KR20210010593A - Apparatus and Method for processing biometric information in a electronic device - Google Patents

Abstract

According to various embodiments, provided is a biometric information processing method of an electronic device. The biometric information processing method of an electronic device operated as a general area and a security area through one processor comprises: an operation of detecting a biometric information input event from a biosensor module in a general area; an operation of transferring the biometric information input event from the general area to a security area; an operation of acquiring sensing data from a biometric sensor module in response to the biometric information input event in the security area; and an operation of processing the sensing data acquired in the security area to transmit biometric information registration result information and biometric recognition result information to the general area.

Description

Apparatus and Method for processing biometric information in a electronic device

Various embodiments of the present disclosure relate to a method and apparatus for processing biometric information in an electronic device.

Electronic devices support complex operation of various functions based on the development of hardware and software technologies. For example, an electronic device provides a biometric recognition function that is used in a security system or an authentication system by recognizing a user's personal biometric characteristics. The biometric recognition function can perform personal authentication by comparing the data stored in the authentication system with the data entered by the user by using the user's personal body information (e.g., fingerprint, face, iris, voice, palmistry, vein, etc.). have.

Recently, there are increasing cases in which personal information of electronic devices is exposed by hacking programs or the like. Research has been conducted on the reliability and security performance of biometrics according to security systems, authentication systems, or application fields. For this reason, there is a need for an electronic device to prevent personal biometric information from being exposed to the outside for malicious purposes such as hacking.

According to various embodiments of the present disclosure, a method and apparatus for processing biometric information capable of safely processing and protecting biometric information can be provided in implementing a user authentication and function using biometric information.

In the biometric information processing method according to various embodiments of the present disclosure, in a biometric information processing method of an electronic device operated as a general area and a security area through a single processor, a biometric information input event is detected from a biometric sensor module in a general area. Action; Transmitting a biometric information input event from the general area to a security area; Acquiring sensing data from a biometric sensor module in response to a biometric information input event in the security area; And processing the sensing data obtained in the security area to transmit the biometric information registration result information and the biometric recognition result information to the general area.

A biometric information processing apparatus according to various embodiments of the present disclosure includes an electronic device operated in a general area and a security area through a single processor, comprising: a biometric sensor module for biometric recognition; And detecting a biometric information input event from the biometric sensor module in the general area, transmitting the biometric information input event to the security area in the general area, and acquiring sensing data from the biometric sensor module in response to the biometric information input event in the security area. And, it may include a processor that processes the sensing data acquired in the security area to control the biometric information registration result information and the biometric recognition result information to be transmitted to the general area.

A method and apparatus for processing biometric information according to various embodiments of the present disclosure may improve security for biometric information by implementing the biometric data to be processed and managed in a security area. A method and apparatus for processing biometric information according to various embodiments of the present disclosure may modify biometric data using information obtainable in a security area and utilize the modified data as a biometric authentication function, so that even if biometric information is maliciously leaked, personal biometric information Can be safely protected.

1 illustrates a processor of an electronic device according to various embodiments of the present disclosure.
2 is a block diagram of an electronic device according to various embodiments of the present disclosure.
3 is a block diagram of a biometric information processing module according to various embodiments of the present disclosure.
4 illustrates a method of registering biometric information of an electronic device according to various embodiments of the present disclosure.
5 illustrates a method of authenticating biometric information of an electronic device according to various embodiments of the present disclosure.
6 is a diagram illustrating a method of processing biometric information by an electronic device according to various embodiments of the present disclosure.
7 is a diagram illustrating a network environment including an electronic device according to various embodiments of the present disclosure.
8 is a block diagram of an electronic device according to various embodiments of the present disclosure.

Hereinafter, various embodiments of the present disclosure will be described in detail with reference to the accompanying drawings. In the present disclosure, various modifications may be made and various embodiments may be provided, and specific embodiments are illustrated in the drawings. The relevant detailed description is given. However, this is not intended to limit the present invention to a specific embodiment, it is to be understood as including all changes and/or equivalents or substitutes included in the spirit and scope of the present invention. In connection with the description of the drawings, similar reference numerals have been used for similar elements.

Expressions such as "include" or "may include" that may be used in the present invention refer to the existence of the corresponding function, operation, or component, etc., and do not limit additional one or more functions, operations, or components. . In addition, in the present invention, terms such as "comprise" or "have" are intended to designate the presence of features, numbers, steps, actions, components, parts, or combinations thereof described in the specification, but one or more It is to be understood that other features or possibilities of the presence or addition of numbers, steps, actions, components, parts, or combinations thereof are not preliminarily excluded.

In the present invention, expressions such as "or" include any and all combinations of words listed together. For example, "A or B" may include A, may include B, or may include both A and B.

In the present invention, expressions such as "first," "second," "first," or "second," may modify various elements of the present invention, but do not limit the corresponding elements. For example, the expressions do not limit the order and/or importance of corresponding elements. The above expressions may be used to distinguish one component from another component. For example, a first user device and a second user device are both user devices and represent different user devices. For example, without departing from the scope of the present invention, a first element may be referred to as a second element, and similarly, a second element may be referred to as a first element.

When a component is referred to as being "connected" or "connected" to another component, it is understood that it may be directly connected or connected to the other component, but other components may exist in the middle. Should be. On the other hand, when a component is referred to as being "directly connected" or "directly connected" to another component, it should be understood that there is no other component in the middle.

The terms used in the present invention are only used to describe specific embodiments, and are not intended to limit the present invention. Singular expressions include plural expressions unless the context clearly indicates otherwise.

Unless otherwise defined, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by one of ordinary skill in the art to which the present invention belongs. Terms as defined in a commonly used dictionary should be interpreted as having a meaning consistent with the meaning in the context of the related technology, and should not be interpreted as an ideal or excessively formal meaning unless explicitly defined in the present invention. Does not.

The electronic device according to the present invention may be a device including a communication function. For example, electronic devices include smart phones, tablet personal computers (PCs), mobile phones, video phones, e-book readers, desktop personal computers (desktop personal computers), A laptop personal computer, netbook computer, personal digital assistant (PDA), portable multimedia player (PMP), MP3 player, mobile medical device, camera, or wearable device (e.g. : It may include at least one of a head-mounted-device (HMD) such as electronic glasses, an electronic clothing, an electronic bracelet, an electronic necklace, an electronic appcessory, an electronic tattoo, or a smart watch.

According to some embodiments, the electronic device may be a smart home appliance having a communication function. Smart home appliances, for example, include televisions, digital video disk (DVD) players, audio, refrigerators, air conditioners, vacuum cleaners, ovens, microwave ovens, washing machines, air purifiers, set-top boxes, and TVs. It may include at least one of a box (eg, Samsung HomeSyncTM, Apple TVTM, or Google TVTM), game consoles, electronic dictionary, electronic key, camcorder, or electronic frame.

According to some embodiments, the electronic device includes various medical devices (e.g., magnetic resonance angiography (MRA), magnetic resonance imaging (MRI), computed tomography (CT)), an imager, an ultrasound device, etc.), a navigation device, a GPS receiver ( global positioning system receiver), event data recorder (EDR), flight data recorder (FDR), vehicle infotainment device, marine electronic equipment (e.g., navigation equipment for ships and gyro compasses, etc.), avionics, security It may include at least one of a device, a vehicle head unit, an industrial or domestic robot, an automatic teller's machine (ATM) of a financial institution, or a point of sales (POS) of a store.

According to some embodiments, the electronic device is a piece of furniture or building/structure including a communication function, an electronic board, an electronic signature receiving device, a projector, or various measurement devices. It may include at least one of devices (eg, water, electricity, gas, or radio wave measurement devices). The electronic device according to the present invention may be a combination of one or more of the aforementioned various devices. Also, the electronic device according to the present invention may be a flexible device. In addition, it is obvious to those skilled in the art that the electronic device according to the present invention is not limited to the above-described devices.

Hereinafter, an electronic device according to various embodiments will be described with reference to the accompanying drawings. The term user used in various embodiments may refer to a person using an electronic device or a device (eg, an artificial intelligence electronic device) using an electronic device.

1 illustrates a processor of an electronic device according to various embodiments of the present disclosure.

1, the electronic device 101 according to various embodiments may include a processor 120 for dividing a core of two virtual cores. For example, the processor 120 may be divided into a virtual generic core 111 that performs tasks in a normal mode (eg, Rich Execution Environment) and a virtual security core 112 that performs tasks in a secure mode (eg, Trusted Execution Environment).

The processor 120 may call a virtual general core 111 system or a virtual security core 112 system through a kernel driver (not shown). The processor 120 may switch to a normal mode or a security mode based on the called system. The system may be operated in a virtual form, but is not limited thereto.

In the memory 130, the general area 131 may store work commands or data through the virtual general core 111, and program modules that are operated during the virtual general core 111 system (eg, a biometric application, a biometric function control module, etc.) It may include. For example, program modules included in the general area 131 may be program modules without access restrictions.

In the memory 130, the security area 132 may store work commands or data through the virtual security core 112, and program modules that are operated during the virtual security core 112 system (eg, a biometric information processing module, a security channel generation module, etc.) It may include. For example, program modules included in the security area may be program modules with access restrictions. The security area 132 may be accessed by secure access or a trusted or authorized signal.

The general area 131 and the security area 132 may be a partial area of the memory 130. In addition, the memory 131 may include a shared area 133 capable of storing mutually accessible commands or data in the case of the virtual general core 111 system or the virtual security core 112 system. The shared area 133 may include memory management information for managing an address space of an operating system stored in the memory 130 and performing resource allocation. The shared area 133 may store information for calling a general core system or a virtual security core system.

The biometric sensor module 140 may sense a recognition object for biometric recognition. The recognition object may be the user's body or at least a part of the body. For example, the recognition object may be an object that can be classified physically and physiologically, such as a user's fingerprint, iris, retina pattern, blood vessel, ear shape, face shape, user's voice, hand shape, and user's handwriting.

The biometric sensor module 140 may include various biometric sensors. For example, it may include a fingerprint recognition sensor, a retina recognition sensor, an iris recognition sensor, a vein sensor, and the like. In addition, the biometric sensor module may include a camera for face recognition or iris recognition, an optical sensor such as an infrared sensor, a pressure sensitive sensor or a touch panel for detecting a handwriting. In various embodiments, the biometric sensor module 140 may receive sensing data outside the electronic device or from a separate electronic device.

Hereinafter, components of an electronic device according to various embodiments will be described with reference to FIGS. 2 and 3.

2 is a block diagram of an electronic device according to various embodiments of the present disclosure.

Referring to FIG. 2, according to various embodiments, the electronic device 101 may include a processor 120 (same as the processor 120 of FIG. 1) and a biometric sensor module 140.

The processor 120 may control the biometric information to be processed by switching to each other within the general area 131 or the security area 132. In the general area 131, the processor 120 performs a task using a resource allocated as a virtual general core, and in the security region 132, the processor 120 may perform a task using a resource allocated as a virtual security core.

In various embodiments, the processor 120 in the general area 131 may control execution of functions for the general input/output interface 210, the biometric function control module 211, and the biometric authentication application 212 and process data. For example, in the general area 131, the processor 120 detects the occurrence of a biometric input event (signal or signal), and controls to provide a notification about the biometric registration result or biometric recognition result to the user interface. In the general area 131, the processor 120 may transmit a biometric input event to the security area 132. For example, the processor 120 of the general area 131 may transmit an interrupt signal to the security area through the kernel driver and call the virtual security core system. Then, the processor 120 may switch the mode to operate the virtual general core system as a virtual security core system.

Within the security area 132, the processor 120 controls the security input/output interface 220, the biometric information processing module 221, and the OS change and the security channel control module 222 to perform functions and process data. For example, in the security area 132, the processor 120 may acquire sensing data from the biometric sensor module 140 in response to an interrupt signal. In the security area 132, the processor 120 may generate biometric data based on the sensing data, register the biometric information, or perform biometric authentication by comparing the biometric data previously registered. In the security area 132, the processor 120 may transmit the biometric information registration result or the biometric authentication result to the general area 131. For example, the processor 120 of the security area 132 may transmit a biometric registration signal or an authentication result signal to the general area 131 through a kernel driver (not shown), and may call a virtual general core system. The biometric information registration result or the biometric authentication result may be information of a true??false type, but is not limited thereto.

According to various embodiments, when the processor 120 is operated as a virtual general core system, the biometric sensor module 140 may sense a recognized object. When sensing of a recognized object is detected, the biometric sensor module may transmit an interrupt signal indicating that sensing has been detected to the general input/output interface 210.

Within the general area 131, the processor 120 may transmit an interrupt signal indicating that sensing has been detected to switch to the virtual security core system to the security input/output interface 220 through a kernel driver (not shown). For example, the interrupt signal may be a secure interrupt signal such as a secure access or authorized signal. Then, the processor 120 may switch to a virtual security core system, that is, a security mode in response to a security interrupt.

In the security area 132, the processor 120 may acquire sensing data from the biometric sensor module 140 through the security input/output interface 220. The sensing data may be raw data obtained from the biosensor module 140 as it is.

In the security area 132, the processor 120 may transmit the acquired sensing data to the biometric information processing module 221 through the security input/output interface 220. The biometric information processing module 221 may generate and store biometric data based on sensing data, and may perform a biometric authentication function. For example, the biometric information processing module 221 may calculate characteristic information of the recognized object from the sensing data. The biometric information processing module 221 may generate biometric data by converting characteristic information of the recognized object into a template form, and store the biometric data. The biometric information processing module 221 may determine a biometric authentication result by comparing the biometric registration data stored in the memory with the biometric authentication data input for authentication. The biometric information processing module 221 may transmit a biometric registration result or biometric authentication result to the secure input/output interface 220.

According to various embodiments, the biometric information processing module 221 generates a unique key based on device-specific identification information (eg, a chipset-specific identifier, etc.), and uses the generated unique key to generate biometric data. It can be encrypted or decrypted.

According to various embodiments, the biometric information processing module 221 may generate pseudo data using a one way function or data arrangement change, and may perform biometric authentication using the fake data. In this case, the original biometric data is stored in a memory allocated to the security area through encryption, and the fake data can be transferred to the general area.

According to various embodiments, the OS change and security channel control module 222 may control a connection to be mutually compatible with a virtual general core or a virtual security core system, and control other electronic devices (eg, servers, etc.) to form a secure channel. . The OS change and secure channel control module 222 may control the connection to be compatible with various security mode execution environments (eg, security OS) operating in the virtual security core system. The OS change and secure channel control module 222 configures the extracted biometric information into one recognition message (eg, info.message) for various uses of biometric information such as payment and login using biometric information, and this is another electronic device. You can establish a secure channel for delivery to devices (eg, servers, etc.). The OS change and secure channel control module 222 may form a secure channel by encrypting through a key generated based on unique identification information set in advance with another electronic device.

In the security area 132, the processor may transmit a biometric registration result or a biometric authentication result signal to the general input/output interface 210 through the security input/output interface 220. Then, the processor may switch to a virtual general core system, that is, a general mode, in response to a biometric registration result or a biometric authentication result signal.

In the general area 131, the processor 120 may transmit a registration result or a biometric authentication result signal input through the general input/output interface 210 to the biometric function control module 211.

The biometric function control module 211 may provide a biometric registration result and a biometric authentication result to a user through the biometric authentication application 212. The biometric function control module 211 may control to perform a function of the biometric application 212 according to a result of biometric recognition.

In various embodiments, when biometric recognition is successful, the biometric function control module 211 may control to run a set application or execute a set function in response to an event for authentication success. For example, when biometric recognition is successful, the biometric function control module 211 may release a screen lock state or allow access to an application requiring personal authentication.

The biometric application 212 may involve biometric-based authentication. Biometric authentication may be programmed to perform biometric authentication in the application itself. Alternatively, biometric authentication may be supported as a function for controlling or managing a separate application supporting biometric recognition, an operating system (OS), a platform, or an electronic device.

3 is a block diagram of a biometric information processing module according to various embodiments of the present disclosure.

3, the biometric information processing module 221 of a security area may include a biometric data generation unit 310, a data matching unit 320, and a security processing unit 330, according to various embodiments of the present disclosure.

The biometric data generation unit 310 may calculate unique feature information of the recognized object based on the sensing data obtained from the biometric sensing module (eg, 140 of FIG. 2 ). The biometric data generation unit 310 may generate biometric data by converting the calculated unique feature information into a biometric template. The template may be an encoding of biometric image information acquired through a sensor. According to an embodiment, the biometric data generation unit 310 may generate a biometric image (e.g., a fingerprint image, an iris image, a face image, etc.) from the sensing data. Can be obtained. For example, the biometric image may be acquired by an optical method using reflection of light or a non-optical method using pressure, heat, or ultrasound. The biometric data generator 310 may extract characteristic information unique to an individual based on the biometric image. For example, feature information for fingerprint recognition may be a minutiae such as a ridge end, a bifurcation point, a core point, or a delta point in the case of fingerprint recognition. . The biometric data generation unit 310 may be calculated in a preset format (or frame) format to check the degree of matching with the stored biometric registration data. For example, the information format of a preset format may be a template format.

When the biometric information registration request is detected, the biometric data generation unit 310 may store the generated biometric data as registration information in the memory. Here, the biometric information registration request may be requested through a security signal transmitted from the general area.

When the biometric recognition request is detected, the data matching unit 320 may determine whether the biometric authentication data input for biometric recognition matches the stored biometric registration data. Here, the biometric recognition request may be requested through a security signal transmitted from the general area.

In various embodiments, the data matching unit 320 may compare specific information calculated from biometric authentication data input for biometric recognition with at least one registered registration data, and calculate a matching value. The matching value may be a value representing information matching the biometric authentication data with the biometric registration data.

For example, the matching value may be calculated as a value representing the number of feature points determined to correspond to each other (or match each other) among feature points included in each biometric data when data is matched. Alternatively, the matching value may be calculated according to statistical data or a probabilistic function in consideration of the distance, direction, or similarity of the arrangement shape of the feature points included in each biometric data.

The data matching unit 320 may determine whether biometric authentication is successful based on a matching value of specific information. For example, when the matching value exceeds a set threshold value, the data matching unit 320 may determine that biometric authentication has been successful, and when the matching value is less than a set threshold value, the data matching unit 320 may determine that biometric authentication has failed.

The data matching unit 320 may control to transmit result information (eg, an authenticity type signal) on whether or not authentication is successful to a biometric recognition function control module in a general area.

The security processing unit 330 may control to encrypt and decrypt the biometric data. The security processing unit 330 may generate a unique key based on unique identification information of the device. For example, the unique key may be a value accessible in the security mode.

In an embodiment, when registering biometric information, the security processing unit 330 may control to encrypt biometric data using a unique key and store the encrypted biometric data in a secure area of a memory. During biometric authentication, the security processing unit 330 may obtain encrypted biometric data from a security area of a memory and decrypt it using a unique key. The security processing unit 330 may transmit the decrypted biometric data to the data matching unit. In this case, the function for generating the unique key is a value that can be generated when operating as a virtual security core system, and access may be restricted when operating as a general compensation core system.

In an embodiment, the security processing unit 330 may control to encrypt biometric data using a unique key and transfer the encrypted biometric data to a biometric recognition function control module (eg, 211 of FIG. 2) in a general area. During biometric recognition, the security processing unit 330 may receive encrypted biometric data from a biometric recognition function control module in a general area, and decrypt the encrypted biometric data using a unique key generated in the security mode. The security processing unit may transmit the decrypted biometric data to the data matching unit.

In an embodiment, the security processing unit 330 may generate pseudo data by transforming the biometric data through a transform function. The transform function may include a one way function, a data array function, and the like, and a function using a value obtainable in a security mode or in a separate security hardware may be used. The transformation function may be stored as metadata of biometric data.

The security processing unit 330 may transmit the generated fake data to the data matching unit 320 and the data generation unit 310. For example, the data generation unit 310 may store the fake data as registration information. The data matching unit 310 may determine whether biometric authentication is successful by comparing the registered fake data with the newly generated fake data.

The security processing unit 330 may variably operate a transformation function for generating fake data. For example, when the biometric information is unintentionally exposed to the outside, the security processing unit 330 may change a transformation function and create new fake data through the changed transformation function. Since metadata of the biometric data is also updated when exposed to the outside, the security processing unit 330 may process the existing biometric data to be newly updated or discarded.

