise, the logic of the business client to execute the business, and so on.

In one or more embodiments provided in this specification, the security protection device 103 can protect the sensitive data of the business application corresponding to the business client on the basis that: the memory 102 stores part of the business code for executing the business and the running For the sensitive data required by the part of the service code, a service client is installed in the wearable device, and at least part of the code in the memory 102 can be combined with the code corresponding to the service client in the wearable device to execute the service.

That is to say, in this specification, the program required by the business client to execute the business is divided into two parts, one part is less confidential, or only provides the entrance of business execution, which is the code corresponding to the business client, installed on the wearable In other parts of the device except the security protection device 103. Some of the highly confidential, or specific execution services, are at least part of the service codes used to execute the services and the sensitive data required to run the part of the service codes, which are pre-cured in the memory 102 .

Therefore, when the service client needs to call part of the service code stored in the memory 102 to execute the service, it can send a service request to the processor 101, and the processor 101 executes the service corresponding to the service request according to the received service request, It avoids the situation that the business code required to execute the business and the sensitive data required to run the business code are stolen when the wearable device executes the business through the business client, and protects part of the business code stored in the memory 102 and Information security for sensitive data required to execute that part of the business code.

Based on the security verification device shown in Figure 1, by deploying the processor of the security protection device connected to the main control chip in the wearable device through designated pins, when the business client needs to execute the business, the service client generates and passes The business request sent by the main control chip, and determine the sensitive data required to execute the business according to the business request, and then run the pre-cured business code in the memory of the security protection device, and execute the business according to the sensitive data and the business data in the business request . The security protection device provides wearable devices with a safe business execution environment, which improves the security of business client codes and sensitive data in wearable devices. At the same time, by providing security protection devices that can be deployed in wearable devices, it reduces the The development cost of wearable device manufacturers for code and data security protection.

Further, in order to avoid the deployment of the wearable device with the security protection device 103, in the process from the end of production to the user's use, there is a third party that changes the data stored in the memory 102 of the security protection device 103, and the security protection When the device 103 is produced, the producer of the security protection device 103 can also solidify at least part of the business code and the sensitive data required to run the part of the business code into the memory 102 of the security protection device 103 by burning . In this way, the infringement caused to the user by the third party changing the service code in the memory 102 is avoided, and the information security is further ensured.

Furthermore, in order to prevent a third party from disassembling the wearable device and attaching a device for reading data on other pins of the security protection device 103 to obtain the data stored in the security protection device 103, affecting the The security protects the information security of the device 103 . In this specification, the security protection device 103 can also disable other pins except the specified pins. That is to say, the outside world can and can only transmit data to and from the security protection device 103 through designated pins.

In addition, in this specification, the supplier of the security protection device 103 is different from the manufacturer of the smart wearable device, so only the smart wearable device authorized by the supplier to use the security protection device 103 is a legal device. However, during actual use, it may happen that the security protection device 103 is used on other electronic devices that are not authorized to use the security protection device 103 , resulting in a risk of leakage of codes and data stored in the memory 102 . In this case, the security of the sensitive data of the user using the wearable device cannot be guaranteed. Therefore, in order to avoid the occurrence of the above situation, the safety protection device 103 may also perform corresponding services according to the result of the safety verification after performing safety verification on the wearable device. At present, an effective method for security verification of a wearable device is to bind an account with the wearable device.

Specifically, the business platform to which the account used to execute the business belongs can perform security verification on the wearable device through the device serial number of the wearable device, the contract information written in advance when the wearable device is produced, etc., and when the security After the verification is passed, bind the account with the wearable device. Wherein, some of the service codes stored in the security protection device 103 have a corresponding relationship with the service platform to which the account belongs. For example, the service provider of the business platform to which the account belongs and the service provider of this part of the business code may be the same service provider.

Wherein, the business credential information is obtained when the business client in the wearable device executes the binding service, and the business credential information usually includes the device information of the wearable device, the manufacturer information of the wearable device, the wearable Whether the device is a compliant device and so on.

The binding service may be binding the service client in the wearable device with the service client in the user's terminal, or binding the user's account in the service client with the wearable device, or It can be used to bind the account with the service client, and the specific binding service performed by the above service client can be set according to the needs, which is not limited in this manual.

Therefore, after the binding is successful, the wearable device can send service credential information to the processor 101 through the main control chip 100 .

Then the processor 101 can receive the business credential information sent by the main control chip 100 through a specified pin, and send the business credential information to the memory 102, and the memory 102 stores the business credential information.

Then, when the processor 101 receives a business request, it can judge whether the business request is executable according to the business credential information. If so, the processor 101 can continue to execute the business corresponding to the business request. The processor 101 may not execute the service corresponding to the service request.

