HK1254025A1 - Business authorization method, device and apparatus - Google Patents
- Publication number
- HK1254025A1
- Authority
- HK
- Hong Kong
- Prior art keywords
- verification
- execution unit
- signature
- public key
- information
Landscapes
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Description
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a method, an apparatus, and a device for service authorization.
Background
At present, traditional password-based authentication is increasingly unable to meet users' requirements for convenience and security during authentication, because passwords are easy to forget, easy to steal, and inconvenient to enter. Authentication based on biometric characteristics such as fingerprints, voiceprints, and facial recognition is secure, convenient, and fast, and is widely applied in various scenarios.
In practical applications, the system on which a device runs generally includes two environments: a Trusted Execution Environment (TEE) and an execution environment provided for a Secure Element (SE). A service application that performs service processing generally runs in the TEE, while the security application that authorizes the service to be performed by the user runs in the SE. In general, a terminal needs to verify the biometric information to be verified that the user inputs, to obtain a verification result. The verification result must then be sent to the security application for verification, and only after the security application determines that the verification result passes verification does it authorize the service executed by the service application, so that the service application executes the service.
However, since the verification result may be tampered with while it is transferred from the TEE to the SE, how the security application can trust the verification result sent from the TEE is a problem that deserves consideration.
Based on the prior art, a more efficient service authorization approach is needed.
Disclosure of Invention
The present specification provides a method for service authorization, which is used to solve the problem in the prior art that a verification result of identity verification generated by one secure environment cannot obtain trust and authentication of another secure environment.
The present specification provides a method for service authorization. The system of a device includes at least a first secure environment and a second secure environment, a first execution unit operates in the first secure environment, and a second execution unit operates in the second secure environment. The method includes:
acquiring information to be verified, and sending the information to be verified to the first execution unit for verification;
receiving signature information returned by the first execution unit, the signature information being obtained by signing the verification result with a signature verification private key;
and sending the signature information to the second execution unit so that the second execution unit verifies the signature information through a signature verification public key corresponding to the signature verification private key, and after the signature information is verified to pass, performing service authorization according to the verification result.
The present specification provides a device for service authorization, which is used to solve the problem in the prior art that a verification result of identity verification generated in one secure environment cannot obtain trust and authentication of another secure environment.
The present specification provides a device for service authorization. The system of an apparatus that includes the device includes at least a first secure environment and a second secure environment, a first execution unit operates in the first secure environment, and a second execution unit operates in the second secure environment. The device includes:
the acquisition module acquires information to be verified and sends the information to be verified to the first execution unit for verification;
the receiving module is used for receiving signature information which is returned by the first execution unit and obtained by signing the verification result through a signature verification private key;
and the sending module is used for sending the signature information to the second execution unit so that the second execution unit verifies the signature information through the signature verification public key corresponding to the signature verification private key, and after the signature information is determined to pass the verification, service authorization is carried out according to the verification result.
The present specification provides a service authorization device, which is used to solve the problem in the prior art that a verification result of an identity verification generated in one secure environment cannot obtain a trust authentication of another secure environment.
The present specification provides a device for service authorization comprising one or more memories and a processor, the memories storing programs that are configured to be executed by the one or more processors to perform the following steps:
acquiring information to be verified, and sending the information to be verified to a first execution unit for verification, wherein the first execution unit operates in a first security environment included in a system of the equipment;
receiving signature information returned by the first execution unit, the signature information being obtained by signing the verification result with a signature verification private key;
and sending the signature information to a second execution unit so that the second execution unit verifies the signature information through a signature verification public key corresponding to the signature verification private key, and after the signature information is verified to be passed, performing service authorization according to a verification result, wherein the second execution unit operates in a second secure environment included in a system of the equipment.
The present specification provides a method for service authorization, which is used to solve the problem in the prior art that a verification result of identity verification generated by one secure environment cannot obtain trust and authentication of another secure environment.
The present specification provides a method for service authorization. The system of a device includes at least a first secure environment and a second secure environment, a first execution unit operates in the first secure environment, and a second execution unit operates in the second secure environment. The method includes:
the first execution unit receives information to be verified sent by a service application;
verifying the information to be verified, and signing the obtained verification result through a stored signature verification private key to obtain signature information;
and sending the signature information to the second execution unit through the service application so that the second execution unit verifies the signature information through a signature verification public key corresponding to the signature verification private key, and after the signature information passes the verification, performing service authorization according to the verification result.
The present specification provides a device for service authorization, which is used to solve the problem in the prior art that a verification result of identity verification generated in one secure environment cannot obtain trust and authentication of another secure environment.
The present specification provides a device for service authorization. The system of an apparatus includes at least a first secure environment and a second secure environment, the device operates in the first secure environment, and a second execution unit operates in the second secure environment. The device includes:
the receiving module is used for receiving information to be verified sent by the service application;
the verification module is used for verifying the information to be verified and signing the obtained verification result through the stored signature verification private key to obtain signature information;
and the sending module is used for sending the signature information to the second execution unit through the service application so as to enable the second execution unit to verify the signature information through a signature verification public key corresponding to the signature verification private key, and after the signature information passes the verification, performing service authorization according to the verification result.
The present specification provides a service authorization device, which is used to solve the problem in the prior art that a verification result of an identity verification generated in one secure environment cannot obtain a trust authentication of another secure environment.
The present specification provides a device for service authorization comprising one or more memories and a processor, the memories storing programs that are configured to be executed by the one or more processors to perform the following steps:
a first execution unit receives information to be verified sent by a service application, wherein the first execution unit operates in a first security environment included in a system of the equipment;
verifying the information to be verified, and signing the obtained verification result through a stored signature verification private key to obtain signature information;
and sending the signature information to a second execution unit through the service application so that the second execution unit verifies the signature information through a signature verification public key corresponding to the signature verification private key, and after the signature information passes the verification, performing service authorization according to the verification result, wherein the second execution unit operates in a second secure environment included in a system of the equipment.
The present specification provides a method for service authorization, which is used to solve the problem in the prior art that a verification result of identity verification generated by one secure environment cannot obtain trust and authentication of another secure environment.
The present specification provides a method for service authorization. The system of a device includes at least a first secure environment and a second secure environment, a first execution unit operates in the first secure environment, and a second execution unit operates in the second secure environment. The method includes:
the second execution unit acquires signature information sent by the first execution unit through a service application, wherein the signature information is obtained after the first execution unit signs a verification result through a signature private key, and the verification result is obtained after the first execution unit verifies information to be verified sent by the service application;
and verifying the signature information through a signature verification public key corresponding to the signature verification private key, and after the signature information is determined to pass the verification, performing service authorization according to the verification result parsed from the signature information.
The present specification provides a device for service authorization, which is used to solve the problem in the prior art that a verification result of identity verification generated in one secure environment cannot obtain trust and authentication of another secure environment.
The present specification provides a device for service authorization. The system of an apparatus includes at least a first secure environment and a second secure environment, a first execution unit operates in the first secure environment, and the device operates in the second secure environment. The device includes:
the acquisition module is used for acquiring signature information sent by the first execution unit through the service application, wherein the signature information is obtained after the first execution unit signs a verification result through a signature private key, and the verification result is obtained after the first execution unit verifies information to be verified sent by the service application;
and the verification module verifies the signature information through the signature verification public key corresponding to the signature verification private key, and performs service authorization according to the verification result parsed from the signature information after the signature information is determined to pass the verification.
The present specification provides a service authorization device, which is used to solve the problem in the prior art that a verification result of an identity verification generated in one secure environment cannot obtain a trust authentication of another secure environment.
The present specification provides a device for service authorization comprising one or more memories and a processor, the memories storing programs that are configured to be executed by the one or more processors to perform the following steps:
a second execution unit acquires signature information sent by a first execution unit through a service application, wherein the signature information is obtained after the first execution unit signs a verification result through a signature private key, and the verification result is obtained after the first execution unit verifies information to be verified sent by the service application, wherein the first execution unit operates in a first secure environment included in a system of the equipment, and the second execution unit operates in a second secure environment included in the system of the equipment;
and verifying the signature information through a signature verification public key corresponding to the signature verification private key, and after the signature information is determined to pass the verification, performing service authorization according to the verification result parsed from the signature information.
The technical scheme adopted by the specification can achieve the following beneficial effects:
in one or more embodiments of the present disclosure, a first execution unit running in a first secure environment may verify acquired information to be verified, sign an acquired verification result with a stored signature verification private key, and send the acquired signature information to a second execution unit running in a second secure environment through a service application, where the second execution unit may verify the signature information with a signature verification public key corresponding to the signature verification private key, and perform service authorization according to the verification result after determining that the signature information passes verification. In other words, by using the asymmetric encryption manner, the second execution unit running in the second secure environment can perform trust authentication on the verification result obtained by the first execution unit running in the first secure environment, so that the second execution unit can determine whether to authorize the service executed by the service application based on the verification result obtained by the first execution unit, thereby providing a safer and more effective authentication manner for the user.
Drawings
The accompanying drawings are included to provide a further understanding of the specification and are incorporated in and constitute a part of it. They illustrate embodiments of the specification and, together with the description, serve to explain the specification without limiting it. In the drawings:
FIG. 1 is a schematic diagram of a service authorization process provided in this specification;
FIG. 2 is a schematic diagram illustrating a process in which a service application applies for service authorization to a second execution unit through a dynamic parameter sent by the second execution unit, provided in this specification;
FIG. 3 is a schematic diagram of signature information verification by a public key certificate provided in this specification;
FIG. 4 is a schematic diagram of a service authorization apparatus provided in this specification;
FIG. 5 is a schematic diagram of a service authorization apparatus provided in this specification;
FIG. 6 is a schematic diagram of a service authorization apparatus provided in this specification;
FIG. 7 is a schematic diagram of a service authorization apparatus provided in this specification;
FIG. 8 is a schematic diagram of a service authorization apparatus provided in this specification;
FIG. 9 is a schematic diagram of a service authorization apparatus provided in this specification.
Detailed Description
In general, a system in which a device operates usually includes different security environments, and in practical applications, the whole service execution process often needs to be completed through mutual cooperation of execution units or applications in the different security environments. Specifically, the service application running in the first secure environment may send information to be verified, which is acquired by the device, to a first execution unit running in the first secure environment, where the first execution unit may verify the information to be verified and send an obtained verification result to a second execution unit running in the second secure environment, and the second execution unit may determine whether to authorize a service currently executed by the service application according to the verification result.
Since the first execution unit and the second execution unit are located in different secure environments, the second execution unit running in the second secure environment normally cannot guarantee that the verification result, obtained after the first execution unit running in the first secure environment verifies the information to be verified, is not tampered with while it is being sent to the second execution unit. How the second execution unit obtains the verification result sent by the first execution unit is therefore a problem that deserves consideration.
Therefore, the present specification provides a method for service authorization. After the information to be verified is obtained, it may be sent to a first execution unit, so that the first execution unit verifies the information to be verified and signs the obtained verification result with a signature verification private key stored in the first execution unit, to obtain signature information. The service application can then acquire the signature information returned by the first execution unit and send it to a second execution unit, so that the second execution unit verifies the signature information through a signature verification public key corresponding to the signature verification private key and, after the signature information is determined to pass the verification, performs service authorization according to the verification result.
Because asymmetric encryption is used, the second execution unit running in the second secure environment can trust and authenticate the verification result obtained by the first execution unit running in the first secure environment. The second execution unit can therefore determine, based on the verification result obtained by the first execution unit, whether to authorize the service executed by the service application, which provides the user with a safer and more effective identity verification mode.
In order to make those skilled in the art better understand the technical solutions in one or more embodiments of the present disclosure, the technical solutions in one or more embodiments of the present disclosure will be clearly and completely described below with reference to the drawings in one or more embodiments of the present disclosure, and it is obvious that the described embodiments are only a part of the embodiments of the present disclosure, and not all embodiments. All other embodiments obtained by a person skilled in the art based on the embodiments in the present specification without any inventive step should fall within the scope of protection of the present specification.
Fig. 1 is a schematic diagram of a service authorization process provided in this specification, and specifically includes the following steps:
S100: acquiring information to be verified, and sending the information to be verified to the first execution unit for verification.
In this specification, when a user executes a service, the information to be verified may be input to a service application in a device, so that the service application has the information verified by a first execution unit in the device. The device mentioned here may be a mobile terminal device such as a smartphone or a tablet computer. The information to be verified mentioned here may be biometric information to be verified, such as a fingerprint, a voiceprint, or face information, or may be information to be verified in the form of characters. Of course, the device may also send the acquired information to be verified directly to the first execution unit through a preset interface.
After acquiring the to-be-verified information, the first execution unit may verify the to-be-verified information and obtain a corresponding verification result. For example, after acquiring the fingerprint to be authenticated, the first execution unit may match the fingerprint to be authenticated with the fingerprint information of the user that is stored in advance, and determine whether the user passes fingerprint authentication according to a matching result.
It should be noted that, in this specification, the first secure environment may refer to a TEE, and the first execution unit running in the first secure environment may refer to a module for performing information verification, where the module may be in a form of software or a form of hardware. The second secure environment may refer to an execution environment provided by the SE, and accordingly, the second execution unit may refer to a secure application running in the SE.
S102: receiving signature information returned by the first execution unit, the signature information being obtained by signing the verification result with a signature verification private key.
After the first execution unit verifies the information to be verified, the obtained verification result can be signed through the signature verification private key stored by the first execution unit, corresponding signature information is obtained, and the signature information is returned to the service application in the subsequent process.
In this specification, the first execution unit may obtain, from the first management server corresponding to the first execution unit, a signature verification private key used for signing a verification result. The first management server may generate a unique pair of signature verification private key and signature verification public key for the first execution unit, and issue the signature verification private key to the first execution unit. And the signature verification public key can be sent to a second management server corresponding to a second execution unit by the first management server, so that the signature verification public key is sent to the second execution unit through the second management server, and in the subsequent process, the signature verification public key is used by the second execution unit to verify the signature information generated by the first execution unit.
In this specification, the first execution unit may return the obtained signature information to the service application, so that the service application subsequently sends the signature information to the second execution unit for verification. The reason why the first execution unit needs to send the signature information to the second execution unit through the service application is that the first execution unit and the second execution unit are located in different secure environments, and the second execution unit does not perform access authorization on the first execution unit, so that the first execution unit cannot normally send information to the second execution unit running in the second secure environment. Since the second execution unit needs to authorize the service executed by the service application, the second execution unit generally performs access authorization on the service application, and allows the service application to access the second execution unit. Based on this, the first execution unit needs to send the signature information to the second execution unit through the service application.
S104: sending the signature information to the second execution unit so that the second execution unit verifies the signature information through a signature verification public key corresponding to the signature verification private key and, after the signature information passes verification, performs service authorization according to the verification result.
The service application can send the signature information returned by the first execution unit to a second execution unit running in a second secure environment. The second execution unit can verify the signature information through the obtained signature verification public key and, after the signature information passes verification, determine from the parsed verification result whether to authorize the service executed by the service application.
As can be seen from the above method, a first execution unit running in a first secure environment can verify the acquired information to be verified, sign the obtained verification result with a stored signature verification private key, and send the resulting signature information through the service application to a second execution unit running in a second secure environment. The second execution unit can verify the signature information through a signature verification public key corresponding to the signature verification private key and, after the signature information is confirmed to pass verification, perform service authorization according to the verification result. In other words, by using the asymmetric encryption manner, the second execution unit running in the second secure environment can perform trust authentication on the verification result obtained by the first execution unit running in the first secure environment, so that the second execution unit can determine whether to authorize the service executed by the service application based on the verification result obtained by the first execution unit, thereby providing a safer and more effective authentication manner for the user.
In the service authorization process described above, the device used by the user may be exposed to replay attacks. That is, after a lawbreaker obtains a verification result that passed verification, the lawbreaker may repeatedly apply to the second execution unit for service authorization using that verification result, so that the user may lose information or property.
To prevent this, the service application may acquire from the second execution unit a dynamic parameter generated by the second execution unit and send the dynamic parameter to the first execution unit, so that the first execution unit signs the dynamic parameter together with the obtained verification result to obtain the signature information, as shown in FIG. 2.
Fig. 2 is a schematic diagram of a process in which a service application applies for service authorization to a second execution unit through a dynamic parameter sent by the second execution unit, provided in this specification.
In fig. 2, the service application may access a second execution unit running in a second secure environment to obtain a dynamic parameter such as a random number, time information, and the like, wherein the dynamic parameter may be generated by the second execution unit and stored in the second execution unit for a set time, and after the set time is reached, the dynamic parameter may be deleted by the second execution unit. It can be understood that the second execution unit sets a valid time for the generated dynamic parameter, that is, only if the service application sends the signature information obtained by signing the dynamic parameter and the verification result by the first execution unit to the second execution unit within the valid time, the second execution unit can verify the dynamic parameter parsed from the signature information by the stored dynamic parameter, and once the valid time is exceeded, the dynamic parameter is invalidated, so that the dynamic parameter parsed from the signature information cannot pass the verification of the second execution unit.
The first execution unit can verify the information to be verified sent by the service application to obtain a corresponding verification result, and signs the verification result and the obtained dynamic parameters through the stored signature verification private key to obtain signature information.
The first execution unit may return the obtained signature information to the service application, which sends the signature information to the second execution unit. The second execution unit can verify the signature information through the signature verification public key acquired from the second management server and, after the signature information is confirmed to pass the verification, verify the dynamic parameter parsed from the signature information against the prestored dynamic parameter. That is, it compares the parsed dynamic parameter with the prestored dynamic parameter to determine whether the two are consistent. When they are consistent, the parsed dynamic parameter is determined to pass the verification, and when they are inconsistent, the parsed dynamic parameter is determined not to pass the verification. After the dynamic parameter is determined to pass the verification, whether the service executed by the service application is authorized can be determined according to the verification result parsed from the signature information.
The signature verification public key and the signature verification private key mentioned here are generated by a first management server corresponding to a first execution unit, and the first management server may send the generated signature verification private key to the first execution unit for storage, and send the signature verification public key to a second execution unit through a second management server corresponding to a second execution unit.
Because the dynamic parameter that the service application acquires from the second execution unit is different in each service execution process, even if a lawbreaker obtains the verification result of a verification that passed, the lawbreaker cannot repeatedly apply to the second execution unit for service authorization by means of a replay attack, which ensures the safety of the user's information and property.
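The exchange of FIG. 2, as an added Go example that is not code from the specification. Ed25519 as the signature scheme, the 16-byte random dynamic parameter, the one-byte verification result, the `dynamicParam || result || signature` layout and the deletion of the dynamic parameter on first use are assumptions of this example, and `NewPair` stands in for the two management servers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// Sizes and result encodings are assumptions of this example.
const (
	NonceLen   = 16 // length of the dynamic parameter in bytes
	ResultFail = 0  // information to be verified did not match
	ResultPass = 1  // information to be verified matched
)

var (
	ErrFormat    = errors.New("malformed signature information")
	ErrSignature = errors.New("signature does not verify")
	ErrNonce     = errors.New("dynamic parameter missing, expired or mismatched")
	ErrDenied    = errors.New("verification result is not a pass")
)

// FirstUnit stands for the first execution unit; it stores the private key.
type FirstUnit struct{ priv ed25519.PrivateKey }

// Attest signs dynamicParam||result and returns dynamicParam||result||signature,
// the "signature information" handed back to the service application.
func (f *FirstUnit) Attest(dynamicParam []byte, result byte) []byte {
	msg := append(append([]byte{}, dynamicParam...), result)
	return append(msg, ed25519.Sign(f.priv, msg)...)
}

// SecondUnit stands for the second execution unit; it stores the public key
// and the dynamic parameter it last generated.
type SecondUnit struct {
	pub     ed25519.PublicKey
	ttl     time.Duration // valid time of a dynamic parameter
	now     func() time.Time
	pending []byte
	issued  time.Time
}

// NewPair plays the management servers: private key to the first unit,
// public key to the second unit.
func NewPair(ttl time.Duration, now func() time.Time) (*FirstUnit, *SecondUnit, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &FirstUnit{priv}, &SecondUnit{pub: pub, ttl: ttl, now: now}, nil
}

// NewChallenge generates a fresh dynamic parameter and stores it.
func (s *SecondUnit) NewChallenge() ([]byte, error) {
	n := make([]byte, NonceLen)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	s.pending, s.issued = n, s.now()
	return append([]byte{}, n...), nil
}

// Authorize checks, in order: layout, signature, dynamic parameter, result.
func (s *SecondUnit) Authorize(info []byte) error {
	if len(info) != NonceLen+1+ed25519.SignatureSize {
		return ErrFormat
	}
	msg, sig := info[:NonceLen+1], info[NonceLen+1:]
	if !ed25519.Verify(s.pub, msg, sig) {
		return ErrSignature
	}
	if s.pending != nil && s.now().Sub(s.issued) > s.ttl {
		s.pending = nil // valid time exceeded: delete the stored parameter
	}
	if s.pending == nil || subtle.ConstantTimeCompare(s.pending, msg[:NonceLen]) != 1 {
		return ErrNonce
	}
	s.pending = nil // delete on first use (assumption of this example)
	if msg[NonceLen] != ResultPass {
		return ErrDenied
	}
	return nil
}

func main() {
	tee, se, err := NewPair(30*time.Second, time.Now)
	if err != nil {
		panic(err)
	}
	nonce, err := se.NewChallenge()
	if err != nil {
		panic(err)
	}
	info := tee.Attest(nonce, ResultPass)
	fmt.Println("first submission:", se.Authorize(info))
	fmt.Println("replayed submission:", se.Authorize(info))
}
```

Because the signature covers the dynamic parameter and the result together, a captured pass cannot be re-bound to a later dynamic parameter, and a signed failure cannot be edited into a pass.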
It should be noted that the first management server may generate a unique pair of signature verification key pairs for different first execution units, or may generate signature verification key pairs required by a batch of first execution units for the batch of first execution units. In other words, the first management server may generate a pair of verification key pairs corresponding to only one device for each device, or may generate a pair of verification key pairs corresponding to a batch of devices for the batch of devices.
In this specification, there may be many occasions when the service application acquires the dynamic parameter from the second execution unit, for example, the service application may acquire the dynamic parameter from the second execution unit first, and then send the dynamic parameter and the acquired to-be-verified information to the first execution unit, or may send the to-be-verified information to the first execution unit first, and then acquire the dynamic parameter from the second execution unit and send the dynamic parameter to the first execution unit.
In this specification, the signature verification public key generated by the first management server may be sent to a Certificate Authority (CA) center for notarization and obtain a corresponding public key Certificate, and the subsequent second execution unit may verify the signature information sent by the service application through the public key Certificate, as shown in fig. 3.
Fig. 3 is a schematic diagram of verifying signature information by a public key certificate according to this specification.
After the first management server corresponding to the first execution unit generates a signature verification key pair, it can send the signature verification public key of that pair to the CA center for notarization. From the signature verification public key and other information (such as information about the applicant requesting notarization of the signature verification public key, time information, and the like), the CA center can generate a public key certificate signed with the CA private key that it stores. The CA center may then send the public key certificate to the first execution unit for storage through the first management server, and send the CA public key corresponding to the CA private key to the second execution unit for storage through the second management server.
In this way, after the first execution unit generates the signature information, the signature information and the public key certificate may be sent to the second execution unit through the service application. The second execution unit may verify the public key certificate with the acquired CA public key, and verify the signature information with the signature verification public key parsed from the public key certificate. After the signature information passes verification, the second execution unit further verifies the dynamic parameter parsed from the signature information; after the dynamic parameter passes verification, it determines whether to authorize the service currently executed by the service application according to the verification result parsed from the signature information.
In this specification, the first execution unit may instead sign the obtained dynamic parameter only after determining that the to-be-verified information sent by the service application passes verification, so as to obtain the corresponding signature information. When the second execution unit receives this signature information through the service application, it can conclude that the to-be-verified information has already passed the verification of the first execution unit, and can therefore authorize the service currently executed by the service application once the dynamic parameter parsed from the signature information passes verification.
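The exchange described above, written out as an added Go example (not code from the patent): the second execution unit issues a dynamic parameter, the first execution unit signs the verification result together with it, and the second execution unit checks certificate, signature, dynamic parameter and result in that order, so a replayed message fails. The use of Ed25519, the 16-byte random dynamic parameter, the one-byte result encoding, the simplified certificate (a CA signature over the bare public key instead of a full certificate format) and all type and function names are assumptions.

```go
// Added illustration: names, nonce size and message layout are assumptions.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

const nonceLen = 16 // assumed size of the random dynamic parameter

var (
	ErrCert   = errors.New("public key certificate rejected")
	ErrSig    = errors.New("signature information rejected")
	ErrNonce  = errors.New("dynamic parameter missing or mismatched")
	ErrResult = errors.New("verification result is a failure")
)

// Certificate is a simplified stand-in: signing public key plus CA signature.
type Certificate struct {
	SigningKey ed25519.PublicKey
	CASig      []byte
}

// FirstUnit models the first execution unit (TEE side).
type FirstUnit struct {
	priv ed25519.PrivateKey
	Cert Certificate
}

// SecondUnit models the second execution unit (SE side).
type SecondUnit struct {
	caPub   ed25519.PublicKey
	pending []byte // outstanding dynamic parameter, nil when none
}

// Provision plays the CA center and both management servers.
func Provision() (*FirstUnit, *SecondUnit, error) {
	caPub, caPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, fmt.Errorf("CA key: %w", err)
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, fmt.Errorf("signing key: %w", err)
	}
	cert := Certificate{SigningKey: pub, CASig: ed25519.Sign(caPriv, pub)}
	return &FirstUnit{priv: priv, Cert: cert}, &SecondUnit{caPub: caPub}, nil
}

// IssueNonce creates the dynamic parameter for one service execution.
func (s *SecondUnit) IssueNonce() ([]byte, error) {
	n := make([]byte, nonceLen)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	s.pending = n
	return append([]byte(nil), n...), nil
}

// SignResult signs (result byte || dynamic parameter) as one message.
func (u *FirstUnit) SignResult(passed bool, nonce []byte) (msg, sig []byte) {
	msg = append([]byte{0}, nonce...)
	if passed {
		msg[0] = 1
	}
	return msg, ed25519.Sign(u.priv, msg)
}

// Authorize consumes the outstanding dynamic parameter on every attempt.
func (s *SecondUnit) Authorize(cert Certificate, msg, sig []byte) error {
	expected := s.pending
	s.pending = nil
	switch {
	case len(cert.SigningKey) != ed25519.PublicKeySize || !ed25519.Verify(s.caPub, cert.SigningKey, cert.CASig):
		return ErrCert
	case !ed25519.Verify(cert.SigningKey, msg, sig):
		return ErrSig
	case len(msg) != 1+nonceLen || subtle.ConstantTimeCompare(msg[1:], expected) != 1:
		return ErrNonce
	case msg[0] != 1:
		return ErrResult
	}
	return nil
}

func main() {
	tee, se, err := Provision()
	if err != nil {
		panic(err)
	}
	n, _ := se.IssueNonce()
	msg, sig := tee.SignResult(true, n)
	fmt.Println("fresh:", se.Authorize(tee.Cert, msg, sig))
	se.IssueNonce() // next service execution gets a new value
	fmt.Println("replay:", se.Authorize(tee.Cert, msg, sig))
}
```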
In this specification, the service application may display data, such as signature information, acquired from the first execution unit to the user through an interface that the service application can provide when running in the first secure environment. Similarly, the first execution unit may also display the verification result after verifying the information to be verified through an interface that the first execution unit can provide when running in the first secure environment, so that the user can view the verification result.
As can be seen from the above method, in an asymmetric encryption manner, a second execution unit running in a second secure environment can perform trust authentication on a verification result obtained by a first execution unit running in a first secure environment, so that the second execution unit can determine whether to authorize a service executed by a service application based on the verification result obtained by the first execution unit.
In addition, through the above manner, the second execution unit can trust the biometric authentication performed by the first execution unit, so that for a service which needs to be completed in cooperation with two different security environments, a user can perform the authentication through a simple and easily-operated authentication manner, such as biometric authentication, thereby bringing good user experience to the user in the service execution process.
Based on the same idea as the service authorization method provided above, one or more embodiments of the present specification further provide corresponding service authorization apparatuses, as shown in Figs. 4, 5, and 6.
Fig. 4 is a schematic diagram of a service authorization apparatus provided in this specification, which specifically includes:
the obtaining module 401 obtains information to be verified, and sends the information to be verified to the first execution unit for verification;
the receiving module 402 receives signature information returned by the first execution unit, the signature information being obtained by signing the verification result with a signature verification private key;
the sending module 403 is configured to send the signature information to the second execution unit, so that the second execution unit verifies the signature information through the signature verification public key corresponding to the signature verification private key, and performs service authorization according to the verification result after it is determined that the signature information passes verification.
The first secure environment includes: a trusted execution environment TEE; the second secure environment includes: an execution environment provided by the secure element SE.
The information to be verified includes: biometric information to be verified.
The obtaining module 401 obtains the dynamic parameters sent by the second execution unit, where the dynamic parameters include: at least one of a random number and time information; and sending the dynamic parameters to the first execution unit, so that the first execution unit signs the verification result and the dynamic parameters through the signature verification private key.
Fig. 5 is a schematic diagram of a service authorization apparatus provided in this specification, which specifically includes:
the receiving module 501 receives information to be verified sent by a service application;
the verification module 502 is used for verifying the information to be verified and signing the obtained verification result through the stored signature verification private key to obtain signature information;
the sending module 503 is configured to send the signature information to the second execution unit through the service application, so that the second execution unit verifies the signature information through the signature verification public key corresponding to the signature verification private key, and performs service authorization according to the verification result after the signature information passes verification.
The business application is run in the first secure environment.
The receiving module 501 receives the dynamic parameter sent by the second execution unit through the service application.
The verification module 502 performs signature on the verification result and the dynamic parameter through the signature verification private key to obtain signature information.
The device further comprises:
the obtaining module 504 obtains the signature verification private key from a first management server corresponding to the device.
The obtaining module 504 obtains a public key certificate of the signature verification public key from the first management server, where the public key certificate is obtained by the first management server from a certificate authority CA center, and the public key certificate is obtained by the CA center after authenticating the signature verification public key according to a stored CA private key.
The sending module 503 sends the public key certificate and the signature information to the second execution unit through the service application, so that the second execution unit verifies the public key certificate through the CA public key acquired from the CA center, and verifies the signature information through the signature verification public key analyzed from the public key certificate after the public key certificate is verified.
Fig. 6 is a schematic diagram of a service authorization apparatus provided in this specification, which specifically includes:
the obtaining module 601 is configured to obtain signature information sent by the first execution unit through a service application, where the signature information is obtained by the first execution unit signing a verification result through a signature private key, and the verification result is obtained by the first execution unit verifying information to be verified sent by the service application;
the verification module 602 verifies the signature information through the signature verification public key corresponding to the signature verification private key, and performs service authorization according to the verification result analyzed from the signature information after determining that the signature information passes verification.
The signature verification public key is acquired by the device from a first management server corresponding to the first execution unit through a second management server corresponding to the device.
The obtaining module 601 obtains the CA public key from the certificate authority CA center through the second management server corresponding to the apparatus.
The verification module 602 verifies, by using the CA public key, a public key certificate sent from the service application, where the public key certificate is obtained by the CA center after authenticating the signature verification public key according to a CA private key corresponding to the CA public key, the public key certificate is obtained by the service application from the first execution unit, and the public key certificate is obtained by the first execution unit from the CA center through a first management server corresponding to the first execution unit; and after the public key certificate is confirmed to pass the verification, verifying the signature information through a signature verification public key analyzed from the public key certificate, and after the signature information is confirmed to pass the verification, performing service authorization according to the verification result analyzed from the signature information.
The device further comprises:
the sending module 603 sends dynamic parameters to the service application, so that the first execution unit signs the verification result and the dynamic parameters obtained from the service application through the signature verification private key to obtain signature information.
The verification module 602 verifies the public key certificate through the CA public key; after the public key certificate is confirmed to pass verification, verifying the signature information through a signature verification public key analyzed from the public key certificate; and when the signature information is confirmed to pass the verification, verifying the dynamic parameters analyzed from the signature information, and after the dynamic parameters are confirmed to pass the verification, performing service authorization according to the verification result analyzed from the signature information.
Based on the service authorization method described above, the present specification further provides a device for service authorization, as shown in Fig. 7. The device includes one or more memories and one or more processors; the memories store programs configured to be executed by the one or more processors to perform the following steps:
acquiring information to be verified, and sending the information to be verified to a first execution unit for verification, wherein the first execution unit operates in a first security environment included in a system of the equipment;
receiving signature information returned by the first execution unit, the signature information being obtained by signing the verification result with a signature verification private key;
and sending the signature information to a second execution unit so that the second execution unit verifies the signature information through a signature verification public key corresponding to the signature verification private key, and after the signature information is verified to be passed, performing service authorization according to a verification result, wherein the second execution unit operates in a second secure environment included in a system of the equipment.
Based on the service authorization method described above, the present specification further provides a device for service authorization, as shown in Fig. 8. The device includes one or more memories and one or more processors; the memories store programs configured to be executed by the one or more processors to perform the following steps:
a first execution unit receives information to be verified sent by a service application, wherein the first execution unit operates in a first security environment included in a system of the equipment;
verifying the information to be verified, and signing the obtained verification result through a stored signature verification private key to obtain signature information;
and sending the signature information to a second execution unit through the service application so that the second execution unit verifies the signature information through a signature verification public key corresponding to the signature verification private key, and after the signature information passes the verification, performing service authorization according to the verification result, wherein the second execution unit operates in a second secure environment included in a system of the equipment.
Based on the service authorization method described above, the present specification further provides a device for service authorization, as shown in Fig. 9. The device includes one or more memories and one or more processors; the memories store programs configured to be executed by the one or more processors to perform the following steps:
a second execution unit obtains signature information sent by a first execution unit through a service application, wherein the signature information is obtained after the first execution unit signs a verification result with a signature verification private key, and the verification result is obtained after the first execution unit verifies information to be verified sent by the service application, wherein the first execution unit operates in a first secure environment included in a system of the equipment, and the second execution unit operates in a second secure environment included in the system of the equipment;
and verifying the signature information through a signature verification public key corresponding to the signature verification private key, and after the signature information is determined to pass the verification, performing service authorization according to the verification result analyzed from the signature information.
In one or more embodiments of the present description, after obtaining the information to be verified, the information to be verified may be sent to the first execution unit, so that the first execution unit verifies the information to be verified, and signs an obtained verification result through a signature verification private key stored in the first execution unit, so as to obtain signature information. And then, the service application can acquire the signature information returned by the first execution unit, and further send the signature information to a second execution unit, so that the second execution unit verifies the signature information through a signature verification public key corresponding to the signature verification private key, and after the signature information is determined to pass the verification, service authorization is performed according to the verification result.
Due to the fact that the asymmetric encryption mode is used, the second execution unit running in the second security environment can conduct trust and authentication on the verification result obtained by the first execution unit running in the first security environment, and therefore the second execution unit can determine whether to authorize the service executed by the service application or not based on the verification result obtained by the first execution unit, and a safer and more effective identity verification mode is provided for a user.
In the 1990s, an improvement to a technology could be clearly distinguished as either an improvement in hardware (for example, an improvement to a circuit structure such as a diode, transistor, or switch) or an improvement in software (an improvement to a method flow). However, as technology has advanced, many of today's method-flow improvements can be regarded as direct improvements to hardware circuit structure. Designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into a hardware circuit. Thus, it cannot be said that an improvement in a method flow cannot be realized by hardware physical modules. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose logic functions are determined by the user's programming of the device. A designer "integrates" a digital system onto a PLD by programming it, without requiring a chip manufacturer to design and fabricate an application-specific integrated circuit chip. Furthermore, nowadays, instead of manually making integrated circuit chips, such programming is mostly implemented with "logic compiler" software, which is similar to the software compiler used in program development; the source code to be compiled must likewise be written in a specific programming language, called a Hardware Description Language (HDL). There is not just one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, and RHDL (Ruby Hardware Description Language); VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog are the most commonly used at present.
It will also be apparent to those skilled in the art that hardware circuitry that implements the logical method flows can be readily obtained by merely slightly programming the method flows into an integrated circuit using the hardware description languages described above.
The controller may be implemented in any suitable manner. For example, the controller may take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, or an embedded microcontroller. Examples of controllers include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicon Labs C8051F320. A memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller as pure computer-readable program code, the same functionality can be implemented by logically programming the method steps so that the controller takes the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers, and the like. Such a controller may thus be considered a hardware component, and the means included in it for performing the various functions may also be considered structures within the hardware component. The means for performing the functions may even be regarded both as software modules implementing the method and as structures within the hardware component.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as divided into various units by function, and the units are described separately. Of course, when implementing this specification, the functions of the units may be implemented in the same one or more pieces of software and/or hardware.
As will be appreciated by one skilled in the art, embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, the description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the description may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The description has been presented with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to one or more embodiments of the description. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as Random Access Memory (RAM), and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media, such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in the process, method, article, or apparatus that comprises the element.
This description may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. One or more embodiments of the specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The foregoing description has been directed to specific embodiments of this disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims may be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing may also be possible or may be advantageous.
The above description is merely one or more embodiments of the present disclosure and is not intended to limit the present disclosure. Various modifications and alterations to one or more embodiments of the present description will be apparent to those skilled in the art. Any modification, equivalent replacement, improvement or the like made within the spirit and principle of one or more embodiments of the present specification should be included in the scope of the claims of the present specification.
Claims (37)
1. A method for service authorization, a system of a device at least includes a first secure environment and a second secure environment, a first execution unit runs in the first secure environment, and a second execution unit runs in the second secure environment, the method includes:
acquiring information to be verified, and sending the information to be verified to the first execution unit for verification;
receiving signature information returned by the first execution unit, the signature information being obtained by signing the verification result with a signature verification private key;
and sending the signature information to the second execution unit so that the second execution unit verifies the signature information through a signature verification public key corresponding to the signature verification private key, and after the signature information is verified to pass, performing service authorization according to the verification result.
2. The method of claim 1, the first secure environment comprising: a trusted execution environment TEE; the second secure environment includes: an execution environment provided by the secure element SE.
3. The method of claim 1 or 2, the information to be verified comprising: biometric information to be verified.
4. The method according to claim 1 or 2, before receiving the signature information obtained by signing the verification result by the verification private key returned by the first execution unit, the method further comprises:
acquiring dynamic parameters sent by the second execution unit, wherein the dynamic parameters include: at least one of a random number and time information;
and sending the dynamic parameters to the first execution unit, so that the first execution unit signs the verification result and the dynamic parameters through the signature verification private key.
5. A method for service authorization, a system of a device at least includes a first secure environment and a second secure environment, a first execution unit runs in the first secure environment, and a second execution unit runs in the second secure environment, the method includes:
the first execution unit receives information to be verified sent by a service application;
verifying the information to be verified, and signing the obtained verification result through a stored signature verification private key to obtain signature information;
and sending the signature information to the second execution unit through the service application so that the second execution unit verifies the signature information through a signature verification public key corresponding to the signature verification private key, and after the signature information passes the verification, performing service authorization according to the verification result.
6. The method of claim 5, the business application running in the first secure environment.
7. The method of claim 5, wherein before the obtained verification result is signed by the stored private signature verification key to obtain the signature information, the method further comprises:
and receiving the dynamic parameters sent by the second execution unit through the service application.
8. The method according to claim 7, wherein the obtained verification result is signed by the stored signature verification private key to obtain signature information, and specifically comprises:
and signing the verification result and the dynamic parameters through the signature verification private key to obtain signature information.
9. The method according to claim 5 or 8, before receiving the information to be verified sent by the business application, the method further comprising:
and acquiring the signature verification private key from a first management server corresponding to the first execution unit.
10. The method of claim 9, before sending the signature information to the second execution unit via a service application, the method further comprising:
and acquiring a public key certificate of the signature verification public key from the first management server, wherein the public key certificate is acquired by the first management server from a Certificate Authority (CA) center, and the public key certificate is acquired by the CA center after authenticating the signature verification public key according to a stored CA private key.
11. The method according to claim 10, wherein sending the signature information to the second execution unit through a service application specifically includes:
and sending the public key certificate and the signature information to the second execution unit through the service application, so that the second execution unit verifies the public key certificate through a CA (certificate authority) public key acquired from the CA center, and after the public key certificate is determined to pass the verification, verifying the signature information through a signature verification public key analyzed from the public key certificate.
12. A method for service authorization, a system of a device at least includes a first secure environment and a second secure environment, a first execution unit runs in the first secure environment, and a second execution unit runs in the second secure environment, the method includes:
the second execution unit acquires signature information sent by the first execution unit through a service application, wherein the signature information is obtained after the first execution unit signs a verification result through a signature verification private key, and the verification result is obtained after the first execution unit verifies information to be verified sent by the service application;
and verifying the signature information through a signature verification public key corresponding to the signature verification private key, and after the signature information is determined to pass the verification, performing service authorization according to the verification result analyzed from the signature information.
13. The method according to claim 12, wherein the signature verification public key is acquired by the second execution unit from the first management server corresponding to the first execution unit through the second management server corresponding to the second execution unit.
14. The method of claim 12, wherein before verifying the signature information by the signature verification public key corresponding to the signature verification private key, the method further comprises:
and acquiring a CA public key from a Certificate Authority (CA) center through a second management server corresponding to the second execution unit.
15. The method according to claim 14, wherein the signature information is verified through a signature verification public key corresponding to the signature verification private key, and after it is determined that the signature information is verified, service authorization is performed according to the verification result analyzed from the signature information, which specifically includes:
verifying a public key certificate sent from the service application through the CA public key, wherein the public key certificate is obtained after the CA center authenticates the signature verification public key according to a CA private key corresponding to the CA public key, the public key certificate is obtained by the service application from the first execution unit, and the public key certificate is obtained by the first execution unit from the CA center through a first management server corresponding to the first execution unit;
and after the public key certificate is confirmed to pass the verification, verifying the signature information through a signature verification public key analyzed from the public key certificate, and after the signature information is confirmed to pass the verification, performing service authorization according to the verification result analyzed from the signature information.
16. The method of claim 15, prior to obtaining signature information sent by the first execution unit via a service application, the method further comprising:
and sending dynamic parameters to the service application so that the first execution unit signs the verification result and the dynamic parameters acquired from the service application through the signature verification private key to obtain signature information.
17. The method according to claim 16, wherein the signature information is verified through a signature verification public key corresponding to the signature verification private key, and after it is determined that the signature information is verified, service authorization is performed according to the verification result analyzed from the signature information, which specifically includes:
verifying the public key certificate through the CA public key;
after the public key certificate is confirmed to pass verification, verifying the signature information through a signature verification public key analyzed from the public key certificate;
and when the signature information is confirmed to pass the verification, verifying the dynamic parameters analyzed from the signature information, and after the dynamic parameters are confirmed to pass the verification, performing service authorization according to the verification result analyzed from the signature information.
18. An apparatus for service authorization, a system of a device including the apparatus including at least a first secure environment and a second secure environment, a first execution unit operating in the first secure environment, and a second execution unit operating in the second secure environment, the apparatus comprising:
the acquisition module acquires information to be verified and sends the information to be verified to the first execution unit for verification;
the receiving module is used for receiving signature information which is returned by the first execution unit and obtained by signing the verification result through a signature verification private key;
and the sending module is used for sending the signature information to the second execution unit so that the second execution unit verifies the signature information through the signature verification public key corresponding to the signature verification private key, and after the signature information is determined to pass the verification, service authorization is carried out according to the verification result.
19. The apparatus of claim 18, the first secure environment comprising: a trusted execution environment TEE; the second secure environment includes: an execution environment provided by the secure element SE.
20. The apparatus of claim 18 or 19, the information to be verified comprising: biometric information to be verified.
21. The apparatus according to claim 18 or 19, wherein the obtaining module obtains the dynamic parameters sent by the second execution unit, and the dynamic parameters include: at least one of a random number and time information; and sending the dynamic parameters to the first execution unit, so that the first execution unit signs the verification result and the dynamic parameters through the signature verification private key.
22. An apparatus for service authorization, a system of devices including at least a first secure environment and a second secure environment, the apparatus operating in the first secure environment, and a second execution unit operating in the second secure environment, the apparatus comprising:
the receiving module is used for receiving information to be verified sent by the service application;
the verification module is used for verifying the information to be verified and signing the obtained verification result through the stored signature verification private key to obtain signature information;
and the sending module is used for sending the signature information to the second execution unit through the service application so as to enable the second execution unit to verify the signature information through a signature verification public key corresponding to the signature verification private key, and after the signature information passes the verification, performing service authorization according to the verification result.
23. The apparatus of claim 22, the business application running in the first secure environment.
24. The apparatus of claim 22, the receiving module to receive the dynamic parameters sent by the second execution unit through the service application.
25. The apparatus of claim 24, wherein the verification module is configured to sign the verification result and the dynamic parameter with the signature verification private key to obtain signature information.
26. The apparatus of claim 22 or 25, further comprising:
and the acquisition module acquires the signature verification private key from a first management server corresponding to the device.
27. The apparatus according to claim 26, wherein the obtaining module obtains, from the first management server, a public key certificate of the signing verification public key, where the public key certificate is obtained by the first management server from a certificate authority CA center, and the public key certificate is obtained by the CA center after authenticating the signing verification public key according to a stored CA private key.
28. The apparatus according to claim 27, wherein the sending module sends the public key certificate and the signature information to the second execution unit through the service application, so that the second execution unit verifies the public key certificate through a CA public key acquired from the CA center, and verifies the signature information through a signature verification public key parsed from the public key certificate after determining that the public key certificate passes verification.
29. An apparatus for service authorization, a system of devices including at least a first secure environment and a second secure environment, a first execution unit operating in the first secure environment, the apparatus operating in the second secure environment, the apparatus comprising:
the acquisition module is used for acquiring signature information sent by the first execution unit through the service application, wherein the signature information is obtained after the first execution unit signs a verification result through a signature verification private key, and the verification result is obtained after the first execution unit verifies information to be verified sent by the service application;
and the verification module verifies the signature information through the signature verification public key corresponding to the signature verification private key, and performs service authorization according to the verification result analyzed from the signature information after the signature information is determined to pass the verification.
30. The apparatus according to claim 29, wherein the signature verification public key is acquired by the apparatus from a first management server corresponding to the first execution unit through a second management server corresponding to the apparatus.
31. The apparatus of claim 29, wherein the obtaining module obtains the CA public key from a Certificate Authority (CA) center through a second management server corresponding to the apparatus.
32. The apparatus according to claim 31, wherein the verifying module verifies, by using the CA public key, a public key certificate sent from the service application, where the public key certificate is obtained by the CA center after authenticating the signature verification public key according to a CA private key corresponding to the CA public key, the public key certificate is obtained by the service application from the first executing unit, and the public key certificate is obtained by the first executing unit from the CA center through a first management server corresponding to the first executing unit; and after the public key certificate is confirmed to pass the verification, verifying the signature information through a signature verification public key analyzed from the public key certificate, and after the signature information is confirmed to pass the verification, performing service authorization according to the verification result analyzed from the signature information.
33. The apparatus of claim 32, the apparatus further comprising:
and the sending module is used for sending dynamic parameters to the service application so that the first execution unit signs the verification result and the dynamic parameters acquired from the service application through the signature verification private key to obtain signature information.
34. The apparatus of claim 33, the verification module to verify the public key certificate with the CA public key; after the public key certificate is confirmed to pass verification, verifying the signature information through a signature verification public key analyzed from the public key certificate; and when the signature information is confirmed to pass the verification, verifying the dynamic parameters analyzed from the signature information, and after the dynamic parameters are confirmed to pass the verification, performing service authorization according to the verification result analyzed from the signature information.
35. An apparatus for service authorization comprising one or more memories and a processor, the memories storing programs and configured to perform the following steps by the one or more processors:
acquiring information to be verified, and sending the information to be verified to a first execution unit for verification, wherein the first execution unit operates in a first security environment included in a system of the equipment;
receiving signature information obtained by signing the verification result through a signature verification private key returned by the first execution unit;
and sending the signature information to a second execution unit so that the second execution unit verifies the signature information through a signature verification public key corresponding to the signature verification private key, and after the signature information is verified to be passed, performing service authorization according to a verification result, wherein the second execution unit operates in a second secure environment included in a system of the equipment.
36. An apparatus for service authorization comprising one or more memories and a processor, the memories storing programs and configured to perform the following steps by the one or more processors:
a first execution unit receives information to be verified sent by a service application, wherein the first execution unit operates in a first security environment included in a system of the equipment;
verifying the information to be verified, and signing the obtained verification result through a stored signature verification private key to obtain signature information;
and sending the signature information to a second execution unit through the service application so that the second execution unit verifies the signature information through a signature verification public key corresponding to the signature verification private key, and after the signature information passes the verification, performing service authorization according to the verification result, wherein the second execution unit operates in a second secure environment included in a system of the equipment.
37. An apparatus for service authorization comprising one or more memories and a processor, the memories storing programs and configured to perform the following steps by the one or more processors:
a second execution unit obtains signature information sent by a first execution unit through a service application, wherein the signature information is obtained after the first execution unit signs a verification result through a signature verification private key, and the verification result is obtained after the first execution unit verifies information to be verified sent by the service application, wherein the first execution unit operates in a first secure environment included in a system of the equipment, and the second execution unit operates in a second secure environment included in the system of the equipment;
and verifying the signature information through a signature verification public key corresponding to the signature verification private key, and after the signature information is determined to pass the verification, performing service authorization according to the verification result analyzed from the signature information.
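The flow recited in claims 5 to 17 (the first execution unit signs the verification result together with the dynamic parameter; the second execution unit checks the public key certificate, then the signature, then the dynamic parameter, and only then authorizes) can be sketched as follows. This is an added example, not code from the patent: Ed25519, the toy certificate (a bare CA signature over the public key), the one-byte result encoding and all type and function names are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

type (
	Assertion struct { // relayed by the service application from TEE to SE
		Result     byte   // 1 = information to be verified matched
		Nonce, Sig []byte // Sig covers Result || Nonce
		Cert       Cert   // toy public key certificate
	}
	Cert struct{ Pub, CASig []byte }       // CASig: the CA's signature over Pub
	TEE  struct{ priv, pub, caSig []byte } // first execution unit
	SE   struct{ caPub, pending []byte }   // second execution unit; pending = unused nonce
)

// Provision stands in for the management servers and the CA center.
func Provision() (*TEE, *SE) {
	caPub, caPriv, err1 := ed25519.GenerateKey(rand.Reader)
	pub, priv, err2 := ed25519.GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	return &TEE{priv, pub, ed25519.Sign(caPriv, pub)}, &SE{caPub: caPub}
}

// Sign binds the verification result to the SE's nonce under the TEE private key.
func (t *TEE) Sign(result byte, nonce []byte) Assertion {
	sig := ed25519.Sign(t.priv, append([]byte{result}, nonce...))
	return Assertion{result, nonce, sig, Cert{t.pub, t.caSig}}
}

// NewNonce issues a fresh random dynamic parameter and remembers it.
func (s *SE) NewNonce() []byte {
	s.pending = make([]byte, 16)
	if _, err := rand.Read(s.pending); err != nil {
		panic(err)
	}
	return append([]byte(nil), s.pending...)
}

// Authorize checks the certificate, the signature, the nonce, then the result.
func (s *SE) Authorize(a Assertion) error {
	if len(a.Cert.Pub) != ed25519.PublicKeySize || !ed25519.Verify(s.caPub, a.Cert.Pub, a.Cert.CASig) {
		return errors.New("public key certificate rejected")
	}
	if !ed25519.Verify(a.Cert.Pub, append([]byte{a.Result}, a.Nonce...), a.Sig) {
		return errors.New("signature information rejected")
	}
	if s.pending == nil || !bytes.Equal(a.Nonce, s.pending) {
		return errors.New("dynamic parameter rejected")
	}
	s.pending = nil // single use: a replayed assertion fails the nonce check
	if a.Result != 1 {
		return fmt.Errorf("verification result %d is not a pass", a.Result)
	}
	return nil
}

func main() {
	tee, se := Provision()
	a := tee.Sign(1, se.NewNonce())
	fmt.Println("first use:", se.Authorize(a), "| replay:", se.Authorize(a))
}
```

Because the result and the nonce are covered by one signature, a relaying service application can neither flip a failed result to a pass nor resubmit an earlier signed pass.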
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| HK18112803.2A HK1254025B (en) | 2018-10-08 | Business authorization method, device and apparatus |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| HK1254025A1 (en) | 2019-07-12 |
| HK1254025B (en) | 2021-03-05 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PC | Patent ceased (i.e. patent has lapsed due to the failure to pay the renewal fee) | Effective date: 20241120 |