SIGNATURE AUTHENTICATION METHODS AND APPARATUSES

Information

  • Patent Application
  • 20250112784
  • Publication Number
    20250112784
  • Date Filed
    December 13, 2024
  • Date Published
    April 03, 2025
Abstract
Embodiments of this specification provide signature authentication methods and apparatuses. A service private key for signature authentication is embedded in a trusted execution environment (TEE) of a terminal device in which a client device is located. In an implementation, a method includes the following. The client device sends a signature authentication request to a server. The client device receives authentication data information sent from the server. The client device encrypts the authentication data information by using a key that is pre-synchronized with the TEE. The client device sends encrypted authentication data information to the TEE. The client device then receives the signature data sent from the TEE and sends the signature data to the server.
Description
TECHNICAL FIELD

One or more embodiments of this specification relate to network communication technologies, and in particular, to signature authentication methods and apparatuses.


BACKGROUND

With development of Internet technologies, biometric feature identification has been used as an identity authentication method in many service scenarios. To be specific, a biometric feature of a user, such as fingerprint information or face information, is used instead of a password manually entered by the user, such as a password in a digital/alphabetic form, to authenticate an identity of the user.


To ensure convenience, security, and credibility of biometric feature identification as an identity authentication method, a new signature authentication technology, referred to as Internet Finance Authentication Alliance (IFAA), has emerged. Referring to FIG. 1, in the new signature technology, a service private key is embedded in a trusted execution environment (TEE) of a terminal device such as a mobile phone before delivery of the terminal device, and a client device and the TEE cooperate to complete signing. In various service scenarios such as face authentication, the terminal device can sign based on the new signature authentication technology. A server performs authentication on signatures, and provides services after the authentication succeeds.


However, current signature authentication methods are not secure enough.


SUMMARY

One or more embodiments of this specification describe signature authentication methods and apparatuses, which can improve security of signature authentication.


According to a first aspect, a signature authentication method is provided, applied to a client device. A service private key required for signature authentication is embedded in a TEE of a terminal device in which the client device is located, and the TEE performs verification on a biometric feature of a user. The method includes: The client device sends a signature authentication request to a server. The client device receives authentication data information sent from the server. The client device encrypts the authentication data information by using a key that is synchronized with the TEE in advance. The client device sends encrypted authentication data information to the TEE. The client device receives signature data sent from the TEE and sends the signature data to the server.


The method further includes: In a process in which the client device initiates registration to the server, the client device generates the key. In the process in which the client device initiates registration to the server, the client device stores the key, and sends the key to the TEE to synchronize the key with the TEE.


The sending the key to the TEE includes: The client device sends the key to the TEE when sending a registration response data field to the TEE.


The method further includes: The client device obtains a key ID of the key when generating the key; and synchronizes the key ID of the key to the TEE. The step that the client device sends encrypted authentication data information to the TEE further includes: The client device sends the key ID of the key to the TEE.


According to a second aspect, a signature authentication method is provided, applied to a TEE of a terminal device. A service private key required for signature authentication is embedded in the TEE. The method includes: The TEE receives encrypted authentication data information sent by a client device. The TEE decrypts the authentication data information by using a key that is synchronized with the client device in advance. The TEE receives a biometric feature input by a user. The TEE determines whether the authentication data information can be successfully decrypted, and if yes, generates to-be-signed data after biometric feature verification succeeds. The TEE signs for the to-be-signed data by using the embedded service private key, to obtain signature data. The TEE sends the signature data to the client device.


The method further includes: in a process in which the client device initiates registration to a server, receiving the key sent from the client device to synchronize the key with the client device.


A method for synchronizing the key with the client device in advance includes: receiving the key and an ID of the key that are sent from the client device, and storing a correspondence between the key and the key ID. The determining whether the authentication data information can be successfully decrypted includes: determining whether a key ID sent by the client device is received; and if not, determining that the authentication data information cannot be successfully decrypted, and ending a current procedure; or if yes, retrieving, by using the key ID sent by the client device, a key corresponding to the key ID; and decrypting the authentication data information by using the retrieved key.


According to a third aspect, a signature authentication apparatus is provided, applied to a client device. A service private key required for signature authentication is embedded in a TEE of a terminal device in which the client device is located, and the TEE performs verification on a biometric feature of a user. The apparatus includes: an authentication request module, configured to send a signature authentication request to a server; a receiving module, configured to receive authentication data information sent from the server; an encryption module, configured to encrypt the authentication data information by using a key that is synchronized with the TEE in advance; a sending module, configured to send encrypted authentication data information to the TEE; and a signature data processing module, configured to receive signature data sent from the TEE and send the signature data to the server.


According to a fourth aspect, a signature authentication apparatus is provided, applied to a TEE of a terminal device. A service private key required for signature authentication is embedded in the TEE. The apparatus includes: an encrypted information acquisition module, configured to receive encrypted authentication data information sent by a client device; a decryption module, configured to decrypt the authentication data information by using a key that is synchronized with the client device in advance; a biometric feature receiving module, configured to receive a biometric feature input by a user; a verification module, configured to: determine whether the authentication data information can be successfully decrypted, and perform verification on the biometric feature input by the user; a to-be-signed data generation module, configured to: after it is determined that the authentication data information can be successfully decrypted, and the biometric feature verification succeeds, generate to-be-signed data based on the authentication data information; and a signature data acquisition module, configured to sign for the to-be-signed data by using the embedded service private key, to obtain signature data; and send the signature data to the client device.


According to a fifth aspect, a computing device is provided, including a memory and a processor. The memory stores executable code, and when executing the executable code, the processor implements the method according to any one of the embodiments of this specification.


The signature authentication methods and apparatuses provided in the embodiments of this specification have at least the following beneficial effects:


1. In the embodiments of this specification, an existing signature authentication process is modified. During signature authentication, an authorized client device does not directly send authentication data information to a TEE, but first encrypts to-be-signed data by using a key synchronized with the TEE. In the TEE, signing requires more than a biometric feature verification success. Signing is performed after the biometric feature verification succeeds only when the following conditions are met: first, the sent authentication data information needs to be encrypted; and second, the authentication data information can be successfully decrypted. Therefore, the methods in the embodiments of this specification ensure that an identity of a client device that invokes a software development kit (SDK) of a signature authentication interface is authorized, that is, only an authorized client device (the authorized client device is a client device that can encrypt authentication data information by using a correct key) can enable the TEE to complete signing. Because an attacker cannot obtain the key, the attacker cannot successfully encrypt the authentication data information. Therefore, the TEE does not sign for data sent by the attacker, thereby ensuring that a signature is not abused.


2. Because it is difficult for the TEE to generate user interface interaction with a rich execution environment (REE), it is difficult to determine whether a signature authentication request currently initiated by a client device is an authorized request of a previously registered authorized client device. According to the methods in the embodiments of this specification, it can be effectively ensured that a client device that initially performs password-free registration and a client device that initiates subsequent password-free verification are a same client device.


3. The embodiments of this specification can prevent a trojan or another malicious APP from impersonating an authorized APP to perform a local signature authentication process, i.e., a password-free verification process.





BRIEF DESCRIPTION OF DRAWINGS

To describe the technical solutions in the embodiments of this specification or the related art more clearly, the following briefly describes accompanying drawings required for describing the embodiments or the related art. Clearly, the accompanying drawings in the following description show some embodiments of this specification, and a person of ordinary skill in the art may still derive other drawings from these accompanying drawings without creative efforts.



FIG. 1 is a schematic structural diagram illustrating a terminal device;



FIG. 2 is a schematic diagram illustrating a system structure to which one or more embodiments of this specification are applied;



FIG. 3 is a flowchart illustrating a signature authentication method performed by a client device, according to one or more embodiments of this specification;



FIG. 4 is a flowchart illustrating a signature authentication method performed by a TEE, according to one or more embodiments of this specification;



FIG. 5 is a flowchart illustrating IFAA registration and an IFAA signature authentication method performed by a client device and a TEE cooperatively, according to one or more embodiments of this specification;



FIG. 6 is a schematic structural diagram illustrating a signature authentication apparatus applied to a client device, according to one or more embodiments of this specification; and



FIG. 7 is a schematic structural diagram illustrating a signature authentication apparatus applied to a TEE, according to one or more embodiments of this specification.





DESCRIPTION OF EMBODIMENTS

Referring to FIG. 1, in a signature authentication process, a client device sends related information to a TEE, and an authentication module (authenticator) in the TEE signs for to-be-signed data by using an embedded service private key provided that the TEE detects a correct biometric feature (such as fingerprint or face information) of a user. An attacker may exploit this characteristic. For example, the attacker can download a software development kit (SDK) from the Internet, and send related protocol-compliant information to a TEE of a terminal device uninterruptedly. In this case, if the terminal device such as a mobile phone is screen locked or powered off, and a user needs to unlock the screen of the terminal device through fingerprint input or face scanning, because the user neither knows that the attacker is continuously sending a packet to the TEE, nor knows that the attacker will use biometric feature information input by the user, the user inputs a fingerprint or scans a face. In this way, the TEE receives signature-related information sent from the attacker, and detects correct biometric feature data of the user, and the TEE signs by using a service private key. Consequently, the attacker acquires a signature of the authorized user, and attacks by using the signature, for example, performs service login or payment by counterfeiting the authorized user.


It can be seen that the signature authentication process in the related art is not secure.


The following describes, with reference to the accompanying drawings, the solutions provided in this specification.


It should first be noted that the terms used in the embodiments of this application are merely used to describe specific embodiments, and are not intended to limit this application. The terms “a”, “an”, and “the” of singular forms used in the embodiments of this application and the appended claims are intended to include plural forms, unless otherwise specified in the context clearly.


Understandably, the term “and/or” used in this specification merely describes an association relationship between associated objects and indicates that three relationships can exist. For example, A and/or B can indicate the following three cases: Only A exists, both A and B exist, and only B exists. In addition, the character “/” in this specification usually indicates an “or” relationship between the associated objects.


To facilitate understanding of the methods provided in this specification, a related system architecture applicable to this specification is described first. As shown in FIG. 2, the system architecture mainly includes a terminal device and a server. The terminal device includes a TEE and various client devices.


The client devices are installed and run in the terminal device. The terminal device can include but is not limited to an intelligent mobile terminal, a smart household device, a network device, a wearable device, a smart medical device, a personal computer (PC), etc. The intelligent mobile device can include a mobile phone, a tablet computer, a notebook computer, a personal digital assistant (PDA), an Internet vehicle, etc. The smart household device can include a smart appliance device, such as a smart TV, a smart air conditioner, a smart water heater, a smart refrigerator, a smart air purifier, etc. The smart household device can further include a smart door lock, a smart socket, a smart light, a smart camera, etc. The network device can include a switch, a wireless AP, a server, etc. The wearable device can include a smart watch, smart glasses, a smart band, a virtual reality device, an augmented reality device, a hybrid reality device (i.e., a device that can support virtual reality and augmented reality), etc. The smart medical device can include a smart thermometer, a smart blood pressure monitor, a smart blood glucometer, etc.


The client devices can be various types of applications (APPs), including but not limited to a payment application, a multimedia playback application, a map application, a text editing application, a financial application, a browser application, an instant messaging application, etc.


The server is a serving-end device of a provider that provides network services, and can be a single server, or a server group including a plurality of servers. The server is responsible for providing network services for various applications, for example, security authentication and network service level management.


Understandably, quantities of client devices, terminal devices, and servers in FIG. 2 are merely examples. Any quantity can be selected and disposed based on implementation needs.


In the embodiments of this specification, a signature authentication related procedure performed by the client device and the TEE is mainly modified, to improve security of signature authentication. To be specific, the embodiments of this specification include processing of the client device in the terminal device and processing of the TEE in the terminal device, which are separately described below in different embodiments.



FIG. 3 is a flowchart illustrating a signature authentication method performed by a client device, according to one or more embodiments of this specification. The method is performed by a client device in a terminal device. A service private key required for signature authentication is embedded in a TEE of the terminal device in which the client device is located, and the TEE performs verification on a biometric feature of a user. Understandably, the method can also be performed by any apparatus, device, platform, device cluster, etc. having computing and processing capabilities. Referring to FIG. 3, the method includes step 301 to step 309.


Step 301: The client device sends a signature authentication request to a server.


Step 303: The client device receives authentication data information sent from the server.


Step 305: The client device encrypts the authentication data information by using a key that is synchronized with the TEE in advance.


Step 307: The client device sends encrypted authentication data information to the TEE.


Step 309: The client device receives signature data sent from the TEE and sends the signature data to the server.



FIG. 4 is a flowchart illustrating a signature authentication method performed by a TEE, according to one or more embodiments of this specification. The method is performed by a TEE in a terminal device, and a service private key required for signature authentication is embedded in the TEE. Understandably, the method can also be performed by any apparatus, device, platform, device cluster, etc. having computing and processing capabilities. Referring to FIG. 4, the method includes step 401 to step 415.


Step 401: The TEE receives encrypted authentication data information sent by a client device.


Step 403: The TEE decrypts the authentication data information by using a key that is synchronized with the client device in advance.


Step 405: The TEE receives a biometric feature input by a user.


Step 407: The TEE determines whether the authentication data information can be successfully decrypted, and if yes, performs step 411; otherwise, performs step 409.


Step 409: The TEE refuses to sign and ends a current procedure.


Step 411: If verification on the biometric feature succeeds, the TEE generates to-be-signed data based on the authentication data information.


Step 413: The TEE signs for the to-be-signed data by using the embedded service private key, to obtain signature data.


Step 415: The TEE sends the signature data to the client device.


It can be seen from the procedures shown in FIG. 3 and FIG. 4 that, in the embodiments of this specification, an existing signature authentication process is modified. During signature authentication, an authorized client device does not directly send authentication data information to a TEE, but first encrypts the authentication data information by using a key synchronized with the TEE, and then sends the authentication data information to the TEE. In the TEE, after signature-related information sent from outside is received, signing requires more than a biometric feature verification success. Signing is performed after the biometric feature verification succeeds only when the following two conditions are met: first, the sent signature-related information, i.e., the authentication data information, needs to be encrypted; and second, the authentication data information can be successfully decrypted. Therefore, the methods in the embodiments of this specification ensure that an identity of a client device that invokes an SDK of a signature authentication interface is authorized, that is, only an authorized client device (the authorized client device is a client device that can encrypt authentication data information by using a correct key) can enable the TEE to complete signing. Because an attacker cannot obtain the key, the attacker cannot successfully encrypt the authentication data information. Therefore, the TEE does not sign for authentication data information sent by the attacker, thereby ensuring that a signature is not abused.


In the processes shown in FIG. 3 and FIG. 4, the authorized client device needs to synchronize the key with the TEE in advance. In one or more embodiments of this specification, the key can be synchronized between the authorized client device and the TEE in a registration process initiated by the client device to the server (the registration process can be as follows: an authorized user inputs a fingerprint or scans a face to log in to a service provided by an application). A difference between the authorized client device and the attacker is that an identity of the attacker is unauthorized and the attacker cannot complete a registration process initiated to the server, while an identity of the authorized client device such as an application is authorized, and therefore, the authorized client device can complete a registration process initiated to the server. Therefore, in the registration process, the key can be synchronized between the authorized client device and the TEE, while the attacker cannot synchronize a key with the TEE through a registration process.


Therefore, in one or more embodiments of this specification, in a process in which the client device initiates registration to the server, the client device generates the key. In the process in which the client device initiates registration to the server, the client device stores the key, and sends the key to the TEE. In the process in which the client device initiates registration to the server, the TEE receives the key sent from the client device. In this way, the key is synchronized between the client device and the TEE. For example, the client device sends the key to the TEE when sending a registration response data field to the TEE.


In the embodiments of this specification, there are a plurality of service scenarios, that is, the TEE may need to sign for data of different client devices in different service scenarios. Therefore, different client devices/different service scenarios correspond to different keys. To distinguish between keys, each authorized client device generates an ID of a key when generating the key, and sends the identifier (ID) of the key to the TEE when synchronizing the key to the TEE. In other words, the client device synchronizes both the key and the key ID to the TEE. The TEE receives the key and the ID of the key that are sent from the client device, and stores a correspondence between the key and the key ID. In this way, in the process shown in FIG. 4, an implementation process in which the TEE determines whether the authentication data information can be successfully decrypted includes: The TEE determines whether a key ID sent by the client device is received. If not, the TEE determines that the authentication data information cannot be successfully decrypted, and ends a current procedure. If yes, the TEE retrieves, by using the key ID sent by the client device, a key corresponding to the key ID; and the TEE decrypts the authentication data information by using the retrieved key.


Using the above-mentioned IFAA protocol as an example, the following uses a specific example to describe how a client device and a TEE cooperatively implement an IFAA signature authentication method. Referring to FIG. 5, the method includes two procedures. A first procedure is a process performed in advance in which an authorized client device initiates IFAA registration to a server. A key and a key ID are synchronized between the client device and the TEE in the IFAA registration process. A second procedure is an IFAA signature authentication process. Referring to FIG. 5, the method includes step 501 to step 533.


Step 501: A client device 1 initiates an IFAA registration request to a server.


Step 501 can be an IFAA registration request initiated by a user when the user needs to enable a password-free payment function of the client device 1, such as a shopping APP, and turns to fingerprint payment or face payment.


Step 503: The client device 1 generates a key subsequently used for IFAA signature authentication and an ID of the key, and stores the key and the ID of the key.


Step 505: After receiving the IFAA registration request, the server serving the client device 1 returns a registration response data field, i.e., a RegisterRespData field, to the client device 1.


Step 507: The client device 1 sends the RegisterRespData field, the key, and the key ID to a TEE.


Step 509: The TEE stores a correspondence between the received key and key ID.


In one or more embodiments of this specification, an IFAA authentication module, denoted as IFAA authenticator, in the TEE can store the correspondence between the key and the key ID.


Then, a subsequent registration procedure to be performed is the same as that in the related art.


It can be seen that through step 503, step 507, and step 509 in which the authorized client device initiates the IFAA registration process to the server, the key and the ID of the key are synchronized between the client device 1 and the TEE.


Step 511: When the user performs a service program function, such as shopping, by using the client device 1, the client device 1 sends an IFAA signature authentication request to the server.


Step 513: The server returns an authentication request response data field, i.e., an AuthReqRespData field, to the client device 1.


Step 515: The client device 1 encrypts the AuthReqRespData field by using the key generated in step 503.


Step 517: The client device 1 sends an encrypted AuthReqRespData field and the key ID of the key to the TEE.


Step 519: The TEE retrieves, based on the received key ID, the key corresponding to the key ID.


Step 521: The TEE decrypts the encrypted AuthReqRespData field by using the retrieved key.


Step 523: The TEE determines whether the AuthReqRespData field can be successfully decrypted, and if yes, performs step 527; otherwise, performs step 525.


Step 525: The TEE refuses to perform IFAA signing and ends a current procedure.


Step 527: The TEE performs biometric feature verification.


Step 529: If the biometric feature verification succeeds, the TEE generates to-be-signed data based on the AuthReqRespData field.


Step 531: The TEE signs for the to-be-signed data by using an IFAA service private key, to obtain IFAA signature data, and sends the IFAA signature data to the client device 1.


Step 533: The client device 1 receives the IFAA signature data sent from the TEE, and sends the signature data to the server.


Then, IFAA signature authentication can be performed based on an IFAA signature authentication process of the related art.


In this embodiment of this specification, it can be verified whether an APP that performs password-free verification and an APP that actually registers are a same APP, to prevent malicious behavior between different APPs on a same mobile phone.
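The FIG. 5 flow (key and key ID synchronization in steps 503 to 509, then the TEE-side checks in steps 519 to 531) as an added Go example; it is not code from the specification. Assumptions: AES-256-GCM as the cipher (the specification names none, and an authenticated mode is what makes "can be successfully decrypted" a testable condition), Ed25519 standing in for the IFAA service private key, a boolean standing in for biometric verification, and the names TEE, Register, ClientEncrypt, Sign and Demo, which are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

var (
	ErrNoKeyID   = errors.New("tee: missing or unknown key ID, refusing to sign")
	ErrDecrypt   = errors.New("tee: authentication data did not decrypt, refusing to sign")
	ErrBiometric = errors.New("tee: biometric verification failed")
)

// TEE models the authenticator: embedded service key plus the key ID -> key table.
type TEE struct {
	servicePriv ed25519.PrivateKey
	ServicePub  ed25519.PublicKey
	keys        map[string][]byte
}

func NewTEE() *TEE {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &TEE{servicePriv: priv, ServicePub: pub, keys: map[string][]byte{}}
}

// Register stores the key ID -> key correspondence (steps 507-509).
func (t *TEE) Register(keyID string, key []byte) { t.keys[keyID] = append([]byte(nil), key...) }

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ClientEncrypt is step 515; it returns nonce || ciphertext || tag. Binding the
// key ID as associated data is this example's choice, not stated on the page.
func ClientEncrypt(key []byte, keyID string, authData []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, authData, []byte(keyID)), nil
}

// Sign is steps 519-531. biometricOK stands in for the TEE's own biometric check.
func (t *TEE) Sign(keyID string, sealed []byte, biometricOK bool) ([]byte, error) {
	key, ok := t.keys[keyID]
	if !ok {
		return nil, ErrNoKeyID // no key ID sent, or one that was never registered
	}
	aead, err := newAEAD(key)
	if err != nil || len(sealed) < aead.NonceSize() {
		return nil, ErrDecrypt
	}
	n := aead.NonceSize()
	authData, err := aead.Open(nil, sealed[:n], sealed[n:], []byte(keyID))
	if err != nil {
		return nil, ErrDecrypt // step 525: wrong key, bare plaintext, or tampering
	}
	if !biometricOK {
		return nil, ErrBiometric
	}
	// Assumption: the to-be-signed data is the decrypted field itself.
	return ed25519.Sign(t.servicePriv, authData), nil
}

// Demo runs one authorized request and three refused ones on constructed data.
func Demo() (verified bool, noID, wrongKey, noBio error) {
	tee := NewTEE()
	appKey, rogueKey := make([]byte, 32), make([]byte, 32)
	rand.Read(appKey)
	rand.Read(rogueKey)
	tee.Register("app1-key1", appKey) // registration, steps 503-509
	field := []byte("AuthReqRespData (constructed sample)")
	sealed, _ := ClientEncrypt(appKey, "app1-key1", field)
	sig, err := tee.Sign("app1-key1", sealed, true)
	verified = err == nil && ed25519.Verify(tee.ServicePub, field, sig)
	_, noID = tee.Sign("", field, true) // unregistered caller while the user unlocks
	forged, _ := ClientEncrypt(rogueKey, "app1-key1", field)
	_, wrongKey = tee.Sign("app1-key1", forged, true)
	_, noBio = tee.Sign("app1-key1", sealed, false)
	return verified, noID, wrongKey, noBio
}

func main() { fmt.Println(Demo()) }
```

The two refusals with `biometricOK` set to true correspond to the case described for FIG. 1: the user's biometric input is valid, yet no signature is produced because the caller never synchronized a key with the TEE.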


In one or more embodiments of this specification, a signature authentication apparatus is provided, applied to a client device. A service private key required for signature authentication is embedded in a TEE of a terminal device in which the client device is located, and the TEE performs verification on a biometric feature of a user. Referring to FIG. 6, the apparatus includes: an authentication request module 601, configured to send a signature authentication request to a server; a receiving module 602, configured to receive authentication data information sent from the server; an encryption module 603, configured to encrypt the authentication data information by using a key that is synchronized with the trusted execution environment (TEE) in advance; a sending module 604, configured to send encrypted authentication data information to the TEE; and a signature data processing module 605, configured to receive signature data sent from the TEE and send the signature data to the server.


In one or more embodiments of the apparatus shown in FIG. 6 in this specification, the apparatus further includes a registration module (not shown in the figure).


The registration module is configured to: in a process in which the client device initiates registration to the server, generate and store the key, and send the key to the TEE to synchronize the key with the TEE.


In one or more embodiments of the apparatus shown in FIG. 6 in this specification, the registration module is configured to: send the key to the TEE when a registration response data field is sent to the TEE.


In one or more embodiments of the apparatus shown in FIG. 6 in this specification, the sending module 604 is further configured to send an identifier (ID) of the key used during the encryption to the TEE.


In one or more embodiments of this specification, a signature authentication apparatus is provided, applied to a TEE of a terminal device. A service private key required for signature authentication is embedded in the TEE. Referring to FIG. 7, the apparatus includes: an encrypted information acquisition module 701, configured to receive encrypted authentication data information sent by a client device; a decryption module 702, configured to decrypt the authentication data information by using a key that is synchronized with the client device in advance; a biometric feature receiving module 703, configured to receive a biometric feature input by a user; a verification module 704, configured to: determine whether the authentication data information can be successfully decrypted, and perform verification on the biometric feature input by the user; a to-be-signed data generation module 705, configured to: after it is determined that the authentication data information can be successfully decrypted, and the biometric feature verification succeeds, generate to-be-signed data based on the authentication data information; and a signature data acquisition module 706, configured to sign for the to-be-signed data by using the embedded service private key, to obtain signature data; and send the signature data to the client device.


In one or more embodiments of the apparatus shown in FIG. 7 in this specification, the apparatus further includes a key synchronization module (not shown in the figure). The key synchronization module is configured to: in a process in which the client device initiates registration to a server, receive the key sent from the client device to synchronize the key with the client device.


In one or more embodiments of the apparatus shown in FIG. 7 in this specification, the key synchronization module is configured to: receive the key and an ID of the key that are sent from the client device, and store a correspondence between the key and the key ID. The verification module 704 is configured to: determine whether a key ID sent by the client device is received; and if not, determine that the authentication data information cannot be successfully decrypted, and end a current procedure; or if yes, retrieve, by using the key ID sent by the client device, a key corresponding to the key ID; and decrypt the authentication data information by using the retrieved key.


Notably, the above-mentioned apparatuses are generally implemented on a server side, and can be separately disposed on independent servers, or a combination of a part or all of the apparatuses can be disposed on a same server. The server can be a single server, or a server cluster including a plurality of servers. The server can be a cloud server, or referred to as a cloud computing server or a cloud host, and is a host product in a cloud computing service system. The above-mentioned apparatuses can also be implemented in a computer terminal that has a strong computing capability.


One or more embodiments of this specification provide a computer-readable storage medium. The computer-readable storage medium stores a computer program. When the computer program is executed in a computer, the computer is enabled to perform the method according to any one of the embodiments of this specification.


One or more embodiments of this specification provide a computing device, including a memory and a processor. The memory stores executable code, and when executing the executable code, the processor implements the method according to any one of the embodiments of this specification.


Understandably, the structures shown in the embodiments of this specification constitute no specific limitations on the apparatuses in the embodiments of this specification. In some other embodiments of this specification, the above-mentioned apparatuses may include more or fewer components than those shown in the figures, or may combine some components, or may split some components, or may have different component arrangements. The illustrated components can be implemented by hardware, software, or a combination of software and hardware.


The embodiments of this specification are described in a progressive way. For same or similar parts of the embodiments, mutual references can be made to the embodiments. Each embodiment focuses on a difference from other embodiments. In particular, the apparatus embodiments are basically similar to the method embodiments, and therefore are described briefly. For related parts, references can be made to related descriptions in the method embodiments.


A person skilled in the art should be aware that in the above-mentioned one or more examples, functions described in this application can be implemented by hardware, software, firmware, or any combination thereof. When the functions are implemented by software, these functions can be stored in a computer-readable medium or transmitted as one or more instructions or code in a computer-readable medium.


The specific implementations described above further describe the purposes, technical solutions, and beneficial effects of this application. Understandably, the descriptions above are merely specific implementations of this application and are not intended to limit the protection scope of this application. Any modification, equivalent replacement, or improvement made based on the technical solutions of this application shall fall within the protection scope of this application.

Claims
  • 1. A signature authentication method, comprising: sending, by a client device, a signature authentication request to a server; receiving, by the client device, authentication data information sent from the server; encrypting, by the client device, the authentication data information by using a key that is pre-synchronized with a trusted execution environment (TEE) or a terminal device; sending, by the client device, encrypted authentication data information to the TEE; receiving, by the client device, signature data sent from the TEE; and sending, by the client device, the signature data to the server.
  • 2. The method according to claim 1, wherein the method further comprises: during a process of server registration: generating, by the client device, the key during a process of initiating registration to the server; storing, by the client device, the key; and sending, by the client device, the key to the TEE to synchronize the key with the TEE.
  • 3. The method according to claim 2, wherein the sending the key to the TEE comprises: sending, by the client device, the key to the TEE when sending a registration response data field to the TEE.
  • 4. The method according to claim 2, wherein the method further comprises: obtaining, by the client device, a key ID of the key when generating the key; synchronizing, by the client device, the key ID of the key to the TEE; and sending, by the client device, the key ID to the TEE.
  • 5. A signature authentication apparatus, comprising: at least one processor; and one or more memories coupled to the at least one processor and storing programming instructions for execution by the at least one processor to perform operations comprising: sending a signature authentication request to a server; receiving authentication data information sent from the server; encrypting the authentication data information by using a key that is pre-synchronized with a trusted execution environment (TEE) or a terminal device; sending encrypted authentication data information to the TEE; receiving signature data sent from the TEE; and sending the signature data to the server.
  • 6. The apparatus according to claim 5, wherein the operations further comprise: during a process of server registration: generating the key during a process of initiating registration to the server; storing the key; and sending the key to the TEE to synchronize the key with the TEE.
  • 7. The apparatus according to claim 6, wherein the sending the key to the TEE comprises: sending the key to the TEE when sending a registration response data field to the TEE.
  • 8. The apparatus according to claim 6, wherein the operations further comprise: obtaining a key ID of the key when generating the key; synchronizing the key ID of the key to the TEE; and sending the key ID to the TEE.
  • 9. A non-transitory, computer-readable medium storing one or more instructions executable by at least one processor to perform operations comprising: sending, by a client device, a signature authentication request to a server; receiving, by the client device, authentication data information sent from the server; encrypting, by the client device, the authentication data information by using a key that is pre-synchronized with a trusted execution environment (TEE) or a terminal device; sending, by the client device, encrypted authentication data information to the TEE; receiving, by the client device, signature data sent from the TEE; and sending, by the client device, the signature data to the server.
  • 10. The non-transitory, computer-readable medium according to claim 9, wherein the operations further comprise: during a process of server registration: generating, by the client device, the key during a process of initiating registration to the server; storing, by the client device, the key; and sending, by the client device, the key to the TEE to synchronize the key with the TEE.
  • 11. The non-transitory, computer-readable medium according to claim 10, wherein the sending the key to the TEE comprises: sending, by the client device, the key to the TEE when sending a registration response data field to the TEE.
  • 12. The non-transitory, computer-readable medium according to claim 10, wherein the operations further comprise: obtaining, by the client device, a key ID of the key when generating the key; synchronizing, by the client device, the key ID of the key to the TEE; and sending, by the client device, the key ID to the TEE.
Priority Claims (1)
  • Number: 202211673944.6; Date: Dec 2022; Country: CN; Kind: national
CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of PCT Application No. PCT/CN2023/127184, filed on Oct. 27, 2023, which claims priority to Chinese Patent Application No. 202211673944.6, filed on Dec. 26, 2022, and each application is hereby incorporated by reference in its entirety.

Continuations (1)
  • Parent: PCT/CN2023/127184; Date: Oct 2023; Country: WO
  • Child: 18979840; Country: US