Furthermore, in order to prevent a third party from disassembling the wearable device, and attaching a device for reading data on the designated pin of the security protection device 103 to obtain the data stored in the security protection device 103, affecting the The security protects the information security of the device 103 . In this specification, the security protection device 103 can also store the data in the memory 102 according to a preset encryption algorithm.

Specifically, an encryption algorithm and a decryption algorithm corresponding to the encryption algorithm may be pre-cured in the memory 102 .

Therefore, the processor 101 can obtain the encryption algorithm pre-stored in the memory 102, and encrypt at least part of the business code stored in the memory 102 and the sensitive data required to run the part of the business code, and encrypt the encrypted data sent to memory 102.

Then the memory 102 can store the encrypted part of the business code and the sensitive data required to run the part of the business code.

The processor 101 can obtain a decryption algorithm from the memory 102 when receiving a service request, and according to the decryption algorithm, store in the memory 102 the encrypted part of the business code and the sensitive data needed to run the part of the business code. The data is decrypted to obtain the part of the business code and the sensitive data required for executing the business, and execute the part of the business code according to the sensitive data required for executing the business to realize the execution of the business corresponding to the business request.

In addition, if both the business code stored in the memory 102 and the sensitive data required to run this part of the business code are encrypted, the computing resources and storage resources required for encryption and decryption are relatively large. Based on this, the memory 102 can encrypt and store only the sensitive data required to run the part of the business code, without encrypting the business code.

Of course, the memory 102 can also divide the data stored in the memory 102 according to the degree of sensitivity, and the processor 101 encrypts the data with a higher degree of sensitivity according to a preset encryption algorithm, and stores the encryption result in the memory 102 middle. Specifically, what kind of data in the memory 102 is encrypted can be set according to needs, which is not limited in this specification.

Further, since the above-mentioned business credential information is obtained when the business client executes the bound business, therefore, for each business executed by the business client that needs to run the business code stored in the memory 102, it can be based on the above-mentioned business credential information to execute. For example, if the business credential information is that the wearable device is compliant, the processor 101 can execute the business based on the business credential information; It is determined that the business execution result corresponding to each business request is execution failure.

Therefore, when the above-mentioned memory 102 stores sensitive data based on an encryption algorithm and a decryption algorithm, the business credential information can also be encrypted and stored through an encryption algorithm, and when the processor 101 receives a service request, it can be obtained from the memory 102 The decryption algorithm is used to decrypt the encrypted business credential information, so as to execute the business based on the decrypted business credential information.

Furthermore, in order to prevent the data stored in the memory 102 from being leaked due to the encryption algorithm and decryption algorithm in the memory 102 being stolen, in this specification, the encryption logic circuit 104 and the decryption logic circuit 105 can also be used to encrypt the memory. The data stored in 102 is encrypted or decrypted.

Specifically, an encryption logic circuit 104 and a decryption logic circuit 105 may be provided between the processor 101 and the memory 102, so that the processor 101 may send sensitive data that needs to be stored through the encryption logic circuit 104 to to the memory 102. When the processor 101 needs to obtain the sensitive data stored in the memory 102 , the sensitive data is obtained from the memory 102 through the decryption logic circuit 105 . as shown in picture 2.

Fig. 2 is a schematic structural diagram of the safety protection device provided in this specification. Wherein, 101 is a processor, 102 is a memory, 104 is an encryption logic circuit, and 105 is a decryption logic circuit. Wherein, the encryption logic circuit 104 can encrypt the received data and return the encrypted data. The decryption logic circuit 105 is used to decrypt the received encrypted data and return a decryption result.

Therefore, the processor 101 may send the service credential information to the encryption logic circuit 104 after receiving the service credential information.

Then the encryption logic circuit 104 can receive the service credential information, and send the encrypted service credential information to the memory 102 . The storage 102 can store the encrypted service credential information.

After receiving the service request, the processor 101 can obtain the encrypted service credential information from the memory 102, and send the encrypted service credential information to the decryption logic circuit 105 to obtain the output of the decryption logic circuit 105. business credential information, and execute business based on the business credential information.

In addition, in the production process of each electronic device, due to poor craftsmanship in the production process, there will be slight differences between the circuits corresponding to each electronic device, which also makes the circuit characteristics of each electronic device different. Therefore, for the wearable device, when the wearable device is powered on, the circuit characteristics of the wearable device are sampled, and the encryption parameters corresponding to the wearable device are determined based on the circuit characteristics obtained from the sampling results. The encryption parameters Unavailable to third parties. Wherein, the encryption parameter may be a key or an encoding rule. Specifically, the type corresponding to the encryption parameter and how to perform encryption based on the encryption parameter may be set as required, which is not limited in this specification.

Therefore, in this specification, in order to further ensure the information security of the sensitive data stored in the security protection device 103, the memory 102 in the security protection device 103 may also be provided with a physically unclonable (Physically Unclonable Functions, PUF) memory. That is, the encryption parameters are determined using the above steps, and the sensitive data is encrypted based on the encryption parameters,

Specifically, the memory 102 can determine the circuit signal characteristics of the memory 102 itself when the wearable device is powered on for the first time, and determine encryption parameters based on the determined circuit signal characteristics.

