CN116629855A - Data access method, application information configuration method, related device and equipment - Google Patents

Info

Publication number: CN116629855A
Application number: CN202310504363.8A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 崔晓夏
Current Assignee: Alibaba China Co Ltd
Original Assignee: Alibaba China Co Ltd
Prior art keywords: payment, application, payment application, identifier, access

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/32 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using wireless devices
    • G06Q20/326 Payment applications installed on the mobile devices
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401 Transaction verification
    • G06Q20/4014 Identity check for transactions

Abstract

The embodiment of the invention provides a data access method, an application information configuration method, a related device and equipment. In the data access method, when a payment application sends an access request, a security component first verifies, based on an identifier of the payment application, that the payment application is a legal application, and then sends the identifier and identity verification information of the payment application to a security domain. After the security domain verifies the identifier and the identity verification information of the payment application, access corresponding to the payment asset is executed based on the payment asset associated with the payment application. The embodiment of the invention can ensure the data security of the wearable device.

Description

Data access method, application information configuration method, related device and equipment
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a data access method, an application information configuration method, and related devices and equipment.
Background
With the development of mobile payment technology, a user can use payment functions on a wearable device. For example, by binding a payment account, a payment application authorized on the wearable device obtains certain payment permissions, such as deductions for purchases below a preset amount or fare payment when taking public transportation.
However, when the wearable device has multiple payment applications, device data security is difficult to guarantee.
Disclosure of Invention
In view of this, the embodiments of the present invention provide a data access method, an application information configuration method, and related devices and equipment, so as to ensure the data security of the device.
In order to achieve the above object, the embodiment of the present invention provides the following technical solutions:
The embodiment of the invention provides a data access method, which is applied to a security component and comprises the following steps:
acquiring an access request of a payment application, wherein the access request comprises an identifier of the payment application and authentication information corresponding to the payment application;
determining, based on the identifier, whether the payment application is a legitimate application;
if yes, forwarding the access request to a security domain, so that the security domain executes access corresponding to the payment asset based on the payment asset associated with the payment application after verifying the identifier and the identity verification information of the payment application.
Optionally, after obtaining the access result to the payment asset, forwarding the access result to the payment application.
Optionally, the determining, based on the identifier, whether the payment application is a legal application includes:
determining whether the identifier is consistent with one of the identifiers of legal applications recorded in the security component; if so, determining that the payment application is a legal application; and if the acquired identifier is inconsistent with the identifiers of legal applications recorded in the security component, determining that the payment application is an illegal application.
Optionally, if the payment application is an illegal application, the data access flow is exited.
Optionally, forwarding the access request to the security domain is specifically: the security component forwards the access request to the security domain based on a security interface.
The embodiment of the invention also provides a data access method which is applied to the security domain and comprises the following steps:
acquiring an access request of a payment application, wherein the access request comprises an identifier of the payment application and authentication information corresponding to the payment application;
determining, based on the identifier, identity authentication information associated with the identifier;
verifying whether the identity verification information is legal based on the identity authentication information;
if yes, executing access to the payment asset corresponding to the payment application, wherein the payment application is only allowed to access the payment asset corresponding to it.
Optionally, the result of the access to the payment asset is returned to the security component.
Optionally, the identity authentication information is an identity authentication certificate, and the identity authentication certificate comprises an identity authentication private key certificate for identity authentication;
verifying whether the identity verification information is legal based on the identity authentication information is specifically: verifying whether the identity verification information is legal based on the identity authentication private key certificate and the identifier.
Optionally, the executing the access to the payment asset corresponding to the payment application includes:
accessing and acquiring the private key certificate corresponding to the payment asset;
or,
accessing and acquiring the payment seed corresponding to the payment asset.
The embodiment of the invention also provides a data access method which is applied to the payment application and comprises the following steps:
sending an access request to a security component, wherein the access request comprises an identifier of the payment application and authentication information corresponding to the payment application, so that the security component forwards the access request to a security domain when determining that the payment application is a legal application based on the identifier, and enables the security domain to execute access corresponding to the payment asset based on the payment asset associated with the payment application after verifying the identifier and the authentication information of the payment application;
obtaining the access result forwarded by the security component.
The embodiment of the invention also provides an application information configuration method, which is applied to the security component and comprises the following steps:
acquiring a configuration request of a payment application, wherein the configuration request at least comprises an identifier of the payment application;
sending the configuration request to a security domain, so that the security domain creates identity authentication information corresponding to the payment application and identity verification information corresponding to the payment application, and configures a payment asset corresponding to the payment application; wherein the payment application only accesses the payment asset corresponding thereto;
after the identity verification information is acquired, recording that the identifier is an identifier of legal application;
forwarding the authentication information to the payment application.
Optionally, after the obtaining the configuration request of the payment application, before the sending the configuration request to the security domain, the method further includes:
determining whether the payment application is a secure application based on the identifier, and if so, executing the step of sending the configuration request to a security domain.
Optionally, the determining, based on the identifier, whether the payment application is a secure application specifically is:
determining whether the payment application is a secure application based on the issuer information carried in the identifier;
or,
determining whether the payment application is a secure application based on whether the character carried at a preset position in the identifier is a preset character.
Optionally, sending the configuration request to the security domain is specifically: sending the configuration request to the security domain based on a security interface.
The embodiment of the invention also provides an application information configuration method which is applied to the security domain and comprises the following steps:
acquiring a configuration request of a payment application, wherein the configuration request at least comprises an identifier of the payment application;
creating identity authentication information corresponding to the payment application based on the identifier, and associating the identifier to the identity authentication information;
based on the identity authentication information, generating identity verification information corresponding to the payment application, and configuring a payment asset corresponding to the payment application; wherein the payment application only accesses the payment asset corresponding thereto;
and returning the authentication information of the payment application.
Optionally, the identity authentication information is an identity authentication certificate, and the identity authentication certificate comprises an identity authentication private key certificate for identity authentication;
generating the identity verification information corresponding to the payment application based on the identity authentication information is specifically: generating the identity verification information corresponding to the payment application based on the identity authentication private key certificate and the identifier.
Optionally, the configuring a payment asset corresponding to the payment application includes:
configuring the access rights of the payment application to the corresponding payment asset, wherein the access rights comprise: in the access of the payment application to its corresponding payment asset, the payment credentials are not updateable and/or the payment token plaintext is not readable.
The embodiment of the invention also provides an application information configuration method which is applied to the payment application and comprises the following steps:
sending a configuration request to a security component, wherein the configuration request at least comprises an identifier of the payment application, so that the security component sends the configuration request to a security domain, and the security domain creates identity authentication information corresponding to the payment application and identity verification information corresponding to the payment application, and configures a payment asset corresponding to the payment application; wherein the payment application only accesses the payment asset corresponding thereto;
and after the security component acquires the authentication information and records that the identifier is the identifier of the legal application, acquiring the authentication information forwarded by the security component.
The embodiment of the invention also provides a security component, which comprises:
the password security library application unit is used for determining whether the payment application is a legal application or not based on the identifier of the payment application carried in the access request after the access request of the payment application is acquired; wherein the access request includes an identifier of the payment application and authentication information corresponding to the payment application;
the security domain client is used for forwarding an access request of the payment application to the security domain when the payment application is a legal application, so that the security domain performs access corresponding to the payment asset based on the payment asset associated with the payment application after verifying the identifier and the identity verification information of the payment application; and forwarding the access result to the payment application after the access result to the payment asset is obtained.
The embodiment of the invention also provides a security domain, which comprises:
the management unit is used for determining identity authentication information associated with the identifier based on the identifier carried by the acquired access request of the payment application; wherein the access request includes an identifier of a payment application and authentication information corresponding to the payment application;
the verification unit is used for verifying whether the identity verification information is legal based on the identity authentication information;
if the identity verification information is legal, the management unit executes access to the payment asset corresponding to the payment application and returns the result of the access to the payment asset to the security component; wherein the payment application is only allowed to access the payment asset corresponding thereto.
The embodiment of the invention also provides a security domain, which comprises:
the management unit is used for creating identity authentication information corresponding to the payment application based on an identifier carried by the acquired configuration request of the payment application and associating the identifier to the identity authentication information;
the verification unit is used for generating identity verification information corresponding to the payment application based on the identity authentication information;
the management unit is used for configuring the payment asset corresponding to the payment application after the verification unit generates the identity verification information corresponding to the payment application, and returning the identity verification information of the payment application; wherein the payment application only accesses the payment asset corresponding thereto.
The embodiment of the invention also provides a wearable device, which comprises: at least one memory and at least one processor, the memory storing a program, the processor invoking the program to perform the data access method applied to the security component in the above embodiment and/or to perform the data access method applied to the security domain in the above embodiment and/or to perform the data access method applied to the payment application in the above embodiment and/or to perform the application information configuration method applied to the security component in the above embodiment and/or to perform the application information configuration method applied to the security domain in the above embodiment and/or to perform the application information configuration method applied to the payment application in the above embodiment.
The embodiment of the present invention further provides a storage medium storing a program for executing the data access method applied to the security component in the above embodiment, and/or storing a program for executing the data access method applied to the security domain in the above embodiment, and/or storing a program for executing the data access method applied to the payment application in the above embodiment, and/or storing a program for executing the application information configuration method applied to the security component in the above embodiment, and/or storing a program for executing the application information configuration method applied to the security domain in the above embodiment, and/or storing a program for executing the application information configuration method applied to the payment application in the above embodiment.
The embodiment of the invention also provides a wearable device, which comprises at least one memory and at least one processor, wherein the memory stores a program, and the processor calls the program to execute the data access method and/or the application information configuration method.
The embodiment of the invention also provides a storage medium which stores a program for executing the data access method and/or the application information configuration method.
An embodiment of the present invention provides a computer program, where the computer program is executed to implement a data access method applied to a security component in the above embodiment, and/or a data access method applied to a security domain in the above embodiment, and/or a data access method applied to a payment application in the above embodiment, and/or an application information configuration method applied to a security component in the above embodiment, and/or an application information configuration method applied to a security domain in the above embodiment, and/or an application information configuration method applied to a payment application in the above embodiment.
In the data access method, when a payment application sends an access request, a security component verifies that the payment application is a legal application based on an identifier of the payment application, then sends the identifier and identity verification information of the payment application to a security domain, verifies the identifier and the identity verification information of the payment application by the security domain, and then executes access corresponding to the payment asset based on a payment asset associated with the payment application.
It can be seen that the security component in the embodiment of the invention can verify whether the payment application is a legal application, which prevents illegal applications from performing access operations related to the payment asset. In addition, the payment application is associated with its payment asset in the security domain, and after verifying the identifier and the identity verification information of the payment application, the security domain executes access corresponding to the payment asset based on the payment asset associated with the payment application. This further prevents illegal applications from performing access operations related to the payment asset, avoids different payment applications accessing or stealing each other's payment asset information, and guarantees the data security of the wearable device.
Drawings
FIG. 1 is a schematic diagram of an alternative architecture of a wearable device according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a system architecture with a TEE according to an embodiment of the invention;
FIG. 3 is a schematic diagram of a system architecture with SE according to an embodiment of the present invention;
FIG. 4 is an optional flowchart of an application information configuration method according to an embodiment of the present invention;
FIG. 5 is an alternative flow chart of a method for accessing data according to an embodiment of the present invention;
FIG. 6 is an exemplary diagram of an alternative architecture of a wearable device according to an embodiment of the present invention;
FIG. 7 is a diagram illustrating a hardware structure of a wearable device according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The concepts involved in the following embodiments of the present invention may be understood with reference to the following description:
Wearable device: a general term for devices that can be worn, developed by applying wearable technology to the intelligent design of everyday wear, such as smart glasses, smart gloves, smart watches, smart clothes and the like.
Payment account: the payer information corresponding to the user identity information, used for operations such as deduction in the payment function, so that the payment function is realized based on the payment account.
Payment application: an application program (APP) used for realizing the payment function; it interacts with the server based on the request of the user and realizes the corresponding payment function based on the corresponding interaction information.
As described in the background, when the wearable device has a plurality of payment applications, payment security is difficult to guarantee. If the wearable device binds only one payment account and that payment account supports use by the plurality of payment applications, there is a risk that an illegal payment application in the wearable device accesses and uses the payment account. If the wearable device binds a plurality of payment accounts for the plurality of payment applications, there is a risk that different payment applications access and steal the payment information or account information of other payment applications. Therefore, when the wearable device has a plurality of payment applications, the data security of the wearable device is difficult to guarantee.
In view of this, an embodiment of the present invention provides a data access method, an application information configuration method, and related devices and equipment, where in the data access method, when a payment application issues an access request, after a security component verifies that the payment application is a legal application based on an identifier of the payment application, the security component sends the identifier and authentication information of the payment application to a security domain, and after the identifier and authentication information of the payment application are verified by the security domain, access corresponding to the payment asset is performed based on a payment asset associated with the payment application.
It can be seen that the security component in the embodiment of the invention can verify whether the payment application is a legal application, which prevents illegal applications from performing access operations related to the payment asset. In addition, the payment application is associated with its payment asset in the security domain, and after verifying the identifier and the identity verification information of the payment application, the security domain executes access corresponding to the payment asset based on the payment asset associated with the payment application. This further prevents illegal applications from performing access operations related to the payment asset, avoids different payment applications accessing or stealing each other's payment asset information, and guarantees the data security of the wearable device.
It will be appreciated that, before the data access method is performed, the corresponding application information (e.g., verification information of payment application identifiers, and correspondence information between application identifiers and associated payment assets) may be pre-configured in the security component and the security domain. In view of this, an embodiment of the present invention further provides an application information configuration method. The security component may send the identifier of a payment application to the security domain. After obtaining the identifier, the security domain may create identity authentication information corresponding to the payment application, generate identity verification information corresponding to the payment application based on the identity authentication information, associate the payment asset corresponding to the payment application, and return the identity verification information of the payment application to the security component. The security component records the identifier as an identifier of a legal application and forwards the identity verification information to the payment application, so that the data security of the wearable device may be ensured based on the security component and the security domain.
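The configuration flow and the data access flow summarized above, modeled in Python as an added example (not code from the patent). It assumes an identifier of the form ISSUER-DEVICE-APP and stands in an HMAC over the identifier, keyed with a per-application secret, for the "identity authentication private key certificate", whose algorithm the patent does not specify; all class, function and sample names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Assumption: identifiers look like "ISSUER-DEVICE-APP". The patent only says that
# characters at fixed positions may carry issuer information.
TRUSTED_ISSUERS = {"ISSA"}  # constructed sample value


class AccessDenied(Exception):
    """Raised when either layer rejects a request."""


class SecurityDomain:
    """Stand-in for the TEE/SE: holds per-application secrets and payment assets."""

    def __init__(self):
        self._auth_keys = {}  # identifier -> identity authentication information
        self._assets = {}     # identifier -> payment asset (here: a payment seed)

    @staticmethod
    def _verification_info(key, identifier):
        # Assumed stand-in for "private key certificate + identifier".
        return hmac.new(key, identifier.encode(), hashlib.sha256).digest()

    def configure(self, identifier):
        # Create authentication info, bind it to the identifier, configure the asset.
        key = secrets.token_bytes(32)
        self._auth_keys[identifier] = key
        self._assets[identifier] = secrets.token_hex(16)
        return self._verification_info(key, identifier)

    def access(self, identifier, verification_info):
        key = self._auth_keys.get(identifier)
        if key is None:
            raise AccessDenied("security domain: unknown identifier")
        expected = self._verification_info(key, identifier)
        if not hmac.compare_digest(expected, verification_info):
            raise AccessDenied("security domain: verification failed")
        # The asset is selected by the verified identifier, never by the caller.
        return self._assets[identifier]


class SecurityComponent:
    """Front door: checks the identifier, then forwards to the security domain."""

    def __init__(self, domain):
        self._domain = domain
        self._legal_ids = set()  # identifiers recorded as legal applications

    def handle_config_request(self, identifier):
        issuer = identifier.split("-", 1)[0]
        if issuer not in TRUSTED_ISSUERS:
            raise AccessDenied("security component: untrusted issuer")
        info = self._domain.configure(identifier)
        self._legal_ids.add(identifier)  # recorded only after the domain answered
        return info                      # forwarded to the payment application

    def handle_access_request(self, identifier, verification_info):
        if identifier not in self._legal_ids:
            raise AccessDenied("security component: identifier not recorded as legal")
        return self._domain.access(identifier, verification_info)


def attempt(fn, *args):
    """Run one request and report the outcome as a (status, detail) tuple."""
    try:
        return ("granted", fn(*args))
    except AccessDenied as exc:
        return ("denied", str(exc))


def run_demo():
    component = SecurityComponent(SecurityDomain())
    id_a, id_b = "ISSA-WATCH01-payA", "ISSA-WATCH01-payB"  # constructed identifiers
    info_a = component.handle_config_request(id_a)
    info_b = component.handle_config_request(id_b)
    return {
        "a_reads_own_asset": attempt(component.handle_access_request, id_a, info_a),
        "b_reads_own_asset": attempt(component.handle_access_request, id_b, info_b),
        # Application A presents B's identifier with its own verification info.
        "a_claims_b_identifier": attempt(component.handle_access_request, id_b, info_a),
        # An application that never went through configuration.
        "unconfigured_app": attempt(
            component.handle_access_request, "ISSA-WATCH01-payC", info_a),
        # Configuration request from an issuer outside the trusted set.
        "untrusted_issuer_config": attempt(
            component.handle_config_request, "UNKN-WATCH01-payX"),
    }


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case}: {outcome[0]}")
```

The cross-application case is rejected in the security domain rather than in the security component: both identifiers are recorded as legal, so only the binding between identifier and verification information keeps one application away from the other's asset.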
As an optional implementation, fig. 1 shows an optional architecture schematic diagram of a wearable device provided by an embodiment of the present invention, where the wearable device may include: payment applications (as indicated by reference numerals 11, 12 and 13), security component 2, and security domain 3.
The wearable device may be a smart bracelet, a smart watch, smart glasses, etc. The payment application can be understood as an application with a payment function; after corresponding authorization is obtained, the payment application can access the payment asset associated with the application, so that functions such as payment and transfer are realized. In particular examples, the payment application may provide, for example, an offline payment code, a ride code, an online payment code, and the like.
The security component 2 is used to provide access to assets and services in the security domain 3, while providing payment application identifier validation. Specifically, a call interface of the security domain 3 may be provided in the security component, and when the payment application is confirmed to be a legal application, access to relevant data is performed based on the call interface of the security domain 3.
The security domain 3 may be understood as a secure environment in which code with high security requirements may be run and data with high security requirements may be stored. In an alternative implementation, the security domain 3 may be a trusted execution environment (Trusted Execution Environment, TEE) or a Secure Element (SE). Referring to the schematic diagram of the system architecture with a TEE shown in FIG. 2, the TEE is an independent secure area on the main processor of the device; it is a secure operating system coexisting with the existing mobile operating system (OS), and provides security functions for the mobile OS environment through software and hardware isolation. Referring to the schematic diagram of the system architecture with an SE shown in FIG. 3, the SE is a chip on the device that is independent of the main processor and provides a secure operating environment for the device through the encryption/decryption logic provided within it.
It may be appreciated that, before implementing data access to related payment assets, a payment application of a wearable device (hereinafter referred to as a device) may first configure corresponding application information (such as correspondence information between a payment application identifier and authentication information) to a security component and a security domain in advance. An optional flow of the application information configuration method provided by the embodiment of the present invention shown in fig. 4 may include:
Step S10, a payment application sends a configuration request to a security component, wherein the configuration request at least comprises an identifier of the payment application;
The configuration request is used for requesting the security component and the security domain to perform information configuration of the payment application, so that data access rights of the corresponding payment asset are acquired. The identifier may be understood as a unique identification corresponding to the payment application, with different identifiers corresponding to the payment applications on different devices. Based on the uniqueness of the identifier of the payment application, it may be determined whether the payment application is legitimate.
The identifier may be, for example, a string of characters. In some alternative examples, the characters at different positions may represent different meanings: the character at a certain position may be used to mark the issuer of the payment application, the character at another position may be used to mark the number of the device where the payment application is located, the character at yet another position may be used to mark the name of the payment application, and so on, so that information related to the payment application can be determined based on the identifier. In other alternative examples, a character may also be set directly at a preset position in the identifier to indicate that the payment application is a secure application.
The identifier may be provided by a publisher or may be generated by a payment application based on a combination of information carried by the payment application and information of the device.
It will be appreciated that after the payment application sends a configuration request to the security component, the security component may accordingly obtain the configuration request of the payment application.
Step S12, the security component sends the configuration request to a security domain;
the security component, upon obtaining a configuration request, may forward the configuration request to the security domain.
In an alternative example, the security component may make a security decision about the payment application before sending the configuration request to the security domain; e.g., step S11 may be performed to determine, based on the identifier, whether the payment application is a secure application. In a specific example, the security component may be preset with determination information related to the identifier. For example, the security component may determine whether the payment application is a secure application based on the issuer information carried in the identifier, the determination being based on whether the issuer carried in the identifier is a trusted issuer; or it may determine whether the payment application is a secure application based on whether the character carried at the preset position in the identifier is a preset character.
It will be appreciated that having the security component make security decisions about payment applications prevents insecure applications (e.g., payment applications of unknown origin) from accessing the security domain, thereby ensuring data security of the device. When the payment application is determined to be a secure application, step S12 may be executed; when it is determined not to be a secure application, the application information configuration flow may be exited and a prompt message may be sent.
In a further example, the sending the configuration request to the security domain may be performed based on a security interface, thereby guaranteeing data security of the device.
Step S13, the security domain creates identity authentication information corresponding to the payment application based on the identifier, and associates the identifier to the identity authentication information;
after the security domain obtains the identifier sent by the security component, the creation of the identity authentication information may be performed based on the identifier.
Specifically, based on the identifier, authentication information uniquely corresponding to the identifier may be created. It will be appreciated that after the authentication information is created, an association of an identifier to the authentication information may be performed, for example, binding an identifier to the authentication information, so that, when the payment application is authenticated, confirmation of the payment application identity may be performed based on the uniquely associated authentication information.
The identity authentication information may be an identity authentication certificate, and the identity authentication certificate may include an identity authentication private key certificate for performing identity authentication, so that identity verification information uniquely corresponding to the payment application identifier may be generated based on the identity authentication private key certificate in step S14.
Step S14, the security domain generates identity verification information corresponding to the payment application based on the identity authentication information, and configures a payment asset corresponding to the payment application;
After creating the identity authentication information corresponding to the identifier, the identity verification information may be generated based on the identity authentication information.
In a specific example, when the identity authentication certificate includes an identity authentication private key certificate for performing identity authentication, the identity verification information of the corresponding payment application may be generated based on the identity authentication private key certificate and the identifier. The identity verification information may be, for example, an identity token, based on which the payment application can be authenticated. The identity token may be understood as an ID sequence or string uniquely representing the payment application.
After the identity verification information of the corresponding payment application is generated, the payment asset corresponding to the payment application can be configured. In terms of access rights, the payment application can only access the payment asset corresponding to it, so that arbitrary access by the payment application to other payment assets is avoided and the data security of the device is ensured.
In a specific example, the payment asset may be, for example, a payment credential, a payment token, etc., which may be, for example, a credential required for a third-party payment cloud service. In further examples, specific access rights of the payment application to its corresponding payment asset may also be configured; e.g., when the payment application accesses its corresponding payment asset, the payment credentials cannot be updated, the payment token plaintext cannot be read, etc.
Step S15, the security domain returns the authentication information of the payment application;
after the payment resources corresponding to the payment application are configured, corresponding identity verification information can be returned, so that the payment application can verify the identity based on the identity verification information of the payment application, and access of the related payment assets is performed.
Accordingly, after the security domain returns the authentication information of the payment application, the security component may obtain the authentication information and perform step S16.
S16, the security component records that the identifier is an identifier of a legal payment application;
wherein the security component can determine whether the payment application is a security application in a flow of the payment application accessing the payment asset based on the recorded identifier.
Step S17, the security component forwards the authentication information to the payment application.
In a further optional implementation, the embodiment of the present invention further provides a data access method, and referring to an optional flow of the data access method provided by the embodiment of the present invention shown in fig. 5, the flow may include:
Step S20, a payment application sends an access request to a security component, wherein the access request comprises an identifier of the payment application and authentication information corresponding to the payment application;
the access request is used for requesting to access the payment asset corresponding to the payment application, so that the payment function of the payment application is realized based on the payment asset. The identifier of the payment application and the authentication information corresponding to the payment application are used for realizing the authentication of the payment application, thereby ensuring the data security of the payment asset accessed by the payment application.
The authentication information may be, for example, an identity token.
Step S21, a security component determines whether the payment application is a legal application or not based on the identifier;
after the security component obtains the access request of the payment application, the security component can obtain the identifier of the corresponding payment application and the authentication information of the corresponding payment application.
Whether the payment application is a legal application or not can be judged based on the acquired identifier. In a specific example, the validation may be based on the obtained identifier being compared to an identifier of the legitimate application recorded in the security component. It may be understood that the security component may record identifiers of a plurality of legal applications, and accordingly, the determining process may specifically be that whether the obtained identifier is consistent with one of the identifiers of the legal applications recorded in the security component is determined, and if so, the payment application is considered to be a legal application, and step S22 is executed; and if the acquired identifier is inconsistent with the identifier of the legal application recorded in the security component, the payment application is considered to be an illegal application.
When the payment application is illegal, the data access flow can be exited, and further, prompt information can be sent out to indicate that the payment application is illegal.
Step S22, the security component forwards the access request to a security domain;
upon determining that the payment application is a legitimate application, the security component may forward the access request to the security domain to cause the security domain to perform a corresponding identity validation and data access.
In an alternative example, a security interface is further provided in the security component, and the security component may forward the access request to the security domain based on the security interface, so as to ensure data security of the device.
Step S23, the security domain determines identity authentication information associated with the identifier based on the identifier;
it will be appreciated that the access request includes an identifier of the payment application and authentication information corresponding to the payment application, and that the identifier of the payment application and the authentication information corresponding to the payment application may be obtained after the secure domain obtains the access request of the payment application.
Based on the foregoing configuration flow, the security domain performs association between the identifier and the identity authentication information in advance, and accordingly, the security domain may determine the identity authentication information associated with the identifier based on the identifier of the payment application.
Step S24, the security domain verifies whether the identity verification information is legal or not based on the identity authentication information;
It will be appreciated that after the identity authentication information is determined, the identity verification information may be verified based on the identity authentication information. In a specific example, the identity verification information may be an identity token of a payment application.
In an alternative example, the identity authentication information may be an identity authentication certificate, and the identity authentication certificate may include an identity authentication private key certificate for performing identity authentication. The identity verification information may be generated based on the identity authentication private key certificate and the identifier, and accordingly, the verification of the identity verification information may be implemented based on the identity authentication private key certificate and the identifier.
When the identity verification information is legal, the payment application is indicated to pass the identity verification, and step S25 is executed; and when the authentication information is illegal, indicating that the payment application fails authentication, exiting the data access flow and sending prompt information to indicate that the payment application is illegal.
Step S25, the security domain executes access to the payment assets corresponding to the payment application;
When the payment application is determined to be a legal application, it has passed identity verification, so access to the payment asset corresponding to the payment application can be performed.
It should be noted that, even if the payment application passes identity verification, the payment application is only allowed to access the payment asset corresponding to it; accordingly, after the payment application passes identity verification, the security domain performs access only to the payment asset corresponding to that payment application.
When performing access to the payment asset, different access operations may be performed based on information in the access request; e.g., a private key credential corresponding to the payment asset may be accessed, or the payment seed corresponding to the payment asset may be accessed and acquired. It may be appreciated that the payment assets corresponding to different payment applications may differ, and the corresponding access flow or access content may differ as well. In a specific example, if the payment application is used to obtain a two-dimensional code for payment, static data of the associated payment asset stored in the security domain, such as the private key credential corresponding to the payment asset, may be accessed; if the payment application is used to obtain a traffic payment code, the payment seed corresponding to the associated payment asset may be accessed, the traffic payment code is dynamically generated in the security domain based on the payment seed, and the traffic payment code is returned as the access result.
Step S26, the security domain returns the access result of the payment asset to the security component;
the access result may be, for example, a two-dimensional code, a riding code, or the like for payment.
Step S27, the security component forwards the access result to the payment application;
after the security component obtains the access result to the payment asset, forwarding of the access result may be performed.
It can be seen that the security component in the embodiment of the invention can verify whether the payment application is a legal application, so that illegal applications are prevented from performing access operations related to payment assets. Meanwhile, in the security domain, each payment application is associated with its payment asset, and after verifying the identifier and the identity verification information of the payment application, the security domain executes the access based on the payment asset associated with that payment application. This further prevents illegal applications from performing access operations related to payment assets, avoids mutual access to or theft of payment asset information among different payment applications, and guarantees the data security of the wearable device.
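The configuration flow (steps S10 to S17) and the data access flow (steps S20 to S27) can be sketched as follows. This is an added example, not code from the patent: the class names, the `issuer:device:app` identifier layout, the sample issuer code, and the use of HMAC-SHA256 with a per-application random key in place of the identity authentication private key certificate are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class AccessDenied(Exception):
    """Raised when the security component or the security domain rejects a request."""


class SecurityDomain:
    """Holds per-application authentication keys and payment assets."""

    def __init__(self):
        # identifier -> key (assumed stand-in for the private key certificate)
        self._auth_keys = {}
        # identifier -> payment seed (constructed sample asset)
        self._assets = {}

    @staticmethod
    def _token(key, identifier):
        # The identity token is derived from the key and the identifier,
        # so a token issued for one identifier never verifies for another.
        return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()

    def configure(self, identifier):
        key = secrets.token_bytes(32)
        self._auth_keys[identifier] = key                    # S13: create and associate
        self._assets[identifier] = secrets.token_bytes(32)   # S14: configure the asset
        return self._token(key, identifier)                  # S14/S15: return the token

    def access(self, identifier, token, counter):
        key = self._auth_keys.get(identifier)                # S23: look up by identifier
        if key is None:
            raise AccessDenied("no authentication information for identifier")
        expected = self._token(key, identifier)              # S24: constant-time check
        if not hmac.compare_digest(expected.encode(), token.encode()):
            raise AccessDenied("identity token rejected")
        # S25: the asset is selected by the verified identifier only; the
        # caller has no way to name another application's asset.
        seed = self._assets[identifier]
        # S26: return a code derived from the seed; the seed stays inside.
        mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        code = int.from_bytes(mac[:4], "big") % 10**8
        return f"{code:08d}"


class SecurityComponent:
    """Front door for payment applications; keeps the list of legal identifiers."""

    TRUSTED_ISSUERS = {"ISSA"}  # constructed issuer code

    def __init__(self, domain):
        self._domain = domain
        self._legal = set()

    def configure(self, identifier):
        issuer = identifier.split(":", 1)[0]                 # S11: issuer field check
        if issuer not in self.TRUSTED_ISSUERS:
            raise AccessDenied("issuer not trusted")
        token = self._domain.configure(identifier)           # S12: forward to domain
        self._legal.add(identifier)                          # S16: record as legal
        return token                                         # S17: forward the token

    def access(self, identifier, token, counter):
        if identifier not in self._legal:                    # S21: allowlist check
            raise AccessDenied("identifier not recorded as legal")
        return self._domain.access(identifier, token, counter)  # S22, S27


def denied(call, *args):
    """Return True if the call is rejected with AccessDenied."""
    try:
        call(*args)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    domain = SecurityDomain()
    component = SecurityComponent(domain)
    qr_id, transit_id = "ISSA:WATCH01:qrpay", "ISSA:WATCH01:transit"
    qr_token = component.configure(qr_id)
    transit_token = component.configure(transit_id)
    print("own asset:", component.access(transit_id, transit_token, 1))
    print("other app's token rejected:",
          denied(component.access, qr_id, transit_token, 1))
    print("unrecorded identifier rejected:",
          denied(component.access, "ISSA:WATCH01:other", qr_token, 1))
    print("untrusted issuer rejected:",
          denied(component.configure, "UNKN:WATCH01:qrpay"))
```

The two checks are independent: the security component rejects identifiers it never recorded, and the security domain rejects a recorded identifier presented with a token issued to a different application.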
It should be noted that the embodiment of the invention can perform a security extension (i.e., setting up the security domain) that is independent of the security mechanism of the OS and is based on the security mechanism of a low-resource chip (such as BLE, Bluetooth Low Energy, or an MCU, microcontroller unit). It can provide asset access and usage schemes that meet the security needs of payment applications, and ensures the security of different payment applications for users.
In addition, the embodiment of the invention can flexibly deploy the third party payment application and can protect the data security of the third party payment asset.
In the embodiment of the present invention, on the basis of the optional architecture of the wearable device shown in fig. 1, an optional architecture example of the wearable device is further provided. Referring to the optional architecture example diagram of the wearable device provided in the embodiment of the present invention shown in fig. 6, in the wearable device, the security component 2 may include a cryptographic security library application unit 21 and a security domain client 22, and the security domain 3 may include a management unit 31, a verification unit 32, and payment assets (33-1, 33-2, and 33-3 in the drawing). Payment asset 33-1 may correspond to payment application 11, payment asset 33-2 may correspond to payment application 12, and payment asset 33-3 may correspond to payment application 13.
The cryptographic security library application unit 21 is configured to provide validity verification of the payment application and provide access rights to assets and services in the security domain. In a specific implementation, the cryptographic security library application unit 21 is configured to determine, based on the identifier, whether the payment application is a legal application.
The secure domain client 22 is configured to provide an interface for communicating with a secure domain, where the interface may be a dedicated secure interface, so as to ensure data security in the secure domain. In a specific implementation, the secure domain client 22 may forward the access request of the payment application to the secure domain in the data access flow of the payment application, and when the interface is a secure interface, the secure domain client 22 may invoke the secure interface to forward the access request of the payment application to the secure domain. In the application information configuration flow, the secure domain client 22 may send a configuration request for a payment application to the secure domain.
The management unit 31 is used for managing and configuring access rights to the payment assets. The verification unit 32 is configured to verify the identity of the payment application and provide an identification service for the payment application. The payment asset may be understood as asset information that implements a payment function.
In a specific implementation, for a data access flow of a payment application, the management unit 31 is configured to determine, based on an identifier carried by an access request of the obtained payment application, identity authentication information associated with the identifier; wherein the access request includes an identifier of a payment application and authentication information corresponding to the payment application;
the verification unit 32 is configured to verify whether the identity verification information is legal based on the identity authentication information;
if the identity verification information is legal, the management unit 31 executes access to the payment asset corresponding to the payment application, and returns the access result of the payment asset to the security component; wherein the payment application is only allowed to access the payment asset corresponding to it.
For the application information configuration flow, the management unit 31 may be further configured to create identity authentication information corresponding to the payment application based on an identifier carried by the acquired configuration request of the payment application, and associate the identifier to the identity authentication information;
the verification unit 32 is further configured to generate identity verification information corresponding to the payment application based on the identity authentication information;
after the verification unit 32 generates the identity verification information corresponding to the payment application, the management unit 31 may further configure a payment asset corresponding to the payment application, and return the identity verification information of the payment application; wherein the payment application only accesses the payment asset corresponding thereto.
The embodiment of the invention also provides the wearable device, which can load the payment application, the security component and the security domain in the form of a loader to execute the data access method and/or the application information configuration method provided by the embodiment of the invention.
Optionally, the hardware structure of the wearable device provided by the embodiment of the present invention may be as shown in fig. 7, including: at least one processor 01, at least one communication interface 02, at least one memory 03 and at least one communication bus 04;
alternatively, the communication interface 02 may be an interface of a communication module for performing network communication;
the processor 01 may be a CPU, a microprocessor (MCU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention.
The memory 03 may comprise a high-speed RAM memory and may further comprise a non-volatile memory, such as at least one magnetic disk memory.
The memory 03 stores a program, and the processor 01 calls the program stored in the memory 03 to execute the data access method and/or the application information configuration method provided by the embodiment of the present invention.
The embodiment of the invention also provides a storage medium, which stores a program for executing the data access method and/or the application information configuration method provided by the embodiment of the invention.
The embodiment of the present invention further provides a computer program, where the computer program when executed implements a data access method applied to a security component as in the above embodiment, and/or a data access method applied to a security domain as in the above embodiment, and/or a data access method applied to a payment application as in the above embodiment, and/or an application information configuration method applied to a security component as in the above embodiment, and/or an application information configuration method applied to a security domain as in the above embodiment, and/or an application information configuration method applied to a payment application as in the above embodiment.
Although the present invention is disclosed above, the present invention is not limited thereto. Various changes and modifications may be made by one skilled in the art without departing from the spirit and scope of the invention, and the scope of the invention should be assessed accordingly to that of the appended claims.

Claims (14)

1. A method of data access, for use with a security component, comprising:
acquiring an access request of a payment application, wherein the access request comprises an identifier of the payment application and authentication information corresponding to the payment application;
determining, based on the identifier, whether the payment application is a legitimate application;
if yes, forwarding the access request to a security domain, so that the security domain executes access corresponding to the payment asset based on the payment asset associated with the payment application after verifying the identifier and the identity verification information of the payment application.
2. The data access method of claim 1, wherein,
after the performing the access to the payment asset, further comprising: after the access result of the payment asset is obtained, forwarding the access result to the payment application;
wherein the determining, based on the identifier, whether the payment application is a legitimate application comprises: determining whether the identifier is consistent with one of the identifiers of legal applications recorded in the security component, and if so, determining that the payment application is a legal application; if the obtained identifier is inconsistent with the identifier of the legal application recorded in the security component, the payment application is an illegal application; and if the payment application is an illegal application, exiting the data access flow.
3. The data access method according to claim 1, wherein the security component forwards the access request to a security domain, in particular wherein the security component forwards the access request to a security domain based on a security interface.
4. A method of data access, applied to a security domain, comprising:
acquiring an access request of a payment application, wherein the access request comprises an identifier of the payment application and authentication information corresponding to the payment application;
determining, based on the identifier, identity authentication information associated with the identifier;
verifying whether the identity verification information is legal or not based on the identity authentication information;
if yes, executing access to the payment asset corresponding to the payment application, wherein the payment application is only allowed to access the payment asset corresponding to the payment application.
5. The data access method of claim 4, wherein,
after the access to the payment asset corresponding to the payment application is executed, returning the access result to the payment asset to a security component;
the identity authentication information is an identity authentication certificate, and the identity authentication certificate comprises an identity authentication private key certificate used for identity authentication; and the verifying whether the identity verification information is legal or not based on the identity authentication information is, specifically, verifying whether the identity verification information is legal or not based on the identity authentication private key certificate and the identifier.
6. The data access method of claim 4, wherein the performing access to the payment asset corresponding to the payment application comprises:
accessing and acquiring a private key certificate corresponding to the payment asset;
or
and accessing and acquiring payment seeds corresponding to the payment assets.
7. A data access method, for use in a payment application, comprising:
sending an access request to a security component, wherein the access request comprises an identifier of the payment application and authentication information corresponding to the payment application, so that the security component forwards the access request to a security domain when determining that the payment application is a legal application based on the identifier, and enables the security domain to execute access corresponding to the payment asset based on the payment asset associated with the payment application after verifying the identifier and the authentication information of the payment application;
and obtaining the access result forwarded by the security component.
8. An application information configuration method, applied to a security component, comprising:
acquiring a configuration request of a payment application, wherein the configuration request at least comprises an identifier of the payment application;
sending the configuration request to a security domain, so that the security domain creates identity authentication information corresponding to the payment application and identity verification information corresponding to the payment application, and configures a payment asset corresponding to the payment application; wherein the payment application only accesses the payment asset corresponding thereto;
after the identity verification information is acquired, recording that the identifier is an identifier of legal application;
forwarding the authentication information to the payment application.
9. The application information configuration method according to claim 8, wherein after the acquiring the configuration request of the payment application, before the sending the configuration request to the security domain, further comprising:
and determining whether the payment application is a security application or not based on the identifier, and if so, executing the step of sending the configuration request to a security domain.
10. An application information configuration method, applied to a security domain, comprising:
acquiring a configuration request of a payment application, wherein the configuration request at least comprises an identifier of the payment application;
creating identity authentication information corresponding to the payment application based on the identifier, and associating the identifier to the identity authentication information;
based on the identity authentication information, generating identity verification information corresponding to the payment application, and configuring a payment asset corresponding to the payment application; wherein the payment application only accesses the payment asset corresponding thereto;
and returning the authentication information of the payment application.
11. An application information configuration method, applied to a payment application, comprising:
sending a configuration request to a security component, wherein the configuration request at least comprises an identifier of the payment application, so that the security component sends the configuration request to a security domain, and the security domain creates identity authentication information corresponding to the payment application and identity verification information corresponding to the payment application, and configures a payment asset corresponding to the payment application; wherein the payment application only accesses the payment asset corresponding thereto;
and after the security component acquires the authentication information and records that the identifier is the identifier of the legal application, acquiring the authentication information forwarded by the security component.
12. A security component, comprising:
the cryptographic security library application unit is used for determining whether the payment application is a legal application or not based on the identifier of the payment application carried in the access request after the access request of the payment application is acquired; wherein the access request includes an identifier of the payment application and authentication information corresponding to the payment application;
The security domain client is used for forwarding an access request of the payment application to the security domain when the payment application is a legal application, so that the security domain performs access corresponding to the payment asset based on the payment asset associated with the payment application after verifying the identifier and the identity verification information of the payment application; and forwarding the access result to the payment application after the access result to the payment asset is obtained.
13. A security domain, comprising:
the management unit is used for determining identity authentication information associated with the identifier based on the identifier carried by the acquired access request of the payment application; wherein the access request includes an identifier of a payment application and authentication information corresponding to the payment application;
the verification unit is used for verifying whether the identity verification information is legal or not based on the identity authentication information;
if the identity verification information is legal, the management unit executes access to the payment asset corresponding to the payment application; wherein the payment application is only allowed to access the payment asset corresponding to it.
14. A wearable device or storage medium, the wearable device comprising: at least one memory and at least one processor, the memory storing a program, the processor invoking the program to perform the data access method of any of claims 1-3, and/or to perform the data access method of any of claims 4-6, and/or to perform the data access method of claim 7, and/or to perform the application information configuration method of any of claims 8-9, and/or to perform the application information configuration method of claim 10, and/or to perform the application information configuration method of claim 11;
or,
the storage medium stores a program for executing the data access method of any one of claims 1 to 3, and/or stores a program for executing the data access method of any one of claims 4 to 6, and/or stores a program for executing the data access method of claim 7, and/or stores a program for executing the application information configuration method of any one of claims 8 to 9, and/or stores a program for executing the application information configuration method of claim 10, and/or stores a program for executing the application information configuration method of claim 11.
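The two-stage check of claims 12 and 13, as an added Python example that is not part of the patent text: the library unit screens the identifier before anything is forwarded, and the security domain verifies the identity verification information and returns only the asset bound to that identifier. The class names, the byte-string credentials, the constant-time comparison and the sample data are assumptions made for illustration.

```python
import hmac


class SecurityDomain:
    """Claim 13: management unit plus verification unit (names are hypothetical)."""

    def __init__(self):
        self._records = {}  # identifier -> (verification info, bound payment asset)

    def provision(self, app_id, auth_info, asset):
        self._records[app_id] = (auth_info, asset)

    def access(self, app_id, auth_info):
        record = self._records.get(app_id)  # management unit: look up by identifier
        if record is None:
            return None
        expected, asset = record
        # Verification unit: constant-time comparison of the presented information.
        if not hmac.compare_digest(expected, auth_info):
            return None
        return asset  # the request never names an asset; the identifier selects it


class LibraryUnit:
    """Claim 12: identifier check, then forwarding via the security domain client."""

    def __init__(self, legal_ids, domain):
        self._legal = frozenset(legal_ids)
        self._domain = domain
        self.forwarded = 0  # number of requests that reached the security domain

    def handle(self, request):
        app_id = request["app_id"]
        if app_id not in self._legal:
            return {"status": "rejected", "stage": "library"}
        self.forwarded += 1
        asset = self._domain.access(app_id, request["auth_info"])
        if asset is None:
            return {"status": "rejected", "stage": "security_domain"}
        return {"status": "ok", "result": asset}


def build_demo():
    # Constructed sample data: wallet_c is known to the library but has no asset.
    domain = SecurityDomain()
    domain.provision("wallet_a", b"auth-a-constructed", "card-token-A")
    domain.provision("wallet_b", b"auth-b-constructed", "card-token-B")
    return LibraryUnit({"wallet_a", "wallet_b", "wallet_c"}, domain)
```

Because the asset is selected by the verified identifier rather than by a field in the request, an application holding valid credentials still has no way to address another application's asset.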
CN202310504363.8A 2023-05-05 2023-05-05 Data access method, application information configuration method, related device and equipment Pending CN116629855A (en)

Publications (1)

Publication Number Publication Date
CN116629855A (en) 2023-08-22

Family

ID=87616256

Country Status (1)

Country Link
CN (1) CN116629855A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination