CN115001817B - An offline identity recognition method, device and equipment - Google Patents
- Publication number
- CN115001817B CN202210618724.7A
- Authority
- CN
- China
- Prior art keywords
- execution environment
- target user
- offline
- offline identification
- identity
- Prior art date
- Legal status
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0861—Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/12—Details relating to cryptographic hardware or logic circuitry
- H04L2209/127—Trusted platform modules [TPM]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Health & Medical Sciences (AREA)
- Biomedical Technology (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Collating Specific Patterns (AREA)
Abstract
The embodiments of this specification disclose an offline identity recognition method, device and equipment. The method is applied to a terminal device and comprises the following steps: identifying the identity of a target user based on reference user biometric information and the user biometric information of the target user and, if the identification passes, transmitting the user biometric information to a second offline identification trusted application in a trusted execution environment through a first offline identification trusted application in the trusted execution environment; in the trusted execution environment, verifying the identity of the target user through the second offline identification trusted application and, if the identity verification passes, creating authentication data, signing the authentication data with a first service key, transmitting the signed authentication data to the first offline identification trusted application through the second offline identification trusted application, performing signature verification on the signed authentication data through the first offline identification trusted application, and determining an offline identity recognition result of the target user based on the signature verification result.
Description
Technical Field
The present document relates to the field of computer technologies, and in particular, to an offline identity recognition method, device and equipment.
Background
Biometric recognition is an indispensable step before or during the execution of many services. Mobile payment is one example: it is currently one of the most frequently used payment methods and makes it convenient for people to transfer resources, but it needs network support, and how to carry out mobile payment safely when the device is offline or the network signal is weak has become a problem that urgently needs to be solved. Solving the offline payment problem in turn requires a means of offline identification. For this reason, it is necessary to provide a more convenient and safer offline identification method.
Disclosure of Invention
The embodiment of the specification aims to provide a more convenient and safer off-line identification mode.
In order to achieve the above technical solution, the embodiments of the present specification are implemented as follows:
The offline identity recognition method provided by the embodiments of this specification is applied to a terminal device and comprises the following steps: identifying the identity of a target user based on pre-stored reference user biometric information and the user biometric information of the target user and, if the identification of the target user passes, transmitting the user biometric information to a second offline identification trusted application in a trusted execution environment through a first offline identification trusted application in the trusted execution environment; in the trusted execution environment, verifying the identity of the target user through the second offline identification trusted application based on the user biometric information and, if the identity verification of the target user passes, creating authentication data and signing the authentication data with a pre-stored first service key to obtain signed authentication data; in the trusted execution environment, transmitting the signed authentication data to the first offline identification trusted application through the second offline identification trusted application, and performing signature verification on the signed authentication data through the first offline identification trusted application to obtain a signature verification result; and determining an offline identification result of the target user based on the signature verification result.
Another offline identity recognition method provided by the embodiments of this specification is applied to a terminal device and comprises the following steps: identifying the identity of a target user based on pre-stored reference user biometric information and the user biometric information of the target user and, if the identification of the target user passes, transmitting the user biometric information to the trusted execution environment through an offline identification trusted application in the trusted execution environment; in the trusted execution environment, verifying the identity of the target user through the offline identification trusted application based on the user biometric information and, if the identity verification of the target user passes, creating authentication data and signing the authentication data with a pre-stored first service key to obtain signed authentication data; in the trusted execution environment, performing signature verification on the signed authentication data to obtain a signature verification result; and determining an offline identification result of the target user based on the signature verification result.
The embodiments of this specification provide an offline identity recognition system comprising a terminal device and a first server. The terminal device is configured to: identify the identity of a target user based on pre-stored reference user biometric information and the user biometric information of the target user; if the identification of the target user passes, transmit the user biometric information to a second offline identification trusted application in a trusted execution environment through a first offline identification trusted application in the trusted execution environment; verify the identity of the target user through the second offline identification trusted application based on the user biometric information; if the identity verification of the target user passes, create authentication data and sign the authentication data with a pre-stored first service key to obtain signed authentication data; transmit the signed authentication data to the first offline identification trusted application through the second offline identification trusted application; perform signature verification on the signed authentication data through the first offline identification trusted application to obtain a signature verification result; and determine an offline identification result of the target user based on the signature verification result. The first server is configured to synchronize related data in the offline identification process of the target user with the first offline identification trusted application in the trusted execution environment in the terminal device.
An offline identity recognition device provided in the embodiments of this specification includes: an information processing module, used for identifying the identity of a target user based on pre-stored reference user biometric information and the user biometric information of the target user and, if the identification of the target user passes, transmitting the user biometric information to a second offline identification trusted application in a trusted execution environment through a first offline identification trusted application in the trusted execution environment; a verification module, used for verifying, in the trusted execution environment, the identity of the target user through the second offline identification trusted application based on the user biometric information and, if the identity verification of the target user passes, creating authentication data and signing the authentication data with a pre-stored first service key to obtain signed authentication data; a signature verification module, used for transmitting, in the trusted execution environment, the signed authentication data to the first offline identification trusted application through the second offline identification trusted application, and performing signature verification on the signed authentication data through the first offline identification trusted application to obtain a signature verification result; and an offline identification module, used for determining an offline identification result of the target user based on the signature verification result.
Another offline identity recognition device provided in the embodiments of this specification includes: an information processing module, used for identifying the identity of a target user based on pre-stored reference user biometric information and the user biometric information of the target user and, if the identification of the target user passes, transmitting the user biometric information to the trusted execution environment through an offline identification trusted application in the trusted execution environment; a verification module, used for verifying, in the trusted execution environment, the identity of the target user through the offline identification trusted application based on the user biometric information and, if the identity verification of the target user passes, creating authentication data and signing the authentication data with a pre-stored first service key to obtain signed authentication data; a signature verification module, used for performing, in the trusted execution environment, signature verification on the signed authentication data to obtain a signature verification result; and an offline identification module, used for determining an offline identification result of the target user based on the signature verification result.
An offline identification device provided in the embodiments of this specification includes a processor and a memory arranged to store computer-executable instructions that, when executed, cause the processor to: identify the identity of a target user based on pre-stored reference user biometric information and the user biometric information of the target user and, if the identification of the target user passes, transmit the user biometric information to a second offline identification trusted application in a trusted execution environment through a first offline identification trusted application in the trusted execution environment; in the trusted execution environment, verify the identity of the target user through the second offline identification trusted application based on the user biometric information and, if the identity verification of the target user passes, create authentication data and sign the authentication data with a pre-stored first service key to obtain signed authentication data; in the trusted execution environment, transmit the signed authentication data to the first offline identification trusted application through the second offline identification trusted application, and perform signature verification on the signed authentication data through the first offline identification trusted application to obtain a signature verification result; and determine an offline identification result of the target user based on the signature verification result.
Another offline identification device provided in the embodiments of this specification includes a processor and a memory arranged to store computer-executable instructions that, when executed, cause the processor to: identify the identity of a target user based on pre-stored reference user biometric information and the user biometric information of the target user and, if the identification of the target user passes, transmit the user biometric information to the trusted execution environment through an offline identification trusted application in the trusted execution environment; in the trusted execution environment, verify the identity of the target user through the offline identification trusted application based on the user biometric information and, if the identity verification of the target user passes, create authentication data and sign the authentication data with a pre-stored first service key to obtain signed authentication data; in the trusted execution environment, perform signature verification on the signed authentication data to obtain a signature verification result; and determine an offline identification result of the target user based on the signature verification result.
This specification also provides a storage medium for storing computer-executable instructions that, when executed by a processor, implement the following: identifying the identity of a target user based on pre-stored reference user biometric information and the user biometric information of the target user and, if the identification of the target user passes, transmitting the user biometric information to a second offline identification trusted application in a trusted execution environment through a first offline identification trusted application in the trusted execution environment; in the trusted execution environment, verifying the identity of the target user through the second offline identification trusted application based on the user biometric information and, if the identity verification of the target user passes, creating authentication data and signing the authentication data with a pre-stored first service key to obtain signed authentication data; in the trusted execution environment, transmitting the signed authentication data to the first offline identification trusted application through the second offline identification trusted application, and performing signature verification on the signed authentication data through the first offline identification trusted application to obtain a signature verification result; and determining an offline identification result of the target user based on the signature verification result.
This specification also provides another storage medium for storing computer-executable instructions that, when executed by a processor, implement the following: identifying the identity of a target user based on pre-stored reference user biometric information and the user biometric information of the target user and, if the identification of the target user passes, transmitting the user biometric information to the trusted execution environment through an offline identification trusted application in the trusted execution environment; in the trusted execution environment, verifying the identity of the target user through the offline identification trusted application based on the user biometric information and, if the identity verification of the target user passes, creating authentication data and signing the authentication data with a pre-stored first service key to obtain signed authentication data; in the trusted execution environment, performing signature verification on the signed authentication data to obtain a signature verification result; and determining an offline identification result of the target user based on the signature verification result.
Drawings
In order to more clearly illustrate the embodiments of the present description or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described below, it being obvious that the drawings in the following description are only some of the embodiments described in the present description, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a diagram illustrating an embodiment of an off-line identification method according to the present disclosure;
FIG. 2 is a schematic diagram of a TEE and REE structure;
FIG. 3 is a schematic diagram of another offline identification process according to the present disclosure;
FIG. 4 is a diagram illustrating another embodiment of an off-line identification method according to the present disclosure;
FIG. 5 is a schematic diagram of an off-line identification process according to the present disclosure;
FIG. 6 is a schematic diagram of an off-line identification system according to the present disclosure;
FIG. 7 is an embodiment of an off-line identification device according to the present disclosure;
FIG. 8 is a diagram of another embodiment of an off-line identification device according to the present disclosure;
FIG. 9 is an embodiment of an off-line identification device according to the present disclosure.
Detailed Description
The embodiment of the specification provides an offline identity recognition method, device and equipment.
In order to make the technical solutions in the present specification better understood by those skilled in the art, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only some embodiments of the present specification, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are intended to be within the scope of the present disclosure.
Example 1
As shown in fig. 1, an embodiment of the present disclosure provides an offline identity recognition method, where an execution subject of the method may be a terminal device, where the terminal device may be a mobile terminal device such as a mobile phone, a tablet computer, a computer device such as a notebook computer or a desktop computer, or may also be an IoT device (specifically, such as a smart watch, a vehicle-mounted device, etc.). The terminal device may be provided with a trusted execution environment, which may be TEE (Trusted Execution Environment), and the trusted execution environment may be implemented by a program written in a predetermined programming language (i.e., may be implemented in a software form), may be implemented by a hardware device and a pre-written program together (i.e., may be implemented in a hardware+software form), or the like, and may be a secure execution environment for performing data processing. The method specifically comprises the following steps:
In step S102, the identity of the target user is identified based on the pre-stored reference user biometric information and the user biometric information of the target user, and if the identity of the target user is identified, the user biometric information is transferred to a second offline identification trusted application in the trusted execution environment through a first offline identification trusted application in the trusted execution environment.
The target user may be any user, such as the owner of the terminal device, and may initiate a biometric identification request through the terminal device. The user biometric information may include one or more of the user's fingerprint information, palm print information, face information, iris information and the like. In practice it may be carried in various forms, for example as an image; this may be set according to the actual situation and is not limited by the embodiments of this specification. The reference user biometric information may be user biometric information previously entered and stored in the terminal device; it may comprise one or more items, set according to the actual situation. The trusted execution environment may be a data processing environment that is secure and isolated from other environments: the processing performed in it, and the data generated during that processing, cannot be accessed by other execution environments or by applications outside the trusted execution environment. As shown in fig. 2, the trusted execution environment may be implemented by creating a small operating system that runs independently in a trusted area (e.g., TrustZone), and it may provide services directly in the form of system calls (e.g., handled directly by the TrustZone kernel).
The device may include an REE (Rich Execution Environment, the general execution environment) and a trusted execution environment. The operating system installed in the terminal device, for example an Android, iOS, Windows or Linux operating system, runs in the REE. The REE is powerful, open and extensible, and can provide upper-layer applications with all functions of the device, such as the camera function and the touch function. However, the REE carries many security risks: for example, the operating system can obtain all the data of an application, but it is difficult to verify whether the operating system or the application has been tampered with, and if it has, the user's information is at great risk. Such processing therefore needs to be handled by the trusted execution environment in the device. The trusted execution environment has its own execution space, that is, it has its own operating system. It has a higher security level than the REE, and the software and hardware resources of the device that it can access are separated from the REE; the trusted execution environment can directly obtain information from the REE, whereas the REE cannot obtain information from the trusted execution environment. The trusted execution environment can perform processing such as verification through the interfaces it provides, so that user information (such as payment information and private user information) cannot be tampered with, passwords cannot be hijacked, and information such as fingerprints or faces cannot be stolen.
The first offline identification trusted application may be a preset application used for data processing and data transmission during offline biometric identification, and it has the right to transfer data into the trusted execution environment. It may be an application program that needs to be installed in the terminal device, a code program pre-embedded in a hardware device of the terminal device, a program that runs as a plug-in in the background of the operating system of the terminal device, or the like; it may also be a callable component with specified rights (such as a component corresponding to the trusted execution environment or the central processing unit). This may be set according to the actual situation. The second offline identification trusted application is similar to the first and is not described again here. In the embodiments of this specification, the first offline identification trusted application may be a trusted application for offline scenarios that is preset in the trusted execution environment of the terminal device, and the second offline identification trusted application may be a trusted application corresponding to a function provided by the IFAA alliance.
In implementation, biometric identification has become an indispensable step before or during the execution of many services. Mobile payment is one example: it is currently one of the most frequently used payment methods and makes it convenient for people to transfer resources, but how to carry out mobile payment safely when the device is offline or the network signal is weak is a critical problem. Solving the offline payment problem in turn requires a means of offline biometric identification. For this reason, it is desirable to provide a more convenient and safer way of biometric identification. The embodiments of this specification provide a technical solution that can achieve this, which specifically comprises the following:
Currently, the IFAA alliance provides a secure, universal and open financial-grade local biometric authentication solution but, being a solution that runs from the device side to the cloud side, it has not been able to handle biometric identification well in offline scenarios. In addition, many current offline payment schemes use a system API for biometric identification and verification, but this approach cannot prevent attacks that involve newly added biometric information, hooking and the like. A financial-grade biometric identification solution for offline scenarios is therefore urgently needed.
When the target user needs to make a mobile payment, the user can start a mobile payment application on the terminal device and open a payment page in it. The payment page may include an input box, a confirm button, a cancel button and the like. The target user enters the amount to be paid in the input box and then taps the confirm button. The terminal device then obtains the information in the input box and starts a biometric information collection component (for example a fingerprint collection component or a camera component), through which the user biometric information of the target user is obtained. The pre-stored reference user biometric information is also obtained and biometric identification is initiated based on it: the reference user biometric information is compared with the collected user biometric information. If the two match, the identity of the target user is determined to have passed identification; otherwise it is determined not to have passed, and the payment can be refused.
If the identification of the target user passes, offline biometric identification continues in the trusted execution environment of the terminal device. Specifically, the trusted execution environment of the terminal device may be provided with trusted applications for offline biometric identification, namely the first offline identification trusted application and the second offline identification trusted application. The first offline identification trusted application in the trusted execution environment obtains the user biometric information from the terminal device and transmits it to the second offline identification trusted application in the trusted execution environment.
In step S104, in the trusted execution environment, verifying the identity of the target user based on the user biological information by the second offline identification trusted application, if the identity verification of the target user is passed, creating authentication data, and signing the authentication data by using a pre-stored service key to obtain signed authentication data.
The authentication data may be used to verify whether the target user has the right to perform offline biometric identification, and the authentication data may include one or more of identification of the target user, biometric information of the user, information related to the target user having the right to perform offline biometric identification, and the like. The service key may be a key generated by performing offline biometric identification on the target user in advance, and may be generated based on a specified key generation rule, which may be specifically set according to the actual situation, and the embodiment of the present specification is not limited to this.
In implementation, in the trusted execution environment, the second offline identification trusted application may obtain pre-stored reference user biometric information, and then may match the user biometric information with the reference user biometric information to verify the identity of the target user, if the two match, then determine that the target user identity verification is successful, and if the two do not match, then determine that the target user identity verification fails, at which time the payment process may be terminated. If the identity verification of the target user is successful, the data generated in the identity verification process can be obtained, authentication data can be created based on the data, and the authentication data is signed by using a pre-stored service key to obtain signed authentication data.
In step S106, in the trusted execution environment, the signed authentication data is transferred to the first offline identification trusted application through the second offline identification trusted application, and the signed authentication data is subjected to signature verification processing through the first offline identification trusted application, so as to obtain a signature verification result.
In implementation, in the trusted execution environment, the second offline identification trusted application can transfer the signed authentication data to the first offline identification trusted application, which performs signature verification on the signed authentication data to obtain a corresponding signature verification result. If the first offline identification trusted application successfully verifies the signature, the signature verification result is a pass; if it fails to verify the signature, the signature verification result is a failure, at which point the payment process may be terminated.
In step S108, an offline identification result for the target user is determined based on the signature verification result.
In implementation, if the signature verification result is a pass, the offline identity recognition result for the target user may be determined to be a pass; if the signature verification result is a failure, the offline identity recognition result for the target user may be determined to be a failure, at which point the payment process may be terminated.
The embodiment of this specification provides an offline identity recognition method applied to a terminal device. The identity of a target user is recognized based on reference user biometric information and the user biometric information of the target user; if recognition passes, the user biometric information is transferred by a first offline identification trusted application in a trusted execution environment to a second offline identification trusted application in the trusted execution environment. In the trusted execution environment, the second offline identification trusted application verifies the identity of the target user; if the identity verification passes, authentication data is created and signed using a first service key, and the second offline identification trusted application transfers the signed authentication data to the first offline identification trusted application, which performs signature verification on it. The offline identity recognition result for the target user is determined based on the signature verification result. Online biometric identity verification is thereby taken offline, so that biometric identity verification in an offline scenario no longer relies on verification at the simple system-interface level: in an offline scenario, even an attacker who knows the unlock password cannot enter user biometric information and cannot complete subsequent verification such as payment.
Example II
As shown in fig. 3, an embodiment of the present disclosure provides an offline identity recognition method, where an execution subject of the method may be a terminal device, where the terminal device may be a mobile terminal device such as a mobile phone, a tablet computer, a computer device such as a notebook computer or a desktop computer, or may also be an IoT device (specifically, such as a smart watch, a vehicle-mounted device, etc.). The terminal device may be provided with a trusted execution environment, which may be TEE (Trusted Execution Environment), and the trusted execution environment may be implemented by a program written in a predetermined programming language (i.e., may be implemented in a software form), may be implemented by a hardware device and a pre-written program together (i.e., may be implemented in a hardware+software form), or the like, and may be a secure execution environment for performing data processing. The method specifically comprises the following steps:
in step S302, a registration request is initiated to a second offline identification trusted application in the trusted execution environment based on pre-stored reference user biometric information.
In implementation, in order to take the originally online liveness scheme offline, this embodiment relies on the trusted execution environment of the terminal device and on the security that environment provides. Specifically, before offline liveness processing is carried out, an SDK (Software Development Kit) capable of performing offline liveness processing may be preset in the terminal device, and offline biometric identification processing may be performed through the SDK in the terminal device. In addition, the offline biometric identification process needs to be registered. For this purpose, the SDK in the terminal device may acquire the reference user biometric information stored in the terminal device (which may have been entered into the terminal device in advance with the user's authorization) and may initiate a registration request to the second offline identification trusted application in the trusted execution environment based on the reference user biometric information.
In step S304, in the trusted execution environment, a service key pair is generated, and a second service key in the service key pair is signed by using the root key to obtain a signed service key, where the service key pair includes a first service key and a second service key.
The service key pair may be a key pair constructed for different services. It may include two service keys that correspond to each other, for example a service public key and a service private key, or two keys whose relationship is the same as or similar to that of a public key and a private key; this may be set according to the actual situation, and the embodiment of the present disclosure is not limited in this respect. The second service key may be a service public key or a service private key, which may be set according to the actual situation. The first service key may be a service private key or a service public key, which may be set according to the actual situation.
In practical applications, the registration request may be a signed request. On that basis, the service key pair may be generated in the trusted execution environment in various ways; one optional way is as follows: in the trusted execution environment, signature verification is performed on the registration request, and if the signature verification passes, a service key pair is generated.
In step S306, the signed service key and the root key information are obtained from the trusted execution environment.
In step S308, the signed service key and the root key information are sent to the second server, where the signed service key and the root key information are used to trigger the second server to perform signature verification processing on the signed service key, and if the signature verification is passed, the second service key is stored, and a notification message that the registration is successful is sent to the terminal device.
The second server may be a server corresponding to the IFAA alliance, and may be configured to perform signature verification on the signed service key, store information such as the service public key and the reference user biological information, and specifically may be set according to an actual situation.
In implementation, the terminal device may send the signed service key and the root key information to the second server. The second server may verify the request certificate and perform signature verification on the signed service key; if the signature verification passes, it stores the second service key and sends a notification message of successful registration to the terminal device.
In step S310, if a notification message of successful registration is received, an offline service provisioning request is sent to the first server, where the provisioning request is used to trigger the first server to query the second server about related information required for the target user to provision offline identification, and if the related information can be queried, a second service key and reference user biological information stored in the second server are obtained, and the second service key and the reference user biological information are sent to a first offline identification trusted application in a trusted execution environment in the terminal device.
The first server may be a server for performing offline biometric processing. The related information required for the target user to open offline identity recognition may include, for example, the second service key and the reference user biometric information. If the reference user biometric information is fingerprint information, the related information may include, in addition to the fingerprint information, an identifier of the finger to which the fingerprint information corresponds (that is, finger position information, used to mark which fingerprint the current fingerprint information is), and so on; this may be set according to the actual situation.
In step S312, the second service key and the reference user biometric information are obtained by the first offline identification trusted application in the trusted execution environment.
In step S314, the identity of the target user is identified based on the pre-stored reference user biometric information and the user biometric information of the target user.
The user biometric information may include one or more of fingerprint information, facial information, palm print information, iris information, among others.
In step S316, if identification of the target user passes, the user biometric information is signed to obtain signed user biometric information.
In step S318, the signed user biometric information is transferred through a first offline identification trusted application in the trusted execution environment to a second offline identification trusted application in the trusted execution environment.
In step S320, in the trusted execution environment, signature verification processing is performed on the signed user biometric information, and if the signature verification passes, the identity of the target user is verified by the second offline identification trusted application based on the user biometric information.
In step S322, if the identity verification of the target user passes, authentication data is created, and the authentication data is signed by using the pre-stored first service key, so as to obtain signed authentication data.
In step S324, in the trusted execution environment, the signed authentication data is transferred to the first offline identification trusted application through the second offline identification trusted application, and the signed authentication data is subjected to signature verification processing through the first offline identification trusted application, so as to obtain a signature verification result.
It should be noted that the finger position information can also be verified by the first offline identification trusted application (in the case that the user biometric information is fingerprint information) to obtain a verification result. If that verification passes and the signature verification passes, the offline identity recognition of the target user passes; otherwise, the offline identity recognition of the target user fails.
In step S326, an offline identification result for the target user is determined based on the signature verification result.
In step S328, relevant data in the offline identification process is synchronized to the first server by the first offline identification trusted application in the trusted execution environment.
It should be noted that, the format of the data interacted between the first offline identification trusted application and the second offline identification trusted application in the trusted execution environment may be TLV format, the format of the data interacted between the terminal device and the second server may be TLV format, and the format of the data interacted between the second server and the first server may be TLV format.
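The key chain of steps S304 to S326, as an added example in Go that is not part of the patent text: it assumes Ed25519, that the first service key is the private half and the second service key the public half of the pair, and hypothetical names (`TEE`, `SecondServer`, `VerifyAuth`, `demo`). The byte comparison stands in for a real biometric matcher, and all sample values are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// All names are hypothetical and Ed25519 is an assumed algorithm. Assumed
// mapping: first service key = private half, second service key = public half.

// mustKey generates an Ed25519 key pair from the system CSPRNG.
func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// TEE models the environment hosting the second trusted application.
type TEE struct {
	rootID  string             // root key information sent to the server
	rootKey ed25519.PrivateKey // root key, stays inside the TEE
	svcPriv ed25519.PrivateKey // first service key, set by Register
}

// Register (S304) creates the service key pair and root-signs the second key.
func (t *TEE) Register() (ed25519.PublicKey, []byte) {
	pub, priv := mustKey()
	t.svcPriv = priv
	return pub, ed25519.Sign(t.rootKey, pub)
}

// SecondServer trusts a set of root public keys, indexed by root key information.
type SecondServer struct {
	roots  map[string]ed25519.PublicKey
	svcPub ed25519.PublicKey // second service key, stored after Enroll
}

// Enroll (S308) stores the second service key only if the root signature verifies.
func (s *SecondServer) Enroll(rootID string, svcPub ed25519.PublicKey, sig []byte) error {
	root, ok := s.roots[rootID]
	if !ok || len(svcPub) != ed25519.PublicKeySize || !ed25519.Verify(root, svcPub, sig) {
		return errors.New("signed service key rejected")
	}
	s.svcPub = svcPub
	return nil
}

// Authenticate (S320, S322) matches the sample and signs the authentication data.
func (t *TEE) Authenticate(user string, finger byte, sample, reference []byte) ([]byte, []byte, error) {
	if len(t.svcPriv) != ed25519.PrivateKeySize {
		return nil, nil, errors.New("no service key registered")
	}
	if !bytes.Equal(sample, reference) { // stand-in for a real biometric matcher
		return nil, nil, errors.New("biometric mismatch")
	}
	data := append([]byte{finger}, user...) // finger position, then user identifier
	return data, ed25519.Sign(t.svcPriv, data), nil
}

// VerifyAuth (S324, S326) is the first trusted application's check: signature
// over the authentication data plus the finger position it was provisioned with.
func VerifyAuth(svcPub ed25519.PublicKey, enrolledFinger byte, data, sig []byte) bool {
	if len(svcPub) != ed25519.PublicKeySize || len(data) == 0 {
		return false
	}
	return ed25519.Verify(svcPub, data, sig) && data[0] == enrolledFinger
}

// demo runs registration, provisioning and one authentication on constructed
// data. tamperKey flips a bit of the service key on its way to the server.
func demo(tamperKey bool, presentedFinger byte) (bool, error) {
	rootPub, rootPriv := mustKey()
	tee := &TEE{rootID: "root-01", rootKey: rootPriv}
	srv := &SecondServer{roots: map[string]ed25519.PublicKey{"root-01": rootPub}}
	svcPub, sig := tee.Register()
	if tamperKey {
		svcPub[0] ^= 1
	}
	if err := srv.Enroll(tee.rootID, svcPub, sig); err != nil {
		return false, err
	}
	ref := []byte("constructed-template")
	data, authSig, err := tee.Authenticate("alice", presentedFinger, ref, ref)
	if err != nil {
		return false, err
	}
	return VerifyAuth(srv.svcPub, 2, data, authSig), nil // finger 2 was enrolled
}

func main() {
	fmt.Println(demo(false, 2)) // honest flow
	fmt.Println(demo(true, 2))  // tampered service key
	fmt.Println(demo(false, 3)) // wrong finger position
}
```

A service key altered between the trusted execution environment and the server is refused at enrollment, and a validly signed assertion for a finger position other than the provisioned one still fails offline identification.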
The embodiment of this specification provides an offline identity recognition method applied to a terminal device. The identity of a target user is recognized based on reference user biometric information and the user biometric information of the target user; if recognition passes, the user biometric information is transferred by a first offline identification trusted application in a trusted execution environment to a second offline identification trusted application in the trusted execution environment. In the trusted execution environment, the second offline identification trusted application verifies the identity of the target user; if the identity verification passes, authentication data is created and signed using a first service key, and the second offline identification trusted application transfers the signed authentication data to the first offline identification trusted application, which performs signature verification on it. The offline identity recognition result for the target user is determined based on the signature verification result. Online biometric identity verification is thereby taken offline, so that biometric identity verification in an offline scenario no longer relies on verification at the simple system-interface level: in an offline scenario, even an attacker who knows the unlock password cannot enter user biometric information and cannot complete subsequent verification such as payment.
Example III
As shown in fig. 4, an embodiment of the present disclosure provides an offline identity recognition method, where an execution subject of the method may be a terminal device, where the terminal device may be a mobile terminal device such as a mobile phone, a tablet computer, a computer device such as a notebook computer or a desktop computer, or may also be an IoT device (specifically, such as a smart watch, a vehicle-mounted device, etc.). The terminal device may be provided with a trusted execution environment, which may be TEE (Trusted Execution Environment), and the trusted execution environment may be implemented by a program written in a predetermined programming language (i.e., may be implemented in a software form), may be implemented by a hardware device and a pre-written program together (i.e., may be implemented in a hardware+software form), or the like, and may be a secure execution environment for performing data processing. The method specifically comprises the following steps:
in step S402, the identity of the target user is identified based on the pre-stored reference user biometric information and the user biometric information of the target user, and if identification of the target user passes, the user biometric information is transferred to the trusted execution environment through the offline identification trusted application in the trusted execution environment.
In implementation, the first server and the second server of the above embodiments may be integrated into one server that has the functions of both. Likewise, the first offline identification trusted application and the second offline identification trusted application may be integrated into one offline identification trusted application that has the functions of both. On this basis, the processing of steps S402 to S408 can be performed with reference to the relevant content of the above embodiments.
In step S404, in the trusted execution environment, the identity of the target user is verified by the offline identification trusted application based on the user biometric information; if the identity verification of the target user passes, authentication data is created and signed using the pre-stored first service key to obtain signed authentication data.
In step S406, in the trusted execution environment, signature verification processing is performed on the signed authentication data, so as to obtain a signature verification result.
In step S408, an offline identification result of the target user is determined based on the signature verification result.
For the specific processing of steps S402 to S408, refer to the related content above; it is not repeated here.
The embodiment of this specification provides an offline identity recognition method applied to a server. The identity of a target user is recognized based on reference user biometric information and the user biometric information of the target user; if recognition passes, the user biometric information is transferred by a first offline identification trusted application in a trusted execution environment to a second offline identification trusted application in the trusted execution environment. In the trusted execution environment, the second offline identification trusted application verifies the identity of the target user; if the identity verification passes, authentication data is created and signed using a first service key, and the second offline identification trusted application transfers the signed authentication data to the first offline identification trusted application, which performs signature verification on it. The offline identity recognition result for the target user is determined based on the signature verification result. Online biometric identity verification is thereby taken offline, so that biometric identity verification in an offline scenario no longer relies on verification at the simple system-interface level: in an offline scenario, even an attacker who knows the unlock password cannot enter user biometric information and cannot complete subsequent verification such as payment.
Example IV
As shown in fig. 5, an embodiment of the present disclosure provides an offline identity recognition method, where an execution subject of the method may be a terminal device, where the terminal device may be a mobile terminal device such as a mobile phone, a tablet computer, a computer device such as a notebook computer or a desktop computer, or may also be an IoT device (specifically, such as a smart watch, a vehicle-mounted device, etc.). The terminal device may be provided with a trusted execution environment, which may be TEE (Trusted Execution Environment), and the trusted execution environment may be implemented by a program written in a predetermined programming language (i.e., may be implemented in a software form), may be implemented by a hardware device and a pre-written program together (i.e., may be implemented in a hardware+software form), or the like, and may be a secure execution environment for performing data processing. The method specifically comprises the following steps:
in step S502, a registration request is initiated to an offline identification trusted application in a trusted execution environment based on pre-stored reference user biometric information.
In step S504, in the trusted execution environment, a service key pair is generated, and a second service key in the service key pair is signed by using the root key to obtain a signed service key, where the service key pair includes a first service key and a second service key.
The second service key may be a service public key or a service private key, which may be specifically set according to the actual situation. The first service key may be a service private key or a service public key, which may be specifically set according to the actual situation.
In practical applications, the registration request may be a signed request. On that basis, the service key pair may be generated in the trusted execution environment in various ways; one optional way is as follows: in the trusted execution environment, signature verification is performed on the registration request, and if the signature verification passes, a service key pair is generated.
In step S506, the signed service key and the root key information are obtained from the trusted execution environment.
In step S508, the signed service key and the root key information are sent to the server, where the signed service key and the root key information are used to trigger the server to perform signature verification processing on the signed service key, and if the signature verification is passed, the second service key is stored, and a notification message that the registration is successful is sent to the terminal device.
In step S510, if a notification message of successful registration is received, an offline service provisioning request is sent to the server, where the provisioning request is used to trigger the server to query the relevant information required by the target user to provision offline identification, and if the relevant information can be queried, the stored second service key and the reference user biological information are obtained, and the second service key and the reference user biological information are sent to the offline identification trusted application in the trusted execution environment in the terminal device.
In step S512, the second service key and the reference user biometric information are obtained by the offline identification trusted application in the trusted execution environment.
In step S514, the identity of the target user is identified based on the pre-stored reference user biometric information and the user biometric information of the target user.
In step S516, if identification of the target user passes, the user biometric information is signed to obtain signed user biometric information.
In step S518, the signed user biometric information is transferred to the trusted execution environment through the offline identification trusted application in the trusted execution environment.
In step S520, in the trusted execution environment, signature verification is performed on the signed user biometric information, and if the signature verification passes, the identity of the target user is verified by the offline identification trusted application based on the user biometric information.
In step S522, if the identity verification of the target user passes, authentication data is created, and the authentication data is signed by using the pre-stored first service key, so as to obtain signed authentication data.
In step S524, in the trusted execution environment, signature verification is performed on the signed authentication data by the offline identification trusted application to obtain a signature verification result.
In step S526, an offline identification result for the target user is determined based on the signature verification result.
In step S528, relevant data in the offline identification process of the target user is synchronized to the server by the offline identification trusted application in the trusted execution environment.
It should be noted that, the format of the data interacted between the terminal device and the server may be TLV format.
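A strict decoder for a TLV-encoded registration message, as an added example in Go that is not part of the patent text: the 1-byte tag and 2-byte big-endian length layout, the tag numbers and the size limits are assumptions, since the page says only that the format may be TLV. It refuses truncated, oversized, unknown, duplicated and missing fields, so the bytes whose signature is verified are the same bytes that are later stored.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed layout: 1-byte tag, 2-byte big-endian length, value. The tag
// numbers and size limits are assumptions; the page only says "TLV format".
const (
	TagServiceKey byte = 0x01 // signed (second) service key
	TagSignature  byte = 0x02 // root-key signature over the service key
	TagRootInfo   byte = 0x03 // root key information
)

// maxLen lists every tag the receiver accepts and the longest value allowed.
var maxLen = map[byte]int{TagServiceKey: 32, TagSignature: 64, TagRootInfo: 64}

var (
	ErrTruncated = errors.New("tlv: truncated")
	ErrUnknown   = errors.New("tlv: unknown tag")
	ErrDuplicate = errors.New("tlv: duplicate tag")
	ErrTooLong   = errors.New("tlv: field too long")
	ErrMissing   = errors.New("tlv: missing field")
)

// Encode serialises the listed fields in the given tag order.
func Encode(order []byte, fields map[byte][]byte) []byte {
	var out []byte
	for _, tag := range order {
		v := fields[tag]
		out = append(out, tag, 0, 0)
		binary.BigEndian.PutUint16(out[len(out)-2:], uint16(len(v)))
		out = append(out, v...)
	}
	return out
}

// Decode parses a whole message and rejects anything it does not fully
// account for, instead of skipping it.
func Decode(msg []byte) (map[byte][]byte, error) {
	fields := make(map[byte][]byte)
	for off := 0; off < len(msg); {
		if len(msg)-off < 3 {
			return nil, ErrTruncated
		}
		tag := msg[off]
		n := int(binary.BigEndian.Uint16(msg[off+1 : off+3]))
		off += 3
		limit, known := maxLen[tag]
		if !known {
			return nil, ErrUnknown
		}
		if _, dup := fields[tag]; dup {
			return nil, ErrDuplicate
		}
		if n > limit {
			return nil, ErrTooLong
		}
		if n > len(msg)-off {
			return nil, ErrTruncated
		}
		fields[tag] = append([]byte(nil), msg[off:off+n]...)
		off += n
	}
	for tag := range maxLen {
		if _, ok := fields[tag]; !ok {
			return nil, ErrMissing
		}
	}
	return fields, nil
}

// sample returns constructed field values for a registration message.
func sample() map[byte][]byte {
	return map[byte][]byte{
		TagServiceKey: make([]byte, 32),
		TagSignature:  make([]byte, 64),
		TagRootInfo:   []byte("root-01"),
	}
}

func main() {
	msg := Encode([]byte{TagServiceKey, TagSignature, TagRootInfo}, sample())
	_, err := Decode(msg)
	fmt.Println("well-formed:", err)
	_, err = Decode(append(msg, Encode([]byte{TagRootInfo}, sample())...))
	fmt.Println("duplicate root key information:", err)
}
```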
The embodiment of this specification provides an offline identity recognition method applied to a server. The identity of a target user is recognized based on reference user biometric information and the user biometric information of the target user; if recognition passes, the user biometric information is transferred by a first offline identification trusted application in a trusted execution environment to a second offline identification trusted application in the trusted execution environment. In the trusted execution environment, the second offline identification trusted application verifies the identity of the target user; if the identity verification passes, authentication data is created and signed using a first service key, and the second offline identification trusted application transfers the signed authentication data to the first offline identification trusted application, which performs signature verification on it. The offline identity recognition result for the target user is determined based on the signature verification result. Online biometric identity verification is thereby taken offline, so that biometric identity verification in an offline scenario no longer relies on verification at the simple system-interface level: in an offline scenario, even an attacker who knows the unlock password cannot enter user biometric information and cannot complete subsequent verification such as payment.
Example V
As shown in fig. 6, an embodiment of the present disclosure provides an offline identity recognition system that includes a terminal device and a first server. The terminal device may be a terminal device such as a mobile phone or a tablet computer, a computer device such as a notebook computer or a desktop computer, or an IoT device (specifically, such as a smart watch or an in-vehicle device). The first server may be a single server or a server cluster formed by a plurality of servers, and may be a background server of, for example, a financial service or an online shopping service, or a background server of an application program. Wherein:
the terminal device is configured to: identify the identity of a target user based on pre-stored reference user biometric information and the user biometric information of the target user; if identification of the target user passes, transfer the user biometric information through a first offline identification trusted application in a trusted execution environment to a second offline identification trusted application in the trusted execution environment; verify the identity of the target user through the second offline identification trusted application based on the user biometric information; if the identity verification of the target user passes, create authentication data and sign the authentication data using a pre-stored first service key to obtain signed authentication data; transfer the signed authentication data to the first offline identification trusted application through the second offline identification trusted application; perform signature verification on the signed authentication data through the first offline identification trusted application to obtain a signature verification result; and determine an offline identity recognition result for the target user based on the signature verification result;
The first server is configured to synchronize related data in the offline identification process of the target user with a first offline identification trusted application in the trusted execution environment in the terminal device.
In an embodiment of the present disclosure, the system further comprises a second server,
the second server is configured to store a second service key corresponding to the first service key and the user biometric information.
In an embodiment of the present disclosure, the user biometric information includes one or more of fingerprint information, facial information, palm print information, and iris information.
In this embodiment of the present disclosure, the terminal device is configured to perform signature processing on the user biological information to obtain signed user biological information; transmitting the signed user biological information to a second offline identification trusted application in the trusted execution environment through a first offline identification trusted application in the trusted execution environment;
the terminal equipment is configured to perform signature verification processing on the signed user biological information in the trusted execution environment, and if the signature verification is passed, the identity of the target user is verified by the second offline identification trusted application based on the user biological information.
In this embodiment of the present disclosure, the terminal device is configured to synchronize, by using a first offline identification trusted application in the trusted execution environment, related data in an offline identification process of the target user to a first server.
In an embodiment of the present disclosure, the terminal device is configured to initiate a registration request to a second offline identified trusted application in the trusted execution environment based on pre-stored reference user biometric information; generating a service key pair in the trusted execution environment, and signing a second service key in the service key pair by using a root key to obtain a signed service key, wherein the service key pair comprises the first service key and the second service key; acquiring the signed service key and the root key information from the trusted execution environment; transmitting the signed service key and the root key information to a second server;
the second server is configured to perform signature verification processing on the signed service key, store the second service key if the signature verification is passed, and send a notification message of successful registration to the terminal device;
The terminal equipment is configured to send an offline service opening request to the second server if a notification message of successful registration is received;
the second server is configured to query the first server about information required by the target user to open offline identification, and if the information can be queried, the second service key and the reference user biological information stored in the first server are acquired, and the second service key and the reference user biological information are sent to a first offline identification trusted application in a trusted execution environment in the terminal equipment;
the terminal device is configured to obtain the second service key and the reference user biometric information by a first offline identification trusted application in a trusted execution environment.
In this embodiment of the present disclosure, the terminal device is configured to perform a signature verification process on the registration request in the trusted execution environment, and if the signature verification passes, generate a service key pair.
In this embodiment of the present disclosure, the format of the data interacted between the first offline identification trusted application and the second offline identification trusted application in the trusted execution environment, between the terminal device and the second server, and between the second server and the first server is TLV format.
For the specific processing of the above parts, refer to the related content above; it is not repeated here.
The embodiment of the specification provides an offline identity recognition system, in which the terminal device recognizes the identity of a target user based on reference user biometric information and the user biometric information of the target user and, if the identity recognition passes, transmits the user biometric information to a second offline identification trusted application in a trusted execution environment through a first offline identification trusted application in the trusted execution environment. In the trusted execution environment, the identity of the target user is verified by the second offline identification trusted application; if the identity verification passes, authentication data is created and signed with a first service key, the signed authentication data is transmitted by the second offline identification trusted application to the first offline identification trusted application, the first offline identification trusted application performs signature verification processing on the signed authentication data, and the offline identity recognition result of the target user is determined based on the signature verification result. Online biometric identity verification is thereby moved offline, so that biometric identity verification in an offline scenario is no longer verified at the level of a simple system interface; in the offline scenario, an attacker cannot enter user biometric information even if the attacker knows the unlock password, and cannot complete subsequent verification such as payment.
Example six
Based on the same idea, the embodiment of the present disclosure further provides an offline identity recognition device, as shown in fig. 7.
The off-line identity recognition device comprises: an information processing module 701, a verification module 702, a signature verification module 703 and an offline identification module 704, wherein:
the information processing module is used for identifying the identity of the target user based on pre-stored reference user biological information and user biological information of the target user, and transmitting the user biological information to a second offline identification trusted application in the trusted execution environment through a first offline identification trusted application in the trusted execution environment if the identity identification of the target user is passed;
the verification module is used for verifying the identity of the target user through the second offline identification trusted application based on the user biological information in the trusted execution environment, creating authentication data if the identity of the target user is verified, and signing the authentication data by using a pre-stored first service key to obtain signed authentication data;
the signature verification module is used for transmitting the signed authentication data to the first offline identification trusted application through the second offline identification trusted application in the trusted execution environment, and carrying out signature verification processing on the signed authentication data through the first offline identification trusted application to obtain a signature verification result;
and the offline identification module is used for determining an offline identification result of the target user based on the signature verification result.
In an embodiment of the present disclosure, the user biometric information includes one or more of fingerprint information, facial information, palm print information, and iris information.
In an embodiment of the present disclosure, the information processing module includes:
a signature unit for carrying out signature processing on the user biological information to obtain signed user biological information;
the processing unit is used for transmitting the signed user biological information to a second offline identification trusted application in the trusted execution environment through a first offline identification trusted application in the trusted execution environment;
and the verification module is used for carrying out signature verification processing on the signed user biological information in the trusted execution environment, and if the signature verification is passed, the identity of the target user is verified by the second offline identification trusted application based on the user biological information.
In an embodiment of the present disclosure, the apparatus further includes:
and the synchronization module is used for synchronizing the related data in the offline identification process of the target user to the first server through the first offline identification trusted application in the trusted execution environment.
In an embodiment of the present disclosure, the apparatus further includes:
a registration request module for initiating a registration request to a second offline identification trusted application in the trusted execution environment based on pre-stored reference user biometric information;
a key signature module, which is used for generating a service key pair in the trusted execution environment, and signing a second service key in the service key pair by using a root key to obtain a signed service key, wherein the service key pair comprises the first service key and the second service key;
the information acquisition module acquires the signed service key and the information of the root key from the trusted execution environment;
the information sending module is used for sending the signed service key and the root key information to a second server, wherein the signed service key and the root key information are used for triggering the second server to carry out signature verification processing on the signed service key, if the signature verification is passed, the second service key is stored, and a notification message of successful registration is sent to the terminal equipment;
the opening module is used for sending an offline service opening request to the second server if a notification message of successful registration is received, wherein the opening request is used for triggering the second server to inquire about related information required by the target user for opening offline identification to the first server, acquiring the second service key and the reference user biological information stored in the first server if the related information can be inquired, and sending the second service key and the reference user biological information to a first offline identification trusted application in a trusted execution environment in the terminal equipment;
and the service key acquisition module acquires the second service key and the reference user biological information through a first offline identification trusted application in the trusted execution environment.
In the embodiment of the present disclosure, the key signature module performs signature verification processing on the registration request in the trusted execution environment, and if the signature verification passes, generates a service key pair.
In this embodiment of the present disclosure, the format of the data interacted between the first offline identification trusted application and the second offline identification trusted application in the trusted execution environment, between the terminal device and the second server, and between the second server and the first server is TLV format.
The embodiment of the specification provides an offline identity recognition device, which recognizes the identity of a target user based on reference user biometric information and the user biometric information of the target user and, if the identity recognition passes, transmits the user biometric information to a second offline identification trusted application in a trusted execution environment through a first offline identification trusted application in the trusted execution environment. In the trusted execution environment, the identity of the target user is verified by the second offline identification trusted application; if the identity verification passes, authentication data is created and signed with a first service key, the signed authentication data is transmitted by the second offline identification trusted application to the first offline identification trusted application, the first offline identification trusted application performs signature verification processing on the signed authentication data, and the offline identity recognition result of the target user is determined based on the signature verification result. Online biometric identity verification is thereby moved offline, so that biometric identity verification in an offline scenario is no longer verified at the level of a simple system interface; in the offline scenario, an attacker cannot enter user biometric information even if the attacker knows the unlock password, and cannot complete subsequent verification such as payment.
Example seven
Based on the same idea, the embodiment of the present disclosure further provides an offline identity recognition device, as shown in fig. 8.
The off-line identity recognition device comprises: information processing module 801, identity verification module 802, data verification module 803, and offline identification module 804, wherein:
the information processing module is used for identifying the identity of the target user based on pre-stored reference user biological information and user biological information of the target user, and transmitting the user biological information to the trusted execution environment through an offline identification trusted application in the trusted execution environment if the identity identification of the target user is passed;
the identity verification module is used for verifying the identity of the target user through the offline identification trusted application based on the user biological information in the trusted execution environment, creating authentication data if the identity of the target user is verified, and signing the authentication data by using a pre-stored first service key to obtain signed authentication data;
the data signature verification module is used for performing signature verification processing on the signed authentication data in the trusted execution environment to obtain a signature verification result;
and the offline identification module is used for determining an offline identification result of the target user based on the signature verification result.
The embodiment of the specification provides an offline identity recognition device, which recognizes the identity of a target user based on reference user biometric information and the user biometric information of the target user and, if the identity recognition passes, transmits the user biometric information to a second offline identification trusted application in a trusted execution environment through a first offline identification trusted application in the trusted execution environment. In the trusted execution environment, the identity of the target user is verified by the second offline identification trusted application; if the identity verification passes, authentication data is created and signed with a first service key, the signed authentication data is transmitted by the second offline identification trusted application to the first offline identification trusted application, the first offline identification trusted application performs signature verification processing on the signed authentication data, and the offline identity recognition result of the target user is determined based on the signature verification result. Online biometric identity verification is thereby moved offline, so that biometric identity verification in an offline scenario is no longer verified at the level of a simple system interface; in the offline scenario, an attacker cannot enter user biometric information even if the attacker knows the unlock password, and cannot complete subsequent verification such as payment.
Example eight
Based on the same concept, the embodiment of the present disclosure further provides an offline identification device, as shown in fig. 9.
The offline identification device may be the terminal device or the server provided in the above embodiments.
The offline identification device may vary considerably depending on configuration or performance, and may include one or more processors 901 and a memory 902, where the memory 902 may store one or more application programs or data. The memory 902 may be transient storage or persistent storage. The application program stored in the memory 902 may include one or more modules (not shown), each of which may include a series of computer-executable instructions for the offline identification device. Still further, the processor 901 may be configured to communicate with the memory 902 and execute, on the offline identification device, a series of computer-executable instructions in the memory 902. The offline identification device may also include one or more power supplies 903, one or more wired or wireless network interfaces 904, one or more input/output interfaces 905, and one or more keyboards 906.
In particular, in this embodiment, the offline identification device includes a memory and one or more programs, where the one or more programs are stored in the memory and may include one or more modules, each module may include a series of computer-executable instructions for the offline identification device, and the one or more programs are configured to be executed by the one or more processors and include computer-executable instructions for:
identifying the identity of a target user based on pre-stored reference user biological information and user biological information of the target user, and if the identity of the target user is identified, transmitting the user biological information to a second offline identification trusted application in a trusted execution environment through a first offline identification trusted application in the trusted execution environment;
in the trusted execution environment, verifying the identity of the target user through the second offline identification trusted application based on the user biological information, if the identity verification of the target user is passed, creating authentication data, and signing the authentication data by using a pre-stored first service key to obtain signed authentication data;
in the trusted execution environment, the signed authentication data is transmitted to the first offline identification trusted application through the second offline identification trusted application, and the signed authentication data is subjected to signature verification processing through the first offline identification trusted application, so that a signature verification result is obtained;
and determining an offline identification result of the target user based on the signature verification result.
In an embodiment of the present disclosure, the user biometric information includes one or more of fingerprint information, facial information, palm print information, and iris information.
In an embodiment of the present disclosure, the transferring the user biological information to the second offline identification trusted application in the trusted execution environment through the first offline identification trusted application in the trusted execution environment includes:
carrying out signature processing on the user biological information to obtain signed user biological information;
transmitting the signed user biological information to a second offline identification trusted application in the trusted execution environment through a first offline identification trusted application in the trusted execution environment;
the verifying, in the trusted execution environment, the identity of the target user by the second offline identification trusted application based on the user biometric information, including:
and in the trusted execution environment, performing signature verification processing on the signed user biological information, and if the signature verification is passed, verifying the identity of the target user based on the user biological information through the second offline identification trusted application.
In this embodiment of the present specification, the following is further included:
and synchronizing related data in the offline identification process of the target user to a first server through a first offline identification trusted application in the trusted execution environment.
In this embodiment of the present specification, the following is further included:
initiating a registration request to a second offline identification trusted application in the trusted execution environment based on pre-stored reference user biometric information;
generating a service key pair in the trusted execution environment, and signing a second service key in the service key pair by using a root key to obtain a signed service key, wherein the service key pair comprises the first service key and the second service key;
acquiring the signed service key and the root key information from the trusted execution environment;
the signed service key and the root key information are sent to a second server, the signed service key and the root key information are used for triggering the second server to carry out signature verification processing on the signed service key, if the signature verification is passed, the second service key is stored, and a notification message of successful registration is sent to the terminal equipment;
if the notification message of successful registration is received, an offline service opening request is sent to the second server, wherein the opening request is used for triggering the second server to query the first server for the related information required by the target user for opening offline identification, and, if the related information can be found, to obtain the second service key and the reference user biological information stored in the first server and send the second service key and the reference user biological information to a first offline identification trusted application in a trusted execution environment in the terminal equipment;
and acquiring the second service key and the reference user biological information through a first offline identification trusted application in a trusted execution environment.
In this embodiment of the present disclosure, the registration request is a signed request, and in the trusted execution environment, generating a service key pair includes:
and in the trusted execution environment, performing signature verification processing on the registration request, and generating a service key pair if the signature verification passes.
In this embodiment of the present disclosure, the format of the data interacted between the first offline identification trusted application and the second offline identification trusted application in the trusted execution environment, between the terminal device and the second server, and between the second server and the first server is TLV format.
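The registration and offline steps listed above, as an added example that is not code from the patent: the root key signs the second service key and the second server checks it, then the second trusted application signs the authentication data and the first verifies it, with every message carried as TLV. Assumptions of this example: Ed25519 as the signature scheme, the first and second service keys taken as the private and public halves, "root key information" taken as the root public key, a 1-byte tag and 2-byte big-endian length with hypothetical tag values, byte equality standing in for biometric matching, and a nonce placed in the authentication data.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical tag values; the page only states that the data is in TLV format.
const (
	tagAuthData  = 0x01
	tagSignature = 0x02
	tagPubKey    = 0x03
)

// encodeTLV emits tag (1 byte), length (2 bytes, big-endian), value.
func encodeTLV(tag byte, val []byte) []byte {
	if len(val) > 0xFFFF {
		panic("tlv: value too long")
	}
	return append([]byte{tag, byte(len(val) >> 8), byte(len(val))}, val...)
}

// parseTLV decodes a whole message and rejects truncated or duplicated fields.
func parseTLV(msg []byte) (map[byte][]byte, error) {
	fields := map[byte][]byte{}
	for len(msg) > 0 {
		if len(msg) < 3 {
			return nil, errors.New("tlv: truncated header")
		}
		tag, n := msg[0], int(binary.BigEndian.Uint16(msg[1:3]))
		if n > len(msg)-3 {
			return nil, errors.New("tlv: length exceeds buffer")
		}
		if _, dup := fields[tag]; dup {
			return nil, errors.New("tlv: duplicate tag")
		}
		fields[tag] = msg[3 : 3+n]
		msg = msg[3+n:]
	}
	return fields, nil
}

// genKey creates a key pair; in the scheme this happens inside the TEE.
func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return pub, priv
}

// signServiceKey is the TEE side of registration: the root key signs the
// second service key, and both travel to the second server as TLV.
func signServiceKey(root ed25519.PrivateKey, second ed25519.PublicKey) []byte {
	sig := ed25519.Sign(root, second)
	return append(encodeTLV(tagPubKey, second), encodeTLV(tagSignature, sig)...)
}

// serverRegister is the second server's check: it stores the second service
// key only if the root signature over it verifies.
func serverRegister(rootPub ed25519.PublicKey, msg []byte) (ed25519.PublicKey, error) {
	f, err := parseTLV(msg)
	if err != nil {
		return nil, err
	}
	pub, sig := f[tagPubKey], f[tagSignature]
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(rootPub, pub, sig) {
		return nil, errors.New("register: signed service key rejected")
	}
	return ed25519.PublicKey(pub), nil
}

// ta2Authenticate is the second trusted application: on a biometric match it
// creates authentication data and signs it with the first service key.
func ta2Authenticate(first ed25519.PrivateKey, reference, sample, nonce []byte) ([]byte, error) {
	if !bytes.Equal(reference, sample) { // stand-in for a real biometric matcher
		return nil, errors.New("ta2: biometric mismatch")
	}
	auth := append([]byte("auth-ok:"), nonce...) // nonce is this example's addition
	sig := ed25519.Sign(first, auth)
	return append(encodeTLV(tagAuthData, auth), encodeTLV(tagSignature, sig)...), nil
}

// ta1Verify is the first trusted application: the offline result is true only
// if the authentication data matches this request and its signature verifies.
func ta1Verify(second ed25519.PublicKey, msg, nonce []byte) bool {
	f, err := parseTLV(msg)
	if err != nil {
		return false
	}
	want := append([]byte("auth-ok:"), nonce...)
	return bytes.Equal(f[tagAuthData], want) &&
		ed25519.Verify(second, f[tagAuthData], f[tagSignature])
}

func main() {
	rootPub, rootPriv := genKey()
	second, first := genKey()
	stored, err := serverRegister(rootPub, signServiceKey(rootPriv, second))
	ref, nonce := []byte("constructed-template"), []byte("n-0001") // constructed sample values
	msg, _ := ta2Authenticate(first, ref, ref, nonce)
	fmt.Println("registered:", err == nil, "offline result:", ta1Verify(stored, msg, nonce))
}
```

The first trusted application fails closed: a malformed TLV message, a stale nonce, or a signature that does not verify under the stored second service key all give a negative offline result.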
In particular, in this embodiment, the offline identification device includes a memory and one or more programs, where the one or more programs are stored in the memory and may include one or more modules, each module may include a series of computer-executable instructions for the offline identification device, and the one or more programs are configured to be executed by the one or more processors and include computer-executable instructions for:
identifying the identity of a target user based on pre-stored reference user biological information and user biological information of the target user, and if the identity of the target user is identified, transmitting the user biological information to a trusted execution environment through an offline identification trusted application in the trusted execution environment;
in the trusted execution environment, verifying the identity of the target user based on the user biological information through the offline identification trusted application, if the identity verification of the target user is passed, creating authentication data, and carrying out signature processing on the authentication data by using a pre-stored first service key to obtain signed authentication data;
in the trusted execution environment, signature verification processing is performed on the signed authentication data to obtain a signature verification result;
and determining an offline identification result of the target user based on the signature verification result.
The embodiment of the specification provides offline identity recognition equipment, which recognizes the identity of a target user based on reference user biometric information and the user biometric information of the target user and, if the identity recognition passes, transmits the user biometric information to a second offline identification trusted application in a trusted execution environment through a first offline identification trusted application in the trusted execution environment. In the trusted execution environment, the identity of the target user is verified by the second offline identification trusted application; if the identity verification passes, authentication data is created and signed with a first service key, the signed authentication data is transmitted by the second offline identification trusted application to the first offline identification trusted application, the first offline identification trusted application performs signature verification processing on the signed authentication data, and the offline identity recognition result of the target user is determined based on the signature verification result. Online biometric identity verification is thereby moved offline, so that biometric identity verification in an offline scenario is no longer verified at the level of a simple system interface; in the offline scenario, an attacker cannot enter user biometric information even if the attacker knows the unlock password, and cannot complete subsequent verification such as payment.
Example nine
Further, based on the methods shown in fig. 1 to 5, one or more embodiments of the present disclosure further provide a storage medium for storing computer-executable instruction information. In a specific embodiment, the storage medium may be a USB flash drive, an optical disc, a hard disk, or the like, and the computer-executable instruction information stored in the storage medium, when executed by a processor, can implement the following flow:
identifying the identity of a target user based on pre-stored reference user biological information and user biological information of the target user, and if the identity of the target user is identified, transmitting the user biological information to a second offline identification trusted application in a trusted execution environment through a first offline identification trusted application in the trusted execution environment;
in the trusted execution environment, verifying the identity of the target user through the second offline identification trusted application based on the user biological information, if the identity verification of the target user is passed, creating authentication data, and signing the authentication data by using a pre-stored first service key to obtain signed authentication data;
in the trusted execution environment, the signed authentication data is transmitted to the first offline identification trusted application through the second offline identification trusted application, and the signed authentication data is subjected to signature verification processing through the first offline identification trusted application, so that a signature verification result is obtained;
and determining an offline identification result of the target user based on the signature verification result.
In an embodiment of the present disclosure, the user biometric information includes one or more of fingerprint information, facial information, palm print information, and iris information.
In an embodiment of the present disclosure, the transferring the user biological information to the second offline identification trusted application in the trusted execution environment through the first offline identification trusted application in the trusted execution environment includes:
carrying out signature processing on the user biological information to obtain signed user biological information;
transmitting the signed user biological information to a second offline identification trusted application in the trusted execution environment through a first offline identification trusted application in the trusted execution environment;
the verifying, in the trusted execution environment, the identity of the target user by the second offline identification trusted application based on the user biometric information, including:
and in the trusted execution environment, performing signature verification processing on the signed user biological information, and if the signature verification is passed, verifying the identity of the target user based on the user biological information through the second offline identification trusted application.
In this embodiment of the present specification, the following is further included:
and synchronizing related data in the offline identification process of the target user to a first server through a first offline identification trusted application in the trusted execution environment.
In this embodiment of the present specification, the following is further included:
initiating a registration request to a second offline identification trusted application in the trusted execution environment based on pre-stored reference user biometric information;
generating a service key pair in the trusted execution environment, and signing a second service key in the service key pair by using a root key to obtain a signed service key, wherein the service key pair comprises the first service key and the second service key;
acquiring the signed service key and the root key information from the trusted execution environment;
the signed service key and the root key information are sent to a second server, the signed service key and the root key information are used for triggering the second server to carry out signature verification processing on the signed service key, if the signature verification is passed, the second service key is stored, and a notification message of successful registration is sent to the terminal equipment;
if the notification message of successful registration is received, an offline service opening request is sent to the second server, wherein the opening request is used for triggering the second server to query the first server for the related information required by the target user for opening offline identification, and, if the related information can be found, to obtain the second service key and the reference user biological information stored in the first server and send the second service key and the reference user biological information to a first offline identification trusted application in a trusted execution environment in the terminal equipment;
and acquiring the second service key and the reference user biological information through a first offline identification trusted application in a trusted execution environment.
In this embodiment of the present disclosure, the registration request is a signed request, and in the trusted execution environment, generating a service key pair includes:
and in the trusted execution environment, performing signature verification processing on the registration request, and generating a service key pair if the signature verification passes.
In this embodiment of the present disclosure, the format of the data interacted between the first offline identification trusted application and the second offline identification trusted application in the trusted execution environment, between the terminal device and the second server, and between the second server and the first server is TLV format.
In addition, in another specific embodiment, the storage medium may be a USB flash drive, an optical disc, a hard disk, or the like, where the computer-executable instruction information stored in the storage medium, when executed by the processor, can implement the following flow:
identifying the identity of a target user based on pre-stored reference user biological information and user biological information of the target user, and if the identity of the target user is identified, transmitting the user biological information to a trusted execution environment through an offline identification trusted application in the trusted execution environment;
in the trusted execution environment, verifying the identity of the target user based on the user biological information through the offline identification trusted application, if the identity verification of the target user is passed, creating authentication data, and carrying out signature processing on the authentication data by using a pre-stored first service key to obtain signed authentication data;
in the trusted execution environment, signing verification processing is carried out on the signed authentication data, and a signing verification result is obtained;
and determining an offline identification result of the target user based on the signature verification result.
The embodiment of the specification provides a storage medium, which is used for recognizing the identity of a target user based on reference user biometric information and the user biometric information of the target user and, if the identity recognition passes, transmitting the user biometric information to a second offline identification trusted application in a trusted execution environment through a first offline identification trusted application in the trusted execution environment. In the trusted execution environment, the identity of the target user is verified by the second offline identification trusted application; if the identity verification passes, authentication data is created and signed with a first service key, the signed authentication data is transmitted by the second offline identification trusted application to the first offline identification trusted application, the first offline identification trusted application performs signature verification processing on the signed authentication data, and the offline identity recognition result of the target user is determined based on the signature verification result. Online biometric identity verification is thereby moved offline, so that biometric identity verification in an offline scenario is no longer verified at the level of a simple system interface; in the offline scenario, an attacker cannot enter user biometric information even if the attacker knows the unlock password, and cannot complete subsequent verification such as payment.
The foregoing describes specific embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
In the 1990s, an improvement to a technology could be clearly distinguished as an improvement in hardware (e.g., improvements to circuit structures such as diodes, transistors, and switches) or an improvement in software (improvements to a method flow). However, with the development of technology, many improvements to current method flows can be regarded as direct improvements to hardware circuit structures. Designers almost always obtain the corresponding hardware circuit structure by programming the improved method flow into a hardware circuit. Therefore, it cannot be said that an improvement to a method flow cannot be realized by a hardware entity module. For example, a programmable logic device (Programmable Logic Device, PLD), such as a field programmable gate array (Field Programmable Gate Array, FPGA), is an integrated circuit whose logic function is determined by the user's programming of the device. A designer programs to "integrate" a digital system onto a PLD without requiring the chip manufacturer to design and fabricate application-specific integrated circuit chips. Moreover, instead of manually manufacturing integrated circuit chips, such programming is nowadays mostly implemented with "logic compiler" software, which is similar to the software compiler used in program development and writing; the original code before compiling is also written in a specific programming language, called a hardware description language (Hardware Description Language, HDL). There is not just one HDL but many kinds, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, and RHDL (Ruby Hardware Description Language); VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog are currently the most commonly used.
It will also be apparent to those skilled in the art that a hardware circuit implementing the logic method flow can be readily obtained simply by lightly logic-programming the method flow into an integrated circuit using the hardware description languages described above.
The controller may be implemented in any suitable manner. For example, the controller may take the form of a microprocessor or processor and a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, application-specific integrated circuits (Application Specific Integrated Circuit, ASIC), programmable logic controllers, and embedded microcontrollers. Examples of controllers include, but are not limited to, the following microcontrollers: ARC625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicon Labs C8051F320. A memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller purely as computer-readable program code, it is entirely possible to logically program the method steps so that the controller achieves the same functionality in the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers, and the like. Such a controller may thus be regarded as a hardware component, and the means included therein for performing various functions may also be regarded as structures within the hardware component. Or even, the means for achieving the various functions may be regarded both as software modules implementing the methods and as structures within the hardware component.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. One typical implementation is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being functionally divided into various units. Of course, when implementing one or more embodiments of the present description, the functionality of the units may be implemented in one or more pieces of software and/or hardware.
It will be appreciated by those skilled in the art that embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, one or more embodiments of the present description may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Moreover, one or more embodiments of the present description can take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
Embodiments of the present description are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the specification. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing device to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing device, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM), and/or nonvolatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of computer-readable media.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of storage media for a computer include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium which can be used to store information that can be accessed by a computing device. Computer-readable media, as defined herein, does not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
One or more embodiments of the present specification may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. One or more embodiments of the present description may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
In this specification, the embodiments are described in a progressive manner; identical and similar parts of the embodiments may be referred to one another, and each embodiment mainly describes its differences from the other embodiments. In particular, since the system embodiments are substantially similar to the method embodiments, their description is relatively brief; for relevant details, see the corresponding parts of the description of the method embodiments.
The foregoing is merely exemplary of the present disclosure and is not intended to limit the present disclosure. Various modifications and alterations to this specification will become apparent to those skilled in the art. Any modifications, equivalent substitutions, improvements, or the like, which are within the spirit and principles of the present description, are intended to be included within the scope of the claims of the present description.
Claims (17)
1. An offline identity recognition method applied to a terminal device, the method comprising:
identifying the identity of a target user based on pre-stored reference user biological information and user biological information of the target user, and if the identity of the target user is identified, transmitting the user biological information to a second offline identification trusted application in a trusted execution environment through a first offline identification trusted application in the trusted execution environment;
in the trusted execution environment, verifying the identity of the target user through the second offline identification trusted application based on the user biological information, if the identity verification of the target user is passed, creating authentication data, and signing the authentication data by using a pre-stored first service key to obtain signed authentication data;
in the trusted execution environment, the signed authentication data is transmitted to the first offline identification trusted application through the second offline identification trusted application, and the signed authentication data is subjected to signature verification processing through the first offline identification trusted application, so that a signature verification result is obtained;
and determining an offline identification result of the target user based on the signature verification result.
2. The method of claim 1, the user biometric information comprising one or more of fingerprint information, facial information, palm print information, iris information.
3. The method of claim 1, the transferring the user biometric information through a first offline identification trusted application in a trusted execution environment to a second offline identification trusted application in the trusted execution environment, comprising:
carrying out signature processing on the user biological information to obtain signed user biological information;
transmitting the signed user biological information to a second offline identification trusted application in the trusted execution environment through a first offline identification trusted application in the trusted execution environment;
the verifying, in the trusted execution environment, the identity of the target user by the second offline identification trusted application based on the user biometric information, including:
and in the trusted execution environment, performing signature verification processing on the signed user biological information, and if the signature verification is passed, verifying the identity of the target user based on the user biological information through the second offline identification trusted application.
4. A method according to any one of claims 1-3, the method further comprising:
and synchronizing related data in the offline identification process of the target user to a first server through a first offline identification trusted application in the trusted execution environment.
5. A method according to any one of claims 1-3, the method further comprising:
initiating a registration request to a second offline identification trusted application in the trusted execution environment based on pre-stored reference user biometric information;
generating a service key pair in the trusted execution environment, and signing a second service key in the service key pair by using a root key to obtain a signed service key, wherein the service key pair comprises the first service key and the second service key;
acquiring the signed service key and the root key information from the trusted execution environment;
the signed service key and the root key information are sent to a second server, the signed service key and the root key information are used for triggering the second server to carry out signature verification processing on the signed service key, if the signature verification is passed, the second service key is stored, and a notification message of successful registration is sent to the terminal equipment;
if the notification message of successful registration is received, an offline service opening request is sent to a first server, wherein the opening request is used for triggering the first server to inquire about related information required by the target user for opening offline identification to the second server, if the related information can be inquired, the second service key and the reference user biological information stored in the second server are obtained, and the second service key and the reference user biological information are sent to a first offline identification trusted application in a trusted execution environment in the terminal equipment;
and acquiring the second service key and the reference user biological information through a first offline identification trusted application in a trusted execution environment.
6. The method of claim 5, wherein the registration request is a signed request, and wherein generating a service key pair in the trusted execution environment comprises:
and in the trusted execution environment, performing signature verification processing on the registration request, and generating a service key pair if the signature verification passes.
7. The method of claim 6, wherein the format of the data interacted between the first offline identification trusted application and a second offline identification trusted application in the trusted execution environment, between the terminal device and the second server, and between the second server and the first server is TLV format.
8. An offline identification system, the system comprising a terminal device and a first server, wherein:
the terminal equipment is configured to identify the identity of a target user based on pre-stored reference user biological information and user biological information of the target user; if the identity identification of the target user is passed, the user biological information is transmitted to a second offline identification trusted application in a trusted execution environment through a first offline identification trusted application in the trusted execution environment; the identity of the target user is verified based on the user biological information through the second offline identification trusted application; if the identity verification of the target user is passed, authentication data is created and signed by using a pre-stored first service key to obtain signed authentication data; the signed authentication data is transmitted to the first offline identification trusted application through the second offline identification trusted application; signature verification processing is performed on the signed authentication data through the first offline identification trusted application to obtain a signature verification result; and an offline identification result of the target user is determined based on the signature verification result;
the first server is configured to synchronize related data in the offline identification process of the target user with a first offline identification trusted application in the trusted execution environment in the terminal device.
9. The system of claim 8, further comprising a second server,
the second server is configured to store a second service key corresponding to the first service key and the user biometric information.
10. The system of claim 8, the terminal device configured to initiate a registration request to a second offline identified trusted application in the trusted execution environment based on pre-stored reference user biometric information; generating a service key pair in the trusted execution environment, and signing a second service key in the service key pair by using a root key to obtain a signed service key, wherein the service key pair comprises the first service key and the second service key; acquiring the signed service key and the root key information from the trusted execution environment; transmitting the signed service key and the root key information to a second server;
the second server is configured to perform signature verification processing on the signed service key, store the second service key if the signature verification is passed, and send a notification message of successful registration to the terminal device;
the terminal equipment is configured to send an offline service opening request to the second server if a notification message of successful registration is received;
the second server is configured to query the first server about information required by the target user to open offline identification, and if the information can be queried, the second service key and the reference user biological information stored in the first server are acquired, and the second service key and the reference user biological information are sent to a first offline identification trusted application in a trusted execution environment in the terminal equipment;
the terminal device is configured to obtain the second service key and the reference user biometric information by a first offline identification trusted application in a trusted execution environment.
11. An offline identity recognition method applied to a terminal device, the method comprising:
identifying the identity of a target user based on pre-stored reference user biological information and user biological information of the target user, and if the identity of the target user is identified, transmitting the user biological information to a trusted execution environment through an offline identification trusted application in the trusted execution environment;
in the trusted execution environment, verifying the identity of the target user based on the user biological information through the offline identification trusted application, if the identity verification of the target user is passed, creating authentication data, and carrying out signature processing on the authentication data by using a pre-stored first service key to obtain signed authentication data;
in the trusted execution environment, signing verification processing is carried out on the signed authentication data, and a signing verification result is obtained;
and determining an offline identification result of the target user based on the signature verification result.
12. An offline identity recognition device, the device comprising:
the information processing module is used for identifying the identity of the target user based on pre-stored reference user biological information and user biological information of the target user, and transmitting the user biological information to a second offline identification trusted application in the trusted execution environment through a first offline identification trusted application in the trusted execution environment if the identity identification of the target user is passed;
the verification module is used for verifying the identity of the target user through the second offline identification trusted application based on the user biological information in the trusted execution environment, creating authentication data if the identity of the target user is verified, and signing the authentication data by using a pre-stored first service key to obtain signed authentication data;
the signature verification module is used for transmitting the signed authentication data to the first offline identification trusted application through the second offline identification trusted application in the trusted execution environment, and carrying out signature verification processing on the signed authentication data through the first offline identification trusted application to obtain a signature verification result;
and the offline identification module is used for determining an offline identification result of the target user based on the signature verification result.
13. An offline identity recognition device, the device comprising:
the information processing module is used for identifying the identity of the target user based on pre-stored reference user biological information and user biological information of the target user, and transmitting the user biological information to the trusted execution environment through an offline identification trusted application in the trusted execution environment if the identity identification of the target user is passed;
the verification module is used for verifying the identity of the target user through the offline identification trusted application based on the user biological information in the trusted execution environment, creating authentication data if the identity of the target user is verified, and signing the authentication data by using a pre-stored first service key to obtain signed authentication data;
the signature verification module is used for carrying out signature verification processing on the signed authentication data in the trusted execution environment to obtain a signature verification result;
and the offline identification module is used for determining an offline identification result of the target user based on the signature verification result.
14. An offline identification device, the offline identification device comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
identifying the identity of a target user based on pre-stored reference user biological information and user biological information of the target user, and if the identity of the target user is identified, transmitting the user biological information to a second offline identification trusted application in a trusted execution environment through a first offline identification trusted application in the trusted execution environment;
in the trusted execution environment, verifying the identity of the target user through the second offline identification trusted application based on the user biological information, if the identity verification of the target user is passed, creating authentication data, and signing the authentication data by using a pre-stored first service key to obtain signed authentication data;
in the trusted execution environment, the signed authentication data is transmitted to the first offline identification trusted application through the second offline identification trusted application, and the signed authentication data is subjected to signature verification processing through the first offline identification trusted application, so that a signature verification result is obtained;
and determining an offline identification result of the target user based on the signature verification result.
15. An offline identification device, the offline identification device comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to:
identifying the identity of a target user based on pre-stored reference user biological information and user biological information of the target user, and if the identity of the target user is identified, transmitting the user biological information to a trusted execution environment through an offline identification trusted application in the trusted execution environment;
in the trusted execution environment, verifying the identity of the target user based on the user biological information through the offline identification trusted application, if the identity verification of the target user is passed, creating authentication data, and carrying out signature processing on the authentication data by using a pre-stored first service key to obtain signed authentication data;
in the trusted execution environment, signing verification processing is carried out on the signed authentication data, and a signing verification result is obtained;
and determining an offline identification result of the target user based on the signature verification result.
16. A storage medium for storing computer executable instructions that when executed by a processor implement the following:
identifying the identity of a target user based on pre-stored reference user biological information and user biological information of the target user, and if the identity of the target user is identified, transmitting the user biological information to a second offline identification trusted application in a trusted execution environment through a first offline identification trusted application in the trusted execution environment;
in the trusted execution environment, verifying the identity of the target user through the second offline identification trusted application based on the user biological information, if the identity verification of the target user is passed, creating authentication data, and signing the authentication data by using a pre-stored first service key to obtain signed authentication data;
in the trusted execution environment, the signed authentication data is transmitted to the first offline identification trusted application through the second offline identification trusted application, and the signed authentication data is subjected to signature verification processing through the first offline identification trusted application, so that a signature verification result is obtained;
and determining an offline identification result of the target user based on the signature verification result.
17. A storage medium for storing computer executable instructions that when executed by a processor implement the following:
identifying the identity of a target user based on pre-stored reference user biological information and user biological information of the target user, and if the identity of the target user is identified, transmitting the user biological information to a trusted execution environment through an offline identification trusted application in the trusted execution environment;
in the trusted execution environment, verifying the identity of the target user based on the user biological information through the offline identification trusted application, if the identity verification of the target user is passed, creating authentication data, and carrying out signature processing on the authentication data by using a pre-stored first service key to obtain signed authentication data;
in the trusted execution environment, signing verification processing is carried out on the signed authentication data, and a signing verification result is obtained;
and determining an offline identification result of the target user based on the signature verification result.
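The registration steps of claim 5, in which the second server accepts a second service key only when it is signed by the device root key, as an added Go example that is not code from the patent. Ed25519, the use of a SHA-256 fingerprint as the "root key information", and a server-side table of trusted root keys provisioned in advance are assumptions made here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// rootKeyInfo is assumed to be the hex SHA-256 of the root public key; the
// patent does not say what the root key information contains.
func rootKeyInfo(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// tee models the terminal's trusted execution environment.
type tee struct {
	rootPriv        ed25519.PrivateKey
	rootPub         ed25519.PublicKey
	firstServiceKey ed25519.PrivateKey // private half, stays inside the TEE
}

func newTEE() (*tee, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &tee{rootPriv: priv, rootPub: pub}, nil
}

// registration is what the terminal forwards to the second server.
type registration struct {
	SecondServiceKey []byte // public half of the service key pair
	Signature        []byte // root-key signature over SecondServiceKey
	RootKeyInfo      string
}

// Register generates the service key pair and signs the second service key
// with the root key, all inside the TEE.
func (t *tee) Register() (registration, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return registration{}, err
	}
	t.firstServiceKey = priv
	return registration{pub, ed25519.Sign(t.rootPriv, pub), rootKeyInfo(t.rootPub)}, nil
}

// secondServer stores a second service key only after signature verification.
type secondServer struct {
	trustedRoots map[string]ed25519.PublicKey // provisioned in advance (assumption)
	serviceKeys  map[string]ed25519.PublicKey // user ID -> second service key
}

func newSecondServer(roots ...ed25519.PublicKey) *secondServer {
	s := &secondServer{map[string]ed25519.PublicKey{}, map[string]ed25519.PublicKey{}}
	for _, r := range roots {
		s.trustedRoots[rootKeyInfo(r)] = r
	}
	return s
}

// HandleRegistration returns nil, the "registration successful" case, only
// when a known root key signed exactly the submitted service key.
func (s *secondServer) HandleRegistration(user string, r registration) error {
	root, ok := s.trustedRoots[r.RootKeyInfo]
	if !ok {
		return errors.New("registration: unknown root key")
	}
	if len(r.SecondServiceKey) != ed25519.PublicKeySize {
		return errors.New("registration: malformed service key")
	}
	if !ed25519.Verify(root, r.SecondServiceKey, r.Signature) {
		return errors.New("registration: signature verification failed")
	}
	s.serviceKeys[user] = append(ed25519.PublicKey(nil), r.SecondServiceKey...)
	return nil
}

func main() {
	dev, err := newTEE()
	if err != nil {
		panic(err)
	}
	srv := newSecondServer(dev.rootPub)
	reg, err := dev.Register()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine registration error:", srv.HandleRegistration("user-1", reg))
	reg.SecondServiceKey[0] ^= 0x01 // constructed tampering with the key in transit
	fmt.Println("substituted key error:", srv.HandleRegistration("user-2", reg))
}
```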
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210618724.7A CN115001817B (en) | 2022-06-01 | 2022-06-01 | An offline identity recognition method, device and equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202210618724.7A CN115001817B (en) | 2022-06-01 | 2022-06-01 | An offline identity recognition method, device and equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN115001817A (en) | 2022-09-02 |
| CN115001817B (en) | 2023-09-26 |
Family
ID=83031500
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202210618724.7A Active CN115001817B (en) | 2022-06-01 | 2022-06-01 | An offline identity recognition method, device and equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115001817B (en) |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115603943B (en) * | 2022-09-07 | 2024-08-02 | 支付宝(杭州)信息技术有限公司 | Offline identity verification method and device, storage medium and electronic equipment |
| CN115941336B (en) * | 2022-12-12 | 2024-10-01 | 支付宝(杭州)信息技术有限公司 | Data processing method, device and equipment |
| CN115801287A (en) * | 2022-12-26 | 2023-03-14 | 支付宝(杭州)信息技术有限公司 | Signature authentication method and device |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN106056380A (en) * | 2016-05-27 | 2016-10-26 | 深圳市雪球科技有限公司 | Mobile payment risk control system and mobile payment risk control method |
| CN106875186A (en) * | 2016-06-20 | 2017-06-20 | 阿里巴巴集团控股有限公司 | A kind of offline payment method and device |
| CN107612940A (en) * | 2017-10-31 | 2018-01-19 | 飞天诚信科技股份有限公司 | A kind of identity identifying method and authentication device |
| CN107832670A (en) * | 2017-10-11 | 2018-03-23 | 广东欧珀移动通信有限公司 | Face identification method and Related product |
| CN108400989A (en) * | 2018-03-01 | 2018-08-14 | 北京东方英卡数字信息技术有限公司 | A kind of safety certificate equipment of shared resource authentication, method and system |
| CN112039901A (en) * | 2020-09-02 | 2020-12-04 | 联仁健康医疗大数据科技股份有限公司 | Data transmission method, device and system |
| CN113239853A (en) * | 2021-05-27 | 2021-08-10 | 支付宝(杭州)信息技术有限公司 | Biological identification method, device and equipment based on privacy protection |
| CN113591057A (en) * | 2021-08-05 | 2021-11-02 | 国民认证科技(北京)有限公司 | Biological characteristic off-line identity recognition method and system |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8438385B2 (en) * | 2008-03-13 | 2013-05-07 | Fujitsu Limited | Method and apparatus for identity verification |
| KR102616421B1 (en) * | 2018-11-02 | 2023-12-21 | 삼성전자주식회사 | Payment method using biometric authentication and electronic device thereof |
Non-Patent Citations (1)
| Title |
|---|
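| Security analysis of applying TEE technology to biometric identification scenarios on smart devices; 魏凡星; 傅山; 王嘉义; 余泉; 移动通信 (Mobile Communications) (21); full text * |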
Also Published As
| Publication number | Publication date |
|---|---|
| CN115001817A (en) | 2022-09-02 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108055132B (en) | | Method, device and equipment for service authorization |
| CN115001817B (en) | | An offline identity recognition method, device and equipment |
| CN113010870B (en) | | Business processing method, device and equipment based on digital certificate |
| CN113641983B (en) | | Account binding method, device and system of application program |
| CN110519294B (en) | | Identity authentication method, device, equipment and system |
| CN107196901B (en) | | Method and device for identity registration and authentication |
| CN113807856A (en) | | Resource transfer method, device and equipment |
| CN113946260B (en) | | Data processing method, device and equipment |
| CN113810413B (en) | | Method, device and equipment for processing equipment account |
| CN113572827B (en) | | Registration processing method and device |
| CN114428974A (en) | | Service remote operation method and device |
| CN109063430A (en) | | A kind of method, device and equipment of data storage and authentication |
| CN113823024A (en) | | A smart card identification method, device and system |
| CN111882321B (en) | | Identity verification processing method, device and system |
| CN115640589A (en) | | A security protection device, service execution method, device and storage medium |
| CN115603943A (en) | | Method and device for off-line identity authentication, storage medium and electronic equipment |
| CN114867017B (en) | | Identity authentication method, device, equipment and system |
| CN120185939B (en) | | Check-in processing method and device |
| CN120496216B (en) | | Virtual card processing method and device for access points |
| CN115484065B (en) | | Identity verification method, device and equipment based on blockchain |
| CN115766115B (en) | | Authentication method, device, storage medium and electronic device |
| CN118656816B (en) | | A business verification system, method, apparatus, storage medium, and electronic device |
| CN115545713B (en) | | Resource transfer method, device and equipment |
| CN119967390A (en) | | Processing method and device based on near field communication |
| CN120769258A (en) | | Authentication method, system, storage medium, device and computer program product |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |
| | CP03 | Change of name, title or address | Address after: 310000 Zhejiang Province, Hangzhou City, Xihu District, Xixi Road 543-569 (continuous odd numbers) Building 1, Building 2, 5th Floor, Room 518; Patentee after: Alipay (Hangzhou) Digital Service Technology Co.,Ltd.; Country or region after: China; Address before: 310000 801-11 section B, 8th floor, 556 Xixi Road, Xihu District, Hangzhou City, Zhejiang Province; Patentee before: Alipay (Hangzhou) Information Technology Co., Ltd.; Country or region before: China |