Then, after the encryption parameters are determined, the memory 102 can encrypt part of the service codes and sensitive data according to the determined encryption parameters, and store the encryption results in the memory 102 .

Therefore, during each subsequent power-on process of the wearable device, the memory 102 needs to determine the circuit signal characteristics of the memory 102 itself, and determine encryption parameters based on the determined circuit signal characteristics.

After receiving the service request, the processor 101 can obtain the encryption parameter from the memory 102, determine the decryption parameter corresponding to the decryption parameter, and decrypt the data stored in the memory 102 based on the decryption parameter to determine the execution Sensitive data and business code required by the business.

Further, during the process of running the business code by the processor 101, there may also be situations where intermediate data needs to be stored. The intermediate data has no specific physical meaning, but the intermediate data is needed when the business code runs later, and each time an intermediate data is generated, the intermediate data is encrypted, and when the intermediate data is needed to execute the business code, the encrypted Decryption of intermediate data requires high computing and storage resources.

Therefore, a running memory 106 for storing intermediate data may also be provided in the secure processing device.

Specifically, the memory 102 in the secure processing device can be set as the running memory 106 for storing intermediate data generated by the processor 101, and the safety memory 107 for storing part of business codes and sensitive data required to run the business codes.

After the processor 101 receives the service request, it can obtain the service code and private data required for executing the service from the secure memory 107 .

During the execution of the service code by the processor 101, the generated intermediate data can be sent to the running memory 106, and the corresponding intermediate data can be obtained from the running memory 106 when the intermediate data is needed for executing the service code.

The running memory 106 may store the intermediate data, and the running memory 106 may not encrypt the intermediate data when storing the intermediate data.

Wherein, when the secure memory 107 stores the business code and the sensitive data required to run the business program, it can use the encryption algorithm to encrypt the data, the encryption logic circuit 104 to encrypt the data, and the PUF technology to encrypt the data. at least one technical means.

Furthermore, in order to ensure the information security of the data stored in the memory 102, the above-mentioned safe memory 107 can also be set as a secure flash memory.

Specifically, the secure flash memory can only be accessed by codes of specified applications.

Therefore, in the security memory 107, some business codes and sensitive data may be pre-cured, and in the running memory 106, codes of specified applications may be pre-stored.

After receiving the service request, the processor 101 can obtain the code of the specified application from the operating memory 106, and run the code of the specified application according to the service request, and transfer the code of the specified application to the security memory 107. Send a get request.

The secure memory 107 can receive the acquisition request, and judge whether the acquisition request is sent by a specified application according to the application identification carried in the acquisition request. If so, the secure memory 107 may respond to the acquisition request sent by the specified application, and send the part of the service code and sensitive data that the specified application needs to acquire to the processor 101 . If not, the secure storage 107 may not respond to the acquisition request.

Therefore, the processor 101 can execute the corresponding service according to the obtained part of the service code sent by the secure memory 107 and the sensitive data required for executing the service. As shown in Figure 3.

Fig. 3 is a schematic structural diagram of the safety protection device provided in this manual. Wherein, 101 is a processor, 106 is a safety memory, and 107 is a running memory, then the processor 101 can obtain the business code and sensitive data required for executing the business from the safety memory 106, and run the business in the processor 101 code, and store the generated intermediate data in the running memory 107.

Alternatively, the processor 101 may obtain the code corresponding to the specified application from the running memory 107, run the code of the specified application in the processor 101, and then call the code in the secure storage 106 through the thread corresponding to the code of the specified application. Store the business code and the sensitive data required for executing the business, run the business code in the processor 101 , and store the generated intermediate data in the running memory 107 .

In addition, in this specification, in order to further ensure the information security of the data stored in the storage 102, the security protection device 103 can also divide the storage 102 into a common storage space and a safe storage space, and when no service request is received, according to The data stored in the ordinary storage space executes the business, and after receiving the business request, the business is executed according to the data stored in the secure storage space. Among them, the secure storage space is used to provide a trusted execution environment (Trusted Execution Environment, TEE), and store some business codes and sensitive data.

Specifically, the processor 101 may switch itself to a safe state after receiving a service request. In the secure state, the good processor 101 may allocate a thread for executing the service according to the service request, and obtain data from the secure storage space of the memory 102 through the thread.

Then the memory 102 can judge whether the processor 101 is in a safe state when the thread calls the data stored in its own safe storage space, and if so, the memory 102 can combine some business codes in its own safe storage space with the sensitive Data is sent to the processor 101 through the thread. If not, the memory 102 may not allow the thread to call data in the secure storage space.

Then the processor 101 can run the obtained part of the service code in the trusted execution environment to execute the service corresponding to the service request according to the service data and sensitive data, and return the service execution result to the main control chip 100 .

