
CN115146253A - A mobile App login method, mobile device and system - Google Patents


Info

Publication number
CN115146253A
Authority
CN
China
Prior art keywords
server
login
mobile app
automatic
electronic equipment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110342507.5A
Other languages
Chinese (zh)
Inventor
李赤阳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Petal Cloud Technology Co Ltd
Original Assignee
Petal Cloud Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Petal Cloud Technology Co Ltd
Priority to CN202110342507.5A
Publication of CN115146253A
Legal status: Pending

Classifications

    • G PHYSICS > G06 COMPUTING OR CALCULATING; COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/45 Structures or tools for the administration of authentication
    • G06F21/60 Protecting data > G06F21/602 Providing cryptographic facilities or services
    • G06F21/60 Protecting data > G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The embodiments of this application provide a mobile App login method, mobile device and system in the field of terminal technology. The electronic device receives the user name and login password of the mobile App, obtains an automatic login key pair that was generated and is stored in the TEE, and submits a first login request containing the user name, the login password and the public key of the automatic login key pair to the server. The server generates an automatic login credential from the first login request and sends it to the electronic device. When the user opens the mobile App, the electronic device submits a second login request to the server containing a first signature result and the automatic login credential; the first signature result is produced by signing the electronic device's local timestamp with the private key. The server verifies the first signature result with the public key carried in the automatic login credential of the second login request, and if verification passes the mobile App is logged in. This reduces the risk of the authentication credential being leaked and strengthens the security of the mobile App login process.

Description

A mobile App login method, mobile device and system

Technical field

This application relates to the field of terminal technology, and in particular to a mobile App login method, mobile device and system.

Background

Many mobile applications (Apps) require the user to log in to an account, so that the user's identity is established before the App can be used. These mobile Apps are usually split into a server side and a client side. After the user enters a user name and login password on the client, the client submits them to the server for authentication. Once authentication passes, client and server keep the user logged in for a certain period. Many mobile Apps are designed to keep the user's account logged in for a long time, so that the user does not have to enter the user name and login password every time the App is opened. To keep a mobile App logged in for a long time, an authentication credential is usually stored on the client device for the server to use when authenticating the client's identity.

Because the client device may be compromised, an authentication credential stored on it is at risk of being leaked. If an attacker uses it to impersonate the user on another device, the user suffers loss. How to prevent the leakage of authentication credentials is therefore a problem that urgently needs solving.

Summary of the invention

The embodiments of this application provide a mobile App login method, mobile device and system that reduce the risk of authentication-credential leakage and strengthen the security of the mobile App login process.

To achieve this, the application adopts the following technical solutions:

In a first aspect, this application provides a mobile App login method applied to an electronic device that includes a Trusted Execution Environment (TEE). The method includes: the electronic device receives the user name and login password of a mobile application (App) entered by the user; the electronic device generates an automatic login key pair consisting of a public key and a private key, the key pair being generated and stored by the TEE; the electronic device sends a first login request to the server, requesting login to the mobile App, which includes the user name, the login password and the public key; the electronic device receives an automatic login credential, which is generated from the user name and the public key; the electronic device receives a user operation that opens the mobile App; in response to that operation, the electronic device sends a second login request to the server, requesting login to the mobile App, which includes a first signature result and the automatic login credential, where the first signature result is generated by signing the electronic device's local timestamp with the private key; and the automatic login credential is used to verify the first signature result.

In this method, a non-exportable automatic login key pair is generated and stored in the TEE of the electronic device, and after the user name, login password and the public key of the key pair are submitted to the server, an automatic login credential is received. The automatic login credential binds the automatic login key pair to the user's identity information, turning authentication of the user's identity into authentication of the automatic login key pair. As a result, even if the Rich Execution Environment (REE, the normal operating system side of the device) is compromised, the user's identity information cannot be stolen as long as the TEE holds. The non-exportability of the automatic login key pair in the TEE prevents the user's login credential from being stolen, strengthens the security of the mobile App login process and reduces the risk of the authentication credential being leaked.

With reference to the first aspect, in one possible implementation the method further includes: the electronic device receives a session identifier from the server, the session identifier being the credential for data transmission between the electronic device and the server.

That is, a new session identifier is produced on each manual login and on each automatic login, so its retention time can be set short; for example, the session identifier is kept only from the moment the user logs in to the mobile App until the App is closed. Because it is kept for such a short time, the session identifier can be held in the mobile device's memory, which is safer than storing it on disk for a long period.

With reference to the first aspect, in one possible implementation the second login request further includes the local timestamp of the electronic device.

With reference to the first aspect, in one possible implementation the method further includes: the electronic device receives the server's current time from the server; the electronic device sends a third login request to the server, which includes the server's current time, a second signature result and the automatic login credential, where the second signature result is generated by signing the server's current time with the private key. This provides fault tolerance when the mobile device's clock is inaccurate. Because the fault-tolerant login flow is the same as the normal login flow, it simplifies server-side development and reduces the code footprint.

With reference to the first aspect, in one possible implementation the method further includes: before the electronic device sends the second login request to the server, it performs biometric verification of the user, the biometric verification including at least one of fingerprint recognition, facial recognition and iris recognition. In this way the user's identity is verified on every login to the mobile App; even if the mobile device is lost or temporarily borrowed by someone else, that person cannot log in to the mobile App under the user's identity, which improves login security.

In a second aspect, the embodiments of this application provide a mobile App login method that includes: the server receives a first login request, requesting login to the mobile App, which includes the user name and login password of the mobile App and the public key of an automatic login key pair; the server generates an automatic login credential from the user name and the public key; the server sends the automatic login credential to the electronic device; the server receives a second login request, requesting login to the mobile App, which includes a signature result and the automatic login credential, where the signature result is obtained by signing the electronic device's local timestamp with the private key of the automatic login key pair; the server decrypts the automatic login credential and verifies its integrity; if the integrity check passes, the server obtains the public key from the automatic login credential and verifies the signature result with that public key; if the signature verifies, the server determines that login to the mobile App has succeeded.

In this method, the server binds the user name to the automatic login key pair according to the first login request, generates the automatic login credential and sends it to the electronic device. It then verifies the signature result with the public key of the automatic login key pair carried inside the automatic login credential, turning authentication of the user's identity into authentication of the automatic login key pair; this prevents the user's login credential from being stolen, strengthens the security of the mobile App login process and reduces the risk of the authentication credential being leaked. Because the binding travels inside the credential, the server does not need to store or look up the binding between user identity information and the automatic login key pair. This reduces the server's data retrieval time and storage space during automatic login, and login efficiency is independent of the number of users, which improves the efficiency of the login process when the user base is large.

With reference to the second aspect, in one possible implementation, the server generating the automatic login credential from the user name and the public key includes: the server encrypts the user name and the public key to produce the automatic login credential.

In one possible design, the server's key module encrypts with a symmetric key using an authenticated encryption with associated data (AEAD) mode such as GCM (Galois/Counter Mode) or CCM (Counter with CBC-MAC). This guarantees both the confidentiality and the integrity of the encrypted data: the integrity verification performed when the server decrypts the credential is the AEAD tag check, so an altered credential is rejected before any public key is taken from it. As with any use of GCM or CCM, a nonce must never be reused under the same key, so each credential needs a fresh nonce.

With reference to the second aspect, in one possible implementation the method further includes: before verifying the signature result with the public key, verifying that the signature result is not already present on the server.

That is, the signature result submitted by the electronic device serves as the check item for replay detection, which detects replay attacks effectively. If the server finds that the signature result has not been seen before, the request is not treated as a replay; this is accurate and requires no extra field in the request. The reasoning is that an attacker without the private key cannot produce a fresh signature over a timestamp, so the only thing that can be replayed is an exact copy of an earlier request, and that copy carries the same signature bytes.

With reference to the second aspect, in one possible implementation, the server includes one or more Bloom filters, each storing the signature results of one time range; the second login request further includes the electronic device's local timestamp; and verifying that the signature result is not present on the server includes: selecting a first Bloom filter among the one or more Bloom filters according to the electronic device's local timestamp in the second login request, and verifying that the signature result in the second login request is not present in the first Bloom filter.

In one possible design, the configured time error range is divided into several time slices, a Bloom filter is created for each slice, and the signature results belonging to that slice are stored in it. As time advances, the slice covered by an earlier Bloom filter falls outside the configured time error range; deleting such filters works around the fact that individual entries cannot be removed from a Bloom filter. The server thus only keeps signature results within the maximum time error range and only has to check the signature results of a single time slice, which saves storage space and keeps each query short, greatly improving detection efficiency. Note the direction of Bloom-filter error: a false positive causes a genuine first-time request to be treated as a replay and rejected, never a replay to be accepted, so the filter size and hash count should be sized for the expected number of logins per slice.

With reference to the second aspect, in one possible implementation the method further includes: before selecting the first Bloom filter according to the electronic device's local timestamp in the second login request, determining that the difference between that local timestamp and the server's current time is smaller than the configured time error range. In this way the user can be logged in without an extra network round trip, since the device signs its own timestamp rather than a challenge fetched from the server. At the same time, login requests outside the time error range are filtered out, which narrows the range over which replays must be detected.

With reference to the second aspect, in one possible implementation the method further includes: if the difference between the electronic device's local timestamp in the second login request and the server's current time is greater than or equal to the configured time error range, the server sends its current time to the electronic device. This provides fault tolerance when the mobile device's clock is inaccurate. Because the fault-tolerant login flow is the same as the normal login flow, it simplifies server-side development and reduces the code footprint.

With reference to the second aspect, in one possible implementation the method further includes: before the server generates the automatic login credential from the user name and the public key, the server verifies the user name and the login password. This confirms that the user's identity is genuine.

With reference to the second aspect, in one possible implementation the method further includes: after the server determines that login to the mobile App has succeeded, the server sends a session identifier to the electronic device, the session identifier being the credential for data transmission between the electronic device and the server.

In a third aspect, this application provides a mobile App login method that includes: the electronic device receives the user name and login password of a mobile application (App) entered by the user; the electronic device generates an automatic login key pair consisting of a public key and a private key, the key pair being generated and stored by the TEE; the electronic device sends a first login request to the server, requesting login to the mobile App, which includes the user name, the login password and the public key; the server receives the first login request and generates an automatic login credential from the user name and the public key; the server sends the automatic login credential to the electronic device; the electronic device receives a user operation that opens the mobile App; in response to that operation, the electronic device submits a second login request to the server, requesting login to the mobile App, which includes a first signature result and the automatic login credential, where the first signature result is obtained by signing the electronic device's local timestamp with the private key; the server receives the second login request and obtains the first signature result and the automatic login credential from it; the server decrypts the automatic login credential and verifies its integrity; if the integrity check passes, the server obtains the public key from the automatic login credential and verifies the first signature result with that public key; if the first signature result verifies, the server determines that login to the mobile App has succeeded.

In this method, a non-exportable automatic login key pair is generated and stored in the TEE of the electronic device, and a first login request is submitted to the server; the server binds the user name to the automatic login key pair according to the first login request, generates the automatic login credential and sends it to the electronic device. The automatic login credential binds the automatic login key pair to user identity information such as the user name; the server verifies the signature result with the public key of the automatic login key pair carried in the credential and, if it verifies, confirms that login has succeeded. Authentication of the user's identity is thereby turned into authentication of the automatic login key pair, which prevents the user's login credential from being stolen, strengthens the security of the mobile App login process and reduces the risk of the authentication credential being leaked. Even if the REE is compromised, the user's identity information cannot be stolen as long as the TEE holds. The server also does not need to store or look up the binding between user identity information and the automatic login key pair, which reduces its data retrieval time and storage space during automatic login; login efficiency is independent of the number of users, which improves the efficiency of the login process when the user base is large.
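The first, second and third aspects describe one protocol from the two ends. The following is an added Go example of that exchange, written for this page; it is not code from the patent or from any product implementing it. It assumes P-256 ECDSA for the automatic login key pair and AES-256-GCM for sealing the credential (the patent names neither), and the "TEE" here is an ordinary in-process key so the example runs anywhere. The credential layout (one length byte, the user name, the DER public key, sealed under a fixed associated-data label), the signed message (SHA-256 of the 8-byte big-endian Unix time) and all identifiers are assumptions. Both sides are implemented: password login that issues the credential, the second login request over the device's own timestamp, and the third login request over the server's time when the clock is off.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// ErrClockSkew: device timestamp outside the window; the server then replies with its own time.
var ErrClockSkew = errors.New("device timestamp outside allowed window")

var credAAD = []byte("autologin-credential-v1") // associated data for every credential (assumed label)

// timestampDigest is what gets signed: SHA-256 over the big-endian unix time (assumed encoding).
func timestampDigest(ts int64) []byte {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], uint64(ts))
	h := sha256.Sum256(buf[:])
	return h[:]
}

// Device stands in for the phone. In the real design priv is generated inside the TEE and cannot be
// exported; here it is an ordinary in-process P-256 key so the example runs anywhere.
type Device struct{ priv *ecdsa.PrivateKey }

func NewDevice() *Device {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only on entropy failure
	return &Device{priv: priv}
}

// PublicKeyDER is what the device submits in the first login request.
func (d *Device) PublicKeyDER() []byte {
	der, _ := x509.MarshalPKIXPublicKey(&d.priv.PublicKey)
	return der
}

// SignTimestamp produces the "signature result": the private key over a timestamp.
func (d *Device) SignTimestamp(ts int64) []byte {
	sig, _ := ecdsa.SignASN1(rand.Reader, d.priv, timestampDigest(ts))
	return sig
}

// Server holds the password table and the symmetric credential key; the device never sees that key.
type Server struct {
	aead  cipher.AEAD
	users map[string]string // username -> password (a real server stores a hash)
	skew  time.Duration     // allowed |device time - server time|
	now   func() time.Time
}

func NewServer(key32 []byte, users map[string]string, skew time.Duration, now func() time.Time) *Server {
	block, _ := aes.NewCipher(key32) // 32-byte key: AES-256
	aead, _ := cipher.NewGCM(block)
	return &Server{aead: aead, users: users, skew: skew, now: now}
}

// Issue handles the first login request: check the password, then seal username and public key
// into one credential, nonce || AES-GCM(len(user) || user || pubkeyDER, credAAD).
func (s *Server) Issue(user, password string, pubDER []byte) ([]byte, error) {
	if pw, ok := s.users[user]; !ok || pw != password || len(user) > 255 {
		return nil, errors.New("username or password rejected")
	}
	nonce := make([]byte, s.aead.NonceSize())
	rand.Read(nonce) // a fresh random nonce per credential; GCM breaks on nonce reuse
	plain := append(append([]byte{byte(len(user))}, user...), pubDER...)
	return s.aead.Seal(nonce, nonce, plain, credAAD), nil
}

// AutoLogin handles the second (or third) login request in the order the method specifies:
// credential integrity first, then the time window, then the signature under the recovered key.
func (s *Server) AutoLogin(cred []byte, ts int64, sig []byte) (string, error) {
	ns := s.aead.NonceSize()
	if len(cred) < ns {
		return "", errors.New("malformed credential")
	}
	plain, err := s.aead.Open(nil, cred[:ns], cred[ns:], credAAD)
	if err != nil || len(plain) < 1 || len(plain) < 1+int(plain[0]) {
		return "", errors.New("credential integrity check failed")
	}
	n := int(plain[0])
	pubAny, err := x509.ParsePKIXPublicKey(plain[1+n:])
	pub, ok := pubAny.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return "", errors.New("credential carries no usable public key")
	}
	skew := int64(s.skew / time.Second)
	if d := s.now().Unix() - ts; d >= skew || -d >= skew {
		return "", ErrClockSkew
	}
	if !ecdsa.VerifyASN1(pub, timestampDigest(ts), sig) {
		return "", errors.New("signature verification failed")
	}
	return string(plain[1 : 1+n]), nil
}

// AutoLoginWithFallback: the second login request and, on clock skew, the third one, where the
// device signs the server's time instead of its own and resubmits the same credential.
func AutoLoginWithFallback(d *Device, s *Server, cred []byte, localTime int64) (string, error) {
	user, err := s.AutoLogin(cred, localTime, d.SignTimestamp(localTime))
	if !errors.Is(err, ErrClockSkew) {
		return user, err
	}
	serverTime := s.now().Unix() // carried in the server's reply in the real exchange
	return s.AutoLogin(cred, serverTime, d.SignTimestamp(serverTime))
}

func main() {
	now := func() time.Time { return time.Date(2021, 3, 31, 12, 0, 0, 0, time.UTC) }
	srv := NewServer(make([]byte, 32), map[string]string{"alice": "correct horse"}, 5*time.Minute, now) // demo key
	dev := NewDevice()
	cred, _ := srv.Issue("alice", "correct horse", dev.PublicKeyDER())        // first login request
	fmt.Println(AutoLoginWithFallback(dev, srv, cred, now().Unix()+7200)) // phone clock two hours fast
}
```

Two properties of the design show up directly in the code: the server keeps no per-user record of the public key, because the AEAD-sealed credential carries it and cannot be altered without failing `Open`; and a credential copied off the device is useless on another device, because the signature is made with a key the copy does not include. Replay detection is left out here; the sliced Bloom filter described further down is a separate example.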

With reference to the third aspect, in one possible implementation the method further includes: after the server determines that login to the mobile App has succeeded, the server sends a session identifier to the electronic device, the session identifier being the credential for data transmission between the electronic device and the server; the electronic device receives the session identifier.

With reference to the third aspect, in one possible implementation the method further includes: before the electronic device sends the second login request to the server, it performs biometric verification of the user, the biometric verification including at least one of fingerprint recognition, facial recognition and iris recognition. In this way the user's identity is verified on every login to the mobile App; even if the mobile device is lost or temporarily borrowed by someone else, that person cannot log in to the mobile App under the user's identity, which improves login security.

With reference to the third aspect, in one possible implementation the method further includes: before the server verifies the first signature result with the public key, the server verifies that the first signature result is not already present on the server.

With reference to the third aspect, in one possible implementation, the server includes one or more Bloom filters, each storing the signature results of one time range; the second login request further includes the electronic device's local timestamp; and the server verifying that the first signature result is not present on the server includes: the server selects a first Bloom filter among the one or more Bloom filters according to the electronic device's local timestamp in the second login request, and verifies that the first signature result in the second login request is not present in the first Bloom filter.

With reference to the third aspect, in one possible implementation the method further includes: before selecting the first Bloom filter according to the electronic device's local timestamp in the second login request, the server determines that the difference between that local timestamp and the server's current time is smaller than the configured time error range. In this way the user can be logged in without an extra network round trip. At the same time, login requests outside the time error range are filtered out, which narrows the range over which replays must be detected.
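The time-sliced Bloom-filter replay check described in the second and third aspects, as an added Go example written for this page (not the patent's own code). It assumes a standard Bloom filter with double hashing derived from SHA-256; the slice length, filter size and hash count are parameters the page does not fix, and the `Verdict` names are invented here. `Check` applies the window test before the replay test, as the text specifies, and `Expire` drops whole filters once their slice can no longer hold an in-window timestamp, which is how the design removes old signatures without deleting individual Bloom-filter entries.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Verdict is the server's decision for one second-login request (names assumed for this example).
type Verdict int

const (
	Accept        Verdict = iota // first sighting of this signature in its time slice
	OutsideWindow                // |device time - server time| >= window: reply with the server time
	Replay                       // signature already recorded in that slice (or a Bloom false positive)
)

// bloom is a plain Bloom filter: m bits, k indexes per item from double hashing.
type bloom struct {
	bits []uint64
	m, k uint32
}

func newBloom(m, k uint32) *bloom { return &bloom{bits: make([]uint64, (m+63)/64), m: m, k: k} }

// indexes derives k bit positions from SHA-256(item) as h1 + i*h2 mod m.
func (b *bloom) indexes(item []byte) []uint32 {
	h := sha256.Sum256(item)
	h1, h2 := binary.LittleEndian.Uint32(h[0:4]), binary.LittleEndian.Uint32(h[4:8])|1
	idx := make([]uint32, b.k)
	for i := range idx {
		idx[i] = (h1 + uint32(i)*h2) % b.m
	}
	return idx
}

// testAndAdd reports whether item was (probably) already present, and records it either way.
func (b *bloom) testAndAdd(item []byte) bool {
	seen := true
	for _, i := range b.indexes(item) {
		w, bit := i/64, uint64(1)<<(i%64)
		if b.bits[w]&bit == 0 {
			seen = false
			b.bits[w] |= bit
		}
	}
	return seen
}

// ReplayCache keeps one Bloom filter per time slice of the device timestamp, and only for slices
// that can still contain an in-window timestamp, so old signatures age out by deleting whole filters.
type ReplayCache struct {
	window, slice time.Duration
	m, k          uint32
	slices        map[int64]*bloom // slice index -> filter
}

func NewReplayCache(window, slice time.Duration, m, k uint32) *ReplayCache {
	return &ReplayCache{window: window, slice: slice, m: m, k: k, slices: map[int64]*bloom{}}
}

// Check applies the window test first, then the replay test against the filter selected by the
// device timestamp, recording the signature so the same request cannot be accepted twice.
func (c *ReplayCache) Check(sig []byte, deviceTS, serverNow time.Time) Verdict {
	if d := serverNow.Sub(deviceTS); d >= c.window || -d >= c.window {
		return OutsideWindow
	}
	c.Expire(serverNow)
	idx := deviceTS.UnixNano() / int64(c.slice)
	f, ok := c.slices[idx]
	if !ok {
		f = newBloom(c.m, c.k)
		c.slices[idx] = f
	}
	if f.testAndAdd(sig) {
		return Replay
	}
	return Accept
}

// Expire deletes filters whose entire slice lies before serverNow-window; any timestamp in them
// would now fail the window test anyway, so nothing is lost. Returns the number of filters dropped.
func (c *ReplayCache) Expire(serverNow time.Time) int {
	oldest := serverNow.Add(-c.window).UnixNano() / int64(c.slice)
	dropped := 0
	for idx := range c.slices {
		if idx < oldest {
			delete(c.slices, idx)
			dropped++
		}
	}
	return dropped
}

func main() {
	now := time.Date(2021, 3, 31, 12, 0, 0, 0, time.UTC)
	c := NewReplayCache(5*time.Minute, time.Minute, 1<<16, 7)
	sig := []byte("constructed-signature-bytes-A") // stands in for the DER ECDSA signature
	ts := now.Add(-40 * time.Second)
	fmt.Println(c.Check(sig, ts, now), c.Check(sig, ts, now), c.Check(sig, now.Add(-time.Hour), now))
}
```

The number of live filters is bounded by about 2*window/slice + 1, independent of the user base, which is the storage argument made above. Sizing matters in one direction only: the filter's false-positive rate is the rate at which legitimate first-time logins are wrongly refused as replays, and a refused login falls back to the normal password path, whereas a true replay is never let through.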

结合第三方面,在一种可能的实现方式中,该方法还包括:如果第二登录请求中电子设备的本地时间戳与服务器的当前时间之间的差值大于或等于设定的时间误差范围,服务器向电子设备发送服务器的当前时间;电子设备从服务器接收服务器的当前时间;电子设备向服务器发送第三登录请求,第三登录请求包括服务器的当前时间,第二签名结果和自动登录凭据;第二签名结果是采用私钥对服务器的当前时间进行签名生成的。这样,可实现移动设备时间不准确情况下的容错处理。容错处理的登录流程和正常的登录流程相同,可以简化服务端程序的开发工作和空间占用。With reference to the third aspect, in a possible implementation manner, the method further includes: if the difference between the local timestamp of the electronic device in the second login request and the current time of the server is greater than or equal to a set time error range , the server sends the current time of the server to the electronic device; the electronic device receives the current time of the server from the server; the electronic device sends a third login request to the server, and the third login request includes the current time of the server, the second signature result and automatic login credentials; The second signature result is generated by using the private key to sign the current time of the server. In this way, fault-tolerant processing in the event that the time of the mobile device is inaccurate can be realized. The login process of fault-tolerant processing is the same as the normal login process, which can simplify the development work and space occupation of the server program.
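The time-segmented Bloom filter of the design above, together with the time-window check of the implementations that follow it, written out as an added Go example; this is not code from the application. The five-minute window, the one-minute segment, the filter size and hash functions, and the encoding of the timestamp as Unix seconds are assumptions, since the application specifies none of them.

```go
package main

import (
	"errors"
	"fmt"
	"hash/fnv"
	"time"
)

// Window is the tolerated gap between the device's local timestamp and the
// server clock; Segment is the span one Bloom filter covers. Both are assumed.
const (
	Window  = 5 * time.Minute
	Segment = 1 * time.Minute
)

var ErrClockSkew = errors.New("timestamp outside the tolerated window")
var ErrReplay = errors.New("signature already seen in this time segment")

// bloom is a plain Bloom filter: m bits, k probe positions obtained by double
// hashing two 64-bit FNV digests (an assumption; the application fixes no hash).
type bloom struct {
	bits []uint64
	m, k uint64
}

func newBloom(m, k uint64) *bloom { return &bloom{bits: make([]uint64, (m+63)/64), m: m, k: k} }

func (b *bloom) positions(item []byte) []uint64 {
	ha, hb := fnv.New64a(), fnv.New64()
	ha.Write(item)
	hb.Write(item)
	h1, h2 := ha.Sum64(), hb.Sum64()|1 // odd step keeps probes distinct when m is a power of two
	pos := make([]uint64, b.k)
	for i := uint64(0); i < b.k; i++ {
		pos[i] = (h1 + i*h2) % b.m
	}
	return pos
}

// testAndAdd records item and reports whether all of its bits were already set,
// i.e. whether the item was (probably) inserted before.
func (b *bloom) testAndAdd(item []byte) bool {
	seen := true
	for _, p := range b.positions(item) {
		if b.bits[p/64]&(1<<(p%64)) == 0 {
			seen = false
			b.bits[p/64] |= 1 << (p % 64)
		}
	}
	return seen
}

// ReplayGuard keeps one Bloom filter per time segment, keyed by the segment
// index of the device timestamp the signature covers.
type ReplayGuard struct{ segments map[int64]*bloom }

func NewReplayGuard() *ReplayGuard { return &ReplayGuard{segments: map[int64]*bloom{}} }

func segmentOf(t time.Time) int64 { return t.Unix() / int64(Segment/time.Second) }

// expire drops every filter whose segment slid out of the window; this is how
// entries leave a structure that cannot delete individual items.
func (g *ReplayGuard) expire(now time.Time) {
	oldest := segmentOf(now.Add(-Window))
	for idx := range g.segments {
		if idx < oldest {
			delete(g.segments, idx)
		}
	}
}

// Check is the server's test for one automatic-login request: a timestamp
// outside the window is refused (the caller then sends the server time back),
// a signature already recorded in that timestamp's segment is a replay, and a
// fresh one is recorded and accepted. Signature verification is a separate step.
func (g *ReplayGuard) Check(deviceTS, now time.Time, sig []byte) error {
	g.expire(now)
	if skew := now.Sub(deviceTS); skew >= Window || skew <= -Window {
		return ErrClockSkew
	}
	idx := segmentOf(deviceTS)
	f, ok := g.segments[idx]
	if !ok {
		f = newBloom(1<<16, 7) // 64 Kibit, 7 probes: sizing is an assumption
		g.segments[idx] = f
	}
	if f.testAndAdd(sig) {
		return ErrReplay
	}
	return nil
}

func main() {
	g := NewReplayGuard()
	now := time.Unix(1700000000, 0)
	sig := []byte("constructed signature bytes")
	fmt.Println(g.Check(now, now, sig), g.Check(now, now.Add(time.Second), sig)) // <nil> then the replay error
}
```

Two properties of this structure matter operationally. A Bloom filter can report a signature it has never seen (a false positive), so a legitimate login is occasionally refused; the device simply retries with a new timestamp and signature, and the false-positive rate is governed by the filter size relative to the login volume per segment. Within a segment the filter never gives a false negative, so a replay inside the window is always caught once the signature has been recorded. Detection is keyed on the segment of the device timestamp, not on the server's current segment, so the same signature sent a minute later still lands in the filter that already holds it.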

In a fourth aspect, this application provides an electronic device that can implement the application running method of the first aspect and its possible implementations, whether in software, in hardware, or by hardware executing the corresponding software. In one possible design, the electronic device may include a processor and a memory. The processor is configured to support the electronic device in performing the corresponding functions of the method of the first aspect. The memory is coupled to the processor and holds the program instructions and data the electronic device needs.

In a fifth aspect, this application provides a server that can implement the application running method of the second aspect and its possible implementations, whether in software, in hardware, or by hardware executing the corresponding software. In one possible design, the server may include a processor and a memory. The processor is configured to support the server in performing the corresponding functions of the method of the second aspect. The memory is coupled to the processor and holds the program instructions and data the server needs.

In a sixth aspect, this application provides a computer-readable storage medium containing computer instructions which, when run on an electronic device, cause the electronic device to perform the application running method of the first aspect and its possible implementations.

In a seventh aspect, this application provides a computer-readable storage medium containing computer instructions which, when run on a server, cause the server to perform the application running method of the second aspect and its possible implementations.

Description of drawings

FIG. 1 is a schematic diagram of a mobile application (App) login method in the prior art;

FIG. 2 is a schematic diagram of a scenario of the application running method provided by an embodiment of this application;

FIG. 3 is a schematic diagram of the hardware structure of an electronic device provided by an embodiment of this application;

FIG. 4 is the software architecture of the mobile App login system provided by an embodiment of this application;

FIG. 5 is a schematic diagram of a mobile App login-flow switching scenario provided by an embodiment of this application;

FIG. 6 is a schematic diagram of a mobile App login-flow switching method provided by an embodiment of this application;

FIG. 7 is a schematic diagram of a mobile App manual login method provided by an embodiment of this application;

FIG. 8 is a schematic diagram of a mobile App user login interface provided by an embodiment of this application;

FIG. 9 is a schematic diagram of a mobile App automatic login method provided by an embodiment of this application;

FIG. 10 is a schematic diagram of a Bloom filter provided by an embodiment of this application;

FIG. 11 is a schematic structural diagram of an electronic device provided by an embodiment of this application;

FIG. 12 is a schematic structural diagram of a server provided by an embodiment of this application.

Detailed description

The terms used in the following embodiments serve only to describe particular embodiments and are not intended to limit this application. As used in the specification and the appended claims, the singular forms "a", "an", "the", "said", "the above" and "this" are intended to include forms such as "one or more" unless the context clearly indicates otherwise. It should also be understood that in the following embodiments "at least one" and "one or more" mean one, or two or more (including two). The term "and/or" describes an association between related objects and indicates that three relationships are possible; for example, "A and/or B" can mean that A exists alone, that A and B both exist, or that B exists alone, where A and B may be singular or plural. The character "/" generally indicates that the objects before and after it are in an "or" relationship.

Reference in this specification to "one embodiment", "some embodiments" and the like means that a particular feature, structure or characteristic described in connection with that embodiment is included in one or more embodiments of this application. Thus the phrases "in one embodiment", "in some embodiments", "in some other embodiments", "in still other embodiments" and so on appearing in different places in this specification do not necessarily all refer to the same embodiment, but mean "one or more but not all embodiments" unless specifically stated otherwise. The terms "include", "comprise", "have" and their variants mean "including but not limited to" unless specifically stated otherwise. The term "connected" covers both direct and indirect connections unless stated otherwise.

In the following, the terms "first" and "second" are used for description only and must not be understood as indicating or implying relative importance or implicitly indicating the number of the technical features referred to. A feature qualified by "first" or "second" may therefore explicitly or implicitly include one or more of that feature.

In the embodiments of this application, words such as "exemplarily" or "for example" are used to present an example, an illustration or an explanation. Any embodiment or design described as "exemplary" or "for example" is not to be construed as preferred over, or more advantageous than, other embodiments or designs; rather, these words are used to present the related concepts in a concrete manner.

A mobile App is usually divided into a server side and a client side. After the user enters a username and login password on the client, they are submitted to the server for authentication. Once authentication succeeds, an authentication credential is usually stored on the client device so that the client and the server keep the user logged in for a certain period of time.

In some examples, the authentication credential is the username and login password themselves. After receiving the username and login password entered by the user, the client device stores them and, during automatic login, submits them to the server for authentication in order to keep the user logged in.

In other examples, the authentication credential is a token. The client device submits the username and login password to the server, the server encrypts the username and login password to produce a token, and the server sends the token to the client for storage. When the user logs in to the mobile App again, the client submits the token to the server for authentication.

In still other examples, the authentication credential is a session identifier. By way of example, as shown in FIG. 1, the client of the mobile App runs in the operating system of the mobile device and the server side of the mobile App runs on a server. The user enters a username and login password in the mobile App client, and the mobile device submits them to the server for identity authentication. The identity authentication module on the server side authenticates the received username and login password and, if authentication succeeds, returns a session identifier to the mobile device. The mobile device stores the session identifier, which is the credential for data exchange between the client and the server of the mobile App; every time the client accesses the server it carries the session identifier in the request. The server looks up the username and login state by the session identifier; once found, the username is known and the user is treated as logged in.

To spare the user from entering the username and login password frequently, the validity period of the authentication credential stored on the client device is usually set to a long time. The storage in which the client device keeps the credential is the rich execution environment (REE). The REE is at considerable risk of being compromised, and a credential stored there is easily leaked. The security of the mobile App login process therefore cannot be guaranteed: another device may impersonate the user and log in, causing the user losses.

The embodiments of this application provide a mobile App login method, a mobile device and a system. The mobile device has a trusted execution environment (TEE); the TEE is a small operating system that is independent of the REE. The TEE can generate keys, and the keys it generates cannot be exported, so a key generated in the TEE is protected against theft. The mobile App login method provided by the embodiments of this application includes a manual login flow and an automatic login flow. The manual login flow runs when the user logs in to the mobile App for the first time or logs in again after logging out; the automatic login flow runs every time the user opens the mobile App after a manual login and before logging out. During manual login, the TEE is invoked to generate an automatic-login key pair, which is used to authenticate the user during automatic login. Because the automatic-login key pair generated in the TEE cannot be exported, the non-exportability of the key pair prevents the authentication credential from being stolen. Thus, even if the REE is compromised, as long as the TEE is not breached the user's identity information cannot be stolen, which reduces the risk of credential leakage, strengthens the security of the mobile App login process and improves the user experience.
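The two-phase login described above, written out as an added Go example; this is not code from the application. An Ed25519 key pair stands in for the TEE-generated automatic-login key pair (the private half is reachable only through a Sign call, which simulates non-exportability in ordinary memory and is not a real TEE), the public key is registered at manual login under an automatic-login credential, and the automatic login signs a timestamp, with the server-time fallback of the implementations given earlier. Ed25519, the eight-byte big-endian encoding of the timestamp, the credential format and the five-minute window are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// teeKey stands in for the non-exportable key pair a TEE (or TPM) generates: callers
// get the public key and a Sign operation, never the private key. A simulation, not a TEE.
type teeKey struct{ priv ed25519.PrivateKey }

func newTEEKey() (*teeKey, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &teeKey{priv: priv}, pub
}

func (k *teeKey) Sign(msg []byte) []byte { return ed25519.Sign(k.priv, msg) }

// tsBytes is the assumed encoding of the signed timestamp: Unix seconds, 8 bytes big endian.
func tsBytes(ts int64) []byte {
	b := make([]byte, 8)
	binary.BigEndian.PutUint64(b, uint64(ts))
	return b
}

// LoginRequest: a timestamp, the signature over it, and the credential issued at manual login.
type LoginRequest struct {
	Timestamp  int64
	Signature  []byte
	Credential string
}

var ErrTimeSkew = errors.New("device clock outside window; sign the returned server time")
var ErrBadSig = errors.New("unknown credential or signature does not verify")

// Server keeps one public key per credential; now is injectable for tests.
type Server struct {
	keys   map[string]ed25519.PublicKey
	window time.Duration
	now    func() time.Time
}

func NewServer(window time.Duration, now func() time.Time) *Server {
	return &Server{keys: map[string]ed25519.PublicKey{}, window: window, now: now}
}

// ManualLogin runs after password authentication (omitted): the device sends the public
// half of the TEE key pair and gets a credential for it. Deriving it from the user name
// is a simplification; a real service issues a random identifier.
func (s *Server) ManualLogin(user string, pub ed25519.PublicKey) string {
	cred := "cred-" + user
	s.keys[cred] = pub
	return cred
}

// AutoLogin checks the window first and always returns the server time, which on
// ErrTimeSkew is what the device must sign next. Unknown credential and bad signature
// share one error so replies do not reveal which credentials exist.
func (s *Server) AutoLogin(r LoginRequest) (int64, error) {
	now := s.now()
	if skew := now.Sub(time.Unix(r.Timestamp, 0)); skew >= s.window || skew <= -s.window {
		return now.Unix(), ErrTimeSkew
	}
	pub, ok := s.keys[r.Credential]
	if !ok || !ed25519.Verify(pub, tsBytes(r.Timestamp), r.Signature) {
		return now.Unix(), ErrBadSig
	}
	return now.Unix(), nil
}

// Device is the client: key lives in the simulated TEE, cred in ordinary storage, and
// clock is the local clock, which may be wrong.
type Device struct {
	key   *teeKey
	cred  string
	clock func() time.Time
}

func (d *Device) request(ts int64) LoginRequest {
	return LoginRequest{Timestamp: ts, Signature: d.key.Sign(tsBytes(ts)), Credential: d.cred}
}

// AutoLogin sends the second login request with the local clock; on a skew reply it signs
// the server's time and sends the third login request. It reports whether that was needed.
func (d *Device) AutoLogin(s *Server) (usedServerTime bool, err error) {
	serverTime, err := s.AutoLogin(d.request(d.clock().Unix()))
	if !errors.Is(err, ErrTimeSkew) {
		return false, err
	}
	_, err = s.AutoLogin(d.request(serverTime))
	return true, err
}

func main() {
	key, pub := newTEEKey()
	srv := NewServer(5*time.Minute, time.Now)
	dev := &Device{key: key, cred: srv.ManualLogin("alice", pub), clock: func() time.Time { return time.Now().Add(10 * time.Minute) }}
	fmt.Println(dev.AutoLogin(srv)) // true <nil>: the fast clock forced the server-time fallback
}
```

Non-exportability bounds what a compromised REE can do: malware that reads the device's storage obtains only the credential and the public key, which is not enough to log in from another device. It does not stop code running on the same device from asking the TEE to sign while the key is usable, so the design defends against credential theft and cloning rather than against abuse on the device itself; gating key use in the TEE on a user-presence check such as a fingerprint is the usual mitigation. Note also that the third login request carries the server's own time, so within the window its signature is replayable by construction; catching that replay is what the segmented Bloom filter of the earlier design is for, and it belongs in front of the signature check here.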

FIG. 2 is a schematic diagram of the mobile App login system provided by an embodiment of this application. As shown in FIG. 2, the system may include at least a mobile device 100 and a server 200. The mobile device 100 includes a REE 10 and a TEE 20. The client of the mobile App runs in the REE 10; for example, the REE 10 may be one of the operating systems shown as logo images in the original (images not reproduced), and so on. The TEE 20 is used to generate the automatic-login key pair with which the client's identity is authenticated during the automatic login process. The REE 10 and the TEE 20 are independent of each other. The server 200 authenticates the identity of the client so that the mobile App login can be completed.

The mobile device 100 may be any electronic device that includes a TEE, including a portable mobile communication device (such as a mobile phone), a handheld computer, a tablet, a notebook, a netbook, a personal computer (PC), a smart home device (such as a smart TV, smart screen or large screen), a personal digital assistant (PDA), a wearable electronic device (such as a smart watch), an augmented reality (AR) or virtual reality (VR) device, a vehicle-mounted computer, and so on. Exemplary embodiments of the mobile device include, without limitation, portable mobile devices running the operating systems shown as logo images in the original (images not reproduced), Windows, Linux or other operating systems. The mobile device may also be another portable mobile device such as a laptop. It should also be understood that in some other embodiments the mobile device need not be portable at all and may be a desktop computer. Note that the mobile device 100 may also be any other electronic device capable of preventing key theft, for example a PC with a security chip such as a trusted platform module (TPM), the TPM being used to generate and hold the automatic-login key pair. The following embodiments place no particular restriction on the specific form of the mobile device 100.

By way of example, refer to FIG. 3, which shows a schematic structural diagram of a mobile device 100. The mobile device 100 may include a processor 110, an external memory interface 120, an internal memory 121, an audio module 130, a speaker 130A, a microphone 130B, a display screen 140, a mobile communication module 150, a wireless communication module 155, a camera 160, a SIM card interface 170, a fingerprint sensor 180, a touch sensor 185, a power module 190, and so on.

It should be understood that the structure illustrated in this embodiment does not constitute a specific limitation on the mobile device 100. In other embodiments of this application, the mobile device 100 may include more or fewer components than shown, combine some components, split some components, or arrange the components differently. The illustrated components may be implemented in hardware, in software, or in a combination of software and hardware.

The processor 110 may include one or more processing units. For example, the processor 110 may include an application processor (AP), a modem processor, a graphics processing unit (GPU), an image signal processor (ISP), a controller, a video codec, a digital signal processor (DSP) and/or a neural-network processing unit (NPU), and so on. The different processing units may be separate components or may be integrated into one or more processors. In some embodiments, the mobile device 100 may include one or more processors 110.

The controller is the nerve centre and command centre of the mobile device 100. It generates operation control signals from the instruction opcode and the timing signals, and thereby controls instruction fetch and execution.

The operating system of the mobile device 100 can run on the application processor and manages the hardware and software resources of the mobile device 100: managing and configuring memory, prioritising the supply of and demand for system resources, controlling input and output devices, operating the network, managing the file system, managing drivers, and so on. The operating system may also provide an interface through which the user interacts with the system. Various kinds of software can be installed in the operating system, such as drivers and applications (Apps).

A memory may also be provided in the processor 110 for storing instructions and data. In some embodiments, the memory in the processor 110 is a cache. It may hold instructions or data that the processor 110 has just used or uses repeatedly; if the processor 110 needs them again it can fetch them directly from this memory, which avoids repeated accesses, reduces the processor's waiting time and thus improves system efficiency.

In some embodiments, the processor 110 may include one or more interfaces. The interfaces may include an inter-integrated circuit (I2C) interface, an inter-integrated circuit sound (I2S) interface, a pulse code modulation (PCM) interface, a universal asynchronous receiver/transmitter (UART) interface, a mobile industry processor interface (MIPI), a general-purpose input/output (GPIO) interface, a SIM card interface and/or a USB interface, and so on.

It should be understood that the interface connections between modules illustrated in this embodiment are only schematic and do not limit the structure of the mobile device 100. In other embodiments of this application, the mobile device 100 may use interface connections different from those of the above embodiment, or a combination of several connection modes.

The external memory interface 120 can be used to connect an external memory card, such as a Micro SD card, to extend the storage capacity of the mobile device 100. The external memory card communicates with the processor 110 through the external memory interface 120 to provide data storage, for example to keep music and video files on the external memory card.

The internal memory 121 may be used to store one or more computer programs that include instructions. By running the instructions stored in the internal memory 121, the processor 110 causes the mobile device 100 to perform the application running method provided in some embodiments of this application, as well as various applications and data management. The internal memory 121 may include a code storage area and a data storage area; the data storage area may hold data created while the mobile device 100 is in use. The internal memory 121 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic disk storage components, flash memory components, universal flash storage (UFS), and so on. In some embodiments, the processor 110 causes the mobile device 100 to perform the application running method provided in the embodiments of this application, and other application and data management, by running instructions stored in the internal memory 121 and/or instructions stored in the memory provided in the processor 110.

The mobile device 100 can implement audio functions, such as music playback and recording, through the audio module 130, the speaker 130A, the microphone 130B and the application processor. The audio module 130 converts digital audio information into an analogue audio signal for output and converts analogue audio input into a digital audio signal. The audio module 130 may also encode and decode audio signals. In some embodiments, the audio module 130, or some of its functional modules, may be placed in the processor 110.

The speaker 130A, also called a "loudspeaker", converts an audio electrical signal into a sound signal.

The microphone 130B, also called a "mic" or "transmitter", converts a sound signal into an electrical signal. The user can speak with the mouth close to the microphone 130B to feed a sound signal into it.

The wireless communication functions of the mobile device 100 can be implemented through the antennas, the mobile communication module 150 and so on.

The mobile communication module 150 can provide wireless communication solutions applied on the mobile device 100, including Wi-Fi, Bluetooth (BT) and wireless data-transmission modules (for example 433 MHz, 868 MHz, 915 MHz). The mobile communication module 150 may be one or more devices integrating at least one communication processing module. It receives electromagnetic waves via antenna 1, filters and frequency-modulates the electromagnetic wave signal, and passes the processed signal to the processor 110. It can also receive a signal to be sent from the processor 110, frequency-modulate and amplify it, and radiate it as electromagnetic waves through antenna 1.

The wireless communication module 155 can provide wireless communication solutions applied on the mobile device 100, including wireless local area networks (WLAN) (such as wireless fidelity (Wi-Fi) networks), Bluetooth (BT), global navigation satellite systems (GNSS), frequency modulation (FM), near field communication (NFC), infrared (IR) and so on. The wireless communication module 155 may be one or more devices integrating at least one communication processing module. It receives electromagnetic waves via antenna 2, frequency-modulates and filters the electromagnetic wave signal, and passes the processed signal to the processor 110. It can also receive a signal to be sent from the processor 110, frequency-modulate and amplify it, and radiate it as electromagnetic waves through antenna 2.

In some embodiments, antenna 1 of the mobile device 100 is coupled to the mobile communication module 150 and antenna 2 to the wireless communication module 155, so that the mobile device 100 can communicate with networks and other devices through wireless communication technologies. These may include the global system for mobile communications (GSM), general packet radio service (GPRS), code division multiple access (CDMA), wideband code division multiple access (WCDMA), time-division code division multiple access (TD-SCDMA), long term evolution (LTE), BT, GNSS, WLAN, NFC, FM and/or IR technologies. The GNSS may include the global positioning system (GPS), the global navigation satellite system (GLONASS), the BeiDou navigation satellite system (BDS), the quasi-zenith satellite system (QZSS) and/or satellite-based augmentation systems (SBAS).

The mobile device 100 implements its display functions through the GPU, the display screen 140 and the application processor. The GPU is a microprocessor for image processing, connected to the display screen 140 and the application processor, and performs the mathematical and geometric calculations used for graphics rendering. The processor 110 may include one or more GPUs that execute program instructions to generate or change display information.

The display screen 140 displays images, video and so on. It includes a display panel, which may be a liquid crystal display (LCD), an organic light-emitting diode (OLED) panel, an active-matrix organic light-emitting diode (AMOLED) panel, a flexible light-emitting diode (FLED) panel, a Mini-LED, Micro-LED or Micro-OLED panel, a quantum-dot light-emitting diode (QLED) panel, and so on. In some embodiments, the mobile device 100 may include 1 or N display screens 140, N being a positive integer greater than 1. In the embodiments of this application, the display screen 140 may be used to display the user login interface and to receive the username and login password the user enters there.

The fingerprint sensor 180 collects fingerprints. The mobile device 100 can use the collected fingerprint characteristics for fingerprint identification, enabling fingerprint unlocking, access to locked applications, fingerprint-triggered photographs, fingerprint-triggered answering of calls, and so on.

The touch sensor 185, also called a "touch panel", may be placed on the display screen 140; together they form a touch screen. The touch sensor 185 detects touch operations on or near it and passes the detected touch operation to the application processor to determine the type of touch event; visual output related to the touch operation can be provided through the display screen 140. In other embodiments, the touch sensor 185 may be placed on the surface of the mobile device 100 at a position different from that of the display screen 140.

The SIM card interface 170 connects a SIM card. A SIM card can be inserted into or removed from the SIM card interface 170 to connect it to or disconnect it from the mobile device 100. The SIM card interface 170 can support Nano SIM cards, Micro SIM cards, SIM cards and so on. Several cards, of the same or different types, can be inserted into the same SIM card interface 170 at once. The SIM card interface 170 may also be compatible with different types of SIM card and with external memory cards. The mobile device 100 interacts with the network through the SIM card to provide functions such as calls and data communication. In some embodiments, the mobile device 100 uses an eSIM, that is, an embedded SIM card, which is embedded in the mobile device 100 and cannot be separated from it.

摄像头160用于捕获静态图像或视频。物体通过镜头生成光学图像投射到感光元件。感光元件可以是电荷耦合器件(charge coupled device,CCD)或互补金属氧化物半导体(complementary metal-oxide-semiconductor,CMOS)光电晶体管。感光元件把光信号转换成电信号,之后将电信号传递给ISP转换成数字图像信号。ISP将数字图像信号输出到DSP加工处理。DSP将数字图像信号转换成标准的RGB,YUV等格式的图像信号。在一些实施例中,移动设备100可以包括1个或N个摄像头160,N为大于1的正整数。本申请实施例中,摄像头160可以用于采集用户面部图像,用于面部识别,虹膜识别等。Camera 160 is used to capture still images or video. The object is projected through the lens to generate an optical image onto the photosensitive element. The photosensitive element may be a charge coupled device (CCD) or a complementary metal-oxide-semiconductor (CMOS) phototransistor. The photosensitive element converts the optical signal into an electrical signal, and then transmits the electrical signal to the ISP to convert it into a digital image signal. The ISP outputs the digital image signal to the DSP for processing. DSP converts digital image signals into standard RGB, YUV and other formats of image signals. In some embodiments, the mobile device 100 may include 1 or N cameras 160 , where N is a positive integer greater than 1. In this embodiment of the present application, the camera 160 may be used to collect a user's facial image for facial recognition, iris recognition, and the like.

电源模块185,可以用于向移动设备100包含的各个部件供电。在一些实施例中,该电源模块185可以是电池,如可充电电池。The power module 185 can be used to supply power to various components included in the mobile device 100 . In some embodiments, the power module 185 may be a battery, such as a rechargeable battery.

The software architecture of the mobile App login system provided by the embodiments of this application is shown in FIG. 4.

The mobile device 100 includes a REE 10 and a TEE 20, two execution environments (each with its own operating system) that are isolated from each other: the REE 10 can invoke the TEE 20 through commands but cannot control it directly, so even if the REE 10 is compromised, the security of the TEE 20 is not directly compromised with it. The mobile App client 1010 runs in the REE 10 and includes a manual login module 1011 and a public-key automatic login module 1012. The manual login module 1011 displays the user login interface on the display screen of the mobile device 100 when the user logs in manually (on the first login after installation, or when logging in again after logging out), receives the user name and login password entered there, and submits the information used for authentication to the server during the manual login flow. The public-key automatic login module 1012 submits the information used for authentication to the server 200 during the automatic login flow. The REE 10 also includes a local storage 1020, which stores the user name, the automatic login credential and similar data, and a key management function 1030, which invokes the TEE 20 to generate the automatic login key pair. The TEE 20 generates and stores the automatic login key pair.

The mobile App server side 2010 runs on the server 200 and includes a manual login processing module 2011, an automatic login processing module 2012 and a key module 2013. The manual login processing module 2011 performs identity authentication in the manual login flow and invokes the key module 2013 to encrypt the information submitted by the mobile device 100 during manual login, producing the automatic login credential. The automatic login processing module 2012 invokes the key module 2013 to decrypt the information submitted by the mobile device 100 during automatic login and authenticates the user on the basis of that information.

The mobile App login method provided by the embodiments of this application is described in detail below with reference to the accompanying drawings.

As an example, as shown in FIG. 5, after the mobile App client has been installed on the mobile device, the manual login flow is executed when the user logs in to the mobile App for the first time or logs in again after logging out. From that manual login until the user logs out, the automatic login flow is executed each time the user opens the mobile App, so the user does not have to type the user name and password on every login.

Each time the mobile device detects that the mobile App has been opened, it decides whether to execute the manual login flow or the automatic login flow. In one example, shown in FIG. 6, the mobile device decides as follows:

S101. The mobile App client determines whether an automatic login key pair exists in the key management function.

The automatic login key pair is bound to the user's identity information, such as the user name, during the manual login flow. Every time the mobile App client starts it checks whether the key management function holds an automatic login key pair: if not, S102 is executed and the key management function obtains one; if so, S103 is executed to determine whether an automatic login credential exists in the local storage.

S102. The key management function obtains an automatic login key pair.

When the user logs in for the first time, or logs in again after logging out, no automatic login key pair exists in the key management function. The key management function invokes the TEE to generate one; the generated key pair is stored in the TEE and never leaves it during its entire lifetime. Because the TEE is isolated from the REE and the key pair cannot be exported, the automatic login key pair is hard to steal even if the REE is compromised.

In one implementation the automatic login key pair is an asymmetric key pair consisting of a public key and a private key that are used together: the private key produces signatures and the public key verifies them. It will be understood that the automatic login key could also be a symmetric key; the embodiments of this application do not limit this. Note, however, that a symmetric key would have to be shared with the server for the server to verify anything with it, so the secret would then leave the TEE at least once; it is the asymmetric variant that keeps the signing key inside the TEE.

In one implementation, when the automatic login key pair is generated, it can be specified whether the user's biometrics must be verified before each use of the private key. Biometric verification includes fingerprint recognition, facial recognition, iris recognition and so on. If biometric verification is required before each use of the private key (for example, the user's fingerprint is verified before the private key of the automatic login key pair signs the timestamp during automatic login), the user's identity is verified on every login; even if the mobile device is lost or temporarily borrowed by someone else, that person cannot log in to the mobile App as the user, which improves login security.

Generating the automatic login key pair in the TEE takes some time. Generating it when the mobile App client starts keeps that time out of the login flow and avoids a login delay that would affect the user experience. Note that in other embodiments the key pair may also be generated during the login flow; this does not affect the correctness of the mobile App login method provided by the embodiments of this application.

S103. The mobile App client determines whether an automatic login credential exists in the local storage. If not, the manual login flow is executed; if so, the automatic login flow is executed.

During the manual login flow, the key module of the mobile App server encrypts the user name together with the public key of the automatic login key pair to produce the automatic login credential, which is then saved in the mobile device's local storage. In another implementation the key module encrypts the user name, the login password and the public key of the automatic login key pair to produce the credential, which is likewise saved in the local storage. The mobile App checks whether an automatic login credential exists in the local storage: if none exists, the manual login flow has never been executed or the user has logged out, so the manual login flow is executed; if one exists, the automatic login flow is executed.

As shown in FIG. 7, the manual login flow of the mobile App provided by the embodiments of this application includes:

S201. The client obtains the user name and login password.

The mobile device displays the user login interface of the mobile App, on which the user can enter a user name and login password. FIG. 8 shows an example of such an interface. Taking a mobile phone as the mobile device, the phone 800 displays the mobile App user login interface 810, which includes a "User name" input box 811, a "Password" input box 812 and an "OK" button 813. The user enters the user name in the "User name" input box 811 and the corresponding login password in the "Password" input box 812, then taps the "OK" button 813 to log in.

The mobile device receives the user name and login password entered by the user, and the mobile App client obtains them.

S202. The client invokes the key management function to obtain the public key of the automatic login key pair.

The mobile App client calls the interface of the key management function, which obtains the public key of the automatic login key pair from the TEE.

S203. The client submits the user name, the login password and the public key of the automatic login key pair to the server.

In one implementation the client sends a first login request message to the server. The first login request requests login to the mobile App and carries the user name, the login password, the public key of the automatic login key pair and related information.

S204. The manual login processing module of the server receives the user name, the login password and the public key of the automatic login key pair, and verifies the user name and login password. If verification fails, S205 is executed; if it succeeds, S206 is executed.

In one implementation, when the user registers an account with the mobile App, the server saves the account's user name and login password. On receiving a user name and login password, the manual login processing module checks the received user name against the saved list of user names for the mobile App to determine whether it is an authorized user name; for example, if the received user name appears in the list saved by the server, it is an authorized user name.

If the received user name is authorized, the manual login processing module compares the received login password with the login password saved for that user name: if they match, verification succeeds; if they differ, verification fails. In practice the server should store a salted password hash rather than the password itself and compare the received password against that hash in constant time; the rest of the flow is unchanged.

If the received user name is not an authorized user name, verification fails.

S205. The manual login processing module of the server returns an error message to the client, and the flow returns to S201.

For example, if the user enters the user name or login password incorrectly on the user login interface, verification by the manual login processing module fails and it returns an error message to the mobile App client. On receiving the error message, the client displays the user login interface again and obtains a user name and login password.

S206. The manual login processing module of the server invokes the key module to encrypt the user name and the public key of the automatic login key pair.

S207. The key module of the server encrypts the user name and the public key of the automatic login key pair, producing the automatic login credential.

In one implementation the key module encrypts with a symmetric key, optionally in an authenticated encryption with associated data (AEAD) mode such as GCM (Galois/counter mode) or CCM (counter mode with CBC-MAC), which guarantees both the confidentiality and the integrity of the encrypted data. In other implementations the key module may instead use an asymmetric key to encrypt and sign the user name and the public key of the automatic login key pair, again guaranteeing confidentiality and integrity. The embodiments of this application do not limit this.

The key module performs the encryption and produces the automatic login credential. This binds the user name to the automatic login key pair, so that authenticating the automatic login key pair amounts to authenticating the user's identity. Because the automatic login key pair is generated and stored by the TEE, it is not easily leaked, and security is correspondingly higher.

As an example, the key module may also encrypt the user name, the login password and the public key of the automatic login key pair to produce the automatic login credential, and the login password is then verified during the automatic login flow. In that case, when the user discovers that the account is at risk and changes the mobile App login password on the current device, other devices holding a saved automatic login credential can no longer log in directly, because the login password is verified during automatic login; the credentials saved on those devices become invalid, which further improves the security of the automatic login flow.

S208. The key module of the server sends the automatic login credential to the manual login processing module.

S209. The manual login processing module of the server receives the automatic login credential, determines that the login has succeeded and creates a session.

S210. The manual login processing module of the server returns the automatic login credential and the session identifier to the mobile App client.

The session identifier is the credential used for data transfer between client and server. Each time the mobile App client accesses the server it carries the session identifier in the request; the server looks up the user name and login state from the session identifier and, having found them, treats the user account as logged in.

S211. The mobile App client saves the automatic login credential to the local storage.

On receiving the automatic login credential, the mobile App client saves it in the local storage for use in the automatic login flow.

In the embodiments of this application a new session identifier is generated on each manual login and on each automatic login, so the session identifier can be kept for only a short time; for example, only from the moment the user logs in to the mobile App until the mobile App is closed. The session identifier can therefore be held in the mobile device's memory, which is safer than keeping it on disk for a longer time.

In the mobile App login method provided by the embodiments of this application, the manual login flow binds the public key of the automatic login key pair to the user name to produce the automatic login credential, and the automatic login flow verifies that credential. Authentication of the user's identity is thus converted into authentication of the automatic login key pair. Because the key pair is generated and stored in the TEE, it is not easily stolen, which reduces the risk of authentication credentials leaking.
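The binding described above (S204 to S210) and the way the server later uses the credential, as an added example in Go; this is not code from the patent or from any product. It assumes Ed25519 for the automatic login key pair, AES-256-GCM for the key module (the GCM option of S207), a SHA-256 digest of the password on the server (the page says only that the password is "saved") and a credential laid out as nonce || ciphertext || tag. The client side is represented by a plain Ed25519 key pair held in memory; on a real device the private key stays in the TEE and only the sign operation is exposed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// credentialBody is what the server's key module binds together in S206/S207.
type credentialBody struct {
	Username string `json:"u"`
	PubKey   []byte `json:"pk"`
}

const credAAD = "auto-login-credential" // GCM associated data: ties the ciphertext to its purpose

// Server holds the user table, the key module's AEAD key and the session table.
type Server struct {
	users    map[string][32]byte // user name -> SHA-256(password); assumption, the page only says the password is saved
	aead     cipher.AEAD         // AES-256-GCM, the symmetric AEAD option of S207
	sessions map[string]string   // session identifier -> user name (S209)
}

// randBytes draws n bytes from the CSPRNG; a failure there is treated as fatal.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewServer takes a constructed user table (plain passwords, hashed on load for this illustration).
func NewServer(users map[string]string) *Server {
	block, _ := aes.NewCipher(randBytes(32)) // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block)          // cannot fail for an AES block cipher
	s := &Server{users: map[string][32]byte{}, aead: aead, sessions: map[string]string{}}
	for u, p := range users {
		s.users[u] = sha256.Sum256([]byte(p)) // production code would use a slow salted hash here
	}
	return s
}

// ManualLogin covers S204-S210: verify user name and password, seal (user name,
// public key) into the automatic login credential, create a session.
func (s *Server) ManualLogin(username, password string, pub ed25519.PublicKey) (cred []byte, session string, err error) {
	stored, ok := s.users[username]
	got := sha256.Sum256([]byte(password))
	if !ok || subtle.ConstantTimeCompare(stored[:], got[:]) != 1 {
		return nil, "", errors.New("user name or password incorrect") // S205: one generic error
	}
	body, err := json.Marshal(credentialBody{Username: username, PubKey: pub})
	if err != nil {
		return nil, "", err
	}
	nonce := randBytes(s.aead.NonceSize())
	cred = s.aead.Seal(nonce, nonce, body, []byte(credAAD)) // credential = nonce || ciphertext || tag
	return cred, s.newSession(username), nil
}

// AutoLogin is the credential half of the automatic login flow: open the credential,
// recover the bound public key and verify the client's signature over the timestamp.
// The timestamp window and replay checks of S306-S309 are outside this function.
func (s *Server) AutoLogin(cred, timestamp, sig []byte) (string, error) {
	n := s.aead.NonceSize()
	if len(cred) < n {
		return "", errors.New("credential rejected")
	}
	pt, err := s.aead.Open(nil, cred[:n], cred[n:], []byte(credAAD)) // tag check rejects any tampering
	if err != nil {
		return "", errors.New("credential rejected")
	}
	var body credentialBody
	if json.Unmarshal(pt, &body) != nil || len(body.PubKey) != ed25519.PublicKeySize {
		return "", errors.New("credential rejected")
	}
	if !ed25519.Verify(ed25519.PublicKey(body.PubKey), timestamp, sig) {
		return "", errors.New("signature rejected")
	}
	return s.newSession(body.Username), nil
}

// SessionUser resolves a session identifier to the logged-in user name.
func (s *Server) SessionUser(id string) (string, bool) {
	u, ok := s.sessions[id]
	return u, ok
}

func (s *Server) newSession(username string) string {
	id := hex.EncodeToString(randBytes(16))
	s.sessions[id] = username
	return id
}
```

The credential is opaque to the client: it can only be produced and opened with the server's AEAD key, the GCM tag rejects any modification, and the associated data stops a ciphertext produced for another purpose under the same key from being presented as a credential. A signature from a different key pair, or over a different timestamp, fails `ed25519.Verify` because the public key recovered from the credential is the one that was bound at manual login.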

为了避免用户每次打开移动App时都要输入用户名和登录密码,在移动App没有退出登录的情况下,用户每次打开移动App时,进行自动登录。In order to prevent the user from having to enter a user name and a login password every time the mobile app is opened, if the mobile app does not log out, the user will automatically log in every time the user opens the mobile app.

如图9所示,本申请实施例提供的移动App自动登录流程包括:As shown in FIG. 9 , the automatic login process of the mobile App provided by the embodiment of the present application includes:

S301、客户端获取本地时间戳。S301, the client obtains a local timestamp.

S302、客户端将本地时间戳发送给公钥自动登录模块。S302, the client sends the local timestamp to the public key automatic login module.

S303、客户端的公钥自动登录模块调用密钥管理功能,使用自动登录密钥对的私钥对本地时间戳进行签名,得到第一签名结果。S303, the public key automatic login module of the client invokes the key management function, and uses the private key of the automatic login key pair to sign the local time stamp to obtain a first signature result.

在一种实现方式中,如果在TEE生成自动登录密钥对时,指定每次使用私钥前需要验证用户的生物特征;公钥自动登录模块使用自动登录密钥对的私钥对本地时间戳进行签名前,验证用户的生物特征。比如,对用户进行指纹识别,面部识别,或虹膜识别等。In one implementation, if the TEE generates an automatic login key pair, it is specified that the user's biometrics needs to be verified before each use of the private key; the public key automatic login module uses the private key of the automatic login key pair to pair the local timestamp Verify the user's biometrics before signing. For example, fingerprint recognition, facial recognition, or iris recognition is performed on the user.

S304、客户端的公钥自动登录模块从本地存储中读取自动登录凭据。S304, the public key automatic login module of the client reads the automatic login credentials from the local storage.

S305、客户端的公钥自动登录模块向服务端提交本地时间戳、签名结果和自动登录凭据,进行自动登录。S305, the public key automatic login module of the client submits the local timestamp, the signature result and the automatic login credentials to the server to perform automatic login.

在一种实现方式中,客户端的公钥自动登录模块向服务端发送第二登录请求消息;第二登录请求消息用于请求登录移动App;其中包括第一签名结果、自动登录凭据和本地时间戳等信息。In an implementation manner, the public key automatic login module of the client sends a second login request message to the server; the second login request message is used to request to log in to the mobile App; which includes the first signature result, the automatic login credentials and the local timestamp and other information.

S306、服务端的自动登录处理模块验证客户端上报的本地时间戳是否在允许的时间范围内;若验证不通过,执行S307,若验证通过,执行S308。S306, the automatic login processing module of the server verifies whether the local timestamp reported by the client is within the allowable time range; if the verification fails, execute S307; if the verification passes, execute S308.

在移动App登录的过程中,会存在大量的重放攻击。重放攻击是指攻击者利用网络监听或其它方式盗取认证凭据,随后将认证凭据重新发送给认证服务器,以此来冒充用户身份进行登录的过程。本申请实施例提供的移动App登录方法中,对于移动App客户端提交的本地时间戳在允许的时间范围内的自动登录信息进行重放攻击检测;对于移动App客户端提交的本地时间戳不在允许的时间范围内的自动登录信息不进行重放攻击检测;通过验证移动App客户端提交的本地时间戳是否在允许的时间范围之内,缩小重放攻击的检测范围,提升登录效率。During the login process of the mobile app, there will be a large number of replay attacks. A replay attack refers to a process in which an attacker steals authentication credentials by using network monitoring or other methods, and then resends the authentication credentials to the authentication server, thereby impersonating the user's identity to log in. In the mobile App login method provided by the embodiment of the present application, replay attack detection is performed for automatic login information whose local timestamp submitted by the mobile App client is within the allowable time range; the local timestamp submitted by the mobile App client is not allowed Automatic login information within the specified time range will not be detected for replay attacks; by verifying whether the local timestamp submitted by the mobile app client is within the allowed time range, the detection range of replay attacks is narrowed and login efficiency is improved.

在一种实现方式中,服务端的自动登录处理模块比较接收到的客户端本地时间戳与服务器当前的时间,判断二者的差值是否在设定的时间误差范围之内。如果客户端本地时间戳与服务器当前时间的差值小于设定的时间误差范围,验证通过;如果客户端本地时间戳与服务器当前时间的差值大于或等于设定的时间误差范围,验证不通过。比如,设定的时间误差范围为3分钟,如果接收到的客户端本地时间戳为9:00,服务端的当前时间为9:05,自动登录处理模块确定客户端本地时间戳与服务器当前时间的差值大于设定的时间误差范围,移动App客户端提交的本地时间戳不在允许的时间范围之内,验证不通过;如果接收到的客户端本地时间戳为9:00,服务端的当前时间为9:02,自动登录处理模块确定客户端本地时间戳与服务器当前时间的差值小于设定的时间误差范围,移动App客户端提交的本地时间戳在允许的时间范围之内,验证通过。In an implementation manner, the automatic login processing module of the server compares the received local timestamp of the client with the current time of the server, and determines whether the difference between the two is within a set time error range. If the difference between the client's local timestamp and the server's current time is less than the set time error range, the verification is passed; if the difference between the client's local timestamp and the server's current time is greater than or equal to the set time error range, the verification fails . For example, the set time error range is 3 minutes. If the received local timestamp of the client is 9:00 and the current time of the server is 9:05, the automatic login processing module determines the difference between the local timestamp of the client and the current time of the server. If the difference is greater than the set time error range, the local time stamp submitted by the mobile app client is not within the allowed time range, and the verification fails; if the received local time stamp of the client is 9:00, the current time of the server is At 9:02, the automatic login processing module determines that the difference between the client's local timestamp and the server's current time is less than the set time error range, and the local timestamp submitted by the mobile App client is within the allowable time range, and the verification is passed.

需要说明的是,移动设备通常会开启网络校时功能,使移动设备本地时间准确。而网络延时会造成移动App客户端的本地时间戳与服务端当前时间之间存在误差,一般来说,网络延时产生的时间误差较小。在一种实现方式中,上述设定的时间误差范围大于网络中通常的最大网络延时(经验值)。在一些场景中,移动设备未开启网络校时功能,移动设备本地时间戳与服务端当前时间的时间误差较大。上述设定的时间误差范围大于正常移动App客户端与服务端的时间误差(经验值),即用户关闭网络校时功能时移动设备与服务端存在的时间偏差。It should be noted that the mobile device usually enables the network time calibration function to make the local time of the mobile device accurate. The network delay will cause an error between the local timestamp of the mobile app client and the current time of the server. Generally speaking, the time error caused by the network delay is small. In an implementation manner, the above set time error range is greater than the usual maximum network delay (an empirical value) in the network. In some scenarios, the network timing function is not enabled on the mobile device, and the time error between the local timestamp of the mobile device and the current time of the server is large. The time error range set above is larger than the time error (experience value) between the normal mobile App client and the server, that is, the time deviation between the mobile device and the server when the user turns off the network timing function.

设定的时间误差范围越大,移动App客户端对时间准确性的要求越不敏感。设定的时间误差范围值较大,即使移动设备本地时间不准确或存在网络延时,移动App也不需要额外的网络交互。另一方面,设定的时间误差范围值较小,可以缩小重放攻击的检测范围。这样,通过设置合适的设定的时间误差范围,可以提高登录效率。The larger the set time error range, the less sensitive the mobile App client is to the time accuracy requirements. The set time error range is relatively large. Even if the local time of the mobile device is inaccurate or there is a network delay, the mobile app does not require additional network interaction. On the other hand, the set time error range value is small, which can narrow the detection range of replay attacks. In this way, by setting an appropriate set time error range, the login efficiency can be improved.

S307、自动登录处理模块向移动App客户端返回服务端的当前时间,客户端将接收到的服务端当前时间作为本地时间戳,重新发起自动登录流程。S307. The automatic login processing module returns the current time of the server to the mobile App client, and the client uses the received current time of the server as a local timestamp, and re-initiates the automatic login process.

客户端本地时间戳与服务器当前时间的差值大于或等于设定的时间误差范围,服务端向客户端返回服务器的当前时间。客户端接收到服务端的当前时间,将服务端的当前时间作为本地时间戳,向服务器发送第三登录请求,第三登录请求包括服务器的当前时间,第二签名结果和自动登录凭据等信息。这样,移动App客户端再次提交自动登录请求,实现移动设备时间不准确情况下的容错处理。容错处理的自动登录流程和正常的自动登录流程相同,可以简化服务端程序的开发工作和空间占用。If the difference between the client's local timestamp and the server's current time is greater than or equal to the set time error range, the server returns the server's current time to the client. The client receives the current time of the server, uses the current time of the server as a local timestamp, and sends a third login request to the server. The third login request includes the current time of the server, the second signature result, and the automatic login credentials. In this way, the mobile App client submits the automatic login request again, so as to realize fault-tolerant processing when the time of the mobile device is inaccurate. The fault-tolerant automatic login process is the same as the normal automatic login process, which can simplify the development work and space occupation of the server program.

S308. The server's automatic login processing module checks for a replay attack based on the signature result. If a replay attack is detected, S309 is performed; otherwise, S310 is performed.

In one implementation, the automatic login processing module uses a sequence of time-sliced Bloom filters to check whether the signature result has already been used, thereby detecting replay attacks. If the signature result already exists on the server, a replay attack is determined; if it does not exist, no replay attack is determined, and the signature result is added to the Bloom filter corresponding to the mobile App client's current timestamp.

Using the signature result submitted by the mobile App client as the anti-replay check item allows effective detection of replay attacks. If the server finds that the signature result already exists, the request is treated as a replay; this ensures accuracy without introducing additional information.

A Bloom filter is an efficient membership-query structure: a series of messages can be added to it and the filter then queried for whether a given message is present, with query cost independent of the number of messages stored. Elements are easy to add to a Bloom filter but hard to delete, and once the number of elements exceeds a reasonable bound its accuracy degrades sharply. In one implementation, the set time error range is divided into multiple time segments, a Bloom filter is created for each segment, and the data belonging to that segment is stored in that filter. As time passes, the time segment of a previously created Bloom filter falls outside the set time error range; deleting such expired filters solves the problem that entries cannot be removed from a Bloom filter. As a result, the server only needs to keep data within the maximum time error range and only needs to check the data of a single time segment, which both saves server storage and keeps query time short, greatly improving detection efficiency.

For example, with a set time error range of 3 minutes and time segments of 1 minute each, the Bloom filters created are as shown in Figure 10. Filter 1 has expired and been deleted; filters 2 to 6 are in use within the valid time range, with filter 4 corresponding to the current time, filters 2 to 3 to times within 3 minutes before the current time, and filters 5 to 6 to times within 3 minutes after the current time. For instance, if the mobile App client's local time is 1 minute ahead of the server's current time, filter 5 is used for the check. When the server time advances to the next minute, a new Bloom filter (filter 7) is created, the filters within the valid time range become filters 3 to 7, and filter 2 expires and is deleted.

In another implementation, a time-sliced data cache list may be used instead to check whether the signature result has already been used. A data cache list stores received message data in a plain list; to query whether a message is present, the message is compared one by one against the entries in the list.

Verifying that the local timestamp submitted by the mobile App lies within the set time error range narrows the detection window for replay attacks; checking the signature result against a time-sliced Bloom filter sequence or a time-sliced data cache list determines whether the automatic login attempt is a replay. Combining the timeliness check on the client's local timestamp with the Bloom filter query guarantees both the security and the efficiency of the automatic login process.
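The server-side checks of S306 to S308 (timestamp tolerance, clock resync, and the time-sliced Bloom filter sequence with expiry of out-of-range slices) as an added Python example; this is not the patent's code. It uses the page's parameters of a 3-minute error range and 1-minute segments, and assumes the signature result is handed in as raw bytes; the Bloom filter sizing and the `ReplayDetector` return codes are this example's own choices.

```python
# Added example: time-sliced Bloom filter sequence for auto-login replay detection.
import hashlib
import math


class BloomFilter:
    """Fixed-size Bloom filter; k bit positions are derived from one SHA-256 digest."""

    def __init__(self, capacity: int = 10_000, false_positive_rate: float = 0.001):
        # Standard sizing: m bits and k hash functions for the target error rate.
        self.m = math.ceil(-capacity * math.log(false_positive_rate) / (math.log(2) ** 2))
        self.k = max(1, math.ceil(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)
        self.count = 0  # entries added; accuracy drops once this exceeds capacity

    def _positions(self, item: bytes):
        # Double hashing: position_i = (h1 + i * h2) mod m, h2 forced odd.
        digest = hashlib.sha256(item).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: bytes) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)
        self.count += 1

    def __contains__(self, item: bytes) -> bool:
        # "Possibly present" (may be a false positive) or "definitely absent".
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


class ReplayDetector:
    """Server-side S306..S308: tolerance check, then a per-time-segment Bloom filter."""

    def __init__(self, error_range_s: int = 180, slice_s: int = 60):
        self.error_range_s = error_range_s  # the page's "set time error range" (3 min)
        self.slice_s = slice_s              # one Bloom filter per time segment (1 min)
        self.filters = {}                   # slice index -> BloomFilter

    def _prune(self, server_now: int) -> None:
        # A slice is deleted once no timestamp inside it can still pass the
        # tolerance check; this is how entries "expire" from Bloom filters.
        for idx in list(self.filters):
            start, end = idx * self.slice_s, (idx + 1) * self.slice_s
            if end <= server_now - self.error_range_s or start >= server_now + self.error_range_s:
                del self.filters[idx]

    def active_slices(self) -> list:
        return sorted(self.filters)

    def check_login(self, signature: bytes, client_ts: int, server_now: int) -> str:
        """Returns 'resync', 'replay' or 'ok' (ok = continue with credential decryption, S310)."""
        # S306: the client timestamp must be strictly inside the error range.
        if abs(client_ts - server_now) >= self.error_range_s:
            return "resync"   # S307: reply with the server time; the client retries
        self._prune(server_now)
        # S308: the slice is selected by the CLIENT timestamp (the signed value),
        # so a client running 1 minute fast is checked in the "+1 minute" filter.
        bf = self.filters.setdefault(client_ts // self.slice_s, BloomFilter())
        if signature in bf:
            return "replay"   # S309: error message, flow restarts at S301
        bf.add(signature)     # first sighting: remember it for the slice's lifetime
        return "ok"
```

Because a Bloom filter can report a false positive, a genuine first-time signature is occasionally answered with "replay"; under the page's flow that only costs the client a restart at S301 with a fresh timestamp and signature.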

S309. The server's automatic login processing module returns an error message to the mobile App client, and the flow jumps to S301.

S310. The server's automatic login processing module calls the key module to decrypt the automatic login credential and verify its integrity, obtaining the public key of the automatic login key pair and the user name. If decryption fails, S311 is performed; if it succeeds, S312 is performed.

S311. The server's automatic login processing module returns an error message to the mobile App client. On receiving it, the client deletes the automatic login credential saved in local storage and jumps to S102.

S312. The server's automatic login processing module uses the obtained public key of the automatic login key pair to verify the signature over the local timestamp submitted by the mobile App client. If verification fails, S313 is performed; if it succeeds, S314 is performed.

Verifying the signature result submitted by the mobile App client with the public key of the automatic login key pair effectively prevents an attacker from logging in by impersonating the user. For example, when the mobile device is compromised, the automatic login credential in local storage may be stolen, but the automatic login key pair stored in the TEE cannot be. With the stolen credential, an attacker might generate a different automatic login key pair on the client, sign the local timestamp with its private key, and submit that signature, the local timestamp and the stolen credential to the server for automatic login. Such an attempt passes the checks of steps S306, S308 and S310, but the submitted signature does not match the public key of the genuine automatic login key pair, so verification fails.

If the automatic login credential also contains the mobile App's login password, then after the automatic login processing module has successfully verified the signature over the local timestamp with the public key, it verifies the correctness of the login password and performs S314 once the password is confirmed correct.

S313. The server's automatic login processing module returns an error message to the mobile App client. On receiving it, the mobile App client deletes the automatic login credential saved in local storage and jumps to S102.

S314. The server's automatic login processing module determines that login succeeded and creates a session.

S315. The server's automatic login processing module returns the session identifier to the mobile App client.

The automatic login processing module sends the session identifier to the mobile App client, which uses it as the credential for transmitting data between the mobile App client and the server.

The mobile App login method provided by the embodiments of this application generates a non-exportable automatic login key pair in the TEE, binds it to user identity information such as the user name, and thereby converts authentication of the user's identity into authentication of the automatic login key pair; the non-exportability of the key pair in the TEE prevents the user's login credential from being stolen. Even if the REE is compromised, as long as the TEE is not, the user's identity information cannot be stolen, which strengthens the security of the mobile App login process and reduces the risk of authentication credential leakage. In the embodiments, the binding between user name and public key is not stored on the server; instead it is encrypted by the server's key module to produce the automatic login credential, which is saved on the mobile device. During login, the mobile App signs the local timestamp with the private key of the automatic login key pair and submits the credential and the signature to the server, which verifies and decrypts the credential, checks the signature with the public key contained in it and, on success, obtains the user's identity information from the credential.
The server therefore does not need to look up the relationship between public key and user name, which reduces data retrieval time and storage space during automatic login, and login efficiency is unaffected by the number of users; this improves login efficiency in deployments with a large user base. The embodiments further configure the automatic login key pair so that it can only be used after biometric verification, so the user's real identity is verified in every automatic login. Thus, even if the mobile device is lost or temporarily lent to someone else, nobody can log in under the user's identity, which improves the user experience.

It can be understood that, to implement the functions described above, the mobile device and the server include corresponding hardware structures and/or software modules for each function. Those skilled in the art will readily appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in hardware or in a combination of hardware and computer software. Whether a given function is performed by hardware or by computer software driving hardware depends on the specific application and design constraints of the technical solution. Those skilled in the art may use different methods to implement the described functions for each specific application, but such implementations should not be regarded as going beyond the scope of the embodiments of this application.

The embodiments of this application may divide the mobile device and the server into functional modules according to the method examples above; for instance, each function may be assigned its own module, or two or more functions may be integrated into one processing module. The integrated module may be implemented in hardware or as a software functional module. Note that the division of modules in the embodiments is illustrative and is only a logical division of functions; other divisions are possible in actual implementation.

As shown in FIG. 11, an embodiment of this application discloses a mobile device 1100, which may be the mobile device of the embodiments above that runs both the REE and the TEE operating systems and has, installed in the REE, a mobile App that logs in using user identity information.

In one example, refer to FIG. 11, which shows a possible schematic structure of the mobile device involved in the embodiments above. The mobile device 1100 includes a processing unit 1101, a storage unit 1102, a communication unit 1103 and a display unit 1104.

The processing unit 1101 controls and manages the actions of the mobile device 1100. For example, it may perform the processing steps S101, S102 and S103 in FIG. 6, S201-S203 and S211 in FIG. 7, and S301-S305 in FIG. 9, and/or other processing steps in the embodiments of this application.

The storage unit 1102 stores the program code and data of the mobile device 1100; for example, it may store data related to the login process.

The communication unit 1103 supports communication between the mobile device 1100 and other devices. For example, it may perform the processing steps S203 in FIG. 7 and S305 in FIG. 9, and/or other processing steps in the embodiments of this application.

The display unit 1104 displays the interface of the mobile device 1100, for example the user login interface 810 of the mobile App.

Of course, the unit modules in the mobile device 1100 include but are not limited to the processing unit 1101, storage unit 1102, communication unit 1103 and display unit 1104. For example, the mobile device 1100 may further include a power supply unit, which powers the mobile device 1100.

The processing unit 1101 may be a processor or controller, for example a central processing unit (CPU), a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or another programmable logic device, transistor logic device, hardware component or any combination thereof. The storage unit 1102 may be a memory. The communication unit 1103 may be a transceiver, a transceiver circuit or the like. The display unit 1104 may be a liquid crystal display (LCD), an organic light-emitting diode (OLED) display, an active-matrix organic light-emitting diode (AMOLED) display or the like.

For example, the processing unit 1101 may be a processor (such as the processor 110 shown in FIG. 3), the storage unit 1102 may be a memory (such as the internal memory 121 shown in FIG. 3), the communication unit 1103 may be called a communication interface and include a wireless communication module (such as the wireless communication module 155 shown in FIG. 3), and the display unit 1104 may be a display screen (such as the display screen 140 shown in FIG. 3; the display screen 140 may be a touch screen integrating a display panel and a touch panel). The mobile device 1100 provided in this embodiment may be the mobile device 100 shown in FIG. 3. The processor, memory, communication interface, display screen and so on may be connected together, for example via a bus.

The processor, memory, communication interface and so on may be connected together, for example via a bus.

In one example, refer to FIG. 12, which shows a possible schematic structure of the server involved in the embodiments above. The server 1200 includes a processor 1201, a memory 1202 and a communication interface 1203.

The processor 1201 is the control center of the server and controls and manages the actions of the server 1200. For example, it may perform the processing steps S205 and S210 in FIG. 7, and/or other processing steps in the embodiments of this application.

The memory 1202 stores the program code and data of the server 1200; for example, it may store data related to user accounts such as user names and automatic login credentials.

The communication interface 1203 supports communication between the server 1200 and other devices; for example, it may send the automatic login credential, the session identifier and so on to the mobile device.

Of course, the unit modules in the server 1200 include but are not limited to the processor 1201, memory 1202 and communication interface 1203.

The processor 1201 may be a single processor or a collective term for multiple processing elements. For example, the processor 1201 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of this application, such as one or more microprocessors (digital signal processors, DSP) or one or more field-programmable gate arrays (FPGA). The memory 1202 may be a read-only memory (ROM) or another type of static storage device that can store static information and instructions, a random access memory (RAM) or another type of dynamic storage device that can store information and instructions, and so on. The communication interface 1203 uses any transceiver-like device to communicate with other devices or communication networks, such as an application server, a radio access network (RAN) or a wireless local area network (WLAN). The communication interface 1203 may include a receiving unit implementing the receive function and a sending unit implementing the send function.

The processor, memory, communication interface and so on may be connected together, for example via a bus. Embodiments of this application further provide a computer-readable storage medium storing computer program code; when a processor executes the code, the mobile device performs the methods of the embodiments above.

Embodiments of this application further provide a computer-readable storage medium storing computer program code; when a processor executes the code, the server performs the methods of the embodiments above.

Embodiments of this application further provide a computer program product which, when run on a computer, causes the computer to perform the methods of the embodiments above.

Embodiments of this application further provide a mobile App login system comprising the mobile device 1100 and the server 1200.

The mobile device 1100, server 1200, computer-readable storage media, computer program product and mobile App login system provided in the embodiments are all intended to perform the corresponding methods described above; for the beneficial effects they achieve, refer to those of the corresponding methods, which are not repeated here.

From the description of the embodiments above, those skilled in the art will clearly understand that, for convenience and brevity of description, only the division of functional modules above has been used as an example; in practice, the functions above may be assigned to different functional modules as needed, that is, the internal structure of the apparatus may be divided into different functional modules to perform all or part of the functions described above.

In the several embodiments provided in this application, it should be understood that the disclosed apparatus and methods may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into modules or units is only a logical division of functions, and other divisions are possible in actual implementation; for instance, multiple units or components may be combined or integrated into another apparatus, or some features may be omitted or not performed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through interfaces, apparatuses or units, and may be electrical, mechanical or of another form.

In addition, the functional units in the embodiments of this application may be integrated into one processing unit, may exist physically as separate units, or two or more units may be integrated into one unit. The integrated unit may be implemented in hardware or as a software functional unit.

If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it may be stored in a readable storage medium. On this understanding, the technical solutions of the embodiments of this application, or the part contributing to the prior art, or all or part of the technical solutions, may be embodied as a software product stored in a storage medium and including instructions that cause a device (which may be a single-chip microcomputer, a chip, etc.) or a processor to perform all or part of the steps of the methods described in the embodiments of this application. The storage medium includes a USB flash drive, a removable hard disk, a ROM, a magnetic disk, an optical disk or any other medium that can store program code.

The above are only specific embodiments of this application, but the scope of protection of this application is not limited to them; any variation or substitution within the technical scope disclosed in this application shall be covered by the scope of protection of this application. Therefore, the scope of protection of this application shall be that of the claims.

Claims (24)

1. A mobile App login method applied to an electronic device, the electronic device comprising a Trusted Execution Environment (TEE), the method comprising the following steps:
the electronic device receives a user name and a login password of a mobile application program (App) input by a user;
the electronic device generates an automatic login key pair; the automatic login key pair comprises a public key and a private key, and is generated and stored by the TEE;
the electronic device sends a first login request to a server, wherein the first login request is used for requesting to log in to the mobile App; the first login request comprises the user name, the login password and the public key;
the electronic device receives an automatic login credential; the automatic login credential is generated according to the user name and the public key;
the electronic device receives an operation of opening the mobile App by the user;
in response to the operation of opening the mobile App, the electronic device sends a second login request to the server, wherein the second login request is used for requesting to log in to the mobile App; the second login request comprises a first signature result and the automatic login credential, wherein the first signature result is generated by signing a local timestamp of the electronic device with the private key; the automatic login credential is used to verify the first signature result.
2. The method of claim 1, further comprising:
the electronic device receives a session identifier from the server, wherein the session identifier is a credential for transmitting data between the electronic device and the server.
3. The method of claim 1 or 2, wherein the second login request further comprises a local timestamp of the electronic device.
4. The method of claim 3, further comprising:
the electronic device receiving a current time of the server from the server;
the electronic device sends a third login request to the server, wherein the third login request comprises the current time of the server, a second signature result and the automatic login credential; the second signature result is generated by signing the current time of the server with the private key.
5. The method of any of claims 1-4, wherein prior to the electronic device sending a second login request to the server, the method further comprises:
the electronic device performs biometric verification of the user, wherein the biometric verification comprises at least one of fingerprint recognition, face recognition and iris recognition.
6. A mobile App login method, the method comprising:
a server receives a first login request, wherein the first login request is used for requesting to log in to the mobile App; the first login request comprises a user name and a login password of the mobile App and a public key of an automatic login key pair;
the server generates an automatic login credential according to the user name and the public key;
the server sends the automatic login credentials to the electronic device;
the server receives a second login request, wherein the second login request is used for requesting to log in to the mobile App; the second login request comprises a signature result and the automatic login credential, wherein the signature result is obtained by signing a local timestamp of the electronic device with the private key of the automatic login key pair;
the server decrypts the automatic login credential and verifies the integrity of the automatic login credential;
if the integrity of the automatic login credential passes the verification, the server acquires the public key according to the automatic login credential and verifies the signature result according to the public key;
and if the signature result is verified according to the public key, the server determines that the mobile App is successfully logged in.
7. The method of claim 6, wherein the server generating auto-login credentials based on the username and the public key comprises:
and the server encrypts the user name and the public key to generate an automatic login credential.
8. The method according to claim 6 or 7, wherein before said verifying the signature result according to the public key, the method further comprises:
verifying that the signature result does not exist at the server.
9. The method of claim 8, wherein the server comprises one or more bloom filters, one for storing signature results over a time range; the second login request further comprises a local timestamp of the electronic device;
the verifying that the signature result does not exist at the server comprises:
acquiring a first bloom filter of the one or more bloom filters according to a local timestamp of the electronic equipment in the second login request;
verifying that the signature result in the second login request is not present in the first bloom filter.
10. The method of claim 9, wherein prior to obtaining a first bloom filter of the one or more bloom filters based on a local timestamp of the electronic device in the second login request, the method further comprises:
and determining that the difference value between the local timestamp of the electronic equipment in the second login request and the current time of the server is smaller than a set time error range.
11. The method of claim 8, further comprising:
and if the difference value between the local timestamp of the electronic equipment in the second login request and the current time of the server is larger than or equal to the set time error range, the server sends the current time of the server to the electronic equipment.
12. The method of any of claims 6-11, wherein prior to the server generating auto-login credentials based on the username and the public key, the method further comprises:
and the server verifies the user name and the login password.
13. The method according to any of claims 6-12, wherein after the server determines that logging on the mobile App is successful, the method further comprises:
and the server sends a session identifier to the electronic equipment, wherein the session identifier is a certificate for transmitting data between the electronic equipment and the server.
14. A mobile App login method is applied to a mobile App login system, the mobile App login system comprises electronic equipment and a server, the electronic equipment comprises a Trusted Execution Environment (TEE), and the method comprises the following steps:
the electronic device receives a user name and a login password of a mobile application (App) entered by a user;
the electronic device generates an automatic login key pair; the automatic login key pair comprises a public key and a private key and is generated and stored by the TEE;
the electronic device sends a first login request to the server, wherein the first login request is used to request login to the mobile App; the first login request comprises the user name, the login password and the public key;
the server receives the first login request and generates an automatic login credential according to the user name and the public key;
the server sends the automatic login credential to the electronic device;
the electronic device receives an operation of opening the mobile App by the user;
in response to the operation of opening the mobile App, the electronic device sends a second login request to the server, wherein the second login request is used to request login to the mobile App; the second login request comprises a first signature result and the automatic login credential, wherein the first signature result is obtained by signing a local timestamp of the electronic device with the private key;
the server receives the second login request and acquires the first signature result and the automatic login credential from the second login request;
the server decrypts the automatic login credential and verifies the integrity of the automatic login credential;
if the integrity of the automatic login credential passes the verification, the server acquires the public key from the automatic login credential and verifies the first signature result with the public key;
if the first signature result passes the verification with the public key, the server determines that the mobile App is successfully logged in.
15. The method of claim 14, wherein after the server determines that the mobile App is successfully logged in, the method further comprises:
the server sends a session identifier to the electronic device, wherein the session identifier is a credential for transmitting data between the electronic device and the server;
the electronic device receives the session identifier.
16. The method of claim 14 or 15, wherein before the electronic device sends the second login request to the server, the method further comprises:
the electronic device performs biometric verification of the user, wherein the biometric verification comprises at least one of fingerprint recognition, face recognition and iris recognition.
17. The method of any of claims 14-16, wherein before the server verifies the first signature result with the public key, the method further comprises:
the server verifies that the first signature result does not already exist at the server.
18. The method of any one of claims 14-17, wherein the server comprises one or more bloom filters, each bloom filter storing the signature results of one time range; the second login request further comprises the local timestamp of the electronic device;
the server verifying that the first signature result does not exist at the server comprises:
the server acquires a first bloom filter of the one or more bloom filters according to the local timestamp of the electronic device in the second login request;
the server verifies that the first signature result in the second login request is not present in the first bloom filter.
19. The method of claim 18, wherein prior to acquiring a first bloom filter of the one or more bloom filters according to the local timestamp of the electronic device in the second login request, the method further comprises:
the server determines that the difference between the local timestamp of the electronic device in the second login request and the current time of the server is smaller than a set time error range.
20. The method of claim 19, further comprising:
if the difference between the local timestamp of the electronic device in the second login request and the current time of the server is larger than or equal to the set time error range, the server sends the current time of the server to the electronic device;
the electronic device receives the current time of the server from the server;
the electronic device sends a third login request to the server, wherein the third login request comprises the current time of the server, a second signature result and the automatic login credential; the second signature result is generated by signing the current time of the server with the private key.
21. An electronic device, comprising: a processor; a memory for storing the processor-executable instructions;
wherein the processor is configured to execute the instructions to cause the electronic device to implement the method of any of claims 1-5.
22. A server, comprising: a processor; a memory for storing the processor-executable instructions;
wherein the processor is configured to execute the instructions to cause the server to implement the method of any one of claims 6-13.
23. A computer-readable storage medium comprising computer instructions that, when executed on an electronic device, cause the electronic device to perform the method of any of claims 1-5.
24. A computer-readable storage medium comprising computer instructions that, when executed on an electronic device, cause the server to perform the method of any one of claims 6-13.
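Claims 6 to 20 describe the server-side check end to end; the following Go model, added here and not code from the patent or its applicant, runs one first login, one automatic login and the failure paths the claims name (tampered credential, stale timestamp, replayed signature, wrong key). It assumes Ed25519 for the automatic login key pair, AES-GCM for the credential (its authentication tag is the integrity check) and a 30-second time error range, none of which the claims fix; the per-time-range bloom filters are stood in for by an exact set keyed by time window.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

const skew int64 = 30 // accepted |device time - server time| in seconds (assumed value)
var ErrClockSkew = errors.New("clock skew: device must resync to server time")

// Server: credential-sealing key plus a replay set keyed by (time window, signature), which
// stands in for the claims' per-time-range bloom filters (exact rather than probabilistic).
type Server struct {
	aead cipher.AEAD
	seen map[string]bool
}

func NewServer(key []byte) *Server {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return &Server{aead, map[string]bool{}}
}
// Issue models the first login: after the password check (omitted) the server seals the
// device public key and username; the GCM tag is what the later integrity check verifies.
func (s *Server) Issue(user string, pub ed25519.PublicKey) []byte {
	nonce := make([]byte, s.aead.NonceSize())
	rand.Read(nonce)
	return append(nonce, s.aead.Seal(nil, nonce, append([]byte(pub), user...), nil)...)
}
func tsBytes(ts int64) []byte { b := make([]byte, 8); binary.BigEndian.PutUint64(b, uint64(ts)); return b }
// SignTimestamp is the device side of the second login request (the private key would stay in the TEE).
func SignTimestamp(priv ed25519.PrivateKey, ts int64) []byte { return ed25519.Sign(priv, tsBytes(ts)) }

// AutoLogin models the server side of the second login request and returns the logged-in user.
func (s *Server) AutoLogin(cred, sig []byte, devTS, now int64) (string, error) {
	ns := s.aead.NonceSize()
	if len(cred) < ns { return "", errors.New("malformed credential") }
	plain, err := s.aead.Open(nil, cred[:ns], cred[ns:], nil) // decrypt and check integrity
	if err != nil || len(plain) < ed25519.PublicKeySize { return "", errors.New("credential integrity check failed") }
	pub, user := ed25519.PublicKey(plain[:ed25519.PublicKeySize]), string(plain[ed25519.PublicKeySize:])
	if d := devTS - now; d < -skew || d > skew { return "", ErrClockSkew } // claims 10-11: reply with server time
	k := string(tsBytes(devTS/skew)) + string(sig) // bloom filter for this time range + signature (claim 9)
	if s.seen[k] { return "", errors.New("replayed signature") } // claim 8: signature must not already exist
	if !ed25519.Verify(pub, tsBytes(devTS), sig) { return "", errors.New("bad signature") }
	s.seen[k] = true
	return user, nil
}
```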
CN202110342507.5A 2021-03-30 2021-03-30 A mobile App login method, mobile device and system Pending CN115146253A (en)

Publications (1)

Publication Number Publication Date
CN115146253A true CN115146253A (en) 2022-10-04

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117040941A (en) * 2023-10-10 2023-11-10 北京轻松怡康信息技术有限公司 Account login method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination