WO2018098950A1 - Method and device of using local authorization certificate in terminal - Google Patents


Info

Publication number
WO2018098950A1
Authority
WO
WIPO (PCT)
Prior art keywords
service
terminal
local authorization
request
information
Application number
PCT/CN2017/078605
Other languages
French (fr)
Chinese (zh)
Inventor
王思善
常新苗
Original Assignee
华为技术有限公司
Application filed by 华为技术有限公司
Priority to CN201780009062.0A (CN108604990A)
Publication of WO2018098950A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a method and an apparatus for using local authorization credentials in a terminal.
  • the authentication center is a third-party authority that authenticates the identity of the terminal and is not tied to any specific service.
  • the server of the authentication center is usually placed in the public network for the authentication server to invoke. This kind of cross-domain call cannot be implemented in the IT systems of banks and other financial institutions. Therefore, to resolve the dependency of the authentication server on the authentication center, when the terminal receives a service registration request from an application and has verified that the request comes from a legitimate server, the terminal needs to go to the authentication center for a validity check of the terminal, so that it can prove to the server that the service registration response comes from a legitimate terminal.
  • when the validity check of the terminal is performed, the terminal signs the service registration request with the original equipment manufacturer (OEM) private key preset at the factory, encrypts the service registration response with the authentication center public key to generate a data packet, and sends the data packet to the authentication center for the validity check of the terminal.
  • the authentication center decrypts the service registration response data packet, verifies the legality of the terminal by verifying the signature data generated with the OEM private key, encrypts the verification result and sends it to the authentication server; the authentication server decrypts the verification result and performs the subsequent business logic based on it.
  • in the existing scheme, the validity of the terminal that generates and registers the service public key needs to be detected. Since different application services are independent of each other, the service key pair generated by the terminal is not universal across services.
  • the application provider needs to verify the legality of the terminal that generates the service key pair.
  • even after legality detection has been performed once, the terminal still needs to go to the authentication center repeatedly to check the validity of the terminal in response to each service registration request, which increases the resource consumption of the terminal, prolongs the processing time of the service request, and thereby reduces the efficiency of service registration request processing.
  • the embodiment of the invention discloses a method and a device for using a local authorization credential in a terminal, which are used for improving the efficiency of service request processing.
  • the first aspect discloses a method for using a local authorization credential in a terminal.
  • when the service request requires a terminal legality certificate to be provided, the terminal acquires a local authorization credential in the terminal, where the local authorization credential is a credential authorized by the authentication center and stored in the terminal that can be used to provide the terminal legality certificate; the terminal then generates and sends a service response corresponding to the service request according to the local authorization credential and the service request, and the service response includes the terminal legality certificate.
  • the authentication center issues the terminal a credential for providing the terminal legality certificate, so that the terminal can provide the terminal legality certificate locally and does not need to go to the authentication center for terminal legality detection every time a service request requires the terminal legality certificate; this reduces the resource consumption of the terminal, shortens the operation time of the service, and improves the efficiency of service request processing.
  • the terminal legality certificate includes signature information generated using a local authorized private key, and the local authorized private key is generated by the terminal, and stored locally, before the terminal sends the request information for obtaining the local authorization credential to the authentication center. In this way the terminal can provide the terminal legality certificate locally and prove to the authentication server the identity of the sender of the service response, that is, the identity of the terminal, thereby improving security.
  • the service request is one of a service registration request and a service execution request.
  • when the service request is a service registration request, the service response further includes a service public key; when the service request is a service execution request, the service response further includes signature information generated using the service private key. The service public key and the service private key are generated when the terminal receives the service registration request, and the signature information generated using the service private key proves that the service execution response is sent by the same terminal that sent the service registration response. The service execution response is the service response corresponding to the service execution request, and the service registration response is the service response corresponding to the service registration request; the service key pair is generated in the service registration phase and can be used in the service execution phase.
  • signing with the service private key proves that the terminal authorizes the current service execution, thereby improving the security of the service.
  • the service server may choose to require the terminal legality proof when the service is executed and to set a service type requirement, which reduces the risk of relying only on the terminal legality certificate provided by the terminal during the registration phase, thereby improving the security of service execution.
  • if a first local authorization credential exists in the terminal, the first local authorization credential is within its validity period, and the first local authorization credential meets the service type requirement of the service request, the terminal uses the first local authorization credential to construct the terminal legality certificate, generates the service response corresponding to the service request with the terminal legality certificate included, and sends the service response. Thus the service server can set a service type requirement according to the service to strengthen its control of service risk; the service response including the terminal legality certificate is generated only after the locally saved local authorization credential has been checked against the service type requirement, which reduces the probability of risk and improves the security of the service.
  • the service request includes a service type requirement, the service type requirement includes a risk management requirement, the risk management requirement is generated by the service server for the first local authorization credential, and the service request is sent by the service server.
  • the terminal sends request information for acquiring a second local authorization credential to the authentication center, so that the authentication center generates the second local authorization credential; the terminal receives and saves the second local authorization credential, constructs the service response corresponding to the service request using the second local authorization credential, and sends the service response.
  • a local authorization credential can be used to construct a service response only when it meets the validity period and the service type requirement, so that the security of the service is improved.
  • the request information for acquiring the second local authorization credential includes at least one of device information or device identity information, a signature generated using the original device manufacturer private key, and the local authorized public key, so that the authentication center searches for the stored original device manufacturer public key according to the device information or the device identity information, verifies the original device manufacturer signature, and generates the second local authorization credential.
  • the local authorized public key is the public key corresponding to the local authorized private key; the device information or the device identity information is information the authentication center requires from the terminal when it receives the request information for the second local authorization credential, or information that the authentication center has negotiated with the terminal in advance.
  • the first local authorization credential and the second local authorization credential include a validity period, a local authorized public key, and signature information generated using the authentication center private key, which the authentication center generates and saves for generating local authorization credentials.
  • the authentication server verifies the local authorization credential according to the saved authentication center public key, and verifies the terminal legality certificate included in the service response according to the local authorization credential, thereby improving the security of service execution.
  • the first local authorization credential and the second local authorization credential further include a credential security level, which the authentication center determines according to the device information. The credential security level is one kind of service type requirement: for local authorization credentials of different security levels, the service server sets the corresponding service type requirement according to the security needs of the service, so that the terminal provides a terminal legality certificate that meets the service type requirement, thereby improving the security of service execution.
  • the local authorized public key is generated and saved locally by the terminal before it sends the request information for acquiring the first local authorization credential, or the request information for acquiring the second local authorization credential, to the authentication center.
  • the validity period is determined by the authentication center according to the security level of the device, and the security level of the device is determined by the device information. The device information is either sent by the terminal to the authentication center in the request information for the first local authorization credential or the second local authorization credential, or found by the authentication center in its database according to the device identity information, which is carried in the request information sent by the terminal to the authentication center for acquiring the first local authorization credential or the second local authorization credential.
  • the service server can set a service type requirement on the validity period, so that the terminal provides the terminal legality certificate locally while satisfying the service type requirement set by the service server, thereby improving the security of service execution.
  • the terminal may detect whether the service request includes indication information indicating that the terminal is to provide the terminal legality certificate; if it does, the terminal acquires the local authorization credential in the terminal and, after the check passes, constructs the terminal legality certificate.
  • the triggering mechanism for providing the terminal legality proof, established according to the indication information, also allows the risk present in the terminal to be controlled during the service execution phase, instead of always trusting the legality proof provided by the terminal during the service registration phase, which improves the security of service execution.
  • the indication information is determined based on at least one preset field or determined according to at least one of the service type requirements.
  • a second aspect discloses a device for using a local authorization credential, the device comprising means for performing a method of using a local authorization credential in a terminal provided by the first aspect or any of the possible implementations of the first aspect.
  • a third aspect discloses a computer readable storage medium comprising instructions that, when executed on a computer, cause the computer to perform the method for using a local authorization credential in a terminal provided by the first aspect or any of the possible implementations of the first aspect.
  • the fourth aspect discloses a terminal, including a processor, a memory, a communication interface, and a bus; the processor, the communication interface, and the memory communicate with each other through the bus; the communication interface is configured to receive and send data; the memory is used to store instructions; and the processor is configured to invoke the instructions in the memory to execute the method for using a local authorization credential in a terminal provided by the first aspect or any possible implementation of the first aspect.
  • FIG. 1 is a schematic structural diagram of a system disclosed in an embodiment of the present invention.
  • FIG. 2 is a schematic flowchart of a method for using a local authorization credential in a terminal according to an embodiment of the present invention.
  • FIG. 3 is a schematic flowchart of a method for generating a local authorization credential according to an embodiment of the present invention.
  • FIG. 4 is a schematic flowchart of a method for using a local authorization credential in another terminal according to an embodiment of the present invention.
  • FIG. 5 is a schematic structural diagram of an apparatus for using local authorization credentials according to an embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of a terminal for running a method for using a local authorization credential in the terminal according to an embodiment of the present invention.
  • the embodiment of the invention discloses a method and a device for using a local authorization credential in a terminal, which are used for reducing terminal resource consumption and improving the efficiency of service request processing. The details are described below separately.
  • FIG. 1 is a schematic diagram of a system architecture disclosed in an embodiment of the present invention.
  • the system can include a terminal 101, an application server 102, and an authentication center 103.
  • the application client 1011 and the unified identity authentication client 1012 and the unified identity authentication trusted application 1013 can be run in the terminal 101.
  • the application client 1011 is the host of the user service on the terminal side, and the unified identity authentication client 1012 is the entity that implements the unified identity authentication function on the terminal side; it can provide services for multiple compatible application clients in the terminal and is responsible for communicating with the authentication center 103.
  • the unified identity authentication trusted application 1013 provides support for the unified identity authentication client 1012, and can access security.
  • the application server 102 may include a service server 1021 and an authentication server 1022 corresponding to the service server; the authentication server 1022 is the executor of unified identity authentication on the application server side, and can be deployed on the service server 1021 to cooperate with it, or deployed independently as a separate server.
  • the authentication center 103 can provide terminal legality detection as part of the unified identity authentication platform.
  • the unified identity authentication platform also includes a unified identity authentication platform root CA (certificate authority).
  • the authentication center 103 pre-stores the authentication center private key and the original equipment manufacturer public keys approved by the authentication center; the authentication server 1022 pre-stores the authentication server certificate issued by the unified identity authentication platform root CA, the authentication server private key, and the authentication center public key.
  • the unified identity authentication trusted application 1013 pre-stores the original device manufacturer private key, the root certificate of the unified identity authentication platform root CA, and the authentication center public key.
  • the terminal 101 sends an application for the local authorization credential to the authentication center 103 through the unified identity authentication client 1012; the authentication center 103 responds, generates a local authorization credential, and sends it to the terminal 101, so that the terminal 101 can provide the terminal 101 legality certificate locally. The user can initiate a service to the service server 1021 through the application client 1011, which may be a registration service or an execution service.
  • the service server 1021 is configured to execute the service flow defined in the unified identity authentication protocol: the authentication server certificate and the signature information generated using the authentication server private key are added to the corresponding service request, which is sent to the application client 1011, and the application client 1011 performs the corresponding service processing by calling the unified identity authentication client 1012.
  • after the unified identity authentication trusted application 1013 has verified the identity of the authentication server 1022, if the service server 1021 requests in the service request that the terminal 101 provide the terminal 101 legality certificate, the local authorization credential generated by the authentication center 103 and saved in the terminal 101 is used to construct the service response corresponding to the service request, containing the terminal 101 legality certificate, and the service response is sent to the authentication server 1022.
  • the authentication server 1022 verifies the service response, obtains the verification result, and notifies the service server 1021 of the verification result, so that the service server 1021 executes the corresponding business logic according to the verification result.
  • the terminal 101 can be a mobile user equipment (UE), an access terminal, a subscriber unit, a subscriber station, a mobile station, a remote station, a remote terminal, a mobile device, a user terminal, a wireless communication device, a user agent or a user device.
  • the access terminal can be a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, a personal digital assistant (PDA), a handheld device with wireless communication capability, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal in a future 5G network, a terminal in a future evolved PLMN network, and the like.
  • the application client 1011 can be any of various application clients, and the unified identity authentication client 1012 is responsible for interacting with the application client 1011 and with the unified identity authentication trusted application 1013 running in the secure environment.
  • FIG. 2 is a schematic flowchart of a method for using a local authorization credential in a terminal according to an embodiment of the present invention; the method is described from the perspective of the terminal 101, the service server 1021, and the authentication server 1022, and may include the following steps.
  • the terminal receives the service request.
  • the service request is sent by the service server, and the service request may include the service registration request and the service execution request.
  • the service registration request requires the terminal to follow the specified process developed by the application server according to the unified identity authentication protocol (referred to in this document as the "specified process"), for example a request to activate the fingerprint verification function.
  • the service execution request corresponds to the process in which, after the fingerprint verification service registration is completed, the terminal is required to perform fingerprint verification according to the specified process.
  • the purpose of the service request is divided into at least two aspects: on the one hand, the terminal is required to perform the service-related process, that is, to generate signature information using the service private key and carry out the subsequent steps; on the other hand, the terminal is required to provide the terminal legality certificate, in which case step S202 is performed.
  • the indication information indicating that the terminal is to provide the legality certificate is generated by the service server, and the terminal determines, according to the indication information, that the service request requires the terminal legality certificate.
  • the service registration request includes the indication information because the registration service needs to perform terminal legality verification.
  • when the service request is a service registration request, the terminal determines according to the indication information that the terminal legality certificate needs to be provided; the indication information may be, for example, one or more fields agreed between the terminal and the service server to indicate that terminal legality is to be proven, or some or all of the information related to the service registration may be treated as the field related to the legality proof; the embodiment is not limited in this respect.
  • when the service request is a service execution request, the service server responds to the application client that initiated the service execution request, and when the service execution request is generated by the authentication server, the service server may determine according to the service itself, such as the sensitivity of the service and its security requirement, whether the terminal is required to provide the terminal legality certificate. When it is required, the service request sent to the terminal requires the terminal to provide the terminal legality certificate, that is, it includes the indication information indicating that the terminal legality certificate is to be provided. When the terminal determines according to the indication information that it needs to provide the terminal legality certificate, it acquires the local authorization credential in the terminal and constructs the terminal legality certificate.
  • the service request, whether a service registration request or a service execution request, may further include authentication server challenge information; the challenge information is a random number generated internally by the authentication server to guarantee that the service request is fresh and to prevent replay attacks. After the terminal returns the service response to the authentication server, the challenge information in the service response is verified to confirm that the service is current.
  • the terminal acquires a local authorization credential.
  • the local authorization credential is a credential authorized by the authentication center and saved in the terminal to provide proof of terminal legality.
  • the terminal acquires the locally saved local authorization certificate, and is used to locally construct a service response including the terminal legality certificate.
  • the authentication center is a third-party authority that authenticates terminal identity; the local authorization credential addresses the problem of low service execution efficiency caused by the terminal having to go to the authentication center.
  • the authentication center responds to the request sent by the terminal for obtaining the local authorization credential; after verifying that the terminal is legitimate, the authentication center generates the local authorization credential corresponding to the terminal, which proves that the authentication center authorizes the terminal to generate the terminal legality certificate locally, and sends the local authorization credential to the terminal, which saves it locally.
  • the local authorization credential can be saved in a secure storage environment of the terminal, such as a trusted execution environment (TEE), a secure element (SE), or another possible secure storage environment.
  • the terminal legality certificate includes signature information generated using the local authorized private key, and the local authorized private key is generated and saved locally by the terminal before it sends the request information for acquiring the local authorization credential to the authentication center.
  • the locally saved local authorization credential proves that the terminal has passed the terminal legality detection of the authentication center and is authorized to generate the terminal legality certificate locally. Therefore the terminal legality certificate includes the local authorization credential, and when the terminal legality certificate is generated the saved local authorized private key is used to generate the signature information; the authentication server verifies the local authorization credential according to the authentication center public key, determines that the terminal is authorized to generate the terminal legality proof locally, and then verifies the signature information generated by the terminal with the local authorized private key according to the local authorized public key in the local authorization credential, so as to determine the legality of the terminal.
  • before the terminal sends the request information for obtaining the local authorization credential to the authentication center, the terminal generates a local authorized asymmetric key pair, saves the local authorized private key locally, and uses the local authorized public key as an element of the request information, so that the authentication center can generate the local authorization credential.
  • the local authorized private key may be stored in a secure storage environment of the terminal, such as a TEE or SE, or another possible secure storage environment.
  • the terminal generates a service response corresponding to the service request according to the local authorization credential and the service request.
  • the service response includes the terminal legality certificate.
  • the service response is sent to the authentication server, which verifies the terminal legality certificate included in the received service response and obtains the verification result.
  • the service request is one of a service registration request and a service execution request; when the service request is a service registration request, the service response further includes a service public key, and when the service request is a service execution request, the service response further includes signature information generated using the service private key. The service public key and the service private key are generated when the terminal receives the service registration request corresponding to the service execution request, and the signature information generated using the service private key proves that the service execution response is sent by the same terminal that sent the service registration response.
  • the service execution response is the service response corresponding to the service execution request, and the service registration response is the service response corresponding to the service registration request.
  • the service request is to perform a service registration specifying process for the requesting terminal, such as a provisioning process of the fingerprint service or the digital certificate service
  • the service request is a service registration request
  • the terminal passes the identity verification of the authentication server
  • the corresponding service is generated.
  • An asymmetric service key pair and storing the service private key in a secure storage environment, and using the service public key as an element in the service registration response corresponding to the service registration request
  • when the service request is a service execution request, it is a request to perform a service, such as fingerprint verification or digital signature
  • the service response also includes signature information generated using the service private key.
  • the authentication server verifies the signature information generated by the service private key by using the service public key included in the previous service registration response or the service public key included in the service execution response, to confirm that the service was carried out by the terminal.
  • the terminal constructs the terminal legality certificate using the first local authorization credential, generates a service response corresponding to the service request, and sends the service response.
  • the service type requirement is generated by the service server according to its own business requirements.
  • for a terminal that has obtained a local authorization credential, it is necessary to determine whether that local authorization credential can be used for the current service to construct the terminal legality certificate.
  • the terminal first checks whether the obtained local authorization credential is within the validity period to determine whether the current local authorization credential is valid; for a credential within the validity period, the terminal further determines, according to the service type requirement included in the service request, whether a terminal legality certificate constructed with the current credential satisfies the service type requirement generated according to the service's own requirements, and if so, constructs the terminal legality certificate using the first local authorization credential and includes the terminal legality certificate in the service response.
  • the service request includes the service type requirement
  • the service type requirement includes a risk management requirement
  • the risk management requirement is generated by the service server for the first local authorization credential, and is used to ensure that the terminal legality certificate that the terminal provides based on the first local authorization credential satisfies the security requirement of the service; the service request is sent by the service server.
  • the service type requirement is generated by the service server, and the service server may set different service type requirements according to the requirements of the service itself, for example according to the sensitivity of the service and the security requirement of the service, such as whether a money transaction is involved and the amount of money involved, dividing the requests into different levels.
  • the service server can classify different service execution requests according to the sensitivity of the service or the security level of the service, and assign different service type requirements to the different categories.
  • service type requirements may include risk management requirements, and may also include other requirements, such as application client version requirements; the risk management requirement includes a risk management parameter and a risk management threshold, and is set for a parameter type in the local authorization credential, such as the validity period or the security level of the credential.
  • the local authorization credential may include at least one of a validity period, a security level of the credential, and the like.
  • the security level of the credential may be determined by the authentication center according to the security level of the device corresponding to the device information, such as the type of the storage environment of the device. The higher the security level of the voucher, the higher the credibility of the currently saved local authorization voucher.
  • Table 1 is a first example of a service server determining a service type requirement according to the service execution request type.
  • the risk management requirement in the service type requirement is generated for the parameter of the validity period in the local authorization certificate.
  • the example takes fingerprint service execution requests as an example; the first column lists the different service execution requests, and the security requirement of the service is determined by at least one of factors such as whether a money transaction is involved, the amount of money involved, and the risk analysis result for the current transaction produced by the service server's risk management system.
  • the server can detect whether the transaction amount is greater than a preset threshold and divide transactions into large and small payments; the service type requirement becomes stricter from top to bottom, that is, the risk management requirement in the service type requirement is gradually tightened.
  • fingerprint login to the client does not involve a money transaction, so the service server may set no risk management requirement and apply only the application client version requirement in the service type requirement; small-value fingerprint payment involves a small amount of money, so the risk management requirement may accept only a local authorization credential generated within 3 months, or, for a credential within its validity period, one whose own validity period exceeds 3 months, and the service type requirement may further require an application client version and other service type requirements; for large-value fingerprint payment, the risk management requirement may accept only a local authorization credential generated within one month, or, for a credential within its validity period, one whose validity period exceeds 6 months, and other service type requirements, such as the application client version, may also be applied.
  • the risk management system of the server may be used to perform risk analysis on the current transaction to identify whether it is an abnormal transaction that does not meet the user's trading habits, and set corresponding risk management requirements according to the risk management result of the transaction.
  • the service type requirements other than the risk management requirements and the application client version requirements are set according to the service requirements, and other service execution request types may be set according to the specific conditions of the service execution request, which is not limited in this embodiment.
  • Table 1 Service server determines the service type requirement according to the type of service execution request.
  • Table 2 is a second example of determining a service type requirement according to the service execution request type, in which the risk management requirement in the service type requirement is generated by the service server for the validity period and the credential security level of the local authorization credential.
  • because the local authorization credential also contains the security level of the credential, on the basis of Table 1 the risk management requirements in Table 2 additionally include a risk management threshold set by the server for the security level of the credential.
  • after receiving the service request, the terminal obtains the locally saved local authorization credential, confirms that the credential is within its validity period, and then determines, according to the service type requirement in the service request and/or the parameters of the local authorization credential, whether the terminal legality certificate to be constructed from the local authorization credential can satisfy the risk management requirement of the service.
  • for example, if the service type requirement requires a local authorization credential generated within 3 days, the terminal further checks whether its local authorization credential was generated within 3 days; if yes, the local authorization credential meets the risk management requirement and the terminal then determines whether the service type requirements other than the risk management requirement are met; if the local authorization credential was generated 5 days ago, it does not meet the risk management requirement.
  • the service server determines the service type requirement according to the type of service execution request.
  • the service type requirement may be delivered by the service server to the application client in advance, and when the service request is received, the saved service type requirement and the service request are forwarded to the unified identity authentication client for verification.
  • the terminal sending, to the authentication center, request information for acquiring a second local authorization credential, so that the authentication center generates the second local authorization credential;
  • the terminal constructs a service response corresponding to the service request by using the second local authorization credential, and sends the service response.
  • when there is no local authorization credential in the terminal, or the existing local authorization credential has expired, or the existing local authorization credential cannot meet the service type requirement required by the service server, the terminal either has no local authorization credential or cannot use the existing one to construct a service response corresponding to the service request locally, and needs to apply to the authentication center again for a new local authorization credential, that is, the second local authorization credential.
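Added example, not code from the patent: how a terminal might apply the validity-period check and the risk management thresholds described above to decide whether its saved first credential can be used or a second credential must be requested from the authentication center. The service type requirements, threshold values, dates and credential field names are constructed assumptions.

```python
"""Terminal-side decision: use the saved local authorization credential or
request a second one. All requirements and values are constructed examples."""
from datetime import datetime, timedelta

# Constructed service type requirements in the spirit of the Table 1 / Table 2
# discussion. A risk management requirement names a credential parameter and a
# threshold; thresholds here are example values, not the patent's.
SERVICE_TYPE_REQUIREMENTS = {
    "fingerprint_login": {
        "min_client_version": (2, 0),  # no risk management requirement at all
    },
    "fingerprint_payment_small": {
        "min_client_version": (2, 1),
        "risk_management": {"max_credential_age_days": 90, "min_security_level": 1},
    },
    "fingerprint_payment_large": {
        "min_client_version": (2, 1),
        "risk_management": {"max_credential_age_days": 30,
                            "min_remaining_validity_days": 180,
                            "min_security_level": 2},
    },
}

NOW = datetime(2017, 3, 30)  # constructed "current time" for the demo


def example_credential(age_days=45, validity_days=365, security_level=2):
    """Constructed local authorization credential as the terminal would hold it."""
    not_before = NOW - timedelta(days=age_days)
    return {"not_before": not_before,
            "not_after": not_before + timedelta(days=validity_days),
            "security_level": security_level}


def credential_valid(credential, now):
    """Validity-period check, which the terminal performs first."""
    return credential["not_before"] <= now <= credential["not_after"]


def meets_risk_management(credential, risk_req, now):
    """Compare the credential's parameters against every threshold present."""
    max_age = risk_req.get("max_credential_age_days")
    if max_age is not None and now - credential["not_before"] > timedelta(days=max_age):
        return False
    min_remaining = risk_req.get("min_remaining_validity_days")
    if min_remaining is not None and credential["not_after"] - now < timedelta(days=min_remaining):
        return False
    min_level = risk_req.get("min_security_level")
    if min_level is not None and credential.get("security_level", 0) < min_level:
        return False
    return True


def decide(credential, service_type_requirement, client_version, now=NOW):
    """Return (action, reason); action is one of
    'use_first_credential', 'request_second_credential', 'requirement_not_met'."""
    if credential is None:
        return "request_second_credential", "no local authorization credential saved"
    if not credential_valid(credential, now):
        return "request_second_credential", "credential outside its validity period"
    risk_req = service_type_requirement.get("risk_management")
    if risk_req and not meets_risk_management(credential, risk_req, now):
        return "request_second_credential", "credential fails the risk management requirement"
    # Requirements other than risk management (here the client version) are
    # checked last; a new credential would not help with them.
    if client_version < service_type_requirement["min_client_version"]:
        return "requirement_not_met", "application client version too old"
    return "use_first_credential", "credential satisfies the service type requirement"


def run_demo():
    """Run the decision for a few constructed situations."""
    cred = example_credential()  # 45 days old, 365-day validity, level 2
    req = SERVICE_TYPE_REQUIREMENTS
    return {
        "small_payment": decide(cred, req["fingerprint_payment_small"], (2, 1))[0],
        "large_payment": decide(cred, req["fingerprint_payment_large"], (2, 1))[0],
        "login_old_client": decide(cred, req["fingerprint_login"], (1, 9))[0],
        "expired": decide(example_credential(age_days=400), req["fingerprint_login"], (2, 0))[0],
        "missing": decide(None, req["fingerprint_login"], (2, 0))[0],
    }


if __name__ == "__main__":
    for case, action in run_demo().items():
        print(f"{case}: {action}")
```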
  • the request information for acquiring the second local authorization credential includes signature information generated by using an original device manufacturer private key, at least one of device information or device identity information, and the local authorized public key, so that the authentication center can look up the stored original device manufacturer public key according to the device information or the device identity information and verify the signature information generated by using the original device manufacturer private key before generating the second local authorization credential.
  • the local authorized public key is a public key corresponding to the local authorized private key, and the device information and the device identity information are required by the authentication center when receiving the request information of the second local authorization credential.
  • the original device manufacturer private key may be preset in the secure storage environment of the terminal, and the authentication center stores the public keys of trusted original device manufacturers; the signature information generated with the original device manufacturer private key, included in the request information for the second local authorization credential, enables the authentication center to extract the saved original device manufacturer public key and verify that signature, thereby checking the legitimacy of the terminal and verifying its identity.
  • after the verification passes, the authentication center generates the local authorization credential for the terminal.
  • the authentication center extracts the saved original device manufacturer public key, which may be looked up by the device identity information; the device identity information may include at least one of a device ID, a vendor identifier, a device model, and the like of the terminal.
  • the authentication center may also require a key specification for the local authorized public-private key pair, such as the key length and the cryptographic algorithm.
  • the first local authorization credential and the second local authorization credential include a validity period, the local authorized public key, and signature information generated using the authentication center private key; the authentication center private key is generated by the authentication center and saved locally there, and is used to generate the local authorization credential.
  • the validity period used in the validity-period judgment is included in the local authorization credential; the local authorized public key is the public key corresponding to the local authorized private key and is used to verify the signature information generated with the local authorized private key in the service response corresponding to a subsequent service request; the signature information generated with the authentication center private key proves that the local authorization credential was issued by the authentication center, that is, that the authentication center recognizes that the terminal may provide the terminal legality certificate locally.
  • the device information may be carried in the request information that is sent by the terminal to the authentication center for obtaining the local authorization credential.
  • if the request information for the local authorization credential carries only device identity information, such as a device ID or other identification information like the manufacturer and model, the authentication center can also look up device information such as the device storage environment in its preset database through the device identity information, determine a device security rating from the storage environment and other device information, and in turn determine the validity period and/or the security level of the credential.
  • the authentication center may set up a risk assessment system based on terminal device information and determine a security score for the terminal according to the device information, mainly the storage environment of the terminal; the security score may be used to determine the validity period of the local authorization credential.
  • the first local authorization credential and the second local authorization credential further comprise a credential security level, wherein the credential security level is determined by the authentication center according to the device information, and the credential security level is one of the parameters that a service type requirement may target.
  • Table 3 is an example of a device security level evaluation system generated by the certification center based on device information.
  • the first column indicates the different storage environment types of the terminal, including REE (rich execution environment)/TEE/SE, etc.
  • the credit score is determined according to the security level of the different storage environment types and corresponds to the device security level evaluated by the authentication center; the authentication center determines the validity period and the security level of the generated local authorization credential based on the credit score.
  • the service server side can also set a risk management requirement for the parameters in the local authorization credential, to ensure that the terminal legality certificate the terminal constructs from its locally saved local authorization credential meets the service's risk management requirements.
  • the security level of the device may be classified according to the storage environment as REE/TEE/SE, and may be further subdivided according to whether the SE meets professional-level detection requirements (such as financial level or military level), or whether the SE and TEE are certified by an authoritative inspection agency, and so on.
  • the authentication center can also divide the credit score, the validity period, and the security level of the credential according to its cooperation relationship with each vendor and the vendor's strength and credit; this embodiment does not limit it.
  • Table 3 Example of equipment security level evaluation system generated by the certification center based on equipment information
  • the local authorized public key is generated and saved locally by the terminal before sending the request information for acquiring the first local authorization credential to the authentication center, or is generated and saved locally by the terminal before sending the request information for acquiring the second local authorization credential to the authentication center.
  • when the local authorization credential in the terminal is updated, that is, when the second local authorization credential is obtained from the authentication center, the local authorized public key may be the one generated for the original local authorization credential, or a new local authorized key pair may be generated; this embodiment does not limit which is used.
  • the validity period is determined by the authentication center according to the security level of the device, the security level of the device is determined by the device information, and the device information is sent by the terminal to the authentication center.
  • the device information or the device identity information is carried in the request information sent by the terminal to the authentication center for acquiring the first local authorization credential or the second local authorization credential.
  • the terminal sends the service response corresponding to the service request to the authentication server, where the authentication server stores the public key of the authentication center, and verifies the signature information generated by using the private key of the authentication center in the local authorization certificate by using the public key of the authentication center.
  • the authentication server then verifies, using the local authorized public key in the local authorization credential, the signature information generated with the local authorized private key in the service response, and obtains the verification result of the terminal legality certificate.
  • the verification result and/or the service-related data in the response, for example the transaction order information of a fingerprint payment, are then sent to the service server.
  • the service execution response corresponding to the service execution request includes signature information generated with the service private key; verified with the service public key saved at service registration or attached to the service execution response, it proves that the service execution response and the service registration response for the corresponding service registration request come from the same terminal.
  • the trust mechanism is that the service server trusts the authentication center, and therefore trusts a terminal authenticated by the authentication center, that is, trusts the local authorization credential in the terminal; the verification of terminal legality therefore requires a two-layer check: first the local authorization credential signed by the authentication center is verified with the authentication center public key, and then the legality of the terminal is verified by checking, with the local authorized public key in the credential, the signature information the terminal generated with the local authorized private key.
  • the authentication center delivers to the terminal a credential for providing the terminal legality certificate, so that the terminal can provide its legality proof locally without going to the authentication center every time, which reduces the resource consumption of the terminal, shortens the service operation time, and improves the efficiency of service request processing.
  • FIG. 3 is a schematic flowchart of a method for generating a local authorization credential, wherein the local authorization credential is generated from a unified identity authentication client.
  • the method for generating the local authorization credential includes the following steps:
  • the unified identity authentication client (the unified identity authentication trusted application) initiates a local authorization certificate application to the authentication center.
  • this step may be performed in advance, to obtain and save the local authorization credential in the terminal before the service registration request is received, or during service registration or service execution: when the terminal has no local authorization credential locally, or the locally saved local authorization credential has exceeded its validity period, or the locally saved local authorization credential does not meet the service type requirement, the terminal needs to go to the authentication center to update the local authorization credential and performs this step then.
  • a unified identity authentication client (Uniform Identity Authentication Trusted Application) collects device information.
  • the device information to collect may be requested from the unified identity authentication client (unified identity authentication trusted application) by the authentication center when it receives the local authorization credential application, or may be pre-agreed between the authentication center and the unified identity authentication client (unified identity authentication trusted application).
  • the device information may include a device ID, a vendor identifier, a device storage environment, and the like.
  • the local authorization key pair specification may be a key length, an encryption algorithm, or the like.
  • the authentication center may at the same time send challenge information for identifying this local authorization credential application and the local authorization key specification to the unified identity authentication client (unified identity authentication trusted application).
  • the unified identity authentication client (Uniform Authentication Trusted Application) generates a local authorization key pair.
  • if the authentication center delivers a local authorization key pair specification requirement, the local authorization key pair is generated according to that specification, and the local authorized private key is stored securely, for example in a secure storage environment such as a TEE or SE, or another possible secure storage environment.
  • the terminal legality certificate can then be constructed from the signature generated with the local authorized private key together with the credential.
  • the unified identity authentication client (Uniform Identity Authentication Trusted Application) generates local authorization certificate application information.
  • the local authorization credential application information may include: the local authorized public key, device information or device identity information, and signature information generated using an original device manufacturer private key; the signature information generated with the original device manufacturer private key is used to prove the validity of the terminal to the authentication center, and the original device manufacturer private key is pre-generated and stored in a secure storage environment. If the authentication center sent challenge information to the unified identity authentication client (unified identity authentication trusted application), the local authorization credential application information may further include the challenge information.
  • the unified identity authentication client (the unified identity authentication trusted application) sends the local authorization certificate application information to the authentication center.
  • the certification center generates a local authorization credential.
  • generating the local authorization credential by the authentication center may further include verifying the local authorization credential application information, specifically: verifying the challenge information, and verifying, with the original device manufacturer public key pre-stored by the authentication center, the signature information in the application information that the terminal generated with the original device manufacturer private key, to determine the legitimacy of the terminal.
  • the certification center may determine the validity period of the local authorization credential to be generated according to the device information.
  • the specific process may be as follows: determining, by the device information, a corresponding device security level, and determining the validity period according to the device security level.
  • the device information is either carried in the request information that the terminal sends to the authentication center for acquiring the first local authorization credential or the second local authorization credential, or is looked up by the authentication center according to device identity information, where the device identity information, such as a device ID or device model, is carried in that request information.
  • the request information for the first local authorization credential or for the second local authorization credential sent to the authentication center is the request information for a local authorization credential. If the local authorization credential saved locally by the terminal has exceeded its validity period, or does not meet the service type requirement, the first local authorization credential refers to the local authorization credential currently in the terminal that does not satisfy the requirement, and the second local authorization credential refers to the local authorization credential regenerated by the authentication center based on the information in this application.
  • the authentication center may also establish its own device security level evaluation system.
  • based on terminal device information, which may be the storage environment of the terminal, the authentication center determines the device security level of the terminal; the device security level may be used to determine the validity period of the local authorization credential, and also determines the credential security level of the local authorization credential.
  • the local authorization credential may include a validity period, a local authorized public key, and signature information generated by using the authentication center private key, and may also include the device information, and may also include a security level of the credential.
  • the authentication center sends the local authorization credential to the unified identity authentication client (Uniform Identity Authentication Trusted Application).
  • the local authorization credential is stored in a secure storage environment of the terminal, such as in a TEE or SE, or in other possible secure storage environments.
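Added example, not code from the patent or from the applicant: a toy model of the flow in FIG. 3 (the authentication center verifies the original device manufacturer signature, derives the validity period and credential security level from the storage environment in the spirit of Table 3, and signs the credential) followed by the two-layer check the authentication server performs on a service response. Textbook RSA over fixed small primes stands in for the real signature scheme, and all keys, tiers, field names and sample values are constructed assumptions.

```python
"""Toy model: credential issuance by the authentication center and the
two-layer verification of a service response. Constructed example only."""
import hashlib
import json

# Textbook RSA over fixed ~30-bit primes: a constructed toy so the example runs
# offline with the standard library only. It has no security value at all.
_TOY_PRIMES = [(1000000007, 998244353), (1000000009, 1000000021), (1000000033, 1000000087)]
_E = 65537


def toy_keypair(slot):
    """Return (public, private) for one of the fixed toy prime pairs."""
    p, q = _TOY_PRIMES[slot]
    n = p * q
    d = pow(_E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return {"n": n, "e": _E}, {"n": n, "d": d}


def _digest(data):
    # 56-bit truncation keeps the hash below the toy modulus (about 2^59.8).
    return int.from_bytes(hashlib.sha256(data).digest()[:7], "big")


def sign(private, data):
    return pow(_digest(data), private["d"], private["n"])


def verify(public, data, signature):
    return pow(signature, public["e"], public["n"]) == _digest(data)


def canonical(obj):
    """Deterministic byte encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


# Constructed evaluation tiers in the spirit of Table 3: storage environment ->
# (validity period in days, credential security level). Values are examples.
DEVICE_TIERS = {"REE": (30, 1), "TEE": (180, 2), "SE": (365, 3)}


def issue_credential(ac_private, oem_public_keys, application, issued_at):
    """Authentication center: verify the OEM signature, then sign a credential."""
    body = application["body"]
    oem_public = oem_public_keys.get(body["device_info"]["vendor"])
    if oem_public is None or not verify(oem_public, canonical(body), application["oem_signature"]):
        raise ValueError("terminal identity not verified: bad original device manufacturer signature")
    validity_days, level = DEVICE_TIERS[body["device_info"]["storage_env"]]
    credential_body = {"local_public_key": body["local_public_key"],
                       "not_before": issued_at,
                       "not_after": issued_at + validity_days * 86400,
                       "security_level": level,
                       "device_info": body["device_info"]}
    return {"body": credential_body, "ac_signature": sign(ac_private, canonical(credential_body))}


def build_service_response(credential, local_private, payload):
    """Terminal: legality certificate = credential + signature with the local authorized private key."""
    return {"credential": credential, "payload": payload,
            "local_signature": sign(local_private, canonical(payload))}


def verify_service_response(ac_public, response, now):
    """Authentication server: layer 1 checks the credential, layer 2 the terminal's signature."""
    credential = response["credential"]
    body = credential["body"]
    if not verify(ac_public, canonical(body), credential["ac_signature"]):
        return False, "credential not issued by the authentication center"
    if not body["not_before"] <= now <= body["not_after"]:
        return False, "credential outside its validity period"
    if not verify(body["local_public_key"], canonical(response["payload"]), response["local_signature"]):
        return False, "service response not signed by the credential holder"
    return True, "terminal legality certificate verified"


def run_demo():
    """Constructed flow; returns verdicts for a genuine response and for tampered ones."""
    ac_public, ac_private = toy_keypair(0)
    oem_public, oem_private = toy_keypair(1)      # preset in the terminal's secure storage
    local_public, local_private = toy_keypair(2)  # local authorized key pair
    issued_at = 1490832000                        # constructed epoch seconds
    app_body = {"local_public_key": local_public, "challenge": "c3a1",
                "device_info": {"device_id": "dev-0001", "vendor": "vendorA", "storage_env": "TEE"}}
    application = {"body": app_body, "oem_signature": sign(oem_private, canonical(app_body))}
    credential = issue_credential(ac_private, {"vendorA": oem_public}, application, issued_at)
    payload = {"challenge": "9f02", "order": "order-42", "amount": 1500}
    response = build_service_response(credential, local_private, payload)
    tampered = dict(response, payload=dict(payload, amount=150000))
    forged = dict(response, credential=dict(credential, body=dict(credential["body"], security_level=3)))
    day = 86400
    return {"genuine": verify_service_response(ac_public, response, issued_at + day),
            "tampered_payload": verify_service_response(ac_public, tampered, issued_at + day),
            "forged_credential": verify_service_response(ac_public, forged, issued_at + day),
            "expired": verify_service_response(ac_public, response, issued_at + 200 * day)}


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case}: {verdict}")
```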
  • FIG. 4 is a schematic flowchart of a method for using a local authorization credential in a terminal according to an embodiment of the present invention; the method is described in terms of the application client 1011, the unified identity authentication client 1012 (the unified identity authentication trusted application 1013), the service server 1021, and the authentication server 1022.
  • the steps attributed to the unified identity authentication client 1012 (the unified identity authentication trusted application 1013) may be performed by either the unified identity authentication client or the unified identity authentication trusted application.
  • the method for using the local authorization credential in the terminal may include the following steps.
  • the application client initiates service registration with the service server.
  • the user can initiate a service registration in the terminal by using the application client.
  • the service registration can be a fingerprint service or a face service of an application.
  • the user can enable a “fingerprint login” or “fingerprint payment” function in an application client of the terminal, which triggers the service registration of the corresponding fingerprint service.
  • S402 The service server generates a service type requirement.
  • the service type requirement is generated by the service server according to its own business requirements.
  • when the service server determines that the service needs the terminal legality certificate, the service type requirement includes a risk management requirement, which the service server generates for the local authorization credential and which is used to ensure that the terminal legality certificate the terminal provides based on the local authorization credential meets the needs of the service.
  • the service server may divide requests into different levels based on at least one factor such as the sensitivity of the service, the security requirement of the service, the risk analysis result of the service server's risk management system, and the risk sensitivity of the current transaction, specifically whether a money transaction is involved, the amount of money involved, whether the transaction matches the user's trading habits, and so on.
  • the service server can classify different service requests according to the sensitivity of the service or the security level of the service, and assign different service type requirements to the different categories; service type requirements may include risk management requirements and may also include other requirements, such as application client version requirements; the risk management requirement includes a risk management parameter and a risk management threshold, and is set for a parameter type in the local authorization credential, such as the validity period or the security level of the credential.
  • the service server sends a service registration notification including a service type requirement to the authentication server.
  • the service server receives the service registration sent by the application client, and sends a service registration notification to the authentication server when receiving the service registration.
  • the authentication server generates a service registration request and sends the service registration request to the service server.
  • the service registration request includes the service type requirement; on receiving the service registration notification, the authentication server generates the service registration request, which asks the terminal to complete registration of the corresponding service according to a specified process, and that process includes the terminal providing the terminal legality certificate during registration.
  • the authentication server stores a corresponding authentication server certificate, and the service registration request generated by the authentication server includes the authentication server certificate, which is used to prove the legality of the authentication server; the service registration request further includes challenge information for identifying this registration and/or signature information generated using the authentication server private key.
  • the service registration request is a kind of service request.
  • the service server sends the service registration request to the unified identity authentication client (Uniform Identity Authentication Trusted Application).
  • the authentication server sends the service registration request to the unified identity authentication client (the unified identity authentication trusted application) via the service server and the application client.
  • the terminal may, through the application client, notify the user to input biometric information, such as a fingerprint, voice, or image, and the terminal receives and saves the information input by the user.
  • the unified identity authentication client (Uniform Identity Authentication Trusted Application) detects the legality of the service registration request.
  • the unified identity authentication trusted application can extract the CRL and the certificate authority root certificate preset in the secure storage environment, and the authentication server certificate includes the authentication server public key. The unified identity authentication client (the unified identity authentication trusted application) detects the legality of the service registration request as follows: it checks whether the authentication server is in the CRL to confirm whether the authentication server has been revoked, and verifies the server certificate with the certificate authority root certificate; once both verifications pass, the service registration request is known to come from a legitimate authentication server.
  • the unified identity authentication client (Uniform Authentication Trusted Application) generates an asymmetric service key pair.
  • the asymmetric service key pair is generated for the service registration request, and the service private key may be stored in a secure storage environment of the terminal, such as TEE or SE, or other possible secure storage environments.
  • the unified identity authentication client (Uniform Authentication Trusted Application) detects whether there is a local authorization certificate locally, and detects whether the local authorization certificate is within a validity period.
  • the service registration request requires the terminal legality certificate to be provided
  • the service registration request includes the indication information
  • when the terminal determines, according to the indication information, that the terminal legality certificate needs to be provided, the terminal first attempts to obtain the local authorization credential stored in the terminal and locally constructs the terminal legality certificate.
  • the local authorization credential may be generated and sent by the authentication center after the terminal initiates service registration for the first time, or the terminal may apply to the authentication center for it before service registration is performed; this embodiment does not limit which. If a local authorization credential has been saved in the current terminal, it is detected whether the local authorization credential is within the validity period.
  • the local authorization credential may include a validity period, a local authorized public key, and signature information generated using the authentication center private key, and may also include device information or device identity information, where the validity period may be generated by the authentication center according to the device security level corresponding to the device information.
  • the unified identity authentication client (Uniform Identity Authentication Trusted Application) detects whether the local authorization certificate meets the service type requirement.
  • when the terminal locally stores the local authorization credential and the local authorization credential is within the validity period, the terminal can provide the terminal legality certificate locally. The unified identity authentication client (the unified identity authentication trusted application) then needs to determine, according to the service type requirement in the service registration request, whether the local authorization credential currently obtained by the terminal satisfies the service requirement, and thus whether the currently obtained local authorization credential can be used to construct the terminal legality certificate.
  • if it can, step S410 is performed; when the terminal has no local authorization credential locally, or the local authorization credential has exceeded its validity period, or the local authorization credential does not meet the service type requirement, the terminal either has no local authorization credential or its current local authorization credential cannot be used to construct the service registration response corresponding to the service registration request,
  • so the terminal needs to re-apply to the authentication center to update the local authorization credential, that is, steps S301-S307 are performed to obtain the updated local authorization credential, and the service registration response corresponding to the service registration request is constructed with the updated local authorization credential.
  • the unified identity authentication client (Uniform Identity Authentication Trusted Application) generates a service registration response.
  • the terminal legality certificate can be constructed using the local authorization credential, and a service response including the terminal legality certificate is generated. It specifically includes three parts: challenge information; service data, including the service public key, the device ID, and other service data such as a biometric hash value; and the terminal legality certificate, including the local authorization credential and signature information generated using the local authorized private key.
  • the service registration response formed from the above information may be encrypted with the authentication server public key in the authentication server certificate and sent to the authentication server.
  • the unified identity authentication client (the unified identity authentication trusted application) sends the service registration response to the authentication server.
  • the service registration response is sent to the authentication server via the application client and the service server.
  • the authentication server verifies the validity of the service registration response.
  • the process of verifying the validity of the service registration response may be: decrypting, with the authentication server private key, the information in the service registration response that was encrypted with the authentication server public key; verifying the challenge information of the authentication server and confirming that the service registration request and the service registration response belong to the same service process; verifying, with the certificate authority public key pre-stored by the authentication server, the signature generated with the authentication center private key in the local authorization credential; and, after that verification passes, obtaining the local authorization public key from the local authorization credential to verify the signature information that the terminal generated with the local authorized private key in the service registration response. These two verifications validate the terminal legality certificate.
  • passing this process indicates that the service registration response comes from a legitimate terminal that has been verified by the certificate authority, so the registration process can continue.
  • the authentication server saves the service public key, sends the verification result and the service related data to the service server so that the registration information is recorded, and sends a notification of successful registration to the terminal.
  • the application client initiates service execution to the service server.
  • the execution process of a service can be initiated in the terminal once the service has been registered; if service registration has not succeeded, the execution process of the service cannot be carried out. For example, an application must first register a fingerprint successfully before processes that use the fingerprint can be carried out.
  • the user can initiate service execution through the application client in the terminal.
  • the service execution can be fingerprint unlocking, face unlocking, or fingerprint payment in an application. For example, the user can click the "face unlock" button in an application client on the terminal, which triggers service execution.
  • the service server determines whether the current service needs to provide the terminal legality certificate.
  • the service server may determine whether the terminal legality certificate is required according to the type of the service execution, or the application client may determine it according to a rule preset by the service server; for example, if no sensitive service such as a transfer is involved, the service server determines that the service does not need to provide the terminal legality certificate. Alternatively, the service is analyzed by the risk control system of the service server to determine whether the legality certificate needs to be provided.
  • the service server can also set up a list for the different service execution types, managing by category which service execution types need to provide the terminal legality certificate. When service execution is received, the list is queried directly to obtain whether that service execution needs to provide the terminal legality certificate.
  • if the service server determines that the current service needs to provide the terminal legality certificate, it also needs to generate a corresponding service type requirement with reference to S402.
  • the service type requirement is generated by the service server, and is used to ensure that the terminal legality certificate constructed according to the local authorization credential in the service response can meet the risk management requirement of the current service.
  • the service type requirement may be preset by the service server in the application client, and when the application client detects that the service request requires the terminal legality certificate to be provided, the service type requirement is added to the service request and sent to the unified identity authentication client (Uniform Identity Authentication Trusted Application).
  • the authentication server generates a service execution request and sends the service execution request to the service server.
  • when the service execution needs to provide the terminal legality certificate, the authentication server generates a service execution request; the service execution request may include the service type requirement, and may also include indication information indicating that the terminal legality certificate needs to be provided, where the indication information is determined according to at least one preset field or according to at least one item of the service type requirement.
  • the service execution request may further include the authentication server certificate, signature information generated using the authentication server private key, challenge information for identifying the current service execution, and service related information, such as transaction order information for a fingerprint payment; it may also include other related information, which is not limited in this embodiment.
  • the service server sends the service execution request to the unified identity authentication client (the unified identity authentication trusted application).
  • the authentication server sends the service execution request to the unified identity authentication client (the unified identity authentication trusted application) via the service server and the application client.
  • the terminal may, through the application client, notify the user to input biometric information, such as a fingerprint, voice, or image, compare it with the information the user input when the service was registered, and obtain the local biometric verification result.
  • the service type requirement and the indication information may be added by the application client, after which the service execution request requiring the terminal legality certificate is sent to the unified identity authentication client.
  • the unified identity authentication client (Uniform Identity Authentication Trusted Application) detects the legality of the service execution request.
  • detecting the validity of the service execution request includes: confirming whether the authentication server has been revoked by searching for it in the CRL, and verifying the server certificate with the root certificate of the certificate authority; once both verifications pass, the request is known to come from a legitimate server.
  • the unified identity authentication client (Uniform Authentication Trusted Application) detects whether the local authorization certificate is saved locally, and if yes, detects whether the local authorization certificate is within the validity period.
  • if no local authorization credential is saved, steps S301-S307 may be performed to obtain the local authorization credential issued by the authentication center, and the subsequent steps are then performed; if a local authorization credential is saved, the validity period in the local authorization credential is obtained and it is determined whether the current local authorization credential is within the validity period. If so, step S419 is performed; if the current local authorization credential has exceeded the validity period, steps S301-S307 are performed to re-acquire the local authorization credential issued by the certificate authority, the local authorization credential is updated, and the next steps are performed.
  • for example, the validity period in the local authorization credential is three months
  • the unified identity authentication client (the unified identity authentication trusted application) detects that the local authorization credential was generated four months ago, which indicates that the local authorization credential has exceeded its validity period
  • steps S301-S307 can then be performed, the local authorization credential is updated, and the subsequent steps are performed.
  • otherwise, the terminal legality certificate is provided locally, and the subsequent steps are performed.
  • the unified identity authentication client (Uniform Identity Trusted Application) detects whether the local authorization certificate meets the service type requirement.
  • the parameters in the local authorization credential may be obtained, such as the validity period in the local authorization credential and the security level of the credential, and the risk management requirement is compared with these parameters to determine whether the local authorization credential meets the service type requirement. For example, taking Table 2 as an example, if the current local authorization credential is valid for 3 months and was generated 2 months ago, its credential security level is 5, and the service execution request is a fingerprint payment (small amount) whose service type requirement is "a local authorization credential generated within 3 months is valid", then the local authorization credential can be judged to meet the risk management requirement in the service type requirement, and the current service can use the credential to construct the terminal legality certificate.
  • S420: the unified identity authentication client (Uniform Identity Authentication Trusted Application) generates a service execution response.
  • the service execution response may include: challenge information; service related data, including the biometric comparison result, together with signature information generated over the service related data using the service private key (the service related data may further include a biometric hash and the service public key); and the terminal legality certificate, including the local authorization credential and the signature generated using the local authorized private key.
  • the biometric comparison result is obtained during the service execution phase by comparing the biometric information collected by the application client with the biometric information saved locally in the service registration phase.
  • the service execution response may further include the current biometric hash. Further, identifier information may be added, which is used to indicate that the service execution response includes the locally constructed terminal legality certificate.
  • the service execution response is encrypted by the authentication server public key in the authentication server certificate.
  • the unified identity authentication client (the unified identity authentication trusted application) sends the service execution response to the authentication server.
  • the service execution response is sent to the authentication server via the application client and the service server.
  • the authentication server verifies the validity of the service execution response.
  • the process of verifying the validity of the service execution response is: decrypting, with the authentication server private key, the information in the service execution response that was encrypted with the authentication server public key; verifying the challenge information of the authentication server and confirming that the service execution request and the service execution response belong to the same service process; verifying, with the certificate authority public key pre-stored by the authentication server, the signature information generated with the authentication center private key in the local authorization credential; and, after that verification passes, obtaining the local authorization public key from the local authorization credential to verify the signature information generated with the local authorized private key in the service execution response, which proves the legality of the terminal.
  • the risk management requirement in the service type requirement can be compared once more against the terminal legality certificate.
  • the signature information generated with the service private key is verified with the service public key stored in the service server or attached to the service execution response; if it passes, the service execution response is legal, the verification result is notified to the service server, and the corresponding service is executed on the service server,
  • or the service server is notified to perform the login operation; for example, for a fingerprint payment, the signature generated with the service private key is verified, and after the verification result and the order information are determined to be correct, the payment operation is performed.
  • the authentication server may further determine, according to the identifier information, whether the current service execution triggered the terminal legality proof; for example, part or all of the data segment of the terminal legality certificate in the service response may be used as the identifier information.
  • the identifier information may be generated by the unified identity authentication client or by the application client.
  • the authentication center delivers to the terminal a credential for providing the terminal legality certificate, so that the terminal can provide its legality certificate locally; the locally saved credential can prove that the terminal is legitimate, and it is not necessary to contact the authentication center every time a service is executed, which reduces the resource consumption of the terminal, shortens the operation time of the service, and improves the efficiency of service request processing.
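The terminal-side credential check (credential present, within its validity period, meeting the service type requirement as in the Table 2 example above) and the authentication server's two-signature verification of the response are shown together below in an added Go example; it is not code from the patent or from the applicant. It uses Ed25519 as a stand-in for the signature algorithm the text leaves unspecified, and the credential field layout, the error texts and the day-based "month" are constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"time"
)

// LocalAuthCredential: validity period, local authorized public key, credential
// security level, and the authentication center's signature over those fields.
// Field layout and the Ed25519 algorithm are assumptions; the text fixes neither.
type LocalAuthCredential struct {
	LocalPub      ed25519.PublicKey
	IssuedAt      time.Time
	ValidUntil    time.Time
	SecurityLevel uint8
	CASig         []byte
}

// signedBytes is the canonical byte string the authentication center signs.
func (c *LocalAuthCredential) signedBytes() []byte {
	buf := &bytes.Buffer{}
	buf.Write(c.LocalPub)
	_ = binary.Write(buf, binary.BigEndian, c.IssuedAt.Unix())
	_ = binary.Write(buf, binary.BigEndian, c.ValidUntil.Unix())
	buf.WriteByte(c.SecurityLevel)
	return buf.Bytes()
}

// IssueCredential is the authentication center side (steps S301-S307 in the text).
func IssueCredential(caPriv ed25519.PrivateKey, localPub ed25519.PublicKey,
	issuedAt time.Time, lifetime time.Duration, level uint8) *LocalAuthCredential {
	c := &LocalAuthCredential{LocalPub: localPub, IssuedAt: issuedAt,
		ValidUntil: issuedAt.Add(lifetime), SecurityLevel: level}
	c.CASig = ed25519.Sign(caPriv, c.signedBytes())
	return c
}

// ServiceTypeRequirement is the risk management requirement attached to a request.
type ServiceTypeRequirement struct {
	MaxCredentialAge time.Duration // e.g. "generated within 3 months"
	MinSecurityLevel uint8
}

// CheckCredential is the terminal-side decision: stored, within validity period, and
// meeting the service type requirement? An error means S301-S307 must be rerun.
func CheckCredential(c *LocalAuthCredential, req ServiceTypeRequirement, now time.Time) error {
	switch {
	case c == nil:
		return errors.New("no local authorization credential stored")
	case now.After(c.ValidUntil):
		return errors.New("local authorization credential exceeded its validity period")
	case now.Sub(c.IssuedAt) > req.MaxCredentialAge:
		return errors.New("credential older than the service type requirement allows")
	case c.SecurityLevel < req.MinSecurityLevel:
		return errors.New("credential security level below the service type requirement")
	}
	return nil
}

// ServiceResponse carries the terminal legality certificate: the credential plus a
// signature by the local authorized private key over the challenge and service key.
type ServiceResponse struct {
	Challenge  []byte
	ServicePub ed25519.PublicKey
	Credential *LocalAuthCredential
	LocalSig   []byte
}
func responseBytes(challenge, servicePub []byte, c *LocalAuthCredential) []byte {
	return bytes.Join([][]byte{challenge, servicePub, c.signedBytes()}, nil)
}

// BuildResponse is the terminal side: construct the terminal legality certificate.
func BuildResponse(localPriv ed25519.PrivateKey, c *LocalAuthCredential,
	challenge []byte, servicePub ed25519.PublicKey) *ServiceResponse {
	return &ServiceResponse{Challenge: challenge, ServicePub: servicePub, Credential: c,
		LocalSig: ed25519.Sign(localPriv, responseBytes(challenge, servicePub, c))}
}

// VerifyResponse is the authentication server side: challenge match, the authentication
// center's signature on the credential, the terminal's signature, then the requirement.
func VerifyResponse(caPub ed25519.PublicKey, r *ServiceResponse, expectedChallenge []byte,
	req ServiceTypeRequirement, now time.Time) error {
	if r == nil || r.Credential == nil || !bytes.Equal(r.Challenge, expectedChallenge) {
		return errors.New("challenge mismatch: response does not belong to this request")
	}
	c := r.Credential
	if !ed25519.Verify(caPub, c.signedBytes(), c.CASig) {
		return errors.New("authentication center signature on the credential is invalid")
	}
	if !ed25519.Verify(c.LocalPub, responseBytes(r.Challenge, r.ServicePub, c), r.LocalSig) {
		return errors.New("signature by the local authorized private key is invalid")
	}
	return CheckCredential(c, req, now)
}

func main() {} // no CLI entry point; call IssueCredential, BuildResponse and VerifyResponse from your own code
```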
  • FIG. 5 is a schematic structural diagram of an apparatus for using local authorization credentials according to an embodiment of the present invention. As shown in FIG. 4, the apparatus may include:
  • the local authorization credential obtaining module 501 is configured to obtain a local authorization credential in the terminal when a service request is received, where the service request requires the terminal legality certificate to be provided, and the local authorization credential is a credential authorized by the authentication center and saved in the terminal that is capable of providing the terminal legality certificate;
  • the service response sending module 502 is configured to generate and send a service response corresponding to the service request according to the local authorization credential and the service request, where the service response includes the terminal legality certificate.
  • the terminal legality certificate includes signature information generated using a local authorized private key, and the local authorized private key is generated and saved locally by the terminal when the terminal sends, to the authentication center, the request information for obtaining the local authorization credential.
  • the service request is one of a service registration request and a service execution request
  • the service response further includes a service public key
  • the service response further includes signature information generated using a service private key, where the service public key and the service private key are the key pair corresponding to the terminal that receives the service execution request.
  • the signature information generated using the service private key is used to prove that the service execution response is sent by the same terminal that sent the service registration response, where the service execution response is the service response corresponding to the service execution request.
  • the service registration response is a service response corresponding to the service registration request.
  • the service response sending module 502 is specifically configured to: if a first local authorization credential exists in the terminal, the first local authorization credential is within its validity period, and the first local authorization credential satisfies the service type requirement of the service request, construct the terminal legality certificate using the first local authorization credential, generate the service response corresponding to the service request, and send the service response.
  • the service request includes the service type requirement, where the service type requirement includes a risk management requirement, the risk management requirement is generated by the service server for the first local authorization credential, and the service request is sent by the service server.
  • the service response sending module 502 is specifically configured to: if the first local authorization credential does not exist in the terminal, or if the first local authorization credential in the terminal has exceeded its validity period, or if the first local authorization credential does not satisfy the service type requirement of the service request, send, to the authentication center, request information for acquiring a second local authorization credential, so that the authentication center generates the second local authorization credential;
  • the request information for acquiring the second local authorization credential includes at least one of device information or device identity information, an original device manufacturer signature, and a local authorized public key, so that the authentication center can look up, according to the device information or the device identity information, the stored original device manufacturer public key to verify the original device manufacturer signature and generate the second local authorization credential, where the local authorized public key is the public key corresponding to the local authorized private key, and the device information and the device identity information are information that the authentication center requests the terminal to provide when receiving the request information for the second local authorization credential, or information negotiated in advance between the authentication center and the terminal.
  • the first local authorization credential and the second local authorization credential include a validity period, the local authorized public key, and signature information generated using an authentication center private key, where the authentication center private key is generated and saved by the certificate authority that generates the local authorization credentials.
  • the first local authorization credential and the second local authorization credential further include a credential security level, where the credential security level is determined by the authentication center according to the device information, and the credential security level is one of the parameters covered by the service type requirement.
  • the local authorized public key is generated and saved locally by the terminal before sending the request information for acquiring the first local authorization credential to the authentication center, or is generated and saved locally by the terminal before sending the request information for acquiring the second local authorization credential to the authentication center.
  • the validity period is determined by the authentication center according to a security level of the device, the security level of the device is determined by the device information, and the device information is carried in the request information sent by the terminal to the authentication center for acquiring the first local authorization credential or the second local authorization credential, or the device information is found by the authentication center in a database according to the device identity information.
  • the device identity information is carried in the request information that is sent by the terminal to the authentication center for acquiring the first local authorization credential or the second local authorization credential.
  • the device further includes an indication information detecting module 503, configured to detect whether the service request includes indication information indicating that the terminal legality certificate is to be provided; if the service request includes it, the local authorization credential obtaining module 501 performs the step of obtaining the local authorization credential in the terminal.
  • the indication information is determined according to at least one preset field or determined according to at least one of the service type requirements.
  • FIG. 6 is a schematic structural diagram of a terminal for using the method for using the local authorization credential disclosed in the embodiment of the present invention.
  • the terminal may include a processor 601, a memory 602, a communication interface 603, and a bus 604, where:
  • the bus 604 is used to implement the connection between these components
  • a set of program codes is stored in the memory 602, and the processor 601 is configured to invoke the communication interface 603 to perform the following operations:
  • the processor 601 is further configured to call the program code stored in the memory 602 to perform the following operations:
  • the communication interface 603 is further configured to send the service response.
  • the terminal legality certificate includes signature information generated using a local authorized private key, and the local authorized private key is generated and saved locally by the terminal when the terminal sends, to the authentication center, the request information for obtaining the local authorization credential.
  • the service request is one of a service registration request and a service execution request
  • the service response further includes a service public key
  • the service response further includes signature information generated using a service private key, where the service public key and the service private key are the key pair corresponding to the terminal that receives the service execution request.
  • the signature information generated using the service private key is used to prove that the service execution response is sent by the same terminal that sent the service registration response, where the service execution response is the service response corresponding to the service execution request.
  • the service registration response is a service response corresponding to the service registration request.
  • the processor 601 generating, according to the local authorization credential and the service request, a service response corresponding to the service request specifically includes:
  • constructing the terminal legality certificate to generate a service response corresponding to the service request.
  • the service request includes the service type requirement, where the service type requirement includes a risk management requirement, the risk management requirement is generated by the service server for the first local authorization credential, and the service request is sent by the service server.
  • the processor 601 generating, according to the local authorization credential and the service request, a service response corresponding to the service request specifically includes:
  • the terminal sending, to the authentication center, the request information for acquiring the second local authorization credential, so that the authentication center generates the second local authorization credential;
  • the terminal constructs a service response corresponding to the service request by using the second local authorization credential, and sends the service response.
  • the request information for acquiring the second local authorization credential includes at least one of device information or device identity information, signature information generated using an original device manufacturer private key, and a local authorized public key, so that the authentication center can look up, according to the device information or the device identity information, the stored original device manufacturer public key to verify the signature information generated using the original device manufacturer private key and generate the second local authorization credential.
  • the local authorized public key is the public key corresponding to the local authorized private key, and the device information and the device identity information are information that the authentication center requests the terminal to provide when receiving the request information for the second local authorization credential, or information that the authentication center negotiates with the terminal in advance.
  • the first local authorization credential and the second local authorization credential include a validity period, the local authorization public key, and signature information generated by using an authentication center private key, where the authentication center private key is The certificate authority generates and saves the generated local authorization credentials.
  • the first local authorization credential and the second local authorization credential further include a credential security level, where the credential security level is determined by the authentication center according to the device information, the credential The security level is one of the types of business types required.
  • the local authorized public key is generated and saved locally by the terminal before sending the request information for acquiring the first local authorization credential to the authentication center, or the terminal It is generated and saved locally before sending the request information for acquiring the second local authorization credential to the authentication center.
  • the validity period is determined by the authentication center according to the security level of the device, the security level of the device is determined by the device information, and the device information is that the terminal is authenticated to the terminal.
  • the information sent by the center for obtaining the first local authorization credential or the second local authorization credential request information, or the device information is found by the authentication center in the database according to the device identity information.
  • the device identity information is carried in the request information sent by the terminal to the authentication center for acquiring the first local authorization credential or the second local authorization credential.
  • the processor 601 is further configured to call the program code stored in the memory 602 to perform the following operations:
  • the service request includes indication information for indicating that the terminal legality certificate is provided, if And the step of performing the obtaining the local authorization credential in the terminal by using the indication information for indicating that the terminal validity certificate is provided.
  • the indication information is determined according to at least one preset field or determined according to at least one of the service type requirements.
  • an embodiment of the present invention also discloses a readable storage medium storing program code of a device and/or a terminal for executing the method of using the local authorization credential shown in FIGS. 2 and 3.
  • the above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof.
  • when implemented by a software program, they may be implemented in whole or in part in the form of a computer program product.
  • the computer program product includes one or more computer instructions.
  • when the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present invention are produced in whole or in part.
  • the computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus.
  • the computer instructions may be stored in a computer-readable storage medium or transferred from one computer-readable storage medium to another; for example, they may be transferred from one website, computer, server or data center to another by wire (for example coaxial cable, optical fiber or digital subscriber line (DSL)) or wirelessly (for example infrared, radio or microwave).
  • the computer-readable storage medium may be any available medium accessible to a computer, or a data storage device such as a server or data center that includes one or more available media.
  • the available medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example a DVD), or a semiconductor medium (for example a solid state disk (SSD)).

Abstract

A method and device for using a local authorization credential in a terminal. The method comprises: when a terminal receives a service request, obtaining a local authorization credential in the terminal, where the service request requires a terminal validity proof and the local authorization credential is a credential authorized by an authentication center, stored in the terminal and capable of providing the terminal validity proof; and the terminal generating and sending, according to the local authorization credential and the service request, a service response corresponding to the service request, the service response comprising the terminal validity proof. By implementing embodiments of the present invention, service request processing efficiency can be improved.

Description

Method and device for using a local authorization credential in a terminal
This application claims priority to Chinese Patent Application No. 201611097424.X, filed with the Chinese Patent Office on December 2, 2016 and entitled "A Service Registration Method and Terminal", the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the field of communications technologies, and in particular to a method and an apparatus for using a local authorization credential in a terminal.
Background
In a unified identity authentication system, the authentication center is a third-party authority that authenticates the identity of a terminal and is independent of any specific service. The server of the authentication center is usually placed on the public network for the authentication server to call; such cross-domain calls cannot be implemented in the IT systems of financial institutions such as banks. Therefore, to remove the dependency between the authentication server and the authentication center, a terminal that currently receives a service registration request from an application must, after verifying that the service registration request comes from a legitimate server, apply to the authentication center for a validity check of the terminal, in order to prove to the server that the service registration response comes from a legitimate terminal. During the validity check, the terminal signs the service registration request with the original equipment manufacturer (OEM) private key preset at the factory, encrypts the result with the authentication center public key to produce a service registration response packet, and sends that packet to the authentication center for the validity check. The authentication center decrypts the service registration response packet, verifies the validity of the terminal by verifying the signature data generated with the OEM private key, encrypts the verification result and sends it through the authentication client to the authentication server; the authentication server decrypts the verification result and executes the subsequent service logic according to it.
However, in the existing processing of service registration requests, the validity of the terminal that generates and registers a service public key has to be checked. Because the services of different applications are independent of one another, the service key pair generated by the terminal is not reusable across applications, so when the service registration request of each application is processed, each application provider needs to verify the validity of the terminal that generated the service key pair. When different applications on the same terminal process service registration requests, a terminal that has already passed a validity check must still go to the authentication center repeatedly for a validity check when responding to each service registration request. This increases the resource consumption of the terminal, prolongs the processing time of service requests, and reduces the efficiency of service registration request processing.
Summary of the invention
Embodiments of the present invention disclose a method and a device for using a local authorization credential in a terminal, so as to improve the efficiency of service request processing.
A first aspect discloses a method for using a local authorization credential in a terminal. When the terminal receives a service request, it acquires a local authorization credential in the terminal, where the service request requires a terminal validity proof and the local authorization credential is a credential that is authorized by the authentication center, stored in the terminal and able to provide the terminal validity proof; the terminal then generates and sends, according to the local authorization credential and the service request, a service response corresponding to the service request, where the service response contains the terminal validity proof. The authentication center thus issues to the terminal a credential with which the terminal can provide its validity proof locally, so that the terminal need not go to the authentication center for a validity check each time it responds to a service request that requires such a proof; this reduces the resource consumption of the terminal, shortens service operation time and improves the efficiency of service request processing.
In one embodiment, the terminal validity proof contains signature information generated using a local authorization private key together with the local authorization credential, where the local authorization private key is generated and stored locally by the terminal before it sends the request information for acquiring the local authorization credential to the authentication center. The terminal can thus provide its validity proof locally while also proving to the authentication server the identity of the sender of the service response, namely the terminal, which improves security.
In one embodiment, the service request is one of a service registration request and a service execution request. When the service request is a service registration request, the service response further includes a service public key; when the service request is a service execution request, the service response further includes signature information generated using a service private key. The service public key and the service private key are generated when the terminal receives the service registration request corresponding to the service execution request, and the signature information generated using the service private key proves that the service execution response was sent by the same terminal that sent the service registration response, where the service execution response is the service response corresponding to the service execution request and the service registration response is the service response corresponding to the service registration request. Because the service key pair is generated in the service registration phase, in the service execution phase the terminal can prove that it permits the current service execution by signing with the service private key, which improves the security of the service. The service server may also choose to require a terminal validity proof at service execution time and to set a service type requirement, which reduces the risk of always trusting the validity proof that the terminal provided in the registration phase, and so improves the security of service execution.
In one embodiment, if a first local authorization credential exists in the terminal, is within its validity period and meets the service type requirement of the service request, the terminal uses the first local authorization credential to construct the terminal validity proof, generates the service response corresponding to the service request, the service response containing the terminal validity proof, and sends the service response. The service server can thus set service type requirements according to the service so as to strengthen control of service risk; the terminal checks that the locally stored local authorization credential meets the service type requirement before generating a service response containing the terminal validity proof, which reduces the probability of risk and improves the security of the service.
In one embodiment, the service request contains a service type requirement, the service type requirement contains a risk management requirement, the risk management requirement is generated by the service server for the first local authorization credential, and the service request is sent by the service server.
In one embodiment, if no first local authorization credential exists in the terminal, or the first local authorization credential in the terminal has expired, or the first local authorization credential does not meet the service type requirement of the service request, the terminal sends request information for acquiring a second local authorization credential to the authentication center so that the authentication center generates the second local authorization credential; the terminal receives and stores the second local authorization credential; the terminal uses the second local authorization credential to construct the service response corresponding to the service request and sends the service response. A local authorization credential can be used to construct a service response only when it satisfies both the validity period and the service type requirement, which improves the security of the service.
In one embodiment, the request information for acquiring the second local authorization credential includes at least one of device information and device identity information, a signature generated using the original equipment manufacturer private key, and the local authorization public key, so that the authentication center looks up the stored original equipment manufacturer public key according to the device information or the device identity information, verifies the original equipment manufacturer signature, and generates the second local authorization credential. The local authorization public key is the public key corresponding to the local authorization private key. The device information and the device identity information are information that the authentication center requires the terminal to provide when it receives the request information for the second local authorization credential, or information negotiated in advance between the authentication center and the terminal.
In one embodiment, the first local authorization credential and the second local authorization credential include a validity period, the local authorization public key and signature information generated using the authentication center private key, where the authentication center private key is generated and stored by the authentication center for generating local authorization credentials. When verifying a service response, the authentication server verifies the local authorization credential with the stored authentication center public key and then verifies the terminal validity proof contained in the service response against the local authorization credential, which improves the security of service execution.
In one embodiment, the first local authorization credential and the second local authorization credential further include a credential security level, which is determined by the authentication center according to the device information; the credential security level is one kind of service type requirement. With local authorization credentials divided into different security levels, the service server sets a corresponding service type requirement according to the security needs of the service, so that the terminal provides a terminal validity proof that meets that requirement, which improves the security of service execution.
In one embodiment, the local authorization public key is generated and stored locally by the terminal before it sends the request information for acquiring the first local authorization credential to the authentication center, or before it sends the request information for acquiring the second local authorization credential to the authentication center.
In one embodiment, the validity period is determined by the authentication center according to the security level of the device, the security level of the device is determined by the device information, and the device information is carried in the request information sent by the terminal to the authentication center for acquiring the first local authorization credential or the second local authorization credential, or is looked up by the authentication center in a database according to device identity information, where the device identity information is carried in the request information sent by the terminal to the authentication center for acquiring the first local authorization credential or the second local authorization credential. The service server may set a service type requirement on the validity period, so that the terminal, while providing its validity proof locally, provides a proof that meets the service type requirement set by the service server, which improves the security of service execution.
In one embodiment, the terminal may detect whether the service request contains indication information indicating that a terminal validity proof is to be provided; if it does, the terminal acquires the local authorization credential in the terminal and, after the check passes, constructs the terminal validity proof. Through this trigger mechanism based on the indication information, the risk present in the terminal can also be controlled in the service execution phase, instead of always trusting the validity proof provided by the terminal in the service registration phase, which improves the security of service execution.
In one embodiment, the indication information is determined according to at least one preset field, or according to at least one field in the service type requirement.
A second aspect discloses an apparatus for using a local authorization credential, the apparatus comprising modules for performing the method for using a local authorization credential in a terminal provided by the first aspect or any possible implementation of the first aspect.
A third aspect discloses a computer-readable storage medium comprising instructions which, when run on a computer, cause the computer to perform the method for using a local authorization credential in a terminal provided by the first aspect or any possible implementation of the first aspect.
A fourth aspect discloses a terminal comprising a processor, a memory, a communication interface and a bus; the processor, the communication interface and the memory communicate with one another through the bus; the communication interface is configured to receive and send data; the memory is configured to store instructions; and the processor is configured to call the instructions in the memory to perform the method for using a local authorization credential in a terminal provided by the first aspect or any possible implementation of the first aspect.
Brief description of the drawings
FIG. 1 is a schematic diagram of a system architecture disclosed in an embodiment of the present invention;
FIG. 2 is a schematic flowchart of a method for using a local authorization credential in a terminal disclosed in an embodiment of the present invention;
FIG. 3 is a schematic flowchart of a method for generating a local authorization credential disclosed in an embodiment of the present invention;
FIG. 4 is a schematic flowchart of another method for using a local authorization credential in a terminal disclosed in an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an apparatus for using a local authorization credential disclosed in an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a terminal that runs the above method for using a local authorization credential in a terminal, disclosed in an embodiment of the present invention.
Detailed description
Embodiments of the present invention disclose a method and an apparatus for using a local authorization credential in a terminal, which are used to reduce terminal resource consumption and improve the efficiency of service request processing. Each is described in detail below.
To better understand the method and apparatus for using a local authorization credential in a terminal disclosed in the embodiments of the present invention, the system architecture used by the embodiments is described first. The system architecture is a unified identity authentication system; refer to FIG. 1, which is a schematic diagram of a system architecture disclosed in an embodiment of the present invention. As shown in FIG. 1, the system may include a terminal 101, an application server 102 and an authentication center 103. The terminal 101 may run an application client 1011, a unified identity authentication client 1012 and a unified identity authentication trusted application 1013. The application client 1011 is the entity that implements user services on the terminal side. The unified identity authentication client 1012 is the entity that implements the unified identity authentication function on the terminal side; it can serve multiple compatible application clients on the terminal and is responsible for communicating with the authentication center 103. The unified identity authentication trusted application 1013 supports the unified identity authentication client 1012 and can access the certificate revocation list (CRL) preset in the secure storage environment and the keys that must be stored securely on the terminal side. The application server 102 may include a service server 1021 and an authentication server 1022 corresponding to the service server. The authentication server 1022 executes the unified identity authentication protocol on the application server side; it may be deployed on the service server 1021 to work together with it, or it may be deployed as a separate server. The authentication center 103 can provide terminal validity checks and is part of the unified identity authentication platform, which further includes the platform root CA (certificate authority). The authentication center 103 pre-stores the authentication center private key and the original equipment manufacturer public keys accepted by the authentication center; the authentication server 1022 stores the authentication server certificate issued by the platform root CA, the authentication server private key and the authentication center public key issued to it in advance by the authentication center; and the unified identity authentication trusted application 1013 pre-stores the original equipment manufacturer private key, the root certificate of the platform root CA and the authentication center public key.
The terminal applies for a local authorization credential to the authentication center 103 through the unified identity authentication client 1012; the authentication center 103 responds by generating a local authorization credential and sending it to the terminal 101, so that the terminal 101 can provide its validity proof locally. A user can initiate a service with the service server 1021 through the application client 1011; the service may be a registration service or an execution service. When the service server 1021 executes, through the authentication server 1022, a service flow defined in the unified identity authentication protocol, the authentication server certificate and signature information generated with the authentication server private key are added to the corresponding service request, which is sent to the application client 1011; the application client 1011 performs the corresponding service processing by calling the unified identity authentication client 1012. After the unified identity authentication trusted application 1013 has verified the identity of the authentication server 1022, if the service server 1021 requires in the service request that the terminal 101 provide its validity proof, the trusted application uses the local authorization credential generated by the authentication center 103 and stored in the terminal 101 to construct a service response corresponding to the service request that contains the validity proof of the terminal 101, and sends the service response to the authentication server 1022. The authentication server 1022 verifies the service response, obtains the verification result and notifies the service server 1021 of it, so that the service server 1021 executes the corresponding service logic according to the verification result.
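The credential issuance, reuse and verification flow described in the first aspect and its embodiments above, and again in the FIG. 1 description just given, as an added worked example; this is illustrative code written for this page, not code from the patent or from Huawei's implementation. It uses Go's standard-library Ed25519 for all three signatures (OEM signature in the credential request, authentication center signature on the credential, terminal signature in the service response), which the patent leaves unspecified. The credential encoding, the OEM-signed message layout (device identity followed by the local authorization public key), the validity policy (one day per security level), the signed request nonce, the device record dev-0001 and the fake clock are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

var Clock int64 = 1700000000 // fake time source (Unix seconds) so the validity-period checks can be driven

// Credential is the page's local authorization credential: validity period, local authorization
// public key, credential security level, and the authentication center's signature over them.
type Credential struct{ NotAfter int64; LocalPub ed25519.PublicKey; SecLevel uint8; AcSig []byte }

// tbs is the to-be-signed encoding; the layout is an assumption, the page fixes none.
func (c *Credential) tbs() []byte {
	b := make([]byte, 9, 9+len(c.LocalPub))
	binary.BigEndian.PutUint64(b, uint64(c.NotAfter))
	b[8] = c.SecLevel
	return append(b, c.LocalPub...)
}

// The authentication center keeps, per device identity, the accepted OEM public key and the device
// security level; a credential request carries identity, local public key and an OEM signature over both.
type deviceRecord struct{ oemPub ed25519.PublicKey; secLevel uint8 }
type AuthCenter struct{ priv ed25519.PrivateKey; devices map[string]deviceRecord }
type CredentialRequest struct{ DeviceID string; LocalPub ed25519.PublicKey; OemSig []byte }

// Issue verifies the OEM signature with the stored OEM key, sets level and validity from the device record
// (assumed policy: one day of validity per level), and signs the credential with the AC private key.
func (ac *AuthCenter) Issue(r CredentialRequest) (*Credential, error) {
	d, ok := ac.devices[r.DeviceID]
	if !ok || !ed25519.Verify(d.oemPub, append([]byte(r.DeviceID), r.LocalPub...), r.OemSig) {
		return nil, errors.New("unknown device identity or invalid OEM signature")
	}
	c := &Credential{NotAfter: Clock + 86400*int64(d.secLevel), LocalPub: r.LocalPub, SecLevel: d.secLevel}
	c.AcSig = ed25519.Sign(ac.priv, c.tbs())
	return c, nil
}

// ServiceRequest: Nonce stands in for the request data the terminal signs (assumed); MinSecLevel is the
// service type requirement set by the service server. ServiceResponse is the terminal validity proof.
type ServiceRequest struct{ Nonce []byte; MinSecLevel uint8 }
type ServiceResponse struct{ Cred *Credential; LocalSig []byte }

// Terminal: factory-preset OEM private key, local authorization private key, cached first credential.
type Terminal struct{ deviceID string; oemPriv, localPriv ed25519.PrivateKey; cred *Credential }

// Respond reuses the cached credential when it exists, is unexpired and meets the service type requirement;
// otherwise it fetches a second one. The bool reports whether the authentication center was contacted.
func (t *Terminal) Respond(ac *AuthCenter, req ServiceRequest) (*ServiceResponse, bool, error) {
	c, contacted := t.cred, false
	if c == nil || c.NotAfter <= Clock || c.SecLevel < req.MinSecLevel {
		pub := t.localPriv.Public().(ed25519.PublicKey)
		r := CredentialRequest{DeviceID: t.deviceID, LocalPub: pub}
		r.OemSig = ed25519.Sign(t.oemPriv, append([]byte(t.deviceID), pub...))
		nc, err := ac.Issue(r)
		if err != nil {
			return nil, true, err
		}
		t.cred, c, contacted = nc, nc, true
	}
	return &ServiceResponse{Cred: c, LocalSig: ed25519.Sign(t.localPriv, req.Nonce)}, contacted, nil
}

// AuthServer holds the authentication center public key issued to it in advance.
type AuthServer struct{ acPub ed25519.PublicKey }

// Verify checks the credential with the AC public key, then period and level, and only then the terminal
// signature with the local public key taken from the credential (length-checked: ed25519.Verify panics otherwise).
func (s *AuthServer) Verify(req ServiceRequest, resp *ServiceResponse) error {
	c := resp.Cred
	switch {
	case len(c.LocalPub) != ed25519.PublicKeySize || !ed25519.Verify(s.acPub, c.tbs(), c.AcSig):
		return errors.New("credential malformed or signature invalid")
	case c.NotAfter <= Clock:
		return errors.New("credential expired")
	case c.SecLevel < req.MinSecLevel:
		return errors.New("credential level below service type requirement")
	case !ed25519.Verify(c.LocalPub, req.Nonce, resp.LocalSig):
		return errors.New("terminal signature invalid")
	}
	return nil
}

// NewParties builds one of each party; device dev-0001 at level 2 is a constructed record.
func NewParties() (*AuthCenter, *Terminal, *AuthServer) {
	acPub, acPriv, _ := ed25519.GenerateKey(rand.Reader)
	oemPub, oemPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, localPriv, _ := ed25519.GenerateKey(rand.Reader)
	ac := &AuthCenter{priv: acPriv, devices: map[string]deviceRecord{"dev-0001": {oemPub, 2}}}
	return ac, &Terminal{deviceID: "dev-0001", oemPriv: oemPriv, localPriv: localPriv}, &AuthServer{acPub: acPub}
}

func main() {
	ac, term, as := NewParties()
	req := ServiceRequest{Nonce: []byte("svc-nonce-1"), MinSecLevel: 1}
	for i := 0; i < 2; i++ { // the second pass reuses the cached credential: no round trip
		resp, contacted, err := term.Respond(ac, req)
		fmt.Println("contacted authentication center:", contacted, "accepted:", err == nil && as.Verify(req, resp) == nil)
	}
}
```

The order of checks in Verify matters: the authentication server must validate the credential against the authentication center public key before it trusts the local authorization public key inside it, otherwise a forged credential could carry any key. The credential security level is what makes the service type requirement enforceable without a round trip: a level-3 service cannot be satisfied by a level-2 device no matter how often the terminal refreshes, and the terminal's OEM private key only lets it obtain a credential for its own registered identity.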
终端101可以为可移动的用户设备(英文:User Equipment,UE)、接入终端、用户单元、用户站、移动站、移动台、远方站、远程终端、移动设备、用户终端、无线通信设备、用户代理或用户装置。接入终端可以是蜂窝电话、无绳电话、会话启动协议(英文:Session Initiation Protocol,SIP)电话、无线本地环路(英文:Wireless Local Loop,WLL)站、个人数字处理(英文:Personal Digital Assistant,PDA)、具有无线通信功能的手持设备、计算设备或连接到无线调制解调器的其它处理设备、车载设备、可穿戴设备,未来5G网络中的终端或者未来演进的PLMN网络中的终端等。应用客户端1011可以为各类应用客户端,统一身份认证客户端1012负责与应用客户端1011、运行在安全环境中的统一身份认证可信应用1013可以和认证中心交互。The terminal 101 can be a mobile user equipment (English: User Equipment, UE), an access terminal, a subscriber unit, a subscriber station, a mobile station, a mobile station, a remote station, a remote terminal, a mobile device, a user terminal, a wireless communication device, User agent or user device. The access terminal can be a cellular phone, a cordless phone, a Session Initiation Protocol (SIP) phone, a Wireless Local Loop (WLL) station, and a personal digital processing (English: Personal Digital Assistant, PDA), a handheld device with wireless communication capabilities, a computing device or other processing device connected to a wireless modem, an in-vehicle device, a wearable device, a terminal in a future 5G network, or a terminal in a future evolved PLMN network, and the like. The application client 1011 can be used for various application clients, and the unified identity authentication client 1012 is responsible for interacting with the application client 1011 and the unified identity authentication trusted application 1013 running in the security environment.
Based on the system architecture shown in FIG. 1, refer to FIG. 2, which is a schematic flowchart of a method for using a local authorization credential in a terminal according to an embodiment of the present invention. The method is described from the perspective of the terminal 101, the service server 1021 and the authentication server 1022. As shown in FIG. 2, the method may include the following steps.
S201. The terminal receives a service request.
Specifically, the service request is sent by the service server and may be a service registration request or a service execution request. For example, in a fingerprint verification scenario, a service registration request asks the terminal to enable the fingerprint verification function according to the designated flow that the application server has developed on the basis of the unified identity authentication protocol (hereinafter the "designated flow"); a service execution request asks the terminal, once fingerprint verification service registration is complete, to perform fingerprint verification according to the designated flow.
The service request serves at least two purposes: on the one hand it asks the terminal to perform the service-related flow, that is, to generate signature information with the service private key and carry out the subsequent steps; on the other hand it asks the terminal to provide the terminal legitimacy proof.
In one embodiment, if the service request contains indication information indicating that a terminal legitimacy proof is to be provided, step S202 is performed.
Specifically, the indication information instructing the terminal to provide the legitimacy proof is generated by the service server, and the terminal determines from it that the service request requires a terminal legitimacy proof. When the service request is a service registration request, the request contains this indication information because registration requires the terminal's legitimacy to be verified. The terminal determines from the indication information that a terminal legitimacy proof is needed. The indication may be one or more fields agreed between the terminal and the service server for this purpose, or some or all of the information related to service registration: for example, the terminal determines that a proof is required because the service request is a service registration request, or because the service registration request contains parameters used for risk management requirements, or on the basis of other fields related to the terminal legitimacy proof. This embodiment does not limit the form of the indication.
When the service request is a service execution request, the service server responds to the application client's request to execute the service, and when generating the service execution request through the authentication server, it may decide, according to the needs of the service itself (for example its sensitivity or its security requirements), whether the terminal needs to provide a terminal legitimacy proof. When it does, the service request sent to the terminal asks the terminal to provide the proof, that is, it contains the indication information. Only when the terminal determines from the indication information that a terminal legitimacy proof is required does it retrieve the local authorization credential in the terminal and construct the proof.
The service request, whether a service registration request or a service execution request, may further contain authentication server challenge information. The challenge is a random number generated inside the authentication server; to guarantee that the service request is fresh and to prevent replay attacks, after the terminal returns the service response the authentication server verifies the challenge contained in the service response to confirm that it belongs to the current service.
S202. The terminal acquires the local authorization credential.
Specifically, the local authorization credential is a credential authorized by the authentication center and stored in the terminal that can provide the terminal legitimacy proof. When the service request requires a terminal legitimacy proof, the terminal retrieves the locally stored credential and uses it to construct, locally, a service response containing the proof.
The authentication center is a public-domain server shared by an alliance and a third-party authority that authenticates terminal identity. To avoid the inefficiency that would result if the terminal had to contact the authentication center every time a service server required a terminal legitimacy proof, the authentication center, in response to the terminal's request for the local authorization credential and after verifying the terminal's legitimacy, generates the local authorization credential for that terminal, which proves that the authentication center has authorized the terminal to generate its legitimacy proof locally, and sends the credential to the terminal, which stores it locally.
To protect the local authorization credential, it may be stored in a secure storage environment of the terminal, such as a trusted execution environment (TEE), a secure element (SE), or another possible secure storage environment.
In one embodiment, the terminal legitimacy proof contains signature information generated with a local authorization private key together with the local authorization credential; the local authorization private key is generated and stored locally by the terminal before it sends the request for the local authorization credential to the authentication center.
Specifically, the locally stored local authorization credential proves that the terminal has passed the authentication center's terminal legitimacy check and is authorized to generate the terminal legitimacy proof locally; the proof therefore contains the credential. When generating the proof, the terminal produces signature information with the stored local authorization private key. Together with the credential, this allows the authentication server to verify the credential with the authentication center public key, establishing that the terminal is entitled to generate the legitimacy proof locally, and then to verify the signature information produced with the local authorization private key against the local authorization public key contained in the credential, establishing the terminal's legitimacy. On the other hand, before sending the request for the local authorization credential to the authentication center, the terminal generates a local authorization asymmetric key pair, stores the private key locally, and includes the local authorization public key as an element of the request so that the authentication center can generate the credential.
To protect the local authorization private key, it may be stored in a secure storage environment of the terminal, such as a TEE, an SE, or another possible secure storage environment.
S203. The terminal generates a service response corresponding to the service request according to the local authorization credential and the service request.
Specifically, the service response contains the terminal legitimacy proof. The service response is sent to the authentication server, which verifies the proof contained in the response and obtains a verification result.
In one embodiment, the service request is either a service registration request or a service execution request. When it is a service registration request, the service response further includes a service public key; when it is a service execution request, the service response further includes signature information generated with the service private key. The service public key and service private key are generated when the terminal receives the service registration request that precedes the service execution request, and the signature information generated with the service private key proves that the service execution response was sent by the same terminal that sent the service registration response. Here the service execution response is the service response corresponding to the service execution request, and the service registration response is the service response corresponding to the service registration request.
Specifically, when the service request asks the terminal to carry out the designated service registration flow, such as the enablement flow of a fingerprint service or a digital certificate service, the service request is a service registration request. After the terminal has verified the identity of the authentication server, it generates the asymmetric service key pair for that service, stores the service private key in the secure storage environment, and includes the service public key as an element of the service registration response. When the service request asks the terminal to execute the service, such as performing fingerprint verification or a digital signature, the service response also includes signature information generated with the service private key. After the service execution response is sent to the authentication server, the authentication server verifies the signature produced with the service private key, using the service public key from the earlier service registration response or from the service execution response, to confirm that the terminal has approved this service execution.
In one embodiment, if a first local authorization credential exists in the terminal, is within its validity period and satisfies the service type requirement of the service request, the terminal uses the first local authorization credential to construct the terminal legitimacy proof, generates the service response corresponding to the service request, and sends the service response.
Specifically, the service type requirement is generated by the service server according to its own service needs.
A terminal that has obtained a local authorization credential needs to determine whether that credential can be used to construct the terminal legitimacy proof for the current service. The terminal first checks whether the credential is within its validity period, to determine whether it is currently valid; for a credential that is within its validity period, the terminal further checks, against the service type requirement contained in the service request, whether a legitimacy proof constructed with the current credential can satisfy the requirement the service server generated from its own needs. If so, the terminal constructs the terminal legitimacy proof with the first local authorization credential and includes the proof in the service response.
In one embodiment, the service request contains the service type requirement, the service type requirement contains a risk management requirement, and the risk management requirement is generated by the service server for the first local authorization credential, to ensure that the terminal legitimacy proof the terminal provides on the basis of the first local authorization credential meets the security needs of the service; the service request is sent by the service server.
In this embodiment the service type requirement is generated by the service server, which may set different service type requirements according to the needs of the service itself. For example, it may define levels according to the sensitivity or security needs of the service, such as whether money transactions are involved and the amount of money involved: the service server may classify service execution requests by sensitivity or security level and assign different service type requirements to different classes. On the other hand, a service type requirement may contain a risk management requirement and may also contain other requirements, such as an application client version requirement. A risk management requirement contains a risk management parameter and a risk management threshold; it is generated against a parameter type of the local authorization credential, such as the validity period or the security level of the credential.
For example, the local authorization credential may contain at least one of a validity period and a credential security level. The credential security level may be determined by the authentication center from the security level of the device corresponding to the device information, such as the type of the device's storage environment. In general, the higher the credential security level, the more trustworthy the currently stored local authorization credential.
For example, Table 1 is a first example of a service server determining service type requirements according to the type of service execution request. Here the risk management requirement in the service type requirement is generated against the validity period parameter of the local authorization credential. Fingerprint service execution requests are taken as the example: the first column lists the different service execution requests, and the security needs of the service increase from top to bottom. The security need may be determined from at least one of whether money transactions are involved, the amount of money involved, and the risk analysis result the service server's risk management system produces for the current transaction. The server can check whether the transaction amount exceeds a preset threshold and classify transactions as large or small payments; the service type requirement then rises from top to bottom, and the risk management requirement within it rises with it, that is, becomes progressively stricter. Specifically, fingerprint login to the client involves no money transaction, so the service server may set no risk management requirement and only include an application client version requirement in the service type requirement as needed. A small fingerprint payment involves a small sum of money, so the server may set a risk management requirement that only a local authorization credential generated within the last 3 months is valid, or, for a credential within its validity period, that only a credential whose own validity length is 3 months or more is valid; the service type requirement may further require an application client version and may contain other service type requirements. For a large fingerprint payment, the risk management requirement may be that only a credential generated within the last month is valid, or, for a credential within its validity period, that only a credential whose validity length is 6 months or more is valid, and other service type requirements such as the application client version may also be applied. In addition, the server's risk management system may perform a risk analysis of the current transaction, identify whether it is an abnormal transaction that does not match the user's transaction habits, and set the corresponding risk management requirement according to the result. Depending on the circumstances, service type requirements other than risk management requirements and application client version requirements may be set according to service needs, and other service execution request types may be defined; this embodiment does not limit them.
Table 1. Example 1 of a service server determining the service type requirement according to the type of service execution request
(Table 1 is provided as image PCTCN2017078605-appb-000001)
For another example, Table 2 is a second example of a service server determining service type requirements according to the type of service execution request. Here the risk management requirement is generated by the service server against two parameters of the local authorization credential, the validity period and the credential security level, because the credential also contains a security level. Building on Table 1, the risk management requirement in Table 2 therefore adds a risk management threshold set by the server for the credential security level, from which the corresponding service type requirement and risk management requirement are generated.
After receiving the service request, retrieving the locally stored local authorization credential and confirming that it is within its validity period, the terminal determines, from the service type in the service request and/or the local authorization credential, which service type requirement the terminal legitimacy proof must satisfy, and then judges from the credential whether it can meet the risk management requirement of the service. For example, in the small fingerprint payment scenario of Table 2, if the credential currently stored in the terminal is level 2, the risk management requirement says the terminal must use a credential generated within the last 3 days to meet the service type requirement. The terminal therefore checks whether the credential was generated within the last 3 days: if so, the credential meets the risk management requirement, and the terminal goes on to judge whether the service type requirements other than the risk management requirement are met; if the credential was generated 5 days ago, it does not meet the risk management requirement.
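The check order just described (validity period first, then the risk management requirement, then the remaining service type requirements) and the decision it leads to (use the stored first credential, or request a second one from the authentication center) as an added Go example. This is not code from the patent: the requirement names, the client version numbers and every limit except the 3-day bound for a level-2 credential in a small payment (the Table 2 case in the text) are constructed for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// StoredCredential holds the credential fields that a service type requirement is
// checked against: issue time, end of validity, and the credential security level
// assigned by the authentication center.
type StoredCredential struct {
	IssuedAt, NotAfter time.Time
	Level              int
}

// RiskRequirement is the service server's risk management requirement, set against
// credential parameters: the maximum credential age accepted per security level.
// A level that is not listed is not accepted at all.
type RiskRequirement struct{ MaxAgeByLevel map[int]time.Duration }

// ServiceTypeRequirement travels in the service request. A nil Risk means the service
// sets no risk management requirement (the fingerprint login case).
type ServiceTypeRequirement struct {
	Name         string
	MinClientVer int
	Risk         *RiskRequirement
}

// Decision says whether the stored (first) credential may build the legitimacy proof
// or a second credential must be requested from the authentication center.
type Decision struct {
	UseStored bool
	Reason    string
}

// Evaluate applies the checks in the order the text gives: existence, validity period,
// risk management requirement, then the remaining service type requirements.
func Evaluate(c *StoredCredential, req ServiceTypeRequirement, clientVer int, now time.Time) Decision {
	if c == nil {
		return Decision{false, "no local authorization credential stored; request one"}
	}
	if now.After(c.NotAfter) {
		return Decision{false, "stored credential is past its validity period; request a second one"}
	}
	if req.Risk != nil {
		maxAge, ok := req.Risk.MaxAgeByLevel[c.Level]
		if !ok {
			return Decision{false, fmt.Sprintf("credential level %d is not accepted for %s", c.Level, req.Name)}
		}
		if age := now.Sub(c.IssuedAt); age > maxAge {
			return Decision{false, fmt.Sprintf("credential issued %s ago; %s accepts at most %s for level %d", age, req.Name, maxAge, c.Level)}
		}
	}
	if clientVer < req.MinClientVer {
		return Decision{false, fmt.Sprintf("application client version %d is below the required %d", clientVer, req.MinClientVer)}
	}
	return Decision{true, "stored credential satisfies the service type requirement"}
}

const day = 24 * time.Hour

// Constructed requirements. The 3-day limit for a level-2 credential in a small payment
// follows the Table 2 example in the text; all other figures are assumed for illustration.
var (
	FingerprintLogin = ServiceTypeRequirement{Name: "fingerprint login", MinClientVer: 1}
	SmallPayment     = ServiceTypeRequirement{Name: "small fingerprint payment", MinClientVer: 2,
		Risk: &RiskRequirement{map[int]time.Duration{2: 3 * day, 3: 90 * day}}}
	LargePayment = ServiceTypeRequirement{Name: "large fingerprint payment", MinClientVer: 2,
		Risk: &RiskRequirement{map[int]time.Duration{3: 30 * day}}}
)

func main() {
	now := time.Now()
	// Constructed level-2 credential issued 5 days ago, valid for 90 days from issue.
	cred := &StoredCredential{IssuedAt: now.Add(-5 * day), NotAfter: now.Add(85 * day), Level: 2}
	for _, req := range []ServiceTypeRequirement{FingerprintLogin, SmallPayment, LargePayment} {
		d := Evaluate(cred, req, 2, now)
		fmt.Printf("%-26s -> use stored credential: %v (%s)\n", req.Name, d.UseStored, d.Reason)
	}
}
```

Run as written, the 5-day-old level-2 credential is accepted for fingerprint login, refused for the small payment because it is older than 3 days, and refused for the large payment because level 2 is not listed there at all; in the last two cases the terminal would proceed to request a second credential.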
Table 2. Example 2 of a service server determining the service type requirement according to the type of service execution request
(Table 2 is provided as image PCTCN2017078605-appb-000002)
The service type requirement may also be delivered by the service server to the application client in advance; when a service request is received, the application client hands the stored service type requirement and the service request to the unified identity authentication client for verification.
In one embodiment, if no first local authorization credential exists in the terminal, or the first local authorization credential in the terminal is past its validity period, or the first local authorization credential does not satisfy the service type requirement of the service request, the terminal sends request information for acquiring a second local authorization credential to the authentication center, so that the authentication center generates the second local authorization credential;
the terminal receives and stores the second local authorization credential;
the terminal constructs the service response corresponding to the service request with the second local authorization credential and sends the service response.
Specifically, when there is no local authorization credential in the terminal, or the existing credential has expired, or the existing credential cannot satisfy the service type requirement demanded by the service server, either no local authorization credential is available locally or the existing one cannot be used to construct the service response locally, so the terminal must apply to the authentication center again for a new local authorization credential, the second local authorization credential.
In one embodiment, the request information for acquiring the second local authorization credential includes signature information generated with an original equipment manufacturer (OEM) private key, at least one of device information and device identity information, and the local authorization public key, so that the authentication center can look up the stored OEM public key according to the device information or device identity information, verify the signature generated with the OEM private key, and generate the second local authorization credential. The local authorization public key is the public key corresponding to the local authorization private key, and the device information and device identity information are either information the authentication center asks the terminal to provide upon receiving the request for the second local authorization credential, or information negotiated in advance between the authentication center and the terminal.
Specifically, the OEM private key may be pre-installed in the terminal's secure storage environment, while the authentication center holds the public keys of the OEMs it trusts. The signature generated with the OEM private key and contained in the request for the second local authorization credential lets the authentication center retrieve the stored OEM public key and verify that signature, checking the terminal's legitimacy; only after verifying the terminal's identity does the authentication center generate the terminal's local authorization credential. On the other hand, the authentication center may look up the stored OEM public key by device identity information, which may include at least one of the terminal's device ID, vendor identifier and device model.
Before requiring the device information and device identity information from the terminal, the authentication center may also impose requirements on the key specification of the local authorization key pair, such as the key length and the cryptographic algorithm.
In one embodiment, the first and second local authorization credentials include a validity period, the local authorization public key, and signature information generated with an authentication center private key; the authentication center private key is generated and stored locally by the authentication center and is used to generate the local authorization credential.
Specifically, the validity period used to judge whether the local authorization credential is still valid is contained in the credential itself. The local authorization public key is the public key corresponding to the local authorization private key and is used to verify the signature information, generated with that private key, contained in the service responses to subsequent service requests. The signature information generated with the authentication center private key proves that the local authorization credential was issued by the authentication center, that is, that the authentication center recognizes the terminal's right to provide the terminal legitimacy proof locally.
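The whole exchange, from the OEM-signed credential request (including the key specification check) through credential issuance to the challenge-bearing service response and the authentication server's verification in steps S201 to S203, as an added Go example that is not part of the patent. It assumes Ed25519 for the OEM, authentication center and local authorization key pairs, a simple textual to-be-signed encoding for the credential and the request, and a constructed device identifier `device-0001`; the patent fixes none of these, and the function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// LocalCredential: local authorization public key, validity period and credential
// security level, all covered by the authentication center's signature ACSig.
type LocalCredential struct {
	LocalAuthPub        ed25519.PublicKey
	NotBefore, NotAfter time.Time
	Level               int
	ACSig               []byte
}

// tbs is the to-be-signed encoding of the credential; reqTBS is what the OEM private
// key signs in the credential request. Both encodings are assumed for illustration.
func (c *LocalCredential) tbs() []byte {
	return []byte(fmt.Sprintf("%x|%d|%d|%d", c.LocalAuthPub, c.NotBefore.Unix(), c.NotAfter.Unix(), c.Level))
}
func reqTBS(deviceID string, localPub ed25519.PublicKey) []byte {
	return []byte(fmt.Sprintf("%s|%x", deviceID, localPub))
}

// AuthCenter holds its signing key and the trusted OEM public keys, keyed by device ID.
type AuthCenter struct {
	priv   ed25519.PrivateKey
	Pub    ed25519.PublicKey
	oemPub map[string]ed25519.PublicKey
}

// Issue handles a credential request (device ID, local authorization public key, OEM
// signature): it runs the terminal legitimacy check and signs a credential if it passes.
func (ac *AuthCenter) Issue(deviceID string, localPub ed25519.PublicKey, oemSig []byte, now time.Time, validity time.Duration, level int) (*LocalCredential, error) {
	pub, ok := ac.oemPub[deviceID]
	if !ok || len(localPub) != ed25519.PublicKeySize || !ed25519.Verify(pub, reqTBS(deviceID, localPub), oemSig) {
		return nil, errors.New("legitimacy check failed: unknown device, bad key spec or bad OEM signature")
	}
	c := &LocalCredential{LocalAuthPub: localPub, NotBefore: now, NotAfter: now.Add(validity), Level: level}
	c.ACSig = ed25519.Sign(ac.priv, c.tbs())
	return c, nil
}

// ServiceResponse carries the terminal legitimacy proof: the credential plus a signature
// by the local authorization private key over the server's challenge and the credential.
type ServiceResponse struct {
	Challenge, TermSig []byte
	Credential         *LocalCredential
}

func signedMsg(ch []byte, c *LocalCredential) []byte { return append(append([]byte{}, ch...), c.tbs()...) }

// Respond is the terminal side: it signs the challenge and its stored credential with
// the local authorization private key kept in secure storage.
func Respond(localPriv ed25519.PrivateKey, cred *LocalCredential, ch []byte) ServiceResponse {
	return ServiceResponse{ch, ed25519.Sign(localPriv, signedMsg(ch, cred)), cred}
}

// VerifyResponse is the authentication server's check: challenge freshness, credential
// signature, validity period, then the terminal's signature under the credential's key.
func VerifyResponse(resp ServiceResponse, expected []byte, acPub ed25519.PublicKey, now time.Time) error {
	c := resp.Credential
	switch {
	case !bytes.Equal(resp.Challenge, expected):
		return errors.New("challenge mismatch: stale or replayed response")
	case !ed25519.Verify(acPub, c.tbs(), c.ACSig):
		return errors.New("credential was not issued by the authentication center")
	case now.Before(c.NotBefore) || now.After(c.NotAfter):
		return errors.New("credential outside its validity period")
	case !ed25519.Verify(c.LocalAuthPub, signedMsg(resp.Challenge, c), resp.TermSig):
		return errors.New("terminal signature does not match the credential's public key")
	}
	return nil
}

// Enrol sets up the constructed device "device-0001" and obtains a 90-day, level-2 credential.
func Enrol(now time.Time) (*AuthCenter, ed25519.PrivateKey, *LocalCredential, error) {
	oemPub, oemPriv, _ := ed25519.GenerateKey(rand.Reader)
	acPub, acPriv, _ := ed25519.GenerateKey(rand.Reader)
	localPub, localPriv, _ := ed25519.GenerateKey(rand.Reader) // generated before the request
	ac := &AuthCenter{acPriv, acPub, map[string]ed25519.PublicKey{"device-0001": oemPub}}
	cred, err := ac.Issue("device-0001", localPub, ed25519.Sign(oemPriv, reqTBS("device-0001", localPub)), now, 90*24*time.Hour, 2)
	return ac, localPriv, cred, err
}

func main() {
	ac, localPriv, cred, err := Enrol(time.Now())
	if err != nil {
		panic(err)
	}
	challenge := []byte("constructed challenge; a real server draws a fresh random one")
	resp := Respond(localPriv, cred, challenge)
	fmt.Println("fresh:", VerifyResponse(resp, challenge, ac.Pub, time.Now()), "| replayed:", VerifyResponse(resp, []byte("other"), ac.Pub, time.Now()))
}
```

The verification order matters for the defender: the challenge comparison rejects a replayed response before any signature work, the authentication center signature is checked before the public key inside the credential is trusted, and only then is that key used to verify the terminal's own signature. The key specification check in Issue (here simply the Ed25519 public key size) is where the requirement on key length and algorithm from the text would be enforced.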
Specifically, the device information may be carried in the request information the terminal sends to the authentication center to acquire the local authorization credential. Alternatively, if the request carries only device identity information, such as a device ID or other identifiers like vendor and model, the authentication center can use that identity information to look up device information such as the device's storage environment in a database preset at the authentication center, determine the device's security level from the storage environment and other device information, and from that determine the validity period and/or the credential security level. For example, the authentication center may set up a risk assessment system based on terminal device information: it determines a security score for the terminal from the device information, chiefly the terminal's storage environment, and the score may be used to determine the validity period of the local authorization credential.
在一个实施例中,第一本地授权凭证和所述第二本地授权凭证还包括凭证安全等级,所述凭证安全等级为所述认证中心根据所述设备信息确定的,所述凭证安全等级为所述业务类型要求的一种。 In one embodiment, the first local authorization credential and the second local authorization credential further comprise a credential security level, wherein the credential security level is determined by the authentication center according to the device information, and the credential security level is A type of business type requirement.
例如,如表3所示,表3为认证中心根据设备信息生成的设备安全等级评估体系示例。第一列表示终端不同的存储环境类型,包含REE(rich execution environment)/TEE/SE等,根据不同类型存储环境的安全等级确定对应的信用分,信用分对应了认证中心评估的对应设备的安全等级,认证中心根据信用分来确定生成的本地授权凭证的有效期和本地授权凭证的安全等级等。更进一步,也可以使业务服务器侧能够针对本地授权凭证中的参数设立风险管理要求,来确保终端使用本地保存的本地授权凭证构造的终端合法性证明满足其业务管理要求。For example, as shown in Table 3, Table 3 is an example of a device security level evaluation system generated by the certification center based on device information. The first column indicates the different storage environment types of the terminal, including REE (rich execution environment)/TEE/SE, etc. The credit score is determined according to the security level of different types of storage environments, and the credit score corresponds to the security of the corresponding device evaluated by the certification center. Level, the certification center determines the validity period of the generated local authorization certificate and the security level of the local authorization certificate based on the credit score. Further, the service server side can also be configured to set a risk management requirement for the parameters in the local authorization credential to ensure that the terminal uses the locally saved local authorization credential to prove that the terminal legality certificate meets its service management requirements.
其中,所述设备的安全等级可以是根据储存环境为REE/TEE/SE来进行划分,也可以是根据SE是否达到专业等级检测要求(如金融级、军事级),或者SE、TEE是否有权威检测机构认证证书等来进一步细分。另一方面,认证中心也可以根据与各个厂商的合作关系,结合厂商的实力和信用,进行信用分、有效期和凭证安全等级等的划分,本实施例不作限定。The security level of the device may be classified according to the storage environment as REE/TEE/SE, or may be based on whether the SE meets professional level detection requirements (such as financial level, military level), or whether the SE and TEE have authority. Inspection agency certification, etc. to further subdivide. On the other hand, the authentication center can also perform the division of the credit score, the expiration date, and the security level of the voucher according to the cooperation relationship with each vendor, and the strength and credit of the manufacturer. This embodiment is not limited.
Table 3. Example of a device security level evaluation system generated by the authentication center from device information

Storage environment type | Credit score (out of 5) | Validity period | Credential security level | ...
REE                      | 1                       | single use      | 1 (lowest)                | ...
TEE                      | 2                       | 3 months        | 2 (medium-low)            | ...
SE                       | 4                       | 1 year          | 3 (higher)                | ...
...                      | ...                     | ...             | ...                       | ...
In one embodiment, the local authorization public key is generated and stored locally by the terminal before it sends the request information for obtaining the first local authorization credential to the authentication center, or before it sends the request information for obtaining the second local authorization credential to the authentication center.
Specifically, when the local authorization credential in the terminal is updated, i.e. when the second local authorization credential is obtained from the authentication center, the local authorization public key may be the one generated when the original local authorization credential was generated, or a local authorization public key newly generated when the new local authorization credential is generated; this embodiment does not limit this.
In one embodiment, the validity period is determined by the authentication center according to the device's security level, and the device's security level is determined from the device information. The device information is either carried in the request information the terminal sends to the authentication center to obtain the first local authorization credential or the second local authorization credential, or it is looked up by the authentication center in a database using device identity information, the device identity information being carried in the request information the terminal sends to the authentication center to obtain the first local authorization credential or the second local authorization credential.
S204. The terminal sends the service response.
Specifically, the terminal sends the service response corresponding to the service request to the authentication server. The authentication server holds the authentication center public key, with which it verifies the signature information in the local authorization credential that was generated with the authentication center private key; it then uses the local authorization public key in the local authorization credential to verify the signature information in the service response that was generated with the local authorization private key, and so obtains the verification result for the proof of terminal legality. When verification passes, it sends the verification result and/or the service-related data in the response, such as the transaction order information of a fingerprint payment, to the service server. When the service request is a service execution request, the corresponding service execution response contains signature information generated with the service private key; that signature is verified with the service public key that was stored at service registration or is attached to the service response, which proves that the service execution response and the service registration response corresponding to the earlier service registration request come from the same terminal.
In this embodiment the trust chain is as follows: the service server trusts the authentication center, hence trusts the terminals the authentication center has authenticated, hence trusts the local authorization credential in the terminal. Verifying the proof of terminal legality therefore requires two layers of signature verification: first the local authorization credential signed by the authentication center is verified with the authentication center public key, then the signature information generated by the terminal with the local authorization private key is verified with the local authorization public key contained in the credential, which confirms the terminal's legality.
In the method for using a local authorization credential in a terminal shown in FIG. 2, the authentication center issues to the terminal a credential for providing proof of terminal legality, so that the terminal can prove its legality locally instead of contacting the authentication center every time such proof is required. This reduces the terminal's resource consumption, shortens service operation time and improves the efficiency of service request processing.
Based on the system architecture shown in FIG. 1, refer to FIG. 3, which is a schematic flowchart of a method for generating a local authorization credential. The method is described from the perspective of the unified identity authentication client 1012 (unified identity authentication trusted application 1013) and the authentication center 103. As shown in FIG. 3, the method for generating a local authorization credential includes the following steps:
S301. The unified identity authentication client (unified identity authentication trusted application) initiates a local authorization credential application to the authentication center.
Specifically, this step may be performed in advance, before any service registration request is received, to obtain a local authorization credential and store it in the terminal. It may also be performed during service registration or service execution when the terminal has no local authorization credential, when the locally stored local authorization credential has exceeded its validity period, or when the locally stored local authorization credential does not meet the service type requirement, so that the terminal must go to the authentication center to update its local authorization credential.
S302. The unified identity authentication client (unified identity authentication trusted application) collects device information.
Specifically, the device information may be requested from the unified identity authentication client (unified identity authentication trusted application) by the authentication center when it receives the local authorization credential application, or it may have been agreed in advance between the authentication center and the unified identity authentication client (unified identity authentication trusted application). The device information may include a device ID, a manufacturer identifier, the device storage environment, and so on. When the authentication center receives the local authorization credential application, it may at the same time send the unified identity authentication client (unified identity authentication trusted application) challenge information identifying this credential generation and a local authorization key pair specification; the specification may state the key length, the cryptographic algorithm, and so on.
S303. The unified identity authentication client (unified identity authentication trusted application) generates a local authorization key pair.
Specifically, if the authentication center sent a local authorization key pair specification, the local authorization key pair is generated according to that specification. The local authorization private key is stored securely, for example in a secure storage environment such as a TEE or SE, or another possible secure storage environment. Signatures generated with this private key, together with the credential, are later used to construct the proof of terminal legality.
S304. The unified identity authentication client (unified identity authentication trusted application) generates local authorization credential application information.
Specifically, the local authorization credential application information may include the local authorization public key, device information or device identity information, and signature information generated with the original equipment manufacturer private key. The signature information generated with the original equipment manufacturer private key proves the terminal's legality to the authentication center; the original equipment manufacturer private key is generated in advance and stored in a secure storage environment. If the authentication center sent challenge information to the unified identity authentication client (unified identity authentication trusted application), the local authorization credential application information may further include that challenge information.
S305. The unified identity authentication client (unified identity authentication trusted application) sends the local authorization credential application information to the authentication center.
S306. The authentication center generates the local authorization credential.
Specifically, generating the local authorization credential may also include verifying the local authorization credential application information, as follows: the authentication center verifies the challenge information and, with the original equipment manufacturer public key it has pre-stored, verifies the signature information in the application information that the terminal generated with the original equipment manufacturer private key, thereby confirming the terminal's legality.
After the local authorization credential application information passes verification, the authentication center may determine the validity period of the local authorization credential to be generated from the device information. The specific process may be: determine the corresponding device security level from the device information, then determine the validity period from the device security level. The device information is either carried in the request information the terminal sends to the authentication center to obtain the first local authorization credential or the second local authorization credential, or it is looked up by the authentication center in its database using device identity information, such as the device ID or device model, carried in that request information. If no local authorization credential is stored in the terminal, the request information for the first local authorization credential or for the second local authorization credential simply means the request information for a local authorization credential. If the locally stored local authorization credential has exceeded its validity period or does not meet the service type requirement, the first local authorization credential means the local authorization credential currently in the terminal that no longer meets the requirements, and the second local authorization credential means the local authorization credential that the authentication center regenerates from the present application information.
Further, the authentication center may establish its own device security level evaluation system, which determines the device security level of the terminal from the terminal device information (which may be the terminal's storage environment). The device security level can be used to determine the validity period of the local authorization credential and also to determine its credential security level.
For example, see Table 3 and the description of Table 3 under step S203.
The local authorization credential may include the validity period, the local authorization public key, and signature information generated with the authentication center private key; it may further include the device information, and it may further include the security level of the credential.
S307. The authentication center sends the local authorization credential to the unified identity authentication client (unified identity authentication trusted application).
Specifically, the local authorization credential is stored in a secure storage environment of the terminal, for example a TEE or SE, or another possible secure storage environment.
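The credential application and issuance flow of steps S301 to S307, with the credential contents described under step S203, as an added example that is not code from the patent or from the applicant: the terminal generates a local authorization key pair and signs its application with the pre-provisioned OEM private key; the authentication center checks its own challenge and the OEM signature, rates the device as in Table 3, and signs the credential. Ed25519 stands in for the key specification the text leaves open; the JSON encoding under each signature, the type and function names, the unrated "eMMC" environment and the freshly generated (rather than pre-provisioned) OEM and authentication center keys are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential is the local authorization credential with the contents listed under S306;
// the field names and the JSON bytes under the signature are this example's assumption.
type Credential struct {
	LocalPub ed25519.PublicKey // local authorization public key
	Env      string            // device information: storage environment (REE, TEE or SE)
	NotAfter int64             // end of validity period, Unix seconds; 0 means "use once"
	Level    int               // credential security level from Table 3
	CASig    []byte            // signature information generated with the authentication center private key
}

// Application is the local authorization credential application information of S304.
type Application struct {
	Challenge []byte            // challenge sent by the authentication center with the key specification
	LocalPub  ed25519.PublicKey // local authorization public key generated in S303
	Env       string            // device information collected in S302
	OEMSig    []byte            // signature by the original equipment manufacturer private key
}

// TBS returns the bytes a signature covers: the value with its own signature field cleared.
func (c Credential) TBS() []byte  { c.CASig = nil; b, _ := json.Marshal(c); return b }
func (a Application) TBS() []byte { a.OEMSig = nil; b, _ := json.Marshal(a); return b }

// Apply is the terminal side, S302-S305: generate the local authorization key pair and sign the
// application with the OEM private key. The returned private key would stay in the TEE or SE.
func Apply(oemPriv ed25519.PrivateKey, env string, challenge []byte) (Application, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // Ed25519 stands in for the unspecified key specification
	a := Application{Challenge: challenge, LocalPub: pub, Env: env}
	a.OEMSig = ed25519.Sign(oemPriv, a.TBS())
	return a, priv
}

// AuthCenter holds the authentication center private key, the pre-stored OEM public key,
// and the challenges handed out in S302 that have not been answered yet.
type AuthCenter struct {
	priv    ed25519.PrivateKey
	oemPub  ed25519.PublicKey
	pending map[string]bool
}

func (ca *AuthCenter) Challenge() []byte {
	c := make([]byte, 16)
	rand.Read(c)
	ca.pending[string(c)] = true
	return c
}

// Issue is S306: verify the challenge and the OEM signature, rate the device as in Table 3,
// then sign the credential with the authentication center private key.
func (ca *AuthCenter) Issue(a Application, now time.Time) (Credential, error) {
	if !ca.pending[string(a.Challenge)] {
		return Credential{}, errors.New("unknown or already answered challenge")
	}
	delete(ca.pending, string(a.Challenge))
	if len(a.LocalPub) != ed25519.PublicKeySize || !ed25519.Verify(ca.oemPub, a.TBS(), a.OEMSig) {
		return Credential{}, errors.New("OEM signature invalid: terminal legality not proven")
	}
	c := Credential{LocalPub: a.LocalPub, Env: a.Env}
	switch a.Env { // Table 3: credit score 1/2/4 -> validity period and credential security level
	case "REE":
		c.Level = 1 // valid for a single use
	case "TEE":
		c.Level, c.NotAfter = 2, now.AddDate(0, 3, 0).Unix()
	case "SE":
		c.Level, c.NotAfter = 3, now.AddDate(1, 0, 0).Unix()
	default:
		return Credential{}, fmt.Errorf("storage environment %q is not rated", a.Env)
	}
	c.CASig = ed25519.Sign(ca.priv, c.TBS())
	return c, nil
}

// Enroll runs S301-S307 for one device with freshly generated OEM and authentication center keys
// and returns the issued credential with the authentication center public key that verifies it.
func Enroll(env string) (Credential, ed25519.PublicKey, error) {
	oemPub, oemPriv, _ := ed25519.GenerateKey(rand.Reader)
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	ca := &AuthCenter{priv: caPriv, oemPub: oemPub, pending: map[string]bool{}}
	app, _ := Apply(oemPriv, env, ca.Challenge()) // S301 application, S302 challenge, S303-S305
	cred, err := ca.Issue(app, time.Now())
	return cred, caPub, err
}

func main() {
	for _, env := range []string{"SE", "TEE", "REE", "eMMC"} {
		c, _, err := Enroll(env)
		fmt.Printf("%-4s level=%d notAfter=%d err=%v\n", env, c.Level, c.NotAfter, err)
	}
}
```

The challenge is consumed before the OEM signature is checked, so an application can be answered only once even if it is replayed with a valid signature; an application signed by a key the authentication center does not hold as an OEM public key is refused before any rating takes place.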
Based on the system architecture shown in FIG. 1, refer to FIG. 4, which is a schematic flowchart of a method for using a local authorization credential in a terminal according to an embodiment of the present invention. The method is described from the perspective of the application client 1011, the unified identity authentication client 1012 (unified identity authentication trusted application 1013), the service server 1021 and the authentication server 1022; the steps attributed to the unified identity authentication client 1012 (unified identity authentication trusted application 1013) may be performed by the unified identity authentication client or by the unified identity authentication trusted application. As shown in FIG. 4, the method for using a local authorization credential in a terminal may include the following steps.
S401. The application client initiates service registration with the service server.
Specifically, a user can initiate service registration in the terminal through the application client. The service may be an application's fingerprint service, face service, and so on; for example, the user enables "fingerprint login" or "fingerprint payment" in an application client on the terminal, which triggers service registration for the corresponding fingerprint service.
S402. The service server generates a service type requirement.
Specifically, the service type requirement is generated by the service server according to its own service needs.
In one embodiment, when the service server decides that the service requires proof of terminal legality, the service type requirement includes a risk management requirement. The risk management requirement is generated by the service server for the local authorization credential and ensures that the proof of terminal legality the terminal provides on the basis of its local authorization credential meets the needs of the service. The service server may derive it from at least one factor such as the sensitivity of the service, the security needs of the service, or the result of its risk management system's analysis of the current transaction. Sensitivity may be graded, for instance, by whether money changes hands, by the amount involved, and by whether the transaction matches the user's habits; the service server can classify service requests by sensitivity or by service security level and assign different risk management requirements to the different classes. The service type requirement may also include other requirements, such as an application client version requirement. A risk management requirement consists of a risk management parameter and a risk management threshold and is defined over the parameter types of the local authorization credential, such as the validity period or the credential security level.
S403. The service server sends a service registration notification containing the service type requirement to the authentication server.
Specifically, the service server receives the service registration initiated by the application client and, on receiving it, sends a service registration notification to the authentication server.
S404. The authentication server generates a service registration request and sends it to the service server.
Specifically, the service registration request contains the service type requirement. On receiving the service registration notification, the authentication server generates a service registration request asking the terminal to complete registration of the corresponding service according to a specified procedure, and that procedure includes the terminal providing proof of terminal legality during registration. The authentication server holds an authentication server certificate, and the service registration request it generates includes that certificate to prove the authentication server's legality; the request further includes challenge information identifying this registration and/or signature information generated with the authentication server private key. A service registration request is one kind of service request.
S405. The service server sends the service registration request to the unified identity authentication client (unified identity authentication trusted application).
Specifically, the authentication server's service registration request reaches the unified identity authentication client (unified identity authentication trusted application) via the service server and the application client. If the registration procedure requires collecting user information, the terminal may prompt the user through the application client to enter biometric information such as a fingerprint, voice or image, and the terminal receives and stores what the user enters.
S406. The unified identity authentication client (unified identity authentication trusted application) checks the legality of the service registration request.
Specifically, the unified identity authentication trusted application can retrieve the CRL and the certification authority root certificate preset in the secure storage environment; the authentication server certificate contains the authentication server public key. The check proceeds as follows: look up whether the authentication server is listed in the CRL to determine whether it has been revoked, and verify the server certificate against the certification authority root certificate. If both checks pass, the service registration request comes from a legitimate authentication server. Where the request carries signature information generated with the authentication server private key, that signature is verified with the authentication server public key from the now-trusted certificate, which ties the request itself to that server.
S407. The unified identity authentication client (unified identity authentication trusted application) generates an asymmetric service key pair.
Specifically, the asymmetric service key pair is generated for this service registration request; the service private key may be stored in a secure storage environment of the terminal, such as a TEE or SE, or another possible secure storage environment.
S408. The unified identity authentication client (unified identity authentication trusted application) checks whether a local authorization credential is present locally, and whether the local authorization credential is within its validity period.
Specifically, the service registration request requires proof of terminal legality and carries indication information to that effect. When the terminal determines from the indication information that proof of terminal legality must be provided, it first tries to obtain the local authorization credential stored in the terminal and construct the proof of terminal legality locally. The local authorization credential may have been generated and issued by the authentication center after the terminal's first service registration triggered a local authorization credential application, or the terminal may have applied for it from the authentication center before any service registration; this embodiment does not limit this. If a local authorization credential is stored in the terminal, the terminal checks whether it is within its validity period. The local authorization credential may include the validity period, the local authorization public key and signature information generated with the authentication center private key, and may also include device information or device identity information; the validity period may be generated by the authentication center from the device security level corresponding to the device information.
S409. The unified identity authentication client (unified identity authentication trusted application) checks whether the local authorization credential meets the service type requirement.
Specifically, in this embodiment, when the terminal has a local authorization credential stored locally and it is within its validity period, the terminal is able to provide proof of terminal legality locally. The unified identity authentication client (unified identity authentication trusted application) then still has to judge, from the service type requirement in the service registration request, whether the local authorization credential it currently holds satisfies the service's requirements, and hence whether that credential can be used to construct the proof of terminal legality.
If the local authorization credential meets the service type requirement, it can be used to construct the proof of terminal legality, and step S410 is performed. If the terminal has no local authorization credential, or the local authorization credential has exceeded its validity period, or the local authorization credential does not meet the service type requirement, then the terminal either has no local authorization credential or its current local authorization credential cannot be used to construct the service registration response for this service registration request, so it must return to the authentication center and update the local authorization credential, i.e. perform steps S301-S307 to obtain an updated local authorization credential and use that updated credential to construct the service registration response corresponding to this service registration request.
S410. The unified identity authentication client (unified identity authentication trusted application) generates a service registration response.
Specifically, once it is determined that the local authorization credential can be used to construct the proof of terminal legality, a service response containing the proof of terminal legality is generated. It has three parts: the challenge information; the service data, including the service public key, the device ID and other service data such as a hash of the biometric information; and the proof of terminal legality, consisting of the local authorization credential and signature information generated with the local authorization private key. The service registration response formed from this information may be encrypted with the authentication server public key from the authentication server certificate before it is sent to the authentication server.
S411. The unified identity authentication client (unified identity authentication trusted application) sends the service registration response to the authentication server.
Specifically, the service registration response is sent to the authentication server via the application client and the service server.
S412. The authentication server verifies the validity of the service registration response.
Specifically, the validity of the service registration response can be verified as follows: decrypt, with the authentication server private key, the part of the service registration response that was encrypted with the authentication server public key; verify the authentication server's challenge information, confirming that the service registration request and the service registration response belong to one service procedure; verify the signature made with the authentication center private key in the local authorization credential, using the authentication center public key pre-stored at the authentication server; and, once that passes, take the local authorization public key from the local authorization credential and verify the signature information the terminal generated with the local authorization private key in the service registration response. These two signature verifications verify the proof of terminal legality. If they pass, the service registration response comes from a legitimate terminal that the authentication center has verified, so the registration procedure can continue: the authentication server stores the service public key and sends the verification result and the service-related data to the service server, which records the registration and notifies the terminal that registration succeeded.
S413. The application client initiates service execution with the service server.
Specifically, once service registration has succeeded, execution of the same service can be initiated in the terminal; if registration did not succeed, the service cannot be executed. For example, the fingerprint service of an application can only be used after fingerprint registration in that application has succeeded. The user initiates service execution through the application client in the terminal; service execution may be, for example, fingerprint unlock, face unlock or fingerprint payment in an application. For instance, the user taps the "face unlock" button in an application client on the terminal, which triggers service execution.
S414. The service server decides whether the current service requires a terminal legality proof.
Specifically, the service server may decide whether a terminal legality proof is required according to the type of service being executed, or the application client may decide according to rules preset by the service server. For example, if no sensitive operation such as a transfer is involved, the service server decides that no terminal legality proof is needed for this service; alternatively, the service server's risk control system analyses the current service to decide whether the proof is needed. The service server may also maintain a list of service execution types, classifying which types require a terminal legality proof; when a service execution arrives, it looks up the list directly to determine whether the terminal must provide a terminal legality proof.
If the service server determines that the service requires a terminal legality proof, it also generates the corresponding service type requirement as in S402. In this embodiment the service type requirement is generated by the service server and ensures that the terminal legality proof constructed from the local authorization credential in the service response meets the risk management needs of the current service.
For example, see Table 1 and Table 2 and the corresponding description of Table 1 and Table 2 in step S203.
Optionally, the service type requirement may be preset in the application client by the service server; when the application client detects that the service request requires a terminal legality proof, it adds the service type requirement to the service request and sends it to the unified identity authentication client (unified identity authentication trusted application).
S415. The authentication server generates a service execution request and sends it to the service server.
Specifically, when service execution requires a terminal legality proof, the authentication server generates a service execution request. The service execution request may contain the service type requirement and may also contain indication information indicating that a terminal legality proof must be provided, where the indication information is determined from at least one preset field or from at least one field of the service type requirement. The service execution request may further include the authentication server certificate, signature information generated with the authentication server private key, challenge information identifying this service execution, and service-related information such as the transaction order for a fingerprint payment; it may also contain other related information, which this embodiment does not limit.
S416. The service server sends the service execution request to the unified identity authentication client (unified identity authentication trusted application).
Specifically, the authentication server sends the service execution request to the unified identity authentication client (unified identity authentication trusted application) via the service server and the application client. At this point, if the service execution requires verification of the user's biometric information, the terminal may prompt the user through the application client to input biometric information such as a fingerprint, voice or image, compare it with the information the user entered at service registration, and obtain a local biometric verification result. Further, the service type requirement and the indication information may be added by the application client, which then sends the service execution request, now requiring a terminal legality proof, to the unified identity authentication client.
S417. The unified identity authentication client (unified identity authentication trusted application) checks the legitimacy of the service execution request.
Specifically, checking the legitimacy of the service execution request includes: looking up the authentication server in the CRL to confirm whether its certificate has been revoked, and verifying the authentication server certificate against the certification authority's root certificate. When both checks pass, the service execution request came from a legitimate server.
S418. The unified identity authentication client (unified identity authentication trusted application) checks whether a local authorization credential is stored locally and, if so, whether the local authorization credential is within its validity period.
Specifically, where a terminal legality proof is required and no local authorization credential is stored in the terminal, steps S301-S307 may be performed to obtain a local authorization credential issued by the authentication center, after which the subsequent steps are performed. If a local authorization credential is stored in the terminal, the validity period is read from it and the client determines whether the current local authorization credential is still within that period: if so, step S419 is performed; if the current local authorization credential has expired, steps S301-S307 are performed to obtain a new local authorization credential from the authentication center, thereby updating the local authorization credential, and the subsequent steps are performed.
For example, if the validity period in the local authorization credential is three months and the unified identity authentication client (unified identity authentication trusted application) detects that the local authorization credential was generated four months ago, the credential has expired, and steps S301-S307 may be performed to update it before the subsequent steps. If the client detects that the local authorization credential was generated two months ago, the credential is still within its validity period, the terminal can provide the terminal legality proof locally, and the subsequent steps are performed.
S419. The unified identity authentication client (unified identity authentication trusted application) checks whether the local authorization credential meets the service type requirement.
Specifically, when the service type requirement contains a risk management requirement, the client may read parameters from the local authorization credential, such as its validity period and credential security level, and compare the risk management requirement with those parameters to determine whether the local authorization credential meets the service type requirement. Taking Table 2 as an example, suppose the current local authorization credential has a validity period of 3 months, was generated 2 months ago, and has credential security level 5. When the service execution request is a fingerprint payment (small amount) and the service type requirement for that service is "a local authorization credential generated within 3 months is valid", the local authorization credential meets the risk management requirement in the service type requirement, and this service can use the credential to construct the terminal legality proof. When the service execution request is a fingerprint payment (large amount) and the service type requirement is "a local authorization credential generated within 1 month is valid", the local authorization credential does not meet the risk management requirement in the service type requirement, so this service cannot use the credential to construct the terminal legality proof; steps S301-S307 are performed to update the local authorization credential, and the new local authorization credential is used to construct a terminal legality proof that meets the service type requirement.
S420. The unified identity authentication client (unified identity authentication trusted application) generates the service execution response.
Specifically, the service execution response may include: the challenge information; the service-related data, containing the biometric comparison result and signature information generated with the service private key, and optionally also the biometric hash and the service public key; and the terminal legality proof, containing the local authorization credential and the signature generated with the local authorization private key. The biometric comparison result is obtained by comparing the biometric information collected by the application client during service execution with the biometric information stored locally at service registration. The service execution response may further include the biometric hash for this execution. Further, identification information corresponding to the indication information may be added to state that the service execution response contains a locally constructed terminal legality proof. The service execution response is encrypted with the authentication server public key from the authentication server certificate.
S421. The unified identity authentication client (unified identity authentication trusted application) sends the service execution response to the authentication server.
Specifically, the service execution response is sent to the authentication server via the application client and the service server.
S422. The authentication server verifies the validity of the service execution response.
Specifically, the validity of the service execution response is verified as follows. The authentication server uses the authentication server private key to decrypt the part of the service execution response encrypted with the authentication server public key, and checks the authentication server's challenge information to confirm that the service execution request and this service execution response belong to the same service transaction. It then uses the pre-stored authentication center public key to verify the signature information generated with the authentication center private key on the local authorization credential; once that passes, it takes the local authorization public key from the local authorization credential and verifies the signature information in the service execution response generated with the local authorization private key. If that passes, the terminal legality proof is valid. Optionally, the authentication server may also compare the risk management requirement in the service type requirement against the terminal legality proof once more. It then obtains the service public key, either stored in the service server when service registration succeeded or carried in the service execution response, and verifies the signature information generated with the service private key. If that passes, the service execution response is legitimate; the verification result is reported to the service server, which carries out the subsequent flow of the corresponding service. For example, when the service execution is a fingerprint login, after the signature generated with the service private key has been verified and the verification result in the response is confirmed valid, the service server is notified to perform the login operation; when the service execution is a fingerprint payment, after the signature generated with the service private key has been verified and the verification result and order information in the response are confirmed correct, the payment operation is performed.
The authentication server may also determine from the identification information whether this service execution triggered a terminal legality proof; for example, a preset field, or part or all of the terminal legality proof data in the service response, may serve as the identification information. The identification step may be performed by the unified identity authentication client or by the application client.
In the method for using a local authorization credential in a terminal shown in FIG. 4, the authentication center issues to the terminal a credential with which the terminal can provide its legality proof, so that the terminal can prove its legitimacy locally from the stored credential and does not need to contact the authentication center every time a service is executed. This reduces the terminal's resource consumption, shortens service operation time, and improves the efficiency of service request processing.
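Steps S410-S412 and S418-S422 above describe the same two-stage check from the terminal side and the authentication server side. The following Python is an added example written for this page, not code from the patent or from Huawei: it models the authentication center issuing a local authorization credential, the terminal building a response that carries a terminal legality proof, and the authentication server verifying it (challenge binding, the authentication center's signature on the credential, then the terminal's signature under the local authorization public key carried inside the credential) and re-checking the service type requirement. The field names, the requirement format (max_age_days, min_security_level), the constructed challenge and device identifiers, and a textbook RSA over fixed Mersenne primes standing in for the real signature scheme are all assumptions; the toy RSA is not secure and is only there so the block runs offline without third-party libraries. Encryption under the authentication server public key and the service-key signature of S420/S422 are left out.

```python
# Added example, not code from the patent: a toy model of the two-level terminal
# legality proof in S410-S412 and S418-S422. The authentication center (AC) signs the
# local authorization credential; the terminal signs challenge + service data with the
# local authorization private key; the authentication server verifies the credential
# with the pre-stored AC public key, then the terminal signature with the public key
# carried inside the credential, and re-checks the service type requirement.
# Assumptions: field names, the requirement format, and textbook RSA over fixed
# Mersenne primes standing in for a real signature scheme (NOT secure, demo only).
# Encryption under the authentication server public key and the service-key
# signature of S420/S422 are omitted.
import hashlib
import json

E = 65537
DAY = 86400

def toy_keypair(kp, kq):
    """Textbook RSA from fixed Mersenne primes 2^kp-1 and 2^kq-1 (demo only)."""
    p, q = (1 << kp) - 1, (1 << kq) - 1
    n, d = p * q, pow(E, -1, (p - 1) * (q - 1))
    return {"n": n, "e": E}, {"n": n, "d": d}

def canon(obj):
    """Canonical JSON so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data):
    return pow(_digest(data), priv["d"], priv["n"])

def verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest(data)

def issue_credential(ac_priv, local_pub, issued_at, validity_days, level):
    """Authentication center side (S301-S307): validity, local public key, level, AC signature."""
    body = {"local_pub": local_pub, "issued_at": issued_at,
            "validity_days": validity_days, "security_level": level}
    return {"body": body, "ac_sig": sign(ac_priv, canon(body))}

def credential_usable(cred, requirement, now):
    """S418/S419: credential present, unexpired, and meeting the risk management requirement."""
    if cred is None:
        return False, "no local authorization credential"
    b = cred["body"]
    age_days = (now - b["issued_at"]) / DAY
    if age_days > b["validity_days"]:
        return False, "credential expired"
    if age_days > requirement["max_age_days"]:
        return False, "credential older than the service type allows"
    if b["security_level"] < requirement["min_security_level"]:
        return False, "credential security level too low"
    return True, "ok"

def build_response(local_priv, cred, challenge, service_data):
    """S410/S420 on the terminal: challenge, service data and the terminal legality proof."""
    proof_input = canon({"challenge": challenge, "service_data": service_data})
    return {"challenge": challenge, "service_data": service_data,
            "legality_proof": {"credential": cred, "terminal_sig": sign(local_priv, proof_input)}}

def verify_response(ac_pub, expected_challenge, resp, requirement, now):
    """S412/S422 on the authentication server: challenge binding, AC signature, terminal signature."""
    if resp["challenge"] != expected_challenge:
        return False, "challenge mismatch: not the same service transaction"
    cred = resp["legality_proof"]["credential"]
    if not verify(ac_pub, canon(cred["body"]), cred["ac_sig"]):
        return False, "credential not signed by the authentication center"
    ok, why = credential_usable(cred, requirement, now)  # the optional re-check in S422
    if not ok:
        return False, why
    proof_input = canon({"challenge": resp["challenge"], "service_data": resp["service_data"]})
    if not verify(cred["body"]["local_pub"], proof_input, resp["legality_proof"]["terminal_sig"]):
        return False, "terminal signature invalid"
    return True, "ok"

# Constructed fixtures modelled on the Table 2 discussion: small vs large fingerprint payment.
SMALL_PAYMENT = {"max_age_days": 90, "min_security_level": 3}
LARGE_PAYMENT = {"max_age_days": 30, "min_security_level": 5}
NOW = 1_700_000_000
AC_PUB, AC_PRIV = toy_keypair(521, 607)          # authentication center key pair (assumed)
LOCAL_PUB, LOCAL_PRIV = toy_keypair(127, 1279)   # terminal local authorization key pair (assumed)
# Credential valid for 3 months, level 5, generated 2 months ago (the S419 example).
CRED = issue_credential(AC_PRIV, LOCAL_PUB, NOW - 60 * DAY, 90, 5)

def run_flow(requirement, tamper=False):
    """Terminal builds the response; the authentication server verifies it."""
    challenge = "c-7f3a"  # constructed nonce taken from the authentication server's request
    resp = build_response(LOCAL_PRIV, CRED, challenge,
                          {"service_pub": "svc-pub-demo", "device_id": "dev-01"})
    if tamper:
        resp["service_data"]["device_id"] = "dev-evil"  # altered after signing
    return verify_response(AC_PUB, challenge, resp, requirement, NOW)

if __name__ == "__main__":
    print(run_flow(SMALL_PAYMENT))        # accepted
    print(run_flow(LARGE_PAYMENT))        # too old for a large payment: renew via S301-S307
    print(run_flow(SMALL_PAYMENT, True))  # terminal signature no longer matches
```

Plain Python 3.8 or later is enough. The point worth noticing is that the authentication server repeats the S419 comparison itself rather than trusting the terminal: a modified client that skips S419 could otherwise present a credential that is still inside its validity period but older than the large-payment requirement allows, and only the server's own check against the risk management requirement rejects it.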
Based on the system architecture shown in FIG. 1, refer to FIG. 5, which is a schematic structural diagram of an apparatus for using a local authorization credential according to an embodiment of the present invention. As shown in FIG. 5, the apparatus may include:
a local authorization credential obtaining module 501, configured to obtain the local authorization credential in the terminal when a service request is received, where the service request requires the terminal legality proof and the local authorization credential is a credential authorized by the authentication center and stored in the terminal that can provide the terminal legality proof; and
a service response sending module 502, configured to generate and send a service response corresponding to the service request according to the local authorization credential and the service request, where the service response contains the terminal legality proof.
As a possible implementation, the terminal legality proof contains signature information generated with a local authorization private key together with the local authorization credential, where the local authorization private key is generated and stored locally by the terminal before it sends the request information for obtaining the local authorization credential to the authentication center.
As a possible implementation, the service request is one of a service registration request and a service execution request. When the service request is the service registration request, the service response further includes a service public key; when the service request is the service execution request, the service response further includes signature information generated with a service private key. The service public key and the service private key are generated when the terminal receives the service registration request corresponding to the service execution request, and the signature information generated with the service private key proves that the service execution response was sent by the same terminal that sent the service registration response, where the service execution response is the service response corresponding to the service execution request and the service registration response is the service response corresponding to the service registration request.
As a possible implementation, the service response sending module 502 is specifically configured to: if a first local authorization credential exists in the terminal, the first local authorization credential is within its validity period, and the first local authorization credential meets the service type requirement of the service request, construct the terminal legality proof from the first local authorization credential to generate the service response corresponding to the service request, and send the service response.
As a possible implementation, the service request contains the service type requirement, the service type requirement contains a risk management requirement, the risk management requirement is generated by the service server for the first local authorization credential, and the service request is sent by the service server.
As a possible implementation, the service response sending module 502 is specifically configured to: if no first local authorization credential exists in the terminal, or the first local authorization credential in the terminal has expired, or the first local authorization credential does not meet the service type requirement of the service request, send request information for obtaining a second local authorization credential to the authentication center, so that the authentication center generates the second local authorization credential;
receive and store the second local authorization credential; and
construct the service response corresponding to the service request from the second local authorization credential, and send the service response.
As a possible implementation, the request information for obtaining the second local authorization credential includes at least one of device information and device identity information, an original equipment manufacturer signature, and the local authorization public key, so that the authentication center looks up the stored original equipment manufacturer public key according to the device information or the device identity information, verifies the original equipment manufacturer signature, and generates the second local authorization credential. The local authorization public key is the public key corresponding to the local authorization private key. The device information and the device identity information are information the authentication center requires the terminal to provide when it receives the request information for the second local authorization credential, or information negotiated in advance between the authentication center and the terminal.
As a possible implementation, the first local authorization credential and the second local authorization credential each include a validity period, the local authorization public key and signature information generated with an authentication center private key, where the authentication center private key is generated and kept by the authentication center for generating local authorization credentials.
As a possible implementation, the first local authorization credential and the second local authorization credential further include a credential security level, which the authentication center determines according to the device information; the credential security level is one of the items a service type requirement may specify.
As a possible implementation, the local authorization public key is generated and stored locally by the terminal before it sends the request information for obtaining the first local authorization credential to the authentication center, or before it sends the request information for obtaining the second local authorization credential to the authentication center.
As a possible implementation, the validity period is determined by the authentication center according to the security level of the device, which is determined from the device information. The device information is either carried in the request information the terminal sends to the authentication center for obtaining the first or the second local authorization credential, or looked up by the authentication center in a database according to the device identity information, which is carried in the request information the terminal sends to the authentication center for obtaining the first or the second local authorization credential.
As a possible implementation, the apparatus further includes an indication information detecting module 503, configured to detect whether the service request contains indication information indicating that the terminal legality proof must be provided; if the service request contains such indication information, the local authorization credential obtaining module 501 performs the step of obtaining the local authorization credential in the terminal.
As a possible implementation, the indication information is determined from at least one preset field or from at least one field of the service type requirement.
基于图1所示的系统架构,请参阅图6,如图6所示,图6本发明实施例公开的一种运行上述本地授权凭证的使用方法的终端的结构示意图。如图6所示,该终端可以包括:处理器601、存储器602、通信接口603和总线604。其中:Based on the system architecture shown in FIG. 1, please refer to FIG. 6. As shown in FIG. 6, FIG. 6 is a schematic structural diagram of a terminal for using the method for using the local authorization credential disclosed in the embodiment of the present invention. As shown in FIG. 6, the terminal may include a processor 601, a memory 602, a communication interface 603, and a bus 604. among them:
总线604,用于实现这些组件之间的连接;a bus 604 for implementing a connection between these components;
存储器602中存储有一组程序代码,处理器601用于调用通信接口603执行以下操作:A set of program codes is stored in the memory 602, and the processor 601 is configured to invoke the communication interface 603 to perform the following operations:
在接收到业务请求时,获取终端中的本地授权凭证,所述业务请求要求提供所述终端合法性证明,所述本地授权凭证是由所述认证中心授权并保存在所述终端中能够提供所述终端合法性证明的凭证;Obtaining a local authorization credential in the terminal when the service request is received, where the service request is required to provide the terminal legality certificate, and the local authorization credential is authorized by the authentication center and saved in the terminal to provide the a certificate describing the legality of the terminal;
处理器601还用于调用存储器602中存储的程序代码执行以下操作:The processor 601 is further configured to call the program code stored in the memory 602 to perform the following operations:
根据所述本地授权凭证以及所述业务请求,生成与所述业务请求对应的业务响应,所述业务响应包含所述终端合法性证明;And generating, according to the local authorization credential and the service request, a service response corresponding to the service request, where the service response includes the terminal legality certificate;
通信接口603,还用于发送所述业务响应。The communication interface 603 is further configured to send the service response.
作为一种可能的实施方式,所述终端合法性证明包含使用本地授权私钥生成的签名信息和所述本地授权凭证,所述本地授权私钥为所述终端在向所述认证中心发送用于获取所述本地授权凭证的请求信息之前生成并保存在本地的。As a possible implementation manner, the terminal legality certificate includes signature information generated by using a local authorized private key, and the local authorized private key is sent by the terminal to the authentication center for The request information for obtaining the local authorization credential is generated and saved locally.
作为一种可能的实施方式,所述业务请求为业务注册请求和业务执行请求中的一种,当所述业务请求为所述业务注册请求时,所述业务响应还包括业务公钥,当所述业务请求为所述业务执行请求时,所述业务响应还包括使用业务私钥生成的签名信息,所述业务公钥和所述业务私钥为所述终端接收到所述业务执行请求对应的业务注册请求时生成的,所述使用业务私钥生成的签名信息用于证明业务执行响应是由发送业务注册响应的所述终端发送的,所述业务执行响应为所述业务执行请求对应的业务响应,所述业务注册响应为所述业务注册请求对应的业务响应。As a possible implementation manner, the service request is one of a service registration request and a service execution request, and when the service request is the service registration request, the service response further includes a service public key, where When the service request is a request for the service, the service response further includes signature information generated by using a service private key, where the service public key and the service private key are corresponding to the terminal receiving the service execution request. When the service registration request is generated, the signature information generated by using the service private key is used to prove that the service execution response is sent by the terminal that sends the service registration response, and the service execution response is the service corresponding to the service execution request. In response, the service registration response is a service response corresponding to the service registration request.
In a possible implementation, the processor 601 generating, according to the local authorization credential and the service request, the service response corresponding to the service request specifically includes:
if a first local authorization credential exists in the terminal, the first local authorization credential is within its validity period, and the first local authorization credential satisfies the service type requirement of the service request, constructing the terminal legality proof using the first local authorization credential, so as to generate the service response corresponding to the service request.
In a possible implementation, the service request includes the service type requirement, the service type requirement includes a risk management requirement, the risk management requirement is generated by a service server for the first local authorization credential, and the service request is sent by the service server.
In a possible implementation, the processor 601 generating, according to the local authorization credential and the service request, the service response corresponding to the service request specifically includes:
if no first local authorization credential exists in the terminal, or if the first local authorization credential in the terminal is past its validity period, or if the first local authorization credential does not satisfy the service type requirement of the service request, the terminal sends the authentication center request information for obtaining a second local authorization credential, so that the authentication center generates the second local authorization credential;
the terminal receives and stores the second local authorization credential;
the terminal constructs the service response corresponding to the service request using the second local authorization credential, and sends the service response.
In a possible implementation, the request information for obtaining the second local authorization credential includes at least one of device information and device identity information, signature information generated with an original equipment manufacturer (OEM) private key, and a local authorization public key, so that the authentication center looks up the stored OEM public key according to the device information or the device identity information, verifies the signature information generated with the OEM private key, and generates the second local authorization credential. The local authorization public key is the public key corresponding to the local authorization private key. The device information and the device identity information are information that the authentication center requires the terminal to provide when it receives the request information for the second local authorization credential, or information negotiated in advance between the authentication center and the terminal.
In a possible implementation, the first local authorization credential and the second local authorization credential include a validity period, the local authorization public key, and signature information generated with an authentication center private key, where the authentication center private key is generated and stored by the authentication center and is used to generate the local authorization credentials.
In a possible implementation, the first local authorization credential and the second local authorization credential further include a credential security level, which the authentication center determines according to the device information; the credential security level is one kind of service type requirement.
In a possible implementation, the local authorization public key is generated by the terminal and stored locally before the terminal sends the authentication center the request information for obtaining the first local authorization credential, or before the terminal sends the authentication center the request information for obtaining the second local authorization credential.
In a possible implementation, the validity period is determined by the authentication center according to the security level of the device, and the security level of the device is determined from the device information. The device information is either carried in the request information that the terminal sends to the authentication center for obtaining the first local authorization credential or the second local authorization credential, or looked up by the authentication center in a database according to device identity information, where the device identity information is carried in the request information that the terminal sends to the authentication center for obtaining the first local authorization credential or the second local authorization credential.
In a possible implementation, the processor 601 is further configured to call the program code stored in the memory 602 to perform the following operation:
detecting whether the service request includes indication information indicating that the terminal legality proof is to be provided; if the service request includes the indication information indicating that the terminal legality proof is to be provided, performing the step of obtaining the local authorization credential in the terminal.
In a possible implementation, the indication information is determined according to at least one preset field or according to at least one field in the service type requirement.
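The implementation above, and claims 1 to 13 below which recite the same steps, describe a three-party exchange: the terminal holds an OEM-provisioned key and a locally generated authorization key pair; the authentication center looks up the stored OEM public key for the device, verifies the OEM signature on the request, and issues a credential that binds the local authorization public key to a validity period and a credential security level under the authentication center's own signature; the terminal reuses that credential while it exists, is unexpired and meets the service type requirement, and otherwise requests a second one; and the service server checks the resulting proof. The following Go program is an added example written for this page, not code from the patent or from Huawei. It uses Ed25519 from the standard library; the byte encodings of the signed messages, the policy mapping security level to validity period, the device identity "dev-0001" and all type and function names are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"time"
)

// Credential is the local authorization credential the claims describe: a validity period, the local
// authorization public key, a credential security level, and a signature by the authentication center.
type Credential struct {
	NotAfter      int64
	LocalPub      ed25519.PublicKey
	SecurityLevel uint8
	CASig         []byte
}

// tbs is the byte string the authentication center signs (this encoding is an assumption).
func (c *Credential) tbs() []byte {
	b := make([]byte, 9, 9+len(c.LocalPub))
	binary.BigEndian.PutUint64(b, uint64(c.NotAfter))
	b[8] = c.SecurityLevel
	return append(b, c.LocalPub...)
}

// AuthCenter: CA key pair plus, per device identity, the stored OEM public key and security level on file.
type AuthCenter struct {
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	oemPubs map[string]ed25519.PublicKey
	levels  map[string]uint8
	Now     func() time.Time
}

// Issue handles a credential request (device identity, local authorization public key, OEM signature over
// both): verify the OEM signature with the stored OEM public key, then sign a credential whose validity
// period follows the security level (assumed policy: 1 day at level 0, 7 days at level 1).
func (ac *AuthCenter) Issue(deviceID string, localPub ed25519.PublicKey, oemSig []byte) (*Credential, error) {
	oemPub, ok := ac.oemPubs[deviceID]
	if !ok || !ed25519.Verify(oemPub, append([]byte(deviceID), localPub...), oemSig) {
		return nil, errors.New("OEM signature rejected")
	}
	level := ac.levels[deviceID]
	exp := ac.Now().Add(time.Duration(1+6*int(level)) * 24 * time.Hour).Unix()
	c := &Credential{NotAfter: exp, LocalPub: localPub, SecurityLevel: level}
	c.CASig = ed25519.Sign(ac.priv, c.tbs())
	return c, nil
}

// Terminal: OEM-provisioned private key, local authorization key pair, and the stored credential.
type Terminal struct {
	deviceID  string
	oemPriv   ed25519.PrivateKey
	localPriv ed25519.PrivateKey
	cred      *Credential
	Now       func() time.Time
}

// usable is the claims' three-part check: a credential exists, is within validity, meets the requirement.
func (t *Terminal) usable(minLevel uint8) bool {
	return t.cred != nil && t.Now().Unix() < t.cred.NotAfter && t.cred.SecurityLevel >= minLevel
}

// Respond answers a service request demanding a legality proof for a challenge at a minimum security
// level. A second credential is fetched only when the first is missing, expired or insufficient; the
// proof is the credential plus a signature made with the local authorization private key.
func (t *Terminal) Respond(ac *AuthCenter, challenge []byte, minLevel uint8) (*Credential, []byte, error) {
	if !t.usable(minLevel) {
		pub := t.localPriv.Public().(ed25519.PublicKey)
		c, err := ac.Issue(t.deviceID, pub, ed25519.Sign(t.oemPriv, append([]byte(t.deviceID), pub...)))
		if err != nil {
			return nil, nil, err
		}
		t.cred = c
		if !t.usable(minLevel) {
			return nil, nil, errors.New("issued credential still below the service type requirement")
		}
	}
	return t.cred, ed25519.Sign(t.localPriv, challenge), nil
}

// VerifyProof is the service server's side: CA signature, validity, level, then the terminal's signature.
func VerifyProof(caPub ed25519.PublicKey, c *Credential, challenge, sig []byte, minLevel uint8, now time.Time) bool {
	return c != nil && ed25519.Verify(caPub, c.tbs(), c.CASig) && now.Unix() < c.NotAfter &&
		c.SecurityLevel >= minLevel && ed25519.Verify(c.LocalPub, challenge, sig)
}

// NewScenario provisions one authentication center and one terminal (constructed identity "dev-0001",
// registered at the given security level) with fresh keys and a shared injectable clock.
func NewScenario(now func() time.Time, level uint8) (*AuthCenter, *Terminal) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	oemPub, oemPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, localPriv, _ := ed25519.GenerateKey(rand.Reader)
	ac := &AuthCenter{priv: caPriv, Pub: caPub, Now: now,
		oemPubs: map[string]ed25519.PublicKey{"dev-0001": oemPub}, levels: map[string]uint8{"dev-0001": level}}
	return ac, &Terminal{deviceID: "dev-0001", oemPriv: oemPriv, localPriv: localPriv, Now: now}
}
```

Two points the claims leave implicit are made concrete here: the service server must verify the authentication center's signature over the whole credential before trusting the public key carried inside it, and the validity check is performed on both sides, so an expired credential is rejected by the server even if the terminal fails to refresh it. The clock is injected so that the expiry and re-issue path can be exercised deterministically.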
An embodiment of the present invention further discloses a readable storage medium that stores program code used by the apparatus and/or the terminal to execute the method of using a local authorization credential shown in FIG. 2 and FIG. 3.
The foregoing embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented by a software program, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the procedures or functions according to the embodiments of the present invention are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server or data center to another website, computer, server or data center by wired means (for example, coaxial cable, optical fibre, or digital subscriber line (DSL)) or wireless means (for example, infrared, radio, or microwave). The computer-readable storage medium may be any usable medium accessible to a computer, or a data storage device such as a server or data center that integrates one or more usable media. The usable medium may be a magnetic medium (for example, a floppy disk, a hard disk, or a magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium (for example, a solid state disk (SSD)).
A person of ordinary skill in the art will understand that all or some of the steps of the methods in the foregoing embodiments may be completed by a program instructing related hardware. The program may be stored in a readable storage medium, and the storage medium may include a flash drive, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.

Claims (28)

  1. A method for using a local authorization credential in a terminal, characterized in that it comprises:
    when the terminal receives a service request, obtaining a local authorization credential in the terminal, wherein the service request requires that a terminal legality proof be provided, and the local authorization credential is a credential authorized by an authentication center and stored in the terminal that is capable of providing the terminal legality proof;
    the terminal generating and sending, according to the local authorization credential and the service request, a service response corresponding to the service request, wherein the service response includes the terminal legality proof.
  2. The method according to claim 1, characterized in that the terminal legality proof includes signature information generated with a local authorization private key and the local authorization credential, wherein the local authorization private key is generated by the terminal and stored locally before the terminal sends the authentication center request information for obtaining the local authorization credential.
  3. The method according to claim 1, characterized in that the service request is one of a service registration request and a service execution request; when the service request is the service registration request, the service response further includes a service public key; when the service request is the service execution request, the service response further includes signature information generated with a service private key; the service public key and the service private key are generated when the terminal receives the service registration request corresponding to the service execution request; and the signature information generated with the service private key is used to prove that the service execution response is sent by the same terminal that sent the service registration response, wherein the service execution response is the service response corresponding to the service execution request and the service registration response is the service response corresponding to the service registration request.
  4. The method according to claim 1, characterized in that the terminal generating and sending, according to the local authorization credential and the service request, the service response corresponding to the service request specifically comprises:
    if a first local authorization credential exists in the terminal, the first local authorization credential is within its validity period, and the first local authorization credential satisfies the service type requirement of the service request, constructing the terminal legality proof using the first local authorization credential, so as to generate the service response corresponding to the service request, and sending the service response.
  5. The method according to claim 4, characterized in that the service request includes the service type requirement, the service type requirement includes a risk management requirement, the risk management requirement is generated by a service server for the first local authorization credential, and the service request is sent by the service server.
  6. The method according to claim 2, characterized in that the terminal generating and sending, according to the local authorization credential and the service request, the service response corresponding to the service request specifically comprises:
    if no first local authorization credential exists in the terminal, or if the first local authorization credential in the terminal is past its validity period, or if the first local authorization credential does not satisfy the service type requirement of the service request, the terminal sending the authentication center request information for obtaining a second local authorization credential, so that the authentication center generates the second local authorization credential;
    the terminal receiving and storing the second local authorization credential;
    the terminal constructing the service response corresponding to the service request using the second local authorization credential, and sending the service response.
  7. The method according to claim 6, characterized in that the request information for obtaining the second local authorization credential includes at least one of device information and device identity information, signature information generated with an original equipment manufacturer (OEM) private key, and a local authorization public key, so that the authentication center looks up the stored OEM public key according to the device information or the device identity information, verifies the signature information generated with the OEM private key, and generates the second local authorization credential; the local authorization public key is the public key corresponding to the local authorization private key; and the device information and the device identity information are information that the authentication center requires the terminal to provide when it receives the request information for the second local authorization credential, or information negotiated in advance between the authentication center and the terminal.
  8. The method according to claim 7, characterized in that the first local authorization credential and the second local authorization credential include a validity period, the local authorization public key, and signature information generated with an authentication center private key, wherein the authentication center private key is generated by the authentication center, stored in the authentication center, and used to generate the local authorization credential.
  9. The method according to claim 8, characterized in that the first local authorization credential and the second local authorization credential further include a credential security level, the credential security level being determined by the authentication center according to the device information, and the credential security level is one kind of service type requirement.
  10. The method according to claim 8, characterized in that the local authorization public key is generated by the terminal and stored locally before the terminal sends the authentication center the request information for obtaining the first local authorization credential, or before the terminal sends the authentication center the request information for obtaining the second local authorization credential.
  11. The method according to any one of claims 4 to 10, characterized in that the validity period is determined by the authentication center according to the security level of the device, the security level of the device being determined from the device information, wherein the device information is carried in the request information that the terminal sends to the authentication center for obtaining the first local authorization credential or the second local authorization credential, or the device information is looked up by the authentication center in a database according to device identity information, the device identity information being carried in the request information that the terminal sends to the authentication center for obtaining the first local authorization credential or the second local authorization credential.
  12. The method according to any one of claims 4 to 10, characterized in that, when the service request is received, the method further comprises:
    detecting whether the service request includes indication information indicating that the terminal legality proof is to be provided, and if the service request includes the indication information indicating that the terminal legality proof is to be provided, performing the step of obtaining the local authorization credential in the terminal.
  13. The method according to claim 12, characterized in that the indication information is determined according to at least one preset field or according to at least one field in the service type requirement.
  14. An apparatus for using a local authorization credential, characterized in that it comprises:
    a local authorization credential obtaining module, configured to obtain, when a service request is received, a local authorization credential in a terminal, wherein the service request requires that a terminal legality proof be provided, and the local authorization credential is a credential authorized by an authentication center and stored in the terminal that is capable of providing the terminal legality proof;
    a service response sending module, configured to generate and send, according to the local authorization credential and the service request, a service response corresponding to the service request, wherein the service response includes the terminal legality proof.
  15. The apparatus according to claim 14, characterized in that the terminal legality proof includes signature information generated with a local authorization private key and the local authorization credential, wherein the local authorization private key is generated by the terminal and stored locally before the terminal sends the authentication center request information for obtaining the local authorization credential.
  16. The apparatus according to claim 14, characterized in that the service request is one of a service registration request and a service execution request; when the service request is the service registration request, the service response further includes a service public key; when the service request is the service execution request, the service response further includes signature information generated with a service private key; the service public key and the service private key are generated when the terminal receives the service registration request corresponding to the service execution request; and the signature information generated with the service private key is used to prove that the service execution response is sent by the same terminal that sent the service registration response, wherein the service execution response is the service response corresponding to the service execution request and the service registration response is the service response corresponding to the service registration request.
  17. The apparatus according to claim 14, characterized in that the service response sending module is specifically configured to: if a first local authorization credential exists in the terminal, the first local authorization credential is within its validity period, and the first local authorization credential satisfies the service type requirement of the service request, construct the terminal legality proof using the first local authorization credential, so as to generate the service response corresponding to the service request, and send the service response.
  18. The apparatus according to claim 17, characterized in that the service request includes the service type requirement, the service type requirement includes a risk management requirement, the risk management requirement is generated by a service server for the first local authorization credential, and the service request is sent by the service server.
  19. The apparatus according to claim 15, characterized in that the service response sending module is specifically configured to: if no first local authorization credential exists in the terminal, or if the first local authorization credential in the terminal is past its validity period, or if the first local authorization credential does not satisfy the service type requirement of the service request, send the authentication center request information for obtaining a second local authorization credential, so that the authentication center generates the second local authorization credential;
    receive and store the second local authorization credential;
    construct the service response corresponding to the service request using the second local authorization credential, and send the service response.
  20. The apparatus according to claim 19, characterized in that the request information for obtaining the second local authorization credential includes at least one of device information and device identity information, a signature generated with an original equipment manufacturer (OEM) private key, and a local authorization public key, so that the authentication center looks up the stored OEM public key according to the device information or the device identity information, verifies the OEM signature, and generates the second local authorization credential; the local authorization public key is the public key corresponding to the local authorization private key; and the device information and the device identity information are information that the authentication center requires the terminal to provide when it receives the request information for the second local authorization credential, or information negotiated in advance between the authentication center and the terminal.
  21. The apparatus according to claim 20, characterized in that the first local authorization credential and the second local authorization credential include a validity period, the local authorization public key, and signature information generated with an authentication center private key, wherein the authentication center private key is generated by the authentication center, stored in the authentication center, and used to generate the local authorization credential.
  22. The apparatus according to claim 21, characterized in that the first local authorization credential and the second local authorization credential further include a credential security level, the credential security level being determined by the authentication center according to the device information, and the credential security level is one kind of service type requirement.
  23. The apparatus according to claim 21, characterized in that the local authorization public key is generated by the terminal and stored locally before the terminal sends the authentication center the request information for obtaining the first local authorization credential, or before the terminal sends the authentication center the request information for obtaining the second local authorization credential.
  24. The apparatus according to any one of claims 17 to 23, characterized in that the validity period is determined by the authentication center according to the security level of the device, the security level of the device being determined from the device information, wherein the device information is carried in the request information that the terminal sends to the authentication center for obtaining the first local authorization credential or the second local authorization credential, or the device information is looked up by the authentication center in a database according to device identity information, the device identity information being carried in the request information that the terminal sends to the authentication center for obtaining the first local authorization credential or the second local authorization credential.
  25. The apparatus according to any one of claims 17 to 23, characterized in that the apparatus further comprises:
    an indication information detection module, configured to detect whether the service request includes indication information indicating that the terminal legality proof is to be provided, and, if the service request includes the indication information indicating that the terminal legality proof is to be provided, the local authorization credential obtaining module performs the step of obtaining the local authorization credential in the terminal.
  26. The apparatus according to claim 25, characterized in that the indication information is determined according to at least one preset field or according to at least one field in the service type requirement.
  27. A computer-readable storage medium comprising instructions which, when run on a computer, cause the computer to perform the method according to claims 1 to 13.
  28. A terminal, characterized in that the terminal comprises: a processor, a memory, a communication interface, and a bus;
    the processor, the communication interface, and the memory communicate with one another through the bus;
    the communication interface is configured to receive and send data;
    the memory is configured to store instructions;
    the processor is configured to invoke the instructions in the memory to perform the method according to any one of claims 1 to 13.
PCT/CN2017/078605 2016-12-02 2017-03-29 Method and device of using local authorization certificate in terminal WO2018098950A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201780009062.0A CN108604990A (en) 2016-12-02 2017-03-29 The application method and device of local authorized certificate in terminal

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201611097424.X 2016-12-02
CN201611097424 2016-12-02

Publications (1)

Publication Number Publication Date
WO2018098950A1 true WO2018098950A1 (en) 2018-06-07

Family

ID=62242301

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/078605 WO2018098950A1 (en) 2016-12-02 2017-03-29 Method and device of using local authorization certificate in terminal

Country Status (2)

Country Link
CN (1) CN108604990A (en)
WO (1) WO2018098950A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113673000A (en) * 2020-03-25 2021-11-19 支付宝(杭州)信息技术有限公司 Operation method and device of trusted program in TEE
CN114124494A (en) * 2021-11-12 2022-03-01 中国联合网络通信集团有限公司 Data processing method, device, equipment and storage medium
CN114448725A (en) * 2022-03-22 2022-05-06 北京一砂信息技术有限公司 Equipment authentication method, system and storage medium
CN115150154A (en) * 2022-06-30 2022-10-04 深圳希施玛数据科技有限公司 User login authentication method and related device

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114124404B (en) * 2021-11-12 2023-07-07 中国联合网络通信集团有限公司 Data processing method, device, server and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140325232A1 (en) * 2013-04-30 2014-10-30 Unisys Corporation Requesting and storing certificates for secure connection validation
CN104703170A (en) * 2013-12-05 2015-06-10 华为终端有限公司 Methods and equipment for downloading file of operator
CN104901806A (en) * 2014-12-29 2015-09-09 腾讯科技(深圳)有限公司 Method, device and system for processing virtual resources

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1866816A (en) * 2006-01-25 2006-11-22 华为技术有限公司 Mobile terminal root certificate maintaining method, system and mobile terminal
CN101127599B (en) * 2006-08-18 2011-05-04 华为技术有限公司 An identity and right authentication method and system and a biological processing unit
CN101136748B (en) * 2006-08-31 2012-03-07 普天信息技术研究院 Identification authentication method and system
CN101291220B (en) * 2007-04-16 2010-08-18 华为技术有限公司 System, device and method for identity security authentication
CN101582765B (en) * 2009-06-29 2012-02-15 北京交通大学 User bound portable trusted mobile device
CN101872396A (en) * 2010-06-04 2010-10-27 北京播思软件技术有限公司 Method for multipoint safety certificate libraries and safety authentication for mobile device
US9078128B2 (en) * 2011-06-03 2015-07-07 Apple Inc. System and method for secure identity service
CN103945374A (en) * 2013-01-18 2014-07-23 深圳市华营数字商业有限公司 Method of mobile terminal equipment and user authentication based on PKI technology
CN105281908B (en) * 2014-07-23 2019-08-06 阿里巴巴集团控股有限公司 USB Key, USB Key digital certificate wiring method and device

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113673000A (en) * 2020-03-25 2021-11-19 支付宝(杭州)信息技术有限公司 Operation method and device of trusted program in TEE
CN113673000B (en) * 2020-03-25 2024-03-08 支付宝(杭州)信息技术有限公司 Method and device for operating trusted program in TEE
CN114124494A (en) * 2021-11-12 2022-03-01 中国联合网络通信集团有限公司 Data processing method, device, equipment and storage medium
CN114124494B (en) * 2021-11-12 2023-06-30 中国联合网络通信集团有限公司 Data processing method, device, equipment and storage medium
CN114448725A (en) * 2022-03-22 2022-05-06 北京一砂信息技术有限公司 Equipment authentication method, system and storage medium
CN115150154A (en) * 2022-06-30 2022-10-04 深圳希施玛数据科技有限公司 User login authentication method and related device
CN115150154B (en) * 2022-06-30 2023-05-26 深圳希施玛数据科技有限公司 User login authentication method and related device

Also Published As

Publication number Publication date
CN108604990A (en) 2018-09-28

Similar Documents

Publication Publication Date Title
TWI667585B (en) Method and device for safety authentication based on biological characteristics
US9537661B2 (en) Password-less authentication service
TWI792320B (en) Query system, method and non-transitory machine-readable medium to determine authentication capabilities
US9166966B2 (en) Apparatus and method for handling transaction tokens
WO2018098950A1 (en) Method and device of using local authorization certificate in terminal
US8572686B2 (en) Method and apparatus for object transaction session validation
JP6963609B2 (en) Transparency Multi-Factor Authentication and Security Initiatives Systems and Methods for Posture Checks
US8990572B2 (en) Methods and systems for conducting smart card transactions
US20160125180A1 (en) Near Field Communication Authentication Mechanism
KR101941227B1 (en) A FIDO authentication device capable of identity confirmation or non-repudiation and the method thereof
US8806602B2 (en) Apparatus and method for performing end-to-end encryption
JP2017519412A (en) Enhanced security for authentication device registration
JP2016524248A (en) Method and system for protecting identity information from theft or copying
US8572690B2 (en) Apparatus and method for performing session validation to access confidential resources
US8752157B2 (en) Method and apparatus for third party session validation
US9894062B2 (en) Object management for external off-host authentication processing systems
US8572724B2 (en) Method and apparatus for network session validation
US8850515B2 (en) Method and apparatus for subject recognition session validation
CN110869928A (en) Authentication system and method
US8572688B2 (en) Method and apparatus for session validation to access third party resources
US8584201B2 (en) Method and apparatus for session validation to access from uncontrolled devices
US20130047262A1 (en) Method and Apparatus for Object Security Session Validation
US8726340B2 (en) Apparatus and method for expert decisioning
KR20140042222A (en) User identity authentication method using mobile terminal
US20210136064A1 (en) Secure use of authoritative data within biometry based digital identity authentication and verification

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 17875183; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 17875183; Country of ref document: EP; Kind code of ref document: A1