Further, in this specification, in order to prevent third parties from obtaining data in the security protection device 103 by plugging in the pins of the security protection device 103, the security protection device 103 can also be The device 103 and the main control chip 100 are packaged in the same physical chip.

Based on the same idea, this specification also provides a schematic flowchart of a service execution method, as shown in FIG. 4 .

Fig. 4 is a schematic flow diagram of the service execution method provided in this specification, the service execution method is applied to a security protection device, the security protection device is deployed in a wearable device, and the security protection device communicates with the wearable device through a specified pin The main control chip of the wearable device is connected, and part of the business code of the business client and the sensitive data required to run the part of the business code are pre-cured in the security protection device; wherein:

S200: Receive a service request carrying service data sent by the main control chip of the wearable device through the designated pin.

In one or more embodiments of this specification, as shown in the aforementioned security protection device in FIGS. 1 to 3 , the security protection device may be deployed in a wearable device, and a service client may be installed in the wearable device. Part of the business code of the business client and the sensitive data required to run the part of the business code are pre-cured in the security protection device, so that the wearable device can also run the part of the business code and sensitive data in the security protection device. Data, perform business.

Specifically, a business client can generally be used to execute at least one kind of business, and the business execution process can be subdivided into different business steps. For example, taking the client that executes the payment service as an example, it is assumed that the business steps of the payment service may include: determining order information, determining user information, obtaining payment information input by the user, verifying the user's identity, verifying the payment information, sending The server returns business information. Among them, the process of obtaining order information, obtaining user information, obtaining payment information, and returning business information to the server involves low data sensitivity, so it can be regarded as a non-sensitive business step. The steps of identity verification and payment information verification can be regarded as sensitive business steps because of the verification process involved.

Therefore, according to the different business steps involved in the business, the code of the business client can be divided into the code for executing sensitive business and the code for executing non-sensitive business. And the same data that supports the code operation of different business steps can also be divided into sensitive data and non-sensitive data correspondingly. The service client installed in the wearable device may contain codes for executing non-sensitive services, and the wearable device may also store non-sensitive data, while part of the service codes pre-cured in the security protection device may include codes for executing sensitive services, The pre-cured sensitive data may include sensitive data required to run the part of the business code.

Then when the business client in the wearable device executes business, when the sensitive business steps are executed, since the corresponding code and data are solidified in the security protection device, the business client can pass through the wearable device The main control chip of the security protection device sends a service request to the security protection device. The service request carries business data and is used to arouse part of the service code solidified in the security protection device to execute the corresponding sensitive business steps. The security protection device can The business execution result after the execution of sensitive business steps is returned to the business client in the wearable device, so that the business client can continue to execute the business.

In one or more embodiments of this specification, by solidifying some business codes involving sensitive business steps into the security protection device, the main control chip of the wearable device cannot obtain the code of the sensitive business steps in the business client, Realized the security isolation of business clients at the code level. Similarly, since the sensitive data is also isolated in the security protection device, the wearable device cannot be obtained, thus protecting the data security. Among them, the specific function of part of the business code solidified by the security protection device is not limited in this specification, for example, the code that uses the algorithm function to execute the business, the code that realizes the business logic, and so on. Taking the model whose algorithm function is obtained through machine learning as an example, since the model parameters are adjusted based on the training samples, the model parameters inevitably carry the characteristics of the training samples, and the training samples are private data, so the algorithm function is required Code for isolation protection. Taking this business execution as an example that requires identity verification based on the user's biometrics, this part of the business code needs to perform matching verification based on the collected biometrics to be verified and the pre-stored user's biometrics. Then the security protection device needs to store the user's biometric feature, which obviously belongs to the user's private data and needs to be isolated and stored in the security protection device.

S202: According to the service request, obtain the sensitive data required to execute the service and the part of the service code from the pre-cured data.

In one or more embodiments of this specification, after the security protection device receives the service request sent by the service client through the main control chip, it can obtain the sensitive data and some Business code.

Specifically, since part of the business codes stored in the security protection device may be codes for executing multiple sensitive business steps, and these sensitive business steps may correspond to part of business processes of one or more businesses, the security protection device also Based on the service type identifier carried in the service request, it can be determined which business steps need to be executed by the service request, and the code for executing the determined business steps can be obtained.

For example, assuming that the security protection device stores the code for the biometric verification step of A service and the code for the service authority verification step of B service, when the security protection device receives the service request carrying the A service type identification , the security protection device can determine the code of the biometric verification step from part of the solidified business codes.

Similarly, the sensitive data required to execute different business steps may not be exactly the same, so the security protection device can also determine the required sensitive data according to the determined part of the business code that needs to be run. Then the security protection device may also store the corresponding relationship between each business step and each sensitive data, and determine the corresponding sensitive data after determining the business steps to be executed according to the business request.

