CN117688566A - Data protection method and electronic equipment - Google Patents


Info

Publication number: CN117688566A
Authority: CN (China)
Prior art keywords: authentication information, secret value, electronic device, identity authentication, user
Legal status: Pending
Application number: CN202211072325.1A
Other languages: Chinese (zh)
Inventors: 李昂, 郑亮
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Events: application filed by Huawei Technologies Co Ltd; priority to CN202211072325.1A; priority to PCT/CN2023/116087 (WO2024046418A1); publication of CN117688566A; legal status: pending.

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
        • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
            • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
        • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
            • G06F21/71 ... to assure secure computing or processing of information
                • G06F21/72 ... in cryptographic circuits

Abstract

The application provides a data protection method and an electronic device. The method includes the following steps: the electronic device receives registration identity authentication information input by a user; the electronic device generates a first secret value, where the first secret value is used to encrypt and protect a root key, and the root key is used to protect user data on the electronic device; the electronic device encrypts the first secret value based on the registration identity authentication information to obtain an encrypted first secret value; and the electronic device stores the registration identity authentication information and the encrypted first secret value. Thus, once the electronic device has generated the secret value, the secret value is stored only after being encrypted under the registration identity authentication information input by the user, which further protects the security of the secret value.

Description

Data protection method and electronic equipment
Technical Field
The present disclosure relates to the field of data security technologies, and in particular, to a data protection method and an electronic device.
Background
A security chip provides a hardware-level, high-security trusted environment with resistance to physical attack, and is widely used in mobile devices, Internet of Things (IoT) devices and other equipment with high security requirements.
Currently, security chips in devices are mainly used to store information related to user identity authentication. Although the security chip itself is highly secure, there have been cases where identity-authentication-related information stored in the security chip was stolen by illicit means, leading to leakage of user data. How to further improve the security of the identity-authentication-related information stored in the security chip remains to be studied.
Disclosure of Invention
The application provides a data protection method and electronic equipment, which can encrypt and store a secret value based on registered identity authentication information input by a user, so that the security of the secret value is further protected.
In a first aspect, the present application provides a data protection method, including: the electronic equipment receives registration identity authentication information input by a user; the electronic equipment generates a first secret value, the first secret value is used for encrypting and protecting a root key, and the root key is used for protecting user data on the electronic equipment; the electronic equipment encrypts the first secret value based on the registered identity authentication information to obtain an encrypted first secret value; the electronic device stores the registered identity authentication information and the encrypted first secret value.
The first secret value can be directly used for encrypting the protection root key, and the first secret value and other factors can also participate in the encrypting protection root key together. Other factors include, but are not limited to, one or more of registration identity authentication information, hardware unique keys, device unique IDs.
The root key may be used directly to cryptographically protect user data on the electronic device. Alternatively, a data key may be derived from the root key, and user data on the electronic device is cryptographically protected based on that data key. The data key may be derived from the root key through one or more derivation stages.
Thus, once the electronic device has generated the secret value, the secret value is stored only after being encrypted under the registration identity authentication information input by the user, which further protects the security of the secret value.
With reference to the first aspect, in one possible implementation, receiving the registration identity authentication information input by the user specifically includes: the electronic device receives the registration identity authentication information input by the user through the operating system. After receiving it and before generating the first secret value, the method further includes: the electronic device sends the registration identity authentication information to the security chip through the operating system. Generating the first secret value specifically includes: the electronic device generates the first secret value in the security chip. Encrypting the first secret value based on the registration identity authentication information specifically includes: the security chip encrypts the first secret value based on the registration identity authentication information to obtain the encrypted first secret value. Storing the registration identity authentication information and the encrypted first secret value specifically includes: the electronic device stores both in the security chip.
Therefore, when the electronic device is equipped with a security chip, the secret value can be generated inside the security chip, which avoids the situation where the secret value is generated outside the security chip and an attacker tampers with it, causing leakage of user data.
Moreover, because the encrypted first secret value and the registration identity authentication information are stored in the security chip, which has a higher security level, their security is further protected.
With reference to the first aspect, in one possible implementation manner, before the electronic device generates the first secret value, the method further includes: the electronic equipment generates a second secret value through an operating system; the electronic device sends the second secret value to the security chip through the operating system; the electronic equipment generates a third secret value through the security chip; the electronic device generates a first secret value, which specifically includes: the electronic device generates a first secret value based on the second secret value and the third secret value through the security chip.
The present application also provides another method of generating a first secret value. That is, the first secret value is generated based on the third secret value generated inside the secure chip and the second secret value generated outside the secure chip. Even if an attacker can tamper with the second secret value generated outside the security chip, the attacker cannot tamper with the third secret value generated inside the security chip, so that the situation that the first secret value is tampered with by the attacker can be avoided.
With reference to the first aspect, in a possible implementation manner, after the electronic device stores the registered identity authentication information and the encrypted first secret value, the method further includes: under the condition that the first condition is met, the electronic equipment receives verification identity authentication information input by a user; under the condition that the verification identity authentication information and the registration identity authentication information meet preset conditions, the electronic equipment decrypts the encrypted first secret value based on the verification identity authentication information to obtain a first secret value; the electronic equipment decrypts the encryption root key based on the first secret value to obtain a root key; the electronic device decrypts the encrypted user data based on the root key to obtain unencrypted user data.
The first secret value can be directly used for decrypting the encryption root key to obtain the root key, and the first secret value can also be used for decrypting the encryption root key together with other factors to obtain the root key. Other factors include, but are not limited to, one or more of registration identity authentication information, hardware unique keys, device unique IDs.
After obtaining the root key, the root key may be used directly to decrypt the encrypted user data to obtain the unencrypted user data. Alternatively, a data key may be derived from the root key, and the encrypted user data is decrypted based on that data key. The data key may be derived from the root key through one or more derivation stages.
When verifying the identity authentication information input by the user, the security chip decrypts the encrypted first secret value based on that verification information only when it and the registration identity authentication information meet the preset condition, thereby obtaining the unencrypted first secret value. In this way, the situation where the first secret value is stored unencrypted and an attacker tampers with the authentication logic to make it leak is avoided.
With reference to the first aspect, in one possible implementation manner, the sending, by the electronic device, the registration identity authentication information to the security chip through the operating system specifically includes: the electronic equipment desensitizes the registered identity authentication information through an operating system to obtain desensitized registered identity authentication information; the electronic equipment sends desensitization registration identity authentication information to the security chip through an operating system; the electronic device encrypts the first secret value based on the registered identity authentication information through the security chip, and specifically comprises the following steps: the electronic device encrypts the first secret value based on the desensitized registered identity authentication information through the security chip to obtain an encrypted first secret value.
Optionally, the electronic device may encrypt the first secret directly through the security chip based on the desensitized registered identity authentication information to obtain an encrypted first secret. In other embodiments, the electronic device may also derive the desensitized registered identity authentication information by using a key, or perform hash calculation on the desensitized registered identity authentication information, and encrypt the first secret value by using the derived key or the value after hash calculation to obtain an encrypted first secret value. The embodiments of the present application are not limited in this regard.
Thus, the electronic device desensitizes the registration identity authentication information before sending it, which avoids the situation where the registration identity authentication information is leaked because it was transmitted in plaintext.
With reference to the first aspect, in one possible implementation manner, after the electronic device receives the verification identity authentication information input by the user, before the electronic device decrypts the encrypted first secret value based on the verification identity authentication information, the method further includes: the electronic equipment desensitizes the verification identity authentication information through an operating system to obtain desensitized verification identity authentication information; the electronic equipment sends desensitization verification identity authentication information to the security chip through the operating system; the electronic device decrypts the encrypted first secret value based on the verification identity authentication information, and specifically comprises the following steps: under the condition that the desensitization verification identity authentication information and the desensitization registration identity authentication information meet preset conditions, the electronic equipment decrypts the encrypted first secret value based on the desensitization verification identity authentication information through the security chip to obtain the first secret value.
Optionally, the electronic device may decrypt the encrypted first secret value directly through the security chip based on the desensitized registered identity authentication information, to obtain an unencrypted first secret value. In other embodiments, the electronic device may decrypt the encrypted first secret value based on the key derived from the desensitized registered identity authentication information or the hashed value of the desensitized registered identity authentication information to obtain the unencrypted first secret value. The embodiments of the present application are not limited in this regard.
Thus, when the security chip stores the desensitized registration identity authentication information, the electronic device must also desensitize the verification identity authentication information and compare it with the desensitized registration identity authentication information when verifying the user's identity.
With reference to the first aspect, in one possible implementation, the registration identity authentication information includes registered lock screen identity authentication information of the electronic device and/or registered unlock authentication information of a first application on the electronic device. The registered lock screen identity information is used to unlock the electronic device when the verification lock screen identity authentication information input by the user and the registered lock screen identity information meet the preset condition; the registered opening authentication information is used to open the first application when the verification opening authentication information input by the user and the registered opening authentication information meet the preset condition.
With reference to the first aspect, in one possible implementation, receiving the registration identity authentication information input by the user specifically includes: the electronic device receives registered lock screen identity information input by the user, where the registered lock screen identity information is used to unlock the electronic device when the verification lock screen identity authentication information input by the user and the registered lock screen identity information meet the preset condition. Generating the first secret value specifically includes: the electronic device generates a first secret value that is used to encrypt and protect a first root key, where the first root key is used to protect user data on the electronic device. Encrypting the first secret value based on the registration identity authentication information specifically includes: the electronic device encrypts the first secret value based on the registered lock screen identity information to obtain the encrypted first secret value. Storing the registration identity authentication information and the encrypted first secret value specifically includes: the electronic device stores the registered lock screen identity information and the encrypted first secret value.
Thus, the user can set the screen locking identity information of the user unlocking the electronic equipment, and store the screen locking identity information and the first secret value in the security chip.
Optionally, the electronic device may have a plurality of different user accounts logged on. The user can also set the screen locking identity information corresponding to a plurality of different user accounts respectively.
Alternatively, root keys corresponding to a plurality of different user accounts may be different or the same, which is not limited in the embodiment of the present application.
The first secret value can be directly used for encrypting and protecting the first root key, and the first secret value and other factors can also participate in encrypting and protecting the first root key together. Other factors include, but are not limited to, one or more of registration identity authentication information, hardware unique keys, device unique IDs.
After obtaining the first root key, the first root key may be used directly to cryptographically protect user data on the electronic device. Alternatively, a data key may be derived from the first root key, and user data on the electronic device is cryptographically protected based on that data key. The data key may be derived from the first root key through one or more derivation stages.
With reference to the first aspect, in a possible implementation, after the electronic device stores the registered lock screen identity information and the encrypted first secret value, the method further includes: the electronic device receives registered opening authentication information input by the user, where the registered opening authentication information is used to open a first application when the verification opening authentication information input by the user and the registered opening authentication information meet the preset condition; the electronic device generates a fourth secret value, where the fourth secret value is used to encrypt and protect a second root key, and the second root key is used to protect application data in the first application; the electronic device encrypts the fourth secret value based on the registered opening authentication information to obtain an encrypted fourth secret value; and the electronic device stores the registered opening authentication information and the encrypted fourth secret value.
The fourth secret value can be directly used for encrypting and protecting the second root key, and the fourth secret value and other factors can also participate in encrypting and protecting the second root key together. Other factors include, but are not limited to, one or more of registration initiation authentication information, hardware unique keys, device unique IDs, application identifications.
The second root key may be used directly to cryptographically protect application data within the first application. Alternatively, a data key may be derived from the second root key, and application data within the first application is cryptographically protected based on that data key. The data key may be derived from the second root key through one or more derivation stages.
In this way, the user can set the open authentication information for a plurality of applications on the electronic device and store the open authentication information and the fourth secret value in the secure chip.
Optionally, for the same application, under different user account numbers, the opening authentication information of the same application may also be different, or may be the same, which is not limited in the embodiment of the present application.
With reference to the first aspect, in one possible implementation manner, the second root key and the first root key are different.
Alternatively, the second root key and the first root key may be the same, which is not limited in the embodiment of the present application.
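As an added illustration of the register and verify flow described above (the first aspect, its desensitization variant, and the lock-screen and application-opening variants with their separate root keys), the following Python model is not Huawei's code and is not taken from the patent. It assumes a simulated security chip with one slot per purpose, an HMAC-SHA256 keystream-plus-tag construction as a stand-in for the chip's cipher, PBKDF2 to derive the wrapping key from the desensitized authentication information, and constructed placeholder values for the device unique ID, salt and PIN.

```python
"""Constructed model of the register / verify flow described above (not Huawei's code)."""
import hashlib
import hmac
import secrets

DEVICE_UNIQUE_ID = b"constructed-device-id-0001"   # placeholder for the device unique ID
PBKDF2_ROUNDS = 100_000


def desensitize(auth_info: bytes, salt: bytes) -> bytes:
    """OS-side desensitization: the chip receives a salted hash, never the raw PIN."""
    return hashlib.sha256(salt + auth_info).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in AEAD (HMAC-SHA256 keystream + tag) for the chip's cipher; not for production."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or modified blob raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def wrap_key_from(desensitized: bytes) -> bytes:
    """Key that encrypts the first secret value, derived from the desensitized auth info."""
    return hashlib.pbkdf2_hmac("sha256", desensitized, b"first-secret-wrap", PBKDF2_ROUNDS)


def compare_value(desensitized: bytes) -> bytes:
    """Value kept in the chip for the equality check at verification time."""
    return hashlib.sha256(b"auth-compare" + desensitized).digest()


class SecurityChip:
    """One slot per purpose (lock screen, app): stored auth info, sealed secret, sealed root key."""

    def __init__(self):
        self.slots = {}

    def register(self, slot: str, desensitized: bytes, second_secret: bytes) -> bytes:
        third_secret = secrets.token_bytes(32)          # generated inside the chip
        first_secret = hmac.new(third_secret, second_secret, hashlib.sha256).digest()
        root_key = secrets.token_bytes(32)
        kek = hmac.new(first_secret, DEVICE_UNIQUE_ID, hashlib.sha256).digest()  # secret + device ID
        self.slots[slot] = {
            "auth": compare_value(desensitized),
            "enc_first_secret": seal(wrap_key_from(desensitized), first_secret),
            "enc_root_key": seal(kek, root_key),
        }
        return root_key   # handed out once so user data can be encrypted under it

    def verify(self, slot: str, desensitized: bytes) -> bytes:
        s = self.slots[slot]
        if not hmac.compare_digest(s["auth"], compare_value(desensitized)):
            raise PermissionError("identity authentication failed")
        first_secret = unseal(wrap_key_from(desensitized), s["enc_first_secret"])
        kek = hmac.new(first_secret, DEVICE_UNIQUE_ID, hashlib.sha256).digest()
        return unseal(kek, s["enc_root_key"])


def derive_data_key(root_key: bytes, purpose: bytes) -> bytes:
    """One derivation stage from root key to data key."""
    return hmac.new(root_key, b"data-key:" + purpose, hashlib.sha256).digest()


def run_demo() -> dict:
    """Constructed end-to-end run: register a lock-screen PIN, protect data, verify and recover."""
    salt, pin, chip = b"constructed-os-salt", b"246810", SecurityChip()
    second_secret = secrets.token_bytes(32)             # generated by the OS, outside the chip
    root_key = chip.register("lock_screen", desensitize(pin, salt), second_secret)
    enc_data = seal(derive_data_key(root_key, b"photos"), b"user photo bytes")
    recovered_root = chip.verify("lock_screen", desensitize(pin, salt))
    plaintext = unseal(derive_data_key(recovered_root, b"photos"), enc_data)
    wrong = desensitize(b"000000", salt)
    try:
        chip.verify("lock_screen", wrong)
        wrong_pin_rejected = False
    except PermissionError:
        wrong_pin_rejected = True
    # Even if the comparison step were skipped, the sealed first secret does not open under wrong input.
    try:
        unseal(wrap_key_from(wrong), chip.slots["lock_screen"]["enc_first_secret"])
        first_secret_stays_sealed = False
    except ValueError:
        first_secret_stays_sealed = True
    return {"plaintext": plaintext, "wrong_pin_rejected": wrong_pin_rejected,
            "first_secret_stays_sealed": first_secret_stays_sealed}
```

A second slot (for example "app_one" with its own opening authentication information) registers a separate secret value and root key through the same `register` call, which is the fourth secret value / second root key variant described above.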
In a second aspect, the present application provides an electronic device, including one or more processors, one or more memories and a display screen. The one or more memories and the display screen are coupled to the one or more processors; the one or more memories store computer program code comprising computer instructions, which the one or more processors call to cause the electronic device to perform the data protection method provided in any of the possible implementations of the first aspect.
In a third aspect, the present application provides a computer readable storage medium for storing computer instructions that, when run on an electronic device, cause the electronic device to perform a data protection method provided in any one of the possible implementations of the first aspect.
In a fourth aspect, the present application provides a computer program product for, when run on an electronic device, causing the electronic device to perform a data protection method provided in any one of the possible implementations of the first aspect.
For the beneficial effects in the second aspect to the fourth aspect, reference may be made to the description of the beneficial effects in the first aspect, and embodiments of the present application are not described herein.
Drawings
Figs. 1-3 are schematic views of several forms of security chip according to embodiments of the present application;
Fig. 4 is a flowchart of a method for generating and storing a secret value according to an embodiment of the present application;
Fig. 5 is a flowchart of a method for verifying identity authentication information on an electronic device 100 according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of an electronic device 100 according to an embodiment of the present application;
Fig. 7 is a schematic software structure of an electronic device 100 according to an embodiment of the present application;
Figs. 8A-8F are a set of schematic diagrams of an electronic device 100 according to an embodiment of the present application receiving and responding to a user operation, and receiving the registered lock screen identity information of the electronic device 100 registered by the user;
Figs. 8G-8J are a set of schematic diagrams of an electronic device 100 according to an embodiment of the present application receiving lock screen identity information set by the user for different user accounts on the electronic device 100;
Figs. 9A-9E are a set of schematic diagrams of an electronic device 100 according to an embodiment of the present application receiving and responding to a user operation, and receiving the opening password of application one registered by the user;
Fig. 10 is a flowchart of another method for registering identity authentication information according to an embodiment of the present disclosure;
Fig. 11 is a flowchart of another method for registering identity authentication information according to an embodiment of the present disclosure;
Fig. 12 is a schematic flowchart of a method for comparing and verifying registered identity authentication information and registered identity authentication information according to an embodiment of the present application;
Figs. 13A-13F are diagrams of a UI provided in an embodiment of the present application;
Fig. 14 is a flowchart of another method for comparing and verifying registered identity authentication information and registered identity authentication information according to an embodiment of the present application;
Fig. 15 is a flowchart of a data protection method according to an embodiment of the present application;
Fig. 16 is a schematic diagram of a data storage device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application are described clearly and thoroughly below with reference to the accompanying drawings. In the description of the embodiments of the present application, "/" means "or" unless otherwise indicated; for example, A/B may represent A or B. The text "and/or" merely describes an association between the associated objects and indicates that three relations may exist; for example, "A and/or B" may indicate the three cases where A exists alone, A and B exist together, or B exists alone. In addition, in the description of the embodiments of the present application, "plural" means two or more.
The terms "first", "second" and the like are used below for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features referred to. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more such features, and in the description of the embodiments of the present application, unless otherwise indicated, "a plurality" means two or more.
The term "User Interface (UI)" in the following embodiments of the present application is a media interface for interaction and information exchange between an application program or an operating system and a user, which enables conversion between an internal form of information and an acceptable form of the user. A commonly used presentation form of the user interface is a graphical user interface (graphic user interface, GUI), which refers to a user interface related to computer operations that is displayed in a graphical manner. It may be a visual interface element of text, icons, buttons, menus, tabs, text boxes, dialog boxes, status bars, navigation bars, widgets, etc., displayed in a display of the electronic device.
Technical terms related to the embodiments of the present application will be explained first.
1. Identity authentication information and security chip
The identity authentication information may be lock screen identity information of the electronic device 100, and the lock screen identity information of the electronic device 100 may be a PIN code, a face image, a fingerprint, a voiceprint, or the like. When the electronic device is in the locked state, the identity information input by the user is compared with the lock screen identity information stored in the electronic device, and it is judged whether the two meet the preset condition. The preset condition may be that the lock screen identity information input by the user is completely consistent with the lock screen identity information stored in the electronic device, or that the lock screen identity information input by the user is completely consistent with the stored lock screen identity information after being transformed. After determining that the two meet the preset condition, the electronic device can execute the unlocking operation.
The identity authentication information may also be opening authentication information of an application on the electronic device 100, and the opening authentication information of the application may likewise be a PIN code, a face image, a fingerprint, a voiceprint, or the like. When the user opens the application, the opening authentication information input by the user is compared with the opening authentication information stored in the electronic device, and it is judged whether the two meet the preset condition. The preset condition may be that the opening authentication information input by the user is completely consistent with the opening authentication information stored in the electronic device, or that the opening authentication information input by the user is completely consistent with the stored opening authentication information after being transformed. After determining that the two meet the preset condition, the electronic device can execute the operation of opening the application.
In order to ensure the security of the identity authentication information stored in the electronic device, the identity authentication information is generally stored in a security chip in the electronic device, so as to prevent the identity authentication information stored in the electronic device from being revealed.
The security chip may take the following forms in the electronic device:
Form 1: as shown in Fig. 1, the security chip is a built-in secure core inside the main chip (the SoC) of the electronic device.
Form 2: as shown in Fig. 2, the security chip is a Secure Element (SE) located outside the SoC. An SE is an electronic component designed to resist physical attack; it contains its own microprocessor, storage and encryption/decryption hardware, and can operate independently.
Form 3: as shown in Fig. 3, the security chip is formed jointly by the SoC and an SE outside the SoC, so that high-security services are completed together and high security of the device is ensured.
The security chip is not limited to the above three forms and may take other forms; the embodiments of the present application do not limit this.
2. Secret value, root key and data key
After the user registers the lock screen identity information, the electronic device generates a secret value. The electronic device may generate the secret value based on the lock screen identity information, may generate it randomly, or may use a preset fixed value; in the last case the electronic device obtains the preset secret value after determining that the user has registered the lock screen identity information.
The secret value and the lock screen identity information may be used together to protect the root key.
Alternatively, the secret value may be used alone to protect the root key.
Alternatively, the lock screen identity information may be used alone to protect the root key.
Optionally, the secret value, the lock screen identity information and other derivation factors may be used together to protect the root key.
Alternatively, the secret value and other derivation factors may be used together to protect the root key.
Optionally, the lock screen identity information and other derivation factors may be used together to protect the root key.
The root key may also be protected in other ways, which the embodiments of the present application do not limit.
The electronic device uses the root key to derive a data key, and encrypts the user data on the electronic device based on the data key so that the user data cannot be leaked. User data may include, but is not limited to: pictures, text, video, files, audio, etc.
Optionally, for different types of user data, the electronic device may generate different data keys based on the root key and encrypt the different types of user data with the different data keys.
Optionally, the user data may be classified by application; the electronic device may generate different data keys based on the root key and encrypt the user data generated by different applications with the different data keys.
Optionally, the electronic device may not distinguish types of user data at all, and may encrypt all user data on the electronic device with the same data key.
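The root key to data key derivation described above, written out as an added example (this is not code from the patent). It uses HKDF (RFC 5869) with SHA-256 as the derivation function and a constructed, public per-device salt; the patent names neither a KDF nor a labelling scheme, so both are assumptions. The three policies (per type, per application, single key) correspond to the three options above, and the scope string placed in the HKDF info separates the derivation domains, so a type named "sms" and an application named "sms" never share a key.

```python
import hashlib
import hmac
import secrets


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF with SHA-256: extract a PRK from the input key, then expand it."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


# Constructed constant for this example. It is public: it only separates one device's
# derivation tree from another's and carries no secrecy (the root key does).
DERIVATION_SALT = b"cn117688566a-example-data-key-salt"


def derive_data_key(root_key: bytes, scope: str, name: str) -> bytes:
    """Derive one data key from the root key.

    `scope` is the classification the text describes ("type" for a kind of user data,
    "app" for an application, "device" for the single-key case) and `name` the item
    within that scope. Both go into the HKDF info, so the derivation domains stay apart.
    """
    info = f"data-key/{scope}/{name}".encode()
    return hkdf_sha256(root_key, DERIVATION_SALT, info, 32)


def key_schedule(root_key: bytes, policy: str, items) -> dict:
    """Build the set of data keys for one of the three policies in the text."""
    if policy == "per-type":
        return {t: derive_data_key(root_key, "type", t) for t in items}
    if policy == "per-app":
        return {a: derive_data_key(root_key, "app", a) for a in items}
    if policy == "single":
        return {"all": derive_data_key(root_key, "device", "all")}
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    root = secrets.token_bytes(32)  # stands in for the device root key
    apps = ["contacts", "sms", "gallery"]
    per_app = key_schedule(root, "per-app", apps)
    assert len(set(per_app.values())) == 3                      # one distinct key per application
    assert per_app == key_schedule(root, "per-app", apps)      # reproducible from the same root
    assert derive_data_key(root, "app", "sms") != derive_data_key(root, "type", "sms")
    assert derive_data_key(secrets.token_bytes(32), "app", "sms") != per_app["sms"]
    print({k: v.hex()[:16] + "..." for k, v in per_app.items()})
```

Because every data key is a deterministic function of the root key, losing or wrapping the root key is what decides whether any user data can be decrypted; the data keys themselves never need to be stored.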
The user data on the electronic device is encrypted based on the data key in order to prevent its leakage. For example, while the electronic device is powered off, the user data stored on it is in the encrypted state under the data key. After the electronic device is started for the first time, the user must enter the correct lock screen identity information; only when the electronic device confirms that the lock screen identity information entered by the user and the lock screen identity information stored in the security chip meet the preset condition does it perform the unlocking operation and decrypt the user data based on the data key, so that the user can view and use the user data normally. When the user enters wrong lock screen identity information, that is, when the entered information and the information stored in the security chip do not meet the preset condition, the electronic device remains in the screen locked state and the user data remains encrypted.
In this way, the risk of leakage of user data stored on the electronic device is avoided. For example, if the electronic device is lost, another person who does not know its lock screen identity information may remove the chip from the device and read the data from the chip with professional tools. If the user data is encrypted with the data key, what is read is only the encrypted user data, and the real user data cannot be obtained. If the user data is not encrypted with the data key, the data read from the chip is in the clear, and the user data is leaked.
As can be seen from the foregoing description, the data key is derived from the root key in order to protect the user data on the electronic device, so the emphasis is on protecting the root key.
In some embodiments, the secret value alone may participate in protecting the root key, or the secret value and the identity authentication information may act on the root key together. That is, protecting the root key requires the participation of the secret value.
Fig. 4 shows a flow diagram of a method of generating and storing the secret value.
S401, the operating system of the electronic device 100 receives the registration identity authentication information input by the user.
Registration identity authentication information includes, but is not limited to: a PIN code, face image information, fingerprint information, voiceprint information, etc. The following embodiments of the present application take a PIN code as the example of registration identity authentication information.
When a user sets the lock screen password of the electronic device or the launch password of an application, the operating system of the electronic device 100 receives the registration identity authentication information input by the user.
S402, after receiving the registration identity authentication information input by the user, the operating system of the electronic device 100 randomly generates a secret value.
The secret value is used to participate in protecting the root key. In this flow, the secret value is generated outside the security chip, by the operating system.
S403, the operating system of the electronic device 100 sends the registration identity authentication information and the secret value to the security chip.
S404, the security chip on the electronic device 100 stores the registration identity authentication information and the secret value.
Because the secret value is generated outside the security chip, after generating it the operating system of the electronic device 100 transmits the registration identity authentication information and the secret value into the security chip, so that both are stored in the security chip rather than in ordinary storage, which is meant to avoid leakage of the registration identity authentication information and the secret value.
S405, the security chip on the electronic device 100 sends a registration success notification to the operating system of the electronic device 100.
After the registration identity authentication information and the secret value have been stored in the security chip, the security chip sends a registration success notification to the operating system of the electronic device 100.
S406, the operating system of the electronic device 100 encrypts the root key based on the registration identity authentication information and the secret value.
In this way, the root key is protected based on the registration identity authentication information and the secret value.
As can be seen from the Fig. 4 embodiment, the secret value is generated by the operating system of the electronic device and only then stored in the security chip, so before it reaches the security chip it is exposed to tampering by an attacker. For example, if malicious code is present on the electronic device 100, it may tamper with the randomly generated secret value; the tampered secret value is then stored in the security chip, and the root key is encrypted based on the tampered secret value. In the scenario where the root key is encrypted based only on the secret value, the attacker already knows the tampered secret value and does not need to pass the later verification of the identity authentication information entered by the user: the attacker decrypts the root key with the tampered secret value, derives the data key from the root key, decrypts the user data with the data key, and obtains the real user data, so the user data is leaked.
Fig. 5 is a flowchart of a method for authenticating identity authentication information on an electronic device 100 according to an embodiment of the present application.
S501, the operating system of the electronic equipment 100 receives verification identity authentication information input by a user.
When the electronic device 100 needs to verify the identity of the user, the electronic device 100 may receive verification identity authentication information input by the user.
S502, the operating system of the electronic device 100 sends verification identity authentication information to the security chip.
S503, the security chip of the electronic device 100 confirms that the verification identity authentication information and the registration identity authentication information meet the preset condition.
If the security chip of the electronic device 100 confirms that the verification identity authentication information and the registration identity authentication information meet the preset condition, the verification passes.
The preset condition may be that the verification identity authentication information input by the user is completely consistent with the registration identity authentication information stored in the security chip, or that it is completely consistent with the stored registration identity authentication information after being transformed. The embodiments of the present application are not limited in this regard.
S504, after the verification is successful, the security chip on the electronic device 100 returns the secret value to the operating system on the electronic device 100.
After verification is successful, the secure chip on the electronic device 100 returns the secret value stored in the secure chip to the operating system.
S505, after obtaining the secret value, the operating system of the electronic device 100 decrypts the encrypted root key based on the verification identity authentication information and the secret value to obtain the root key, derives the data key from the root key, and decrypts the user data based on the data key.
As can be seen from the Fig. 5 embodiment, the logic that compares the identity authentication information is relatively simple. If the comparison logic is tampered with, in some embodiments the comparison succeeds regardless of the verification identity authentication information input by the user, so the secret value is released. In the scenario where the root key is encrypted based only on the secret value, the attacker can then decrypt the root key with the obtained secret value, derive the data key from the root key, decrypt the user data with the data key and obtain the real user data, so the user data is leaked.
Based on this, in order to further protect the security of user data on the electronic device, the present application provides a data protection method whose core lies in protecting the security of the secret value.
In one aspect, the embodiments of the present application move the step of generating the secret value into the security chip. Since the security chip is far more secure than the operating system, generating the secret value inside the security chip avoids the situation in which the secret value is tampered with before it is stored.
In another aspect, in the embodiments of the present application the storage of the secret value in the security chip depends on the participation of the identity authentication information. After the secret value is generated, the security chip encrypts it based on the registration identity authentication information and stores the encrypted secret value in the security chip. Thus, even if an attacker tampers with the comparison logic of the identity authentication information, an attacker who has not obtained the registration identity authentication information cannot decrypt the secret value encrypted under it, that is, cannot obtain the secret value, so leakage of the secret value is avoided.
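The following Python simulation, added here as an example and not taken from the patent, contrasts the Fig. 4/5 flow with the two measures just described. `BaselineChip` stores an operating-system-generated secret value in the clear and releases it whenever its comparison passes (S402 to S404, S503 to S504); `HardenedChip` generates the secret value itself and stores it only encrypted under a key derived from the registered PIN, so its release path needs the PIN actually entered, not just a "yes" from the comparison. The derivation function, the PBKDF2 stretching of the PIN, the toy `wrap()`/`unwrap()`, and wrapping the root key under the secret value alone (the scenario the text singles out) are all assumptions chosen for the demonstration; the patent specifies none of them. `run_scenario` registers a PIN, unlocks legitimately, then replaces the chip's comparison logic with one that always succeeds and tries an attacker's PIN.

```python
import hashlib
import hmac
import secrets


def kdf(key: bytes, label: bytes, length: int = 32) -> bytes:
    """Single-step HMAC-SHA256 derivation (assumed primitive; the patent names none)."""
    return hmac.new(key, label, hashlib.sha256).digest()[:length]


def wrap(kek: bytes, value: bytes) -> bytes:
    """Toy authenticated wrap for one fresh 32-byte value: keyed-hash keystream XOR plus 16-byte tag.
    Each KEK wraps exactly one value here; production code would use AES-GCM or AES key wrap."""
    stream = kdf(kek, b"wrap-stream", len(value))
    ct = bytes(a ^ b for a, b in zip(value, stream))
    return ct + kdf(kek, b"wrap-tag|" + ct, 16)


def unwrap(kek: bytes, blob: bytes):
    """Inverse of wrap(); returns None when the tag fails (wrong KEK or tampered blob)."""
    ct, tag = blob[:-16], blob[-16:]
    if not hmac.compare_digest(tag, kdf(kek, b"wrap-tag|" + ct, 16)):
        return None
    stream = kdf(kek, b"wrap-stream", len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


class BaselineChip:
    """Fig. 4/5 flow: the OS generates the secret value, the chip stores it in the clear
    next to the registered PIN and releases it whenever compare() says yes."""
    def enroll(self, pin: str, secret: bytes) -> None:
        self.registered_pin, self.secret = pin, secret
    def compare(self, pin: str) -> bool:
        return hmac.compare_digest(pin.encode(), self.registered_pin.encode())
    def verify(self, pin: str):
        return self.secret if self.compare(pin) else None


class HardenedChip:
    """Proposed flow: the secret value is generated inside the chip and stored only encrypted
    under a key derived from the registered PIN. compare() is still consulted, but releasing
    the secret needs the entered PIN to unwrap it, so a tampered compare() alone is useless."""
    def __init__(self):
        self.salt = secrets.token_bytes(16)
    def _pin_keys(self, pin: str):
        stretched = hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 20_000)
        return kdf(stretched, b"compare"), kdf(stretched, b"kek")  # separate verifier and KEK
    def enroll(self, pin: str, _os_secret: bytes = b"") -> None:
        self.verifier, kek = self._pin_keys(pin)   # only a transformed form of the PIN is kept
        secret = secrets.token_bytes(32)           # generated inside the chip; OS value ignored
        self.wrapped_secret = wrap(kek, secret)    # stored encrypted under the registered PIN
    def compare(self, pin: str) -> bool:
        return hmac.compare_digest(self._pin_keys(pin)[0], self.verifier)
    def verify(self, pin: str):
        if not self.compare(pin):
            return None
        return unwrap(self._pin_keys(pin)[1], self.wrapped_secret)  # None for a wrong PIN


class OperatingSystem:
    """Rich-OS side. The root key is wrapped under the secret value alone (assumed scenario)."""
    def __init__(self, chip):
        self.chip = chip
        self.root_key = secrets.token_bytes(32)    # stands in for the device root key
    def register(self, pin: str) -> None:
        self.chip.enroll(pin, secrets.token_bytes(32))   # S402/S403; HardenedChip ignores the value
        secret = self.chip.verify(pin)
        self.wrapped_root = wrap(kdf(secret, b"root-kek"), self.root_key)   # S406, secret only
    def unlock(self, pin: str):
        secret = self.chip.verify(pin)                   # S501 to S504
        return None if secret is None else unwrap(kdf(secret, b"root-kek"), self.wrapped_root)


def run_scenario(chip, user_pin: str = "2468", attacker_pin: str = "0000"):
    """Returns (legitimate unlock recovers root key, attacker with tampered compare() does)."""
    os_ = OperatingSystem(chip)
    os_.register(user_pin)
    legit_ok = os_.unlock(user_pin) == os_.root_key
    chip.compare = lambda pin: True                      # the tampered comparison logic
    attack_ok = os_.unlock(attacker_pin) == os_.root_key
    return legit_ok, attack_ok


if __name__ == "__main__":
    print("baseline (legit, attacker):", run_scenario(BaselineChip()))   # (True, True)
    print("hardened (legit, attacker):", run_scenario(HardenedChip()))   # (True, False)
```

The hardened chip still performs the comparison, so a wrong PIN is rejected early and can be rate-limited; the point of the design is that the comparison is no longer the only thing standing between the attacker and the secret value.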
The present application may be applied to device-level user data protection. For example, when the electronic device receives the lock screen authentication information registered by the user, the operating system of the electronic device 100 transmits the registration lock screen authentication information to the security chip, and the security chip then randomly generates a lock screen secret value. Before storing the lock screen secret value, the security chip encrypts it based on the registration lock screen authentication information to obtain an encrypted lock screen secret value, and stores the encrypted lock screen secret value in the security chip.
The present application may also be applied to application-level user data protection. For example, when the electronic device receives the launch authentication information that the user registers for a first application, the operating system of the electronic device 100 transmits the registration launch authentication information to the security chip, and the security chip then randomly generates a launch secret value. Before storing the launch secret value, the security chip encrypts it based on the registration launch authentication information to obtain an encrypted launch secret value, and stores the encrypted launch secret value in the security chip.
Optionally, the user may set different launch authentication information for different applications on the electronic device; for example, a launch password may be set for applications with a higher degree of privacy, such as the address book or SMS. Of course, the launch authentication information of different applications may also be the same, which is not limited in the embodiments of the present application.
Fig. 6 shows a schematic structural diagram of the electronic device 100.
The electronic device 100 may be a mobile phone, a tablet, a desktop computer, a laptop, a handheld computer, a notebook computer, an ultra-mobile personal computer (UMPC), a netbook, a cellular telephone, a personal digital assistant (PDA), an augmented reality (AR) device, a virtual reality (VR) device, an artificial intelligence (AI) device, a wearable device, a vehicle-mounted device, a smart home device and/or a smart city device; the embodiments of the present application do not particularly limit the specific type of the electronic device.
The electronic device 100 may include a processor 110, an external memory interface 120, an internal memory 121, a universal serial bus (universal serial bus, USB) interface 130, a charge management module 140, a power management module 141, a battery 142, an antenna 1, an antenna 2, a mobile communication module 150, a wireless communication module 160, an audio module 170, a speaker 170A, a receiver 170B, a microphone 170C, an earphone interface 170D, a sensor module 180, keys 190, a motor 191, an indicator 192, a camera 193, a display 194, and a subscriber identity module (subscriber identification module, SIM) card interface 195, etc. The sensor module 180 may include a pressure sensor 180A, a gyro sensor 180B, an air pressure sensor 180C, a magnetic sensor 180D, an acceleration sensor 180E, a distance sensor 180F, a proximity sensor 180G, a fingerprint sensor 180H, a temperature sensor 180J, a touch sensor 180K, an ambient light sensor 180L, a bone conduction sensor 180M, and the like.
It should be understood that the illustrated structure of the embodiment of the present invention does not constitute a specific limitation on the electronic device 100. In other embodiments of the present application, electronic device 100 may include more or fewer components than shown, or certain components may be combined, or certain components may be split, or different arrangements of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
Optionally, in some embodiments, one or more security chips may also be included on the electronic device 100.
The one or more security chips are used for storing identity authentication information and secret values encrypted based on the identity authentication information. If the electronic device 100 has multiple security chips, the identity authentication information and the secret value encrypted based on the identity authentication information may be stored on different security chips, and the identity authentication information and the secret value encrypted based on the identity authentication information may also be stored on the same security chip, which is not limited in the embodiment of the present application.
The processor 110 may include one or more processing units, such as: the processor 110 may include an application processor (application processor, AP), a modem processor, a graphics processor (graphics processing unit, GPU), an image signal processor (image signal processor, ISP), a controller, a video codec, a digital signal processor (digital signal processor, DSP), a baseband processor, and/or a neural network processor (neural-network processing unit, NPU), etc. Wherein the different processing units may be separate devices or may be integrated in one or more processors.
The controller can generate operation control signals according to the instruction operation codes and the time sequence signals to finish the control of instruction fetching and instruction execution.
A memory may also be provided in the processor 110 for storing instructions and data. In some embodiments, the memory in the processor 110 is a cache memory. The memory may hold instructions or data that the processor 110 has just used or recycled. If the processor 110 needs to reuse the instruction or data, it can be called directly from the memory. Repeated accesses are avoided and the latency of the processor 110 is reduced, thereby improving the efficiency of the system.
In some embodiments, the processor 110 may include one or more interfaces. The interfaces may include an integrated circuit (inter-integrated circuit, I2C) interface, an integrated circuit built-in audio (inter-integrated circuit sound, I2S) interface, a pulse code modulation (pulse code modulation, PCM) interface, a universal asynchronous receiver transmitter (universal asynchronous receiver/transmitter, UART) interface, a mobile industry processor interface (mobile industry processor interface, MIPI), a general-purpose input/output (GPIO) interface, a subscriber identity module (subscriber identity module, SIM) interface, and/or a universal serial bus (universal serial bus, USB) interface, among others.
The I2C interface is a bidirectional synchronous serial bus comprising a serial data line (SDA) and a serial clock line (SCL). In some embodiments, the processor 110 may contain multiple sets of I2C buses. The processor 110 may be coupled to the touch sensor 180K, a charger, a flash, the camera 193, etc., through different I2C bus interfaces. For example, the processor 110 may be coupled to the touch sensor 180K through an I2C interface, so that the processor 110 communicates with the touch sensor 180K via the I2C bus interface to implement the touch function of the electronic device 100.
The I2S interface may be used for audio communication. In some embodiments, the processor 110 may contain multiple sets of I2S buses. The processor 110 may be coupled to the audio module 170 via an I2S bus to enable communication between the processor 110 and the audio module 170. In some embodiments, the audio module 170 may transmit an audio signal to the wireless communication module 160 through the I2S interface, to implement a function of answering a call through the bluetooth headset.
PCM interfaces may also be used for audio communication to sample, quantize and encode analog signals. In some embodiments, the audio module 170 and the wireless communication module 160 may be coupled through a PCM bus interface. In some embodiments, the audio module 170 may also transmit audio signals to the wireless communication module 160 through the PCM interface to implement a function of answering a call through the bluetooth headset. Both the I2S interface and the PCM interface may be used for audio communication.
The UART interface is a universal serial data bus for asynchronous communications. The bus may be a bi-directional communication bus. It converts the data to be transmitted between serial communication and parallel communication. In some embodiments, a UART interface is typically used to connect the processor 110 with the wireless communication module 160. For example: the processor 110 communicates with a bluetooth module in the wireless communication module 160 through a UART interface to implement a bluetooth function. In some embodiments, the audio module 170 may transmit an audio signal to the wireless communication module 160 through a UART interface, to implement a function of playing music through a bluetooth headset.
The MIPI interface may be used to connect the processor 110 to peripheral devices such as a display 194, a camera 193, and the like. The MIPI interfaces include camera serial interfaces (camera serial interface, CSI), display serial interfaces (display serial interface, DSI), and the like. In some embodiments, processor 110 and camera 193 communicate through a CSI interface to implement the photographing functions of electronic device 100. The processor 110 and the display 194 communicate via a DSI interface to implement the display functionality of the electronic device 100.
The GPIO interface may be configured by software. The GPIO interface may be configured as a control signal or as a data signal. In some embodiments, a GPIO interface may be used to connect the processor 110 with the camera 193, the display 194, the wireless communication module 160, the audio module 170, the sensor module 180, and the like. The GPIO interface may also be configured as an I2C interface, an I2S interface, a UART interface, an MIPI interface, etc.
The USB interface 130 is an interface conforming to the USB standard specification, and may specifically be a Mini USB interface, a Micro USB interface, a USB Type C interface, or the like. The USB interface 130 may be used to connect a charger to charge the electronic device 100, and may also be used to transfer data between the electronic device 100 and a peripheral device. And can also be used for connecting with a headset, and playing audio through the headset. The interface may also be used to connect other electronic devices, such as AR devices, etc.
It should be understood that the interfacing relationship between the modules illustrated in the embodiments of the present invention is only illustrative, and is not meant to limit the structure of the electronic device 100. In other embodiments of the present application, the electronic device 100 may also use different interfacing manners, or a combination of multiple interfacing manners in the foregoing embodiments.
The charge management module 140 is configured to receive a charge input from a charger. The charger can be a wireless charger or a wired charger. In some wired charging embodiments, the charge management module 140 may receive a charging input of a wired charger through the USB interface 130. In some wireless charging embodiments, the charge management module 140 may receive wireless charging input through a wireless charging coil of the electronic device 100. The charging management module 140 may also supply power to the electronic device through the power management module 141 while charging the battery 142.
The power management module 141 is used for connecting the battery 142, and the charge management module 140 and the processor 110. The power management module 141 receives input from the battery 142 and/or the charge management module 140 to power the processor 110, the internal memory 121, the display 194, the camera 193, the wireless communication module 160, and the like. The power management module 141 may also be configured to monitor battery capacity, battery cycle number, battery health (leakage, impedance) and other parameters. In other embodiments, the power management module 141 may also be provided in the processor 110. In other embodiments, the power management module 141 and the charge management module 140 may be disposed in the same device.
The wireless communication function of the electronic device 100 may be implemented by the antenna 1, the antenna 2, the mobile communication module 150, the wireless communication module 160, a modem processor, a baseband processor, and the like.
The antennas 1 and 2 are used for transmitting and receiving electromagnetic wave signals. Each antenna in the electronic device 100 may be used to cover a single or multiple communication bands. Different antennas may also be multiplexed to improve the utilization of the antennas. For example: the antenna 1 may be multiplexed into a diversity antenna of a wireless local area network. In other embodiments, the antenna may be used in conjunction with a tuning switch.
The mobile communication module 150 may provide a solution for wireless communication including 2G/3G/4G/5G, etc., applied to the electronic device 100. The mobile communication module 150 may include at least one filter, switch, power amplifier, low noise amplifier (low noise amplifier, LNA), etc. The mobile communication module 150 may receive electromagnetic waves from the antenna 1, perform processes such as filtering, amplifying, and the like on the received electromagnetic waves, and transmit the processed electromagnetic waves to the modem processor for demodulation. The mobile communication module 150 can amplify the signal modulated by the modem processor, and convert the signal into electromagnetic waves through the antenna 1 to radiate. In some embodiments, at least some of the functional modules of the mobile communication module 150 may be disposed in the processor 110. In some embodiments, at least some of the functional modules of the mobile communication module 150 may be provided in the same device as at least some of the modules of the processor 110.
The modem processor may include a modulator and a demodulator. The modulator is used for modulating the low-frequency baseband signal to be transmitted into a medium-high frequency signal. The demodulator is used for demodulating the received electromagnetic wave signal into a low-frequency baseband signal. The demodulator then transmits the demodulated low frequency baseband signal to the baseband processor for processing. The low frequency baseband signal is processed by the baseband processor and then transferred to the application processor. The application processor outputs sound signals through an audio device (not limited to the speaker 170A, the receiver 170B, etc.), or displays images or video through the display screen 194. In some embodiments, the modem processor may be a stand-alone device. In other embodiments, the modem processor may be provided in the same device as the mobile communication module 150 or other functional module, independent of the processor 110.
The wireless communication module 160 may provide solutions for wireless communication applied to the electronic device 100, including wireless local area network (WLAN) (e.g., a wireless fidelity (Wi-Fi) network), Bluetooth (BT), global navigation satellite system (GNSS), frequency modulation (FM), near field communication (NFC), infrared (IR), etc. The wireless communication module 160 may be one or more devices integrating at least one communication processing module. It receives electromagnetic waves via the antenna 2, frequency-modulates and filters the electromagnetic wave signals, and sends the processed signals to the processor 110. It may also receive a signal to be transmitted from the processor 110, frequency-modulate and amplify it, and convert it into electromagnetic waves radiated via the antenna 2.
In some embodiments, antenna 1 and mobile communication module 150 of electronic device 100 are coupled, and antenna 2 and wireless communication module 160 are coupled, such that electronic device 100 may communicate with a network and other devices through wireless communication techniques. The wireless communication techniques may include the Global System for Mobile communications (global system for mobile communications, GSM), general packet radio service (general packet radio service, GPRS), code division multiple access (code division multiple access, CDMA), wideband code division multiple access (wideband code division multiple access, WCDMA), time division code division multiple access (time-division code division multiple access, TD-SCDMA), long term evolution (long term evolution, LTE), BT, GNSS, WLAN, NFC, FM, and/or IR techniques, among others. The GNSS may include a global satellite positioning system (global positioning system, GPS), a global navigation satellite system (global navigation satellite system, GLONASS), a beidou satellite navigation system (beidou navigation satellite system, BDS), a quasi zenith satellite system (quasi-zenith satellite system, QZSS) and/or a satellite based augmentation system (satellite based augmentation systems, SBAS).
The electronic device 100 implements display functions through a GPU, a display screen 194, an application processor, and the like. The GPU is a microprocessor for image processing, and is connected to the display 194 and the application processor. The GPU is used to perform mathematical and geometric calculations for graphics rendering. Processor 110 may include one or more GPUs that execute program instructions to generate or change display information.
The display screen 194 is used to display images, videos, and the like. The display 194 includes a display panel. The display panel may employ a liquid crystal display (LCD), an organic light-emitting diode (OLED), an active-matrix organic light-emitting diode (AMOLED), a flexible light-emitting diode (FLED), a Mini LED, a Micro LED, a Micro-OLED, a quantum dot light-emitting diode (QLED), or the like. In some embodiments, the electronic device 100 may include 1 or N display screens 194, N being a positive integer greater than 1.
The electronic device 100 may implement photographing functions through an ISP, a camera 193, a video codec, a GPU, a display screen 194, an application processor, and the like.
The ISP is used to process data fed back by the camera 193. For example, when photographing, the shutter is opened, light is transmitted to the photosensitive element of the camera through the lens, the optical signal is converted into an electrical signal, and the photosensitive element transmits the electrical signal to the ISP, where it is processed and converted into an image visible to the naked eye. The ISP can also optimize the noise, brightness, and skin tone of the image. The ISP can also optimize parameters such as exposure and color temperature of the shooting scene. In some embodiments, the ISP may be provided in the camera 193.
The camera 193 is used to capture still images or video. The object generates an optical image through the lens and projects the optical image onto the photosensitive element. The photosensitive element may be a charge coupled device (charge coupled device, CCD) or a Complementary Metal Oxide Semiconductor (CMOS) phototransistor. The photosensitive element converts the optical signal into an electrical signal, which is then transferred to the ISP to be converted into a digital image signal. The ISP outputs the digital image signal to the DSP for processing. The DSP converts the digital image signal into an image signal in a standard RGB, YUV, or the like format. In some embodiments, electronic device 100 may include 1 or N cameras 193, N being a positive integer greater than 1.
The digital signal processor is used for processing digital signals, and can process other digital signals besides digital image signals. For example, when the electronic device 100 selects a frequency bin, the digital signal processor is used to perform a Fourier transform on the frequency bin energy, or the like.
Video codecs are used to compress or decompress digital video. The electronic device 100 may support one or more video codecs. In this way, the electronic device 100 may play or record video in a variety of encoding formats, such as: moving picture experts group (moving picture experts group, MPEG) 1, MPEG2, MPEG3, MPEG4, etc.
The NPU is a neural-network (NN) computing processor, and can rapidly process input information by referencing a biological neural network structure, for example, referencing a transmission mode between human brain neurons, and can also continuously perform self-learning. Applications such as intelligent awareness of the electronic device 100 may be implemented through the NPU, for example: image recognition, face recognition, speech recognition, text understanding, etc.
The internal memory 121 may include one or more random access memories (random access memory, RAM) and one or more non-volatile memories (non-volatile memory, NVM). The random access memory may include a static random-access memory (static random-access memory, SRAM), a dynamic random-access memory (dynamic random access memory, DRAM), a synchronous dynamic random-access memory (synchronous dynamic random access memory, SDRAM), a double data rate synchronous dynamic random-access memory (double data rate synchronous dynamic random access memory, DDR SDRAM; for example, fifth generation DDR SDRAM is commonly referred to as DDR5 SDRAM), etc. The nonvolatile memory may include a disk storage device and a flash memory (flash memory). The flash memory may be divided according to its operating principle into NOR FLASH, NAND FLASH, 3D NAND FLASH, etc.; divided according to the level of its storage cells into single-level cell (single-level cell, SLC), multi-level cell (multi-level cell, MLC), triple-level cell (triple-level cell, TLC), quad-level cell (quad-level cell, QLC), etc.; and divided according to storage specification into universal flash storage (universal flash storage, UFS), embedded multimedia card (embedded multi media card, eMMC), etc. The random access memory may be read and written directly by the processor 110, may be used to store executable programs (e.g., machine instructions) of an operating system or other running programs, and may also be used to store data of users and applications, and the like. The nonvolatile memory may store executable programs, data of users and applications, and the like, and these may be loaded into the random access memory in advance for the processor 110 to read and write directly.
The external memory interface 120 may be used to connect external non-volatile memory to enable expansion of the memory capabilities of the electronic device 100. The external nonvolatile memory communicates with the processor 110 through the external memory interface 120 to implement a data storage function. For example, files such as music and video are stored in an external nonvolatile memory.
The electronic device 100 may implement audio functions through an audio module 170, a speaker 170A, a receiver 170B, a microphone 170C, an earphone interface 170D, an application processor, and the like. Such as music playing, recording, etc.
The audio module 170 is used to convert digital audio information into an analog audio signal output and also to convert an analog audio input into a digital audio signal. The audio module 170 may also be used to encode and decode audio signals. In some embodiments, the audio module 170 may be disposed in the processor 110, or a portion of the functional modules of the audio module 170 may be disposed in the processor 110.
The speaker 170A, also referred to as a "loudspeaker," is used to convert audio electrical signals into sound signals. The electronic device 100 may play music, or conduct hands-free calls, through the speaker 170A.
The receiver 170B, also referred to as an "earpiece", is used to convert an audio electrical signal into a sound signal. When the electronic device 100 is answering a telephone call or playing a voice message, the voice may be heard by placing the receiver 170B close to the human ear.
The microphone 170C, also referred to as a "mic" or "mike", is used to convert sound signals into electrical signals. When making a call or sending voice information, the user can speak with the mouth close to the microphone 170C, inputting a sound signal to the microphone 170C. The electronic device 100 may be provided with at least one microphone 170C. In other embodiments, the electronic device 100 may be provided with two microphones 170C, and may implement a noise reduction function in addition to collecting sound signals. In other embodiments, the electronic device 100 may also be provided with three, four, or more microphones 170C to implement sound signal collection, noise reduction, identification of sound sources, directional recording functions, etc.
The earphone interface 170D is used to connect a wired earphone. The earphone interface 170D may be the USB interface 130, a 3.5mm open mobile terminal platform (open mobile terminal platform, OMTP) standard interface, or a Cellular Telecommunications Industry Association of the USA (cellular telecommunications industry association of the USA, CTIA) standard interface.
The pressure sensor 180A is used to sense a pressure signal, and may convert the pressure signal into an electrical signal. In some embodiments, the pressure sensor 180A may be disposed on the display screen 194. There are many types of pressure sensor 180A, such as a resistive pressure sensor, an inductive pressure sensor, a capacitive pressure sensor, and the like. The capacitive pressure sensor may comprise at least two parallel plates with conductive material. The capacitance between the electrodes changes when a force is applied to the pressure sensor 180A. The electronic device 100 determines the strength of the pressure from the change in capacitance. When a touch operation is applied to the display screen 194, the electronic device 100 detects the intensity of the touch operation according to the pressure sensor 180A. The electronic device 100 may also calculate the location of the touch based on the detection signal of the pressure sensor 180A. In some embodiments, touch operations that act on the same touch location but with different touch operation intensities may correspond to different operation instructions. For example, when a touch operation whose intensity is less than a first pressure threshold acts on the short message application icon, an instruction to view the short message is executed; when a touch operation whose intensity is greater than or equal to the first pressure threshold acts on the short message application icon, an instruction to create a new short message is executed.
The gyro sensor 180B may be used to determine a motion gesture of the electronic device 100. In some embodiments, the angular velocity of electronic device 100 about three axes (i.e., x, y, and z axes) may be determined by gyro sensor 180B. The gyro sensor 180B may be used for photographing anti-shake. For example, when the shutter is pressed, the gyro sensor 180B detects the shake angle of the electronic device 100, calculates the distance to be compensated by the lens module according to the angle, and makes the lens counteract the shake of the electronic device 100 through the reverse motion, so as to realize anti-shake. The gyro sensor 180B may also be used for navigating, somatosensory game scenes.
The air pressure sensor 180C is used to measure air pressure. In some embodiments, electronic device 100 calculates altitude from barometric pressure values measured by barometric pressure sensor 180C, aiding in positioning and navigation.
The magnetic sensor 180D includes a Hall sensor. The electronic device 100 may detect the opening and closing of a flip cover using the magnetic sensor 180D. In some embodiments, when the electronic device 100 is a flip phone, the electronic device 100 may detect the opening and closing of the flip according to the magnetic sensor 180D. Features such as automatic unlocking on flip-open can then be set according to the detected opening and closing state of the leather case or of the flip.
The acceleration sensor 180E may detect the magnitude of acceleration of the electronic device 100 in various directions (typically three axes). The magnitude and direction of gravity may be detected when the electronic device 100 is stationary. The acceleration sensor 180E may also be used to recognize the posture of the electronic device, and is applied to landscape/portrait switching, pedometers, and other applications.
A distance sensor 180F for measuring a distance. The electronic device 100 may measure the distance by infrared or laser. In some embodiments, the electronic device 100 may range using the distance sensor 180F to achieve quick focus.
The proximity light sensor 180G may include, for example, a Light Emitting Diode (LED) and a light detector, such as a photodiode. The light emitting diode may be an infrared light emitting diode. The electronic device 100 emits infrared light outward through the light emitting diode. The electronic device 100 detects infrared reflected light from nearby objects using a photodiode. When sufficient reflected light is detected, it may be determined that there is an object in the vicinity of the electronic device 100. When insufficient reflected light is detected, the electronic device 100 may determine that there is no object in the vicinity of the electronic device 100. The electronic device 100 can detect that the user holds the electronic device 100 close to the ear by using the proximity light sensor 180G, so as to automatically extinguish the screen for the purpose of saving power. The proximity light sensor 180G may also be used in holster mode, pocket mode to automatically unlock and lock the screen.
The ambient light sensor 180L is used to sense ambient light level. The electronic device 100 may adaptively adjust the brightness of the display 194 based on the perceived ambient light level. The ambient light sensor 180L may also be used to automatically adjust white balance when taking a photograph. Ambient light sensor 180L may also cooperate with proximity light sensor 180G to detect whether electronic device 100 is in a pocket to prevent false touches.
The fingerprint sensor 180H is used to collect a fingerprint. The electronic device 100 may use the collected fingerprint features to implement fingerprint unlocking, access an application lock, take a photograph with the fingerprint, answer an incoming call with the fingerprint, etc.
The temperature sensor 180J is for detecting temperature. In some embodiments, the electronic device 100 performs a temperature processing strategy using the temperature detected by the temperature sensor 180J. For example, when the temperature reported by temperature sensor 180J exceeds a threshold, electronic device 100 performs a reduction in the performance of a processor located in the vicinity of temperature sensor 180J in order to reduce power consumption to implement thermal protection. In other embodiments, when the temperature is below another threshold, the electronic device 100 heats the battery 142 to avoid the low temperature causing the electronic device 100 to be abnormally shut down. In other embodiments, when the temperature is below a further threshold, the electronic device 100 performs boosting of the output voltage of the battery 142 to avoid abnormal shutdown caused by low temperatures.
The touch sensor 180K, also referred to as a "touch device". The touch sensor 180K may be disposed on the display screen 194, and the touch sensor 180K and the display screen 194 form a touch screen, which is also called a "touch screen". The touch sensor 180K is for detecting a touch operation acting thereon or thereabout. The touch sensor may communicate the detected touch operation to the application processor to determine the touch event type. Visual output related to touch operations may be provided through the display 194. In other embodiments, the touch sensor 180K may also be disposed on the surface of the electronic device 100 at a different location than the display 194.
The bone conduction sensor 180M may acquire a vibration signal. In some embodiments, the bone conduction sensor 180M may acquire the vibration signal of the vibrating bone of the vocal part of a human body. The bone conduction sensor 180M may also contact the pulse of the human body to receive the blood pressure beat signal. In some embodiments, the bone conduction sensor 180M may also be provided in a headset, combined into a bone conduction headset. The audio module 170 may parse out a voice signal based on the vibration signal of the vibrating bone of the vocal part obtained by the bone conduction sensor 180M, so as to implement a voice function. The application processor may parse out heart rate information based on the blood pressure beat signal acquired by the bone conduction sensor 180M, so as to implement a heart rate detection function.
The keys 190 include a power-on key, a volume key, etc. The keys 190 may be mechanical keys. Or may be a touch key. The electronic device 100 may receive key inputs, generating key signal inputs related to user settings and function controls of the electronic device 100.
The motor 191 may generate a vibration cue. The motor 191 may be used for incoming call vibration alerting as well as for touch vibration feedback. For example, touch operations acting on different applications (e.g., photographing, audio playing, etc.) may correspond to different vibration feedback effects. The motor 191 may also correspond to different vibration feedback effects by touching different areas of the display screen 194. Different application scenarios (such as time reminding, receiving information, alarm clock, game, etc.) can also correspond to different vibration feedback effects. The touch vibration feedback effect may also support customization.
The indicator 192 may be an indicator light, may be used to indicate a state of charge, a change in charge, a message indicating a missed call, a notification, etc.
The SIM card interface 195 is used to connect a SIM card. The SIM card may be inserted into the SIM card interface 195, or removed from the SIM card interface 195, to achieve contact with and separation from the electronic device 100. The electronic device 100 may support 1 or N SIM card interfaces, N being a positive integer greater than 1. The SIM card interface 195 may support Nano SIM cards, Micro SIM cards, and the like. Multiple cards may be inserted into the same SIM card interface 195 simultaneously. The types of the multiple cards may be the same or different. The SIM card interface 195 may also be compatible with different types of SIM cards. The SIM card interface 195 may also be compatible with external memory cards. The electronic device 100 interacts with the network through the SIM card to implement functions such as calls and data communication. In some embodiments, the electronic device 100 employs an eSIM, i.e., an embedded SIM card. The eSIM card can be embedded in the electronic device 100 and cannot be separated from the electronic device 100.
Fig. 7 shows a software configuration diagram of the electronic device 100.
The software system of the electronic device 100 may employ a layered architecture, an event-driven architecture, a microkernel architecture, a microservice architecture, or a cloud architecture. In the embodiment of the present application, the software structure of the electronic device 100 is illustrated by taking an Android system with a layered architecture as an example. The system of the electronic device 100 may also be an iOS system, a HarmonyOS (Hongmeng) system, etc., which is not limited in this embodiment of the present application. Different types of electronic device 100 may run different systems; in this embodiment of the present application, the system of the electronic device 100 is illustrated as an Android system.
The layered architecture divides the software into several layers, each with a clear role and division of labor. The layers communicate with each other through software interfaces. In some embodiments, the Android system is divided into four layers, from top to bottom: an application layer, an application framework layer, the Android runtime (Android runtime) and system libraries, and a kernel layer. The embodiment of the present application does not limit the layering of the software structure of the electronic device. Referring to fig. 7, the Android runtime and system libraries, together with the kernel layer, may be considered one layer, referred to as the system layer in embodiments of the present application. It should be understood that fig. 7 further adds a hardware layer of the electronic device below the Android system.
It should be understood that the modules included in the respective layers shown in fig. 7 are modules referred to in the embodiments of the present application, and the modules included in the respective layers below do not constitute limitations on the structure of the electronic device and the hierarchy (illustration) of the module arrangement. For example, the authentication information registration module may be deployed at an application layer or an application framework layer. In one embodiment, the modules shown in FIG. 7 may be deployed alone, or several modules may be deployed together, with the division of modules in FIG. 7 being an example. In one embodiment, the names of the modules shown in FIG. 7 are exemplary.
The application layer may include a series of application packages.
As shown in fig. 7, the application package may include applications for cameras, gallery, calendar, phone calls, maps, navigation, WLAN, bluetooth, short messages, etc.
The application framework layer provides an application programming interface (application programming interface, API) and programming framework for application programs of the application layer. The application framework layer includes a number of predefined functions.
As shown in fig. 7, the application framework layer may include a window manager, a content provider, a phone manager, a resource manager, an authentication information registration module, an authentication information verification module, and the like.
The window manager is used for managing window programs. The window manager can acquire the size of the display screen, judge whether a status bar exists, lock the screen, take screenshots, and the like.
The content provider is used to store and retrieve data and make such data accessible to applications. The data may include video, images, audio, calls made and received, browsing history and bookmarks, phonebooks, etc.
The telephony manager is used to provide the communication functions of the electronic device 100. Such as the management of call status (including on, hung-up, etc.).
The resource manager provides various resources for the application program, such as localization strings, icons, pictures, layout files, video files, and the like.
The identity authentication information registration module is used for providing an interface for a user to set identity authentication information. In some embodiments, the identity authentication information registration module may also provide an interface for the user to set identity authentication information for different user accounts. In some embodiments, the identity authentication information registration module may also provide an interface for the user to set identity authentication information for different applications on the electronic device.
The identity authentication information verification module is used for comparing the verification identity authentication information input by the user with the registered identity authentication information stored in the electronic device, to determine whether the two are consistent. If they are consistent, an unlocking operation is executed or the application is started. If they are inconsistent, and the number of erroneous verification identity authentication information entries by the user reaches a threshold value, the identity authentication information self-destruction module is triggered to clear the identity authentication information stored in the electronic device. The electronic device then cannot be unlocked, or the application cannot be started, so that leakage of user data or application data is avoided. Note that the threshold applies to consecutive failures: a successful verification resets the count, and the comparison should not leak timing information about how many characters matched.
Because the Android runtime and system libraries, together with the kernel layer, are considered one layer in the embodiments of the present application, the functional modules of the Android runtime, the system libraries, and the kernel layer may all be included in the system layer.
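The registration and verification modules described above, as an added illustration that is not code from the patent or from Huawei: authentication information is registered per (user account, target) pair, where the target is either the lock screen or an application name, the repeated entry must match before registration is accepted, each verification compares the entry against the stored record in constant time, and a run of consecutive failures reaching the threshold clears the stored record so the target can no longer be unlocked. Everything here is an assumption for illustration: the class and method names, the threshold value of 5, the 6-character minimum, and the choice to store a salted PBKDF2 hash rather than the raw PIN the patent text compares directly.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed values: the patent says only that "a threshold" of wrong entries
# exists and that a lock screen password may be a 6-digit number.
DEFAULT_MAX_FAILURES = 5
DEFAULT_MIN_LEN = 6
PBKDF2_ROUNDS = 100_000


@dataclass
class Record:
    """Registered authentication information for one (account, target)."""
    salt: bytes
    digest: bytes
    failures: int = 0  # consecutive wrong entries since the last success


class AuthInfoStore:
    """Plays the role of the registration, verification and self-destruction
    modules: a record is keyed by (user account, target), e.g.
    ("Lisa", "lockscreen") or ("Lisa", "addressbook")."""

    def __init__(self, max_failures: int = DEFAULT_MAX_FAILURES) -> None:
        self.max_failures = max_failures
        self._records: dict[tuple[str, str], Record] = {}

    @staticmethod
    def _derive(pin: str, salt: bytes) -> bytes:
        # Salted, slow hash so a dumped record does not reveal the PIN.
        return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def register(self, account: str, target: str, pin: str, pin_confirm: str,
                 min_len: int = DEFAULT_MIN_LEN) -> str:
        """Registration module: accept only when the repeated entry matches
        and the policy is met. Returns a status string rather than raising."""
        if pin != pin_confirm:
            return "mismatch"
        if len(pin) < min_len:
            return "too_short"
        salt = secrets.token_bytes(16)
        self._records[(account, target)] = Record(salt, self._derive(pin, salt))
        return "registered"

    def verify(self, account: str, target: str, pin: str) -> str:
        """Verification module. Returns "unlocked", "rejected", "wiped"
        (this attempt hit the threshold and the record was cleared) or
        "no_credential" (nothing registered, or already self-destructed)."""
        rec = self._records.get((account, target))
        if rec is None:
            return "no_credential"
        if hmac.compare_digest(self._derive(pin, rec.salt), rec.digest):
            rec.failures = 0  # success resets the consecutive-failure count
            return "unlocked"
        rec.failures += 1
        if rec.failures >= self.max_failures:
            self._self_destruct(account, target)
            return "wiped"
        return "rejected"

    def _self_destruct(self, account: str, target: str) -> None:
        # Self-destruction module: clear only this record; other accounts
        # and other targets on the device are unaffected.
        del self._records[(account, target)]

    def has_credential(self, account: str, target: str) -> bool:
        return (account, target) in self._records


def demo() -> list[str]:
    """Walk through registration, one wrong entry, recovery, then the
    threshold being reached. Input values are constructed for the demo."""
    store = AuthInfoStore(max_failures=5)
    out = [store.register("Lisa", "lockscreen", "123456", "123457"),  # mismatch
           store.register("Lisa", "lockscreen", "123456", "123456")]  # registered
    out.append(store.verify("Lisa", "lockscreen", "000000"))          # rejected
    out.append(store.verify("Lisa", "lockscreen", "123456"))          # unlocked
    out += [store.verify("Lisa", "lockscreen", "999999") for _ in range(5)]
    out.append(store.verify("Lisa", "lockscreen", "123456"))          # no_credential
    return out


if __name__ == "__main__":
    print(demo())
```

The per-target key is what lets an application-level start password self-destruct without touching the lock screen credential of the same account, and vice versa; a real implementation would keep the records and the failure counter inside the security chip rather than in process memory, so that an attacker cannot reset the counter by restarting the process.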
The system layer may include security chips, the number of which may be one or more.
The identity authentication information may be lock screen identity information of the electronic device 100, and the lock screen identity information of the electronic device 100 may be a pin code, a face image, a fingerprint, a voiceprint, or the like.
The identity authentication information may also be start authentication information applied to the electronic device 100, and the start authentication information applied may also be a pin code, a face image, a fingerprint, a voiceprint, etc.
The user may operate on the electronic device 100 to set the lockscreen identity information, or referred to as registering the lockscreen identity information, of the electronic device 100. The following embodiments of the present application are described with reference to a pin code, which may also be referred to as a registered lock screen password, as an example of registered lock screen identity information.
Optionally, if the electronic device 100 logs in with different user accounts, the user may also operate on the electronic device 100, and set the registered lock screen identity information of the different user accounts on the electronic device 100.
The user may also operate on the electronic device 100 to set the activation identity information, otherwise known as registration activation identity information, of the application on the electronic device 100. The following embodiments of the present application will be described by taking the registration-start identity information as a pin code, which may also be referred to as a registration-start password.
Fig. 8A-8F illustrate diagrams of electronic device 100 receiving and responding to user operations, receiving registered lock screen identity information of electronic device 100 registered by a user.
The registered lock screen identity information of the electronic device 100 may be a pin code, for example.
Fig. 8A illustrates a main interface of the electronic device 100. Icons of a plurality of applications, such as an icon of a file management application, an icon of an email application, an icon of a music application, an icon of a smart life application, an icon of a sports health application, an icon of a setup application, an icon of a camera application, an icon of an address book application, an icon of a telephone application, an icon of an information application, and the like, are shown in fig. 8A. FIG. 8A also shows page indicators, weather indicators, calendar indicators, power indicators, time indicators, signal indicators, and the like.
As shown in fig. 8A, the electronic device 100 receives an input operation (e.g., a click) by a user on the icon of the settings application, and in response to the input operation by the user, the electronic device 100 displays a user interface 701 as shown in fig. 8B. A number of settings are shown in the user interface 701, such as an airplane mode setting (airplane mode currently off), a Wi-Fi setting (Wi-Fi currently off), a Bluetooth setting (Bluetooth currently off), a personal hotspot setting, a mobile network setting, a do-not-disturb mode setting, a display and brightness setting, a Huawei account setting, a biometrics and password option, and so forth.
As shown in fig. 8B, the electronic device 100 receives an input operation (e.g., a click) by a user for biometric identification, password options, and the like, and in response to the input operation by the user, the electronic device 100 displays a user interface 702 as shown in fig. 8C.
A plurality of settings options are shown in the user interface 702, such as biometric settings options including, but not limited to, fingerprint settings, face recognition settings, bone voiceprint settings, and the like. Also shown in the user interface 702 are password settings options including, but not limited to, a set lock screen password option and a close lock screen password option, among others. Other settings options are also shown in the user interface 702, such as a lock screen password self-destruction settings option, a security lock device settings option, and the like.
The electronic device 100 may receive an operation of a user operation in the user interface 702, setting an unlock password. The unlock code may also be referred to as a pin code.
As shown in fig. 8C, the electronic device 100 receives an input operation (e.g., a click) by a user for setting a lock screen password option in the user interface 702, and in response to the input operation by the user, the electronic device 100 may display the user interface 703 as shown in fig. 8D.
The user interface 703 may be an interface for setting the lock screen password of the electronic device 100. The electronic device 100 may receive the user's operation in the user interface 703 to set the lock screen password.
After the user enters the lock screen password in the user interface 703, the electronic device 100 may display a user interface 704 as shown in fig. 8E.
Alternatively, the electronic device 100 may prompt the user to input the same screen locking code multiple times, and in the case where the screen locking codes input multiple times by the user are all the same, the electronic device 100 may display the user interface 704 shown in fig. 8E.
As shown in fig. 8F, the electronic device 100 may receive an input operation (e.g., a single click) by a user for determining an option in the user interface 704, and in response to the input operation by the user, the electronic device 100 may use the input password as a lock screen password of the electronic device 100.
Optionally, the screen locking password may be a 6-bit number, or may be more or less numbers, or may be one or more combinations of letters, symbols, and numbers, which is not limited in the embodiment of the present application.
Optionally, in some embodiments, if there are a plurality of different user accounts on the electronic device 100, the electronic device 100 may also receive the user operation and set the screen locking password of each user separately.
The different user accounts on the electronic device 100 means that after the electronic device 100 logs in a certain user account, the content corresponding to the user account can be displayed. The content corresponding to different user accounts is different. For example, the corresponding application types and the application data generated by the applications under different user accounts are different.
Fig. 8G-8J are schematic diagrams illustrating the electronic device 100 receiving lock screen identity information corresponding to different user accounts on the electronic device 100 set by the user.
As shown in fig. 8G, the electronic device 100 receives an input operation (e.g., a single click) by a user for setting a lock screen password option in the user interface 702, and in response to the input operation by the user, the electronic device 100 may display a user interface 705 as shown in fig. 8H.
A number of different user accounts are shown in the user interface 705, such as user "Lisa" and user "iphone of young milk". The user may select a certain user account in the user interface 705 and set a screen locking password for the certain account.
As shown in fig. 8H, the electronic device 100 may receive an input operation (e.g., a single click) by a user for a user "Lisa" option in the user interface 705, and in response to the input operation by the user, the electronic device 100 may display the user interface 706 shown in fig. 8I.
The user interface 706 may be an interface for setting the lock screen password of the user "Lisa" on the electronic device 100. The electronic device 100 may receive the user's operation in the user interface 706 to set the lock screen password of the user "Lisa".
After the user enters the lock screen password in the user interface 706, as shown in fig. 8J, the electronic device 100 may display a user interface 707.
Alternatively, the electronic device 100 may prompt the user to input the same screen locking code multiple times, and in the case where the screen locking codes input multiple times by the user are all the same, the electronic device 100 may display the user interface 707 shown in fig. 8J.
Fig. 9A-9E illustrate diagrams of the electronic device 100 receiving and responding to user operations, and receiving a startup password of a user-registered application one.
For example, the application one may be an address book application, and the starting password of the application one may also be a pin code.
As shown in fig. 9A, the electronic device 100 receives an input operation (e.g., a click) of an address book application icon by a user, and in response to the input operation by the user, the electronic device 100 may display a user interface 801 as shown in fig. 9B.
User interface 801 shows the most recent call records, such as a call with Mom at 19:38 today, a call with Dad at 19:20 today, and calls yesterday with Xiao Zhao and two other contacts.
As shown in fig. 9B, the electronic device 100 receives an input operation (e.g., a click) by a user for a setting option in the user interface 801, and in response to the input operation by the user, the electronic device 100 may display a setting interface of an address book application, for example, a user interface 802 as shown in fig. 9C.
A plurality of setting options are shown in the user interface 802, such as password setting options, including an option for setting a start-up password and an option for disabling the start-up password. Other setting options are also shown in the user interface 802, such as a start-up password self-destruct option.
The electronic device 100 may receive user operations in the user interface 802 to set a start-up password. The start-up password may also be referred to as a pin code.
As shown in fig. 9C, the electronic device 100 may receive an input operation (e.g., a click) by a user for setting an open password option in the user interface 802, and in response to the input operation by the user, the electronic device 100 may display the user interface 803 as shown in fig. 9D.
The user interface 803 may be an interface for setting the start-up password of an application on the electronic device 100. The electronic device 100 may receive the user's operation in the user interface 803 and set the start-up password of the address book application.
The user enters the start password for the address book application in the user interface 803, and as shown in fig. 9E, the electronic device 100 may display a user interface 804.
Alternatively, the electronic device 100 may prompt the user to input the same unlock code multiple times, and in the case where the unlock codes input multiple times by the user are all the same, the electronic device 100 may display the user interface 804 as shown in fig. 9E.
The electronic device 100 may receive an input operation (e.g., a single click) by a user for determining an option in the user interface 804, and in response to the input operation by the user, the electronic device 100 may use the input password as an opening password for the address book application.
Optionally, the start-up password may be a 6-digit number, or more or fewer digits, or a combination of one or more of letters, symbols, and numbers, which is not limited in the embodiment of the present application.
It should be noted that the maximum number of start-up password input attempts for the application is not limited to being set within the application itself; it may also be set elsewhere on the electronic device, which is not limited in the embodiment of the present application.
Fig. 10 is a flowchart of another method for registering identity authentication information according to an embodiment of the present application.
S1001, the operating system of the electronic device 100 receives the registered identity authentication information input by the user.
The identity authentication information may be lock screen identity information of the electronic device 100, and the lock screen identity information of the electronic device 100 may be a pin code, a face image, a fingerprint, a voiceprint, or the like.
The identity authentication information may also be start authentication information applied to the electronic device 100, and the start authentication information applied may also be a pin code, a face image, a fingerprint, a voiceprint, etc.
The user may operate on the electronic device 100 to set the lock screen identity information of the electronic device 100.
Optionally, if the electronic device 100 logs in with different user accounts, the user may also operate on the electronic device 100, and set the registered lock screen identity information of the different user accounts on the electronic device 100.
The user may also operate on the electronic device 100 to set the start-up identity information of the application on the electronic device 100.
S1002, the electronic device 100 sends the registered identity authentication information to the security chip through the operating system.
Optionally, before the electronic device 100 sends the registered identity authentication information to the security chip through the operating system, the electronic device 100 may perform desensitization processing on the registered identity authentication information through the operating system, and send the desensitized registered identity authentication information to the security chip. Therefore, the information leakage caused by the plaintext transmission mode in the transmission process can be avoided.
Means of desensitization include, but are not limited to: a one-way HASH (HASH) algorithm, a Scrypt iterative HASH algorithm, a PBKDF2 iterative HASH algorithm, or the like. The manner of this desensitization is not limited by the embodiments of the present application.
S1003, the electronic device 100 generates a secret value four through the security chip.
The secret value four is used to participate in protecting the root key on the electronic device 100.
In S1003, the secret value is generated in the security chip, so that the secret value can be prevented from being tampered with.
S1004, the electronic device 100 encrypts the secret value four based on the registered identity authentication information through the security chip to obtain an encrypted secret value four.
Alternatively, the electronic device 100 may encrypt the secret value four based on the desensitized registered identity authentication information through the security chip.
When the secret value four is encrypted based on the registered identity authentication information, the encryption may be performed byte-wise, by an exclusive-or operation, by HMAC, or in other ways; the embodiment of the application does not limit the encryption mode.
After the secret value is generated, the security chip encrypts the secret value based on the registered identity authentication information and stores the encrypted secret value in the security chip. Thus, even if an attacker falsifies the comparison logic of the identity authentication information, the attacker cannot decrypt the secret value encrypted based on the registered identity authentication information under the condition that the attacker does not acquire the registered identity authentication information, namely cannot acquire the secret value, and the situation that the secret value is revealed is avoided.
S1005, the electronic device 100 stores the encrypted secret value four and the registered identity authentication information through the security chip.
Optionally, the electronic device 100 may also store the encrypted secret value four and the desensitized registered identity authentication information through the security chip.
Because the security of the security chip is higher, the encrypted secret value four and the identity authentication information are stored in the security chip, so that leakage of the encrypted secret value four and the identity authentication information can be prevented.
Optionally, if the electronic device 100 logs in to a plurality of different user accounts, the security chip stores the encrypted secret values and registered identity authentication information corresponding to each of the different user accounts.
TABLE 1
As shown in table 1, if the electronic device 100 has a plurality of different user accounts, the electronic device 100 may receive registration identity authentication information corresponding to the user accounts with different operation settings of the user. And the registered identity authentication information and the encrypted secret value corresponding to different user accounts are stored in the security chip. For example, for the user account Lisa, the user may set the registration identity authentication information of the user account Lisa, and store the registration identity authentication information of the user account Lisa and an encrypted secret value four in the security chip, where the secret value four is used to encrypt and protect the user data corresponding to the user account Lisa. For the user account Lucy, the user can set the registered identity authentication information of the user account Lucy, and store the registered identity authentication information of the user account Lucy and an encrypted secret value five in the security chip, wherein the secret value five is used for encrypting and protecting the user data corresponding to the user account Lucy. For the user account Tom, the user can set the registered identity authentication information of the user account Tom, and store the registered identity authentication information of the user account Tom and the encrypted secret value six in the security chip, wherein the secret value six is used for encrypting and protecting the user data corresponding to the user account Tom.
It should be noted that the electronic device 100 may further include more or fewer user accounts, which is not limited in this embodiment of the present application.
It should be noted that the user account name shown in table 1 need not itself be stored in the security chip; instead, the ID of the user account may be stored in the security chip. For example, the ID corresponding to the user account "Lisa" may be "0123", the ID corresponding to the user account "Lucy" may be "0124", and the ID corresponding to the user account "Tom" may be "0125". The ID of the user account may also take other forms, which are not limited in this embodiment of the present application.
Alternatively, the security chip may store, instead of the ID of the user account itself, an ID that has a mapping relationship with the ID of the user account. The ID of the user account may then be found based on the ID having the mapping relationship with it. The embodiments of the present application are not limited in this regard.
The following embodiments of the present application will be described with reference to the case where a user account name is stored in a security chip.
TABLE 2
As shown in table 2, a user downloads and installs a plurality of applications, such as a first application, a second application, and a third application, under the same user account (e.g., user account Lisa) to which the electronic device 100 is logged in. The user can set the start-up authentication information of the plurality of applications under the user account Lisa. That is, before an application is started, the user needs to input the correct start-up authentication information; only then can the application be started, otherwise it cannot. As shown in table 2, the user may set the registered start-up authentication information of the first application, and store the registered start-up authentication information of the first application and an encrypted secret value seven in the security chip, where the secret value seven is used to encrypt and protect application data in the first application. The user can set the registered start-up authentication information of the second application, and store the registered start-up authentication information of the second application and an encrypted secret value eight in the security chip, where the secret value eight is used to encrypt and protect application data in the second application. The user can set the registered start-up authentication information of the third application, and store the registered start-up authentication information of the third application and an encrypted secret value nine in the security chip, where the secret value nine is used to encrypt and protect application data in the third application.
Alternatively, the user may set the start-up authentication information of the plurality of applications under the user account Lisa to be the same, for example, by setting the start-up authentication information of all applications under the user account Lisa with a single operation, which reduces the operations required of the user.
Optionally, for the same application, under different user account numbers, the opening authentication information of the same application may also be different, or may be the same, which is not limited in the embodiment of the present application.
It should be noted that the application identifier shown in table 2 need not itself be stored in the security chip; instead, the ID of the application identifier may be stored in the security chip. For example, the ID corresponding to the application identifier "first application" may be "0X01", the ID corresponding to the application identifier "second application" may be "0X02", and the ID corresponding to the application identifier "third application" may be "0X03". The ID of the application identifier may also take other forms, which are not limited in this embodiment of the application.
Alternatively, the ID stored in the security chip may not be the ID of the application identifier itself, but an ID having a mapping relationship with the ID of the application identifier. The ID of the application identifier may then be found based on the ID having the mapping relationship with it. The embodiments of the present application are not limited in this regard.
S1006, the electronic device 100 sends the secret value four to the operating system through the security chip.
Alternatively, before the electronic device 100 sends the secret value four to the operating system via the security chip, the secret value four may be desensitized and then sent, or the encrypted secret value four may be sent instead. Thus, the security chip avoids sending the secret value four to the operating system in plaintext, and information leakage during transmission can be avoided.
S1007, the electronic apparatus 100 encrypts the root key based on the secret value four through the operating system.
Alternatively, the electronic device 100 may encrypt the root key based on only the secret value four.
Alternatively, the electronic device 100 may encrypt the root key by the secret value four and the registered identity authentication information.
Alternatively, the electronic device 100 may encrypt the root key with the secret value four and the desensitized registered identity authentication information.
Alternatively, the electronic device 100 may encrypt the root key by the secret value four, the registered identity authentication information, and other factors together. The embodiment of the application does not limit the encryption mode of the root key.
Alternatively, the electronic device 100 may encrypt the root key by the secret value four, the desensitized registered identity authentication information, and other factors together. The embodiment of the application does not limit the encryption mode of the root key.
In some embodiments, S1006 and S1007 may also be performed within a secure chip. I.e. S1006 and S1007, may be replaced with S1008.
S1008, the electronic device 100 encrypts the root key based on the secret value four through the secure chip.
Thus, the security chip does not need to send the secret value four to the operating system at all, and information leakage during transmission is avoided.
In some embodiments, in the case where the registered identity authentication information is registered lock screen identity authentication information, when the first condition is satisfied, the electronic device 100 may derive a data key based on the root key, and cryptographically protect user data on the electronic device 100 based on the data key. Only if the user inputs the correct authentication information, the electronic device 100 may decrypt the user data on the electronic device 100 based on the data key, to obtain the real user data.
The first condition may be any one or more of:
1. After the electronic device 100 is turned off, when the electronic device 100 is turned on for the first time, the electronic device 100 may encrypt and protect user data on the electronic device 100 based on the data key.
2. The electronic device 100 is in a power-on and screen-locked state, but if the screen-locked time of the electronic device 100 exceeds a certain duration, the electronic device 100 may encrypt and protect user data on the electronic device 100 based on the data key.
3. The electronic device 100 is in a power-on and screen-locked state, but if the electronic device 100 fails to verify the user identity a certain number of times based on the lock screen identity information, the electronic device 100 may encrypt and protect user data on the electronic device 100 based on the data key.
By way of example, the first type of lock screen identity information may be a face image, a fingerprint image, a voiceprint feature, and so forth.
The second type of lock screen identity information may be a pin code. The security of the second type of lockscreen identity information is higher than the security of the first type of lockscreen identity information.
For example, when the electronic device 100 is in a power-on and screen-locking state, the user uses the face image to unlock, and under the condition that the unlocking is not successful for 5 consecutive unlocking times, the electronic device 100 can encrypt and protect the user data on the electronic device 100 based on the data key.
The first condition may also be other conditions, which are not limited in the embodiment of the present application.
In some embodiments, in the case where the registered identity authentication information is the registered start-up authentication information, when the first condition is satisfied, the electronic device 100 may derive a data key based on the root key, and encrypt and protect application data in the application one based on the data key. Only if the user inputs the correct start-up authentication information for verification can the electronic device 100 decrypt the application data in the application one based on the data key to obtain the real application data.
The first condition may be any one or more of:
1. After the electronic device 100 is turned off, when the electronic device 100 is turned on for the first time, the electronic device 100 may encrypt and protect application data in the application one based on the root key.
2. The application may be unused for more than a certain time, and the electronic device 100 may cryptographically protect the application data within the application based on the root key.
3. If the electronic device 100 fails to verify the user identity a certain number of times based on the start-up authentication information, the electronic device 100 may encrypt and protect application data in the application one based on the root key.
For example, when the user opens the application one using the face image and does not unlock successfully for 5 consecutive unlocking times, the electronic device 100 may encrypt and protect application data in the application one based on the root key.
The first condition may also be other conditions, which are not limited in the embodiment of the present application.
Alternatively, the root key at the device level and the root key at the application level may be different or the same. The manner in which the device level derives the data key based on the root key and the manner in which the application level derives the data key based on the root key may also be different or the same, which is not limited in the embodiment of the present application.
Fig. 11 is a flowchart of another method for registering identity authentication information according to an embodiment of the present application.
The fig. 11 embodiment is similar to the fig. 10 embodiment, except that the manner in which the secret value is generated differs.
S1101, the electronic device 100 receives the registered identity authentication information input by the user through the operating system.
For the description of S1101, reference may be made to the description of S1001, and the embodiments of the present application are not repeated here.
S1102, the electronic device 100 generates a secret value one at random after receiving registration identity authentication information input by a user through an operating system.
S1103, the electronic device 100 sends the registered identity authentication information and the secret value to the security chip through the operating system.
Optionally, the electronic device 100 may also send the registered identity authentication information to the security chip after desensitizing.
That is, the electronic device 100 may transmit the desensitized registered identity authentication information and the secret value to the security chip through the operating system.
S1104, the electronic device 100 generates a secret value two through the security chip.
S1105, the electronic device 100 obtains a secret value three based on the secret value one and the secret value two.
Alternatively, the electronic device 100 may obtain the third secret value through the first secret value, the second secret value and other factors, which is not limited in the embodiment of the present application.
Thus, the second secret value is generated in the security chip, the third secret value is obtained based on the first secret value and the second secret value, and the situation that the third secret value is tampered can be avoided.
S1106, the electronic device 100 encrypts the third secret value based on the identity authentication information through the security chip, to obtain an encrypted third secret value.
S1107, the electronic device 100 stores the encrypted secret value three and the identity authentication information through the security chip.
S1108, the electronic device 100 sends the secret value three to the operating system through the security chip.
S1109, the electronic device 100 encrypts the root key based on the secret value three by the operating system.
For the description of S1106-S1109, reference may be made to the descriptions of S1004-S1007, and the embodiments of the present application will not be repeated here.
Fig. 12 is a schematic flow chart of a method for comparing and verifying verification identity authentication information against registered identity authentication information according to an embodiment of the present application.
The method of comparing and verifying registered identity authentication information shown in fig. 12 is a verification method provided based on the method of registering identity authentication information shown in fig. 10.
S1201, the electronic device 100 receives verification identity authentication information input by a user through an operating system.
The identity authentication information may be screen locking authentication information of the user account "Lisa", as illustrated in fig. 13A, the electronic device 100 may display a user interface 1501, where the user interface 1501 is used to prompt the user to input the screen locking authentication information of the user account "Lisa".
Alternatively, after the number of incorrect inputs of the screen locking authentication information of the user account "Lisa" reaches the maximum number of input errors, the electronic device 100 displays hint information as shown in fig. 13B; for example, the hint information may be "the device cannot be unlocked", or the hint may be "please try to unlock again after a certain time". As the number of incorrect inputs of the screen locking authentication information increases, the time the user must wait before unlocking increases correspondingly. The electronic device 100 may receive a user's operation in the user interface 1502 to switch to logging in to another user account. For example, the electronic device 100 may receive an input operation (e.g., a single click) by a user for the selection item 1503 in the user interface 1502, and in response to the input operation by the user, the electronic device 100 may display a prompt bar 1504 as shown in fig. 13C. The user may select the user account to log in to in the prompt bar 1504.
As shown in fig. 13C, the electronic device 100 may receive an input operation (e.g., a single click) by a user for a user account "Lucy" option in the prompt 1504, and in response to the input operation by the user, the electronic device 100 may log in to the user account "Lucy". In response to a user input operation for the user account "Lucy" option in the prompt field 1504, the electronic device 100 may display a user interface 1505 as shown in FIG. 13D. User interface 1505 is an unlock interface for user account "Lucy". The electronic device 100 may receive lock screen authentication information corresponding to a user account "Lucy" entered by a user in the user interface 1505. Under the condition that the screen locking authentication information corresponding to the user account number "Lucy" input by the user is correct, the electronic device 100 may execute the unlocking operation and display the user data corresponding to the user account number "Lucy".
The identity authentication information may also be start-up authentication information of a certain application on the electronic device 100. The certain application may be, for example, an address book application.
Fig. 13E illustrates a main interface 1506 of the electronic device 100, the main interface 1506 illustrating icons of a plurality of applications, such as an icon of a file management application, an icon of an email application, an icon of a music application, an icon of a smart life application, an icon of a sports health application, an icon of a setup application, an icon of a camera application, an icon of an address book application, an icon of a telephone application, an icon of an information application, and the like. FIG. 13E also shows page indicators, weather indicators, calendar indicators, power indicators, time indicators, signal indicators, and the like.
As shown in fig. 13E, the electronic device 100 receives an input operation (e.g., a single click) of an icon of an address book application by a user, and in response to the input operation by the user, the electronic device 100 may display a user interface 1507 as shown in fig. 13F. The user interface 1507 is used to prompt the user to enter an opening password for the address book application. Under the condition that the opening password of the address book application input by the user is correct, the electronic device 100 can execute the operation of opening the address book application and display the application data in the address book application.
Alternatively, the same application may have different start passwords for different user accounts.
S1202, the electronic device 100 sends verification identity authentication information to the security chip through the operating system.
Optionally, the electronic device 100 may desensitize the verification identity authentication information through the operating system, and then send the desensitized verification identity authentication information to the security chip.
S1203, the electronic device 100 confirms that the verification identity authentication information and the registration identity authentication information satisfy the preset condition through the security chip.
The security chip of the electronic device 100 confirms that the verification identity authentication information and the registration identity authentication information meet the preset condition, and indicates that the verification is passed.
The preset condition may be that the verification authentication information input by the user is completely consistent with the registration authentication information stored in the security chip, or that the verification authentication information input by the user, after being transformed, is completely consistent with the registration authentication information stored in the electronic device. The preset condition may also be other conditions, which are not limited in the embodiment of the present application.
S1204, the electronic device 100 decrypts the encrypted secret value four based on the verification identity authentication information through the security chip to obtain the secret value four.
In S1004 of the fig. 10 embodiment, it is mentioned that the encrypted secret value four is encrypted based on the registered identity authentication information. Under the condition that the security chip determines that the verification identity authentication information passes, the encrypted secret value four can be decrypted based on the verification identity authentication information to obtain the secret value four, so that the root key can subsequently be decrypted to obtain the data key, and the user data can then be decrypted to obtain the real user data.
Alternatively, if the secret value four was encrypted based on other factors in addition to the registered identity authentication information, those other factors are also used in decryption.
Optionally, if the electronic device 100 confirms through the security chip that the verification identity authentication information and the registration identity authentication information do not meet the preset condition, it indicates that the verification identity authentication information is not verified, and the electronic device 100 does not execute S1204, and cannot obtain the secret value four, and further cannot obtain the root key. In this way, the security of the encrypted user data is ensured.
S1205, the electronic device 100 sends the secret value four to the operating system through the security chip.
After the security chip confirms that the verification identity authentication information and the registration identity authentication information meet the preset condition and verification is successful, the security chip decrypts the encrypted secret value four based on the verification identity authentication information to obtain the secret value four, and sends the secret value four to the operating system, so that the operating system can decrypt the encrypted root key based on the secret value four to obtain the root key.
S1206, the electronic device 100 decrypts the root key based on the secret value four through the operating system to obtain the root key, obtains the data key based on the root key, and decrypts the user data based on the data key.
After the electronic device 100 receives the secret value four through the operating system, it may decrypt the previously encrypted root key based on the secret value four to obtain the root key, and obtain the data key based on the root key. The user data encrypted based on the data key is thereby decrypted to obtain unencrypted user data, so that the user can view and use the real user data.
Optionally, if the root key is encrypted based on other factors during encryption, other factors are needed to participate in decryption during decryption, so as to obtain an unencrypted root key.
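A worked model of the fig. 10 registration flow (S1001-S1007) and the fig. 12 verification flow (S1201-S1206), added here as an example and not code from the patent or from any Huawei implementation. It assumes PBKDF2-HMAC-SHA256 as the desensitization method, an HMAC-derived keystream with exclusive-or as the encryption mode for the secret value (both listed as options above), an added HMAC tag on the wrapped root key, the user ID "0123" for Lisa, and the class and function names shown; the fig. 11 variant (secret value three from secret values one and two) is not modelled.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

PBKDF2_ITERATIONS = 100_000  # assumed iteration count; the text fixes no parameters
SECRET_LEN = 32


def desensitize(auth_info: str, salt: bytes) -> bytes:
    """S1002 option: hash the credential before it leaves the operating system.
    PBKDF2 is one of the three desensitization methods the text lists."""
    return hashlib.pbkdf2_hmac("sha256", auth_info.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=SECRET_LEN)


def _keystream(key: bytes, label: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter keystream so that exclusive-or encryption (an S1004
    option) uses a per-purpose mask derived from `key`."""
    blocks, counter = b"", 0
    while len(blocks) < length:
        blocks += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return blocks[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class ChipRecord:
    """One row of table 1 / table 2: desensitized registered authentication
    information plus the secret value encrypted under it."""
    auth_digest: bytes
    encrypted_secret: bytes


class SecureChip:
    """Constructed model of the security chip side (assumed class name)."""

    def __init__(self) -> None:
        self._records: Dict[str, ChipRecord] = {}

    def register(self, record_id: str, auth_digest: bytes) -> bytes:
        """S1003-S1006: generate the secret value inside the chip, encrypt it under
        the registered authentication information, store both, release the secret."""
        secret = os.urandom(SECRET_LEN)  # never produced by the OS, so the OS cannot tamper with it
        encrypted = _xor(secret, _keystream(auth_digest, b"secret-wrap", SECRET_LEN))
        self._records[record_id] = ChipRecord(auth_digest, encrypted)
        return secret

    def verify_and_release(self, record_id: str, auth_digest: bytes) -> Optional[bytes]:
        """S1203-S1205: constant-time comparison, then decrypt the secret value
        with the *verification* information and release it to the OS."""
        record = self._records.get(record_id)
        if record is None or not hmac.compare_digest(record.auth_digest, auth_digest):
            return None  # S1204 is skipped: no secret value, hence no root key
        return _xor(record.encrypted_secret, _keystream(auth_digest, b"secret-wrap", SECRET_LEN))

    def release_with_comparison_bypassed(self, record_id: str, auth_digest: bytes) -> bytes:
        """Models the threat the text names: the comparison logic has been falsified.
        Not a real chip API; it only shows that a wrong credential still yields a
        useless secret value because decryption depends on the credential itself."""
        record = self._records[record_id]
        return _xor(record.encrypted_secret, _keystream(auth_digest, b"secret-wrap", SECRET_LEN))


def wrap_root_key(root_key: bytes, secret: bytes) -> bytes:
    """S1007: encrypt the root key under the secret value. The HMAC tag is an
    assumption, so a wrong secret value is detected rather than yielding garbage."""
    ciphertext = _xor(root_key, _keystream(secret, b"root-wrap", SECRET_LEN))
    tag = hmac.new(secret, b"root-mac" + ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def unwrap_root_key(blob: bytes, secret: bytes) -> Optional[bytes]:
    ciphertext, tag = blob[:SECRET_LEN], blob[SECRET_LEN:]
    expected = hmac.new(secret, b"root-mac" + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(ciphertext, _keystream(secret, b"root-wrap", SECRET_LEN))


def derive_data_key(root_key: bytes) -> bytes:
    """S1206: derive the data key from the root key (HMAC-based KDF, assumed)."""
    return hmac.new(root_key, b"data-key", hashlib.sha256).digest()


class OperatingSystem:
    """Constructed model of the OS side: keeps wrapped root keys, never the secret value."""

    def __init__(self, chip: SecureChip) -> None:
        self.chip = chip
        self.salt = os.urandom(16)  # PBKDF2 salt; assumed detail
        self.wrapped_root_keys: Dict[str, bytes] = {}

    def enroll(self, record_id: str, auth_info: str) -> bytes:
        """Fig. 10 registration flow; returns the root key so callers can compare."""
        secret = self.chip.register(record_id, desensitize(auth_info, self.salt))
        root_key = os.urandom(SECRET_LEN)
        self.wrapped_root_keys[record_id] = wrap_root_key(root_key, secret)
        return root_key

    def unlock(self, record_id: str, auth_info: str) -> Optional[bytes]:
        """Fig. 12 verification flow; returns the data key, or None on failure."""
        secret = self.chip.verify_and_release(record_id, desensitize(auth_info, self.salt))
        if secret is None:
            return None
        root_key = unwrap_root_key(self.wrapped_root_keys[record_id], secret)
        return None if root_key is None else derive_data_key(root_key)
```

Because the secret value is encrypted under the credential rather than gated only by the comparison, bypassing the comparison with a wrong credential produces a different secret value and the root key unwrap fails.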
Fig. 14 is a flowchart of another method for comparing and verifying verification identity authentication information against registered identity authentication information according to an embodiment of the present application.
The method of comparing and verifying registered identity authentication information shown in fig. 14 is a verification method provided based on the method of registering identity authentication information shown in fig. 11.
S1401, the electronic device 100 receives verification identity authentication information input by a user through an operating system.
For the description of S1401, reference may be made to the description of S1201 in the embodiment of fig. 12, and the embodiment of the present application will not be repeated here.
S1402, the electronic device 100 sends verification identity authentication information to the security chip through the operating system.
Optionally, the electronic device 100 may desensitize the verification identity authentication information through the operating system, and then send the desensitized verification identity authentication information to the security chip.
S1403, the electronic device 100 confirms, through the security chip, that the verification identity authentication information and the registration identity authentication information satisfy the preset condition.
The security chip of the electronic device 100 confirms that the verification identity authentication information and the registration identity authentication information meet the preset condition, and indicates that the verification is passed.
The preset condition may be that the verification authentication information input by the user is completely consistent with the registration authentication information stored in the security chip, or that the verification authentication information input by the user is completely consistent with the registration authentication information stored in the electronic device after being transformed. The preset condition may also be other conditions, which are not limited in the embodiment of the present application.
S1404, the electronic device 100 decrypts the encrypted secret value III based on the verification identity authentication information through the security chip to obtain the secret value III.
In S1106 of the embodiment of fig. 11, it is mentioned that the encrypted secret value three is encrypted based on the registration identity authentication information. When the security chip determines that the verification identity authentication information passes verification, the encrypted secret value three can be decrypted based on the verification identity authentication information to obtain the secret value three, so that the root key can subsequently be decrypted to obtain the data key, and the user data can be decrypted to obtain the real user data.
Alternatively, if the secret value three is encrypted based on other factors in addition to the registration identity authentication information, those other factors are also used in decryption.
Optionally, if the electronic device 100 confirms through the security chip that the verification identity authentication information and the registration identity authentication information do not meet the preset condition, this indicates that the verification identity authentication information fails verification; the electronic device 100 then does not execute S1304, cannot obtain the secret value three, and consequently cannot obtain the root key. In this way, the security of the encrypted user data is ensured.
S1405, the electronic device 100 sends the secret value three to the operating system through the security chip.
After the security chip confirms that the verification identity authentication information and the registration identity authentication information meet the preset conditions and verification is successful, the security chip decrypts the encrypted secret value III based on the verification identity authentication information to obtain the secret value III, and sends the secret value III to the operating system, so that the operating system can decrypt the encrypted root key based on the secret value III to obtain the root key.
S1406, the electronic device 100 decrypts the root key based on the secret value three through the operating system to obtain the root key, obtains the data key based on the root key, and decrypts the user data based on the data key.
After the electronic device 100 receives the third secret value through the operating system, it may decrypt the previously encrypted root key based on the third secret value to obtain the root key, obtain the data key based on the root key, and thereby decrypt the user data encrypted based on the data key to obtain the unencrypted user data, so that the user can view and use the real user data.
Optionally, if the root key is encrypted based on other factors during encryption, other factors are needed to participate in decryption during decryption, so as to obtain an unencrypted root key.
Other factors include, but are not limited to, one or more of registration identity authentication information, hardware unique keys, device unique IDs.
Fig. 15 is a flow chart of a data protection method according to an embodiment of the present application.
S1501, the electronic device receives registration identity authentication information input by a user.
In one possible implementation, the registered identity authentication information includes registered lock screen identity authentication information of the electronic device and/or registered unlock authentication information of a first application on the electronic device; the registered screen locking identity information is used for unlocking the electronic equipment under the condition that the verification screen locking identity authentication information input by the user and the registered screen locking identity information meet preset conditions;
The registration opening authentication information is used for opening the first application under the condition that the verification registration opening authentication information and the registration opening authentication information input by the user meet preset conditions.
S1502, the electronic device generates a first secret value, wherein the first secret value is used for encrypting and protecting a root key, and the root key is used for protecting user data on the electronic device.
The first secret value can be used directly to encrypt and protect the root key, or the first secret value and other factors can together participate in encrypting and protecting the root key. Other factors include, but are not limited to, one or more of the registration identity authentication information, a hardware unique key, and a device unique ID.
The root key may be used directly to cryptographically protect user data on the electronic device. Alternatively, a data key may be derived from the root key, and user data on the electronic device is cryptographically protected based on that data key. The data key can be derived from the root key through one or more stages.
S1503, the electronic equipment encrypts the first secret value based on the registered identity authentication information to obtain an encrypted first secret value.
S1504, the electronic device stores the registered identity authentication information and the encrypted first secret value.
Thus, after the electronic device generates the secret value, the secret value is encrypted based on the registered identity authentication information input by the user before being stored, so that the security of the secret value is further protected.
In one possible implementation manner, the electronic device receiving registration identity authentication information input by a user specifically includes: the electronic device receives the registration identity authentication information input by the user through an operating system. After the electronic device receives the registered identity authentication information input by the user and before the electronic device generates the first secret value, the method further includes: the electronic device sends the registered identity authentication information to the security chip through the operating system. The electronic device generating a first secret value specifically includes: the electronic device generates the first secret value through the security chip. The electronic device encrypting the first secret value based on the registered identity authentication information to obtain an encrypted first secret value specifically includes: the electronic device encrypts the first secret value based on the registered identity authentication information through the security chip to obtain the encrypted first secret value. The electronic device storing the registered identity authentication information and the encrypted first secret value specifically includes: the electronic device stores the registered identity authentication information and the encrypted first secret value in the security chip.
Here, the first secret value may be the secret value four shown in fig. 10. Specifically, reference may be made to the description in the embodiment of fig. 10, and the embodiment of the present application will not be repeated here.
Therefore, when the electronic device is provided with a security chip, the electronic device can generate the secret value inside the security chip, which avoids the situation in which a secret value generated outside the security chip is tampered with by an attacker and user data is leaked as a result.
Moreover, the encrypted first secret value and the registered identity authentication information are stored in the security chip, which has a higher security level, so that the security of the encrypted first secret value and of the registered identity authentication information is further protected.
In one possible implementation, before the electronic device generates the first secret value, the method further comprises: the electronic equipment generates a second secret value through an operating system; the electronic device sends the second secret value to the security chip through the operating system; the electronic equipment generates a third secret value through the security chip; the electronic device generates a first secret value, which specifically includes: the electronic device generates a first secret value based on the second secret value and the third secret value through the security chip.
The present application also provides another method of generating a first secret value. That is, the first secret value is generated based on the third secret value generated inside the secure chip and the second secret value generated outside the secure chip. Even if an attacker can tamper with the second secret value generated outside the security chip, the attacker cannot tamper with the third secret value generated inside the security chip, so that the situation that the first secret value is tampered with by the attacker can be avoided.
Here, the second secret value may be the secret value one shown in fig. 11, and the third secret value may be the secret value two shown in fig. 11. Specifically, reference may be made to the description in the embodiment of fig. 11, and the embodiment of the present application will not be repeated here.
In one possible implementation, after the electronic device stores the registered identity authentication information and the encrypted first secret value, the method further includes: under the condition that the first condition is met, the electronic equipment receives verification identity authentication information input by a user; under the condition that the verification identity authentication information and the registration identity authentication information meet preset conditions, the electronic equipment decrypts the encrypted first secret value based on the verification identity authentication information to obtain a first secret value; the electronic equipment decrypts the encryption root key based on the first secret value to obtain a root key; the electronic device decrypts the encrypted user data based on the root key to obtain unencrypted user data.
The first secret value can be directly used for decrypting the encryption root key to obtain the root key, and the first secret value can also be used for decrypting the encryption root key together with other factors to obtain the root key. Other factors include, but are not limited to, one or more of registration identity authentication information, hardware unique keys, device unique IDs.
After obtaining the root key, the root key may be used directly to decrypt the encrypted user data to obtain unencrypted user data. Alternatively, the data key may be derived based on the root key, and the encrypted user data may be decrypted based on the data key to obtain unencrypted user data. The data key can be derived from the root key through one or more stages.
When verifying the identity authentication information input by the user, the security chip decrypts the encrypted first secret value based on that authentication information only when the authentication information input by the user and the registration identity authentication information meet the preset condition, thereby obtaining the unencrypted first secret value. In this way, the situation in which an attacker tampers with the authentication logic and causes the first secret value to leak, which would be possible if the first secret value were not encrypted, is avoided.
The preset condition may be that the verification authentication information input by the user is completely consistent with the registration authentication information stored in the security chip, or that the verification authentication information input by the user, after being transformed, is completely consistent with the registration authentication information stored in the electronic device. The preset condition may also be other conditions, which are not limited in the embodiment of the present application.
Specifically, reference may be made to the descriptions in the embodiments of fig. 12 and 13, and the embodiments of the present application are not repeated here.
In one possible implementation manner, after the electronic device receives the registered identity authentication information input by the user and before the electronic device encrypts the first secret value based on the registered identity authentication information, the method further includes: the electronic device desensitizes the registered identity authentication information through the operating system to obtain desensitized registered identity authentication information; the electronic device sends the desensitized registered identity authentication information to the security chip through the operating system; and the electronic device encrypting the first secret value based on the registered identity authentication information specifically includes: the electronic device encrypts the first secret value based on the desensitized registered identity authentication information through the security chip to obtain the encrypted first secret value.
Optionally, the electronic device may encrypt the first secret directly through the security chip based on the desensitized registered identity authentication information to obtain an encrypted first secret. In other embodiments, the electronic device may also derive the desensitized registered identity authentication information by using a key, or perform hash calculation on the desensitized registered identity authentication information, and encrypt the first secret value by using the derived key or the value after hash calculation to obtain an encrypted first secret value. The embodiments of the present application are not limited in this regard.
Thus, the electronic device desensitizes the registered identity authentication information, which avoids the situation in which the registered identity authentication information is leaked because it is transmitted in plaintext.
In one possible implementation, after the electronic device receives the verification identity authentication information input by the user, before the electronic device decrypts the encrypted first secret value based on the verification identity authentication information, the method further includes: the electronic equipment desensitizes the verification identity authentication information through an operating system to obtain desensitized verification identity authentication information; the electronic equipment sends desensitization verification identity authentication information to the security chip through the operating system; the electronic device decrypts the encrypted first secret value based on the verification identity authentication information, and specifically comprises the following steps: under the condition that the desensitization verification identity authentication information and the desensitization registration identity authentication information meet preset conditions, the electronic equipment decrypts the encrypted first secret value based on the desensitization verification identity authentication information through the security chip to obtain the first secret value.
Optionally, the electronic device may decrypt the encrypted first secret value directly through the security chip based on the desensitized registered identity authentication information, to obtain an unencrypted first secret value. In other embodiments, the electronic device may decrypt the encrypted first secret value based on the key derived from the desensitized registered identity authentication information or the hashed value of the desensitized registered identity authentication information to obtain the unencrypted first secret value. The embodiments of the present application are not limited in this regard.
Thus, when the security chip stores the desensitized registration identity authentication information, the electronic device also needs to desensitize the verification identity authentication information when verifying the user's identity, and compare it with the desensitized registration identity authentication information.
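The registration steps S1501 to S1504, the two-source generation of the first secret value from a secret value generated by the operating system and one generated inside the security chip, the desensitization of the authentication information, and the verification path of figs. 12 and 14 in which the chip releases the first secret value only when the preset condition holds, as an added simulation that is not code from the patent or from Huawei. It uses only the Python standard library: the HMAC-based encrypt-then-MAC `seal`/`open_` pair stands in for a real AEAD cipher, and all class names, labels, key sizes, the "other factors" (hardware unique key, device ID) and the sample credentials are assumptions.

```python
import hashlib
import hmac
import os
import secrets


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869) used for every derivation in this simulation."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in authenticated encryption: HKDF keystream XOR, then HMAC tag."""
    nonce = os.urandom(16)
    keystream = hkdf(key, nonce, b"stream", len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream))
    tag = hmac.new(hkdf(key, nonce, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); raises ValueError if the tag does not verify."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(hkdf(key, nonce, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    keystream = hkdf(key, nonce, b"stream", len(ct))
    return bytes(a ^ b for a, b in zip(ct, keystream))


def desensitize(auth_info: bytes) -> bytes:
    """OS-side transform so the raw credential never crosses to the chip."""
    return hashlib.sha256(b"desensitize|" + auth_info).digest()


class SecurityChip:
    """Holds the desensitized registration info and the encrypted first secret."""

    def __init__(self) -> None:
        self._reg_info = None
        self._enc_first_secret = None

    def register(self, desens_reg_info: bytes, secret_two: bytes) -> bytes:
        # Chip generates secret value three and combines it with the OS's
        # secret value two, so tampering with secret two alone is not enough.
        secret_three = secrets.token_bytes(32)
        first_secret = hkdf(secret_two + secret_three, b"", b"first-secret")
        kek = hkdf(desens_reg_info, b"", b"auth-wrap")  # key from the credential
        self._reg_info = desens_reg_info
        self._enc_first_secret = seal(kek, first_secret)
        return first_secret  # handed to the OS once, to wrap the root key

    def verify_and_release(self, desens_ver_info: bytes):
        # Preset condition: transformed verification info equals stored info.
        if self._reg_info is None or not hmac.compare_digest(self._reg_info, desens_ver_info):
            return None  # S1204/S1404 not executed: no secret value, no root key
        kek = hkdf(desens_ver_info, b"", b"auth-wrap")
        return open_(kek, self._enc_first_secret)


class Device:
    """Operating-system side: root key, data key and user data."""

    HUK = secrets.token_bytes(32)  # constructed hardware unique key
    DEVICE_ID = b"DEVICE-ID-PLACEHOLDER"  # constructed device unique ID

    def __init__(self) -> None:
        self.chip = SecurityChip()
        self.enc_root_key = None
        self.enc_user_data = None

    def _root_kek(self, first_secret: bytes, desens_info: bytes) -> bytes:
        # "Other factors" (registration info, HUK, device ID) join the wrap.
        return hkdf(first_secret + self.HUK + self.DEVICE_ID, desens_info, b"root-kek")

    def enroll(self, reg_info: bytes, user_data: bytes) -> None:
        desens = desensitize(reg_info)
        secret_two = secrets.token_bytes(32)  # OS-generated secret value
        first_secret = self.chip.register(desens, secret_two)
        root_key = secrets.token_bytes(32)
        self.enc_root_key = seal(self._root_kek(first_secret, desens), root_key)
        data_key = hkdf(root_key, b"", b"data-key")  # one derivation stage
        self.enc_user_data = seal(data_key, user_data)

    def unlock(self, ver_info: bytes):
        """Returns the user data on success, None if verification fails."""
        desens = desensitize(ver_info)
        first_secret = self.chip.verify_and_release(desens)
        if first_secret is None:
            return None
        root_key = open_(self._root_kek(first_secret, desens), self.enc_root_key)
        data_key = hkdf(root_key, b"", b"data-key")
        return open_(data_key, self.enc_user_data)


if __name__ == "__main__":
    dev = Device()
    dev.enroll(b"1234", b"constructed user data")
    print(dev.unlock(b"1234"))  # b'constructed user data'
    print(dev.unlock(b"0000"))  # None: chip never releases the first secret
```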
In one possible implementation manner, the electronic device receiving registration identity authentication information input by a user specifically includes: the electronic device receives registered screen locking identity information input by the user, where the registered screen locking identity information is used to unlock the electronic device when the verification screen locking identity authentication information input by the user and the registered screen locking identity information meet the preset condition. The electronic device generating a first secret value, where the first secret value is used to encrypt and protect a root key and the root key is used to protect user data on the electronic device, specifically includes: the electronic device generates the first secret value, where the first secret value is used to encrypt and protect a first root key and the first root key is used to protect the user data on the electronic device. The electronic device encrypting the first secret value based on the registered identity authentication information to obtain an encrypted first secret value specifically includes: the electronic device encrypts the first secret value based on the registered screen locking identity information to obtain the encrypted first secret value. The electronic device storing the registered identity authentication information and the encrypted first secret value specifically includes: the electronic device stores the registered screen locking identity information and the encrypted first secret value.
Thus, the user can set the screen locking identity information of the user unlocking the electronic equipment, and store the screen locking identity information and the first secret value in the security chip.
Optionally, the electronic device may have a plurality of different user accounts logged on. The user can also set the screen locking identity information corresponding to a plurality of different user accounts respectively.
Alternatively, root keys corresponding to a plurality of different user accounts may be different or the same, which is not limited in the embodiment of the present application.
The first secret value can be directly used for encrypting and protecting the first root key, and the first secret value and other factors can also participate in encrypting and protecting the first root key together. Other factors include, but are not limited to, one or more of registration identity authentication information, hardware unique keys, device unique IDs.
After obtaining the first root key, the first root key may be used directly to cryptographically protect user data on the electronic device. Alternatively, a data key may be derived based on the first root key, and user data on the electronic device may be cryptographically protected based on that data key. The data key may be derived from the first root key through one or more stages.
In one possible implementation, after the electronic device stores the registered lock screen identity information and the encrypted first secret value, the method further includes: the electronic device receives registration opening authentication information input by the user, where the registration opening authentication information is used to open a first application when the verification opening authentication information input by the user and the registration opening authentication information meet the preset condition; the electronic device generates a fourth secret value, where the fourth secret value is used to encrypt and protect a second root key and the second root key is used to protect application data in the first application; the electronic device encrypts the fourth secret value based on the registration opening authentication information to obtain an encrypted fourth secret value; and the electronic device stores the registration opening authentication information and the encrypted fourth secret value.
The fourth secret value can be directly used for encrypting and protecting the second root key, and the fourth secret value and other factors can also participate in encrypting and protecting the second root key together. Other factors include, but are not limited to, one or more of registration initiation authentication information, hardware unique keys, device unique IDs, application identifications.
The second root key may be used directly to cryptographically protect application data within the first application. Alternatively, a data key may be derived based on the second root key, and application data within the first application may be cryptographically protected based on that data key. The data key can be derived from the second root key through one or more stages.
In this way, the user can set the open authentication information for a plurality of applications on the electronic device and store the open authentication information and the fourth secret value in the secure chip.
Optionally, for the same application, under different user account numbers, the opening authentication information of the same application may also be different, or may be the same, which is not limited in the embodiment of the present application.
With reference to the first aspect, in one possible implementation manner, the second root key and the first root key are different.
Alternatively, the second root key and the first root key may be the same, which is not limited in the embodiment of the present application.
Fig. 16 is a schematic flow chart of a data storage device according to an embodiment of the present application.
In a possible implementation, the apparatus 1600 may include a receiving unit 1601, a processing unit 1602, and a storage unit 1603. The apparatus 1600 may be used to perform a data storage method as shown in the embodiment of fig. 15.
Wherein, the receiving unit 1601 is configured to receive registration identity authentication information input by a user.
The processing unit 1602 is configured to generate a first secret value, the first secret value being used to cryptographically protect a root key, the root key being used to protect user data on the electronic device.
The processing unit 1602 is further configured to encrypt the first secret value based on the registered identity authentication information, to obtain an encrypted first secret value.
A storage unit 1603 for storing the registered identity authentication information and the encrypted first secret value.
The first secret value can be used directly to encrypt and protect the root key, or the first secret value and other factors can together participate in encrypting and protecting the root key. Other factors include, but are not limited to, one or more of the registration identity authentication information, a hardware unique key, and a device unique ID.
The root key may be used directly to cryptographically protect user data on the electronic device. Alternatively, a data key may be derived from the root key, and user data on the electronic device is cryptographically protected based on that data key. The data key can be derived from the root key through one or more stages.
Thus, after the electronic device generates the secret value, the secret value is encrypted based on the registered identity authentication information input by the user before being stored, so that the security of the secret value is further protected.
In one possible implementation, the receiving unit 1601 is specifically configured to receive, by using an operating system, registration identity authentication information input by a user.
The processing unit 1602 is further configured to send the registered identity authentication information to the security chip through the operating system.
The processing unit 1602 is specifically configured to generate a first secret value through the security chip.
The storage unit 1603 is specifically configured to encrypt, by using the security chip, the first secret value based on the registered identity authentication information, to obtain an encrypted first secret value.
The storage unit 1603 is specifically configured to store the registered identity authentication information and the encrypted first secret value in the security chip.
Therefore, when the electronic device is provided with a security chip, the electronic device can generate the secret value inside the security chip, which avoids the situation in which a secret value generated outside the security chip is tampered with by an attacker and user data is leaked as a result.
Moreover, the encrypted first secret value and the registered identity authentication information are stored in the security chip, which has a higher security level, so that the security of the encrypted first secret value and of the registered identity authentication information is further protected.
In one possible implementation, the processing unit 1602 is further configured to generate a second secret value by the operating system.
The processing unit 1602 is further configured to send the second secret value to the security chip through the operating system.
The processing unit 1602 is further configured to generate a third secret value through the security chip.
The processing unit 1602 is further configured to generate, by the security chip, a first secret value based on the second secret value and the third secret value.
The present application also provides another method of generating a first secret value. That is, the first secret value is generated based on the third secret value generated inside the secure chip and the second secret value generated outside the secure chip. Even if an attacker can tamper with the second secret value generated outside the security chip, the attacker cannot tamper with the third secret value generated inside the security chip, so that the situation that the first secret value is tampered with by the attacker can be avoided.
In a possible implementation manner, the receiving unit 1601 is further configured to, in case the first condition is met, receive verification identity authentication information input by a user by using the electronic device.
The processing unit 1602 is further configured to decrypt the encrypted first secret value based on the verification identity authentication information to obtain a first secret value if the verification identity authentication information and the registration identity authentication information satisfy a preset condition.
The processing unit 1602 is further configured to decrypt the encrypted root key based on the first secret value to obtain a root key.
The processing unit 1602 is further configured to decrypt the encrypted user data based on the root key, resulting in unencrypted user data.
Alternatively, the electronic device may decrypt the encrypted user data directly based on the root key, resulting in unencrypted user data.
The first secret value can be directly used for decrypting the encryption root key to obtain the root key, and the first secret value can also be used for decrypting the encryption root key together with other factors to obtain the root key. Other factors include, but are not limited to, one or more of registration identity authentication information, hardware unique keys, device unique IDs.
After obtaining the root key, the root key may be used directly to decrypt the encrypted user data to obtain unencrypted user data. Alternatively, the data key may be derived based on the root key, and the encrypted user data may be decrypted based on the data key to obtain unencrypted user data. The data key can be derived from the root key through one or more stages.
When verifying the identity authentication information input by the user, the security chip decrypts the encrypted first secret value based on that authentication information only when the authentication information input by the user and the registration identity authentication information meet the preset condition, thereby obtaining the unencrypted first secret value. In this way, the situation in which an attacker tampers with the authentication logic and causes the first secret value to leak, which would be possible if the first secret value were not encrypted, is avoided.
In one possible implementation, the processing unit 1602 is specifically configured to desensitize the registered identity authentication information by the operating system to obtain desensitized registered identity authentication information.
The processing unit 1602 is specifically configured to send desensitized registered identity authentication information to the security chip through the operating system.
The processing unit 1602 is specifically configured to encrypt, by using the security chip, the first secret value based on the desensitized registered identity authentication information, to obtain an encrypted first secret value.
Optionally, the electronic device may encrypt the first secret directly through the security chip based on the desensitized registered identity authentication information to obtain an encrypted first secret. In other embodiments, the electronic device may also derive the desensitized registered identity authentication information by using a key, or perform hash calculation on the desensitized registered identity authentication information, and encrypt the first secret value by using the derived key or the value after hash calculation to obtain an encrypted first secret value. The embodiments of the present application are not limited in this regard.
Thus, the electronic device desensitizes the registered identity authentication information, which avoids the registered identity authentication information being revealed because it was transmitted in plaintext.
In a possible implementation, the processing unit 1602 is further configured to desensitize the verification identity authentication information by the operating system to obtain desensitized verification identity authentication information.
The processing unit 1602 is further configured to send desensitization verification identity authentication information to the security chip through the operating system.
The processing unit 1602 is specifically configured to decrypt, by the security chip, the encrypted first secret value based on the desensitized verification identity authentication information to obtain a first secret value when the desensitized verification identity authentication information and the desensitized registration identity authentication information satisfy a preset condition.
Optionally, the electronic device may decrypt the encrypted first secret value directly through the security chip based on the desensitized registered identity authentication information, to obtain an unencrypted first secret value. In other embodiments, the electronic device may decrypt the encrypted first secret value based on the key derived from the desensitized registered identity authentication information or the hashed value of the desensitized registered identity authentication information to obtain the unencrypted first secret value. The embodiments of the present application are not limited in this regard.
Thus, when the security chip stores the desensitized registration authentication information, the electronic device must also desensitize the verification identity authentication information when verifying the user's identity, and compare the result with the stored desensitized registration authentication information.
In one possible implementation, the registered identity authentication information includes registered lock screen identity authentication information of the electronic device and/or registered opening authentication information of a first application on the electronic device. The registered lock screen identity information is used to unlock the electronic device when the verification lock screen identity authentication information input by the user and the registered lock screen identity information satisfy the preset condition;
the registered opening authentication information is used to open the first application when the verification opening authentication information input by the user and the registered opening authentication information satisfy the preset condition.
In one possible implementation manner, the receiving unit 1601 is specifically configured to receive registration lock screen identity information input by a user, where the registration lock screen identity information is used to unlock the electronic device when verification lock screen identity authentication information input by the user and the registration lock screen identity information meet preset conditions.
The processing unit 1602 is specifically configured to generate a first secret value, where the first secret value is used for encrypting and protecting a first root key, and the first root key is used for protecting user data on the electronic device.
The processing unit 1602 is specifically configured to encrypt the first secret value based on the registered lock screen identity information, so as to obtain an encrypted first secret value.
The processing unit 1602 is specifically configured to store the registered lock screen identity information and the encrypted first secret value.
The first secret value can be directly used for encrypting and protecting the first root key, and the first secret value and other factors can also participate in encrypting and protecting the first root key together. Other factors include, but are not limited to, one or more of registration identity authentication information, hardware unique keys, device unique IDs.
After obtaining the first root key, the first root key may be used directly to encrypt and protect user data on the electronic device. Alternatively, a data key may be derived from the first root key, and user data on the electronic device may be encrypted and protected with the data key, where the data key may be derived from the first root key in one or more stages.
Thus, the user can set the lock screen identity information used to unlock the electronic device, and the lock screen identity information and the first secret value are stored in the security chip.
Optionally, the electronic device may have a plurality of different user accounts logged on. The user can also set the screen locking identity information corresponding to a plurality of different user accounts respectively.
Alternatively, root keys corresponding to a plurality of different user accounts may be different or the same, which is not limited in the embodiment of the present application.
In one possible implementation, the receiving unit 1601 is further configured to receive registration opening authentication information input by a user, where the registration opening authentication information is used to open the first application when the verification opening authentication information input by the user and the registration opening authentication information satisfy the preset condition.
The processing unit 1602 is further configured to generate a fourth secret value, the fourth secret value being used for encrypting and protecting a second root key, the second root key being used for protecting application data within the first application.
The processing unit 1602 is further configured to encrypt the fourth secret value based on the registration opening authentication information to obtain an encrypted fourth secret value, and the electronic device stores the registration opening authentication information and the encrypted fourth secret value.
The fourth secret value can be used directly to encrypt and protect the second root key, or the fourth secret value and other factors can together participate in encrypting and protecting the second root key. Other factors include, but are not limited to, one or more of the registration opening authentication information, a hardware unique key, a device unique ID, and an application identifier.
The second root key may be used directly to encrypt and protect application data within the first application. Alternatively, a data key may be derived from the second root key, and application data within the first application may be encrypted and decrypted with the data key. The data key may be derived from the second root key in one or more stages.
In this way, the user can set opening authentication information for a plurality of applications on the electronic device, and the opening authentication information and the fourth secret value are stored in the security chip.
Optionally, for the same application, under different user account numbers, the opening authentication information of the same application may also be different, or may be the same, which is not limited in the embodiment of the present application.
In one possible implementation, the second root key and the first root key are different.
Alternatively, the second root key and the first root key may be the same, which is not limited in the embodiment of the present application.
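The registration and verification flow described above, as an added Go example that is not part of the patent: the operating system desensitizes the PIN, a simulated security chip derives the first secret value from the OS-supplied second secret value and a chip-generated third secret value, wraps it under the desensitized registration information, and wraps the root key under the first secret value together with a hardware unique key; at verification the data key is only recoverable if the first secret value actually decrypts. The type and function names, the salted SHA-256 desensitization, the HMAC-SHA256 derivation with labels, and AES-256-GCM wrapping are assumptions of this example, not choices made by the patent.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// desensitize models the OS-side step: the raw PIN is salted and hashed so only a digest reaches the chip.
func desensitize(salt []byte, auth string) []byte {
	sum := sha256.Sum256(concat(salt, []byte(auth))) // salt and SHA-256 are assumptions of this example
	return sum[:]
}

// kdf derives a 32-byte AES-256 key from secret material and a label (HMAC-SHA256, an assumption).
func kdf(secret []byte, label string) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(label))
	return m.Sum(nil)
}

func concat(a, b []byte) []byte { return append(append([]byte{}, a...), b...) }
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// wrap encrypts plaintext with AES-256-GCM; keys are always 32 bytes from kdf, so cipher setup cannot fail.
func wrap(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := mustRandom(gcm.NonceSize()) // random nonce, prefixed to the ciphertext
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// unwrap reverses wrap; the GCM tag check fails whenever the key is wrong.
func unwrap(key, sealed []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// SecureChip is a constructed stand-in for the patent's security chip.
type SecureChip struct {
	huk            []byte // hardware unique key, never leaves the chip
	registeredAuth []byte // desensitized registration identity authentication information
	encFirstSecret []byte // first secret value wrapped under the registered auth info
	encRootKey     []byte // root key wrapped under the first secret value and the HUK
}

// Register follows claims 2, 3 and 5: first secret = KDF(second secret from OS || third secret from chip).
func (c *SecureChip) Register(desensAuth, secondSecret []byte) {
	firstSecret := kdf(concat(secondSecret, mustRandom(32)), "first-secret")
	c.registeredAuth = desensAuth
	c.encFirstSecret = wrap(kdf(desensAuth, "wrap-first-secret"), firstSecret)
	c.encRootKey = wrap(kdf(concat(firstSecret, c.huk), "wrap-root-key"), mustRandom(32))
}

// recoverDataKey is the cryptographic path of claims 4 and 6: first secret -> root key -> data key.
func (c *SecureChip) recoverDataKey(desensVerify []byte) ([]byte, error) {
	firstSecret, err := unwrap(kdf(desensVerify, "wrap-first-secret"), c.encFirstSecret)
	if err != nil {
		return nil, err
	}
	rootKey, err := unwrap(kdf(concat(firstSecret, c.huk), "wrap-root-key"), c.encRootKey)
	if err != nil {
		return nil, err
	}
	return kdf(rootKey, "data-key"), nil
}

// Unlock adds the preset-condition comparison; even if it were bypassed, a wrong PIN still fails in recoverDataKey.
func (c *SecureChip) Unlock(desensVerify []byte) ([]byte, error) {
	if !hmac.Equal(desensVerify, c.registeredAuth) {
		return nil, errors.New("verification identity authentication information mismatch")
	}
	return c.recoverDataKey(desensVerify)
}
```

The data key returned by Unlock is what the device would use to encrypt and decrypt user data; the root key and the first secret value never leave the simulated chip in plaintext.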
The application provides an electronic device, the electronic device includes: one or more processors, one or more memories, a display screen; the one or more memories, the display screen, and the one or more processors are coupled, the one or more memories are configured to store computer program code, the computer program code comprising computer instructions that the one or more processors invoke to cause the electronic device to perform a data protection method as shown in fig. 15.
The present application provides a computer readable storage medium for storing computer instructions that, when executed on an electronic device, cause the electronic device to perform a data protection method as shown in fig. 15.
The present application provides a computer program product which, when run on an electronic device, causes the electronic device to perform a data protection method as shown in fig. 15.
The embodiments of the present application may be arbitrarily combined to achieve different technical effects.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the present application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired (e.g., coaxial cable, optical fiber, digital subscriber line) or wireless (e.g., infrared, radio, microwave) means. The computer readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a DVD), a semiconductor medium (e.g., a Solid State Disk (SSD)), or the like.
Those of ordinary skill in the art will appreciate that all or part of the above-described method embodiments may be implemented by a computer program instructing related hardware; the program may be stored in a computer readable storage medium and, when executed, performs the steps of the above-described method embodiments. The aforementioned storage medium includes ROM, random access memory (RAM), a magnetic disk, an optical disk, or the like.
In summary, the foregoing description is only exemplary embodiments of the present invention and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, improvement, etc. made according to the disclosure of the present invention should be included in the protection scope of the present invention.

Claims (13)

1. A method of data protection, the method comprising:
the electronic equipment receives registration identity authentication information input by a user;
the electronic equipment generates a first secret value, wherein the first secret value is used for encrypting and protecting a root key, and the root key is used for protecting user data on the electronic equipment;
the electronic equipment encrypts the first secret value based on the registered identity authentication information to obtain an encrypted first secret value;
the electronic device stores the registered identity authentication information and the encrypted first secret value.
2. The method according to claim 1, wherein the electronic device receives registered identity authentication information input by a user, specifically comprising:
the electronic equipment receives registration identity authentication information input by a user through an operating system;
after the electronic device receives the registered identity authentication information input by the user, before the electronic device generates the first secret value, the method further comprises:
the electronic equipment sends the registered identity authentication information to a security chip through an operating system;
the electronic device generates a first secret value, which specifically includes:
the electronic equipment generates the first secret value through the security chip;
the electronic device encrypts the first secret value based on the registered identity authentication information to obtain an encrypted first secret value, and specifically includes:
the electronic equipment encrypts the first secret value based on the registered identity authentication information through a security chip to obtain the encrypted first secret value;
the electronic device stores the registered identity authentication information and the encrypted first secret value, and specifically comprises:
the electronic device stores the registered identity authentication information and the encrypted first secret value within the security chip.
3. The method of claim 1, wherein prior to the electronic device generating the first secret value, the method further comprises:
the electronic equipment generates a second secret value through an operating system;
the electronic equipment sends the second secret value to the security chip through the operating system;
the electronic equipment generates a third secret value through the security chip;
the electronic device generates a first secret value, which specifically includes:
the electronic device generates, by the secure chip, the first secret value based on the second secret value and the third secret value.
4. A method according to any of claims 1-3, wherein after the electronic device stores the registered identity authentication information and the encrypted first secret value, the method further comprises:
under the condition that the first condition is met, the electronic equipment receives verification identity authentication information input by a user;
under the condition that the verification identity authentication information and the registration identity authentication information meet preset conditions, the electronic equipment decrypts the encrypted first secret value based on the verification identity authentication information to obtain the first secret value;
the electronic equipment decrypts the encrypted root key based on the first secret value to obtain the root key;
and the electronic equipment decrypts the encrypted user data based on the root key to obtain unencrypted user data.
5. The method according to claim 2, wherein the electronic device sends the registered identity authentication information to a security chip through an operating system, specifically comprising:
the electronic equipment desensitizes the registered identity authentication information through the operating system to obtain desensitized registered identity authentication information;
the electronic equipment sends the desensitization registration identity authentication information to the security chip through the operating system;
the electronic device encrypts the first secret value based on the registered identity authentication information through a security chip, and specifically comprises the following steps:
and the electronic equipment encrypts the first secret value based on the desensitization registration identity authentication information through the security chip to obtain the encrypted first secret value.
6. The method of claim 4, wherein after the electronic device receives the verification identity authentication information input by the user, and before the electronic device decrypts the encrypted first secret value based on the verification identity authentication information, the method further comprises:
the electronic equipment desensitizes the verification identity authentication information through the operating system to obtain desensitized verification identity authentication information;
the electronic equipment sends the desensitization verification identity authentication information to the security chip through the operating system;
the electronic device decrypts the encrypted first secret value based on the verification identity authentication information, and specifically comprises the following steps:
under the condition that the desensitization verification identity authentication information and the desensitization registration identity authentication information meet preset conditions, the electronic equipment decrypts the encrypted first secret value through the security chip based on the desensitization verification identity authentication information to obtain the first secret value.
7. The method according to any of claims 1-6, wherein the registered identity authentication information comprises registered lock screen identity authentication information of the electronic device and/or registered unlock authentication information of a first application on the electronic device;
the registered screen locking identity information is used for unlocking the electronic equipment under the condition that verification screen locking identity authentication information input by a user and the registered screen locking identity information meet preset conditions;
the registration opening authentication information is used for opening the first application under the condition that verification registration opening authentication information input by a user and the registration opening authentication information meet preset conditions.
8. The method according to any one of claims 1-7, wherein the electronic device receives registration identity authentication information entered by a user, in particular comprising:
the method comprises the steps that electronic equipment receives registration screen locking identity information input by a user, wherein the registration screen locking identity information is used for unlocking the electronic equipment under the condition that verification screen locking identity authentication information input by the user and the registration screen locking identity information meet preset conditions;
the electronic equipment generates a first secret value, the first secret value is used for encrypting and protecting a root key, and the root key is used for protecting user data on the electronic equipment, specifically comprising:
the electronic equipment generates a first secret value, wherein the first secret value is used for encrypting and protecting a first root key, and the first root key is used for protecting user data on the electronic equipment;
the electronic device encrypts the first secret value based on the registered identity authentication information to obtain an encrypted first secret value, and specifically includes:
the electronic equipment encrypts the first secret value based on the registered screen locking identity information to obtain the encrypted first secret value;
the electronic device stores the registered identity authentication information and the encrypted first secret value, and specifically comprises:
and the electronic equipment stores the registered screen locking identity information and the encrypted first secret value.
9. The method of claim 8, wherein after the electronic device stores the registered lock screen identity information and the encrypted first secret value, the method further comprises:
the electronic equipment receives registration opening authentication information input by a user, wherein the registration opening authentication information is used for opening the first application when verification registration opening authentication information input by the user and the registration opening authentication information meet preset conditions;
the electronic equipment generates a fourth secret value, wherein the fourth secret value is used for encrypting and protecting a second root key, and the second root key is used for protecting application data in the first application;
and the electronic equipment encrypts the fourth secret value based on the registration opening authentication information to obtain an encrypted fourth secret value, and the electronic equipment stores the registration opening authentication information and the encrypted fourth secret value.
10. The method of claim 9, wherein the second root key and the first root key are different.
11. An electronic device, the electronic device comprising: one or more processors, one or more memories, a display screen; the one or more memories, the display screen being coupled to the one or more processors, the one or more memories being for storing computer program code comprising computer instructions that the one or more processors invoke to cause the electronic device to perform the method of any of the above claims 1-10.
12. A computer readable storage medium storing computer instructions which, when run on an electronic device, cause the electronic device to perform the method of any one of the preceding claims 1-10.
13. A computer program product, characterized in that the computer program product, when run on an electronic device, causes the electronic device to perform the method of any of the preceding claims 1-10.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202211072325.1A CN117688566A (en) 2022-09-02 2022-09-02 Data protection method and electronic equipment
PCT/CN2023/116087 WO2024046418A1 (en) 2022-09-02 2023-08-31 Data protection method and electronic device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211072325.1A CN117688566A (en) 2022-09-02 2022-09-02 Data protection method and electronic equipment

Publications (1)

Publication Number Publication Date
CN117688566A true CN117688566A (en) 2024-03-12

Family

ID=90100422

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211072325.1A Pending CN117688566A (en) 2022-09-02 2022-09-02 Data protection method and electronic equipment

Country Status (2)

Country Link
CN (1) CN117688566A (en)
WO (1) WO2024046418A1 (en)

Also Published As

Publication number Publication date
WO2024046418A1 (en) 2024-03-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination