WO2021168652A1 - Terminal device information transmission method, device fingerprint generation method, and related product - Google Patents


Info

Publication number
WO2021168652A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal device
asymmetric encryption
key
probe server
data
Prior art date
Application number
PCT/CN2020/076605
Other languages
French (fr)
Chinese (zh)
Inventor
郭子亮
Original Assignee
深圳市欢太科技有限公司
Oppo广东移动通信有限公司
Priority date
Filing date
Publication date
Application filed by 深圳市欢太科技有限公司, Oppo广东移动通信有限公司 filed Critical 深圳市欢太科技有限公司
Priority to PCT/CN2020/076605 priority Critical patent/WO2021168652A1/en
Priority to CN202080095150.9A priority patent/CN115039376A/en
Publication of WO2021168652A1 publication Critical patent/WO2021168652A1/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • This application relates to the field of terminal technology, and in particular to a method for transmitting terminal device information, a method for generating device fingerprints, and related products.
  • fingerprint generation refers to the process of creating unique identifiers for various types of electronic data. When the technique is used to identify a single user or device, the identifiers are called device fingerprints. Essentially, the process involves collecting information about smartphones, computers, or other devices. Sometimes, even if the user hides the Internet Protocol (IP) address or changes the browser, the device can still be identified through its fingerprint.
  • risk probe systems have been used to evaluate terminal device risk, analyze legitimate network traffic, and detect potential fraud.
  • the risk probe system is deployed in a private cloud.
  • the business side client triggers the risk probe to collect device information and upload it to the back end of the business side; the back end of the business side parses, cleans, and filters the reported data, and then forwards the agreed data to the risk probe back end;
  • the risk probe back end receives and parses data, and generates device fingerprints;
  • the risk probe back end performs equipment risk assessment based on the existing equipment information database, and returns the assessment results to the business side back end.
  • the embodiments of the present application provide a terminal device information transmission method, a device fingerprint generation method, and related products, which can improve the security of terminal device information transmission.
  • the first aspect of the embodiments of the present application provides a method for transmitting terminal device information, including:
  • the terminal device obtains the data signature and the device identification signature from the hardware security zone;
  • the terminal device generates a symmetric encryption key, collects terminal device information, and uses the symmetric encryption key to perform symmetric encryption on the terminal device information, the data signature, and the device identification signature to obtain encrypted data;
  • the terminal device uses an asymmetric encryption public key to perform asymmetric encryption processing on the symmetric encryption key to obtain an asymmetric encryption key; the asymmetric encryption public key is obtained by the terminal device from the risk probe server;
  • the terminal device reports asymmetric encrypted data to the risk probe server;
  • the asymmetric encrypted data includes the encrypted data, the asymmetric encryption key, and the asymmetric encryption public key;
  • the terminal device receives the token sent by the risk probe server, and stores the token at the local end, where the token is the token corresponding to the device fingerprint generated by the risk probe server according to the encrypted data, the asymmetric encryption key, and the asymmetric encryption public key.
  • the second aspect of the embodiments of the present application provides a device fingerprint generation method, including:
  • the risk probe server receives the secret key acquisition request sent by the terminal device, and sends an asymmetric encryption public key to the terminal device; the asymmetric encryption public key is used for the terminal device to encrypt using an asymmetric encryption method;
  • the risk probe server receives the asymmetric encryption data sent by the terminal device, and decrypts the asymmetric encryption data with the asymmetric encryption private key corresponding to the asymmetric encryption public key to obtain terminal device information;
  • the risk probe server generates a device fingerprint and a token corresponding to the device fingerprint based on the terminal device information.
  • a third aspect of the embodiments of the present application provides a terminal device information transmission apparatus, including:
  • the obtaining unit is used to obtain the data signature and the device identification signature from the hardware security zone;
  • the first generating unit is used to generate a symmetric encryption key;
  • the collection unit is used to collect terminal equipment information;
  • the first encryption unit is configured to use the symmetric encryption key to perform symmetric encryption on the terminal device information, the data signature, and the device identification signature to obtain encrypted data;
  • the first encryption unit is further configured to use an asymmetric encryption public key to perform asymmetric encryption processing on the symmetric encryption key to obtain an asymmetric encryption key; the asymmetric encryption public key is obtained from the risk probe server;
  • the first communication unit is configured to report asymmetric encrypted data to the risk probe server;
  • the asymmetric encrypted data includes the encrypted data, the asymmetric encryption key, and the asymmetric encryption public key;
  • the first communication unit is further configured to receive a token sent by the risk probe server;
  • the storage unit is configured to store the token at the local end, where the token is the token corresponding to the device fingerprint generated by the risk probe server according to the encrypted data, the asymmetric encryption key, and the asymmetric encryption public key.
  • the fourth aspect of the embodiments of the present application provides a device fingerprint generation device, including:
  • the second communication unit is configured to receive a secret key acquisition request sent by a terminal device, and send an asymmetric encryption public key to the terminal device; the asymmetric encryption public key is used for the terminal device to perform encryption in an asymmetric encryption manner;
  • the second communication unit is further configured to receive asymmetric encrypted data sent by the terminal device
  • the second encryption unit is configured to use the asymmetric encryption private key corresponding to the asymmetric encryption public key to decrypt the asymmetric encryption data to obtain terminal device information;
  • the second generating unit is configured to generate a device fingerprint and a token corresponding to the device fingerprint based on the terminal device information.
  • a fifth aspect of the embodiments of the present application provides a terminal device, including a processor and a memory, where the memory is used to store a computer program, the computer program includes program instructions, and the processor is configured to call the program instructions to execute the step instructions in the first aspect of the embodiments of the present application.
  • a sixth aspect of the embodiments of the present application provides a server, including a processor and a memory, where the memory is used to store a computer program, the computer program includes program instructions, and the processor is configured to call the program instructions to execute the step instructions in the second aspect of the embodiments of the present application.
  • a seventh aspect of the embodiments of the present application provides a computer-readable storage medium, where the computer-readable storage medium stores a computer program for electronic data exchange, and the computer program causes a computer to execute some or all of the steps described in the first aspect.
  • an eighth aspect of the embodiments of the present application provides a computer-readable storage medium, where the computer-readable storage medium stores a computer program for electronic data exchange, and the computer program causes a computer to execute some or all of the steps described in the second aspect.
  • the ninth aspect of the embodiments of the present application provides a computer program product, wherein the computer program product includes a non-transitory computer-readable storage medium storing a computer program, and the computer program is operable to cause a computer to execute as implemented in this application.
  • the computer program product may be a software installation package.
  • the tenth aspect of the embodiments of the present application provides a computer program product, wherein the computer program product includes a non-transitory computer-readable storage medium storing a computer program, and the computer program is operable to make a computer execute part or all of the steps described in the second aspect.
  • the computer program product may be a software installation package.
  • the terminal device obtains the data signature and the device identification signature from the hardware security zone; the terminal device generates a symmetric encryption key, collects terminal device information, and uses the symmetric encryption key to symmetrically encrypt the terminal device information, the data signature, and the device identification signature to obtain encrypted data; the terminal device uses an asymmetric encryption public key to perform asymmetric encryption on the symmetric encryption key to obtain an asymmetric encryption key; the asymmetric encryption public key is obtained by the terminal device from the risk probe server; the terminal device reports the asymmetric encrypted data to the risk probe server; the asymmetric encrypted data includes the encrypted data, the asymmetric encryption key, and the asymmetric encryption public key; the terminal device receives the token sent by the risk probe server and stores the token at the local end, where the token is the token corresponding to the device fingerprint generated by the risk probe server according to the encrypted data, the asymmetric encryption key, and the asymmetric encryption public key.
  • the terminal device sends asymmetric encrypted data containing terminal device information to the risk probe server. Since the data signature and the device identification signature are obtained from the hardware security zone, the security of the data signature and the device identification signature is ensured, and the security of the data sent by the terminal device is ensured. Since a symmetric encryption key is used to symmetrically encrypt the terminal device information, the data signature, and the device identification signature, and an asymmetric encryption public key is used to asymmetrically encrypt the symmetric encryption key to obtain the asymmetric encryption key, the security of the asymmetric encrypted data sent by the terminal device to the risk probe server is ensured, as is the security of the data received by the risk probe server. In the process of terminal device information transmission, both the data sending end and the data receiving end ensure the security of the transmitted data, so that the security of terminal device information transmission can be improved.
  • FIG. 1 is a schematic structural diagram of a risk probe system provided by an embodiment of the present application
  • FIG. 2 is a schematic flowchart of a method for transmitting terminal device information according to an embodiment of the present application
  • FIG. 3 is a schematic flowchart of a method for generating device fingerprints according to an embodiment of the present application
  • FIG. 4 is a schematic flowchart of another method for generating device fingerprints according to an embodiment of the present application.
  • FIG. 5 is a schematic flowchart of another method for generating device fingerprints according to an embodiment of the present application.
  • FIG. 6 is a schematic flowchart of another device fingerprint generation method provided by an embodiment of the present application.
  • FIG. 7 is a schematic flowchart of another device fingerprint generation method provided by an embodiment of the present application.
  • FIG. 8 is a schematic diagram of a service access process provided by an embodiment of the present application.
  • FIG. 9 is a schematic structural diagram of a terminal device information transmission apparatus provided by an embodiment of the application.
  • FIG. 10 is a schematic structural diagram of an apparatus for generating device fingerprints according to an embodiment of this application.
  • FIG. 11 is a schematic structural diagram of a terminal device provided by an embodiment of the present application.
  • FIG. 12 is a schematic structural diagram of a server provided by an embodiment of the present application.
  • the terminal devices involved in the embodiments of the present application may include various handheld devices with wireless communication functions, vehicle-mounted devices, wearable devices, computing devices or other processing devices connected to wireless modems, as well as various forms of user equipment (user equipment).
  • FIG. 1 is a schematic structural diagram of a risk probe system provided by an embodiment of the present application, which includes a risk probe server 100 and at least one terminal device 101 communicatively connected with the risk probe server 100.
  • a client may be installed on the terminal device 101, and a risk probe server may be installed on the risk probe server 100.
  • the client refers to the program that corresponds to the risk probe server and provides customers with local services.
  • the risk probe server is also a program installed on the risk probe server.
  • the risk probe server serves the client.
  • the content of the service includes, for example, providing computing or application services to the client, providing resources to the client, and saving client data; for example, the risk probe server can provide the client with risk assessment services for terminal devices.
  • the risk probe server 100 can directly establish a communication connection with the terminal device 101 via the Internet, and the risk probe server 100 can also establish a communication connection with the terminal device 101 via other servers via the Internet.
  • the embodiments of this application do not make limitations.
  • the risk detection server in the embodiment of the present application may have the following functions: (1) Generate a unique identification of the terminal device: a fingerprint of the terminal device. (2) Based on big data, classify the business type tendency of terminal equipment, and conduct risk assessment of terminal equipment.
  • FIG. 2 is a schematic flowchart of a method for transmitting terminal device information according to an embodiment of the present application.
  • the terminal device information transmission method may include the following steps.
  • the terminal device obtains a data signature and a device identification signature from the hardware security zone.
  • the terminal device can support rich execution environment (REE) operation; general-purpose operating systems such as Android, iOS, and Linux are REEs.
  • REE can provide all the functions of the device for the upper application (App).
  • App is open, extensible and universal.
  • the application provided by REE is RA.
  • the terminal device can also support trusted execution environment (TEE) operation.
  • TEE is protected by hardware mechanism, and TEE is isolated from REE.
  • the application provided by TEE is Trusted Application (TA).
  • the REE can only communicate with the TA in the TEE through a specific entrance.
  • the TEE has hardware exclusivity. When the TEE is running, the TEE can use all the performance of the central processing unit (CPU) of the terminal device.
  • TEE also has a fast communication mechanism.
  • TEE can access the memory of REE, but REE cannot access the memory of TEE protected by hardware. Multiple TAs can run simultaneously in TEE.
  • TA is an application in TEE.
  • TEE belongs to an independent hardware security zone. Even if Android OS is rooted or ROM is flashed, it will not affect the security of TEE.
  • RA in REE can obtain data signature SIGN1 and equipment identification signature SIGN2 from TA.
  • the data signature SIGN1 is the signature of the key field set (KeyFieldSet) data of the terminal device information;
  • the KeyFieldSet is a subset of the terminal device information (InformationSet, InfoSet).
  • the equipment identification signature SIGN2 is the signature of the unique identification of the terminal equipment. Since the device identification at the software layer is unreliable and there is a risk of being tampered with, the device identification in the embodiment of the present application is generated in the hardware security zone, and a unique device identification is maintained in the hardware security zone.
  • the RA in REE can guarantee the security of its preset key, signature and uniqueness of device fingerprint.
  • the data signature and the device identification signature are obtained by the hardware security zone through encryption using a message digest algorithm.
  • the TA in the hardware security zone generates a random number TRAN through the hardware in the hardware security zone, and signs (KeyFieldSet+TRAN) and (sk_2) respectively to obtain the data signature SIGN1 and the device identification signature SIGN2; then, (SIGN1+SIGN2+TRAN) is asymmetrically encrypted (the key is pk_1) to obtain EncSign; the TA returns the encryption result EncSign to the RA on the terminal device.
  • sk_2 is the unique identifier of the terminal device.
  • sk_2 can be considered as the private key in the key pair
  • pk_2 is the public key corresponding to sk_2 in the key pair.
  • the TA can sign (KeyFieldSet+TRAN) and (sk_2) separately using MD5.
  • the terminal device generates a symmetric encryption key, collects terminal device information, and uses the symmetric encryption key to perform symmetric encryption on the terminal device information, data signature, and device identification signature to obtain encrypted data.
  • the terminal device can randomly generate a symmetric encryption key (key) through software.
  • the terminal device can randomly generate a symmetric encryption key through a rich application (Rich Application, RA) provided by a rich execution environment (REE) using a random number generation method.
  • the RA in the REE can generate a symmetric encryption key.
  • the terminal device may collect terminal device information through the RA in the TEE.
  • Terminal device information may include terminal device hardware information, system information, operating environment information, network information, and so on.
  • the symmetric encryption key (key) is generated by the terminal device in step 201.
  • when encrypting, the symmetric encryption key (key) is used to symmetrically encrypt the terminal device information InfoSet, the data signature SIGN1, and the device identification signature SIGN2 to obtain the encrypted data (EnData); when decrypting, the symmetric encryption key (key) is used to decrypt the encrypted data (EnData) and obtain the terminal device information InfoSet, the data signature SIGN1, and the device identification signature SIGN2.
  • the terminal device uses the asymmetric encryption public key to perform asymmetric encryption processing on the symmetric encryption key to obtain the asymmetric encryption key; the asymmetric encryption public key is obtained by the terminal device from the risk probe server.
  • the embodiment of the present application uses the asymmetric encryption public key (pk_1) to perform asymmetric encryption processing on the symmetric encryption key (key) to obtain the asymmetric encryption key (Enkey).
  • the asymmetric encryption public key is then used to encrypt the symmetric encryption key, which can further improve the security of data transmission.
  • the asymmetric encryption public key is obtained by the terminal device from the risk probe server.
  • the risk probe server can generate the asymmetric encryption public key (pk_1) and the asymmetric encryption private key (sk_1), and the terminal device requests the risk probe server to obtain the asymmetric encryption public key.
  • Asymmetric encryption public key (pk_1) and asymmetric encryption private key (sk_1) are key pairs, which are used for encryption and decryption, respectively.
  • step 201 the following steps may also be performed:
  • the terminal device sends a secret key acquisition request to the risk probe server, and obtains the asymmetric encryption public key from the risk probe server.
  • the terminal device reports the asymmetric encryption data to the risk probe server; the asymmetric encryption data includes the encrypted data, the asymmetric encryption key, and the asymmetric encryption public key.
  • the risk probe server can use the asymmetric encryption private key (sk_1) corresponding to the asymmetric encryption public key (pk_1) to decrypt the asymmetric encryption key (Enkey) and obtain the symmetric encryption key (key).
  • the risk probe server can generate a device fingerprint and a token corresponding to the device fingerprint based on the terminal device information InfoSet.
  • the risk probe server can verify the data signature SIGN1. Specifically, MD5 signature is performed on KeyFieldSet+TRAN and compared with SIGN1. If they are consistent, the signature verification is passed (KeyFieldSet is a subset of InfoSet).
  • the risk probe server can generate the back-end verification element VerCode according to the device identification signatures SIGN2 and TAND.
  • TAND is a random number generated by the risk probe server.
  • the risk probe server can generate a back-end check factor according to the back-end check element VerCode. Specifically, verify whether SIGN2 exists in the device identification signature library of the risk probe server. If it exists, then the public key pk_2 corresponding to sk_2 in the key pair can be obtained (the device identification signature library has a mapping of device identification signatures SIGN2 and pk_2 ). The risk probe server can use the public key pk_2 to perform asymmetric encryption on the back-end verification element VerCode to obtain the back-end verification factor EnVerCode.
  • the terminal device receives the token sent by the risk probe server, and stores the token on the local end.
  • the token is the token corresponding to the device fingerprint generated by the risk probe server according to the encrypted data, the asymmetric encryption key, and the asymmetric encryption public key.
  • the risk probe server decrypts the asymmetric encrypted data to obtain the terminal device information, and generates the device fingerprint and the token corresponding to the device fingerprint based on the terminal device information. The risk probe server can send the token to the terminal device, and the terminal device can store the token locally. For example, the terminal device can persistently store the token in the non-volatile memory of the terminal device.
  • A token is an object representing the right to perform certain operations. The token, as an alias for the device fingerprint, is what travels between networks, which can effectively prevent the device fingerprint from being maliciously collected in transit. At the same time, the token is time-limited, which prevents malicious users from forging tokens or cheating with them.
  • the risk probe server may send the back-end check factor to the terminal device; the terminal device may check the back-end check factor through the hardware security zone, generate a front-end check factor based on the back-end check factor, and send the front-end check factor to the risk probe server, where the front-end check factor is used by the risk probe server to perform security verification;
  • the terminal device executes step 205.
  • the terminal device may decrypt the back-end verification factor EnVerCode through the TA in the hardware security zone to obtain the back-end verification element VerCode.
  • the terminal device can use the asymmetric encryption public key (pk_1) to perform asymmetric encryption on the back-end verification element VerCode and the device identification signature SIGN2 through the TA in the hardware security zone to obtain the front-end verification factor EnSIGN2.
  • the terminal equipment sends the front-end check factor EnSIGN2 to the risk probe server through the RA, and the risk probe server performs a security check on the front-end check factor EnSIGN2.
  • the risk probe server uses the asymmetric encryption private key (sk_1) to decrypt the front-end verification factor EnSIGN2 to obtain the back-end verification element VerCode and the device identification signature SIGN2.
  • the risk probe server verifies the back-end verification element VerCode and the device identification signature SIGN2.
  • when the risk probe server successfully verifies the front-end check factor, the risk probe server sends a token to the terminal device.
  • the back-end verification of the risk probe server can be enhanced, the back-end verification factor after asymmetric encryption is generated on the risk probe server, and the front-end verification of the terminal device can also be enhanced.
  • the terminal device and the risk probe server can verify each other, which raises the cost of cheating for the terminal device and makes up for the untrustworthiness and insecurity of the RA.
  • the terminal device sends asymmetric encrypted data containing terminal device information to the risk probe server. Since the data signature and the device identification signature are obtained from the hardware security zone, the security of the data signature and the device identification signature is ensured, and the security of the data sent by the terminal device is ensured. Since a symmetric encryption key is used to symmetrically encrypt the terminal device information, the data signature, and the device identification signature, and an asymmetric encryption public key is used to asymmetrically encrypt the symmetric encryption key to obtain the asymmetric encryption key, the security of the asymmetric encrypted data sent by the terminal device to the risk probe server is ensured, as is the security of the data received by the risk probe server. In the process of terminal device information transmission, both the data sending end and the data receiving end ensure the security of the transmitted data, so that the security of terminal device information transmission can be improved.
  • FIG. 3 is a schematic flowchart of a method for generating device fingerprints according to an embodiment of the present application.
  • the device fingerprint generation method may include the following steps.
  • the risk probe server receives a secret key acquisition request sent by the terminal device, and sends an asymmetric encryption public key to the terminal device; the asymmetric encryption public key is used for the terminal device to encrypt using an asymmetric encryption method.
  • the risk probe server can generate the asymmetric encryption public key (pk_1) and the asymmetric encryption private key (sk_1). After receiving the secret key acquisition request sent by the terminal device, the risk probe server can send the asymmetric encryption public key (pk_1) to the terminal device. After the terminal device receives the asymmetric encryption public key (pk_1), the terminal device uses the asymmetric encryption public key (pk_1) to perform asymmetric encryption on the symmetric encryption key (key) to obtain the asymmetric encryption key (Enkey).
  • the symmetric encryption key (key) is generated by the terminal device, and the symmetric encryption key (key) is used by the terminal device to symmetrically encrypt the terminal device information InfoSet, the data signature SIGN1, and the device identification signature SIGN2.
  • the data signature SIGN1 and the device identification signature SIGN2 are obtained by the terminal device from the TA in the hardware security zone.
  • the terminal device can collect terminal device information through the RA in TEE (terminal device information can include terminal device hardware information, system information, operating environment information, network information, etc.), and can use the symmetric encryption key (key) to symmetrically encrypt the terminal device information InfoSet, the data signature SIGN1, and the device identification signature SIGN2 to obtain encrypted data (EnData).
  • the terminal device can use the asymmetric encryption public key (pk_1) to perform asymmetric encryption processing on the symmetric encryption key (key) to obtain the asymmetric encryption key (Enkey).
  • the risk probe server receives the asymmetric encryption data sent by the terminal device, and decrypts the asymmetric encryption data with the asymmetric encryption private key corresponding to the asymmetric encryption public key to obtain terminal device information.
  • the asymmetric encryption data includes encrypted data, an asymmetric encryption key, and an asymmetric encryption public key; in step 302, the risk probe server using the asymmetric encryption private key corresponding to the asymmetric encryption public key to decrypt the asymmetric encrypted data to obtain terminal device information includes the following steps:
  • the risk probe server uses the asymmetric encryption private key corresponding to the asymmetric encryption public key to decrypt the asymmetric encryption key to obtain the symmetric encryption key;
  • the risk probe server uses the symmetric encryption key to decrypt the encrypted data to obtain the terminal device information.
  • the asymmetric encryption data includes encrypted data (EnData), asymmetric encryption key (Enkey), and asymmetric encryption public key (pk_1).
  • the risk probe server can use the asymmetric encryption private key (sk_1) corresponding to the asymmetric encryption public key (pk_1) to decrypt the asymmetric encryption key (Enkey) to obtain the symmetric encryption key (key).
  • the risk probe server generates a device fingerprint and a token corresponding to the device fingerprint based on the terminal device information.
  • a device fingerprint refers to a device feature or a unique device identifier that can be used to uniquely identify the device.
  • the terminal device information of each terminal device is unique, so the generated device fingerprint is also unique.
  • after step 303, the following steps may be performed:
  • the risk probe server sends the token to the terminal device.
  • after step 303, the following steps may be performed:
  • the risk probe server generates a back-end check factor, and sends the back-end check factor to the terminal device, where the back-end check factor is used by the terminal device to perform a security check through the hardware security zone.
  • the risk probe server can generate the back-end verification element VerCode according to the device identification signature SIGN2 and TAND.
  • TAND is a random number generated by the risk probe server.
  • the risk probe server can generate a back-end verification factor based on the back-end verification element VerCode.
  • the public key pk_2 corresponding to sk_2 in the key pair can be obtained.
  • the risk probe server can use the public key pk_2 to perform asymmetric encryption on the back-end verification element VerCode to obtain the back-end verification factor EnVerCode.
  • the risk probe server receives the front-end check factor sent by the terminal device;
  • the risk probe server performs a security check on the front-end check factor
  • the risk probe server executes the step of sending the token to the terminal device.
  • the terminal device may decrypt the back-end verification factor EnVerCode through the TA in the hardware security zone to obtain the back-end verification element VerCode, and verify the device identification signature SIGN2.
  • the terminal device can use the asymmetric encryption public key (pk_1) to perform asymmetric encryption on the back-end verification element VerCode and the device identification signature SIGN2 through the TA in the hardware security zone to obtain the front-end verification factor EnSIGN2.
  • the terminal equipment sends the front-end check factor EnSIGN2 to the risk probe server through the RA, and the risk probe server performs a security check on the front-end check factor EnSIGN2.
  • the risk probe server uses the asymmetric encryption private key (sk_1) to decrypt the front-end verification factor EnSIGN2 to obtain the back-end verification element VerCode and the device identification signature SIGN2.
  • the risk probe server verifies the back-end verification element VerCode and the device identification signature SIGN2.
  • the risk probe server sends a token to the terminal device.
  • the back-end verification of the risk probe server can be enhanced, the back-end verification factor after asymmetric encryption is generated on the risk probe server, and the front-end verification of the terminal device can also be enhanced.
  • the terminal equipment and the risk probe server can be mutually verified, which can increase the cheating cost of the terminal equipment and make up for the untrustworthiness and insecurity of the RA.
  • the risk probe server receives the asymmetric encryption data sent by the terminal device, and decrypts the asymmetric encryption data with the asymmetric encryption private key corresponding to the asymmetric encryption public key to obtain terminal device information. Since the asymmetric encrypted data is encrypted by the terminal device using a symmetric encryption key, the security of the asymmetric encrypted data received from the terminal device by the risk probe server is ensured, and the security of the data received by the risk probe server is guaranteed, thereby ensuring the security of device fingerprint generation.
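The upload and decryption steps above (EnData, Enkey and pk_1 on the terminal; sk_1 on the risk probe server), as an added Go sketch that is not code from the patent. The text names no algorithms, so AES-256-GCM and RSA-OAEP with SHA-256 are assumptions, as are the names `Report`, `SealReport`, `OpenReport` and `NewServerKey`; the payload is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Report is the "asymmetric encryption data" the terminal uploads.
type Report struct {
	EnData []byte         // nonce || AES-256-GCM(key, payload); cipher is an assumption
	Enkey  []byte         // RSA-OAEP-SHA256(pk_1, key); padding is an assumption
	PK1    *rsa.PublicKey // echoed so the server can match it to its sk_1
}

// NewServerKey generates the risk probe server's (pk_1, sk_1) pair.
func NewServerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealReport is the terminal side: payload is the serialized InfoSet, SIGN1 and SIGN2.
func SealReport(pk1 *rsa.PublicKey, payload []byte) (*Report, error) {
	key := make([]byte, 32) // fresh symmetric key for every report
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	enData := gcm.Seal(nonce, nonce, payload, nil) // output is nonce || ciphertext || tag
	enkey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pk1, key, nil)
	if err != nil {
		return nil, err
	}
	return &Report{EnData: enData, Enkey: enkey, PK1: pk1}, nil
}

// OpenReport is the server side: unwrap key with sk_1, then decrypt and authenticate EnData.
func OpenReport(sk1 *rsa.PrivateKey, r *Report) ([]byte, error) {
	if r.PK1 == nil || !r.PK1.Equal(&sk1.PublicKey) {
		return nil, fmt.Errorf("report was not built for this pk_1")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, sk1, r.Enkey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap Enkey: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(r.EnData) < gcm.NonceSize() {
		return nil, fmt.Errorf("EnData shorter than a nonce")
	}
	nonce, ct := r.EnData[:gcm.NonceSize()], r.EnData[gcm.NonceSize():]
	payload, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, fmt.Errorf("EnData failed authentication: %w", err)
	}
	return payload, nil
}

func main() {
	sk1, err := NewServerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample payload, not real device data.
	payload := []byte(`{"InfoSet":{"model":"constructed"},"SIGN1":"c2lnbjE=","SIGN2":"c2lnbjI="}`)
	r, err := SealReport(&sk1.PublicKey, payload)
	if err != nil {
		panic(err)
	}
	got, err := OpenReport(sk1, r)
	fmt.Printf("server recovered: %s (err=%v)\n", got, err)
	r.EnData[len(r.EnData)-1] ^= 1 // one bit flipped in transit
	_, err = OpenReport(sk1, r)
	fmt.Println("tampered report:", err)
}
```

With an authenticated cipher for EnData, a report altered in transit is rejected by the server instead of being decrypted into different terminal device information.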
  • FIG. 4 is a schematic flowchart of another device fingerprint generation method provided by an embodiment of the present application.
  • the device fingerprint generation method may include the following steps.
  • the risk probe server receives a secret key acquisition request sent by a terminal device, and sends an asymmetric encryption public key to the terminal device; the terminal device uses the asymmetric encryption public key to encrypt in an asymmetric encryption manner.
  • the risk probe server receives the asymmetric encryption data sent by the terminal device, and uses the asymmetric encryption private key corresponding to the asymmetric encryption public key to decrypt the asymmetric encryption data to obtain terminal device information.
  • the risk probe server generates a device fingerprint and a token corresponding to the device fingerprint based on the terminal device information.
  • for step 401 to step 403 in the embodiment of the present application, refer to step 301 to step 303 shown in FIG. 3, which will not be repeated here.
  • the risk probe server performs big data calculations based on terminal device information, historical reported data, and business risk control data, identifies the business tendency classification of the terminal device, and identifies the equipment risk level of the terminal device.
  • the risk probe server can construct a terminal device portrait library.
  • the risk probe server can clean the terminal device information Infoset reported by the terminal device, combine it with the historical reported data and business risk control data to perform big data calculations, and perform business tendency classification and risk marking on device fingerprints to build a terminal device profile library.
  • after step 404, the following steps may be performed:
  • the risk probe server sends the device risk level identifier of the terminal device to the terminal device.
  • the risk probe server of the embodiment of this application can combine terminal equipment information (such as operating environment, system status, etc.), business data, and risk control information, and use big data technology and machine learning to identify equipment risk levels, thereby obtaining equipment risk levels quickly and accurately, and providing risk early warning services for terminal equipment.
  • FIG. 5 is a schematic flowchart of another device fingerprint generation method provided by an embodiment of the present application.
  • the terminal equipment may include the terminal equipment RA, and the risk probe server may be the OPPO Risk Probe (ORP) backend.
  • the device fingerprint generation method may include the following steps.
  • the terminal device RA sends a secret key acquisition request to the ORP back end, and obtains the asymmetric encryption public key from the ORP back end.
  • the ORP backend can generate a secret key pair (asymmetric encryption public key pk_1 and asymmetric encryption private key sk_1).
  • the terminal device RA requests the terminal device TA in the hardware security zone to obtain a data signature and a device identification signature.
  • the specific method for the terminal device TA in the hardware security zone to generate the data signature and the device identification signature is as follows:
  • the terminal device TA in the hardware security zone generates a random number TRAN through the hardware in the hardware security zone, and signs (KeyFieldSet+TRAN) and (sk_2) respectively to obtain the data signature SIGN1 and the device identification signature SIGN2; then, it performs asymmetric encryption on (SIGN1+SIGN2+TRAN) (the key is pk_1) to obtain EncSign; the terminal device TA returns the encryption result EncSign to the RA end of the terminal device.
  • sk_2 is the unique identifier of the terminal device.
  • sk_2 can be considered as the private key in the key pair
  • pk_2 is the public key corresponding to sk_2 in the key pair.
  • the terminal device TA separately signs (KeyFieldSet+TRAN) and (sk_2), specifically, MD5 encryption method can be used to sign.
  • the terminal device RA generates a symmetric encryption key, and the terminal device RA collects terminal device information, and uses the symmetric encryption key to perform symmetric encryption on the terminal device information, data signature, and device identification signature to obtain encrypted data.
  • For the specific implementation of step 503, refer to the description of step 202, which will not be repeated here.
  • the terminal device RA uses the asymmetric encryption public key to perform asymmetric encryption processing on the symmetric encryption key to obtain the asymmetric encryption key.
  • For the specific implementation of step 504, refer to the description of step 203, which will not be repeated here.
  • the terminal device RA reports the asymmetric encryption data to the ORP backend; the asymmetric encryption data includes the encrypted data, the asymmetric encryption key, and the asymmetric encryption public key.
  • For the specific implementation of step 505, refer to the description of step 204, which will not be repeated here.
  • the ORP back-end receives the asymmetric encryption data sent by the terminal device RA, and decrypts the asymmetric encryption data with the asymmetric encryption private key corresponding to the asymmetric encryption public key to obtain terminal device information.
  • For the specific implementation of step 506, refer to the description of step 302, which will not be repeated here.
  • the ORP backend generates a device fingerprint and a token corresponding to the device fingerprint based on the terminal device information.
  • For the specific implementation of step 507, refer to the description of step 303, which will not be repeated here.
  • the terminal device RA receives the token sent by the ORP backend, and stores the token on the local end.
  • For the specific implementation of step 508, refer to the description of step 205, which will not be repeated here.
  • the terminal device sends asymmetric encrypted data containing terminal device information to the risk probe server. Since the data signature and the device identification signature are obtained from the hardware security zone, the security of the data signature and the device identification signature is ensured, and the security of the data sent by the terminal device is ensured. Since a symmetric encryption key is used to symmetrically encrypt the terminal device information, the data signature, and the device identification signature, and an asymmetric encryption public key is used to perform asymmetric encryption on the symmetric encryption key to obtain the asymmetric encryption key, the security of the asymmetric encrypted data sent by the terminal device to the risk probe server is ensured, and the security of the data received by the risk probe server is ensured.
  • both the data sending end and the data receiving end ensure the security of the transmitted data, so that the security of terminal device information transmission can be improved.
  • the risk probe server receives the asymmetric encryption data sent by the terminal device, and decrypts the asymmetric encryption data with the asymmetric encryption private key corresponding to the asymmetric encryption public key to obtain terminal device information. Since the asymmetric encrypted data is encrypted by the terminal device using a symmetric encryption key, the security of the asymmetric encrypted data received from the terminal device by the risk probe server is ensured, and the security of the data received by the risk probe server is guaranteed, thereby ensuring the security of device fingerprint generation.
  • FIG. 6 is a schematic flowchart of another device fingerprint generation method provided by an embodiment of the present application.
  • the terminal equipment may include the terminal equipment RA, and the risk probe server may be the OPPO Risk Probe (ORP) backend.
  • the device fingerprint generation method may include the following steps.
  • the terminal device RA sends a secret key acquisition request to the ORP backend, and acquires the asymmetric encryption public key from the ORP backend.
  • the terminal device RA requests the terminal device TA in the hardware security zone to obtain a data signature and a device identification signature.
  • the terminal device RA generates a symmetric encryption key, and the terminal device RA collects terminal device information, and uses the symmetric encryption key to perform symmetric encryption on the terminal device information, data signature, and device identification signature to obtain encrypted data.
  • the terminal equipment RA uses the asymmetric encryption public key to perform asymmetric encryption processing on the symmetric encryption key to obtain the asymmetric encryption key.
  • the terminal device RA reports the asymmetric encryption data to the ORP backend; the asymmetric encryption data includes the encrypted data, the asymmetric encryption key, and the asymmetric encryption public key.
  • the ORP back-end receives the asymmetric encryption data sent by the terminal device RA, and decrypts the asymmetric encryption data with the asymmetric encryption private key corresponding to the asymmetric encryption public key to obtain terminal device information.
  • for step 601 to step 606, refer to step 501 to step 506 shown in FIG. 5, which will not be repeated here.
  • the ORP back-end generates a back-end check factor, and sends the back-end check factor to the terminal device TA through the terminal device RA.
  • the terminal device TA checks the back-end check factor.
  • If the verification is successful, the terminal device TA generates a front-end check factor, and sends the front-end check factor to the ORP back end through the terminal device RA.
  • the ORP back-end performs a security check on the front-end check factor.
  • the ORP backend may generate the backend verification element VerCode according to the device identification signature SIGN2 and TAND.
  • TAND is a random number generated by the ORP backend.
  • the ORP back-end can generate a back-end verification factor based on the back-end verification element VerCode.
  • the ORP backend can use MD5 decryption to obtain sk_2, and then obtain the public key pk_2 corresponding to sk_2 in the key pair.
  • the ORP backend can use the public key pk_2 to perform asymmetric encryption on the backend verification element VerCode to obtain the backend verification factor EnVerCode.
  • the terminal device TA decrypts the back-end verification factor EnVerCode to obtain the back-end verification element VerCode, and verifies the device identification signature SIGN2. After the verification is passed, the terminal device TA uses the asymmetric encryption public key (pk_1) to perform asymmetric encryption on the back-end verification element VerCode and the device identification signature SIGN2 to obtain the front-end verification factor EnSIGN2.
  • the terminal device TA sends the front-end check factor EnSIGN2 to the ORP back-end through the terminal device RA, and the ORP back-end performs a security check on the front-end check factor EnSIGN2.
  • the ORP back-end decrypts the front-end verification factor EnSIGN2 through the asymmetric encryption private key (sk_1) to obtain the back-end verification element VerCode and the device identification signature SIGN2, and the ORP back-end verifies the back-end verification element VerCode and the device identification signature SIGN2.
  • step 611 is executed.
  • If the verification is successful, the ORP backend generates a device fingerprint and a token corresponding to the device fingerprint based on the terminal device information.
  • the terminal device RA receives the token sent by the ORP backend, and stores the token on the local end.
  • for step 611 to step 612, refer to step 507 to step 508 shown in FIG. 5, which will not be repeated here.
  • the back-end verification of the risk probe server can be enhanced, the back-end verification factor after asymmetric encryption is generated on the risk probe server, and the front-end verification of the terminal device can also be enhanced.
  • the terminal equipment and the risk probe server can be mutually verified, which can increase the cheating cost of the terminal equipment and make up for the untrustworthiness and insecurity of the RA.
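The check-factor exchange of FIG. 6 (EnVerCode to the TA, EnSIGN2 back to the ORP backend), as an added Go sketch that is not code from the patent. Assumptions: VerCode is the concatenation SIGN2 || TAND, both encryptions are RSA-OAEP with SHA-256, the backend already holds pk_2 (the sketch does not derive it from SIGN2 through MD5 as the text does), and the type and function names are hypothetical.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

const tandLen = 16 // length of the server random number TAND (assumption)

// Backend is the risk probe server state for one device.
type Backend struct {
	sk1     *rsa.PrivateKey // private half of pk_1
	pk2     *rsa.PublicKey  // device public key, assumed already known to the server
	sign2   []byte          // SIGN2 recovered from the uploaded report
	pending []byte          // VerCode awaiting an answer; single use
}

// TA is the trusted application in the hardware security zone.
type TA struct {
	sk2   *rsa.PrivateKey
	pk1   *rsa.PublicKey
	sign2 []byte
}

// NewPair creates a backend and a TA that share SIGN2 and each other's public keys.
func NewPair(sign2 []byte) (*Backend, *TA, error) {
	sk1, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	sk2, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &Backend{sk1: sk1, pk2: &sk2.PublicKey, sign2: sign2},
		&TA{sk2: sk2, pk1: &sk1.PublicKey, sign2: sign2}, nil
}

// IssueChallenge builds VerCode = SIGN2 || TAND and returns EnVerCode = Enc(pk_2, VerCode).
func (b *Backend) IssueChallenge() ([]byte, error) {
	tand := make([]byte, tandLen)
	if _, err := rand.Read(tand); err != nil {
		return nil, err
	}
	b.pending = append(append([]byte{}, b.sign2...), tand...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, b.pk2, b.pending, nil)
}

// Answer decrypts EnVerCode with sk_2, checks SIGN2, and returns EnSIGN2 = Enc(pk_1, VerCode || SIGN2).
func (ta *TA) Answer(enVerCode []byte) ([]byte, error) {
	verCode, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, ta.sk2, enVerCode, nil)
	if err != nil {
		return nil, fmt.Errorf("EnVerCode is not for this device: %w", err)
	}
	if len(verCode) != len(ta.sign2)+tandLen ||
		subtle.ConstantTimeCompare(verCode[:len(ta.sign2)], ta.sign2) != 1 {
		return nil, errors.New("VerCode does not carry this device's SIGN2")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, ta.pk1, append(verCode, ta.sign2...), nil)
}

// CheckAnswer decrypts EnSIGN2 with sk_1 and accepts it only against the one pending VerCode.
func (b *Backend) CheckAnswer(enSIGN2 []byte) error {
	pending := b.pending
	b.pending = nil // consumed whether or not the check passes
	if pending == nil {
		return errors.New("no outstanding challenge")
	}
	got, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, b.sk1, enSIGN2, nil)
	if err != nil {
		return fmt.Errorf("decrypt EnSIGN2: %w", err)
	}
	if subtle.ConstantTimeCompare(got, append(pending, b.sign2...)) != 1 {
		return errors.New("VerCode or SIGN2 mismatch")
	}
	return nil // the backend may now issue the token
}

func main() {
	// Constructed SIGN2 value, not a real device signature.
	b, ta, err := NewPair([]byte("constructed-SIGN2-value"))
	if err != nil {
		panic(err)
	}
	enVerCode, err := b.IssueChallenge()
	if err != nil {
		panic(err)
	}
	enSIGN2, err := ta.Answer(enVerCode)
	if err != nil {
		panic(err)
	}
	fmt.Println("first answer:", b.CheckAnswer(enSIGN2))
	fmt.Println("replayed answer:", b.CheckAnswer(enSIGN2))
}
```

Because TAND is fresh per challenge and the pending VerCode is consumed on first use, a captured EnSIGN2 cannot be replayed to obtain a second token.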
  • FIG. 7 is a schematic flowchart of another device fingerprint generation method provided by an embodiment of the present application.
  • the terminal equipment may include the terminal equipment RA and the terminal equipment TA, and the risk probe server may be the OPPO Risk Probe (ORP) backend.
  • Figure 7 is the specific implementation process of Figure 6.
  • the device fingerprint generation method may include the following steps.
  • RA requests pk_1 from the ORP backend
  • the ORP backend generates a secret key pair (pk_1, sk_1);
  • RA requests identity information (KeyFieldSet, pk_1) from TA;
  • RA uploads data EnData, Enkey and pk_1 to the ORP backend;
  • the ORP backend uses sk_1 to decrypt Enkey to obtain the key, uses key to decrypt EnData to obtain Infoset+EnSign, and uses sk_1 to decrypt EnSign to obtain SIGN1 and SIGN2;
  • RA returns EnVerCode to TA
  • the ORP backend uses sk_1 to decrypt EnSIGN2 to obtain SIGN2+VerCode;
  • ORP backend verifies SIGN2 and VerCode
  • ORP backend generates Token
  • ORP returns Token to RA.
  • FIG. 8 is a schematic diagram of a service access process provided by an embodiment of the present application.
  • the request information includes the token Token and the key field set of terminal device information KeyFieldSet. After the business backend adds the application identity document (APPID) to the request information, the request information is sent to the ORP backend, and the ORP backend returns the risk assessment result to the business backend.
  • the service deployment is simple, and the service client only needs to access the lightweight SDK to obtain the persistently stored Token and KeyFieldSet in the terminal device and upload the data to the service back end; the service back end only needs to access one interface on the ORP backend to obtain the terminal device risk label.
  • the business client only needs to access the lightweight SDK, which collects very little terminal device information, requires very few permissions, and has a negligible impact on the business client.
  • TA is built into the hardware of the terminal device, and RA follows the operating system of the terminal device, that is, the risk probe client is bound to the terminal device to provide unified services for all services on the terminal device.
  • the security of the risk probe SDK can be improved, and the lightweight SDK can be reinforced, effectively improving the difficulty of SDK reverse engineering and cracking.
  • the terminal device includes a hardware structure and/or software module corresponding to each function.
  • this application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a certain function is executed by hardware or computer software-driven hardware depends on the specific application and design constraint conditions of the technical solution. Professionals and technicians can use different methods for each specific application to implement the described functions, but such implementation should not be considered beyond the scope of this application.
  • the embodiment of the present application may divide the terminal device into functional units according to the foregoing method examples.
  • each functional unit may be divided corresponding to each function, or two or more functions may be integrated into one processing unit.
  • the above-mentioned integrated unit can be implemented in the form of hardware or software functional unit. It should be noted that the division of units in the embodiments of the present application is illustrative, and is only a logical function division, and there may be other division methods in actual implementation.
  • FIG. 9 is a schematic structural diagram of a terminal equipment information transmission apparatus provided by an embodiment of the application.
  • the terminal equipment information transmission apparatus 900 is applied to terminal equipment, and the terminal equipment information transmission apparatus 900 may include an obtaining unit 901, a first generating unit 902, a collection unit 903, a first encryption unit 904, a first communication unit 905, and a storage unit 906, wherein:
  • the obtaining unit 901 is configured to obtain a data signature and a device identification signature from the hardware security zone;
  • the first generating unit 902 is configured to generate a symmetric encryption key
  • the collection unit 903 is used to collect terminal device information
  • the first encryption unit 904 is configured to use the symmetric encryption key to perform symmetric encryption on the terminal device information, the data signature, and the device identification signature to obtain encrypted data;
  • the first encryption unit 904 is further configured to use an asymmetric encryption public key to perform asymmetric encryption processing on the symmetric encryption key to obtain an asymmetric encryption key; the asymmetric encryption public key is obtained from the risk probe server;
  • the first communication unit 905 is configured to report asymmetric encrypted data to the risk probe server; the asymmetric encrypted data includes the encrypted data, the asymmetric encryption key, and the asymmetric encryption public key;
  • the first communication unit 905 is further configured to receive a token sent by the risk probe server;
  • the storage unit 906 is configured to store the token at the local end, where the token is the token corresponding to the device fingerprint generated by the risk probe server based on the encrypted data, the asymmetric encryption key, and the asymmetric encryption public key.
  • the terminal device information transmission apparatus 900 may further include a first verification unit 907;
  • the first communication unit 905 is further configured to receive the backend check factor sent by the risk probe server after reporting the asymmetric encrypted data to the risk probe server;
  • the first check unit 907 is configured to check the back-end check factor through the hardware security zone
  • the first generating unit 902 is further configured to generate a front-end check factor based on the back-end check factor;
  • the first communication unit 905 is further configured to send the front-end check factor to the risk probe server, where the front-end check factor is used by the risk probe server to perform security verification; and, in the case that the front-end check factor is successfully verified by the risk probe server, to receive the token sent by the risk probe server.
  • the obtaining unit 901, the first generating unit 902, the collection unit 903, the first encryption unit 904, and the first verification unit 907 in the embodiment of the present application may be processors in the terminal device, the first communication unit 905 may be the communication interface in the terminal device, and the storage unit 906 may be a memory in the terminal device (for example, a non-volatile memory).
  • the terminal device sends asymmetric encrypted data containing terminal device information to the risk probe server. Since the data signature and the device identification signature are obtained from the hardware security zone, the security of the data signature and the device identification signature is ensured, and the security of the data sent by the terminal device is ensured. Since a symmetric encryption key is used to symmetrically encrypt the terminal device information, the data signature, and the device identification signature, and an asymmetric encryption public key is used to perform asymmetric encryption on the symmetric encryption key to obtain the asymmetric encryption key, the security of the asymmetric encrypted data sent by the terminal device to the risk probe server is ensured, and the security of the data received by the risk probe server is ensured. In the process of terminal device information transmission, both the data sending end and the data receiving end ensure the security of the transmitted data, which can improve the security of terminal device information transmission.
  • FIG. 10 is a schematic structural diagram of a device fingerprint generating apparatus according to an embodiment of the present application.
  • the device fingerprint generating apparatus 1000 is applied to a risk probe server.
  • the device fingerprint generation device 1000 may include a second communication unit 1001, a decryption unit 1002, and a second generation unit 1003, wherein:
  • the second communication unit 1001 is configured to receive a secret key acquisition request sent by a terminal device, and send an asymmetric encryption public key to the terminal device; the asymmetric encryption public key is used for encryption by the terminal device in an asymmetric encryption manner;
  • the second communication unit 1001 is further configured to receive asymmetric encrypted data sent by the terminal device;
  • the decryption unit 1002 is configured to use the asymmetric encryption private key corresponding to the asymmetric encryption public key to decrypt the asymmetric encryption data to obtain terminal device information;
  • the second generating unit 1003 is configured to generate a device fingerprint and a token corresponding to the device fingerprint based on the terminal device information.
  • the device 1000 for generating fingerprints may include an identification unit 1004.
  • the identification unit 1004 is configured to, after the second generating unit 1003 generates a device fingerprint and a token corresponding to the device fingerprint based on the terminal device information, perform big data calculation according to the terminal device information, historical reported data, and business risk control data, identify the business tendency classification of the terminal device, and identify the equipment risk level of the terminal device.
  • the asymmetric encryption data includes encrypted data, an asymmetric encryption key, and an asymmetric encryption public key; the decryption unit 1002 using the asymmetric encryption private key corresponding to the asymmetric encryption public key to decrypt the asymmetric encrypted data to obtain terminal device information is specifically:
  • the second communication unit 1001 is further configured to send the token to the terminal device after the second generating unit 1003 generates a device fingerprint and a token corresponding to the device fingerprint based on the terminal device information.
  • the second generating unit 1003 is further configured to generate a back-end check factor after the second generating unit 1003 generates a device fingerprint and a token corresponding to the device fingerprint based on the terminal device information;
  • the second communication unit 1001 is further configured to send the back-end check factor to the terminal device, where the back-end check factor is used by the terminal device to perform security verification through the hardware security zone.
  • the device 1000 for generating fingerprints may include a second verification unit 1005.
  • the second communication unit 1001 is further configured to receive the front-end check factor sent by the terminal device when the terminal device successfully checks the back-end check factor through the hardware security zone;
  • the second verification unit 1005 is configured to perform security verification on the front-end verification factor
  • the second communication unit 1001 is further configured to send the token to the terminal device when the second check unit 1005 successfully checks the front-end check factor.
  • the risk probe server receives the asymmetric encryption data sent by the terminal device, and decrypts the asymmetric encryption data with the asymmetric encryption private key corresponding to the asymmetric encryption public key to obtain terminal device information. Since the asymmetric encrypted data is encrypted by the terminal device using a symmetric encryption key, the security of the asymmetric encrypted data received from the terminal device by the risk probe server is ensured, and the security of the data received by the risk probe server is guaranteed, thereby ensuring the security of device fingerprint generation.
  • FIG. 11 is a schematic structural diagram of a terminal device provided by an embodiment of the present application.
  • the terminal device 1100 includes a processor 1101 and a memory 1102, which are connected to each other through a communication bus 1103.
  • the communication bus 1103 may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc.
  • the communication bus 1103 can be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in FIG. 11, but this does not mean that there is only one bus or one type of bus.
  • the memory 1102 is used to store a computer program that includes program instructions, the processor 1101 is configured to call the program instructions, and the program includes instructions for executing the method shown in FIG. 2.
  • the processor 1101 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the above program.
  • the memory 1102 may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited thereto.
  • the memory can exist independently and is connected to the processor through a bus.
  • the memory can also be integrated with the processor.
  • the terminal device 1100 may also include general components such as a communication interface and an antenna, which are not described in detail here.
  • the terminal device sends asymmetric encrypted data containing terminal device information to the risk probe server. Since the data signature and the device identification signature are obtained from the hardware security zone, the security of the data signature and the device identification signature is ensured, and so is the security of the data sent by the terminal device. Since a symmetric encryption key is used to symmetrically encrypt the terminal device information, the data signature, and the device identification signature, and an asymmetric encryption public key is used to asymmetrically encrypt the symmetric encryption key to obtain an asymmetric encryption key, the security of the asymmetric encrypted data sent by the terminal device to the risk probe server is ensured, as is the security of the data received by the risk probe server. During terminal device information transmission, the security of the transmitted data is ensured at both the data sending end and the data receiving end, so the security of terminal device information transmission can be improved.
  • FIG. 12 is a schematic structural diagram of a server provided by an embodiment of the present application.
  • the server 1200 includes a processor 1201 and a memory 1202.
  • the processor 1201 and the memory 1202 can be connected to each other through a communication bus 1203.
  • the communication bus 1203 may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc.
  • the communication bus 1203 can be divided into an address bus, a data bus, a control bus, and so on. For ease of presentation, only one thick line is used in FIG. 12, but this does not mean that there is only one bus or one type of bus.
  • the memory 1202 is used to store a computer program.
  • the computer program includes program instructions.
  • the processor 1201 is configured to call the program instructions.
  • the above program includes instructions for executing the methods shown in FIGS. 2 to 4.
  • the processor 1201 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the above program.
  • the memory 1202 may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and can be accessed by a computer, but is not limited thereto.
  • the memory can exist independently and is connected to the processor through a bus.
  • the memory can also be integrated with the processor.
  • the server 1200 may also include general components such as a communication interface and an antenna, which are not described in detail here.
  • the server 1200 may be a risk probe server.
  • the risk probe server receives the asymmetric encrypted data sent by the terminal device and uses the asymmetric encryption private key corresponding to the asymmetric encryption public key to decrypt it to obtain the terminal device information. Since the asymmetric encrypted data is encrypted by the terminal device using a symmetric encryption key, the security of the asymmetric encrypted data that the risk probe server receives from the terminal device is ensured, which in turn ensures the security of device fingerprint generation.
  • An embodiment of the present application also provides a computer-readable storage medium, wherein the computer-readable storage medium stores a computer program for electronic data exchange, and the computer program enables a computer to execute part or all of the steps of any network standard switching method described in the above method embodiments.
  • the embodiments of the present application also provide a computer program product.
  • the computer program product includes a non-transitory computer-readable storage medium storing a computer program.
  • the computer program enables a computer to execute part or all of the steps of any network standard switching method described in the above method embodiments.
  • the disclosed device may be implemented in other ways.
  • the device embodiments described above are merely illustrative. For example, the division of the units is only a division by logical function, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical or other forms.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • each functional unit in each embodiment may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • the above-mentioned integrated unit can be implemented in the form of hardware or in the form of software program modules.
  • if the integrated unit is implemented in the form of a software program module and sold or used as an independent product, it can be stored in a computer-readable memory.
  • the technical solution of the present application, in essence, or the part that contributes to the existing technology, or all or part of the technical solution, can be embodied in the form of a software product; the computer software product is stored in a memory and includes a number of instructions to enable a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of the present application.
  • the aforementioned memory includes media that can store program code, such as a USB flash drive, read-only memory (ROM), random access memory (RAM), removable hard disk, magnetic disk, or optical disc.
  • the program can be stored in a computer-readable memory, and the memory can include: a flash disk, read-only memory, random access memory, magnetic disk, optical disc, etc.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Telephonic Communication Services (AREA)

Abstract

Provided in embodiments of the present application are a terminal device information transmission method, a device fingerprint generation method, and a related product, the terminal device information transmission method comprising: a terminal device acquires a data signature and a device identification signature from a hardware security area; the terminal device generates a symmetric encryption key, collects information, uses the symmetric encryption key to perform symmetric encryption on the information, the data signature, and the device identification signature, so as to obtain encrypted data; the terminal device uses an asymmetric encryption public key to perform asymmetric encryption on the symmetric encryption key, so as to obtain an asymmetric encryption key; the terminal device reports asymmetric encryption data to a risk probe server, the asymmetric encryption data comprising the encrypted data, the asymmetric encryption key, and the asymmetric encryption public key; and the terminal device receives a token sent by the risk probe server, and stores the token at a local end, the token being a token that corresponds to a device fingerprint and that is generated by the risk probe server according to the encrypted data, the asymmetric encryption key, and the asymmetric encryption public key.

Description

Terminal device information transmission method, device fingerprint generation method, and related products
Technical field
This application relates to the field of terminal technology, and in particular to a terminal device information transmission method, a device fingerprint generation method, and related products.
Background
In the field of computer science, fingerprint generation refers to the process of creating unique identifiers for various types of electronic data. When we need to implement a technique to identify a single user or device, we call them device fingerprints. In essence, the process involves collecting information about smartphones, computers, or other devices. Sometimes, even if the user hides the Internet Protocol (IP) address or changes browsers, the device can still be identified through fingerprinting.
For many years, terminal devices have used risk probe systems to assess device risk, analyze legitimate network traffic, and detect potential fraud. The risk probe system is deployed in a private cloud. The business-side client triggers the risk probe to collect device information and uploads it to the business-side back end; the business-side back end parses, cleans, and filters the reported data, and then forwards the agreed data to the risk probe back end; the risk probe back end receives and parses the data and generates a device fingerprint; the risk probe back end performs a device risk assessment based on the existing device intelligence database and returns the assessment result to the business-side back end.
In current risk probe systems, data is not encrypted while it is reported; it is transmitted in plaintext, so there is a risk of transmission hijacking and data tampering.
Summary of the invention
The embodiments of the present application provide a terminal device information transmission method, a device fingerprint generation method, and related products, which can improve the security of terminal device information transmission.
A first aspect of the embodiments of the present application provides a terminal device information transmission method, including:
the terminal device obtains a data signature and a device identification signature from a hardware security zone;
the terminal device generates a symmetric encryption key, collects terminal device information, and uses the symmetric encryption key to symmetrically encrypt the terminal device information, the data signature, and the device identification signature to obtain encrypted data;
the terminal device uses an asymmetric encryption public key to asymmetrically encrypt the symmetric encryption key to obtain an asymmetric encryption key, the asymmetric encryption public key being obtained by the terminal device from the risk probe server;
the terminal device reports asymmetric encrypted data to the risk probe server, the asymmetric encrypted data including the encrypted data, the asymmetric encryption key, and the asymmetric encryption public key;
the terminal device receives a token sent by the risk probe server and stores the token locally, the token being the token corresponding to the device fingerprint that the risk probe server generates according to the encrypted data, the asymmetric encryption key, and the asymmetric encryption public key.
A second aspect of the embodiments of the present application provides a device fingerprint generation method, including:
the risk probe server receives a key acquisition request sent by a terminal device and sends an asymmetric encryption public key to the terminal device, the asymmetric encryption public key being used by the terminal device to encrypt in an asymmetric encryption manner;
the risk probe server receives the asymmetric encrypted data sent by the terminal device and decrypts it with the asymmetric encryption private key corresponding to the asymmetric encryption public key to obtain terminal device information;
the risk probe server generates a device fingerprint and a token corresponding to the device fingerprint based on the terminal device information.
A third aspect of the embodiments of the present application provides a terminal device information transmission apparatus, including:
an obtaining unit, configured to obtain a data signature and a device identification signature from a hardware security zone;
a first generating unit, configured to generate a symmetric encryption key;
a collection unit, configured to collect terminal device information;
a first encryption unit, configured to use the symmetric encryption key to symmetrically encrypt the terminal device information, the data signature, and the device identification signature to obtain encrypted data;
the first encryption unit being further configured to use an asymmetric encryption public key to asymmetrically encrypt the symmetric encryption key to obtain an asymmetric encryption key, the asymmetric encryption public key being obtained from the risk probe server;
a first communication unit, configured to report asymmetric encrypted data to the risk probe server, the asymmetric encrypted data including the encrypted data, the asymmetric encryption key, and the asymmetric encryption public key;
the first communication unit being further configured to receive a token sent by the risk probe server;
a storage unit, configured to store the token locally, the token being the token corresponding to the device fingerprint that the risk probe server generates according to the encrypted data, the asymmetric encryption key, and the asymmetric encryption public key.
A fourth aspect of the embodiments of the present application provides a device fingerprint generation apparatus, including:
a second communication unit, configured to receive a key acquisition request sent by a terminal device and send an asymmetric encryption public key to the terminal device, the asymmetric encryption public key being used by the terminal device to encrypt in an asymmetric encryption manner;
the second communication unit being further configured to receive asymmetric encrypted data sent by the terminal device;
a second encryption unit, configured to decrypt the asymmetric encrypted data with the asymmetric encryption private key corresponding to the asymmetric encryption public key to obtain terminal device information;
a second generating unit, configured to generate a device fingerprint and a token corresponding to the device fingerprint based on the terminal device information.
A fifth aspect of the embodiments of the present application provides a terminal device, including a processor and a memory, where the memory is used to store a computer program, the computer program includes program instructions, and the processor is configured to call the program instructions to execute the step instructions in the first aspect of the embodiments of the present application.
A sixth aspect of the embodiments of the present application provides a server, including a processor and a memory, where the memory is used to store a computer program, the computer program includes program instructions, and the processor is configured to call the program instructions to execute the step instructions in the second aspect of the embodiments of the present application.
A seventh aspect of the embodiments of the present application provides a computer-readable storage medium, where the computer-readable storage medium stores a computer program for electronic data exchange, and the computer program causes a computer to execute some or all of the steps described in the first aspect of the embodiments of the present application.
An eighth aspect of the embodiments of the present application provides a computer-readable storage medium, where the computer-readable storage medium stores a computer program for electronic data exchange, and the computer program causes a computer to execute some or all of the steps described in the second aspect of the embodiments of the present application.
A ninth aspect of the embodiments of the present application provides a computer program product, where the computer program product includes a non-transitory computer-readable storage medium storing a computer program, and the computer program is operable to cause a computer to execute some or all of the steps described in the first aspect of the embodiments of the present application. The computer program product may be a software installation package.
A tenth aspect of the embodiments of the present application provides a computer program product, where the computer program product includes a non-transitory computer-readable storage medium storing a computer program, and the computer program is operable to cause a computer to execute some or all of the steps described in the second aspect of the embodiments of the present application. The computer program product may be a software installation package.
In the embodiments of the present application, the terminal device obtains a data signature and a device identification signature from the hardware security zone; the terminal device generates a symmetric encryption key, collects terminal device information, and uses the symmetric encryption key to symmetrically encrypt the terminal device information, the data signature, and the device identification signature to obtain encrypted data; the terminal device uses an asymmetric encryption public key to asymmetrically encrypt the symmetric encryption key to obtain an asymmetric encryption key, the asymmetric encryption public key being obtained by the terminal device from the risk probe server; the terminal device reports asymmetric encrypted data to the risk probe server, the asymmetric encrypted data including the encrypted data, the asymmetric encryption key, and the asymmetric encryption public key; the terminal device receives the token sent by the risk probe server and stores the token locally, the token being the token corresponding to the device fingerprint that the risk probe server generates according to the encrypted data, the asymmetric encryption key, and the asymmetric encryption public key.
In the embodiments of the present application, the terminal device sends asymmetric encrypted data containing terminal device information to the risk probe server. Since the data signature and the device identification signature are obtained from the hardware security zone, the security of the data signature and the device identification signature is ensured, and so is the security of the data sent by the terminal device. Since a symmetric encryption key is used to symmetrically encrypt the terminal device information, the data signature, and the device identification signature, and an asymmetric encryption public key is used to asymmetrically encrypt the symmetric encryption key to obtain an asymmetric encryption key, the security of the asymmetric encrypted data sent by the terminal device to the risk probe server is ensured, as is the security of the data received by the risk probe server. During terminal device information transmission, the security of the transmitted data is ensured at both the data sending end and the data receiving end, so the security of terminal device information transmission can be improved.
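The terminal-side steps of the first aspect and the server-side steps of the second aspect, as an added Go sketch that is not code from the patent. The text above names no algorithms, so AES-256-GCM, RSA-OAEP, the SHA-256 fingerprint, the random token, and every type and function name are assumptions, and the two signatures are constructed placeholder bytes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"errors"
	"fmt"
)

// Payload: device info plus the two hardware-security-zone signatures (opaque here).
type Payload struct {
	DeviceInfo           map[string]string
	DataSig, DeviceIDSig []byte
}

// Report is the "asymmetric encrypted data" sent to the risk probe server.
type Report struct {
	EncryptedData []byte // nonce || AES-256-GCM ciphertext (cipher is an assumption)
	WrappedKey    []byte // symmetric key under RSA-OAEP (scheme is an assumption)
	PublicKeyDER  []byte // public key the terminal encrypted to
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// TerminalSeal: fresh symmetric key, encrypt the payload, wrap the key.
func TerminalSeal(pub *rsa.PublicKey, p Payload) (*Report, error) {
	plain, _ := json.Marshal(p) // cannot fail for these field types
	buf := make([]byte, 32+12)  // 256-bit key, then 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, _ := newGCM(key) // a 32-byte key is always accepted
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	enc := gcm.Seal(nonce, nonce, plain, nil)
	return &Report{enc, wrapped, x509.MarshalPKCS1PublicKey(pub)}, nil
}

type Server struct{ priv *rsa.PrivateKey } // stand-in for the risk probe server

func NewServer() (*Server, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	return &Server{priv}, err
}
func (s *Server) PublicKey() *rsa.PublicKey { return &s.priv.PublicKey }

// Open unwraps the key, decrypts, and issues a fingerprint and a token.
func (s *Server) Open(r *Report) (fingerprint, token string, err error) {
	// Accept only reports sealed to the key this server issued.
	if !bytes.Equal(r.PublicKeyDER, x509.MarshalPKCS1PublicKey(s.PublicKey())) {
		return "", "", errors.New("public key not issued by this server")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, r.WrappedKey, nil)
	if err != nil {
		return "", "", fmt.Errorf("unwrap symmetric key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil || len(r.EncryptedData) < gcm.NonceSize() {
		return "", "", errors.New("malformed report")
	}
	n := gcm.NonceSize()
	plain, err := gcm.Open(nil, r.EncryptedData[:n], r.EncryptedData[n:], nil)
	if err != nil {
		return "", "", fmt.Errorf("ciphertext rejected: %w", err)
	}
	var p Payload
	if err := json.Unmarshal(plain, &p); err != nil {
		return "", "", err
	}
	// DataSig and DeviceIDSig would be verified here (not modelled).
	info, _ := json.Marshal(p.DeviceInfo) // map keys are emitted sorted
	sum, tok := sha256.Sum256(info), make([]byte, 16)
	if _, err := rand.Read(tok); err != nil {
		return "", "", err
	}
	return fmt.Sprintf("%x", sum), fmt.Sprintf("%x", tok), nil
}

func main() {
	srv, _ := NewServer()
	p := Payload{map[string]string{"model": "constructed"}, []byte("s1"), []byte("s2")}
	r, _ := TerminalSeal(srv.PublicKey(), p)
	fmt.Println(srv.Open(r))
}
```

Because the report carries the public key alongside the ciphertext, the server in this sketch treats that field only as a selector for its own private key and rejects any report naming a key it did not issue.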
Description of the drawings
In order to describe the technical solutions in the embodiments of the present application or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application; those of ordinary skill in the art can obtain other drawings from them without creative work.
FIG. 1 is a schematic structural diagram of a risk probe system provided by an embodiment of the present application;
FIG. 2 is a schematic flowchart of a terminal device information transmission method provided by an embodiment of the present application;
FIG. 3 is a schematic flowchart of a device fingerprint generation method provided by an embodiment of the present application;
FIG. 4 is a schematic flowchart of another device fingerprint generation method provided by an embodiment of the present application;
FIG. 5 is a schematic flowchart of another device fingerprint generation method provided by an embodiment of the present application;
FIG. 6 is a schematic flowchart of another device fingerprint generation method provided by an embodiment of the present application;
FIG. 7 is a schematic flowchart of another device fingerprint generation method provided by an embodiment of the present application;
FIG. 8 is a schematic diagram of a service access process provided by an embodiment of the present application;
FIG. 9 is a schematic structural diagram of a terminal device information transmission apparatus provided by an embodiment of the present application;
FIG. 10 is a schematic structural diagram of a device fingerprint generation apparatus provided by an embodiment of the present application;
FIG. 11 is a schematic structural diagram of a terminal device provided by an embodiment of the present application;
FIG. 12 is a schematic structural diagram of a server provided by an embodiment of the present application.
Detailed description
The technical solutions in the embodiments of the present application are described clearly and completely below with reference to the accompanying drawings in the embodiments of the present application. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. Based on the embodiments in this application, all other embodiments obtained by those of ordinary skill in the art without creative work fall within the protection scope of this application.
The terms "first", "second", etc. in the specification and claims of this application and in the above drawings are used to distinguish different objects, not to describe a specific order. In addition, the terms "including" and "having" and any variations of them are intended to cover non-exclusive inclusion. For example, a process, method, system, product, or device that includes a series of steps or units is not limited to the listed steps or units, but optionally also includes steps or units that are not listed, or optionally also includes other steps or units inherent to such a process, method, product, or device.
A reference to an "embodiment" in this application means that a specific feature, structure, or characteristic described in conjunction with the embodiment may be included in at least one embodiment of the present application. The appearance of the phrase in various places in the specification does not necessarily refer to the same embodiment, nor to an independent or alternative embodiment that is mutually exclusive with other embodiments. Those skilled in the art understand, explicitly and implicitly, that the embodiments described in this application can be combined with other embodiments.
The terminal devices involved in the embodiments of the present application may include various handheld devices with wireless communication functions, vehicle-mounted devices, wearable devices, computing devices or other processing devices connected to wireless modems, as well as various forms of user equipment (UE), mobile stations (MS), terminal devices, and so on. For ease of description, the devices mentioned above are collectively referred to as terminal devices.
请参阅图1,图1是本申请实施例提供的一种风险探针系统的结构示意图,包括风险探针服务器100和与风险探针服务器100通信连接的至少一个终端设备101。终端设备101上可以安装有客户端,风险探针服务器100上可以安装有风险探针服务端。客户端是指与风险探针服务器相对应,为客户提供本地服务的程序。风险探针服务端也是在风险探针服务器上安装的一段程序,风险探针服务端是为客户端服务的,服务的内容诸如向客户端提供计算或者应用服务,向客户端提供资源,保存客户端数据等,比如,风险探针服务端可以向客户端提供针对终端设备的风险评估服务。风险探针服务器100可以直接与终端设备101通过互联网建立通信连接,风险探针服务端100也可以通过其他服务器与终端设备101通过互联网建立通信连接。本申请实施例不做限定。Please refer to FIG. 1. FIG. 1 is a schematic structural diagram of a risk probe system provided by an embodiment of the present application, which includes a risk probe server 100 and at least one terminal device 101 communicatively connected with the risk probe server 100. A client may be installed on the terminal device 101, and a risk probe server may be installed on the risk probe server 100. The client refers to the program that corresponds to the risk probe server and provides customers with local services. The risk probe server is also a program installed on the risk probe server. The risk probe server serves the client. The content of the service is such as providing computing or application services to the client, providing resources to the client, and saving the client. Terminal data, etc., for example, the risk probe server can provide the client with risk assessment services for terminal devices. The risk probe server 100 can directly establish a communication connection with the terminal device 101 via the Internet, and the risk probe server 100 can also establish a communication connection with the terminal device 101 via other servers via the Internet. The embodiments of this application do not make limitations.
本申请实施例中的风险探测服务器可以具备如下功能:(1)生成终端设备的唯一标识:终端设备指纹。(2)基于大数据对终端设备的业务类型倾向进行分类,对终端设备进行风险评估。The risk detection server in the embodiment of the present application may have the following functions: (1) Generate a unique identification of the terminal device: a fingerprint of the terminal device. (2) Based on big data, classify the business type tendency of terminal equipment, and conduct risk assessment of terminal equipment.
请参阅图2,图2是本申请实施例提供的一种终端设备信息传输方法的流程示意图。如图2所示,该终端设备信息传输方法可以包括如下步骤。Please refer to FIG. 2, which is a schematic flowchart of a method for transmitting terminal device information according to an embodiment of the present application. As shown in FIG. 2, the terminal device information transmission method may include the following steps.
201. The terminal device obtains a data signature and a device identification signature from the hardware security zone.
The terminal device can support running an REE, for example a general-purpose OS such as Android, iOS or Linux. The REE can provide all the functions of the device to upper-layer applications (Apps). The REE is open, extensible and general-purpose. An application provided by the REE is an RA.
The terminal device can also support running a trusted execution environment (TEE). The TEE is protected by a hardware mechanism and is isolated from the REE. An application provided by the TEE is a trusted application (TA). The REE can communicate with a TA in the TEE only through a specific entry point. The TEE has exclusive use of the hardware: while the TEE is running, it can use the full performance of the central processing unit (CPU) of the terminal device. The TEE also has a fast communication mechanism: the TEE can access the memory of the REE, but the REE cannot access the hardware-protected memory of the TEE. Multiple TAs can run in the TEE at the same time.
A TA is an application in the TEE. The TEE is an independent hardware security zone; even if the Android OS is rooted or the ROM is reflashed, the security of the TEE is not affected.
The RA in the REE can obtain the data signature SIGN1 and the device identification signature SIGN2 from the TA.
The data signature SIGN1 is the signature of the terminal device information key field set (KeyFieldSet) data; KeyFieldSet is a subset of the terminal device information set (InfoSet). The device identification signature SIGN2 is the signature of the unique identifier of the terminal device. Because a device identifier at the software layer is unreliable and at risk of being tampered with, the device identifier in the embodiments of the present application is generated in the hardware security zone, and a unique device identifier is maintained in the hardware security zone. The RA in the REE can guarantee the security of the keys and signatures preset in it and the uniqueness of the device fingerprint.
The data signature and the device identification signature are obtained by the hardware security zone by encrypting with a message digest algorithm.
The hardware security zone generates the data signature and the device identification signature as follows:
The TA in the hardware security zone generates a random number TRAN using the hardware in the hardware security zone, and signs (KeyFieldSet+TRAN) and (sk_2) respectively to obtain the data signature SIGN1 and the device identification signature SIGN2; it then asymmetrically encrypts (SIGN1+SIGN2+TRAN) with the key pk_1 to obtain EncSign; the TA returns the encryption result EncSign to the RA side of the terminal device. Here, sk_2 is the unique identifier of the terminal device. sk_2 can be regarded as the private key of a key pair, and pk_2 is the public key corresponding to sk_2 in that key pair.
Specifically, the TA may use MD5 encryption to sign (KeyFieldSet+TRAN) and (sk_2) respectively.
Specifically, SIGN1=MD5(KeyFieldSet+TRAN); SIGN2=MD5(sk_2).
202. The terminal device generates a symmetric encryption key and collects terminal device information, and uses the symmetric encryption key to symmetrically encrypt the terminal device information, the data signature, and the device identification signature to obtain encrypted data.
In the embodiments of the present application, the terminal device can randomly generate the symmetric encryption key (key) in software. For example, the terminal device can randomly generate the symmetric encryption key with a random number generator through a rich application (RA) provided by a rich execution environment (REE). The RA in the REE can generate the symmetric encryption key.
In the embodiments of the present application, the terminal device can collect the terminal device information through the RA in the TEE. The terminal device information may include hardware information, system information, operating environment information, network information, and so on, of the terminal device.
The symmetric encryption key (key) is generated by the terminal device in step 201. For encryption, the symmetric encryption key (key) is used to symmetrically encrypt the terminal device information InfoSet, the data signature SIGN1, and the device identification signature SIGN2 to obtain the encrypted data (EnData); for decryption, the symmetric encryption key (key) is needed to decrypt the encrypted data (EnData) and recover the terminal device information InfoSet, the data signature SIGN1, and the device identification signature SIGN2.
203. The terminal device uses an asymmetric encryption public key to asymmetrically encrypt the symmetric encryption key, obtaining an asymmetric encryption key; the asymmetric encryption public key is obtained by the terminal device from the risk probe server.
After data has been encrypted with the symmetric encryption key, once the symmetric encryption key is cracked, the cracker can use it directly to decrypt, which causes information leakage. Therefore, the embodiments of the present application use the asymmetric encryption public key (pk_1) to asymmetrically encrypt the symmetric encryption key (key), obtaining the asymmetric encryption key (Enkey). Encrypting the symmetric encryption key with the asymmetric encryption public key, on top of the symmetric encryption itself, can further improve the security of data transmission.
The asymmetric encryption public key is obtained by the terminal device from the risk probe server. Specifically, the risk probe server can generate the asymmetric encryption public key (pk_1) and the asymmetric encryption private key (sk_1), and the terminal device requests the asymmetric encryption public key from the risk probe server. The asymmetric encryption public key (pk_1) and the asymmetric encryption private key (sk_1) form a key pair, used for encryption and decryption respectively.
Optionally, before step 201 is performed, the following step may also be performed:
The terminal device sends a key acquisition request to the risk probe server, and obtains the asymmetric encryption public key from the risk probe server.
204. The terminal device reports asymmetric encrypted data to the risk probe server; the asymmetric encrypted data includes the encrypted data, the asymmetric encryption key, and the asymmetric encryption public key.
In the embodiments of the present application, after the terminal device reports the asymmetric encrypted data to the risk probe server, the risk probe server can use the asymmetric encryption private key (sk_1) corresponding to the asymmetric encryption public key (pk_1) to decrypt the asymmetric encryption key (Enkey) and obtain the symmetric encryption key (key). It then uses the symmetric encryption key (key) to decrypt the encrypted data (EnData) and obtain the terminal device information InfoSet, the data signature SIGN1, the device identification signature SIGN2, and TRAN.
The risk probe server can generate a device fingerprint, and a token corresponding to the device fingerprint, based on the terminal device information InfoSet.
Optionally, the risk probe server can verify the data signature SIGN1. Specifically, it computes the MD5 signature of KeyFieldSet+TRAN and compares it with SIGN1; if they match, the signature verification passes (KeyFieldSet is a subset of InfoSet).
Optionally, the risk probe server can generate a back-end verification element VerCode from the device identification signature SIGN2 and TAND, where TAND is a random number generated by the risk probe server.
Optionally, the risk probe server can generate a back-end check factor from the back-end verification element VerCode. Specifically, it verifies whether SIGN2 exists in the device identification signature library of the risk probe server; if it does, the public key pk_2 corresponding to sk_2 in the key pair can be obtained (the device identification signature library holds a mapping between the device identification signature SIGN2 and pk_2). The risk probe server can use the public key pk_2 to asymmetrically encrypt the back-end verification element VerCode, obtaining the back-end check factor EnVerCode.
205. The terminal device receives the token sent by the risk probe server and stores the token locally; the token is the token corresponding to the device fingerprint that the risk probe server generates from the encrypted data, the asymmetric encryption key, and the asymmetric encryption public key.
In the embodiments of the present application, after the terminal device reports the asymmetric encrypted data to the risk probe server, the risk probe server decrypts the asymmetric encrypted data to obtain the terminal device information, and generates the device fingerprint and the token corresponding to the device fingerprint from the terminal device information. The risk probe server can send the token to the terminal device, and the terminal device can store the token locally. For example, the terminal device can store the token persistently in its non-volatile memory.
The token is an object that represents the right to perform certain operations. The token travels across networks as an alias of the device fingerprint, which effectively prevents the risk of the device fingerprint being maliciously collected in transit. The token is also time-limited, which prevents malicious users from forging tokens and cheating with them.
Optionally, the risk probe server may send the back-end check factor to the terminal device; the terminal device may verify the back-end check factor through the hardware security zone, generate a front-end check factor based on the back-end check factor, and send the front-end check factor to the risk probe server, where the front-end check factor is used by the risk probe server to perform a security check;
when the risk probe server successfully verifies the front-end check factor, the terminal device performs step 205.
In the embodiments of the present application, the terminal device can decrypt the back-end check factor EnVerCode through the TA in the hardware security zone to obtain the back-end verification element VerCode. Through the TA in the hardware security zone, the terminal device can use the asymmetric encryption public key (pk_1) to asymmetrically encrypt the back-end verification element VerCode and the device identification signature SIGN2, obtaining the front-end check factor EnSIGN2. The terminal device sends the front-end check factor EnSIGN2 to the risk probe server through the RA, and the risk probe server performs a security check on EnSIGN2. Specifically, the risk probe server decrypts the front-end check factor EnSIGN2 with the asymmetric encryption private key (sk_1) to obtain the back-end verification element VerCode and the device identification signature SIGN2, and then verifies VerCode and SIGN2.
When the risk probe server successfully verifies the front-end check factor, the risk probe server sends the token to the terminal device.
In the embodiments of the present application, back-end verification at the risk probe server can be strengthened by generating an asymmetrically encrypted back-end check factor at the risk probe server, and front-end verification at the terminal device can be strengthened as well. The terminal device and the risk probe server can verify each other, which raises the cost of cheating for the terminal device and compensates for the RA being untrusted and insecure.
In the embodiments of the present application, the terminal device sends asymmetric encrypted data containing the terminal device information to the risk probe server. Because the data signature and the device identification signature are obtained from the hardware security zone, the security of the two signatures, and of the data sent by the terminal device, is ensured. Because the terminal device information, the data signature, and the device identification signature are symmetrically encrypted with the symmetric encryption key, and the symmetric encryption key is itself asymmetrically encrypted with the asymmetric encryption public key to obtain the asymmetric encryption key, the security of the asymmetric encrypted data sent by the terminal device to the risk probe server, and of the data received by the risk probe server, is ensured. During transmission of the terminal device information, the security of the transmitted data is ensured at both the sending end and the receiving end, which improves the security of terminal device information transmission.
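The server-side checks described above (the SIGN1 comparison, the SIGN2 library lookup, and the single-use VerCode round trip), sketched in Python as an added example that is not code from the patent. The key field names, the JSON encoding of KeyFieldSet, the SHA-256 derivation of VerCode, and all sample values are assumptions; the pk_1 and pk_2 encryption layers are left out so that only the checks on already-decrypted values are shown.

```python
import hashlib
import hmac
import json
import secrets

# Assumed KeyFieldSet members; the page only says KeyFieldSet is a subset of InfoSet.
KEY_FIELDS = ("hw_serial", "os_build", "boot_state")


def canonical(fields: dict) -> bytes:
    """Deterministic encoding (assumed) so the TA and the server hash identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign1(key_field_set: dict, tran: bytes) -> str:
    """SIGN1 = MD5(KeyFieldSet + TRAN), as defined on the page."""
    return hashlib.md5(canonical(key_field_set) + tran).hexdigest()


def sign2(sk_2: bytes) -> str:
    """SIGN2 = MD5(sk_2), as defined on the page."""
    return hashlib.md5(sk_2).hexdigest()


def same(a: str, b: str) -> bool:
    """Constant-time comparison of two digest strings."""
    return hmac.compare_digest(a.encode(), b.encode())


class RiskProbeServer:
    def __init__(self, signature_library: dict):
        self.signature_library = signature_library  # SIGN2 -> pk_2 mapping
        self.pending = {}                           # SIGN2 -> outstanding VerCode

    def verify_report(self, info_set: dict, s1: str, s2: str, tran: bytes):
        """Checks on the decrypted report: InfoSet, SIGN1, SIGN2 and TRAN."""
        if any(name not in info_set for name in KEY_FIELDS):
            return False, "missing key field"
        key_field_set = {name: info_set[name] for name in KEY_FIELDS}
        if not same(sign1(key_field_set, tran), s1):
            return False, "SIGN1 mismatch"
        if s2 not in self.signature_library:
            return False, "unknown SIGN2"
        return True, "ok"

    def issue_challenge(self, s2: str):
        """Build VerCode from SIGN2 and a fresh TAND (derivation is assumed)."""
        tand = secrets.token_bytes(16)
        ver_code = hashlib.sha256(s2.encode() + tand).hexdigest()
        self.pending[s2] = ver_code
        # The page encrypts VerCode under pk_2 before sending; omitted here.
        return ver_code, self.signature_library[s2]

    def check_response(self, s2: str, ver_code: str) -> bool:
        """Accept a returned VerCode once; a second use finds nothing pending."""
        expected = self.pending.pop(s2, None)
        return expected is not None and same(expected, ver_code)


def demo() -> dict:
    # All values below are constructed for illustration.
    sk_2 = b"constructed-device-secret"
    s2 = sign2(sk_2)
    server = RiskProbeServer({s2: "pk_2-placeholder"})
    info_set = {"hw_serial": "SN-0001", "os_build": "build-42",
                "boot_state": "unlocked", "network": "wifi"}
    tran = bytes.fromhex("00112233445566778899aabbccddeeff")
    s1 = sign1({name: info_set[name] for name in KEY_FIELDS}, tran)

    results = {"genuine": server.verify_report(info_set, s1, s2, tran)}
    # A report whose key field was changed after the TA produced SIGN1.
    tampered = dict(info_set, boot_state="locked")
    results["tampered"] = server.verify_report(tampered, s1, s2, tran)
    # A SIGN2 that is not in the device identification signature library.
    results["unknown_device"] = server.verify_report(
        info_set, s1, sign2(b"some-other-secret"), tran)

    ver_code, _pk_2 = server.issue_challenge(s2)
    results["first_response"] = server.check_response(s2, ver_code)
    results["replayed_response"] = server.check_response(s2, ver_code)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

MD5 is an unkeyed digest, so the SIGN1 comparison shows only that the reported key fields match what was hashed together with TRAN; it does not by itself show who computed the digest.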
Please refer to FIG. 3. FIG. 3 is a schematic flowchart of a device fingerprint generation method provided by an embodiment of the present application. As shown in FIG. 3, the device fingerprint generation method may include the following steps.
301. The risk probe server receives a key acquisition request sent by the terminal device, and sends the asymmetric encryption public key to the terminal device; the asymmetric encryption public key is used by the terminal device to encrypt using asymmetric encryption.
In the embodiments of the present application, the risk probe server can generate the asymmetric encryption public key (pk_1) and the asymmetric encryption private key (sk_1). After receiving the key acquisition request sent by the terminal device, the risk probe server can send the asymmetric encryption public key (pk_1) to the terminal device. After receiving the asymmetric encryption public key (pk_1), the terminal device uses it to asymmetrically encrypt the symmetric encryption key (key), obtaining the asymmetric encryption key (Enkey).
The symmetric encryption key (key) is generated by the terminal device and is used by the terminal device to symmetrically encrypt the terminal device information InfoSet, the data signature SIGN1, and the device identification signature SIGN2. The data signature SIGN1 and the device identification signature SIGN2 are obtained by the terminal device from the TA in the hardware security zone.
The terminal device can collect the terminal device information through the RA in the TEE (the terminal device information may include hardware information, system information, operating environment information, network information, and so on, of the terminal device). The terminal device can use the symmetric encryption key (key) to symmetrically encrypt the terminal device information InfoSet, the data signature SIGN1, and the device identification signature SIGN2, obtaining the encrypted data (EnData).
The terminal device can use the asymmetric encryption public key (pk_1) to asymmetrically encrypt the symmetric encryption key (key), obtaining the asymmetric encryption key (Enkey).
302. The risk probe server receives the asymmetric encrypted data sent by the terminal device, and decrypts the asymmetric encrypted data with the asymmetric encryption private key corresponding to the asymmetric encryption public key to obtain the terminal device information.
Optionally, the asymmetric encrypted data includes the encrypted data, the asymmetric encryption key, and the asymmetric encryption public key. In step 302, the risk probe server decrypting the asymmetric encrypted data with the asymmetric encryption private key corresponding to the asymmetric encryption public key to obtain the terminal device information includes the following steps:
(11) the risk probe server uses the asymmetric encryption private key corresponding to the asymmetric encryption public key to decrypt the asymmetric encryption key, obtaining the symmetric encryption key;
(12) the risk probe server uses the symmetric encryption key to decrypt the encrypted data, obtaining the terminal device information.
In the embodiments of the present application, the asymmetric encrypted data includes the encrypted data (EnData), the asymmetric encryption key (Enkey), and the asymmetric encryption public key (pk_1). After receiving the asymmetric encrypted data sent by the terminal device, the risk probe server can use the asymmetric encryption private key (sk_1) corresponding to the asymmetric encryption public key (pk_1) to decrypt the asymmetric encryption key (Enkey) and obtain the symmetric encryption key (key). It then uses the symmetric encryption key (key) to decrypt the encrypted data (EnData) and obtain the terminal device information InfoSet, the data signature SIGN1, and the device identification signature SIGN2.
303. The risk probe server generates a device fingerprint, and a token corresponding to the device fingerprint, based on the terminal device information.
In the embodiments of the present application, a device fingerprint refers to a device characteristic or a unique device identifier that can be used to uniquely identify the device. The terminal device information of each terminal device is unique, so the generated device fingerprint is also unique.
Optionally, after step 303 is performed, the following step may also be performed:
The risk probe server sends the token to the terminal device.
Optionally, after step 303 is performed, the following step may also be performed:
The risk probe server generates a back-end check factor and sends the back-end check factor to the terminal device, where the back-end check factor is used by the terminal device to perform a security check through the hardware security zone.
In the embodiments of the present application, the risk probe server can generate the back-end verification element VerCode from the device identification signature SIGN2 and TAND, where TAND is a random number generated by the risk probe server. The risk probe server can generate the back-end check factor from the back-end verification element VerCode. Specifically, the public key pk_2 corresponding to sk_2 in the key pair can be obtained from the mapping between the device identification signature SIGN2 and pk_2 held in the device identification signature library. The risk probe server can use the public key pk_2 to asymmetrically encrypt the back-end verification element VerCode, obtaining the back-end check factor EnVerCode.
Optionally, when the terminal device successfully verifies the back-end check factor through the hardware security zone, the risk probe server receives the front-end check factor sent by the terminal device;
the risk probe server performs a security check on the front-end check factor;
when the risk probe server successfully verifies the front-end check factor, the risk probe server performs the step of sending the token to the terminal device.
In the embodiments of the present application, the terminal device can decrypt the back-end check factor EnVerCode through the TA in the hardware security zone to obtain the back-end verification element VerCode, and verify the device identification signature SIGN2. After the verification passes, the terminal device can, through the TA in the hardware security zone, use the asymmetric encryption public key (pk_1) to asymmetrically encrypt the back-end verification element VerCode and the device identification signature SIGN2, obtaining the front-end check factor EnSIGN2. The terminal device sends the front-end check factor EnSIGN2 to the risk probe server through the RA, and the risk probe server performs a security check on EnSIGN2. Specifically, the risk probe server decrypts the front-end check factor EnSIGN2 with the asymmetric encryption private key (sk_1) to obtain the back-end verification element VerCode and the device identification signature SIGN2, and then verifies VerCode and SIGN2. When the risk probe server successfully verifies the front-end check factor, the risk probe server sends the token to the terminal device.
In the embodiments of the present application, back-end verification at the risk probe server can be strengthened by generating an asymmetrically encrypted back-end check factor at the risk probe server, and front-end verification at the terminal device can be strengthened as well. The terminal device and the risk probe server can verify each other, which raises the cost of cheating for the terminal device and compensates for the RA being untrusted and insecure.
In the embodiments of the present application, the risk probe server receives the asymmetric encrypted data sent by the terminal device, and decrypts it with the asymmetric encryption private key corresponding to the asymmetric encryption public key to obtain the terminal device information. Because the asymmetric encrypted data is encrypted by the terminal device using a symmetric encryption key, the security of the asymmetric encrypted data that the risk probe server receives from the terminal device, and of the data received by the risk probe server, is ensured, which in turn ensures the security of device fingerprint generation.
Please refer to FIG. 4. FIG. 4 is a schematic flowchart of another device fingerprint generation method provided by an embodiment of the present application. As shown in FIG. 4, the device fingerprint generation method may include the following steps.
401. The risk probe server receives a key acquisition request sent by the terminal device, and sends the asymmetric encryption public key to the terminal device; the asymmetric encryption public key is used by the terminal device to encrypt using asymmetric encryption.
402. The risk probe server receives the asymmetric encrypted data sent by the terminal device, and decrypts the asymmetric encrypted data with the asymmetric encryption private key corresponding to the asymmetric encryption public key to obtain the terminal device information.
403. The risk probe server generates a device fingerprint, and a token corresponding to the device fingerprint, based on the terminal device information.
For the specific implementation of steps 401 to 403 in the embodiments of the present application, refer to steps 301 to 303 shown in FIG. 3; details are not repeated here.
404. The risk probe server performs big data computation based on the terminal device information, historical reported data, and business risk control data, labels the business tendency classification of the terminal device, and labels the device risk level of the terminal device.
In the embodiments of the present application, the risk probe server can build a terminal device profile library. The risk probe server can clean the terminal device information InfoSet reported by the terminal device, perform big data computation on it together with historical reported data and business risk control data, and apply business tendency classification and risk labels to the device fingerprint, thereby building the terminal device profile library.
Optionally, after step 404 is performed, the following step may also be performed:
The risk probe server sends the device risk level identifier of the terminal device to the terminal device.
The risk probe server of the embodiments of the present application can combine terminal device information (for example, operating environment, system state, and so on), business data, and risk control intelligence, and use big data technology and machine learning to label the device risk level, so that the device risk level is obtained quickly and accurately and a risk early-warning service is provided for the terminal device.
Please refer to FIG. 5, which is a schematic flowchart of another device fingerprint generation method provided by an embodiment of the present application. The terminal device may include a terminal device RA, and the risk probe server may be the OPPO Risk Probe (ORP) backend. As shown in FIG. 5, the device fingerprint generation method may include the following steps.
501. The terminal device RA sends a key acquisition request to the ORP backend and obtains the asymmetric encryption public key from the ORP backend.
The ORP backend may generate a key pair (asymmetric encryption public key pk_1 and asymmetric encryption private key sk_1).
502. The terminal device RA requests the terminal device TA in the hardware security zone to obtain a data signature and a device identification signature.
The terminal device TA in the hardware security zone generates the data signature and the device identification signature as follows:
The terminal device TA in the hardware security zone generates a random number TRAN using hardware in the hardware security zone, and signs (KeyFieldSet+TRAN) and (sk_2) respectively to obtain the data signature SIGN1 and the device identification signature SIGN2; it then asymmetrically encrypts (SIGN1+SIGN2+TRAN) with the key pk_1 to obtain EncSign; the terminal device TA returns the encryption result EncSign to the RA side of the terminal device. Here, sk_2 is the unique identifier of the terminal device. sk_2 can be regarded as the private key of a key pair, and pk_2 is the public key corresponding to sk_2 in that key pair.
Specifically, the terminal device TA may sign (KeyFieldSet+TRAN) and (sk_2) using MD5 encryption.
Specifically, SIGN1=MD5(KeyFieldSet+TRAN); SIGN2=MD5(sk_2).
503. The terminal device RA generates a symmetric encryption key, collects terminal device information, and uses the symmetric encryption key to symmetrically encrypt the terminal device information, the data signature, and the device identification signature to obtain encrypted data.
For the specific implementation of step 503, refer to the description of step 202; details are not repeated here.
504. The terminal device RA uses the asymmetric encryption public key to asymmetrically encrypt the symmetric encryption key to obtain the asymmetric encryption key.
For the specific implementation of step 504, refer to the description of step 203; details are not repeated here.
505. The terminal device RA reports the asymmetric encrypted data to the ORP backend; the asymmetric encrypted data includes the encrypted data, the asymmetric encryption key, and the asymmetric encryption public key.
For the specific implementation of step 505, refer to the description of step 204; details are not repeated here.
506. The ORP backend receives the asymmetric encrypted data sent by the terminal device RA and decrypts it with the asymmetric encryption private key corresponding to the asymmetric encryption public key to obtain the terminal device information.
For the specific implementation of step 506, refer to the description of step 302; details are not repeated here.
507. The ORP backend generates a device fingerprint and a token corresponding to the device fingerprint based on the terminal device information.
For the specific implementation of step 507, refer to the description of step 303; details are not repeated here.
508. The terminal device RA receives the token sent by the ORP backend and stores the token locally.
For the specific implementation of step 508, refer to the description of step 205; details are not repeated here.
In this embodiment of the present application, the terminal device sends asymmetric encrypted data containing the terminal device information to the risk probe server. Because the data signature and the device identification signature are obtained from the hardware security zone, the security of the data signature and the device identification signature is ensured, and so is the security of the data sent by the terminal device. Because the terminal device information, the data signature, and the device identification signature are symmetrically encrypted with the symmetric encryption key, and the symmetric encryption key is asymmetrically encrypted with the asymmetric encryption public key to obtain the asymmetric encryption key, the security of the asymmetric encrypted data sent by the terminal device to the risk probe server is ensured, and so is the security of the data received by the risk probe server. During terminal device information transmission, the security of the transmitted data is ensured at both the data sending end and the data receiving end, so the security of terminal device information transmission can be improved. The risk probe server receives the asymmetric encrypted data sent by the terminal device and decrypts it with the asymmetric encryption private key corresponding to the asymmetric encryption public key to obtain the terminal device information. Because the asymmetric encrypted data is encrypted by the terminal device with the symmetric encryption key, the security of the asymmetric encrypted data that the risk probe server receives from the terminal device is ensured, and so is the security of the data received by the risk probe server, which in turn ensures the security of device fingerprint generation.
Please refer to FIG. 6, which is a schematic flowchart of another device fingerprint generation method provided by an embodiment of the present application. The terminal device may include a terminal device RA, and the risk probe server may be the OPPO Risk Probe (ORP) backend. As shown in FIG. 6, the device fingerprint generation method may include the following steps.
601. The terminal device RA sends a key acquisition request to the ORP backend and obtains the asymmetric encryption public key from the ORP backend.
602. The terminal device RA requests the terminal device TA in the hardware security zone to obtain a data signature and a device identification signature.
603. The terminal device RA generates a symmetric encryption key, collects terminal device information, and uses the symmetric encryption key to symmetrically encrypt the terminal device information, the data signature, and the device identification signature to obtain encrypted data.
604. The terminal device RA uses the asymmetric encryption public key to asymmetrically encrypt the symmetric encryption key to obtain the asymmetric encryption key.
605. The terminal device RA reports the asymmetric encrypted data to the ORP backend; the asymmetric encrypted data includes the encrypted data, the asymmetric encryption key, and the asymmetric encryption public key.
606. The ORP backend receives the asymmetric encrypted data sent by the terminal device RA and decrypts it with the asymmetric encryption private key corresponding to the asymmetric encryption public key to obtain the terminal device information.
For the specific implementation of steps 601 to 606, refer to steps 501 to 506 shown in FIG. 5; details are not repeated here.
607. The ORP backend generates a back-end check factor and sends it to the terminal device TA through the terminal device RA.
608. The terminal device TA verifies the back-end check factor.
609. If the verification succeeds, the terminal device TA generates a front-end check factor and sends it to the ORP backend through the terminal device RA.
610. The ORP backend performs a security check on the front-end check factor.
In this embodiment of the present application, the ORP backend may generate the back-end check element VerCode from the device identification signature SIGN2 and TAND, where TAND is a random number generated by the ORP backend. The ORP backend may generate the back-end check factor from the back-end check element VerCode. Specifically, for the device identification signature SIGN2, the ORP backend may use MD5 decryption to obtain sk_2, and from it the public key pk_2 corresponding to sk_2 in the key pair. The ORP backend may use the public key pk_2 to asymmetrically encrypt the back-end check element VerCode to obtain the back-end check factor EnVerCode.
The terminal device TA decrypts the back-end check factor EnVerCode to obtain the back-end check element VerCode, and verifies the device identification signature SIGN2. After the verification passes, the terminal device TA uses the asymmetric encryption public key (pk_1) to asymmetrically encrypt the back-end check element VerCode and the device identification signature SIGN2 to obtain the front-end check factor EnSIGN2. The terminal device TA sends the front-end check factor EnSIGN2 to the ORP backend through the terminal device RA, and the ORP backend performs a security check on the front-end check factor EnSIGN2. Specifically, the ORP backend decrypts the front-end check factor EnSIGN2 with the asymmetric encryption private key (sk_1) to obtain the back-end check element VerCode and the device identification signature SIGN2, and then verifies the back-end check element VerCode and the device identification signature SIGN2. If the ORP backend successfully verifies the front-end check factor, step 611 is performed.
611. If the verification succeeds, the ORP backend generates a device fingerprint and a token corresponding to the device fingerprint based on the terminal device information.
612. The terminal device RA receives the token sent by the ORP backend and stores the token locally.
For the specific implementation of steps 611 to 612, refer to steps 507 to 508 shown in FIG. 5; details are not repeated here.
In this embodiment of the present application, the back-end verification of the risk probe server can be strengthened by generating an asymmetrically encrypted back-end check factor on the risk probe server, and the front-end verification of the terminal device can also be strengthened. The terminal device and the risk probe server can verify each other, which raises the cost of cheating on the terminal device and compensates for the RA being untrusted and insecure.
Please refer to FIG. 7, which is a schematic flowchart of another device fingerprint generation method provided by an embodiment of the present application. The terminal device may include a terminal device RA and a terminal device TA, and the risk probe server may be the OPPO Risk Probe (ORP) backend. FIG. 7 is a specific implementation of FIG. 6. As shown in FIG. 7, the device fingerprint generation method may include the following steps.
701. RA requests pk_1 from the ORP backend;
702. The ORP backend generates a key pair (pk_1, sk_1);
703. The ORP backend returns pk_1 to RA;
704. RA requests identity information (KeyFieldSet, pk_1) from TA;
705. TA generates the data signature SIGN1 and the device identification signature SIGN2, where SIGN1=MD5(KeyFieldSet+TRAN) and SIGN2=MD5(sk_2);
706. TA uses pk_1 to asymmetrically encrypt the data signature SIGN1 and the device identification signature SIGN2 to obtain EnSign, where EnSign=RSA_ENC(pk_1, SIGN1+SIGN2+TRAN);
707. TA returns EnSign to RA;
708. RA generates key, collects Infoset, uses key to symmetrically encrypt Infoset and EnSign to obtain EnData, and uses pk_1 to asymmetrically encrypt key to obtain Enkey, where EnData=AES_ENC(key, Infoset+EnSign) and Enkey=RSA_ENC(pk_1, key);
709. RA uploads the data EnData, Enkey, and pk_1 to the ORP backend;
710. The ORP backend uses sk_1 to decrypt Enkey to obtain key, uses key to decrypt EnData to obtain Infoset+EnSign, and uses sk_1 to decrypt EnSign to obtain SIGN1 and SIGN2;
711. The ORP backend verifies SIGN1 (specifically, it computes the MD5 signature of KeyFieldSet+TRAN and compares it with SIGN1; if they match, the verification passes), generates the back-end check element VerCode from the device identification signature SIGN2 and TAND, and uses the public key pk_2 to asymmetrically encrypt the back-end check element VerCode to obtain the back-end check factor EnVerCode, where VerCode=(SIGN2+TAND) and EnVerCode=RSA_ENC(pk_2, VerCode);
712. The ORP backend returns EnVerCode to RA;
713. RA returns EnVerCode to TA;
714. TA uses the private key sk_2 to decrypt EnVerCode to obtain VerCode, where VerCode=RSA_DNC(sk_2, EnVerCode);
715. TA verifies SIGN2 (verifying whether SIGN2 exists in the device identification signature library of the risk probe server) and uses pk_1 to asymmetrically encrypt SIGN2 and VerCode to obtain the front-end check factor EnSIGN2, where EnSIGN2=RSA_ENC(pk_1, SIGN2+VerCode);
716. TA returns EnSIGN2 to RA;
717. RA returns EnSIGN2 to the ORP backend;
718. The ORP backend uses sk_1 to decrypt EnSIGN2 to obtain SIGN2+VerCode;
719. The ORP backend verifies SIGN2 and VerCode;
720. The ORP backend generates the Token;
721. ORP returns the Token to RA.
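The message flow of steps 701 to 721 as runnable Python; this is an added example, not code from the patent. It assumes toy textbook RSA over Mersenne primes in place of RSA_ENC, a SHA-256 keystream XOR in place of AES_ENC, a hypothetical `KEY_FIELDS` selection for KeyFieldSet, and a backend registry that maps SIGN2 to pk_2 (MD5 is a one-way digest, so the backend here looks pk_2 up instead of recovering sk_2).

```python
import hashlib, json, secrets

E = 65537
KEY_FIELDS = ("model", "serial")  # assumption: Infoset fields that form KeyFieldSet
INFO = {"model": "demo-phone", "serial": "SN-0001", "os": "demo-os 1.0"}  # constructed

def md5(b):
    return hashlib.md5(b).digest()

def rsa_keypair(a, b):
    """Toy textbook RSA over the Mersenne primes 2^a-1, 2^b-1 (no padding, demo only)."""
    p, q = 2**a - 1, 2**b - 1
    return (p * q, E), (p * q, pow(E, -1, (p - 1) * (q - 1)))

def rsa_enc(pk, m):
    n, e = pk
    return pow(int.from_bytes(m, "big"), e, n).to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_dec(sk, c, size):
    n, d = sk
    m = pow(int.from_bytes(c, "big"), d, n)
    if m.bit_length() > 8 * size:
        raise ValueError("decrypted value does not fit the expected length")
    return m.to_bytes(size, "big")

def sym(key, data):
    """Stand-in for AES_ENC/AES_DEC: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], pad))
    return bytes(out)

def key_field_set(info):
    return json.dumps({k: info[k] for k in KEY_FIELDS}, sort_keys=True).encode()

class TA:
    """Trusted side in the hardware security zone; sk_2 never leaves it."""
    def __init__(self):
        self.pk_2, self.sk_2 = rsa_keypair(1279, 2203)
        self.sign2 = md5(self.sk_2[1].to_bytes(512, "big"))      # SIGN2 = MD5(sk_2)

    def sign(self, kfs, pk_1):                                    # steps 705-707
        tran = secrets.token_bytes(16)                            # TRAN
        return rsa_enc(pk_1, md5(kfs + tran) + self.sign2 + tran)  # EnSign

    def answer(self, en_ver_code, pk_1):                          # steps 714-716
        ver_code = rsa_dec(self.sk_2, en_ver_code, 32)            # SIGN2 + TAND
        if not secrets.compare_digest(ver_code[:16], self.sign2):
            raise ValueError("VerCode does not carry this device's SIGN2")
        return rsa_enc(pk_1, self.sign2 + ver_code)               # EnSIGN2

class ORP:
    """Risk probe backend."""
    def __init__(self):
        self.pk_1, self.sk_1 = rsa_keypair(521, 607)              # step 702
        self.devices = {}   # assumption: SIGN2 -> pk_2 registry, filled at provisioning
        self.pending = {}   # SIGN2 -> VerCode awaiting the front-end check factor

    def receive(self, en_data, en_key):                           # steps 710-712
        key = rsa_dec(self.sk_1, en_key, 32)
        plain = sym(key, en_data)                                 # Infoset + EnSign
        k = (self.pk_1[0].bit_length() + 7) // 8
        info = json.loads(plain[:-k])
        blob = rsa_dec(self.sk_1, plain[-k:], 48)
        sign1, sign2, tran = blob[:16], blob[16:32], blob[32:]
        if not secrets.compare_digest(md5(key_field_set(info) + tran), sign1):
            raise ValueError("SIGN1 mismatch: KeyFieldSet differs from what TA signed")
        if sign2 not in self.devices:
            raise ValueError("unknown SIGN2")
        ver_code = sign2 + secrets.token_bytes(16)                # VerCode = SIGN2 + TAND
        self.pending[sign2] = ver_code
        return rsa_enc(self.devices[sign2], ver_code)             # EnVerCode

    def finish(self, en_sign2):                                   # steps 718-720
        blob = rsa_dec(self.sk_1, en_sign2, 48)                   # SIGN2 + VerCode
        expected = self.pending.pop(blob[:16], b"")               # one use per TAND
        if not secrets.compare_digest(blob[16:], expected):
            raise ValueError("VerCode mismatch or replayed check factor")
        return secrets.token_hex(16)                              # Token

def ra_report(info, en_sign, pk_1):                               # steps 708-709
    key = secrets.token_bytes(32)
    return sym(key, json.dumps(info).encode() + en_sign), rsa_enc(pk_1, key)

def enroll(info_signed, info_sent):
    """Run steps 701-721; return the Token or raise ValueError at the failing check."""
    orp, ta = ORP(), TA()
    orp.devices[ta.sign2] = ta.pk_2                               # constructed provisioning
    en_sign = ta.sign(key_field_set(info_signed), orp.pk_1)
    en_data, en_key = ra_report(info_sent, en_sign, orp.pk_1)
    en_sign2 = ta.answer(orp.receive(en_data, en_key), orp.pk_1)
    return orp.finish(en_sign2)

if __name__ == "__main__":
    print("token:", enroll(INFO, INFO))
```

In this example the step 711 comparison binds only the fields in KeyFieldSet: changing `serial` after TA has signed fails the SIGN1 check, while changing `os` does not.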
Please refer to FIG. 8, which is a schematic diagram of a service access procedure provided by an embodiment of the present application. As shown in FIG. 8, the business client integrates a software development kit (SDK) and sends request information to the business backend; the request information includes the token Token and the terminal device information key field set KeyFieldSet. After adding the application identifier (Application Identity document, APPID) to the request information, the business backend sends the request information to the ORP backend, and the ORP backend returns a risk assessment result to the business backend.
In this embodiment of the present application, service deployment is simple. The business client only needs to integrate a lightweight SDK, which obtains the Token and KeyFieldSet persistently stored in the terminal device and uploads the data to the business backend; the business backend only needs to call one interface of the ORP backend to obtain the terminal device risk label. Because the business client only integrates the lightweight SDK, which collects very little terminal device information and requires very few permissions, the impact on the business client is negligible. TA is built into the hardware of the terminal device, and RA ships with the operating system of the terminal device; that is, the risk probe client is bound to the terminal device and provides a unified service to all businesses on the terminal device. The security of the risk probe SDK can be improved: the lightweight SDK can be hardened, effectively making the SDK harder to reverse engineer and crack.
The foregoing mainly describes the solutions of the embodiments of the present application from the perspective of the method-side execution process. It can be understood that, to implement the above functions, the terminal device includes hardware structures and/or software modules corresponding to each function. Those skilled in the art should readily appreciate that, in combination with the units and algorithm steps of the examples described in the embodiments provided herein, the present application can be implemented in hardware or in a combination of hardware and computer software. Whether a function is executed by hardware or by computer software driving hardware depends on the specific application and design constraints of the technical solution. Skilled practitioners may use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of the present application.
The embodiments of the present application may divide the terminal device into functional units according to the foregoing method examples. For example, each functional unit may correspond to one function, or two or more functions may be integrated into one processing unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit. It should be noted that the division of units in the embodiments of the present application is illustrative and is only a division by logical function; other divisions are possible in actual implementation.
Consistent with the above, please refer to FIG. 9, which is a schematic structural diagram of a terminal device information transmission apparatus provided by an embodiment of the present application. The terminal device information transmission apparatus 900 is applied to a terminal device and may include an obtaining unit 901, a first generating unit 902, a collection unit 903, a first encryption unit 904, a first communication unit 905, and a storage unit 906, wherein:
The obtaining unit 901 is configured to obtain a data signature and a device identification signature from the hardware security zone;
The first generating unit 902 is configured to generate a symmetric encryption key;
The collection unit 903 is configured to collect terminal device information;
The first encryption unit 904 is configured to use the symmetric encryption key to symmetrically encrypt the terminal device information, the data signature, and the device identification signature to obtain encrypted data;
The first encryption unit 904 is further configured to use an asymmetric encryption public key to asymmetrically encrypt the symmetric encryption key to obtain an asymmetric encryption key; the asymmetric encryption public key is obtained from the risk probe server;
The first communication unit 905 is configured to report asymmetric encrypted data to the risk probe server; the asymmetric encrypted data includes the encrypted data, the asymmetric encryption key, and the asymmetric encryption public key;
The first communication unit 905 is further configured to receive a token sent by the risk probe server;
The storage unit 906 is configured to store the token locally, where the token is the token corresponding to the device fingerprint generated by the risk probe server according to the encrypted data, the asymmetric encryption key, and the asymmetric encryption public key.
Optionally, the terminal device information transmission apparatus 900 may further include a first verification unit 907;
The first communication unit 905 is further configured to receive, after reporting the asymmetric encrypted data to the risk probe server, the back-end check factor sent by the risk probe server;
The first verification unit 907 is configured to verify the back-end check factor through the hardware security zone;
The first generating unit 902 is further configured to generate a front-end check factor based on the back-end check factor;
The first communication unit 905 is further configured to send the front-end check factor to the risk probe server, where the front-end check factor is used by the risk probe server to perform a security check; and to receive the token sent by the risk probe server if the risk probe server successfully verifies the front-end check factor.
The obtaining unit 901, the first generating unit 902, the collection unit 903, the first encryption unit 904, and the first verification unit 907 in this embodiment of the present application may be a processor in the terminal device, the first communication unit 905 may be a communication interface in the terminal device, and the storage unit 906 may be a memory in the terminal device (for example, a non-volatile memory).
In this embodiment of the present application, the terminal device sends asymmetric encrypted data containing the terminal device information to the risk probe server. Because the data signature and the device identification signature are obtained from the hardware security zone, the security of the data signature and the device identification signature is ensured, and so is the security of the data sent by the terminal device. Because the terminal device information, the data signature, and the device identification signature are symmetrically encrypted with the symmetric encryption key, and the symmetric encryption key is asymmetrically encrypted with the asymmetric encryption public key to obtain the asymmetric encryption key, the security of the asymmetric encrypted data sent by the terminal device to the risk probe server is ensured, and so is the security of the data received by the risk probe server. During terminal device information transmission, the security of the transmitted data is ensured at both the data sending end and the data receiving end, so the security of terminal device information transmission can be improved.
Consistent with the above, please refer to FIG. 10, which is a schematic structural diagram of a device fingerprint generation apparatus provided by an embodiment of the present application. The device fingerprint generation apparatus 1000 is applied to a risk probe server and may include a second communication unit 1001, a decryption unit 1002, and a second generating unit 1003, wherein:
The second communication unit 1001 is configured to receive a key acquisition request sent by a terminal device and send an asymmetric encryption public key to the terminal device; the asymmetric encryption public key is used by the terminal device to perform asymmetric encryption;
The second communication unit 1001 is further configured to receive asymmetric encrypted data sent by the terminal device;
The decryption unit 1002 is configured to decrypt the asymmetric encrypted data with the asymmetric encryption private key corresponding to the asymmetric encryption public key to obtain terminal device information;
The second generating unit 1003 is configured to generate a device fingerprint and a token corresponding to the device fingerprint based on the terminal device information.
Optionally, the device fingerprint generation apparatus 1000 may include a labeling unit 1004.
The labeling unit 1004 is configured to, after the second generating unit 1003 generates the device fingerprint and the token corresponding to the device fingerprint based on the terminal device information, perform big data computation based on the terminal device information, historical reported data, and business risk control data, label the business tendency classification of the terminal device, and label the device risk level of the terminal device.
Optionally, the asymmetric encrypted data includes encrypted data, an asymmetric encryption key, and an asymmetric encryption public key; the decryption unit 1002 decrypts the asymmetric encrypted data with the asymmetric encryption private key corresponding to the asymmetric encryption public key to obtain the terminal device information specifically as follows:
Decrypting the asymmetric encryption key with the asymmetric encryption private key corresponding to the asymmetric encryption public key to obtain the symmetric encryption key; and decrypting the encrypted data with the symmetric encryption key to obtain the terminal device information.
Optionally, the second communication unit 1001 is further configured to send the token to the terminal device after the second generating unit 1003 generates the device fingerprint and the token corresponding to the device fingerprint based on the terminal device information.
Optionally, the second generating unit 1003 is further configured to generate a back-end check factor after the second generating unit 1003 generates the device fingerprint and the token corresponding to the device fingerprint based on the terminal device information;
The second communication unit 1001 is further configured to send the back-end check factor to the terminal device, where the back-end check factor is used by the terminal device to perform a security check through the hardware security zone.
Optionally, the device fingerprint generation apparatus 1000 may include a second verification unit 1005.
The second communication unit 1001 is further configured to receive the front-end check factor sent by the terminal device if the terminal device successfully verifies the back-end check factor through the hardware security zone;
The second verification unit 1005 is configured to perform a security check on the front-end check factor;
The second communication unit 1001 is further configured to send the token to the terminal device if the second verification unit 1005 successfully verifies the front-end check factor.
In this embodiment of the present application, the risk probe server receives the asymmetric encrypted data sent by the terminal device and decrypts it with the asymmetric encryption private key corresponding to the asymmetric encryption public key to obtain the terminal device information. Because the asymmetric encrypted data is encrypted by the terminal device with the symmetric encryption key, the security of the asymmetric encrypted data that the risk probe server receives from the terminal device is ensured, and so is the security of the data received by the risk probe server, which in turn ensures the security of device fingerprint generation.
Please refer to FIG. 11, which is a schematic structural diagram of a terminal device provided by an embodiment of this application. As shown in FIG. 11, the terminal device 1100 includes a processor 1101 and a memory 1102, which may be connected to each other through a communication bus 1103. The communication bus 1103 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus 1103 may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in FIG. 11, but this does not mean that there is only one bus or one type of bus. The memory 1102 is used to store a computer program that includes program instructions, the processor 1101 is configured to call the program instructions, and the program includes instructions for executing the method shown in FIG. 2.
The processor 1101 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the programs of the above solutions.
The memory 1102 may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, or an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other compact disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these. The memory may exist independently and be connected to the processor through a bus. The memory may also be integrated with the processor.
In addition, the terminal device 1100 may also include general components such as a communication interface and an antenna, which are not described in detail here.
In this embodiment of the application, the terminal device sends asymmetric encrypted data containing terminal device information to the risk probe server. Because the data signature and the device identification signature are obtained from the hardware security zone, the security of the data signature and the device identification signature is ensured, and so is the security of the data sent by the terminal device. Because a symmetric encryption key is used to symmetrically encrypt the terminal device information, the data signature, and the device identification signature, and an asymmetric encryption public key is used to asymmetrically encrypt the symmetric encryption key to obtain the asymmetric encryption key, the security of the asymmetric encrypted data sent by the terminal device to the risk probe server is ensured, and so is the security of the data received by the risk probe server. During the transmission of terminal device information, the security of the transmitted data is ensured at both the sending end and the receiving end, which improves the security of terminal device information transmission.
Please refer to FIG. 12, which is a schematic structural diagram of a server provided by an embodiment of this application. As shown in FIG. 12, the server 1200 includes a processor 1201 and a memory 1202, which may be connected to each other through a communication bus 1203. The communication bus 1203 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus 1203 may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in FIG. 12, but this does not mean that there is only one bus or one type of bus. The memory 1202 is used to store a computer program that includes program instructions, the processor 1201 is configured to call the program instructions, and the program includes instructions for executing the methods shown in FIGS. 2 to 4.
The processor 1201 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of the programs of the above solutions.
The memory 1202 may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, or an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other compact disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these. The memory may exist independently and be connected to the processor through a bus. The memory may also be integrated with the processor.
In addition, the server 1200 may also include general components such as a communication interface and an antenna, which are not described in detail here.
The server 1200 may be a risk probe server.
In this embodiment of the application, the risk probe server receives the asymmetric encrypted data sent by the terminal device and decrypts it with the asymmetric encryption private key corresponding to the asymmetric encryption public key to obtain the terminal device information. Because the asymmetric encrypted data was encrypted by the terminal device with a symmetric encryption key, the security of the asymmetric encrypted data that the risk probe server receives from the terminal device is ensured, and so is the security of the data received by the risk probe server, which in turn ensures the security of device fingerprint generation.
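The hybrid scheme described for the terminal device and the risk probe server, shown in Go as an added example; it is not code from the patent. The patent names no algorithms, so AES-256-GCM, RSA-2048 with OAEP, the SHA-256 fingerprint and every identifier below are assumptions, the sample device information is constructed, and signature verification and token issuance are left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Report is what the device protects; the two signatures are opaque bytes here.
type Report struct {
	DeviceInfo           map[string]string
	DataSig, DeviceIDSig []byte
}

// Envelope holds the three parts of the "asymmetric encrypted data".
type Envelope struct {
	EncryptedData []byte // nonce || AES-256-GCM ciphertext and tag
	WrappedKey    []byte // "asymmetric encryption key": symmetric key under RSA-OAEP
	PublicKey     []byte // PKIX DER of the server public key the device used
}

// NewServerKey creates the risk probe server's key pair (RSA-2048 is an assumption).
func NewServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the device side: a fresh symmetric key per report, wrapped for the server.
func Seal(pub *rsa.PublicKey, r Report) (Envelope, error) {
	plain, err := json.Marshal(r)
	if err != nil {
		return Envelope{}, err
	}
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return Envelope{}, err
	}
	buf := make([]byte, 32+12) // 256-bit key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return Envelope{}, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return Envelope{}, err
	}
	// The public key is authenticated as associated data so it cannot be swapped.
	return Envelope{gcm.Seal(nonce, nonce, plain, der), wrapped, der}, nil
}

// Open is the server side: unwrap, decrypt, then hash DeviceInfo into a fingerprint.
func Open(priv *rsa.PrivateKey, e Envelope) (Report, string, error) {
	var r Report
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, e.WrappedKey, nil)
	if err != nil || len(key) != 32 {
		return r, "", errors.New("cannot unwrap symmetric key")
	}
	gcm, err := newGCM(key)
	if err != nil || len(e.EncryptedData) < gcm.NonceSize() {
		return r, "", errors.New("malformed encrypted data")
	}
	nonce, ct := e.EncryptedData[:12], e.EncryptedData[12:]
	plain, err := gcm.Open(nil, nonce, ct, e.PublicKey)
	if err != nil {
		return r, "", errors.New("encrypted data failed authentication")
	}
	if err := json.Unmarshal(plain, &r); err != nil {
		return Report{}, "", err
	}
	info, _ := json.Marshal(r.DeviceInfo) // map keys are emitted in sorted order
	sum := sha256.Sum256(info)
	return r, hex.EncodeToString(sum[:]), nil
}

func main() {
	priv, err := NewServerKey()
	if err != nil {
		panic(err)
	}
	env, err := Seal(&priv.PublicKey, Report{DeviceInfo: map[string]string{"model": "EXAMPLE-1"}})
	_, fp, openErr := Open(priv, env)
	fmt.Println("fingerprint:", fp, "errors:", err, openErr)
}
```

Open rejects an envelope whose EncryptedData or PublicKey was altered in transit, and one sealed to a different server key, because GCM authentication or OAEP unwrapping fails.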
An embodiment of this application also provides a computer-readable storage medium that stores a computer program for electronic data exchange, where the computer program causes a computer to execute some or all of the steps of any network standard switching method recorded in the above method embodiments.
An embodiment of this application also provides a computer program product that includes a non-transitory computer-readable storage medium storing a computer program, where the computer program causes a computer to execute some or all of the steps of any network standard switching method recorded in the above method embodiments.
It should be noted that, for simplicity of description, each of the foregoing method embodiments is expressed as a series of combined actions, but those skilled in the art should know that this application is not limited by the described order of actions, because according to this application some steps may be performed in another order or simultaneously. Those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by this application.
In the above embodiments, the description of each embodiment has its own emphasis. For parts not described in detail in one embodiment, refer to the related descriptions of the other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in an actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling, or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses, or units, and may be electrical or take other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, may each exist physically on their own, or two or more of them may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software program module.
If the integrated unit is implemented in the form of a software program module and sold or used as an independent product, it may be stored in a computer-readable memory. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a memory and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or some of the steps of the methods described in the embodiments of this application. The aforementioned memory includes various media that can store program code, such as a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, or an optical disc.
Those of ordinary skill in the art will understand that all or some of the steps in the methods of the above embodiments may be completed by a program instructing the relevant hardware. The program may be stored in a computer-readable memory, and the memory may include a flash drive, a read-only memory, a random access memory, a magnetic disk, an optical disc, or the like.
The embodiments of this application have been described in detail above, and specific examples have been used to explain the principles and implementation of this application. The description of the above embodiments is only intended to help in understanding the method of this application and its core idea. At the same time, a person of ordinary skill in the art may, based on the idea of this application, make changes to the specific implementation and the scope of application. In summary, the content of this specification should not be construed as limiting this application.

Claims (14)

  1. A terminal device information transmission method, characterized by comprising:
    the terminal device obtains a data signature and a device identification signature from a hardware security zone;
    the terminal device generates a symmetric encryption key, collects terminal device information, and uses the symmetric encryption key to symmetrically encrypt the terminal device information, the data signature, and the device identification signature to obtain encrypted data;
    the terminal device uses an asymmetric encryption public key to asymmetrically encrypt the symmetric encryption key to obtain an asymmetric encryption key, the asymmetric encryption public key being obtained by the terminal device from a risk probe server;
    the terminal device reports asymmetric encrypted data to the risk probe server, the asymmetric encrypted data including the encrypted data, the asymmetric encryption key, and the asymmetric encryption public key;
    the terminal device receives a token sent by the risk probe server and stores the token locally, the token being the token corresponding to a device fingerprint generated by the risk probe server according to the encrypted data, the asymmetric encryption key, and the asymmetric encryption public key.
  2. The method according to claim 1, characterized in that, after the terminal device reports the asymmetric encrypted data to the risk probe server, the method further comprises:
    the terminal device receives a back-end check factor sent by the risk probe server, verifies the back-end check factor through the hardware security zone, generates a front-end check factor based on the back-end check factor, and sends the front-end check factor to the risk probe server, the front-end check factor being used by the risk probe server to perform a security check;
    when the risk probe server has successfully verified the front-end check factor, the terminal device executes the step of receiving the token sent by the risk probe server.
  3. A device fingerprint generation method, characterized by comprising:
    a risk probe server receives a key acquisition request sent by a terminal device and sends an asymmetric encryption public key to the terminal device, the asymmetric encryption public key being used by the terminal device to perform encryption in an asymmetric encryption manner;
    the risk probe server receives asymmetric encrypted data sent by the terminal device and decrypts the asymmetric encrypted data with the asymmetric encryption private key corresponding to the asymmetric encryption public key to obtain terminal device information;
    the risk probe server generates a device fingerprint and a token corresponding to the device fingerprint based on the terminal device information.
  4. The method according to claim 3, characterized in that, after the risk probe server generates the device fingerprint and the token corresponding to the device fingerprint based on the terminal device information, the method further comprises:
    the risk probe server performs big data computation according to the terminal device information, historical reported data, and business risk-control data, labels the business tendency classification of the terminal device, and labels the device risk level of the terminal device.
  5. The method according to claim 3 or 4, characterized in that the asymmetric encrypted data includes encrypted data, an asymmetric encryption key, and an asymmetric encryption public key; and the risk probe server decrypting the asymmetric encrypted data with the asymmetric encryption private key corresponding to the asymmetric encryption public key to obtain the terminal device information comprises:
    the risk probe server decrypts the asymmetric encryption key with the asymmetric encryption private key corresponding to the asymmetric encryption public key to obtain a symmetric encryption key;
    the risk probe server decrypts the encrypted data with the symmetric encryption key to obtain the terminal device information.
  6. The method according to claim 3, characterized in that, after the risk probe server generates the device fingerprint and the token corresponding to the device fingerprint based on the terminal device information, the method further comprises:
    the risk probe server sends the token to the terminal device.
  7. The method according to claim 6, characterized in that, after the risk probe server generates the device fingerprint and the token corresponding to the device fingerprint based on the terminal device information, the method further comprises:
    the risk probe server generates a back-end check factor and sends the back-end check factor to the terminal device, the back-end check factor being used by the terminal device to perform a security check through the hardware security zone.
  8. The method according to claim 7, characterized in that the method further comprises:
    when the terminal device has successfully verified the back-end check factor through the hardware security zone, the risk probe server receives the front-end check factor sent by the terminal device;
    the risk probe server performs a security check on the front-end check factor;
    when the risk probe server has successfully verified the front-end check factor, the risk probe server executes the step of sending the token to the terminal device.
  9. A terminal device information transmission apparatus, characterized by comprising:
    an obtaining unit, configured to obtain a data signature and a device identification signature from a hardware security zone;
    a first generating unit, configured to generate a symmetric encryption key;
    a collection unit, configured to collect terminal device information;
    a first encryption unit, configured to use the symmetric encryption key to symmetrically encrypt the terminal device information, the data signature, and the device identification signature to obtain encrypted data;
    the first encryption unit being further configured to use an asymmetric encryption public key to asymmetrically encrypt the symmetric encryption key to obtain an asymmetric encryption key, the asymmetric encryption public key being obtained from a risk probe server;
    a first communication unit, configured to report asymmetric encrypted data to the risk probe server, the asymmetric encrypted data including the encrypted data, the asymmetric encryption key, and the asymmetric encryption public key;
    the first communication unit being further configured to receive a token sent by the risk probe server;
    a storage unit, configured to store the token locally, the token being the token corresponding to a device fingerprint generated by the risk probe server according to the encrypted data, the asymmetric encryption key, and the asymmetric encryption public key.
  10. A device fingerprint generation apparatus, characterized by comprising:
    a second communication unit, configured to receive a key acquisition request sent by a terminal device and send an asymmetric encryption public key to the terminal device, the asymmetric encryption public key being used by the terminal device to perform encryption in an asymmetric encryption manner;
    the second communication unit being further configured to receive asymmetric encrypted data sent by the terminal device;
    a second encryption unit, configured to decrypt the asymmetric encrypted data with the asymmetric encryption private key corresponding to the asymmetric encryption public key to obtain terminal device information;
    a second generating unit, configured to generate a device fingerprint and a token corresponding to the device fingerprint based on the terminal device information.
  11. A terminal device, characterized by comprising a processor and a memory, the memory being used to store a computer program that includes program instructions, and the processor being configured to call the program instructions to execute the method according to any one of claims 1 to 2.
  12. A server, characterized by comprising a processor and a memory, the memory being used to store a computer program that includes program instructions, and the processor being configured to call the program instructions to execute the method according to any one of claims 3 to 8.
  13. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program that includes program instructions which, when executed by a processor, cause the processor to execute the method according to any one of claims 1 to 2.
  14. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program that includes program instructions which, when executed by a processor, cause the processor to execute the method according to any one of claims 3 to 8.
PCT/CN2020/076605 2020-02-25 2020-02-25 Terminal device information transmission method, device fingerprint generation method, and related product WO2021168652A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2020/076605 WO2021168652A1 (en) 2020-02-25 2020-02-25 Terminal device information transmission method, device fingerprint generation method, and related product
CN202080095150.9A CN115039376A (en) 2020-02-25 2020-02-25 Terminal equipment information transmission method, equipment fingerprint generation method and related products

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/076605 WO2021168652A1 (en) 2020-02-25 2020-02-25 Terminal device information transmission method, device fingerprint generation method, and related product

Publications (1)

Publication Number Publication Date
WO2021168652A1 true WO2021168652A1 (en) 2021-09-02

Family

ID=77491726

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/076605 WO2021168652A1 (en) 2020-02-25 2020-02-25 Terminal device information transmission method, device fingerprint generation method, and related product

Country Status (2)

Country Link
CN (1) CN115039376A (en)
WO (1) WO2021168652A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115459929A (en) * 2022-09-06 2022-12-09 中国建设银行股份有限公司 Security verification method, apparatus, electronic device, system, medium, and product
CN117131519A (en) * 2023-02-27 2023-11-28 荣耀终端有限公司 Information protection method and equipment
CN115459929B (en) * 2022-09-06 2024-05-10 中国建设银行股份有限公司 Security verification method, security verification device, electronic equipment, security verification system, security verification medium and security verification product

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150261950A1 (en) * 2014-03-13 2015-09-17 Intel Corporation Symmetric keying and chain of trust
CN105847000A (en) * 2016-05-27 2016-08-10 深圳市雪球科技有限公司 Token generation method and communication system based on same
CN106411926A (en) * 2016-11-03 2017-02-15 厦门安胜网络科技有限公司 Data encryption communication method and system
US20170063811A1 (en) * 2013-02-08 2017-03-02 Amazon Technologies, Inc. Secure Transfer and Use of Secret Material in a Shared Environment
CN109905233A (en) * 2017-12-08 2019-06-18 阿里巴巴集团控股有限公司 A kind of device data processing method and system

Also Published As

Publication number Publication date
CN115039376A (en) 2022-09-09

Similar Documents

Publication Publication Date Title
EP3319292B1 (en) Methods, client and server for checking security based on biometric features
CN108234115B (en) Information security verification method, device and system
US9838205B2 (en) Network authentication method for secure electronic transactions
US11764966B2 (en) Systems and methods for single-step out-of-band authentication
US10333903B1 (en) Provisioning network keys to devices to allow them to provide their identity
TWI587672B (en) Login authentication method, client, server and system
TWI633775B (en) Terminal identification method, machine identification code registration method, corresponding system and equipment
US9219722B2 (en) Unclonable ID based chip-to-chip communication
US8543471B2 (en) System and method for securely accessing a wirelessly advertised service
CN106789841B (en) Service processing method, terminal, server and system
CN106452772B (en) Terminal authentication method and device
US20110167263A1 (en) Wireless connections to a wireless access point
TWI424726B (en) Method and system for defeating the man in the middle computer hacking technique
KR102429406B1 (en) Check user interactions on the content platform
EP3552131B1 (en) Password security
JP2016518656A (en) Method and system for distinguishing humans from machines and for controlling access to network services
CN104601593A (en) Anti-tracking method in network electronic identity authentication process based on challenge modes
WO2014048749A1 (en) Inter-domain single sign-on
CN105516208A (en) WEB site link dynamic hiding method and device capable of effectively preventing network attacks
CN102577301A (en) Method and apparatus for trusted authentication and logon
CN107786515B (en) Certificate authentication method and equipment
CN114244522A (en) Information protection method and device, electronic equipment and computer readable storage medium
CN105516054B (en) A kind of method and device of subscriber authentication
US8583921B1 (en) Method and system for identity authentication
WO2021168652A1 (en) Terminal device information transmission method, device fingerprint generation method, and related product

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20922444

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 25/01/2023)

122 Ep: pct application non-entry in european phase

Ref document number: 20922444

Country of ref document: EP

Kind code of ref document: A1