In one or more embodiments of this specification, only the service client in the wearable device can send a service request to the security protection device through a designated pin, while other third-party clients cannot send services to the security protection device Therefore, the isolation of this part of business code and sensitive data has been realized by setting the security protection device.

Further, in order to increase the security of data isolation in the security protection device, when the security protection device solidifies the part of the business code and sensitive data, the code and sensitive data can also be encrypted and calculated by a preset encryption algorithm, and the Encrypted result storage. After receiving the service request, the security protection device can obtain the corresponding encryption result after determining the code and sensitive data that need to be called, and then decrypt the encryption result according to the decryption algorithm corresponding to the encryption algorithm, and obtain the execution service. required sensitive data and some business codes.

Wherein, the encryption algorithm and its corresponding decryption algorithm are also pre-fixed in the security protection device, and the specific algorithm used is not limited in this description, and can be set as required.

Furthermore, since the encryption algorithm and the decryption algorithm are essentially codes that need to be run, it is necessary for the security protection device to run encryption algorithm codes to implement encryption, or run decryption algorithm codes to implement decryption. In order to further ensure the security of stored codes and sensitive data, in one or more embodiments of this specification, the security protection device may further include an encryption logic circuit and a decryption logic circuit. Then, when encryption is required, the encryption result can be obtained through the encryption logic circuit, and when decryption is required, the data decryption can be performed through the decryption logic circuit.

Through the above two methods, some business codes and sensitive data are encrypted and stored, and then decrypted when needed, which improves the security of the codes and sensitive data stored in the security protection device, and further increases the strength of data isolation.

In addition, in one or more embodiments of this specification, the part of business codes and sensitive data may be additionally stored in a secure storage device, such as secure Flash or PUF memory. Wherein, the data stored in the security Flash can only be called by the specified application, that is, when the security Flash receives the call, it first judges whether the calling initiator is the specified application, if not, it does not respond to the call, and if so, it Part of the business code and sensitive data that will be stored based on the call are returned. The PUF memory uses the circuit signal characteristics generated in the device when the security protection device is powered on to determine the encryption parameters and store some business codes and sensitive data. Due to the inevitable tolerances in the production process of electronic equipment, even if a third party builds a hardware structure that is completely consistent with the security protection equipment, it is impossible to restore the data stored in the PUF memory by collecting electrical signals in the circuit.

S204: Run the part of the service code, execute the service according to the service data and the sensitive data, and determine a service execution result.

S206: Return the service execution result to the main control chip through the specified pin.

In one or more embodiments of this specification, after the security protection device obtains part of the business code and sensitive data, it can execute the business steps according to the business data and sensitive data by running the code, and use the execution result as the business execution result , and return to the main control chip of the wearable device through the specified pin, so that the business client can continue to execute the business based on the business execution result.

In one or more embodiments in this specification, the specific steps of the service execution method may be executed by the above-mentioned security protection device, and the specific process may refer to the above-mentioned description of the security protection device, which will not be repeated in this specification.

Based on the above execution business process, for the convenience of understanding, this manual provides a schematic diagram of the payment execution business process, as shown in FIG. 5 .

S300: The business client executes the payment service, determines the data to be verified, and sends the data to be verified to the security protection device through a designated pin.

Specifically, when the service client installed in the wearable device executes the payment service, it may first determine the data to be verified for verifying the identity of the user. And send the data to be verified to the safety protection device through the designated pin. Usually the data to be verified does not need to be securely isolated, and can only be determined in the environment provided by the wearable device, so the business client can execute the code acquisition of the business client through the main control chip.

The service client can generate a service request to the security protection device based on the acquired data to be verified, so that the security protection device can verify the data to be verified according to the service request and return a verification result.

S302: The security protection device determines, according to the received service request, a part of the service code of the service client that is pre-cured and encrypted and certificate data for verification.

After receiving the service request, the security protection device can obtain the encrypted part of the service code and the encrypted user fingerprint feature. By running the decryption algorithm, part of the business code and certificate data are obtained. The certificate data is used to verify the data to be verified, so it belongs to "correct" data, for example, the correct identity information of the user, the credential information of business execution, and so on. It can be seen that encrypting and storing the certificate data in the security protection device can improve data security.

Similarly, what kind of business logic and how to perform "authentication" are also sensitive information of the business client when the business client performs verification steps, so the code to realize this process is also encrypted and stored in the security protection device , to realize the security protection of business logic.

S304: The security protection device verifies the data to be verified according to the stored evidence data by running the part of the business code.

The security protection device can run the part of the business code to verify whether the data to be verified matches the stored evidence data, and determine the verification result. For example, if the verification process is to verify whether the business client of the wearable device "holds" the certificate authorized to execute the business, then the security protection device runs this part of the business code, and can compare the correct certificate stored by itself with that in the business request. Whether the voucher contained in the data to be verified is consistent, and if it is consistent, it is determined that the service client "has the right" to perform the service, otherwise it is determined that the service client should not perform the service.

S306: Determine the verification result, and return the verification result to the service client through a designated pin.

S308: For the verification result received by the business client, if the business execution result is that the verification is passed, execute the payment service; if the business execution result is that the verification fails, then the payment service is not executed.

After the security protection device determines the verification result, it can return the service execution result of whether the identity verification is passed to the service client of the wearable device through the specified pin.

And the service client can determine whether to continue to execute the payment service according to the result of passing the verification. If the verification is passed, the payment business can continue to be executed according to the order information. Or, if the identity verification fails, the service client does not execute the payment service.

Wherein, it can be seen that the part of the business code includes part of the business logic and algorithm code, and the sensitive data may include the user's biological characteristics and similarity threshold.

Taking the payment business process in FIG. 5 as an example, assuming that the business client is a client that executes the payment business based on biometric features, in step S300 the business client collects the data to be verified by the wearable device. The data to be verified includes the biological characteristics of the user, and the user may specifically be the user who initiates the payment service, usually the user wearing the wearable device. For example, the data to be verified may be the user's face image, the user's fingerprint feature, the user's voiceprint feature, the user's heart rhythm feature, and so on.

If in step S300, the service client collects the fingerprint image through the wearable device, and takes the fingerprint image as the data to be verified, then determines the service request carrying the fingerprint image, and sends the service request to the security protection device through the designated pin .

Then in steps S302-304, the security protection device can extract the biometric feature to be verified from the data to be verified by running the part of the business code, and then perform the biometric feature to be verified according to the pre-solidified user biometric feature. The similarity calculation is to determine the matching result according to the determined similarity and the stored similarity threshold. If the similarity is higher than the preset threshold, it means that the user identity verification is passed; otherwise, it is determined that the user identity verification is not passed. Then in step S308, the service client may continue to perform subsequent steps of the payment service when it is determined that the user identity verification is passed according to the received verification result, for example, payment is made through the user account according to the order information. And when it is determined that the user identity verification fails, it can be determined that there is no need to continue to execute the payment service.

It can be seen that in the security protection device, part of the pre-stored business codes may at least include: codes for extracting biometric features based on the data to be verified, and codes for calculating two different biometric similarity algorithms. In the security protection device, the pre-stored evidence data may include user biometric features, similarity thresholds for determining verification results, and the like.

Based on the same idea, this specification also provides a structural diagram of a service execution device, as shown in FIG. 6 .

Figure 6 is a schematic structural diagram of the service execution device provided in this specification, wherein the service execution device is applied to a security protection device, the security protection device is deployed in a wearable device, and the security protection device communicates with the device through a specified pin Part of the business code of the business client and the sensitive data required to run the part of the business code are pre-cured in the security protection device.

The receiving module 400 is configured to receive a service request carrying service data sent by the main control chip of the wearable device through the designated pin.

The obtaining module 402 is configured to obtain the sensitive data required for executing the service and the part of the service code from the pre-cured data according to the service request.

The execution module 404 is configured to run the part of the service code, execute the service according to the service data and the sensitive data, and determine a service execution result.

A return module 406, configured to return the service execution result to the main control chip through the specified pin.

In the 1990s, the improvement of a technology can be clearly distinguished as an improvement in hardware (for example, improvements in circuit structures such as diodes, transistors, and switches) or improvements in software (improvement in method flow). However, with the development of technology, the improvement of many current method flows can be regarded as the direct improvement of the hardware circuit structure. Designers almost always get the corresponding hardware circuit structure by programming the improved method flow into the hardware circuit. Therefore, it cannot be said that the improvement of a method flow cannot be realized by hardware physical modules. For example, a Programmable Logic Device (Programmable Logic Device, PLD) (such as a Field Programmable Gate Array (Field Programmable Gate Array, FPGA)) is such an integrated circuit, and its logic function is determined by programming the device by a user. It is programmed by the designer to "integrate" a digital system on a PLD, instead of asking a chip manufacturer to design and make a dedicated integrated circuit chip. Moreover, nowadays, instead of making integrated circuit chips by hand, this kind of programming is mostly realized by "logic compiler (logic compiler)" software, which is similar to the software compiler used when writing programs. The original code of the computer must also be written in a specific programming language, which is called a hardware description language (Hardware Description Language, HDL), and there is not only one kind of HDL, but many kinds, such as ABEL (Advanced Boolean Expression Language) , AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, RHDL (Ruby Hardware Description Language), etc., currently the most commonly used is VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog. It should also be clear to those skilled in the art that only a little logical programming of the method flow in the above-mentioned hardware description languages and programming into an integrated circuit can easily obtain a hardware circuit for realizing the logic method flow.