According to various embodiments of the present disclosure, in an electronic device operating in a general area and a security area through a single processor, a biometric sensor module for biometric recognition and a biometric information input event from a biometric sensor module in the general area are detected, and the general area Transmits the biometric information input event to the security area, obtains sensing data from the biometric sensor module in response to the biometric information input event in the security area, processes the sensing data acquired in the security area, and processes the biometric information registration result information and It may include a processor that controls to transmit biometric result information to the general area.

The processor, in the security domain, calculates characteristic information from sensing data, generates biometric data based on the characteristic information, encrypts the biometric data using a unique key generated based on unique identification information, and encrypts It is possible to control the registered biometric data to be registered as biometric information.

The processor may transmit the encrypted biometric data to the general area and store the encrypted biometric data in the general area.

The processor obtains the encrypted registration data from the memory allocated to the security area or the general area, decrypts the encrypted registration data using a unique key generated based on unique identification information, and generates the decrypted registration data Biometric authentication is performed by comparing the biometric data, and as a result of the comparison, when the matching value of the data exceeds a set threshold, it is determined that biometric recognition is successful, and when the matching value is less than the set threshold, it is determined that biometric recognition has failed. can do.

The processor may transmit a signal of an authentic type corresponding to a result of registration or recognition.

The processor may generate fake data using a transformation function on the biometric data, encrypt the fake data, and store the encrypted fake data as biometric registration information.

The processor may perform biometric authentication based on fake data during biometric authentication.

The processor may control to change a transformation function when the biometric information is exposed to the outside.

The transformation function may use a security mode or a value provided through separate security hardware.

4 illustrates a method of registering biometric information of an electronic device according to various embodiments of the present disclosure.

Referring to FIG. 4, in operation 410 to register biometric information (eg, a registration mode), the processor may detect a biometric information input event based on an interrupt signal transmitted from the biometric sensor module in a general area. In the general area, when a function request for registering biometric information is generated, the processor activates the biometric sensor module and senses the recognition object through the biometric sensing module. For example, the electronic device may recognize an operation in which a user contacts a finger with the sensor using a fingerprint sensor. The electronic device may recognize a motion of the user's eyes approaching the sensor using the iris sensor. The electronic device may recognize a motion of a user's hand approaching the sensor using a vein sensor. The electronic device may recognize an operation of a user inputting a voice using a voice sensor. The electronic device may recognize a motion of a user's face approaching the sensor using the face sensor.

In operation 420, when the biometric information input event is detected, the processor may transmit an event detection signal to the security area to call the virtual security core system. In this case, the event detection signal may be a security interrupt signal.

In operation 430, the processor may acquire sensing data from the biometric sensing module in the security area. The sensing data may be raw data of biometric information. For example, the sensing data may include at least one of user's fingerprint, hand pattern, retina pattern, iris pattern, blood vessel pattern, ear shape, face shape, user's voice and handwriting information.

In operation 440, the processor may calculate unique feature information of the recognized object based on the sensing data in the security area. For example, the processor may obtain a sensing image from the sensing data and extract feature information from the sensing image.

In operation 450, the processor may generate biometric data by converting the feature information into a template form in the security area.

In operation 460, the processor in the security area may encrypt the biometric data. For example, the processor may generate a unique key based on the unique identification information of the device in the security area. The unique key may be a value accessible in the security mode. For example, the processor may store function information for generating a unique key in a memory allocated as a security area, and generate a unique key through the function information in the security mode. Meanwhile, operation 460 may be omitted, but is not limited thereto.

In operation 465, the processor may transfer the biometric data encrypted in the security area to the general area. For example, the processor of the general region may store the encrypted biometric data in a memory (eg, REE file system) allocated to the general region.

In operation 470, the processor may store and register biometric data or encrypted biometric data in the security area as registration information for biometric recognition.

In one embodiment, the processor may store and register biometric data in a secure area accessible in the secure mode.

In one embodiment, the processor may store the unique key used for encryption or function information for generating the unique key in a security area accessible in the security mode, and transmit the encrypted biometric data to the general area. The processor in the general area may store and register the encrypted biometric data transmitted from the security area in the general area without access restrictions.

In operation 480, the processor may transmit the biometric registration result from the security area to the general area. In operation 490, the processor of the general region may provide information on which registration of biometric information is completed through a virtual general core to a user through a user interface or a component of the electronic device.

On the other hand, the processor may process to perform a re-registration procedure when biometric information registration fails due to a cause such as a deterioration in quality of raw data. To this end, in the general area, the processor may control to provide at least one of feedback on registration failure (eg, visual, auditory effects, etc.) and acquisition of new sensing data through a user interface.

5 illustrates a method of authenticating biometric information of an electronic device according to various embodiments of the present disclosure.

Referring to FIG. 5, in operation 510 for biometric authentication (eg, authentication mode), the processor may detect a biometric information input event based on an interrupt signal transmitted from a biometric sensor module in a general area. In the general area, when a function request for biometric authentication is generated, the processor activates the biometric sensor module and senses the recognition object through the biometric sensing module.

In operation 520, when a biometric information input event is detected in the general area, the processor may transmit an event detection signal to the security area. In this case, the event detection signal may be a security interrupt signal.

In operation 530, the processor may acquire sensing data from the biometric sensing module in the security area. In operation 540, the processor of the security area may calculate unique feature information of the recognized object based on the sensing data and generate biometric authentication data for biometric authentication. Here, the biometric authentication data may be in a preset format, for example, in a template form.

In operation 550, the processor may receive the encrypted biometric registration data from the general area in the security area, or obtain the encrypted biometric registration data from the memory allocated to the security area.

In operation 560, the processor may decrypt biometric registration data (eg, encrypted biometric data) stored in the secure area. For example, when the encrypted biometric data is obtained, the processor in the security area may decrypt the encrypted biometric data using a unique key. The processor may obtain function information for generating a unique key from a memory allocated to a secure area with access restrictions, and generate a unique key through the obtained function information.

In operation 570, the processor may calculate a matching value by comparing the biometric authentication data and the feature information calculated from the biometric registration data in the security area.

In operation 580, the processor may determine whether biometric authentication is successful based on the matching value of the feature information in the security area. For example, when the matching value exceeds a set threshold, the processor may determine that biometric authentication has been successful, and when the matching value is less than a set threshold, the processor may determine that biometric authentication has failed.

In operation 585, the processor may transfer the biometric authentication result from the security area to the general area. In operation 590, the processor of the general area may provide the biometric authentication result to the user through a user interface or a component of the electronic device.

Meanwhile, the processor may perform processing to perform a re-recognition procedure when biometric information recognition fails due to a deterioration in quality of raw data or the like. To this end, in the general area, the processor may control to provide at least one of feedback (eg, visual, auditory, tactile, olfactory effect, etc.) on recognition failure and acquisition of new sensing data through the user interface. .

6 is a diagram illustrating a method of processing biometric information by an electronic device according to various embodiments of the present disclosure.

Referring to FIG. 6, in various embodiments, in operation 610, the processor may acquire biometric data in the security area. In operation 620, the processor may select a transformation function in the security domain and apply the transformation function in operation 630 to generate pseudo data. In this case, the fake data may be transformed in a preset format, for example, a template form.

The transform function may include a one way function, a data array function, and the like, and a function using a value obtainable in a security mode or in a separate security hardware may be used.

In various embodiments, the processor may re-modify the fake data generated by using the additional information of the biometric data in the security area. The additional information includes information generated when biometric data is generated, biometric matching fitness score, number of attempts, information on the number of fingers when biometric information is a fingerprint, information set in advance when a user registers biometric information, etc. can do. The transformation function and additional information may be stored as metadata of biometric data. Meta data of biometric data may be stored in a memory allocated as an accessible area in the secure mode.

In operation 640, the processor may encrypt the fake data modified in the security area. For example, the processor may generate a unique key based on the unique identification information of the device in the security area.

In operation 650, the processor may use the modified data or encrypted modified data in the security domain as registration information for biometric recognition or biometric authentication information.

In one embodiment, the processor may store the fake data as registration information. The processor may transmit the fake data generated in the security area to the general area, and control the normal area to process a biometric recognition function based on the fake data.

In one embodiment, when biometric data is registered as fake data, the processor transforms the biometric authentication data newly input for biometric authentication into fake data through a transformation function in a secure mode, and converts the modified fake data into registered fake data. By comparing it with the data, it is possible to determine whether or not biometric authentication is successful.

In an embodiment, when the biometric information is exposed to the outside, the processor may control to change a transformation function and control to update metadata of the biometric data according to the changed transformation function.

According to various embodiments of the present disclosure, there is provided a method for processing biometric information of an electronic device operated in a general area and a security area through a single processor, the method comprising: detecting a biometric information input event from a biometric sensor module in the general area; Transmitting a biometric information input event from the general area to a security area; Acquiring sensing data from a biometric sensor module in response to a biometric information input event in the security area; And processing the sensing data obtained in the security area to transmit the biometric information registration result information and the biometric recognition result information to the general area.

The obtaining may include calculating feature information from sensing data in the security area; Generating biometric data based on the characteristic information in the security area; Encrypting the biometric data in the security area. And

In the security area, the method further includes registering the encrypted biometric data as biometric information, and the encryption may be performed with a unique key generated based on unique identification information in the security area.

The encrypting operation may further include transmitting the encrypted biometric data to a general area.

The obtaining of the sensing data includes: generating biometric data based on the sensing data in the security area; Obtaining, in the security area, encrypted registration data from a memory allocated to a general area or a security area; Decrypting the encrypted registration data in the security area; The method further includes performing biometric authentication by comparing the decrypted registration data with the generated biometric data, and the decryption may be decrypted with a unique key generated based on unique identification information in the security area.

The operation of transmitting the biometric information registration result information and the biometric recognition result information may be transmitted as an authentic type signal corresponding to the registration or recognition result.

The encrypting operation may further include generating fake data using a transformation function for the biometric data, and encrypting the fake data, and may transfer the encrypted fake data to a general area.

The transformation function may use a security mode or a value provided through separate security hardware.

During biometric authentication, biometric authentication can be performed based on fake data.

7 illustrates a network environment 100 including an electronic device 701 according to various embodiments of the present disclosure.

Referring to FIG. 7, the electronic device 701 (eg, 101 of FIG. 1 ), a bus 710, a processor 720, a memory 130, an input/output interface 740, a display 750, and a communication interface 760 may be included.

The bus 720 may be a circuit that connects the above-described components to each other and transmits communication (eg, a control message) between the above-described components.

The processor 720 (eg, 120 in FIG. 1) may include, for example, the other components described above through the bus 710 (eg, the memory 730, the input/output interface 740, the display 750 or the communication interface 760, etc.) It is possible to receive an instruction from, decrypt the received instruction, and perform an operation or data processing according to the decrypted instruction.

The memory 730 may store commands or data received from the processor 720 or other components (eg, the input/output interface 740, the display 750, or the communication interface 760) or generated by the processor 720 or other components. Can be saved. The memory 730 may include programming modules such as a kernel 731, a middleware 732, an application programming interface (API) 733, or an application 734, for example. Each of the above-described programming modules may be composed of software, firmware, hardware, or a combination of at least two or more of them.

The kernel 731 includes system resources (e.g., the bus 710, the processor 720) used to execute an operation or function implemented in the other programming modules, for example, the middleware 732, the API 733, or the application 734. Alternatively, the memory 730, etc.) may be controlled or managed. In addition, the kernel 731 may provide an interface through which the middleware 732, the API 733, or the application 734 can access and control or manage individual components of the electronic device 701.

The middleware 732 may serve as an intermediary so that the API 733 or the application 734 communicates with the kernel 731 to exchange data. In addition, the middleware 732 provides system resources (eg, the bus 710, the processor 720, or the electronic device 701) to at least one application among the applications 734 in relation to the job requests received from the application 734. Control (eg, scheduling or load balancing) on a work request may be performed by using a method such as assigning a priority to use the memory 730 or the like.

The API 733 is an interface for the application 734 to control functions provided by the kernel 731 or the middleware 732, for example, at least one interface or function for file control, window control, image processing or text control, etc. (Example: command) can be included.

According to various embodiments, the application 734 is an SMS/MMS application, an email application, a calendar application, an alarm application, a health care application (eg, an application that measures exercise amount or blood sugar), or an environmental information application (eg: An application that provides information on atmospheric pressure, humidity, or temperature), etc. may be included. Additionally or alternatively, the application 734 may be an application related to information exchange between the electronic device 701 and an external electronic device (eg, the electronic device 704). The application related to the information exchange may include, for example, a notification relay application for delivering specific information to the external electronic device, or a device management application for managing the external electronic device. I can.

For example, the notification delivery application sends notification information generated by another application (eg, SMS/MMS application, email application, health management application, environment information application, etc.) of the electronic device 701 to an external electronic device (eg, electronic device 704). ) Can be included. Additionally or alternatively, the notification delivery application may receive notification information from, for example, an external electronic device (eg, electronic device 704) and provide it to a user. The device management application includes, for example, a function for at least a part of an external electronic device (eg, electronic device 704) communicating with the electronic device 701 (eg, turning on/on of the external electronic device itself (or some component parts)). Turn off or adjust the brightness (or resolution) of the display), manage applications running on the external electronic device or services (eg, call service or message service) provided by the external electronic device (eg, install, delete or update) )can do.

According to various embodiments, the application 734 may include an application designated according to a property (eg, type of electronic device) of the external electronic device (eg, electronic device 704). For example, when the external electronic device is an MP3 player, the application 734 may include an application related to music playback. Similarly, when the external electronic device is a mobile medical device, the application 734 may include an application related to health management. According to an embodiment, the application 734 may include at least one of an application designated to the electronic device 701 or an application received from an external electronic device (eg, the server 706 or the electronic device 704).

The input/output interface 740 may transmit a command or data input from a user through an input/output device (eg, a sensor, a keyboard, or a touch screen), for example, the processor 720, the memory 730, or the communication interface 760 through the bus 710. Can be passed on. For example, the input/output interface 740 may provide data on a user's touch input through a touch screen to the processor 720. In addition, the input/output interface 740 may output commands or data received from the processor 720, the memory 730, or the communication interface 760 through the bus 710 through the input/output device (eg, a speaker or a display). I can. For example, the input/output interface 740 may output voice data processed through the processor 720 to a user through a speaker.

The display 750 may display various types of information (eg, multimedia data or text data) to a user.

The communication interface 760 may connect communication between the electronic device 701 and an external device (eg, the electronic device 704 or the server 706). For example, the communication interface 760 may be connected to a network 762 through wireless communication or wired communication to communicate with the external device. The wireless communication is, for example, Wifi (wireless fidelity), BT (Bluetooth), NFC (near field communication), GPS (global positioning system) or cellular communication (e.g., LTE, LTE-A, CDMA, WCDMA, UMTS , WiBro or GSM, etc.). The wired communication may include, for example, at least one of a universal serial bus (USB), a high definition multimedia interface (HDMI), a recommended standard 232 (RS-232), or a plain old telephone service (POTS).

According to an embodiment, the network 762 may be a telecommunications network. The communication network may include at least one of a computer network, the Internet, the Internet of things, and a telephone network. According to an embodiment, a protocol for communication between the electronic device 701 and an external device (eg, transport layer protocol, data link layer protocol, or physical layer protocol) is an application 734, an application programming interface 733, the middleware 732, and a kernel 731. Alternatively, it may be supported by at least one of the communication interfaces 760.

8 is a block diagram 800 of an electronic device 801 according to various embodiments.

Referring to FIG. 8, the electronic device 801 includes at least one application processor (AP) 810, a communication module 820, a subscriber identification module (SIM) card 824, a memory 830, a sensor module 840, an input device 850, a display 860, and An interface 870, an audio module 880, a camera module 891, a power management module 895, a battery 896, an indicator 897, and a motor 898 may be included. The electronic device 801 may constitute, for example, all or part of the electronic device 101 shown in FIG. 1 or the electronic device 701 shown in FIG. 7.

The AP 810 may control a plurality of hardware or software components connected to the AP 810 by driving an operating system or an application program, and may perform various data processing and operations including multimedia data. The AP 810 may be implemented with, for example, a system on chip (SoC). According to an embodiment, the AP 810 may further include a Graphic Processing Unit (GPU) (not shown).

The communication module 820 (for example, the communication interface 160) performs data transmission and reception in communication between the electronic device 801 (for example, the electronic device 101) and other electronic devices (for example, the electronic device 104 or the server 106) connected through a network. Can be done. According to an embodiment, the communication module 820 may include a cellular module 821, a Wifi module 823, a BT module 825, a GPS module 827, an NFC module 828, and a radio frequency (RF) module 829.

The cellular module 821 may provide a voice call, a video call, a text service, or an Internet service through a communication network (eg, LTE, LTE??A, CDMA, WCDMA, UMTS, WiBro, GSM, etc.). In addition, the cellular module 821 may distinguish and authenticate electronic devices in a communication network using, for example, a subscriber identification module (eg, a SIM card 824). According to an embodiment, the cellular module 821 may perform at least some of functions that can be provided by the AP 810. For example, the cellular module 821 may perform at least a part of a multimedia control function.

According to an embodiment, the cellular module 821 may include a Communication Processor (CP). In addition, the cellular module 821 may be implemented as an SoC, for example. In FIG. 8, components such as the cellular module 821 (for example, a communication processor), the memory 830, or the power management module 895 are shown as separate components from the AP 810, but according to an embodiment, the AP 810 May be implemented to include at least some (eg, cellular module 821) of the above-described components.

According to an embodiment, the AP 810 or the cellular module 821 (for example, a communication processor) loads and processes commands or data received from at least one of a nonvolatile memory or other components connected to each of the volatile memory. can do. In addition, the AP 810 or the cellular module 821 may store data received from at least one of other components or generated by at least one of the other components in a nonvolatile memory.

Each of the Wifi module 823, the BT module 825, the GPS module 827, or the NFC module 828 may include, for example, a processor for processing data transmitted and received through a corresponding module. In FIG. 8, the cellular module 821, the Wifi module 823, the BT module 825, the GPS module 827, or the NFC module 828 are shown as separate blocks, respectively, but according to an embodiment, the cellular module 821, the Wifi module 823, the BT module 825, the GPS At least some (eg, two or more) of the module 827 or the NFC module 828 may be included in one integrated chip (IC) or IC package. For example, at least some of the processors corresponding to each of the cellular module 821, the Wifi module 823, the BT module 825, the GPS module 827, or the NFC module 828 (e.g., a communication processor corresponding to the cellular module 821 and a communication processor corresponding to the Wifi module 823) Wifi processor) can be implemented with one SoC.

The RF module 829 may transmit and receive data, for example, transmit and receive an RF signal. Although not shown, the RF module 829 may include, for example, a transceiver, a power amp module (PAM), a frequency filter, or a low noise amplifier (LNA). In addition, the RF module 829 may further include a component for transmitting and receiving an electromagnetic wave in a free space in wireless communication, for example, a conductor or a conducting wire. In FIG. 8, the cellular module 821, the Wifi module 823, the BT module 825, the GPS module 827, and the NFC module 828 are shown to share one RF module 829 with each other, but according to an embodiment, the cellular module 821, the Wifi module 823 At least one of the BT module 825, the GPS module 827, and the NFC module 828 may transmit/receive an RF signal through a separate RF module.

The SIM card 824 may be a card including a subscriber identification module, and may be inserted into a slot formed at a specific location of the electronic device. The SIM card 824 may include unique identification information (eg, integrated circuit card identifier (ICCID)) or subscriber information (eg, international mobile subscriber identity (IMSI)).

The memory 830 (eg, the memory 130) may include an internal memory 832 or an external memory 834. The internal memory 832 may be, for example, a volatile memory (e.g., dynamic RAM (DRAM), static RAM (SRAM), synchronous dynamic RAM (SDRAM), etc.)) or non-volatile memory (e.g., , At least one of OTPROM (one time programmable ROM), PROM (programmable ROM), EPROM (erasable and programmable ROM), EEPROM (electrically erasable and programmable ROM), mask ROM, flash ROM, NAND flash memory, NOR flash memory, etc.) It may include.

According to an embodiment, the internal memory 832 may be a solid state drive (SSD). The external memory 834 is a flash drive, for example, compact flash (CF), secure digital (SD), micro secure digital (Micro-SD), mini secure digital (Mini-SD), extreme digital (xD), or a Memory Stick. And the like may be further included. The external memory 834 may be functionally connected to the electronic device 801 through various interfaces. According to an embodiment, the electronic device 801 may further include a storage device (or storage medium) such as a hard drive.

The sensor module 840 may measure a physical quantity or detect an operating state of the electronic device 801 and convert the measured or detected information into an electric signal. The sensor module 840 is, for example, a gesture sensor 840A, a gyro sensor 840B, an atmospheric pressure sensor 840C, a magnetic sensor 840D, an acceleration sensor 840E, a grip sensor 840F, a proximity sensor 840G, a color sensor 840H (e.g., RGB (red, green, blue) sensor), a biometric sensor 840I, a temperature/humidity sensor 840J, an illuminance sensor 840K, or an ultra violet (UV) sensor 840M. Additionally or alternatively, the sensor module 840 may include, for example, an olfactory sensor (E??nose sensor, not shown), an EMG sensor (electromyography sensor, not shown), an EEG sensor (electroencephalogram sensor, not shown), and an ECG sensor. (electrocardiogram sensor, not shown), IR (infra red) sensor (not shown), an iris sensor (not shown), or a fingerprint sensor (not shown). The sensor module 840 may further include a control circuit for controlling at least one or more sensors included therein.

The input device 850 may include a touch panel 852, a (digital) pen sensor 854, a key 856, or an ultrasonic input device 858. The touch panel 852 may recognize a touch input in at least one of a capacitive type, a pressure sensitive type, an infrared type, or an ultrasonic type. In addition, the touch panel 852 may further include a control circuit. In the case of capacitive type, physical contact or proximity recognition is possible. The touch panel 852 may further include a tactile layer. In this case, the touch panel 852 may provide a tactile reaction to a user.

The (digital) pen sensor 854 may be implemented using, for example, a method similar to or the same as receiving a user's touch input or a separate recognition sheet. The key 856 may include, for example, a physical button, an optical key, or a keypad. The ultrasonic input device 858 is a device capable of checking data by detecting sound waves with a microphone (eg, a microphone 888) in the electronic device 801 through an input tool generating an ultrasonic signal, and wireless recognition is possible. According to an embodiment, the electronic device 801 may receive a user input from an external device (eg, a computer or a server) connected thereto by using the communication module 820.

The display 860 (for example, the display 150) may include a panel 862, a hologram device 864, or a projector 866. The panel 862 may be, for example, a liquid-crystal display (LCD) or an active-matrix organic light-emitting diode (AMOLED). The panel 862 may be implemented, for example, to be flexible, transparent, or wearable. The panel 862 may be configured with the touch panel 852 as a single module. The hologram device 864 may show a 3D image in the air by using interference of light. The projector 866 may display an image by projecting light onto a screen. The screen may be located inside or outside the electronic device 801, for example. According to an embodiment, the display 860 may further include a control circuit for controlling the panel 862, the hologram device 864, or the projector 866.

The interface 870 may include, for example, a high-definition multimedia interface (HDMI) 872, a universal serial bus (USB) 874, an optical interface 876, or a D-subminiature (D-sub) 878. The interface 870 may be included in, for example, the communication interface 160 illustrated in FIG. 1. Additionally or alternatively, the interface 870 includes, for example, a mobile high-definition link (MHL) interface, a secure digital (SD) card/multi-media card (MMC) interface, or an infrared data association (IrDA) standard interface. can do.

The audio module 880 may convert a sound and an electric signal bidirectionally. At least some components of the audio module 880 may be included in, for example, the input/output interface 140 illustrated in FIG. 1. The audio module 880 may process sound information input or output through, for example, a speaker 882, a receiver 884, an earphone 886, or a microphone 888.

The camera module 891 is a device capable of capturing still images and moving pictures. According to an embodiment, one or more image sensors (eg, a front sensor or a rear sensor), a lens (not shown), and an image signal processor (ISP) are not shown. ) Or flash (not shown) (eg, LED or xenon lamp).

The power management module 895 may manage power of the electronic device 801. Although not shown, the power management module 895 may include, for example, a power management integrated circuit (PMIC), a charger integrated circuit (IC), or a battery or fuel gauge.

The PMIC may be mounted in an integrated circuit or an SoC semiconductor, for example. Charging methods can be divided into wired and wireless. The charger IC may charge a battery and prevent overvoltage or overcurrent from flowing from a charger. According to an embodiment, the charger IC may include a charger IC for at least one of a wired charging method or a wireless charging method. The wireless charging method includes, for example, a magnetic resonance method, a magnetic induction method, or an electromagnetic wave method, and additional circuits for wireless charging, for example, a coil loop, a resonant circuit, or a circuit such as a rectifier may be added. have.

The battery gauge may measure, for example, the remaining amount of the battery 896 and a voltage, current, or temperature during charging. The battery 896 may store or generate electricity, and may supply power to the electronic device 801 by using the stored or generated electricity. The battery 896 may include, for example, a rechargeable battery or a solar battery.

The indicator 897 may display a specific state of the electronic device 801 or a part thereof (for example, the AP 810), for example, a boot state, a message state, or a charging state. The motor 898 may convert an electrical signal into mechanical vibration. Although not shown, the electronic device 801 may include a processing device (eg, a GPU) for supporting mobile TV. The processing device for supporting mobile TV may process media data according to standards such as digital multimedia broadcasting (DMB), digital video broadcasting (DVB), or media flow.

Each of the above-described components of the electronic device according to the present invention may be composed of one or more components, and the name of the corresponding component may vary according to the type of the electronic device. The electronic device according to the present invention may be configured to include at least one of the above-described components, and some components may be omitted or additional other components may be further included. In addition, some of the constituent elements of the electronic device according to the present invention are combined to form a single entity, so that functions of the corresponding constituent elements before the combination may be performed in the same manner.

The term "module" used in the present invention may mean, for example, a unit including one or a combination of two or more of hardware, software, or firmware. "Module" may be used interchangeably with terms such as unit, logic, logical block, component, or circuit, for example. The "module" may be the smallest unit of integrally configured parts or a part thereof. The "module" may be a minimum unit or a part of one or more functions. The "module" can be implemented mechanically or electronically. For example, the "module" according to the present invention, known or to be developed in the future, is an application-pecific integrated circuit (ASIC) chip, field-rogrammable gate arrays (FPGAs), or programmable logic devices that perform certain operations. ogic device).

According to various embodiments, at least a part of an apparatus (eg, modules or functions thereof) or a method (eg, operations) according to the present invention is, for example, a computer-readable storage medium in the form of a programming module. -readable storage media). When the instruction is executed by one or more processors (eg, the processor 210), the one or more processors may perform a function corresponding to the instruction. The computer-readable storage medium may be, for example, the memory 220. At least a portion of the programming module may be implemented (eg, executed) by the processor 210, for example. At least a portion of the programming module may include, for example, a module, a program, a routine, a set of instructions or a process for performing one or more functions.

