WO2021249527A1 - Method and apparatus for implementing motopay, and electronic device - Google Patents


Publication number
WO2021249527A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
bank card
user
card information
tee
Application number
PCT/CN2021/099608
Inventor
宋宜涛
Original Assignee
支付宝(杭州)信息技术有限公司
Application filed by 支付宝(杭州)信息技术有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/30 Payment architectures, schemes or protocols characterised by the use of specific devices or networks
    • G06Q20/34 Payment architectures, schemes or protocols characterised by the use of specific devices or networks using cards, e.g. integrated circuit [IC] cards or magnetic cards
    • G06Q20/341 Active cards, i.e. cards including their own processing means, e.g. including an IC or chip
    • G06Q20/3415 Cards acting autonomously as pay-media
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/382 Payment protocols; Details thereof insuring higher security of transaction
    • G06Q20/3829 Payment protocols; Details thereof insuring higher security of transaction involving key management
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/409 Device specific authentication in transaction processing

Definitions

  • This specification relates to the field of computer communication, and in particular to a method, an apparatus and an electronic device for implementing MOTOpay.
  • MOTOpay is a credit card remote collection system that can realize non-face-to-face consumption between merchants and consumers. For example, when consumers order goods via telephone, mail, fax, or website, they only need to enter credit card information to complete the payment. Generally, most international e-commerce websites support this payment method.
  • A method for implementing MOTOpay is provided, which is applied to a terminal, the terminal is loaded with a client that supports MOTOpay payment, and the method includes: in response to a payment request triggered by the user, the client calls the terminal system to perform a first identity verification on the user; after the user passes the first identity verification, the terminal system obtains the stored bank card information from the trusted execution environment (TEE), and returns the bank card information to the client; the client executes the payment request based on the returned bank card information.
  • the method further includes: after the client obtains the bank card information input by the user for MOTOpay payment, calling the terminal system to perform a second identity verification on the user; after the user passes the second identity verification, the terminal system stores the bank card information in the TEE.
  • the storing the bank card information in the TEE includes: after the user passes the second identity verification, generating a public key and a private key in the TEE; using the public key to encrypt the bank card information, and storing the encrypted bank card information in the TEE; the obtaining the stored bank card information from the trusted execution environment TEE includes: obtaining the stored encrypted bank card information from the TEE; using the private key corresponding to the client to decrypt the encrypted bank card information to obtain the bank card information.
  • the method further includes: after generating the public key and the private key, the terminal system obtains the verification information used for the second identity verification, and encrypts the verification information to obtain first encrypted verification information; the terminal system uploads the first encrypted verification information and the public key to the server through the client for storage; the method further includes: the client receives a challenge code issued by the server after the user triggers the payment request; after the user passes the first identity verification, the terminal system obtains the verification information used for the first identity verification, and encrypts the verification information to obtain second encrypted verification information; the terminal system uses the private key to sign the second encrypted verification information and the challenge code, and sends the signature result to the server through the client, so that the server verifies the signature result; the obtaining the stored bank card information from the trusted execution environment TEE includes: obtaining the stored bank card information from the TEE when the signature result passes the verification.
  • the storing the bank card information in the TEE includes: the terminal system obtains the identifier of the identity information used for the second identity verification to obtain the first identifier; and the terminal system stores the bank card information in association with the first identifier in the TEE; the obtaining the stored bank card information from the trusted execution environment TEE includes: the terminal system obtains the identifier of the identity information used for the first identity verification to obtain the second identifier, and obtains the bank card information associated with the second identifier from the TEE.
  • the method further includes: the terminal system sets an aging duration for the bank card information stored in the TEE; when the terminal system detects that the aging duration of the bank card information stored in the TEE has been reached, it deletes the bank card information; or, when the terminal system detects that the use of the bank card information reaches a preset use condition, it deletes the bank card information; or, when the client receives the user's deletion instruction, it calls the terminal system to delete the bank card information.
  • the bank card information includes at least one of the following: bank card number, name, card validity period, and CVV code.
  • A method for implementing MOTOpay is provided, which is applied to a client supporting MOTOpay payment carried on a terminal, and the method includes: in response to a payment request triggered by a user, sending a first system call request to the terminal system, so that the terminal system responds to the first system call request by performing a first identity verification on the user and, after the user passes the first identity verification, obtains the stored bank card information from the trusted execution environment TEE and returns the bank card information to the client; executing the payment request based on the returned bank card information.
  • the method further includes: after acquiring the bank card information input by the user for MOTOpay payment, sending a second system call request to the terminal system, so that the terminal system responds to the second system call request by performing a second identity verification on the user and, after the user passes the second identity verification, stores the bank card information in the TEE.
  • the TEE further includes: a public key and a private key generated by the user terminal system after the user passes the second identity verification; the method further includes: receiving the first encrypted verification information and the public key sent by the terminal system, and uploading the first encrypted verification information and the public key to the server; the first encrypted verification information is obtained by encrypting the verification information of the second identity verification; receiving the challenge code issued by the server after the user triggers the payment request, and sending the challenge code to the terminal system so that the terminal system can obtain the user account after the user passes the first identity verification.
  • receiving the signature result sent by the terminal system, and sending the signature result to the server, so that the server verifies the signature result, so as to trigger the terminal system, when the signature result passes the verification, to obtain the stored bank card information from the TEE.
  • A method for implementing MOTOpay is provided, which is applied to a terminal system of a terminal, the terminal is loaded with a client that supports MOTOpay payment, and the method includes: in response to a first system call request sent by the client, performing the first identity verification on the user; after the user passes the first identity verification, obtaining the stored bank card information from the TEE; returning the bank card information to the client, so that the client executes the payment request triggered by the user based on the bank card information.
  • the method further includes: in response to a second system call request sent by the client, performing a second identity verification on the user; the second system call request is sent by the client after it obtains the bank card information input by the user for MOTOpay payment; after the user passes the second identity verification, storing the bank card information in the TEE.
  • the storing the bank card information in the TEE includes: after the user passes the second identity verification, generating a public key and a private key in the TEE; using the public key to encrypt the bank card information, and storing the encrypted bank card information in the TEE; the obtaining the stored bank card information from the TEE includes: obtaining the stored encrypted bank card information from the TEE; using the private key corresponding to the client to decrypt the encrypted bank card information to obtain the bank card information.
  • the method further includes: after generating the public key and the private key, obtaining the verification information used for the second identity verification, and encrypting the verification information to obtain first encrypted verification information; uploading the first encrypted verification information and the public key to the server through the client for storage; the method further includes: after the user passes the first identity verification, obtaining the verification information used for the first identity verification, and encrypting the verification information to obtain second encrypted verification information; using the private key to sign the second encrypted verification information and the received challenge code, and sending the signature result to the server through the client, so that the server verifies the signature result; the challenge code is issued by the server after the user triggers the payment request; the obtaining the stored bank card information from the TEE includes: obtaining the stored bank card information from the TEE when the signature result passes the verification.
  • the storing the bank card information in the TEE includes: acquiring an identifier of the identity information used for the second identity verification to obtain the first identifier; and storing the bank card information in association with the first identifier in the TEE; the obtaining the stored bank card information from the TEE includes: obtaining the identifier of the identity information used for the first identity verification to obtain the second identifier; obtaining the bank card information associated with the second identifier from the TEE.
  • the method further includes: setting an aging duration for the bank card information stored in the TEE; deleting the bank card information when it is detected that the aging duration of the bank card information stored in the TEE has been reached; or, deleting the bank card information when it is detected that the use of the bank card information reaches a preset use condition.
  • A device for implementing MOTOpay is provided, which is applied to a client supporting MOTOpay payment on a terminal, and the device includes: a sending module, configured to send a first system call request to the terminal system in response to a payment request triggered by a user, so that the terminal system responds to the first system call request by performing a first identity verification on the user and, after the user passes the first identity verification, obtains the stored bank card information from the trusted execution environment TEE and returns the bank card information to the client; an execution module, configured to execute the payment request based on the returned bank card information.
  • the sending module is configured to send a second system call request to the terminal system after acquiring the bank card information input by the user for MOTOpay payment, so that the terminal system responds to the first 2.
  • the TEE further includes: a public key and a private key generated by the user terminal system after the user passes the second identity verification;
  • the device further includes: an upload module, configured to receive the first encrypted verification information and the public key sent by the terminal system, and to upload the first encrypted verification information and the public key to the server; the first encrypted verification information is obtained by encrypting the verification information used for the second identity verification;
  • the receiving module is configured to receive the challenge code issued by the server after the user triggers the payment request, and send the challenge code to the terminal system so that the terminal system can
  • the upload module is also used to receive the signature result sent by the terminal system, and send the signature result to the server, so that the server verifies the signature result, to trigger the terminal system to obtain the stored bank card information from the TEE when the signature
  • A device for implementing MOTOpay is provided, which is applied to a terminal system of a terminal, the terminal is equipped with a client that supports MOTOpay payment, and the device includes: a verification module, configured to perform the first identity verification on the user in response to the first system call request sent by the client; an obtaining module, configured to obtain the stored bank card information from the TEE after the user passes the first identity verification; a return module, configured to return the bank card information to the client, so that the client executes the payment request triggered by the user based on the bank card information.
  • the verification module is further configured to perform a second identity verification on the user in response to a second system call request sent by the client; the second system call request is sent by the client after it obtains the bank card information input by the user for MOTOpay payment; the device further includes: a storage module, configured to store the bank card information in the TEE after the user passes the second identity verification.
  • the storage module, when storing the bank card information in the TEE, is configured to generate a public key and a private key in the TEE after the user passes the second identity verification, encrypt the bank card information with the public key, and store the encrypted bank card information in the TEE; the obtaining module, when obtaining the stored bank card information from the TEE, is configured to obtain the stored encrypted bank card information from the TEE, and decrypt the encrypted bank card information with the private key corresponding to the client to obtain the bank card information.
  • the device further includes: an encryption module, configured to obtain the verification information used for the second identity verification after the public key and private key are generated, encrypt the verification information to obtain first encrypted verification information, and upload the first encrypted verification information and the public key to the server through the client for storage; the device further includes: a signature module, configured to obtain, after the user passes the first identity verification, the verification information used for the first identity verification, and encrypt the verification information to obtain second encrypted verification information; use the private key to sign the second encrypted verification information and the received challenge code, and send the signature result to the server through the client, so that the server verifies the signature result; the challenge code is issued by the server after the user triggers the payment request.
  • the acquisition module when acquiring the stored bank card information from the TEE, is used to acquire the stored bank card information from the TEE when the signature result is verified.
  • the storage module, when storing the bank card information in the TEE, is configured to obtain the identifier of the identity information used for the second identity verification to obtain the first identifier, and store the bank card information in association with the first identifier in the TEE; the acquiring module, when acquiring the stored bank card information from the TEE, is configured to acquire the identifier of the identity information used for the first identity verification to obtain the second identifier, and obtain the bank card information associated with the second identifier from the TEE.
  • the device further includes: a setting module, configured to set an aging duration for the bank card information stored in the TEE; a deletion module, configured to delete the bank card information when it is detected that the aging duration of the bank card information stored in the TEE has been reached, or to delete the bank card information when it is detected that the use of the bank card information reaches a preset use condition.
  • an electronic device including: a processor; a memory for storing executable instructions of the processor; wherein the processor executes the executable instructions to implement the above-mentioned method for implementing MOTOpay.
  • a computer-readable storage medium on which computer instructions are stored, and when the instructions are executed by a processor, the above-mentioned method for implementing MOTOpay is realized.
  • the user's bank card information is stored in the TEE of the user terminal.
  • the user terminal can call the bank card information in the TEE to complete the payment.
  • A method for implementing identity authentication is provided, which is applied to a terminal, the terminal is loaded with a client, and the method includes: in response to an identity authentication request triggered by the user, the client calls the terminal system to perform a first local identity verification on the user; after the user passes the first local identity verification, the terminal system obtains the stored user authentication information from the trusted execution environment TEE, and returns the user authentication information to the client; the client executes the identity authentication request based on the returned user authentication information.
  • the method further includes: after the client obtains the user authentication information input by the user for identity authentication, calling the terminal system to perform a second local identity verification on the user; after the user passes the second local identity verification, the terminal system stores the user authentication information in the TEE.
  • the storing the user authentication information in the TEE includes: after the user passes the second local identity verification, generating a public key and a private key in the TEE; using the public key to encrypt the user authentication information, and storing the encrypted user authentication information in the TEE; the obtaining the stored user authentication information from the trusted execution environment TEE includes: obtaining the stored encrypted user authentication information from the TEE; using the private key corresponding to the client to decrypt the encrypted user authentication information to obtain the user authentication information.
  • the method further includes: after generating the public key and the private key, the terminal system obtains the verification information used for the second local identity verification, and encrypts the verification information to obtain first encrypted verification information; the terminal system uploads the first encrypted verification information and the public key to the server through the client for storage; the method further includes: the client receives a challenge code issued by the server after the user triggers the identity authentication request; after the user passes the first local identity verification, the terminal system obtains the verification information used for the first local identity verification, and encrypts the verification information to obtain second encrypted verification information; the terminal system uses the private key to sign the second encrypted verification information and the challenge code, and sends the signature result to the server through the client, so that the server verifies the signature result; the obtaining the stored user authentication information from the trusted execution environment TEE includes: obtaining the stored user authentication information from the TEE when the signature result passes the verification.
  • the storing the user authentication information in the TEE includes: the terminal system obtains an identifier of the identity information used for the second local identity verification to obtain the first identifier; the terminal system stores the user authentication information in association with the first identifier in the TEE; the obtaining the stored user authentication information from the trusted execution environment TEE includes: the terminal system obtains the identifier of the biometric information used for the first local identity verification to obtain the second identifier, and obtains the user authentication information associated with the second identifier from the TEE.
  • the user authentication information of the user is stored in the TEE of the user terminal.
  • the user terminal can call the user authentication information in the TEE to complete the payment.
  • access by the terminal to the user authentication information is authorized through user information (such as the user's fingerprint), which ensures the security of the user authentication information.
  • Fig. 1 is a flowchart of a bank card information storage process shown in an exemplary embodiment of this specification
  • Fig. 2 is a flowchart of a MOTOpay payment method shown in an exemplary embodiment of this specification
  • Fig. 3 is a flowchart of a method for implementing MOTOpay shown in an exemplary embodiment of this specification
  • Fig. 4 is a flowchart of a method for implementing MOTOpay shown in an exemplary embodiment of this specification
  • Fig. 5 is a flowchart of another method for storing bank card information according to an exemplary embodiment of this specification
  • Fig. 6 is a flowchart of a MOTOpay payment method shown in an exemplary embodiment of this specification
  • Fig. 7 is a hardware structure diagram of a terminal shown in an exemplary embodiment of this specification.
  • Fig. 8 is a block diagram of a device for implementing MOTOpay according to an exemplary embodiment of this specification.
  • Fig. 9 is a block diagram showing another device for implementing MOTOpay according to an exemplary embodiment of the present specification.
  • Fig. 10 is a flowchart of a method for storing user authentication information according to an exemplary embodiment of this specification
  • Fig. 11 is a flowchart of a method for implementing authentication shown in an exemplary embodiment of this specification.
  • Although the terms first, second, third, etc. may be used in this specification to describe various information, the information should not be limited to these terms. These terms are only used to distinguish the same type of information from each other.
  • For example, first information may also be referred to as second information, and similarly, the second information may also be referred to as first information.
  • The word "if" as used herein can be interpreted as "when", "upon" or "in response to determining".
  • this specification proposes a method to implement MOTOpay by storing the user's bank card information in the TEE of the user terminal.
  • the user terminal can call the bank card information in the TEE to complete the payment, thereby solving the payment problem caused by the user forgetting to bring the bank card or forgetting the bank card information.
  • the method of implementing MOTOpay in this specification may include: the storage process of bank card information and the process of user payment.
  • the method of implementing MOTOpay provided in this specification is described in detail below from these two aspects.
  • Fig. 1 is a flowchart of a bank card information storage process shown in an exemplary embodiment of this specification.
  • the method can be applied to the terminal.
  • the terminal may include a client and a terminal system.
  • the client supports MOTOpay payment.
  • the terminal may include: a PC, a portable terminal, etc.
  • the portable terminal may include: the user's mobile phone, IPAD, notebook computer, palmtop computer, and so on.
  • the terminal and the portable terminal are not specifically limited here.
  • the method may include the steps shown below.
  • Step 102: After obtaining the bank card information input by the user for MOTOpay payment, the client invokes the terminal system to perform a second identity verification on the user.
  • the bank card includes: a credit card, a debit card, etc.
  • the bank card is only exemplified here, and it is not specifically limited.
  • Step 102 is described below through step 1021 to step 1022.
  • Step 1021: The client obtains the bank card information input by the user for MOTOpay payment.
  • when the user pays for the first time, or needs to add bank card information, or when the registered user information stored on the terminal (such as registered user fingerprints) changes, the user can enter on the terminal the bank card information used for MOTOpay payment.
  • the client terminal can obtain the bank card information entered by the user.
  • the client when the client detects a payment request triggered by the user, it can call the terminal system to obtain the user information of the user, and perform identity verification on the user according to the user information. After passing the identity verification, the terminal system can detect whether the bank card information is stored in the TEE, and if the bank card information is not stored, it will notify the client. The client can prompt the user to enter bank card information. Then, the client terminal can obtain the bank card information entered by the user.
  • the client terminal obtains the bank card information carried in the adding instruction when receiving the adding instruction of the user to add the bank card information.
  • Step 1022: The client invokes the terminal system to perform a second identity verification on the user.
  • After obtaining the bank card information input by the user for MOTOpay payment, the client can send a second system call request to the terminal system.
  • the terminal system may obtain the user information of the user in response to the second system call request, and perform the second identity verification on the user based on the user information and the locally stored verification information.
  • the user information may include text information such as the user's user name and password, or the user's biometric information. For example, the user's fingerprint, the user's facial features, the user's iris features, and so on.
  • the user information is only exemplified here, and it is not specifically limited.
  • the terminal system locally stores the user's registered verification information, such as text information such as the user's registered user name and password, or the user's biometric information, such as the registered user's fingerprint, facial features, and iris features.
  • the verification information stored locally in the terminal system is merely exemplified, and no specific limitation is imposed on it.
  • the terminal system can detect whether the user's identity information matches the verification information stored in the terminal system. If the identity information matches the verification information, it is determined that the second identity verification of the user is passed, and if the identity information does not match the verification information, it is determined that the second identity verification of the user fails.
  • Step 104 After the user passes the second identity verification, the terminal system stores the bank card information in the TEE.
  • Method 1: When storing the bank card information in the TEE, the terminal system may store only the bank card information in the TEE, and any of the user's identity information can call the bank card information in the TEE.
  • the terminal system can only store the bank card information in the TEE.
  • the call is one or more bank card information stored in the TEE.
  • the terminal system can obtain the identifier of the identity information used for the second identity verification to obtain the first identifier. Then, the terminal system can store the encrypted bank card information in association with the first identifier in the TEE.
  • Such associative storage can bind the user's identity information to the bank card on a one-to-one basis. When the user pays later, different bank cards can be called based on the user's different identity information.
  • the bank card information used to pay for MOTOpay input by the user on the client is Bank of China bank card information
  • the user uses thumb fingerprints for the second identity authentication.
  • After the terminal system determines that the second identity authentication is passed, the user's thumb fingerprint and the bank card information of the Bank of China are associated and stored in the TEE.
  • the bank card information used to pay for MOTOpay entered by the user on the client is the bank card information of China Construction Bank
  • the user uses the index finger fingerprint to perform the second identity authentication.
  • After the terminal system determines that the second identity authentication is passed, the user's index finger fingerprint and the bank card information of China Construction Bank are associated and stored in the TEE.
  • the bank card information of the Bank of China will be returned to the user. If the user enters the index finger fingerprint for the first identity verification, the bank card information of China Construction Bank will be returned to the user.
  • the terminal system can use the generated public key to encrypt the bank card information, and store the encrypted bank card information in the TEE in either of the above two ways.
  • the terminal system can generate a key pair of a public key and a private key.
  • the generated key pair may correspond to the client or the user, and the correspondence relationship of the key pair is not specifically limited here.
  • the terminal system can use the public key to encrypt the bank card information, and store the encrypted bank card information in the TEE.
  • 2. MOTOpay payment process
  • the terminal may include a client and a terminal system.
  • the client supports MOTOpay payment.
  • the terminal may include: a PC, a portable terminal, etc.
  • the portable terminal may include: the user's mobile phone, IPAD, notebook computer, palmtop computer, and so on.
  • the terminal and the mobile terminal are not specifically limited here.
  • Step 202 In response to the payment request triggered by the user, the client invokes the terminal system to perform the first identity verification for the user.
  • After the client detects the payment request triggered by the user, it can respond to the payment request and send a second system call message to the terminal system.
  • the terminal system can obtain the identity information input by the user through the TUI, and perform the first identity verification on the user based on the identity information and the locally stored verification information.
  • the terminal system can detect whether the identity information of the user matches the verification information stored in the terminal system. If the identity information matches the verification information, it is determined that the first identity verification of the user is passed, and if the identity information does not match the verification information, it is determined that the first identity verification of the user fails.
  • Step 204 After the user passes the first identity verification, the terminal system obtains the stored bank card information from the trusted execution environment TEE, and returns the bank card information to the client.
  • step 204 can be implemented in multiple implementation manners.
  • Method 1: When the terminal system stores only the bank card information entered by the user in the TEE after determining that the user has passed the second identity verification, step 204 is implemented as follows: after the terminal system determines that the user has passed the first identity verification, it can obtain the bank card information directly from the TEE and return the bank card information to the client.
  • the terminal system can only store the bank card information of the Bank of China entered by the user in the TEE after confirming that the user has passed the identity verification.
  • the terminal system obtains the bank card information of the Bank of China from the TEE.
  • Manner 2: When the terminal system, after determining that the user passes the second identity verification, stores the identifier of the identity information used for the second identity verification in association with the bank card information in the TEE, step 204 is implemented as follows: the terminal system obtains the identifier of the identity information used for the first identity verification to obtain the second identifier, and obtains the bank card information associated with the second identifier from the TEE.
  • the bank card information used to pay for MOTOpay input by the user on the client is Bank of China bank card information
  • the user uses thumb fingerprints for the second identity authentication.
  • After the terminal system determines that the second identity authentication is passed, the user's thumb fingerprint and the bank card information of the Bank of China are associated and stored in the TEE.
  • the bank card information used to pay for MOTOpay entered by the user on the client is the bank card information of China Construction Bank
  • the user uses the index finger fingerprint to perform the second identity authentication.
  • After the terminal system determines that the second identity authentication is passed, the user's index finger fingerprint and the bank card information of China Construction Bank are associated and stored in the TEE.
  • the terminal system can obtain the bank card information of the Bank of China corresponding to the thumb fingerprint from the TEE, and return the bank card information of the Bank of China to the client. If the user inputs the index finger fingerprint to perform the first identity verification, the terminal system can obtain the bank card information of China Construction Bank corresponding to the index finger fingerprint from the TEE, and return the bank card information of China Construction Bank to the client.
  • the terminal system can use the generated public key to encrypt the bank card information, and store the encrypted bank card information in the TEE through either of the above two methods.
  • Whether the terminal system obtains the bank card information directly from the TEE, or obtains from the TEE the bank card information corresponding to the identifier of the identity information of the first identity authentication, if what it obtains from the TEE is encrypted bank card information, the private key can be used to decrypt the bank card information, and the decrypted bank card information can be returned to the client.
  • Step 206 The client executes the payment request based on the returned bank card information.
  • If the client receives one piece of bank card information returned by the terminal system, it can directly execute the payment request based on that bank card information.
  • the client can display the multiple bank card information to the user so that the user can select the bank card information used for this payment. Then, the client can execute the payment request based on the bank card information selected by the user.
  • the client can select one bank card information according to a preset selection algorithm, and execute the payment request based on the selected bank card information.
  • the preset selection algorithm may include: random selection, or selection of bank card information stored recently in the TEE, and so on.
  • the preset selection algorithm is only exemplified, and it is not specifically limited.
  • When executing the payment request, the client can generate a payment message based on the bank card information, and then send the payment message to the banking system, so that the banking system can transfer money to the purchaser of the goods to complete the payment.
  • the execution of the payment request is merely exemplified, and it is not specifically limited.
  • the terminal system can obtain the verification information used for the second identity verification after generating the public key and the private key. In other words, the terminal system can obtain the registered user identity information currently stored locally.
  • the terminal system can perform encryption processing on the verification information of the second identity verification to obtain the first encrypted verification information.
  • the terminal system may calculate the hash value of the verification information of the second identity verification, and then use the hash value as the first encryption verification information.
  • the terminal system can also use other encryption processing methods, which are not specifically limited here.
  • the terminal system may send the first encryption verification information and the public key to the client, and the client may send the first encryption verification information and the public key to the server for storage.
  • the client can receive the challenge code issued by the server.
  • the challenge code may be that the client sends a challenge code acquisition request to the server after detecting the user's payment request, so that the server sends the challenge code to the client in response to the challenge code acquisition request.
  • the challenge code can also be issued by the server at other times after the user triggers the payment request, which is not specifically limited here.
  • the client can send the first system call request to the terminal system, and the terminal system can perform the first identity verification on the user.
  • the terminal system can obtain the verification information of the first identity verification. In other words, the terminal system can obtain the currently locally stored registered user identity information.
  • the terminal system can perform encryption processing on the verification information of the first identity verification to obtain the second encrypted verification information.
  • the terminal system may calculate the hash value of the verification information of the first identity verification, and then use the hash value as the second encryption verification information.
  • the terminal system can also use other encryption processing methods, which are not specifically limited here.
  • the terminal system uses the private key to sign the second encryption verification information and the challenge code, and sends the signature result to the client.
  • the client sends the signature result to the server, so that the server verifies the signature result.
  • the server can use the previously stored public key to decrypt the signature to obtain the second encrypted verification information and the challenge code.
  • the server can detect whether the second encrypted verification information is consistent with the previously stored first encrypted verification information, and whether the decrypted challenge code is consistent with the issued challenge code.
  • a message indicating that the signature result is passed is returned to the client.
  • the client can send the message that the signature result has passed to the terminal system, and the terminal system can determine that the signature result has passed after receiving the message that the signature result has passed, and execute the above step of obtaining the stored bank card information from the TEE.
  • the client can send the message that the signature result is not passed to the terminal system.
  • the terminal system can determine that the signature result is not passed.
  • the terminal system does not execute the above-mentioned step of obtaining the stored bank card information from the TEE.
  • the terminal system may also delete the stored bank card information from the TEE when receiving the message that the signature result is not passed.
  • the client terminal can send prompt information to the user so that the user can re-enter the bank card information.
  • the above-mentioned storage process of the bank card information can be executed, which will not be repeated here.
  • the current terminal system stores the identity information as fingerprints of the user's thumb.
  • After obtaining the bank card information input by the user for MOTOpay payment, the client invokes the terminal system to perform the second identity verification on the user; assume that the verification information of the second identity verification is the thumb fingerprint stored in the current terminal system.
  • the terminal system can generate a public key and a private key.
  • the terminal system can use the public key to encrypt the bank card information and store the encrypted bank card information in the TEE.
  • the terminal system can perform a hash operation on the thumb fingerprint to obtain the hash value of the thumb fingerprint, and upload the hash value and public key of the thumb fingerprint to the server through the client for storage.
  • the identity information stored in the current terminal system is the user's thumb fingerprint.
  • the client invokes the terminal system to perform the first identity verification for the user, and the verification information of the first identity verification is the thumb fingerprint stored in the current terminal system.
  • the client can obtain the challenge code issued by the server, and the client can send the challenge code to the terminal system.
  • After the user passes the first identity verification, the terminal system performs a hash operation on the verification information of the first identity verification (that is, the thumb fingerprint) to obtain the hash value of the thumb fingerprint.
  • the terminal system can sign the hash value of the thumb fingerprint and the challenge code, and send the signature result to the server through the client.
  • the server uses the previously stored public key to decrypt the signature result to obtain the hash value of the thumb fingerprint and the challenge code. Because the hash value of the thumb fingerprint obtained by decryption (i.e., the second encrypted verification information) is consistent with the previously stored hash value of the thumb fingerprint (i.e., the first encrypted verification information), and the challenge code obtained by decryption is consistent with the issued challenge code, the server can determine that the signature result is passed, and return a message that the signature result is passed to the client. After receiving the message that the signature result is passed, forwarded by the client, the terminal system can obtain the bank card information from the TEE and return it to the client.
  • the user adds an index finger fingerprint on the user terminal, and the identity information stored in the current terminal system is the user's thumb fingerprint and index finger fingerprint.
  • the client invokes the terminal system to perform the first identity verification for the user, and the verification information of the first identity verification is the thumb fingerprint and the index finger fingerprint stored in the current terminal system.
  • the client can obtain the challenge code issued by the server, and the client can send the challenge code to the terminal system.
  • After the user passes the first identity verification, the terminal system performs a hash operation on the verification information of the first identity verification (that is, the thumb fingerprint and the index finger fingerprint) to obtain the hash value of the thumb fingerprint and index finger fingerprint.
  • the terminal system can sign the hash value and challenge code of the thumb fingerprint and index finger fingerprint, and send the signature result to the server through the client.
  • the server uses the previously stored public key to decrypt the signature result to obtain the hash value of the thumb fingerprint and index finger fingerprint and the challenge code. Because the hash value of the thumb fingerprint and index finger fingerprint obtained by decryption (i.e., the second encrypted verification information) is inconsistent with the previously stored hash value of the thumb fingerprint (i.e., the first encrypted verification information), although the decrypted challenge code is consistent with the issued challenge code, the server can determine that the signature result is not passed and return a message that the signature result is not passed to the client.
  • the terminal system does not obtain the bank card information from the TEE after receiving the message that the signature result is not passed from the client.
  • the client sends a prompt message to the user to prompt the user to re-enter the bank card information.
  • the above method can realize that when a user adds or deletes a fingerprint, the user has to re-enter the bank card information.
  • the user's bank card information is stored in the TEE of the user terminal.
  • the user terminal can call the bank card information in the TEE to complete the payment.
  • the bank card information is stored in the TEE of the user terminal, and the user can enter the bank card information and call the bank card information through identity verification, thereby greatly ensuring the security of the bank card information.
  • Figure 3 is a flow chart of a method for implementing MOTOpay shown in an exemplary embodiment of this specification.
  • the method can be applied to a client supporting MOTOpay payment carried on a terminal.
  • the method can include the following steps.
  • Step 302 In response to the payment request triggered by the user, the client sends a first system call request to the terminal system, so that the terminal system responds to the first system call request to perform first identity verification on the user, and After the user passes the first identity verification, the stored bank card information is obtained from the trusted execution environment TEE, and the bank card information is returned to the client.
  • For details, please refer to the description in step 202 to step 204 above, which will not be repeated here.
  • Step 304 The client executes the payment request based on the returned bank card information.
  • For details, please refer to the description in step 206 above, which will not be repeated here.
  • After obtaining the bank card information input by the user for MOTOpay payment, the client sends a second system call request to the terminal system, so that the terminal system responds to the second system call request to perform a second identity verification on the user, and, after the user passes the second identity verification, stores the bank card information in the TEE.
  • the user's bank card information is stored in the TEE of the user terminal.
  • the user terminal can call the bank card information in the TEE to complete the payment.
  • FIG. 4 is a flowchart of a method for implementing MOTOpay according to an exemplary embodiment of this specification.
  • the method can be applied to a terminal system of a terminal, and the terminal is equipped with a client that supports MOTOpay payment.
  • Step 402 In response to the first system call request sent by the client, the terminal system performs first identity verification on the user; for details, please refer to the above step 202, which will not be repeated here.
  • Step 404 After the user passes the first identity verification, the terminal system obtains the stored bank card information from the TEE. For details, refer to step 204 above, which will not be repeated here.
  • Step 406 The terminal system returns the bank card information to the client, so that the client executes the user-triggered payment request based on the bank card information. For details, refer to step 206 above, which will not be repeated here.
  • the terminal system may also perform a second identity verification on the user in response to the second system call request sent by the client; the second system call request is sent by the client after acquiring the bank card information input by the user for MOTOpay payment; after the user passes the second identity verification, the bank card information is stored in the TEE.
  • the user's bank card information is stored in the TEE of the user terminal.
  • the user terminal can call the bank card information in the TEE to complete the payment.
  • Fig. 5 is a flowchart of another bank card information storage method shown in an exemplary embodiment of this specification, and the method can be applied to a terminal.
  • the terminal includes: client and terminal system that support MOTOpay payment.
  • the method may include the steps shown below.
  • Step 501 The client terminal obtains the bank card information input by the user for MOTOpay payment;
  • Step 502 The client sends a first system call request to the terminal system
  • Step 503 The terminal system performs a second identity verification on the user in response to the first system call request;
  • Step 504 After the terminal system passes the second identity verification, the terminal system generates a public key and a private key.
  • Step 505 The terminal system uses the public key to encrypt the bank card information, stores the encrypted bank card information in the TEE, and obtains the verification information of the second identity verification, and encrypts the verification information to obtain the first encryption verification information.
  • Step 506 The terminal system sends the first encryption verification information and the public key to the client;
  • Step 507 The client sends the first encryption verification information and the public key to the server;
  • Step 508 The server stores the first encryption verification information and the public key.
  • Fig. 6 is a flowchart of a MOTOpay payment method shown in an exemplary embodiment of this specification, and the method can be applied to a terminal.
  • the terminal includes: client and terminal system that support MOTOpay payment.
  • the method may include the steps shown below.
  • Step 601 The client detects a payment request triggered by the user.
  • Step 602 In response to the payment request, the client sends a challenge code acquisition request to the server.
  • Step 603 The server sends the challenge code to the client in response to the challenge code acquisition request.
  • Step 604 In response to the payment request, the client sends a second system call request and a challenge code to the terminal system.
  • the client can send the second system call request and the challenge code to the terminal system at the same time.
  • the client can also send a second system call request to the terminal system when detecting a payment request triggered by the user. After receiving the challenge code issued by the server, the client sends the challenge code to the terminal system.
  • the sending of the two is not specifically limited here, as long as it is logical.
  • Step 605 In response to the second system call request, the terminal system performs the first identity verification on the user.
  • Step 606 When the user passes the first identity verification, the terminal system obtains verification information for the first identity verification, and encrypts the verification information to obtain second encrypted verification information.
  • Step 607 The terminal system uses the private key to sign the second encryption verification information and the challenge code.
  • Step 608 The terminal system sends the signature result to the client.
  • Step 609 The client sends the signature result to the server.
  • Step 610 The server uses the stored public key to decrypt the signature result to obtain the second encrypted verification information and the challenge code.
  • Step 611 When the second encryption verification information is consistent with the stored first encryption verification information, and the decrypted challenge code is consistent with the issued challenge code, the server sends a message that the signature result is passed to the client.
  • Step 612 The client sends a message that the signature result is passed to the terminal system.
  • Step 613 After receiving the message that the signature result is passed, the terminal system obtains the bank card information from the TEE.
  • Step 614 The terminal system returns the bank card information to the client.
  • Step 615 The client executes a payment request based on the bank card information.
  • the user's bank card information is stored in the TEE of the user terminal.
  • the user terminal can call the bank card information in the TEE to complete the payment.
  • the bank card information is stored in the TEE of the user terminal, and the user can enter the bank card information and call the bank card information through the identity verification, thereby greatly ensuring the security of the bank card information.
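
The check of Fig. 5 and Fig. 6, including the thumb and index-finger walkthrough earlier, as an added Go example that is not code from the specification. Ed25519 and SHA-256 are assumptions (the specification names no algorithms), the digest travels next to the signature and is verified rather than recovered by "decrypting" the signature, card encryption in the TEE is left out, and every type, function and template value is hypothetical or constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// Device models the terminal system; Server is what steps 507-508 populate.
type Device struct {
	priv     ed25519.PrivateKey
	enrolled [][]byte // verification info enrolled now (constructed bytes)
}

type Server struct {
	pub         ed25519.PublicKey
	firstDigest []byte          // "first encrypted verification information"
	outstanding map[string]bool // challenge codes issued and not yet used
}

var (
	ErrChallenge  = errors.New("challenge code unknown or already used")
	ErrSignature  = errors.New("signature does not verify")
	ErrEnrollment = errors.New("enrolled verification information changed")
)

// enrollmentDigest hashes the whole enrolled set. Per-item hashes are sorted
// so the result depends on which items are enrolled, not on their order.
func enrollmentDigest(items [][]byte) []byte {
	hashes := make([][]byte, 0, len(items))
	for _, it := range items {
		h := sha256.Sum256(it)
		hashes = append(hashes, h[:])
	}
	sort.Slice(hashes, func(i, j int) bool { return bytes.Compare(hashes[i], hashes[j]) < 0 })
	sum := sha256.Sum256(bytes.Join(hashes, nil))
	return sum[:]
}

// Register mirrors steps 504-508: key pair and digest of the current enrollment.
func Register(enrolled [][]byte) (*Device, *Server) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no key pair, no registration
	}
	d := &Device{priv: priv, enrolled: enrolled}
	s := &Server{pub: pub, firstDigest: enrollmentDigest(enrolled), outstanding: map[string]bool{}}
	return d, s
}

// NewChallenge mirrors step 603: a fresh random challenge code.
func (s *Server) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err) // without randomness no challenge may be issued
	}
	s.outstanding[string(c)] = true
	return c
}

// Sign mirrors steps 606-607; digest and challenge are 32 bytes each.
func (d *Device) Sign(challenge []byte) (digest, sig []byte) {
	digest = enrollmentDigest(d.enrolled)
	return digest, ed25519.Sign(d.priv, bytes.Join([][]byte{digest, challenge}, nil))
}

// Verify mirrors steps 610-611. The challenge is consumed on first use, so a
// captured signature result cannot be replayed.
func (s *Server) Verify(challenge, digest, sig []byte) error {
	if !s.outstanding[string(challenge)] {
		return ErrChallenge
	}
	delete(s.outstanding, string(challenge))
	if !ed25519.Verify(s.pub, bytes.Join([][]byte{digest, challenge}, nil), sig) {
		return ErrSignature
	}
	if !bytes.Equal(digest, s.firstDigest) {
		return ErrEnrollment
	}
	return nil
}

// Pay runs one round; nil means the card may be read from the TEE (step 613).
func Pay(d *Device, s *Server) error {
	c := s.NewChallenge()
	digest, sig := d.Sign(c)
	return s.Verify(c, digest, sig)
}

func main() {
	d, s := Register([][]byte{[]byte("constructed-thumb")})
	fmt.Println("thumb only:", Pay(d, s))
	d.enrolled = append(d.enrolled, []byte("constructed-index"))
	fmt.Println("index finger added:", Pay(d, s))
}
```

`ErrEnrollment` is the branch in which the terminal system leaves the card in the TEE unread and the client prompts the user to re-enter the bank card information.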
  • this specification also provides an embodiment of the device for implementing MOTOpay.
  • the embodiments of the MOTOpay device in this specification can be applied to electronic equipment.
  • the device embodiments can be implemented by software, or can be implemented by hardware or a combination of software and hardware.
  • Taking software implementation as an example, the device, as a logical device, is formed by the processor of the electronic device where it is located reading the corresponding computer program instructions from the non-volatile memory into the memory.
  • Figure 7 is a hardware structure diagram of the electronic device in which the device for implementing MOTOpay of this specification is located. In addition to the processor, memory, network interface, and non-volatile memory shown in Figure 7, the electronic device in which the device is located in the embodiment may usually include other hardware according to the actual function of the electronic device, which will not be repeated here.
  • FIG. 8 is a block diagram of a device for implementing MOTOpay according to an exemplary embodiment of this specification.
  • the device is applied to a client supporting MOTOpay payment carried on a terminal, and includes: a sending module 801 for sending a first system call request to the terminal system in response to a payment request triggered by a user, so that the terminal system responds to the first system call request to perform first identity verification on the user, and, after the user passes the first identity verification, obtains the stored bank card information from the trusted execution environment TEE and returns the bank card information to the client; and an execution module 802, used to execute the payment request based on the returned bank card information.
  • the sending module 801 is configured to send a second system call request to the terminal system after acquiring the bank card information input by the user for MOTOpay payment, so that the terminal system can respond to the second system call request to perform a second identity verification on the user, and, after the user passes the second identity verification, store the bank card information in the TEE.
  • the TEE further includes: a public key and a private key generated by the user terminal system after the user passes the second identity verification.
  • the device also includes an upload module (not shown in FIG. 8), which is used to upload the first encrypted verification information and the public key to the server when receiving the first encrypted verification information and the public key sent by the terminal system; the first encrypted verification information is obtained by encrypting the verification information of the second identity verification.
  • the receiving module (not shown in Figure 8) is used to receive the challenge code issued by the server after the user triggers the payment request, and send the challenge code to the terminal system, so that the terminal system, after the user passes the first identity verification, obtains verification information for the first identity verification, encrypts the verification information to obtain second encrypted verification information, and uses the private key to sign the second encrypted verification information and the challenge code.
  • the upload module is also used to receive the signature result sent by the terminal system, and send the signature result to the server, so that the server verifies the signature result, so as to trigger the terminal system to obtain the stored bank card information from the TEE when the signature result passes verification.
  • FIG. 9 is a block diagram of another device for implementing MOTOpay shown in an exemplary embodiment of this specification.
  • the device is applied to a terminal system of a terminal, and the terminal is loaded with a client that supports MOTOpay payment.
  • the device includes: a verification module 901 for performing first identity verification on the user in response to the first system call request sent by the client; an obtaining module 902, used to obtain the stored bank card information from the TEE after the user passes the first identity verification; and a return module 903, used to return the bank card information to the client, so that the client executes a payment request triggered by the user based on the bank card information.
  • the verification module is further configured to perform a second identity verification on the user in response to a second system call request sent by the client; the second system call request is sent by the client after obtaining the bank card information input by the user for MOTOpay payment.
  • the device also includes a storage module (not shown in FIG. 9) for storing the bank card information in the TEE after the user passes the second identity verification.
  • the storage module, when storing the bank card information in the TEE, is used to generate a public key and a private key in the TEE after the user passes the second identity verification; use the public key to encrypt the bank card information, and store the encrypted bank card information in the TEE.
  • the obtaining module 902 is used to decrypt the encrypted bank card information by using the private key corresponding to the client when obtaining the stored encrypted bank card information from the TEE to obtain the bank card information.
  • the device further includes an encryption module (not shown in FIG. 9) for obtaining verification information for second identity verification after generating the public key and the private key, and performing encryption processing on the verification information to obtain first encrypted verification information; the first encrypted verification information and the public key are uploaded to the server for storage through the client.
  • The device also includes a signature module (not shown in FIG. 9), used to obtain, after the user passes the first identity verification, the verification information used for the first identity verification, and to encrypt the verification information to obtain second encrypted verification information; and to sign the second encrypted verification information and the challenge code with the private key and send the signature result to the server through the client, so that the server verifies the signature result.
  • the challenge code is issued by the server after the user triggers the payment request.
  • The obtaining module 902 is used to obtain the stored bank card information from the TEE when the signature result passes verification.
  • When storing the bank card information in the TEE, the storage module is used to obtain the identifier of the identity information used for the second identity verification to obtain a first identifier, and to store the bank card information and the first identifier in the TEE in association with each other.
  • When obtaining the stored bank card information from the TEE, the obtaining module 902 is used to obtain the identifier of the identity information used for the first identity verification to obtain a second identifier, and to obtain the bank card information associated with the second identifier from the TEE.
  • The device further includes: a setting module (not shown in FIG. 9), used to set an aging duration for the bank card information stored in the TEE; and a deletion module (not shown in FIG. 9), used to delete the bank card information when it is detected that the aging duration of the bank card information stored in the TEE has been reached, or to delete the bank card information when it is detected that the use of the bank card information reaches a preset use condition.
  • This specification also provides an electronic device, including: a processor; and a memory for storing executable instructions of the processor.
  • the processor implements the above-mentioned method for implementing MOTOpay by running the executable instruction.
  • This specification also provides a computer-readable storage medium on which computer instructions are stored. When the instructions are executed by a processor, the above-mentioned method for implementing MOTOpay is realized.
  • this specification provides a method for implementing identity authentication, which is used to enable a user to perform identity authentication without inputting user authentication information, but only by inputting biometric characteristics such as fingerprints to achieve identity authentication.
  • the terminal may include a client and a terminal system.
  • the terminal may include: a PC, a portable terminal, etc.
  • the portable terminal may include: the user's mobile phone, IPAD, notebook computer, palmtop computer, and so on.
  • the terminal and the mobile terminal are not specifically limited here.
  • the method may include the steps shown below.
  • Step 1002: After obtaining the user authentication information input by the user for identity authentication, the client invokes the terminal system to perform a second local identity verification on the user.
  • User authentication information includes: user's certificate number, user's identity privacy information, such as user name, password, and so on.
  • the user authentication information is only exemplified here, and it is not specifically limited.
  • When the user logs in to the application for the first time, the user can input user authentication information on the client of the terminal. After obtaining the user authentication information, the client can send a second system call request to the terminal system. The terminal system may obtain the user information of the user in response to the second system call request, and perform a second local identity verification on the user based on the user information and the locally stored verification information.
  • User information may include information such as the user's biological characteristics. For example, the user's fingerprint, the user's facial features, the user's iris features, and so on.
  • the user information is only exemplified here, and it is not specifically limited.
  • The terminal system locally stores the verification information registered by the user, such as the biometric information of the registered user, for example the registered user's fingerprint, facial features, and iris features.
  • the verification information stored locally in the terminal system is merely exemplified, and no specific limitation is imposed on it.
  • the terminal system can detect whether the user's identity information matches the verification information stored in the terminal system. If the identity information matches the verification information, it is determined that the user's second local identity verification is passed, and if the identity information does not match the verification information, it is determined that the user's second local identity verification fails.
  • Step 1004: After the user passes the second local identity verification, the terminal system stores the user authentication information in the TEE.
  • Method 1: When storing the user authentication information in the TEE, the terminal system may store only the user authentication information in the TEE, so that any of the user's biological characteristics can call the user authentication information in the TEE.
  • the terminal system may only store the user authentication information in the TEE.
  • During identity authentication, whether the user enters a thumb fingerprint or an index finger fingerprint for the first local identity verification, what is called is the ID number stored in the TEE.
  • The terminal system can obtain the identifier of the biometric feature used for the second local identity verification to obtain the first identifier. Then, the terminal system can store the encrypted user authentication information and the first identifier in the TEE in association with each other.
  • Such associated storage binds the user's biometric identifiers and different user authentication information to each other one to one.
  • different user authentication information can be called based on the different biological characteristics of the user.
  • the user's biological characteristics include thumb fingerprints and index finger fingerprints
  • user authentication information includes: the user's identity number, and the user's social security card number.
  • the thumb fingerprint and the user's ID number are associated and stored in the TEE
  • the index finger fingerprint and the user's social security card number are associated and stored in the TEE.
  • The terminal system can use the generated public key to encrypt the user authentication information, and store the encrypted user authentication information in the TEE in either of the above two ways.
  • the terminal system may generate a key pair of a public key and a private key.
  • the generated key pair may correspond to the client or the user, and the correspondence relationship of the key pair is not specifically limited here.
  • the terminal system can use the public key to encrypt the user authentication information, and store the encrypted user authentication information in the TEE.
  • the terminal may include a client and a terminal system.
  • Step 1102: In response to the identity authentication request triggered by the user, the client invokes the terminal system to perform a first local identity verification on the user.
  • After the client detects the identity authentication request triggered by the user, it can send a second system call message to the terminal system in response to the identity authentication request.
  • the terminal system can obtain the biometric input by the user through the TUI, and perform the first local identity verification on the user according to the biometric feature and the locally stored verification information.
  • The terminal system can detect whether the biological characteristics of the user match the verification information stored in the terminal system. If the biological characteristics match the verification information, it is determined that the first local identity verification is passed, and if the biological characteristics do not match the verification information, it is determined that the first local identity verification fails.
  • Step 1104: After the user passes the first local identity verification, the terminal system obtains the stored user authentication information from the trusted execution environment TEE, and returns the user authentication information to the client.
  • step 1104 can be implemented in multiple implementation manners.
  • This step 1104 may be: after the terminal system has determined that the user has passed the first local identity verification, the user authentication information can be obtained directly from the TEE, and the user authentication information can be returned to the client.
  • After the terminal system determines that the user passes the identity verification, only the ID number entered by the user may be stored in the TEE.
  • the terminal system obtains the user's ID number from the TEE.
  • If, after the terminal system determined that the user had passed the second local identity verification, the identifier of the biometric feature used for the second local identity verification was stored in the TEE in association with the user authentication information, then step 1104 is implemented as follows: the terminal system obtains the identifier of the biometric feature used for the first local identity verification to obtain the second identifier, and obtains the user authentication information associated with the second identifier from the TEE.
  • the user's biological characteristics include thumb fingerprints and index finger fingerprints
  • user authentication information includes: the user's identity number, and the user's social security card number.
  • the thumb fingerprint and the user's ID number are associated and stored in the TEE
  • the index finger fingerprint and the user's social security card number are associated and stored in the TEE.
  • The terminal system can use the generated public key to encrypt the user authentication information, and store the encrypted user authentication information in the TEE in either of the above two ways.
  • Whether the terminal system obtains the user authentication information directly from the TEE, or obtains from the TEE the user authentication information corresponding to the biometric identifier of the first identity verification, if what the terminal system obtains from the TEE is encrypted user authentication information, the private key can be used to decrypt the user authentication information, and the decrypted user authentication information can be returned to the client.
  • Step 1106: The client executes the identity authentication request based on the returned user authentication information.
  • When executing the identity authentication request, the client can generate an identity authentication message based on the user authentication information, and then send the identity authentication message to the server, so that the server performs the identity authentication.
  • the terminal system can obtain the verification information used for the second local identity verification after generating the public key and the private key. In other words, the terminal system can obtain the registered user biometrics currently stored locally.
  • the terminal system can perform encryption processing on the verification information of the second local identity verification to obtain the first encrypted verification information.
  • the terminal system may calculate the hash value of the verification information of the second local identity verification, and then use the hash value as the first encryption verification information.
  • the terminal system can also use other encryption processing methods, which are not specifically limited here.
  • the terminal system may send the first encryption verification information and the public key to the client, and the client may send the first encryption verification information and the public key to the server for storage.
  • the client can receive the challenge code issued by the server.
  • the challenge code may be that the client sends a challenge code acquisition request to the server after detecting the user's identity authentication request, so that the server sends the challenge code to the client in response to the challenge code acquisition request.
  • the challenge code can also be issued by the server at other times after the user triggers the identity authentication request, which is not specifically limited here.
  • the client can send the first system call request to the terminal system, and the terminal system can perform the first local identity verification on the user.
  • the terminal system can obtain the verification information of the first local identity verification. In other words, the terminal system can obtain the biometric characteristics of the registered user currently stored locally.
  • the terminal system can perform encryption processing on the verification information of the first local identity verification to obtain the second encrypted verification information.
  • the terminal system may calculate the hash value of the verification information of the first local identity verification, and then use the hash value as the second encryption verification information.
  • the terminal system can also use other encryption processing methods, which are not specifically limited here.
  • the terminal system uses the private key to sign the second encryption verification information and the challenge code, and sends the signature result to the client.
  • the client sends the signature result to the server, so that the server verifies the signature result.
  • the server can use the previously stored public key to decrypt the signature to obtain the second encrypted verification information and the challenge code.
  • the server can detect whether the second encrypted verification information is consistent with the previously stored first encrypted verification information, and whether the decrypted challenge code is consistent with the issued challenge code.
  • If both are consistent, a message indicating that the signature result passed is returned to the client.
  • the client can send the message that the signature result passed to the terminal system, and the terminal system can determine that the signature result is passed after receiving the message that the signature result has passed, and execute the above-mentioned step of obtaining stored user authentication information from the TEE.
  • The client can send the message that the signature result did not pass to the terminal system.
  • The terminal system can then determine that the signature result did not pass, and the terminal system does not perform the above-mentioned step of obtaining the user authentication information from the TEE.
  • the terminal system may also delete the stored user authentication information from the TEE when receiving the message that the signature result is not passed.
  • the relevant part can refer to the part of the description of the method embodiment.
  • The device embodiments described above are merely illustrative. The units described as separate parts may or may not be physically separated, and the parts displayed as units may or may not be physical units; they can be located in one place, or they can be distributed to multiple network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution in this specification. Those of ordinary skill in the art can understand and implement it without creative work.
  • a typical implementation device is a computer.
  • The specific form of the computer can be a personal computer, a laptop computer, a cellular phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email receiving and sending device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.

Abstract

A method and an apparatus for implementing MOTOpay, and an electronic device, comprising: in response to a payment request triggered by a user, a client terminal invokes a terminal system to perform first identity verification of the user (202); after the user passes the first identity verification, the terminal system acquires stored bank card information from a trusted execution environment TEE, and returns the bank card information to the client terminal (204); and, on the basis of the returned bank card information, the client terminal executes the payment request (206).

Description

Method, device and electronic equipment for implementing MOTOpay
Technical field
This specification relates to the field of computer communication, and in particular to a method, device and electronic equipment for implementing MOTOpay.
Background
MOTOpay is a remote credit card collection system that enables non-face-to-face transactions between merchants and consumers. For example, when a consumer orders goods by telephone, mail, fax or website, the consumer only needs to enter credit card information to complete the payment. Most international e-commerce websites support this payment method.
Summary of the invention
According to a first aspect of this specification, a method for implementing MOTOpay is provided, applied to a terminal on which a client supporting MOTOpay payment is installed. The method includes: in response to a payment request triggered by a user, the client invokes the terminal system to perform a first identity verification on the user; after the user passes the first identity verification, the terminal system obtains stored bank card information from a trusted execution environment (TEE) and returns the bank card information to the client; and the client executes the payment request based on the returned bank card information.
Optionally, the method further includes: after obtaining the bank card information entered by the user for MOTOpay payment, the client invokes the terminal system to perform a second identity verification on the user; after the user passes the second identity verification, the terminal system stores the bank card information in the TEE.
Optionally, storing the bank card information in the TEE includes: after the user passes the second identity verification, generating a public key and a private key in the TEE; encrypting the bank card information with the public key, and storing the encrypted bank card information in the TEE. Obtaining the stored bank card information from the trusted execution environment TEE includes: obtaining the stored encrypted bank card information from the TEE; and decrypting the encrypted bank card information with the private key corresponding to the client to obtain the bank card information.
Optionally, the method further includes: after generating the public key and the private key, the terminal system obtains the verification information used for the second identity verification and encrypts it to obtain first encrypted verification information; the terminal system uploads the first encrypted verification information and the public key, through the client, to the server for storage. The method further includes: the client receives a challenge code issued by the server after the user triggers the payment request; after the user passes the first identity verification, the terminal system obtains the verification information used for the first identity verification and encrypts it to obtain second encrypted verification information; the terminal system signs the second encrypted verification information and the challenge code with the private key, and sends the signature result to the server through the client, so that the server verifies the signature result. Obtaining the stored bank card information from the trusted execution environment TEE includes: obtaining the stored bank card information from the TEE when the signature result passes verification.
Optionally, storing the bank card information in the TEE includes: the terminal system obtains the identifier of the identity information used for the second identity verification to obtain a first identifier; the terminal system stores the bank card information and the first identifier in the TEE in association with each other. Obtaining the stored bank card information from the trusted execution environment TEE includes: the terminal system obtains the identifier of the identity information used for the first identity verification to obtain a second identifier, and obtains the bank card information associated with the second identifier from the TEE.
Optionally, the method further includes: the terminal system sets an aging duration for the bank card information stored in the TEE; the terminal system deletes the bank card information when it detects that the aging duration of the bank card information stored in the TEE has been reached; or the terminal system deletes the bank card information when it detects that the usage of the bank card information has reached a preset use condition; or the client, on receiving a delete instruction from the user, invokes the terminal system to delete the bank card information.
Optionally, the bank card information includes at least one of the following: bank card number, name, card validity period, and CVV code.
According to a second aspect of this specification, a method for implementing MOTOpay is provided, applied to a client that supports MOTOpay payment and is installed on a terminal. The method includes: in response to a payment request triggered by a user, sending a first system call request to the terminal system, so that the terminal system, in response to the first system call request, performs a first identity verification on the user and, after the user passes the first identity verification, obtains stored bank card information from a trusted execution environment TEE and returns the bank card information to the client; and executing the payment request based on the returned bank card information.
Optionally, the method further includes: after obtaining the bank card information entered by the user for MOTOpay payment, sending a second system call request to the terminal system, so that the terminal system, in response to the second system call request, performs a second identity verification on the user and, after the user passes the second identity verification, stores the bank card information in the TEE.
Optionally, the TEE further contains a public key and a private key generated by the user terminal system after the user passes the second identity verification. The method further includes: on receiving the first encrypted verification information and the public key sent by the terminal system, uploading the first encrypted verification information and the public key to the server, the first encrypted verification information being obtained by encrypting the verification information of the second identity verification; receiving the challenge code issued by the server after the user triggers the payment request, and sending the challenge code to the terminal system, so that the terminal system, after the user passes the first identity verification, obtains the verification information used for the first identity verification, encrypts it to obtain second encrypted verification information, and signs the second encrypted verification information and the challenge code with the private key; and receiving the signature result sent by the terminal system and sending the signature result to the server, so that the server verifies the signature result, thereby triggering the terminal system to obtain the stored bank card information from the TEE when the signature result passes verification.
According to a third aspect of this specification, a method for implementing MOTOpay is provided, applied to the terminal system of a terminal on which a client supporting MOTOpay payment is installed. The method includes: in response to a first system call request sent by the client, performing a first identity verification on the user; after the user passes the first identity verification, obtaining stored bank card information from the TEE; and returning the bank card information to the client, so that the client executes the payment request triggered by the user based on the bank card information.
Optionally, the method further includes: in response to a second system call request sent by the client, performing a second identity verification on the user, the second system call request being sent by the client after it obtains the bank card information entered by the user for MOTOpay payment; and after the user passes the second identity verification, storing the bank card information in the TEE.
Optionally, storing the bank card information in the TEE includes: after the user passes the second identity verification, generating a public key and a private key in the TEE; encrypting the bank card information with the public key, and storing the encrypted bank card information in the TEE. Obtaining the stored bank card information from the TEE includes: obtaining the stored encrypted bank card information from the TEE; and decrypting the encrypted bank card information with the private key corresponding to the client to obtain the bank card information.
Optionally, the method further includes: after generating the public key and the private key, obtaining the verification information used for the second identity verification and encrypting it to obtain first encrypted verification information; and uploading the first encrypted verification information and the public key, through the client, to the server for storage. The method further includes: after the user passes the first identity verification, obtaining the verification information used for the first identity verification and encrypting it to obtain second encrypted verification information; signing the second encrypted verification information and the received challenge code with the private key, and sending the signature result to the server through the client, so that the server verifies the signature result, the challenge code being issued by the server after the user triggers the payment request. Obtaining the stored bank card information from the TEE includes: obtaining the stored bank card information from the TEE when the signature result passes verification.
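The challenge-code exchange in the paragraph above, as an added Go example that is not code from the patent. Ed25519, SHA-256 as the "encryption processing" (the specification itself suggests a hash), single use of each challenge, and all type and function names are assumptions; because an Ed25519 signature does not carry its message, the signed hash and challenge travel alongside the signature instead of being recovered from it.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device models the terminal system; priv and record would sit inside the TEE.
type Device struct {
	priv      ed25519.PrivateKey
	templates [][]byte // locally enrolled biometric templates
	record    []byte   // stored card or authentication record
}

// Server holds what the client uploaded at enrolment, plus open challenges.
type Server struct {
	pub      ed25519.PublicKey
	enrolled [32]byte
	open     map[string]bool
}

// digest hashes the enrolled template set ("encrypted verification information").
func digest(templates [][]byte) [32]byte {
	var all []byte
	for _, t := range templates {
		s := sha256.Sum256(t) // fixed-size parts keep the framing unambiguous
		all = append(all, s[:]...)
	}
	return sha256.Sum256(all)
}

// Enroll follows the second identity verification: key pair, hash, upload.
func Enroll(templates [][]byte, record []byte) (*Device, *Server) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no entropy source: nothing safe to fall back to
	}
	d := &Device{priv: priv, templates: templates, record: record}
	return d, &Server{pub: pub, enrolled: digest(templates), open: map[string]bool{}}
}

// NewChallenge issues a random challenge code for one request.
func (s *Server) NewChallenge() []byte {
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.open[string(c)] = true
	return c
}

// Sign follows the first identity verification: sign current hash || challenge.
func (d *Device) Sign(challenge []byte) (msg, sig []byte) {
	h := digest(d.templates)
	msg = append(h[:], challenge...)
	return msg, ed25519.Sign(d.priv, msg)
}

// Verify checks the signature, then the challenge, then the enrolment hash.
func (s *Server) Verify(msg, sig []byte) error {
	if len(msg) != 48 || !ed25519.Verify(s.pub, msg, sig) {
		return errors.New("bad signature")
	}
	ch := string(msg[32:])
	if !s.open[ch] {
		return errors.New("unknown or reused challenge")
	}
	delete(s.open, ch) // assumption: each challenge is accepted once
	if !bytes.Equal(msg[:32], s.enrolled[:]) {
		return errors.New("verification information changed since enrolment")
	}
	return nil
}

// Release returns the record on a pass; on a fail it deletes the record.
func (d *Device) Release(verdict error) ([]byte, error) {
	if verdict != nil {
		d.record = nil
		return nil, fmt.Errorf("not released: %w", verdict)
	}
	return d.record, nil
}

func main() {
	// Constructed sample data: two enrolled templates and a placeholder record.
	d, s := Enroll([][]byte{[]byte("thumb"), []byte("index")}, []byte("RECORD-PLACEHOLDER"))
	msg, sig := d.Sign(s.NewChallenge())
	rec, err := d.Release(s.Verify(msg, sig))
	fmt.Printf("enrolled set unchanged: %q %v\n", rec, err)
	fmt.Println("same signature replayed:", s.Verify(msg, sig))
	d.templates = append(d.templates, []byte("enrolled-later"))
	msg, sig = d.Sign(s.NewChallenge())
	_, err = d.Release(s.Verify(msg, sig))
	fmt.Println("template added after enrolment:", err)
}
```

The last case is the reason the hash is signed at all: a biometric template enrolled on the device after the record was stored changes the hash, so the server rejects the request even though the local verification passed.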
Optionally, storing the bank card information in the TEE includes: obtaining the identifier of the identity information used for the second identity verification to obtain a first identifier; and storing the bank card information and the first identifier in the TEE in association with each other. Obtaining the stored bank card information from the TEE includes: obtaining the identifier of the identity information used for the first identity verification to obtain a second identifier; and obtaining the bank card information associated with the second identifier from the TEE.
Optionally, the method further includes: setting an aging duration for the bank card information stored in the TEE; deleting the bank card information when it is detected that the aging duration of the bank card information stored in the TEE has been reached; or deleting the bank card information when it is detected that the usage of the bank card information has reached a preset use condition.
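The storage rules from the two paragraphs above (association with an identifier, aging duration, use condition), combined with public-key encryption of the stored record, as an added Go example that is not code from the patent. RSA-OAEP, a use count as the "preset use condition", the identifier doubling as the OAEP label, and all names are assumptions; the record contents are constructed placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// record is one encrypted entry together with its deletion conditions.
type record struct {
	ciphertext []byte
	expires    time.Time // end of the aging duration
	usesLeft   int       // assumed "preset use condition": a use count
}

// Store stands in for TEE storage; the private key would never leave the TEE.
type Store struct {
	key     *rsa.PrivateKey
	records map[string]*record // keyed by biometric identifier
	now     func() time.Time   // injectable clock so aging can be exercised
}

// NewStore generates the key pair (done after the second identity verification).
func NewStore(now func() time.Time) (*Store, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, fmt.Errorf("key generation: %w", err)
	}
	return &Store{key: k, records: map[string]*record{}, now: now}, nil
}

// Put encrypts info with the public key and files it under bioID (first identifier).
// The identifier doubles as the OAEP label, so a ciphertext moved to another
// identifier's slot fails to decrypt. RSA-OAEP limits info to 190 bytes here.
func (s *Store) Put(bioID string, info []byte, aging time.Duration, maxUses int) error {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &s.key.PublicKey, info, []byte(bioID))
	if err != nil {
		return err
	}
	s.records[bioID] = &record{ct, s.now().Add(aging), maxUses}
	return nil
}

// Sweep deletes every record whose aging duration has been reached.
func (s *Store) Sweep() int {
	n := 0
	for id, r := range s.records {
		if !s.now().Before(r.expires) {
			delete(s.records, id)
			n++
		}
	}
	return n
}

// Get returns the record bound to bioID (second identifier), deleting it once used up.
func (s *Store) Get(bioID string) ([]byte, error) {
	s.Sweep()
	r, ok := s.records[bioID]
	if !ok {
		return nil, errors.New("no live record for this identifier")
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, s.key, r.ciphertext, []byte(bioID))
	if err != nil {
		return nil, err
	}
	if r.usesLeft--; r.usesLeft <= 0 {
		delete(s.records, bioID)
	}
	return pt, nil
}

// Delete handles the user's explicit delete instruction.
func (s *Store) Delete(bioID string) { delete(s.records, bioID) }

func main() {
	clock := time.Now()
	s, err := NewStore(func() time.Time { return clock })
	if err != nil {
		panic(err)
	}
	// Constructed placeholders, following the page's thumb / index-finger example.
	s.Put("thumb", []byte("ID-NUMBER-PLACEHOLDER"), time.Hour, 1)
	s.Put("index", []byte("SOCIAL-SECURITY-PLACEHOLDER"), 24*time.Hour, 5)
	v, err := s.Get("thumb")
	fmt.Printf("thumb, first use: %q %v\n", v, err)
	_, err = s.Get("thumb")
	fmt.Println("thumb, second use:", err)
	clock = clock.Add(25 * time.Hour)
	_, err = s.Get("index")
	fmt.Println("index, after aging:", err)
}
```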
According to a fourth aspect of this specification, an apparatus for implementing MOTOpay is provided, applied to a client that is installed on a terminal and supports MOTOpay payment. The apparatus includes: a sending module, configured to send a first system call request to the terminal system in response to a payment request triggered by a user, so that the terminal system, in response to the first system call request, performs first identity verification on the user and, after the user passes the first identity verification, obtains the stored bank card information from the trusted execution environment (TEE) and returns the bank card information to the client; and an execution module, configured to execute the payment request based on the returned bank card information.
Optionally, the sending module is configured to send a second system call request to the terminal system after obtaining the bank card information for MOTOpay payment entered by the user, so that the terminal system, in response to the second system call request, performs second identity verification on the user and, after the user passes the second identity verification, stores the bank card information in the TEE.
Optionally, the TEE further contains a public key and a private key generated by the user terminal system after the user passes the second identity verification. The apparatus further includes: an upload module, configured to upload the first encrypted verification information and the public key to the server upon receiving them from the terminal system, where the first encrypted verification information is obtained by encrypting the verification information used for the second identity verification; and a receiving module, configured to receive the challenge code issued by the server after the user triggers the payment request and to send the challenge code to the terminal system, so that the terminal system, after the user passes the first identity verification, obtains the verification information used for the first identity verification, encrypts it to obtain second encrypted verification information, and signs the second encrypted verification information and the challenge code with the private key. The upload module is further configured to receive the signature result sent by the terminal system and send it to the server, so that the server verifies the signature result, which triggers the terminal system to obtain the stored bank card information from the TEE when the signature result passes verification.
According to a fifth aspect of this specification, an apparatus for implementing MOTOpay is provided, applied to the terminal system of a terminal on which a client supporting MOTOpay payment is installed. The apparatus includes: a verification module, configured to perform first identity verification on the user in response to a first system call request sent by the client; an obtaining module, configured to obtain the stored bank card information from the TEE after the user passes the first identity verification; and a return module, configured to return the bank card information to the client, so that the client executes the payment request triggered by the user based on the bank card information.
Optionally, the verification module is further configured to perform second identity verification on the user in response to a second system call request sent by the client, where the second system call request is sent by the client after it obtains the bank card information for MOTOpay payment entered by the user. The apparatus further includes: a storage module, configured to store the bank card information in the TEE after the user passes the second identity verification.
Optionally, when storing the bank card information in the TEE, the storage module is configured to: generate a public key and a private key in the TEE after the user passes the second identity verification; encrypt the bank card information with the public key; and store the encrypted bank card information in the TEE. When obtaining the stored bank card information from the TEE, the obtaining module is configured to: obtain the stored encrypted bank card information from the TEE; and decrypt the encrypted bank card information with the private key corresponding to the client, to obtain the bank card information.
Optionally, the apparatus further includes: an encryption module, configured to, after the public key and private key are generated, obtain the verification information used for the second identity verification and encrypt it to obtain first encrypted verification information, and to upload the first encrypted verification information and the public key through the client to the server for storage. The apparatus further includes: a signature module, configured to, after the user passes the first identity verification, obtain the verification information used for the first identity verification and encrypt it to obtain second encrypted verification information, sign the second encrypted verification information and the received challenge code with the private key, and send the signature result through the client to the server, so that the server verifies the signature result; the challenge code is issued by the server after the user triggers the payment request. When obtaining the stored bank card information from the TEE, the obtaining module is configured to obtain the stored bank card information from the TEE when the signature result passes verification.
Optionally, when storing the bank card information in the TEE, the storage module is configured to: obtain the identifier of the identity information used for the second identity verification, to obtain a first identifier; and store the bank card information in association with the first identifier in the TEE. When obtaining the stored bank card information from the TEE, the obtaining module is configured to: obtain the identifier of the identity information used for the first identity verification, to obtain a second identifier; and obtain from the TEE the bank card information associated with the second identifier.
Optionally, the apparatus further includes: a setting module, configured to set an aging duration for the bank card information stored in the TEE; and a deletion module, configured to delete the bank card information when it is detected that the aging duration of the bank card information stored in the TEE has been reached, or to delete the bank card information when it is detected that the usage of the bank card information meets a preset usage condition.
According to a sixth aspect of this specification, an electronic device is provided, including: a processor; and a memory for storing processor-executable instructions; where the processor implements the above method for implementing MOTOpay by running the executable instructions.
According to a seventh aspect of this specification, a computer-readable storage medium is provided, on which computer instructions are stored; when executed by a processor, the instructions implement the above method for implementing MOTOpay.
As can be seen from the above description, the user's bank card information is stored in the TEE of the user terminal. When the user makes a payment, the user terminal can retrieve the bank card information from the TEE to complete the payment.
In this specification, when paying with MOTOpay the user only needs to enter user information, for example by pressing a fingerprint, to complete the payment, which provides the function of domestic quick payment. Obtaining the bank card information stored on the terminal only under authorization by user information safeguards the security of the bank card information.
According to an eighth aspect of this specification, a method for implementing identity authentication is provided, applied to a terminal on which a client is installed. The method includes: the client, in response to an identity authentication request triggered by a user, calls the terminal system to perform first local identity verification on the user; the terminal system, after the user passes the first local identity verification, obtains the stored user authentication information from the trusted execution environment (TEE) and returns the user authentication information to the client; and the client executes the identity authentication request based on the returned user authentication information.
Optionally, the method further includes: the client, after obtaining the user authentication information for identity authentication entered by the user, calls the terminal system to perform second local identity verification on the user; and the terminal system, after the user passes the second local identity verification, stores the user authentication information in the TEE.
Optionally, storing the user authentication information in the TEE includes: generating a public key and a private key in the TEE after the user passes the second local identity verification; encrypting the user authentication information with the public key; and storing the encrypted user authentication information in the TEE. Obtaining the stored user authentication information from the trusted execution environment TEE includes: obtaining the stored encrypted user authentication information from the TEE; and decrypting the encrypted user authentication information with the private key corresponding to the client, to obtain the user authentication information.
Optionally, the method further includes: the terminal system, after generating the public key and private key, obtains the verification information used for the second local identity verification and encrypts it to obtain first encrypted verification information; and the terminal system uploads the first encrypted verification information and the public key through the client to the server for storage. The method further includes: the client receives the challenge code issued by the server after the user triggers the identity authentication request; the terminal system, after the user passes the first local identity verification, obtains the verification information used for the first local identity verification and encrypts it to obtain second encrypted verification information; and the terminal system signs the second encrypted verification information and the challenge code with the private key and sends the signature result through the client to the server, so that the server verifies the signature result. Obtaining the stored user authentication information from the trusted execution environment TEE includes: obtaining the stored user authentication information from the TEE when the signature result passes verification.
Optionally, storing the user authentication information in the TEE includes: the terminal system obtains the identifier of the identity information used for the second local identity verification, to obtain a first identifier; and the terminal system stores the user authentication information in association with the first identifier in the TEE. Obtaining the stored user authentication information from the trusted execution environment TEE includes: the terminal system obtains the identifier of the biometric feature used for the first local identity verification, to obtain a second identifier, and obtains from the TEE the user authentication information associated with the second identifier.
As can be seen from the above description, the user's user authentication information is stored in the TEE of the user terminal. When the user performs identity authentication, the user terminal can retrieve the user authentication information from the TEE to complete the payment.
On the one hand, in this specification, the user only needs to press a fingerprint or the like to complete identity authentication.
On the other hand, obtaining the user authentication information stored on the terminal only under authorization by user information (such as the user's fingerprint) safeguards the security of the user authentication information.
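The enrollment and challenge-code exchange described in the optional clauses above can be modelled as follows. This is an added example, not code from the patent: Ed25519 as the signature scheme, a SHA-256 digest standing in for the unspecified "encryption processing", the server-side comparison of the first and second protected values, single-use challenge codes, and all type and function names are assumptions; the sample values are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var (
	ErrChallenge = errors.New("challenge code unknown or already used")
	ErrMismatch  = errors.New("verification information differs from enrollment")
	ErrSignature = errors.New("signature does not verify")
)

// protect stands in for the unspecified "encryption processing" applied to
// verification information (assumption: a SHA-256 digest).
func protect(info string) []byte {
	d := sha256.Sum256([]byte(info))
	return d[:]
}

// signedMessage is the byte string covered by the signature:
// protected verification information followed by the challenge code.
func signedMessage(protected, challenge []byte) []byte {
	return append(append([]byte{}, protected...), challenge...)
}

// Terminal models the terminal system. priv stays inside the TEE and
// card is handed out only through Release.
type Terminal struct {
	priv ed25519.PrivateKey
	card string
}

// Server holds what the client uploaded at enrollment.
type Server struct {
	pub     ed25519.PublicKey
	first   []byte          // first encrypted verification information
	pending map[string]bool // challenge codes issued and not yet consumed
}

// Enroll runs after the second identity verification: the key pair is
// generated, and the public key plus first protected value go to the server.
func Enroll(info, card string) (*Terminal, *Server, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	srv := &Server{pub: pub, first: protect(info), pending: map[string]bool{}}
	return &Terminal{priv: priv, card: card}, srv, nil
}

// Challenge issues a fresh random code for one payment request.
func (s *Server) Challenge() ([]byte, error) {
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[string(c)] = true
	return c, nil
}

// Sign runs after the first identity verification has passed locally.
func (t *Terminal) Sign(info string, challenge []byte) (second, sig []byte) {
	second = protect(info)
	return second, ed25519.Sign(t.priv, signedMessage(second, challenge))
}

// Verify consumes the challenge (single use), checks the signature, then
// compares the second protected value with the one stored at enrollment.
func (s *Server) Verify(second, challenge, sig []byte) error {
	if !s.pending[string(challenge)] {
		return ErrChallenge
	}
	delete(s.pending, string(challenge))
	if !ed25519.Verify(s.pub, signedMessage(second, challenge), sig) {
		return ErrSignature
	}
	if !bytes.Equal(second, s.first) {
		return ErrMismatch
	}
	return nil
}

// Release returns the card only when the server accepted the signature.
func (t *Terminal) Release(verdict error) (string, error) {
	if verdict != nil {
		return "", fmt.Errorf("card withheld: %w", verdict)
	}
	return t.card, nil
}

func main() {
	// Constructed sample values, not real card data.
	term, srv, err := Enroll("fingerprint-slot-1", "CARD-A-0000")
	if err != nil {
		panic(err)
	}
	ch, _ := srv.Challenge()
	second, sig := term.Sign("fingerprint-slot-1", ch)
	card, err := term.Release(srv.Verify(second, ch, sig))
	fmt.Println(card, err)
	_, err = term.Release(srv.Verify(second, ch, sig)) // same challenge again
	fmt.Println(err)
}
```

Because the challenge code is inside the signed message and is consumed on first use, a signature result captured from one payment request is rejected when presented for another.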
Description of the drawings
Fig. 1 is a flowchart of a bank card information storage process according to an exemplary embodiment of this specification;
Fig. 2 is a flowchart of a MOTOpay payment method according to an exemplary embodiment of this specification;
Fig. 3 is a flowchart of a method for implementing MOTOpay according to an exemplary embodiment of this specification;
Fig. 4 is a flowchart of a method for implementing MOTOpay according to an exemplary embodiment of this specification;
Fig. 5 is a flowchart of another bank card information storage method according to an exemplary embodiment of this specification;
Fig. 6 is a flowchart of a MOTOpay payment method according to an exemplary embodiment of this specification;
Fig. 7 is a hardware structure diagram of a terminal according to an exemplary embodiment of this specification;
Fig. 8 is a block diagram of an apparatus for implementing MOTOpay according to an exemplary embodiment of this specification;
Fig. 9 is a block diagram of another apparatus for implementing MOTOpay according to an exemplary embodiment of this specification;
Fig. 10 is a flowchart of a method for storing user authentication information according to an exemplary embodiment of this specification;
Fig. 11 is a flowchart of a method for implementing authentication according to an exemplary embodiment of this specification.
Detailed description
Exemplary embodiments are described in detail here, and examples of them are shown in the accompanying drawings. Where the following description refers to the drawings, the same numbers in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with this specification. Rather, they are merely examples of apparatuses and methods consistent with some aspects of this specification as detailed in the appended claims.
The terms used in this specification are for the purpose of describing particular embodiments only and are not intended to limit this specification. The singular forms "a", "said" and "the" used in this specification and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and includes any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third and so on may be used in this specification to describe various information, the information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of this specification, first information may also be referred to as second information and, similarly, second information may also be referred to as first information. Depending on the context, the word "if" as used herein can be interpreted as "when", "at the time of" or "in response to determining".
MOTOpay is a remote credit card collection system that enables transactions between merchants and consumers who are not face to face. For example, when a consumer orders goods by telephone, mail, fax or website, the consumer only needs to enter credit card information to complete the payment. Most international e-commerce websites support this payment method.
In practice, however, users often forget to carry their bank card or cannot remember the information of all their cards, and so are unable to pay.
In view of this, this specification proposes a method for implementing MOTOpay in which the user's bank card information is stored in the TEE of the user terminal. When the user makes a payment, the user terminal can retrieve the bank card information from the TEE to complete the payment, which solves the payment problem that arises when the user forgets to bring the bank card or forgets the bank card information.
In addition, in this specification, once the bank card information has been stored in the TEE of the user terminal, the user does not need to enter bank card information when paying and only needs to enter identity information such as a fingerprint to complete the payment. This greatly simplifies the user's payment operation and improves payment efficiency.
The method for implementing MOTOpay provided in this specification is described in detail below.
The method for implementing MOTOpay in this specification may include the storage process of bank card information and the user payment process. The method is described in detail below from these two aspects.
1. Storage process of bank card information
Referring to Fig. 1, Fig. 1 is a flowchart of a bank card information storage process according to an exemplary embodiment of this specification. The method can be applied to a terminal. The terminal may include a client and a terminal system. The client supports MOTOpay payment.
The terminal may include a PC, a mobile terminal and the like. For example, the mobile terminal may include the user's mobile phone, IPAD, notebook computer, palmtop computer and so on. The terminal and the mobile terminal are not specifically limited here.
The method may include the following steps.
Step 102: After obtaining the bank card information for MOTOpay payment entered by the user, the client calls the terminal system to perform second identity verification on the user.
The bank card includes a credit card, a debit card and so on. This is only an exemplary description of the bank card and does not specifically limit it.
Step 102 is described below through steps 1021 and 1022.
Step 1021: The client obtains the bank card information for MOTOpay payment entered by the user.
In implementation, the user can enter the bank card information for MOTOpay payment on the terminal when paying for the first time, when the user needs to add bank card information, or when the registered user information stored on the terminal (such as a registered user fingerprint) changes. The client can obtain the bank card information entered by the user.
For example, for the user's first payment, when the client detects a payment request triggered by the user, it can call the terminal system to obtain the user's user information and verify the user's identity based on that user information. After the identity verification passes, the terminal system can check whether bank card information is stored in the TEE and, if none is stored, notify the client. The client can prompt the user to enter bank card information and then obtain the bank card information the user enters.
Alternatively, when the client receives an add instruction by which the user adds bank card information, it obtains the bank card information carried in the add instruction.
This is only an exemplary description of how the client obtains the bank card information for MOTOpay payment entered by the user and does not specifically limit it.
Step 1022: The client calls the terminal system to perform second identity verification on the user.
After obtaining the bank card information for MOTOpay payment entered by the user, the client can send a second system call request to the terminal system. In response to the second system call request, the terminal system can obtain the user's user information and perform the second identity verification on the user based on the user information and the locally stored verification information.
The user information may include text information such as the user's username and password, or the user's biometric information, such as the user's fingerprint, facial features or iris features. This is only an exemplary description of the user information and does not specifically limit it.
The terminal system locally stores the verification information the user has registered, such as text information like a registered username and password, or the user's biometric information, such as a registered fingerprint, facial features or iris features. This is only an exemplary description of the verification information stored locally by the terminal system and does not specifically limit it.
When performing the second identity verification on the user based on the identity information and the locally stored verification information, the terminal system can check whether the user's identity information matches the verification information stored by the terminal system. If they match, the user is determined to have passed the second identity verification; if they do not match, the user is determined to have failed the second identity verification.
Step 104: After the user passes the second identity verification, the terminal system stores the bank card information in the TEE.
Several ways of storing the bank card information in the TEE are described below.
Method 1: When storing the bank card information in the TEE, the terminal system may store only the bank card information in the TEE, and any of the user's identity information can then be used to retrieve the bank card information in the TEE.
Taking fingerprints as an example, suppose the terminal system holds the user's thumb fingerprint and index-finger fingerprint. The terminal system may store only the bank card information in the TEE. In a later payment, whether the user presents the thumb fingerprint or the index-finger fingerprint for the first identity verification, what is retrieved is the one or more pieces of bank card information stored in the TEE.
Method 2: The terminal system can obtain the identifier of the identity information used for the second identity verification, to obtain a first identifier. The terminal system can then store the encrypted bank card information in association with the first identifier in the TEE.
Such associated storage binds each identifier of the user's identity information to a bank card one to one. In later payments, different bank cards can be retrieved based on the user's different identity information.
The following takes fingerprints as the user's identity information as an example.
Suppose the bank card information for MOTOpay payment that the user enters on the client is that of a Bank of China card, and the user uses the thumb fingerprint for the second identity verification. When the terminal system determines that the second identity verification has passed, it stores the user's thumb fingerprint in association with the Bank of China card information in the TEE. Suppose the user then enters on the client the bank card information of a China Construction Bank card for MOTOpay payment, and uses the index-finger fingerprint for the second identity verification. When the terminal system determines that the second identity verification has passed, it stores the user's index-finger fingerprint in association with the China Construction Bank card information in the TEE.
When the user pays, if the user presents the thumb fingerprint for the first identity verification, the Bank of China card information is returned to the user. If the user presents the index-finger fingerprint for the first identity verification, the China Construction Bank card information is returned to the user.
In addition, to ensure the security of the bank card information, whether the bank card information is stored directly in the TEE or stored in the TEE in association with the identifier of the identity information used for the second identity verification, the terminal system can encrypt the bank card information with the generated public key and store the encrypted bank card information in the TEE in either of the two ways above.
Specifically, to safeguard the bank card information, the terminal system can generate a key pair consisting of a public key and a private key. The generated key pair may correspond to the client or to the user; the correspondence of the key pair is not specifically limited here.
When the key pair is bound to the client, other clients cannot access it. When the key pair is bound to the user, other users of the client and other clients cannot access it, which ensures the security of the bank card information.
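Method 2 combined with the public-key encryption described above, as an added Go example that is not code from the patent: a simulated TEE keeps each card encrypted and bound to the identifier that enrolled it, and applies the aging duration and usage condition from the summary. RSA-OAEP, the use of the identifier as the OAEP label, the use-count reading of the "preset usage condition", and all names and sample values are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// ErrNoCard is returned when nothing usable is bound to the identifier.
var ErrNoCard = errors.New("no bank card information for identifier")

// record is one encrypted card entry held by the simulated TEE.
type record struct {
	ciphertext []byte
	storedAt   time.Time
	uses       int
}

// TEE simulates the trusted store (hypothetical type, not a real TEE API).
type TEE struct {
	key     *rsa.PrivateKey // generated after the second identity verification
	maxAge  time.Duration   // aging duration
	maxUses int             // preset usage condition, read here as a use count
	records map[string]*record
}

// NewTEE generates the key pair and sets the deletion policy.
func NewTEE(maxAge time.Duration, maxUses int) (*TEE, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &TEE{key: key, maxAge: maxAge, maxUses: maxUses, records: map[string]*record{}}, nil
}

// Store encrypts card under the public key and associates it with firstID.
// The identifier is also the OAEP label, so a ciphertext only decrypts
// under the identifier it was enrolled with.
func (t *TEE) Store(firstID, card string, now time.Time) error {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &t.key.PublicKey, []byte(card), []byte(firstID))
	if err != nil {
		return err
	}
	t.records[firstID] = &record{ciphertext: ct, storedAt: now}
	return nil
}

// Fetch returns the card bound to secondID, deleting the record once the
// aging duration has been reached or the use limit is met.
func (t *TEE) Fetch(secondID string, now time.Time) (string, error) {
	r, ok := t.records[secondID]
	if !ok {
		return "", fmt.Errorf("%q: %w", secondID, ErrNoCard)
	}
	if now.Sub(r.storedAt) >= t.maxAge {
		delete(t.records, secondID)
		return "", fmt.Errorf("%q aged out: %w", secondID, ErrNoCard)
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, t.key, r.ciphertext, []byte(secondID))
	if err != nil {
		return "", err
	}
	r.uses++
	if r.uses >= t.maxUses {
		delete(t.records, secondID)
	}
	return string(pt), nil
}

func main() {
	t0 := time.Unix(1700000000, 0) // constructed timestamp
	tee, err := NewTEE(time.Hour, 2)
	if err != nil {
		panic(err)
	}
	// Constructed sample card strings, one per enrolled fingerprint identifier.
	if err := tee.Store("thumb", "CARD-A-0000", t0); err != nil {
		panic(err)
	}
	if err := tee.Store("index", "CARD-B-0000", t0); err != nil {
		panic(err)
	}
	card, err := tee.Fetch("thumb", t0.Add(time.Minute))
	fmt.Println(card, err)
	card, err = tee.Fetch("index", t0.Add(2*time.Hour)) // past the aging duration
	fmt.Println(card, err)
}
```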
The terminal system can encrypt the bank card information with the public key and store the encrypted bank card information in the TEE.
2. MOTOpay payment process
参见图2,图2是本说明书一示例性实施例示出的一种MOTOpay支付方法的流程图,该方法可应用在终端上。该终端可包括客户端、以及终端系统。客户端支持MOTOpay支付。Refer to Fig. 2, which is a flowchart of a MOTOpay payment method shown in an exemplary embodiment of this specification, and the method can be applied to a terminal. The terminal may include a client and a terminal system. The client supports MOTOpay payment.
该终端可包括:PC机、可移动终端等。比如可移动终端可包括:用户的手机、IPAD、笔记本电脑、掌上电脑等等。这里不对终端、以及可移动终端进行具体地限定。The terminal may include: a PC, a portable terminal, etc. For example, the portable terminal may include: the user's mobile phone, IPAD, notebook computer, palmtop computer, and so on. The terminal and the mobile terminal are not specifically limited here.
该方法可包括如下所示步骤:步骤202:客户端响应于用户触发的支付请求,调用终端系统对于所述用户进行第一身份验证。The method may include the following steps: Step 202: In response to the payment request triggered by the user, the client invokes the terminal system to perform the first identity verification for the user.
In implementation, when the client detects a payment request triggered by the user, it can respond to the payment request by sending a second system call message to the terminal system.
In response to the second system call message, the terminal system can obtain the identity information entered by the user through the TUI, and perform the first identity verification on the user based on that identity information and the locally stored verification information.
When performing the first identity verification on the user based on the identity information, the terminal system can check whether the user's identity information matches the verification information stored by the terminal system. If the identity information matches the verification information, the user passes the first identity verification; if it does not match, the user fails the first identity verification.
Step 204: After the user passes the first identity verification, the terminal system obtains the stored bank card information from the trusted execution environment (TEE) and returns the bank card information to the client.
Corresponding to step 104 above, step 204 can be implemented in several ways.
Manner 1: When the terminal system, after determining that the user has passed the second identity verification, stores only the bank card information entered by the user in the TEE, step 204 is implemented as follows: after determining that the user has passed the first identity verification, the terminal system can obtain the bank card information directly from the TEE and return it to the client.
Taking fingerprints as an example, suppose the terminal system holds the user's thumb fingerprint and index finger fingerprint. The user performs the second identity verification with the thumb fingerprint, and after determining that the user has passed the identity verification, the terminal system can store only the Bank of China bank card information entered by the user in the TEE.
In a subsequent payment, whether the user presents the thumb fingerprint or the index finger fingerprint for the first identity verification, once the first identity verification passes, what the terminal system obtains from the TEE is the Bank of China bank card information.
Manner 2: When the terminal system, after determining that the user has passed the second identity verification, stores the identifier of the identity information used for the second identity verification in the TEE in association with the bank card information, step 204 is implemented as follows: the terminal system obtains the identifier of the identity information used for the first identity verification, giving a second identifier, and obtains from the TEE the bank card information associated with the second identifier.
Taking fingerprints as an example, suppose the bank card information for MOTOpay payment that the user enters on the client is Bank of China bank card information, and the user performs the second identity verification with the thumb fingerprint. When the terminal system determines that the second identity verification has passed, it stores the user's thumb fingerprint in the TEE in association with the Bank of China bank card information. Suppose the user then enters China Construction Bank bank card information on the client for MOTOpay payment, and performs the second identity verification with the index finger fingerprint. When the terminal system determines that the second identity verification has passed, it stores the user's index finger fingerprint in the TEE in association with the China Construction Bank bank card information.
When the user pays, if the user presents the thumb fingerprint for the first identity verification, the terminal system can obtain from the TEE the Bank of China bank card information corresponding to the thumb fingerprint and return it to the client. If the user presents the index finger fingerprint for the first identity verification, the terminal system can obtain from the TEE the China Construction Bank bank card information corresponding to the index finger fingerprint and return it to the client.
To protect the bank card information, whether the bank card information is stored directly in the TEE or stored in the TEE in association with the identifier of the identity information used for the second identity verification, the terminal system can encrypt the bank card information with the generated public key and store the encrypted bank card information in the TEE in either of the two ways above.
Likewise, whether the bank card information is obtained directly from the TEE or obtained from the TEE by the identifier of the identity information used for the first identity verification, if what the terminal system obtains from the TEE is encrypted bank card information, it can decrypt the bank card information with the private key and return the decrypted bank card information to the client.
Step 206: The client executes the payment request based on the returned bank card information.
If the client receives a single piece of bank card information from the terminal system, it can execute the payment request directly based on that bank card information.
If the client receives multiple pieces of bank card information from the terminal system, it can display them to the user so that the user selects the bank card information to use for this payment. The client can then execute the payment request based on the bank card information the user selected.
Alternatively, if the client receives multiple pieces of bank card information from the terminal system, it can select one according to a preset selection algorithm and execute the payment request based on the selected bank card information.
The preset selection algorithm may include random selection, selecting the bank card information most recently stored in the TEE, and so on. This is only an illustrative description of the preset selection algorithm and does not specifically limit it.
When executing the payment request, the client can generate a payment message based on the bank card information and then send the payment message to the bank, so that the bank system transfers funds to the purchaser of the goods to complete the payment. This is only an illustrative description of executing the payment request and does not specifically limit it.
In addition, in the embodiments of this specification, to protect the bank card information, whenever the user adds or deletes user information (such as a fingerprint), the user must re-enter the bank card information. This function ("the user must re-enter the bank card information whenever user information is added or deleted") can be implemented as follows.
In implementation, after generating the public key and the private key, the terminal system can obtain the verification information used for the second identity verification. In other words, the terminal system can obtain the registered user identity information currently stored locally.
The terminal system can then apply encryption processing to the verification information of the second identity verification to obtain the first encrypted verification information. For example, the terminal system can compute the hash value of the verification information of the second identity verification and use that hash value as the first encrypted verification information. The terminal system can of course use other encryption processing methods, which are not specifically limited here.
The terminal system can send the first encrypted verification information and the public key to the client, and the client can send the first encrypted verification information and the public key to the server for storage.
After the user triggers a payment request, the client can receive a challenge code issued by the server. The challenge code may be obtained as follows: after detecting the user's payment request, the client sends a challenge code acquisition request to the server, and the server issues the challenge code to the client in response to that request. The challenge code may also be issued by the server at some other time after the user triggers the payment request, which is not specifically limited here.
After the user triggers the payment request, the client can send a first system call request to the terminal system, and the terminal system can perform the first identity verification on the user. After the user passes the first identity verification, the terminal system can obtain the verification information of the first identity verification. In other words, the terminal system can obtain the registered user identity information currently stored locally.
The terminal system can then apply encryption processing to the verification information of the first identity verification to obtain the second encrypted verification information. For example, the terminal system can compute the hash value of the verification information of the first identity verification and use that hash value as the second encrypted verification information. The terminal system can of course use other encryption processing methods, which are not specifically limited here.
The terminal system signs the second encrypted verification information and the challenge code with the private key and sends the signature result to the client. The client sends the signature result to the server, so that the server verifies the signature result.
When verifying the signature result, the server can decrypt the signature with the previously stored public key to obtain the second encrypted verification information and the challenge code.
The server can check whether the second encrypted verification information is consistent with the previously stored first encrypted verification information, and whether the decrypted challenge code is consistent with the challenge code it issued.
If the second encrypted verification information is consistent with the previously stored first encrypted verification information, and the decrypted challenge code is consistent with the issued challenge code, the server returns to the client a message that the signature result passed. The client can send that message to the terminal system; on receiving it, the terminal system can determine that the signature result passed and perform the step described above of obtaining the stored bank card information from the TEE.
If the second encrypted verification information is inconsistent with the previously stored first encrypted verification information, and/or the decrypted challenge code is inconsistent with the issued challenge code, the server returns to the client a message that the signature result did not pass. The client can send that message to the terminal system; on receiving it, the terminal system can determine that the signature result did not pass, and does not perform the step described above of obtaining the stored bank card information from the TEE. Optionally, on receiving the message that the signature result did not pass, the terminal system may also delete the stored bank card information from the TEE.
In addition, the client can send a prompt to the user so that the user re-enters the bank card information. After the user enters the bank card information, the bank card information storage process described above can be performed, which is not repeated here.
For example, suppose the identity information currently stored by the terminal system is the user's thumb fingerprint.
After obtaining the bank card information for MOTOpay payment entered by the user, the client calls the terminal system to perform the second identity verification on the user; suppose the verification information of the second identity verification is the thumb fingerprint currently stored by the terminal system.
Then, after the user passes the second identity verification, the terminal system can generate a public key and a private key. On the one hand, the terminal system can encrypt the bank card information with the public key and store the encrypted bank card information in the TEE. On the other hand, the terminal system can hash the thumb fingerprint to obtain the hash value of the thumb fingerprint, and upload that hash value and the public key to the server, via the client, for storage.
1) Suppose that, between the user entering the bank card information and the user triggering the payment, the user has not added or deleted a fingerprint on the user terminal; the identity information currently stored by the terminal system is then the user's thumb fingerprint.
In response to the payment request triggered by the user, the client calls the terminal system to perform the first identity verification on the user; the verification information of the first identity verification is the thumb fingerprint currently stored by the terminal system.
In addition, after the user triggers the payment request, the client can obtain the challenge code issued by the server and send the challenge code to the terminal system.
After the user passes the first identity verification, the terminal system hashes the verification information of the first identity verification (that is, the thumb fingerprint) to obtain the hash value of the thumb fingerprint.
The terminal system can then sign the hash value of the thumb fingerprint together with the challenge code, and send the signature result to the server via the client. The server decrypts the signature result with the previously stored public key to obtain the thumb fingerprint hash and the challenge code. Because the decrypted thumb fingerprint hash (that is, the second encrypted verification information) is consistent with the previously stored thumb fingerprint hash (that is, the first encrypted verification information), and the decrypted challenge code is consistent with the issued challenge code, the server can determine that the signature result passed and return to the client a message that the signature result passed. After receiving from the client the message that the signature result passed, the terminal system can obtain the bank card information from the TEE and return it to the client.
2) Suppose that, between the user entering the bank card information and the user triggering the payment, the user has added an index finger fingerprint on the user terminal; the identity information currently stored by the terminal system is then the user's thumb fingerprint and index finger fingerprint.
In response to the payment request triggered by the user, the client calls the terminal system to perform the first identity verification on the user; the verification information of the first identity verification is the thumb fingerprint and index finger fingerprint currently stored by the terminal system.
In addition, after the user triggers the payment request, the client can obtain the challenge code issued by the server and send the challenge code to the terminal system.
After the user passes the first identity verification, the terminal system hashes the verification information of the first identity verification (that is, the thumb fingerprint and the index finger fingerprint) to obtain the hash value of the thumb fingerprint and index finger fingerprint.
The terminal system can then sign the hash value of the thumb fingerprint and index finger fingerprint together with the challenge code, and send the signature result to the server via the client. The server decrypts the signature result with the previously stored public key to obtain the hash value of the thumb fingerprint and index finger fingerprint and the challenge code. Because the decrypted hash value of the thumb fingerprint and index finger fingerprint (that is, the second encrypted verification information) is inconsistent with the previously stored hash value of the thumb fingerprint (that is, the first encrypted verification information), while the decrypted challenge code is consistent with the issued challenge code, the server can determine that the signature result did not pass and return to the client a message that the signature result did not pass. After receiving from the client the message that the signature result did not pass, the terminal system does not obtain the bank card information from the TEE. At the same time, the client sends a prompt to the user to re-enter the bank card information.
It can be seen that, in this way, the user must re-enter the bank card information whenever a fingerprint is added or deleted.
As can be seen from the above description, the user's bank card information is stored in the TEE of the user terminal. When the user makes a payment, the user terminal can call the bank card information in the TEE to complete the payment.
In this specification, when paying with MOTOpay the user only needs to provide identity information, for example by pressing a fingerprint, to complete the payment, which provides the function of domestic quick payment. Through interaction with the server, whenever the user adds or deletes registered identity information in the terminal system, the user must re-enter the bank card information, which protects the bank card information. For example, the user must re-enter the bank card information whenever a fingerprint is added or deleted.
The bank card information is stored in the TEE of the user terminal, and the user must pass identity verification both to enter the bank card information and to call it, which greatly protects the bank card information.
Referring to FIG. 3, FIG. 3 is a flowchart of a method for implementing MOTOpay according to an exemplary embodiment of this specification. The method can be applied to a client that supports MOTOpay payment and is installed on a terminal, and may include the following steps.
Step 302: In response to a payment request triggered by the user, the client sends a first system call request to the terminal system, so that the terminal system, in response to the first system call request, performs the first identity verification on the user and, after the user passes the first identity verification, obtains the stored bank card information from the trusted execution environment (TEE) and returns the bank card information to the client.
For details, see the description of steps 202 to 204 above, which is not repeated here.
Step 304: The client executes the payment request based on the returned bank card information.
For details, see the description of step 206 above, which is not repeated here.
In addition, in the embodiments of this specification, after obtaining the bank card information for MOTOpay payment entered by the user, the client sends a second system call request to the terminal system, so that the terminal system, in response to the second system call request, performs the second identity verification on the user and, after the user passes the second identity verification, stores the bank card information in the TEE.
For details, see the description of steps 102 to 104 above, which is not repeated here.
As can be seen from the above description, the user's bank card information is stored in the TEE of the user terminal. When the user makes a payment, the user terminal can call the bank card information in the TEE to complete the payment.
In this specification, when paying with MOTOpay the user only needs to provide user information, for example by pressing a fingerprint, to complete the payment, which provides the function of domestic quick payment.
Referring to FIG. 4, FIG. 4 is a flowchart of a method for implementing MOTOpay according to an exemplary embodiment of this specification. The method can be applied to the terminal system of a terminal on which a client supporting MOTOpay payment is installed.
Step 402: In response to the first system call request sent by the client, the terminal system performs the first identity verification on the user. For details, see step 202 above, which is not repeated here.
Step 404: After the user passes the first identity verification, the terminal system obtains the stored bank card information from the TEE. For details, see step 204 above, which is not repeated here.
Step 406: The terminal system returns the bank card information to the client, so that the client executes the user-triggered payment request based on the bank card information. For details, see step 206 above, which is not repeated here.
In addition, in the embodiments of this specification, the terminal system can also perform the second identity verification on the user in response to a second system call request sent by the client, where the second system call request is sent by the client after it obtains the bank card information for MOTOpay payment entered by the user; after the user passes the second identity verification, the terminal system stores the bank card information in the TEE.
For details, see steps 102 to 104 above, which are not repeated here.
As can be seen from the above description, the user's bank card information is stored in the TEE of the user terminal. When the user makes a payment, the user terminal can call the bank card information in the TEE to complete the payment.
In this specification, when paying with MOTOpay the user only needs to provide user information, for example by pressing a fingerprint, to complete the payment, which provides the function of domestic quick payment.
Another method for implementing MOTOpay is described below with reference to FIG. 5 and FIG. 6.
Referring to FIG. 5, FIG. 5 is a flowchart of another bank card information storage method according to an exemplary embodiment of this specification. The method can be applied to a terminal. The terminal includes a client that supports MOTOpay payment and a terminal system. The method may include the following steps.
Step 501: The client obtains the bank card information for MOTOpay payment entered by the user;
Step 502: The client sends a first system call request to the terminal system;
Step 503: In response to the first system call request, the terminal system performs the second identity verification on the user;
Step 504: After the second identity verification passes, the terminal system generates a public key and a private key.
Step 505: The terminal system encrypts the bank card information with the public key and stores the encrypted bank card information in the TEE; it also obtains the verification information of the second identity verification and applies encryption processing to it to obtain the first encrypted verification information.
Step 506: The terminal system sends the first encrypted verification information and the public key to the client;
Step 507: The client sends the first encrypted verification information and the public key to the server;
Step 508: The server stores the first encrypted verification information and the public key.
Referring to FIG. 6, FIG. 6 is a flowchart of a MOTOpay payment method according to an exemplary embodiment of this specification. The method can be applied to a terminal. The terminal includes a client that supports MOTOpay payment and a terminal system. The method may include the following steps.
Step 601: The client detects a payment request triggered by the user.
Step 602: In response to the payment request, the client sends a challenge code acquisition request to the server.
Step 603: In response to the challenge code acquisition request, the server sends a challenge code to the client.
Step 604: In response to the payment request, the client sends a second system call request and the challenge code to the terminal system.
In implementation, the client can send the second system call request and the challenge code to the terminal system at the same time.
The client may also send the second system call request to the terminal system when it detects the user-triggered payment request, and send the challenge code to the terminal system after receiving it from the server. The order in which the two are sent is not specifically limited here, as long as it is logical.
Step 605: In response to the second system call request, the terminal system performs the first identity verification on the user.
Step 606: When the user passes the first identity verification, the terminal system obtains the verification information used for the first identity verification and applies encryption processing to it to obtain the second encrypted verification information.
Step 607: The terminal system signs the second encrypted verification information and the challenge code with the private key.
Step 608: The terminal system sends the signature result to the client.
Step 609: The client sends the signature result to the server.
Step 610: The server decrypts the signature result with the stored public key to obtain the second encrypted verification information and the challenge code.
Step 611: If the second encrypted verification information is consistent with the stored first encrypted verification information, and the decrypted challenge code is consistent with the issued challenge code, the server sends the client a message that the signature result passed.
Step 612: The client sends the terminal system the message that the signature result passed.
Step 613: After receiving the message that the signature result passed, the terminal system obtains the bank card information from the TEE.
Step 614: The terminal system returns the bank card information to the client.
Step 615: The client executes the payment request based on the bank card information.
本说明书不对上述步骤的时序进行限定,只要步骤之间符合逻辑关系即可。This specification does not limit the timing of the above steps, as long as the steps conform to a logical relationship.
As can be seen from the above description, the user's bank card information is stored in the TEE of the user terminal. When the user makes a payment, the user terminal can retrieve the bank card information from the TEE to complete the payment.
On the one hand, in this specification, a user paying with MOTOpay only needs to provide identity information, for example by pressing a fingerprint, to complete the payment, which provides the function of domestic quick payment.
On the other hand, in this specification, interaction with the server ensures that whenever the user adds or deletes identity information registered in the terminal system, the user must re-enter the bank card information, which safeguards the security of the bank card information. For example, when a user adds or deletes a fingerprint, the bank card information must be re-entered.
The bank card information is stored in the TEE of the user terminal, and the user can enter or retrieve the bank card information only after passing identity verification, which greatly ensures the security of the bank card information.
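The exchange in steps 601 to 615, as an added example that is not code from the patent or from any product: a Node.js simulation of the terminal system and the server, showing why a replayed signature result and a changed fingerprint enrollment are both rejected. Assumptions: ECDSA P-256 as the signature scheme, a SHA-256 digest of the enrolled templates as the "encrypted verification information", the signed message sent alongside the signature, single-use challenges, and all class, function and template names are hypothetical.

```javascript
// Added illustration (not from the patent): steps 601-615 simulated in one process.
// Assumed: ECDSA P-256, SHA-256 digest of enrolled templates, single-use challenges,
// constructed template strings and card value, hypothetical class names.
const crypto = require('node:crypto');

// "Encrypted verification information": a digest over everything currently
// enrolled, so adding or deleting a fingerprint changes the value.
function enrollmentDigest(templates) {
  const h = crypto.createHash('sha256');
  for (const t of [...templates].sort()) h.update(`${t.length}:${t}`);
  return h.digest();
}

class TerminalSystem {
  constructor(enrolledTemplates) {
    this.enrolled = new Set(enrolledTemplates); // locally registered biometrics
    this.keys = null;                           // key pair held in the TEE
    this.card = null;                           // bank card information in the TEE
  }

  // Card entry: second identity verification, key generation, storage.
  // Returns what the client uploads to the server.
  register(presented, cardInfo) {
    if (!this.enrolled.has(presented)) throw new Error('second identity verification failed');
    this.keys = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.card = cardInfo;
    return {
      digest: enrollmentDigest(this.enrolled), // first encrypted verification information
      publicKeyPem: this.keys.publicKey.export({ type: 'spki', format: 'pem' }),
    };
  }

  // Steps 605-608: first identity verification, then sign digest + challenge.
  signChallenge(presented, challenge) {
    if (!this.enrolled.has(presented)) return null;
    const digest = enrollmentDigest(this.enrolled); // second encrypted verification information
    const signature = crypto.sign('sha256', Buffer.concat([digest, challenge]), this.keys.privateKey);
    return { digest, challenge, signature };
  }

  // Steps 613-614: the card leaves the TEE only after the server's pass message.
  releaseCard(passed) { return passed ? this.card : null; }
}

class Server {
  constructor() { this.record = null; this.outstanding = new Set(); }

  enroll({ digest, publicKeyPem }) {
    this.record = { digest, publicKey: crypto.createPublicKey(publicKeyPem) };
  }

  issueChallenge() { // step 603
    const c = crypto.randomBytes(32);
    this.outstanding.add(c.toString('hex'));
    return c;
  }

  verify({ digest, challenge, signature }) { // steps 610-611
    // The challenge must be one this server issued and has not yet consumed.
    if (!this.outstanding.delete(challenge.toString('hex'))) return 'challenge-mismatch';
    const signed = Buffer.concat([digest, challenge]);
    if (!crypto.verify('sha256', signed, this.record.publicKey, signature)) return 'bad-signature';
    const same = digest.length === this.record.digest.length &&
      crypto.timingSafeEqual(digest, this.record.digest);
    return same ? 'pass' : 'enrollment-changed';
  }
}

function runDemo() {
  const terminal = new TerminalSystem(['thumb-template', 'index-template']);
  const server = new Server();
  server.enroll(terminal.register('thumb-template', { pan: '0000 0000 0000 0000 (constructed)' }));

  const results = {};
  // Normal payment with any enrolled finger.
  let resp = terminal.signChallenge('index-template', server.issueChallenge());
  results.normal = server.verify(resp);
  results.card = terminal.releaseCard(results.normal === 'pass');
  // The same signature result sent again: its challenge is no longer outstanding.
  results.replay = server.verify(resp);
  // A fingerprint is added after the card was registered: the digest no longer matches.
  terminal.enrolled.add('added-template');
  resp = terminal.signChallenge('added-template', server.issueChallenge());
  results.afterEnrollmentChange = server.verify(resp);
  results.cardAfterChange = terminal.releaseCard(results.afterEnrollmentChange === 'pass');
  // A finger that is not enrolled fails the local verification, nothing is signed.
  results.unenrolled = terminal.signChallenge('unknown-template', server.issueChallenge());
  return results;
}

console.log(runDemo());
```

In the `enrollment-changed` case the signature itself is valid; the rejection comes from comparing the signed digest with the one uploaded at card entry, which is what forces the user to re-enter the card.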
Corresponding to the foregoing embodiments of the method for implementing MOTOpay, this specification also provides embodiments of an apparatus for implementing MOTOpay.
The embodiments of the apparatus for implementing MOTOpay in this specification can be applied to an electronic device. The apparatus embodiments can be implemented in software, in hardware, or in a combination of software and hardware. Taking a software implementation as an example, the apparatus in a logical sense is formed by the processor of the electronic device where it is located reading the corresponding computer program instructions from non-volatile memory into memory and running them. At the hardware level, FIG. 7 shows a hardware structure diagram of the electronic device in which the apparatus for implementing MOTOpay of this specification is located. In addition to the processor, memory, network interface, and non-volatile memory shown in FIG. 7, the electronic device in which the apparatus is located may include other hardware according to its actual functions, which is not described further here.
Refer to FIG. 8, which is a block diagram of an apparatus for implementing MOTOpay according to an exemplary embodiment of this specification. The apparatus is applied to a client that supports MOTOpay payment and is installed on a terminal, and includes: a sending module 801, configured to send a first system call request to the terminal system in response to a payment request triggered by a user, so that the terminal system, in response to the first system call request, performs first identity verification on the user and, after the user passes the first identity verification, obtains the stored bank card information from the trusted execution environment (TEE) and returns the bank card information to the client; and an execution module 802, configured to execute the payment request based on the returned bank card information.
Optionally, the sending module 801 is configured to send a second system call request to the terminal system after obtaining the bank card information entered by the user for MOTOpay payment, so that the terminal system, in response to the second system call request, performs second identity verification on the user and, after the user passes the second identity verification, stores the bank card information in the TEE.
Optionally, the TEE further includes a public key and a private key generated by the terminal system after the user passes the second identity verification. The apparatus further includes an upload module (not shown in FIG. 8), configured to upload the first encrypted verification information and the public key to the server upon receiving them from the terminal system; the first encrypted verification information is obtained by encrypting the verification information of the second identity verification. A receiving module (not shown in FIG. 8) is configured to receive the challenge code issued by the server after the user triggers the payment request and send the challenge code to the terminal system, so that the terminal system, after the user passes the first identity verification, obtains the verification information used for the first identity verification, encrypts it to obtain the second encrypted verification information, and signs the second encrypted verification information and the challenge code with the private key. The upload module is further configured to receive the signature result sent by the terminal system and send it to the server for verification, so that the terminal system obtains the stored bank card information from the TEE when the signature result passes verification.
Refer to FIG. 9, which is a block diagram of another apparatus for implementing MOTOpay according to an exemplary embodiment of this specification. The apparatus is applied to the terminal system of a terminal on which a client supporting MOTOpay payment is installed, and includes: a verification module 901, configured to perform first identity verification on the user in response to a first system call request sent by the client; an obtaining module 902, configured to obtain the stored bank card information from the TEE after the user passes the first identity verification; and a return module 903, configured to return the bank card information to the client, so that the client executes the payment request triggered by the user based on the bank card information.
Optionally, the verification module is further configured to perform second identity verification on the user in response to a second system call request sent by the client; the second system call request is sent by the client after it obtains the bank card information entered by the user for MOTOpay payment. The apparatus further includes a storage module (not shown in FIG. 9), configured to store the bank card information in the TEE after the user passes the second identity verification.
Optionally, when storing the bank card information in the TEE, the storage module is configured to generate a public key and a private key in the TEE after the user passes the second identity verification, encrypt the bank card information with the public key, and store the encrypted bank card information in the TEE. When obtaining the stored encrypted bank card information from the TEE, the obtaining module 902 is configured to decrypt the encrypted bank card information with the private key corresponding to the client to obtain the bank card information.
Optionally, the apparatus further includes an encryption module (not shown in FIG. 9), configured to, after the public key and private key are generated, obtain the verification information used for the second identity verification and encrypt it to obtain the first encrypted verification information, and upload the first encrypted verification information and the public key through the client to the server for storage. The apparatus further includes a signature module (not shown in FIG. 9), configured to, after the user passes the first identity verification, obtain the verification information used for the first identity verification and encrypt it to obtain the second encrypted verification information, sign the second encrypted verification information and the challenge code with the private key, and send the signature result through the client to the server for verification; the challenge code is issued by the server after the user triggers the payment request. When obtaining the stored bank card information from the TEE, the obtaining module 902 is configured to obtain it when the signature result passes verification.
Optionally, when storing the bank card information in the TEE, the storage module is configured to obtain the identifier of the identity information used for the second identity verification, yielding a first identifier, and store the bank card information in the TEE in association with the first identifier. When obtaining the stored bank card information from the TEE, the obtaining module 902 is configured to obtain the identifier of the identity information used for the first identity verification, yielding a second identifier, and obtain from the TEE the bank card information associated with the second identifier.
Optionally, the apparatus further includes: a setting module (not shown in FIG. 9), configured to set an aging duration for the bank card information stored in the TEE; and a deletion module (not shown in FIG. 9), configured to delete the bank card information when it detects that the aging duration of the bank card information stored in the TEE has been reached, or to delete the bank card information when it detects that the usage of the bank card information has reached a preset usage condition.
This specification also provides an electronic device, including: a processor; and a memory for storing instructions executable by the processor. The processor implements the above method for implementing MOTOpay by running the executable instructions.
This specification also provides a computer-readable storage medium storing computer instructions which, when executed by a processor, implement the above method for implementing MOTOpay.
In practical applications, when a user performs identity authentication through a terminal device, for example when logging in to an APP, the user must enter identity information, and the APP's back-end server authenticates that identity information before login to the APP is allowed. However, the user has to enter the user authentication information at every login, which reduces login efficiency and is inconvenient for the user.
In view of this, this specification provides a method for implementing identity authentication, so that a user performing identity authentication does not need to enter user authentication information and only needs to provide a biometric such as a fingerprint.
The implementation of identity authentication provided in this specification is described in detail below in two parts: the storage process of user authentication information, and the identity authentication process.
1. Storage process of user authentication information
Refer to FIG. 10, which is a flowchart of a method for storing user authentication information according to an exemplary embodiment of this specification. The method can be applied to a terminal. The terminal may include a client and a terminal system. The terminal may be a PC, a mobile terminal, and so on. For example, a mobile terminal may be the user's mobile phone, iPad, notebook computer, palmtop computer, and so on. The terminal and the mobile terminal are not specifically limited here.
The method may include the following steps.
Step 1002: After obtaining the user authentication information entered by the user for identity authentication, the client invokes the terminal system to perform second local identity verification on the user.
User authentication information includes the user's certificate number and the user's private identity information, such as user name and password. This is only an illustrative description of user authentication information and does not specifically limit it.
When logging in to the application for the first time, the user can enter the user authentication information on the client of the terminal. After obtaining the user authentication information, the client can send a second system call request to the terminal system. In response to the second system call request, the terminal system can obtain the user information of the user and perform the second local identity verification on the user based on that user information and the locally stored verification information.
User information may include the user's biometric information, such as the user's fingerprint, facial features, and iris features. This is only an illustrative description of user information and does not specifically limit it.
The terminal system locally stores the verification information registered by the user, such as the user's registered biometric information, for example registered fingerprints, facial features, and iris features. This is only an illustrative description of the verification information stored locally in the terminal system and does not specifically limit it.
When performing the second local identity verification on the user based on the identity information and the locally stored verification information, the terminal system can check whether the user's identity information matches the verification information stored in the terminal system. If they match, the user passes the second local identity verification; if they do not match, the user fails the second local identity verification.
Step 1004: After the user passes the second local identity verification, the terminal system stores the user authentication information in the TEE.
Several ways of storing user authentication information in the TEE are described below.
Method 1: When storing the user authentication information in the TEE, the terminal system can store only the user authentication information, so that any of the user's biometrics can retrieve the user authentication information in the TEE.
Taking fingerprints as an example, suppose the terminal system holds the user's thumb fingerprint and index finger fingerprint, and the user authentication information entered by the user is an ID number. The terminal system can store only the user authentication information in the TEE. In subsequent identity authentication, whether the user presents the thumb fingerprint or the index finger fingerprint for the first local identity verification, what is retrieved is the ID number stored in the TEE.
Method 2: The terminal system can obtain the identifier of the biometric used for the second local identity verification, yielding a first identifier. The terminal system can then store the encrypted user authentication information in the TEE in association with the first identifier.
Such associated storage binds each of the user's biometric identifiers to a different piece of user authentication information. In subsequent identity authentication, different user authentication information can be retrieved depending on which of the user's biometrics is presented.
For example, the user's biometrics include a thumb fingerprint and an index finger fingerprint, and the user authentication information includes the user's ID number and the user's social security card number. In this example, the thumb fingerprint is stored in the TEE in association with the user's ID number, and the index finger fingerprint is stored in the TEE in association with the user's social security card number. During identity authentication, presenting the thumb fingerprint retrieves the user's ID number for identity authentication, and presenting the index finger fingerprint retrieves the user's social security card number for identity authentication.
To ensure the security of the user authentication information, whether it is stored in the TEE directly or in association with the identifier of the biometric used for the second local identity verification, the terminal system can encrypt the user authentication information with the generated public key and store the encrypted user authentication information in the TEE in either of the two ways above.
Specifically, to safeguard the user authentication information, the terminal system may generate a key pair consisting of a public key and a private key. The generated key pair may correspond to the client or to the user; the correspondence is not specifically limited here. When the key pair is bound to the client, other clients cannot access it. When the key pair is bound to the user, other users of the client and other clients cannot access it, which ensures the security of the user authentication information. The terminal system can encrypt the user authentication information with the public key and store the encrypted user authentication information in the TEE.
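The two storage methods described above (one shared record versus a record bound to a biometric identifier), together with the aging duration and usage-based deletion described for the deletion module, as an added example that is not code from the patent: a Node.js in-memory stand-in for TEE storage. Assumptions: RSA-OAEP for the public-key encryption, a maximum use count as the "preset usage condition", and all names, identifiers and stored values are hypothetical or constructed.

```javascript
// Added illustration (not from the patent): an in-memory stand-in for TEE storage.
// A real TEE keeps the private key and the records inside the secure world.
// Assumed: RSA-OAEP encryption, a use-count limit as the "preset usage condition".
const crypto = require('node:crypto');

const SHARED = '*'; // slot used when the record is not bound to one biometric
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

class TeeStore {
  constructor({ maxAgeMs, maxUses }) {
    // Key pair generated after the second local identity verification.
    const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
    this.publicKey = publicKey;
    this.privateKey = privateKey;
    this.maxAgeMs = maxAgeMs; // aging duration
    this.maxUses = maxUses;   // usage condition (assumed to be a count)
    this.records = new Map(); // slot -> { blob, storedAt, uses }
  }

  // biometricId === null: shared record, any enrolled biometric retrieves it.
  // biometricId given: the record is bound to that identifier (the first identifier).
  store(info, biometricId, now) {
    const blob = crypto.publicEncrypt({ key: this.publicKey, ...OAEP }, Buffer.from(info, 'utf8'));
    const slot = biometricId === null ? SHARED : `bio:${biometricId}`;
    this.records.set(slot, { blob, storedAt: now, uses: 0 });
  }

  // verifiedBiometricId is the identifier of the biometric that just passed the
  // first local identity verification (the second identifier).
  fetch(verifiedBiometricId, now) {
    for (const slot of [`bio:${verifiedBiometricId}`, SHARED]) {
      const rec = this.records.get(slot);
      if (!rec) continue;
      if (now - rec.storedAt >= this.maxAgeMs) { // aging duration reached: delete
        this.records.delete(slot);
        continue;
      }
      const info = crypto.privateDecrypt({ key: this.privateKey, ...OAEP }, rec.blob).toString('utf8');
      rec.uses += 1;
      if (rec.uses >= this.maxUses) this.records.delete(slot); // usage condition reached
      return info;
    }
    return null;
  }
}

function runDemo() {
  const t0 = 1_000_000; // constructed clock value in milliseconds

  // Shared record: one value, retrievable with any enrolled finger.
  const shared = new TeeStore({ maxAgeMs: 60_000, maxUses: 2 });
  shared.store('ID-NUMBER-PLACEHOLDER', null, t0);

  // Bound records: each finger retrieves its own value.
  const bound = new TeeStore({ maxAgeMs: 60_000, maxUses: 2 });
  bound.store('ID-NUMBER-PLACEHOLDER', 'thumb', t0);
  bound.store('SOCIAL-SECURITY-PLACEHOLDER', 'index', t0);

  return {
    sharedThumb: shared.fetch('thumb', t0 + 1),
    sharedIndex: shared.fetch('index', t0 + 2),      // second use, record deleted afterwards
    sharedAfterLimit: shared.fetch('thumb', t0 + 3), // nothing left to return
    boundThumb: bound.fetch('thumb', t0 + 1),
    boundIndex: bound.fetch('index', t0 + 1),
    boundOther: bound.fetch('ring', t0 + 1),         // no record bound to this identifier
    boundExpired: bound.fetch('thumb', t0 + 60_000), // aged out and deleted
    boundRemaining: bound.records.size,
  };
}

console.log(runDemo());
```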
2. Identity authentication
Refer to FIG. 11, which is a flowchart of a method for implementing authentication according to an exemplary embodiment of this specification. The method can be applied to a terminal. The terminal may include a client and a terminal system.
The method may include the following steps.
Step 1102: In response to an identity authentication request triggered by the user, the client invokes the terminal system to perform first local identity verification on the user.
In implementation, after the client detects the identity authentication request triggered by the user, it can send a second system call message to the terminal system in response to the identity authentication request.
In response to the second system call message, the terminal system can obtain the biometric presented by the user through the TUI and perform the first local identity verification on the user based on that biometric and the locally stored verification information.
When performing the first local identity verification on the user based on the biometric, the terminal system can check whether the user's biometric matches the verification information stored in the terminal system. If they match, the first local identity verification passes; if they do not match, the first local identity verification fails.
Step 1104: After the user passes the first local identity verification, the terminal system obtains the stored user authentication information from the trusted execution environment (TEE) and returns the user authentication information to the client.
Corresponding to step 1004 above, step 1104 can be implemented in several ways.
Method 1: When the terminal system, after determining that the user has passed the second local identity verification, stored only the user authentication information entered by the user in the TEE, step 1104 may be: after determining that the user has passed the first local identity verification, the terminal system obtains the user authentication information directly from the TEE and returns it to the client.
Taking fingerprints as an example, suppose the terminal system holds the user's thumb fingerprint and index finger fingerprint. The user performs the second local identity verification with the thumb fingerprint, and after determining that the user has passed, the terminal system stores only the ID number entered by the user in the TEE.
In subsequent payments, whether the user presents the thumb fingerprint or the index finger fingerprint for the first local identity verification, what the terminal system obtains from the TEE after the first local identity verification passes is the user's ID number.
Method 2: When the terminal system, after determining that the user has passed the second local identity verification, stored the identifier of the biometric used for the second local identity verification in the TEE in association with the user authentication information, step 1104 is implemented as follows: the terminal system obtains the identifier of the biometric used for the first local identity verification, yielding a second identifier, and obtains from the TEE the user authentication information associated with the second identifier.
For example, the user's biometrics include a thumb fingerprint and an index finger fingerprint, and the user authentication information includes the user's ID number and the user's social security card number.
In this example, the thumb fingerprint is stored in the TEE in association with the user's ID number, and the index finger fingerprint is stored in the TEE in association with the user's social security card number. During identity authentication, presenting the thumb fingerprint retrieves the user's ID number for identity authentication, and presenting the index finger fingerprint retrieves the user's social security card number for identity authentication.
In addition, to ensure the security of the user authentication information, whether it is stored in the TEE directly or in association with the identifier of the biometric used for the second local identity verification, the terminal system can encrypt the user authentication information with the generated public key and store the encrypted user authentication information in the TEE in either of the two ways above.
Similarly, whether the user authentication information is obtained from the TEE directly or obtained as the information corresponding to the identifier of the biometric used for the first identity authentication, if what the terminal system obtains from the TEE is encrypted user authentication information, it can decrypt it with the private key and return the decrypted user authentication information to the client.
Step 1106: The client executes the identity authentication request based on the returned user authentication information.
When executing the identity authentication request, the client can generate an identity authentication message based on the user authentication information and send the identity authentication message to the server, which performs the identity authentication.
在本说明书实施例中,为了保证用户认证信息的安全,当用户新增或者删除生物特征(比如指纹)时,用户都要重新输入用户认证信息。为了实现该“用户新增或者删除生物特征时,用户都要重新输入用户认证信息”的功能,可采用如下方式实现。In the embodiments of this specification, in order to ensure the security of user authentication information, when a user adds or deletes a biometric feature (such as a fingerprint), the user must re-enter the user authentication information. In order to realize the function of "the user has to re-enter user authentication information when adding or deleting biometrics," the following methods can be used.
In implementation, after generating the public key and the private key, the terminal system can obtain the verification information used for the second local identity verification. In other words, the terminal system can obtain the registered user biometric features currently stored locally.
Then, the terminal system can apply encryption processing to the verification information of the second local identity verification to obtain the first encrypted verification information. For example, the terminal system may calculate the hash value of the verification information of the second local identity verification and use that hash value as the first encrypted verification information. The terminal system can also use other encryption processing methods, which are not specifically limited here.
The terminal system may send the first encrypted verification information and the public key to the client, and the client may send the first encrypted verification information and the public key to the server for storage.
After the user triggers the identity authentication request, the client can receive the challenge code issued by the server. The client may, after detecting the user's identity authentication request, send a challenge code acquisition request to the server, so that the server issues the challenge code to the client in response to that request. The server may also issue the challenge code at another time after the user triggers the identity authentication request, which is not specifically limited here.
After the user triggers the identity authentication request, the client can send the first system call request to the terminal system, and the terminal system can perform the first local identity verification on the user. After the user passes the first local identity verification, the terminal system can obtain the verification information of the first local identity verification. In other words, the terminal system can obtain the registered user biometric features currently stored locally.
Then, the terminal system can apply encryption processing to the verification information of the first local identity verification to obtain the second encrypted verification information. For example, the terminal system may calculate the hash value of the verification information of the first local identity verification and use that hash value as the second encrypted verification information. The terminal system can also use other encryption processing methods, which are not specifically limited here.
The terminal system uses the private key to sign the second encrypted verification information and the challenge code, and sends the signature result to the client. The client sends the signature result to the server, so that the server verifies the signature result.
When verifying the signature result, the server can use the previously stored public key to decrypt the signature to obtain the second encrypted verification information and the challenge code.
The server can check whether the second encrypted verification information is consistent with the previously stored first encrypted verification information, and whether the decrypted challenge code is consistent with the issued challenge code.
If the second encrypted verification information is consistent with the previously stored first encrypted verification information, and the decrypted challenge code is consistent with the issued challenge code, the server returns to the client a message indicating that the signature result has passed. The client can send this message to the terminal system; on receiving it, the terminal system can determine that the signature result has passed and execute the above step of obtaining the stored user authentication information from the TEE.
If the second encrypted verification information is inconsistent with the previously stored first encrypted verification information, and/or the decrypted challenge code is inconsistent with the issued challenge code, the server returns to the client a message indicating that the signature result has not passed. The client can send this message to the terminal system; on receiving it, the terminal system can determine that the signature result has not passed, and the terminal system does not execute the above step of obtaining the stored user authentication information from the TEE. Optionally, on receiving the message that the signature result has not passed, the terminal system may also delete the stored user authentication information from the TEE.
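The registration and challenge-signing exchange described above can be modelled end to end as follows. This is an added example, not code from the specification; it assumes ECDSA P-256 with SHA-256, uses template IDs as a stand-in for the biometric verification information, and sends the digest alongside the signature so the server verifies it rather than "decrypting" it. All type and function names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Terminal stands in for the terminal system and its TEE (hypothetical model).
type Terminal struct {
	priv     *ecdsa.PrivateKey // generated in the TEE at registration
	enrolled []string          // IDs of locally registered biometric templates
	secret   []byte            // user authentication information held in the TEE
}

// Server holds what was uploaded at registration plus the live challenge.
type Server struct {
	pub       *ecdsa.PublicKey
	regDigest [32]byte // "first encrypted verification information"
	challenge []byte   // outstanding challenge code, single use
}

// enrollmentDigest hashes the sorted template IDs (assumed to contain no NUL).
func enrollmentDigest(ids []string) [32]byte {
	s := append([]string(nil), ids...)
	sort.Strings(s)
	return sha256.Sum256([]byte(strings.Join(s, "\x00")))
}

func signedBytes(d [32]byte, challenge []byte) []byte { // SHA-256(digest || challenge)
	h := sha256.Sum256(append(d[:], challenge...))
	return h[:]
}

// Register creates the key pair and uploads public key and enrollment digest.
func Register(ids []string, secret []byte) (*Terminal, *Server, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	t := &Terminal{priv: priv, enrolled: append([]string(nil), ids...), secret: secret}
	return t, &Server{pub: &priv.PublicKey, regDigest: enrollmentDigest(ids)}, nil
}

// IssueChallenge replaces any outstanding challenge with a fresh random one.
func (s *Server) IssueChallenge() []byte {
	s.challenge = make([]byte, 32)
	if _, err := rand.Read(s.challenge); err != nil {
		panic(err) // never continue with a predictable challenge
	}
	return s.challenge
}

// Verify consumes the challenge, checks the signature, then compares digests.
func (s *Server) Verify(digest [32]byte, sig []byte) bool {
	c := s.challenge
	s.challenge = nil
	if c == nil || !ecdsa.VerifyASN1(s.pub, signedBytes(digest, c), sig) {
		return false
	}
	return digest == s.regDigest
}

// Sign runs in the TEE after the local biometric check (not modelled) passes.
// The digest it returns is the "second encrypted verification information".
func (t *Terminal) Sign(challenge []byte) ([32]byte, []byte, error) {
	d := enrollmentDigest(t.enrolled)
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, signedBytes(d, challenge))
	return d, sig, err
}

// Authenticate runs one round and releases the stored secret only on a pass.
func Authenticate(t *Terminal, s *Server) ([]byte, error) {
	d, sig, err := t.Sign(s.IssueChallenge())
	if err != nil {
		return nil, err
	}
	if !s.Verify(d, sig) {
		t.secret = nil // optional deletion step described in the text
		return nil, errors.New("signature result not passed")
	}
	return t.secret, nil
}

func main() {
	t, s, err := Register([]string{"finger-1"}, []byte("constructed-secret"))
	if err != nil {
		panic(err)
	}
	_, before := Authenticate(t, s)
	t.enrolled = append(t.enrolled, "finger-2") // a new fingerprint is enrolled
	_, after := Authenticate(t, s)
	fmt.Println("unchanged:", before, "| after enrollment change:", after)
}
```

Because the server compares against the digest it stored at registration, a template added or removed on the device afterwards is rejected even though the signing key is unchanged, and consuming the challenge in `Verify` makes a captured signature useless for a later attempt.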
As the above description shows, in this specification a user performing identity authentication only needs to press a fingerprint or the like to complete the identity authentication. Authorizing retrieval of the user authentication information stored on the terminal by means of user information (such as the user's fingerprint) safeguards the security of the user authentication information.
For the implementation of the functions and roles of each unit in the above device, see the implementation of the corresponding steps in the above method; details are not repeated here.
As the device embodiments basically correspond to the method embodiments, refer to the description of the method embodiments for the relevant points. The device embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution in this specification. Those of ordinary skill in the art can understand and implement it without creative effort.
The systems, devices, modules, or units described in the foregoing embodiments may be implemented by computer chips or entities, or by products with certain functions. A typical implementation device is a computer, which may take the form of a personal computer, a laptop computer, a cellular phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email sending and receiving device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
The above are only preferred embodiments of this specification and are not intended to limit it. Any modification, equivalent replacement, or improvement made within the spirit and principles of this specification shall fall within the scope of protection of this specification.

Claims (31)

  1. A method for implementing MOTOpay, applied to a terminal loaded with a client that supports MOTOpay payment, the method including:
    In response to a payment request triggered by a user, the client invokes the terminal system to perform a first identity verification on the user;
    After the user passes the first identity verification, the terminal system obtains the stored bank card information from the trusted execution environment TEE, and returns the bank card information to the client;
    The client executes the payment request based on the returned bank card information.
  2. The method according to claim 1, further including:
    After obtaining the bank card information input by the user for MOTOpay payment, the client invokes the terminal system to perform a second identity verification on the user;
    The terminal system stores the bank card information in the TEE after the user passes the second identity verification.
  3. The method according to claim 2, wherein the storing of the bank card information in the TEE includes:
    After the user passes the second identity verification, generating a public key and a private key in the TEE;
    Encrypting the bank card information with the public key, and storing the encrypted bank card information in the TEE;
    The obtaining of the stored bank card information from the trusted execution environment TEE includes:
    Obtaining the stored encrypted bank card information from the TEE;
    Decrypting the encrypted bank card information with the private key corresponding to the client to obtain the bank card information.
  4. The method according to claim 3, further including:
    After generating the public key and the private key, the terminal system obtains the verification information used for the second identity verification, and applies encryption processing to the verification information to obtain first encrypted verification information;
    The terminal system uploads the first encrypted verification information and the public key to the server through the client for storage;
    The method further includes:
    The client receives the challenge code issued by the server after the user triggers the payment request;
    After the user passes the first identity verification, the terminal system obtains the verification information used for the first identity verification, and applies encryption processing to the verification information to obtain second encrypted verification information;
    The terminal system uses the private key to sign the second encrypted verification information and the challenge code, and sends the signature result to the server through the client, so that the server verifies the signature result;
    The obtaining of the stored bank card information from the trusted execution environment TEE includes:
    When the signature result passes verification, obtaining the stored bank card information from the TEE.
  5. The method according to claim 2, wherein the storing of the bank card information in the TEE includes:
    The terminal system obtains the identifier of the identity information used for the second identity verification, yielding a first identifier;
    The terminal system stores the bank card information in the TEE in association with the first identifier;
    The obtaining of the stored bank card information from the trusted execution environment TEE includes:
    The terminal system obtains the identifier of the identity information used for the first identity verification, yielding a second identifier, and obtains from the TEE the bank card information associated with the second identifier.
  6. The method according to claim 2, further including:
    The terminal system sets an aging duration for the bank card information stored in the TEE;
    The terminal system deletes the bank card information when it detects that the aging duration of the bank card information stored in the TEE has been reached;
    or,
    The terminal system deletes the bank card information when it detects that the usage of the bank card information meets a preset usage condition;
    or,
    When the client receives a deletion instruction from the user, it invokes the terminal system to delete the bank card information.
  7. The method according to claim 1, wherein the bank card information includes at least one of the following: bank card number, name, card validity period, and CVV code.
  8. A method for implementing MOTOpay, applied to a client that supports MOTOpay payment and is carried on a terminal, the method including:
    In response to a payment request triggered by a user, sending a first system call request to the terminal system, so that the terminal system, in response to the first system call request, performs a first identity verification on the user and, after the user passes the first identity verification, obtains the stored bank card information from the trusted execution environment TEE and returns the bank card information to the client;
    Executing the payment request based on the returned bank card information.
  9. The method according to claim 8, further including:
    After obtaining the bank card information input by the user for MOTOpay payment, sending a second system call request to the terminal system, so that the terminal system, in response to the second system call request, performs a second identity verification on the user and, after the user passes the second identity verification, stores the bank card information in the TEE.
  10. The method according to claim 9, wherein the TEE further includes: a public key and a private key generated by the user terminal system after the user passes the second identity verification;
    The method further includes:
    On receiving the first encrypted verification information and the public key sent by the terminal system, uploading the first encrypted verification information and the public key to the server; the first encrypted verification information is obtained by applying encryption processing to the verification information of the second identity verification;
    Receiving the challenge code issued by the server after the user triggers the payment request, and sending the challenge code to the terminal system, so that the terminal system, after the user passes the first identity verification, obtains the verification information used for the first identity verification, applies encryption processing to the verification information to obtain second encrypted verification information, and uses the private key to sign the second encrypted verification information and the challenge code;
    Receiving the signature result sent by the terminal system, and sending the signature result to the server, so that the server verifies the signature result, so as to trigger the terminal system to obtain the stored bank card information from the TEE when the signature result passes verification.
  11. A method for implementing MOTOpay, applied to the terminal system of a terminal, the terminal carrying a client that supports MOTOpay payment, the method including:
    In response to the first system call request sent by the client, performing a first identity verification on the user;
    After the user passes the first identity verification, obtaining the stored bank card information from the TEE;
    Returning the bank card information to the client, so that the client executes the payment request triggered by the user based on the bank card information.
  12. The method according to claim 11, further including:
    In response to a second system call request sent by the client, performing a second identity verification on the user; the second system call request is sent by the client after it obtains the bank card information input by the user for MOTOpay payment;
    After the user passes the second identity verification, storing the bank card information in the TEE.
  13. The method according to claim 12, wherein the storing of the bank card information in the TEE includes:
    After the user passes the second identity verification, generating a public key and a private key in the TEE;
    Encrypting the bank card information with the public key, and storing the encrypted bank card information in the TEE;
    The obtaining of the stored bank card information from the TEE includes:
    Obtaining the stored encrypted bank card information from the TEE;
    Decrypting the encrypted bank card information with the private key corresponding to the client to obtain the bank card information.
  14. The method according to claim 12, further including:
    After generating the public key and the private key, obtaining the verification information used for the second identity verification, and applying encryption processing to the verification information to obtain first encrypted verification information;
    Uploading the first encrypted verification information and the public key to the server through the client for storage;
    The method further includes:
    After the user passes the first identity verification, obtaining the verification information used for the first identity verification, and applying encryption processing to the verification information to obtain second encrypted verification information;
    Using the private key to sign the second encrypted verification information and the received challenge code, and sending the signature result to the server through the client, so that the server verifies the signature result; the challenge code is issued by the server after the user triggers the payment request;
    The obtaining of the stored bank card information from the TEE includes:
    When the signature result passes verification, obtaining the stored bank card information from the TEE.
  15. The method according to claim 12, wherein the storing of the bank card information in the TEE includes:
    Obtaining the identifier of the identity information used for the second identity verification, yielding a first identifier;
    Storing the bank card information in the TEE in association with the first identifier;
    The obtaining of the stored bank card information from the TEE includes:
    Obtaining the identifier of the identity information used for the first identity verification, yielding a second identifier;
    Obtaining from the TEE the bank card information associated with the second identifier.
  16. The method according to claim 12, further including:
    Setting an aging duration for the bank card information stored in the TEE;
    Deleting the bank card information when it is detected that the aging duration of the bank card information stored in the TEE has been reached;
    or,
    Deleting the bank card information when it is detected that the usage of the bank card information meets a preset usage condition.
  17. A device for implementing MOTOpay, applied to a client that supports MOTOpay payment and is carried on a terminal, the device including:
    A sending module, configured to send a first system call request to the terminal system in response to a payment request triggered by a user, so that the terminal system, in response to the first system call request, performs a first identity verification on the user and, after the user passes the first identity verification, obtains the stored bank card information from the trusted execution environment TEE and returns the bank card information to the client;
    An execution module, configured to execute the payment request based on the returned bank card information.
  18. The device according to claim 17, wherein the sending module is configured to send a second system call request to the terminal system after obtaining the bank card information input by the user for MOTOpay payment, so that the terminal system, in response to the second system call request, performs a second identity verification on the user and, after the user passes the second identity verification, stores the bank card information in the TEE.
  19. The device according to claim 18, wherein the TEE further includes: a public key and a private key generated by the user terminal system after the user passes the second identity verification;
    The device further includes:
    An upload module, configured to upload the first encrypted verification information and the public key to the server on receiving the first encrypted verification information and the public key sent by the terminal system; the first encrypted verification information is obtained by applying encryption processing to the verification information of the second identity verification;
    A receiving module, configured to receive the challenge code issued by the server after the user triggers the payment request, and send the challenge code to the terminal system, so that the terminal system, after the user passes the first identity verification, obtains the verification information used for the first identity verification, applies encryption processing to the verification information to obtain second encrypted verification information, and uses the private key to sign the second encrypted verification information and the challenge code;
    The upload module is further configured to receive the signature result sent by the terminal system, and send the signature result to the server, so that the server verifies the signature result, so as to trigger the terminal system to obtain the stored bank card information from the TEE when the signature result passes verification.
  20. A device for implementing MOTOpay, applied to the terminal system of a terminal, the terminal carrying a client that supports MOTOpay payment, the device including:
    A verification module, configured to perform a first identity verification on the user in response to the first system call request sent by the client;
    An obtaining module, configured to obtain the stored bank card information from the TEE after the user passes the first identity verification;
    A return module, configured to return the bank card information to the client, so that the client executes the payment request triggered by the user based on the bank card information.
  21. The device according to claim 20, wherein the verification module is further configured to perform a second identity verification on the user in response to a second system call request sent by the client; the second system call request is sent by the client after it obtains the bank card information input by the user for MOTOpay payment;
    The device further includes:
    A storage module, configured to store the bank card information in the TEE after the user passes the second identity verification.
  22. The device according to claim 21, wherein the storage module, when storing the bank card information in the TEE, is configured to generate a public key and a private key in the TEE after the user passes the second identity verification; encrypt the bank card information with the public key, and store the encrypted bank card information in the TEE;
    The obtaining module, when obtaining the stored bank card information from the TEE, is configured to obtain the stored encrypted bank card information from the TEE; and decrypt the encrypted bank card information with the private key corresponding to the client to obtain the bank card information.
  23. The device according to claim 21, further including:
    An encryption module, configured to obtain the verification information used for the second identity verification after the public key and the private key are generated, and apply encryption processing to the verification information to obtain first encrypted verification information; and upload the first encrypted verification information and the public key to the server through the client for storage;
    The device further includes:
    A signature module, configured to obtain the verification information used for the first identity verification after the user passes the first identity verification, and apply encryption processing to the verification information to obtain second encrypted verification information; use the private key to sign the second encrypted verification information and the received challenge code, and send the signature result to the server through the client, so that the server verifies the signature result; the challenge code is issued by the server after the user triggers the payment request;
    The obtaining module, when obtaining the stored bank card information from the TEE, is configured to obtain the stored bank card information from the TEE when the signature result passes verification.
  24. The device according to claim 21, wherein the storage module, when storing the bank card information in the TEE, is configured to obtain the identifier of the identity information used for the second identity verification, yielding a first identifier; and store the bank card information in the TEE in association with the first identifier;
    The obtaining module, when obtaining the stored bank card information from the TEE, is configured to obtain the identifier of the identity information used for the first identity verification, yielding a second identifier; and obtain from the TEE the bank card information associated with the second identifier.
  25. The device according to claim 21, further including:
    A setting module, configured to set an aging duration for the bank card information stored in the TEE;
    A deletion module, configured to delete the bank card information when it is detected that the aging duration of the bank card information stored in the TEE has been reached; or to delete the bank card information when it is detected that the usage of the bank card information meets a preset usage condition.
  26. An electronic device, including:
    A processor;
    A memory for storing processor-executable instructions;
    Wherein the processor implements the method according to any one of claims 1-7 by running the executable instructions.
  27. A method for implementing identity authentication, applied to a terminal loaded with a client, the method including:
    In response to an identity authentication request triggered by a user, the client invokes the terminal system to perform a first local identity verification on the user;
    After the user passes the first local identity verification, the terminal system obtains the stored user authentication information from the trusted execution environment TEE, and returns the user authentication information to the client;
    The client executes the identity authentication request based on the returned user authentication information.
  28. The method according to claim 27, further including:
    After obtaining the user authentication information input by the user for identity authentication, the client invokes the terminal system to perform a second local identity verification on the user;
    The terminal system stores the user authentication information in the TEE after the user passes the second local identity verification.
  29. The method according to claim 28, wherein the storing of the user authentication information in the TEE includes:
    After the user passes the second local identity verification, generating a public key and a private key in the TEE;
    Encrypting the user authentication information with the public key, and storing the encrypted user authentication information in the TEE;
    The obtaining of the stored user authentication information from the trusted execution environment TEE includes:
    Obtaining the stored encrypted user authentication information from the TEE;
    Decrypting the encrypted user authentication information with the private key corresponding to the client to obtain the user authentication information.
  30. The method according to claim 29, further comprising:
    After generating the public key and the private key, the terminal system obtains the verification information used for the second local identity verification and encrypts the verification information to obtain first encrypted verification information;
    The terminal system uploads the first encrypted verification information and the public key to the server, through the client, for storage;
    The method further comprising:
    The client receives a challenge code issued by the server after the user triggers the identity authentication request;
    After the user passes the first local identity verification, the terminal system obtains the verification information used for the first local identity verification and encrypts the verification information to obtain second encrypted verification information;
    The terminal system signs the second encrypted verification information and the challenge code with the private key, and sends the signature result to the server through the client, so that the server verifies the signature result;
    And wherein obtaining the stored user authentication information from the trusted execution environment TEE comprises:
    When the signature result passes verification, obtaining the stored user authentication information from the TEE.
  31. The method according to claim 28, wherein storing the user authentication information in the TEE comprises:
    The terminal system obtains the identifier of the identity information used for the second local identity verification as a first identifier;
    The terminal system stores the user authentication information in the TEE in association with the first identifier;
    And wherein obtaining the stored user authentication information from the trusted execution environment TEE comprises:
    The terminal system obtains the identifier of the biometric feature used for the first local identity verification as a second identifier, and obtains from the TEE the user authentication information associated with the second identifier.
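
The challenge-response gate of claim 30, as an added Go sketch that is not code from the patent: the server accepts a login only if the signature covers its own outstanding challenge code and the verification digest it stored at enrollment. Ed25519 signing, SHA-256 as the "encryption" of the verification information, and every type and function name are assumptions (the claims name no algorithm); claim 29's encryption of the stored credential is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// TEE and Server are hypothetical stand-ins for the parties in claims 27 and 30.
type TEE struct {
	priv ed25519.PrivateKey // generated inside the TEE, never exported
	cred []byte             // stored user authentication information (constructed)
}
type Server struct {
	pub       ed25519.PublicKey
	enrolled  [32]byte // enrollment-time verification info, modelled as SHA-256 (assumption)
	challenge []byte   // outstanding single-use challenge code
}

// Enroll generates the key pair and uploads the public key and digest to the server.
func Enroll(cred, verif []byte) (*TEE, *Server, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &TEE{priv, cred}, &Server{pub: pub, enrolled: sha256.Sum256(verif)}, err
}
func (s *Server) NewChallenge() []byte {
	s.challenge = make([]byte, 16)
	rand.Read(s.challenge)
	return s.challenge
}

// Sign binds the digest of the fresh verification info to the challenge code.
func (t *TEE) Sign(verif, ch []byte) []byte {
	d := sha256.Sum256(verif)
	return ed25519.Sign(t.priv, append(d[:], ch...))
}

// Verify rebuilds the expected message from server state and consumes the challenge.
func (s *Server) Verify(sig []byte) bool {
	defer func() { s.challenge = nil }()
	return s.challenge != nil && ed25519.Verify(s.pub, append(s.enrolled[:], s.challenge...), sig)
}

// Login releases the credential only after the server accepts the signed response.
func Login(t *TEE, s *Server, verif []byte) (string, error) {
	if !s.Verify(t.Sign(verif, s.NewChallenge())) {
		return "", fmt.Errorf("server rejected the signed response")
	}
	return string(t.cred), nil
}
func main() {
	tee, srv, _ := Enroll([]byte("constructed-credential"), []byte("finger-id-1"))
	fmt.Println(Login(tee, srv, []byte("finger-id-1")))
}
```

Because the server rebuilds the signed message from its own state, a response captured from an earlier login fails against any later challenge, and a signature over a different verification digest fails against the enrolled one.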
PCT/CN2021/099608 2020-06-12 2021-06-11 Method and apparatus for implementing motopay, and electronic device WO2021249527A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010537132.3 2020-06-12
CN202010537132.3A CN111445231A (en) 2020-06-12 2020-06-12 Method and device for realizing MOTOpay and electronic equipment

Publications (1)

Publication Number Publication Date
WO2021249527A1 true WO2021249527A1 (en) 2021-12-16

Family

ID=71655409

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/099608 WO2021249527A1 (en) 2020-06-12 2021-06-11 Method and apparatus for implementing motopay, and electronic device

Country Status (2)

Country Link
CN (1) CN111445231A (en)
WO (1) WO2021249527A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2023155642A1 (en) * 2022-02-18 2023-08-24 支付宝(杭州)信息技术有限公司 Identity authentication using time-based one-time password algorithm

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111445231A (en) * 2020-06-12 2020-07-24 支付宝(杭州)信息技术有限公司 Method and device for realizing MOTOpay and electronic equipment
CN112866280B (en) 2020-07-03 2023-01-10 支付宝(杭州)信息技术有限公司 Information verification method, device and equipment

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105446713A (en) * 2014-08-13 2016-03-30 阿里巴巴集团控股有限公司 Safe storage method and equipment
CN105631293A (en) * 2015-12-29 2016-06-01 宇龙计算机通信科技(深圳)有限公司 Data access method, data access system and terminal
CN106936792A (en) * 2015-12-30 2017-07-07 卓望数码技术(深圳)有限公司 Safety certifying method and system and the mobile terminal for safety certification
CN107301543A (en) * 2017-06-29 2017-10-27 维沃移动通信有限公司 A kind of method of mobile payment and mobile terminal
WO2018137302A1 (en) * 2017-01-25 2018-08-02 华为技术有限公司 Method and device for adding bank card
CN110968743A (en) * 2019-12-13 2020-04-07 支付宝(杭州)信息技术有限公司 Data storage and data reading method and device for private data
CN111445231A (en) * 2020-06-12 2020-07-24 支付宝(杭州)信息技术有限公司 Method and device for realizing MOTOpay and electronic equipment

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104660417B (en) * 2015-03-17 2018-02-27 联想(北京)有限公司 Verification method, checking device and electronic equipment
CN104778794B (en) * 2015-04-24 2017-06-20 华为技术有限公司 mobile payment device and method
CN105825382B (en) * 2015-09-14 2022-03-11 维沃移动通信有限公司 Mobile payment method and electronic equipment
CN105868983A (en) * 2016-04-26 2016-08-17 北京小米移动软件有限公司 Information output control method and device and intelligent terminal
CN108429769B (en) * 2018-06-01 2021-08-06 北京一砂信息技术有限公司 Identity authentication method, device and system based on biological characteristic recognition and storage medium

Also Published As

Publication number Publication date
CN111445231A (en) 2020-07-24

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21822769

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21822769

Country of ref document: EP

Kind code of ref document: A1