The controller may be implemented in any suitable way, for example the controller may take the form of a microprocessor or processor and a computer readable medium storing computer readable program code (such as software or firmware) executable by the (micro)processor , logic gates, switches, Application Specific Integrated Circuits (ASICs), programmable logic controllers, and embedded microcontrollers, examples of controllers include but are not limited to the following microcontrollers: ARC625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicone Labs C8051F320, the memory controller can also be implemented as part of the control logic of the memory. Those skilled in the art also know that, in addition to realizing the controller in a purely computer-readable program code mode, it is entirely possible to make the controller use logic gates, switches, application-specific integrated circuits, programmable logic controllers, and embedded The same function can be realized in the form of a microcontroller or the like. Therefore, such a controller can be regarded as a hardware component, and the devices included in it for realizing various functions can also be regarded as structures within the hardware component. Or even, means for realizing various functions can be regarded as a structure within both a software module realizing a method and a hardware component.

The systems, devices, modules, or units described in the above embodiments can be specifically implemented by computer chips or entities, or by products with certain functions. A typical implementing device is a computer. Specifically, the computer may be, for example, a personal computer, a laptop computer, a cellular phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or Combinations of any of these devices.

For the convenience of description, when describing the above devices, functions are divided into various units and described separately. Of course, when implementing this specification, the functions of each unit can be implemented in one or more pieces of software and/or hardware.

Those skilled in the art should understand that the embodiments of this specification may be provided as methods, systems, or computer program products. Accordingly, this description may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present description may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.

The specification is described with reference to flowcharts and/or block diagrams of methods, devices (systems), and computer program products according to embodiments of the specification. It should be understood that each procedure and/or block in the flowchart and/or block diagram, and a combination of procedures and/or blocks in the flowchart and/or block diagram can be realized by computer program instructions. These computer program instructions may be provided to a general purpose computer, special purpose computer, embedded processor, or processor of other programmable data processing equipment to produce a machine such that the instructions executed by the processor of the computer or other programmable data processing equipment produce a An apparatus for realizing the functions specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing apparatus to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means, the instructions The device realizes the function specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions can also be loaded onto a computer or other programmable data processing device, causing a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process, thereby The instructions provide steps for implementing the functions specified in the flow chart or blocks of the flowchart and/or the block or blocks of the block diagrams.

In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.

Memory may include non-permanent storage in computer readable media, in the form of random access memory (RAM) and/or nonvolatile memory such as read only memory (ROM) or flash RAM. Memory is an example of computer readable media.

Computer-readable media, including both permanent and non-permanent, removable and non-removable media, can be implemented by any method or technology for storage of information. Information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), Flash memory or other memory technology, Compact Disc Read-Only Memory (CD-ROM), Digital Versatile Disc (DVD) or other optical storage, Magnetic tape cartridge, tape magnetic disk storage or other magnetic storage device or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, computer-readable media excludes transitory computer-readable media, such as modulated data signals and carrier waves.

It should also be noted that the term "comprises", "comprises" or any other variation thereof is intended to cover a non-exclusive inclusion such that a process, method, article, or apparatus comprising a set of elements includes not only those elements, but also includes Other elements not expressly listed, or elements inherent in the process, method, commodity, or apparatus are also included. Without further limitations, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or apparatus comprising said element.

Those skilled in the art should understand that the embodiments of this specification may be provided as methods, systems or computer program products. Accordingly, this description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present description may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.

The specification may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The present description may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including storage devices.

Each embodiment in this specification is described in a progressive manner, the same and similar parts of each embodiment can be referred to each other, and each embodiment focuses on the differences from other embodiments. In particular, for the system embodiment, since it is basically similar to the method embodiment, the description is relatively simple, and for relevant parts, refer to part of the description of the method embodiment.

The above descriptions are only examples of this specification, and are not intended to limit this specification. For those skilled in the art, various modifications and changes may occur in this description. Any modifications, equivalent replacements, improvements, etc. made within the spirit and principles of this specification shall be included within the scope of the claims of this specification.

Claims (12)