The computer-readable recording medium includes magnetic media such as hard disks, floppy disks, and magnetic tapes, and optical recording media such as Compact Disc Read Only Memory (CD-ROM) and Digital Versatile Disc (DVD). Media), Magnetic-Optical Media such as a floptical disk, and program commands such as read only memory (ROM), random access memory (RAM), flash memory, etc. ) May include hardware devices specifically configured to store and perform Further, the program instruction may include not only machine language codes such as those produced by a compiler but also high-level language codes that can be executed by a computer using an interpreter or the like. The above-described hardware device may be configured to operate as one or more software modules to perform the operation of the present invention, and vice versa.

The module or programming module according to the present invention may include at least one or more of the above-described elements, some of the above-described elements may be omitted, or additional other elements may be further included. Operations performed by a module, a programming module, or other components according to the present invention may be executed sequentially, in parallel, repeatedly, or in a heuristic manner. Also, some operations may be executed in a different order, omitted, or other operations may be added.

According to various embodiments, in a storage medium storing instructions, the instructions are set to cause the at least one processor to perform at least one operation when executed by at least one processor, and the at least one operation is A method for processing biometric information of an electronic device operated as a general area and a security area through a single processor, the method comprising: detecting a biometric information input event from a biometric sensor module in the general area; Transmitting a biometric information input event from the general area to a security area; Acquiring sensing data from a biometric sensor module in response to a biometric information input event in the security area; And processing the sensing data obtained in the security area to transmit the biometric information registration result information and the biometric recognition result information to the general area.

In addition, the embodiments of the present invention in the present specification and drawings are provided only to provide specific examples to easily explain the technical content of the present invention and to aid in understanding of the present invention, and are not intended to limit the scope of the present invention. Therefore, the scope of the present invention should be construed as including all changes or modified forms derived based on the technical idea of the present invention in addition to the embodiments of the present invention to be included in the scope of the present invention.

101: electronic device
120: processor
111: virtual normal core
112: weather security core
131: general area
132: security zone
140: biometric sensor module

Claims (23)

In an electronic device for processing biometric information,
Biometric sensor module; And
And a processor operatively connected to the biometric sensor module and operable in a normal mode (REE) and a security mode (TEE),
The processor,
In the normal mode, receiving a signal from the biometric sensor module,
Upon receiving the signal, switch the mode to operate in the secure mode,
In the security mode, sensing data from a biometric object sensed by the biometric sensor module is acquired through a security input/output interface,
In the security mode, biometric data is generated based on the acquired sensing data,
In the security mode, biometric registration is performed based on the generated biometric data,
Configured to obtain result information of the biometric registration from the security mode in the general mode,
An electronic device capable of accessing the data sensed from the biometric sensor module through the secure input/output interface by the processor while operating in the secure mode. The method of claim 1,
Further comprising a memory including a general area and a security area,
The general area is accessible by the processor operating in the general mode,
The general area and the security area are accessible by the processor operating in the security mode. The method of claim 2,
The processor,
An electronic device configured to perform the biometric registration by storing the generated biometric data in the secure area. The method of claim 2,
The processor,
Performing the biometric registration by encrypting the generated biometric data,
An electronic device configured to store the encrypted biometric data in the general area. The method of claim 3,
The processor,
An electronic device configured to perform biometric authentication by matching the biometric data newly generated through the biometric sensor module with the stored biometric data. The method of claim 3,
The processor,
In the normal mode, another signal is received from the biometric sensor module,
As the other signal is received, in the security mode, additional sensing data from the biometric object sensed by the biometric sensor module is obtained through the security input/output interface,
In the security mode, additional biometric data is generated based on the additional sensing data,
In the secure mode, an electronic device configured to perform biometric authentication based on the additional biometric data and the stored biometric data. The method of claim 6,
The other signal is an electronic device including a trigger signal or a biometric input event signal. The method of claim 1,
The signal includes a trigger signal or an interrupt signal. The method of claim 1,
The processor,
In the secure mode, an electronic device configured to generate the biometric data based on the sensing data by obtaining feature information from the sensing data and generating the biometric data based on the obtained feature information. The method of claim 9,
The processor,
An electronic device configured to encrypt the biometric data with a unique key generated based on unique identification information. The method of claim 9,
The sensing data is accessible by the processor only while the processor is operating in the secure mode. In an electronic device for processing biometric information,
Biometric sensor module; And
And a processor operatively connected to the biometric sensor module and operable in a normal mode (REE) and a security mode (TEE),
The processor,
In the normal mode, receiving a signal from the biometric sensor module,
Upon receiving the signal, transfer an event signal from the normal mode to the security mode,
Upon receiving the event signal, in the security mode, sensing data from the biometric object sensed by the biometric sensor module is acquired through a security input/output interface,
In the security mode, biometric data is generated based on the acquired sensing data,
In the security mode, biometric registration is performed based on the generated biometric data,
Configured to obtain the result information of the biometric registration from the security mode in the general mode,
An electronic device capable of accessing the data sensed from the biometric sensor module through the secure input/output interface by the processor while operating in the secure mode. The method of claim 12,
The processor,
An electronic device configured to switch an operating mode of the processor from the normal mode to the secure mode upon receiving the signal. The method of claim 12,
Further comprising a memory including a general area and a security area,
The general area is accessible by the processor operating in the general mode,
The general area and the security area are accessible by the processor operating in the security mode. The method of claim 14,
The processor,
An electronic device configured to perform the biometric registration by storing the generated biometric data in the secure area. The method of claim 14,
The processor,
Performing the biometric registration by encrypting the generated biometric data,
An electronic device configured to store the encrypted biometric data in the general area. The method of claim 14,
The processor,
An electronic device configured to perform biometric authentication by matching the biometric data newly generated through the biometric sensor module with the stored biometric data. The method of claim 14,
The processor,
In the normal mode, another signal is received from the biometric sensor module,
As the other signal is received, in the security mode, additional sensing data from the biometric object sensed by the biometric sensor module is obtained through the security input/output interface,
In the security mode, additional biometric data is generated based on the additional sensing data,
In the secure mode, an electronic device configured to perform biometric authentication based on the generated additional biometric data and the stored biometric data. The method of claim 12,
The processor,
In the secure mode, an electronic device configured to generate the biometric data based on the sensing data by obtaining feature information from the sensing data and generating the biometric data based on the obtained feature information. The method of claim 19,
The processor,
An electronic device configured to encrypt the biometric data with a unique key generated based on unique identification information. The method of claim 18,
The other signal is an electronic device including a trigger signal or a biometric input event signal. The method of claim 12,
The signal includes a trigger signal or an interrupt signal. The method of claim 12,
The sensing data is accessible by the processor only while the processor is operating in the secure mode.

Images