1. A safety protection device, the safety protection device (103) is deployed in a wearable device, the safety protection device (103) is connected to the main control chip (100) of the wearable device through a designated pin, The safety protection device (103) includes at least: a processor (101) and a memory (102); wherein: The memory (102) is pre-solidified with part of the business code used to execute the business and sensitive data required to run the part of the business code; The processor (101) is configured to receive a service request carrying service data sent by the main control chip (100) through the specified pin, the service request is installed in the wearable device for executing Generated by the business client of the business; acquire the sensitive data and the part of the business code from the storage (102) according to the business request; run the part of the business code to obtain the sensitive data according to the business data and the Executing the business with sensitive data, and obtaining a business execution result; returning the business execution result to the main control chip (100) through the specified pin, so that the business client continues to execute the business based on the business execution result . 2. The safety protection device as claimed in claim 1, said part of the business code and sensitive data required for running said part of the business code are solidified on said part of the business code by burning when producing said safety protection device (103). in memory (102). 3. The safety protection device according to claim 1, the safety protection device (103) disables other pins except the specified pin. 4. The security protection device according to claim 1, wherein the sensitive data at least includes: business credential information; The memory (102) is also pre-solidified with an encryption algorithm and a corresponding decryption algorithm; The processor (101), configured to receive the service credential information sent by the main control chip (100) through the specified pin, acquire the encryption algorithm from the memory (102), and perform the The business credential information is encrypted and stored, wherein the business credential information is obtained when the business client binds an account for executing the business; The decryption algorithm decrypts the encrypted and stored service credential information, and executes the service according to the decrypted service credential information. 5. The security protection device according to claim 1, wherein the sensitive data at least includes: business credential information; The safety protection device (103) also includes: an encryption logic circuit (104) and a decryption logic circuit (105); The encryption logic circuit (104) is used to encrypt the received data and return the encrypted data; The decryption logic circuit (105) is configured to decrypt the received encrypted data and return a decryption result; The processor (101), configured to receive the business credential information sent by the main control chip (100) through the specified pin, send the business credential information to the encryption logic circuit (104), and send the business credential information to the encryption logic circuit (104), and The encrypted data returned by the encryption logic circuit (104) is sent to the memory (102) for storage, wherein the service credential information is obtained when the service client is bound to an account for executing the service; and when After receiving the service request, obtain the encrypted data from the memory (102), and send it to the decryption logic circuit (105), receive the decrypted business credential information returned by the decryption logic circuit (105), according to The decrypted service credential information executes the service. 6. The safety protection device according to claim 1, wherein the memory (102) comprises: a running memory (106) and a safety memory (107), and the safety memory (107) is a physically unclonable function PUF memory; The running memory (106) is configured to store intermediate data generated by the processor (101) executing services; The safety memory (107) is used to determine the circuit signal characteristics of the safety protection device (103) when the safety protection device (103) is powered on, and determine encryption parameters according to the circuit signal characteristics; according to the encryption parameters The part of the business code and the sensitive data are encrypted, and the encryption result is solidified in the safety memory (107). 7. The safety protection device as claimed in claim 1, the memory (102) comprises: a running memory (106) and a safety memory (107); the safety memory (107) is a safe flash memory, and the safety memory (107) The part of the business code and the sensitive data are pre-cured; The running memory (106) is used to store intermediate data generated by the processor (101) executing services, and codes of specified applications; The processor (101) is specifically configured to obtain the code of the specified application from the operating memory (106), and run the code of the specified application according to the service request, so as to obtain the code of the specified application from the specified application. The safety memory (107) invokes the part of the business code and the sensitive data. 8. The safety protection device according to claim 1, the storage space of the memory (102) is divided into a common storage space and a safe storage space; the safe storage space is used to provide a trusted execution environment, and store the Part of the business code and the sensitive data; The processor (101) is further configured to switch to a safe state according to the service request, and allocate a thread for executing the service according to the service request, and call the thread stored in the safe storage space of the memory (102) through the thread. The part of the business code and the sensitive data; run the part of the business code in the trusted execution environment to execute the business according to the business data and the sensitive data, and obtain the business execution result; The memory (102) is also used for judging whether the state of the processor (101) is a safe state when the data stored in the secure storage space is called by the thread, and if so, responding to the processor (101) ) of the thread's invocation. 9. The security protection device according to claim 1, wherein the main control chip (100) and the security protection device (103) are packaged in the same physical chip. 10. A service execution method, the service execution method is applied to a security protection device, the security protection device is deployed in a wearable device, and the security protection device communicates with the main control chip of the wearable device through a designated pin connection, the security protection device is pre-solidified with part of the business code of the business client and the sensitive data required to run the part of the business code; the method includes: receiving a service request carrying service data sent by the main control chip of the wearable device through the designated pin; According to the business request, obtain the sensitive data required to execute the business and the part of the business code from the pre-solidified data; Run the part of the business code, execute the business according to the business data and the sensitive data, and determine the business execution result; Returning the service execution result to the main control chip through the designated pin. 11. A business execution device, the business execution device is applied to a security protection device, the security protection device is deployed in a wearable device, and the security protection device communicates with the main control chip of the wearable device through a designated pin Part of the business code of the business client and the sensitive data required to run the part of the business code are pre-cured in the security protection device; the device includes: A receiving module, configured to receive a service request carrying service data sent by the main control chip of the wearable device through the specified pin; An acquisition module, configured to acquire the sensitive data required to execute the business and the part of the business code from the pre-cured data according to the business request; An execution module, configured to run the part of the business code, execute the business according to the business data and the sensitive data, and determine a business execution result; A return module, configured to return the service execution result to the main control chip through the designated pin. 12. A computer-readable storage medium, the storage medium stores a computer program, and when the computer program is executed by a processor, the method according to claim 10 is implemented.

Images