CN116452204A - DID-based payment method and device, readable storage medium and electronic equipment - Google Patents
- Publication number
- CN116452204A (CN202310264155.5A)
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/401—Transaction verification
- G06Q20/4014—Identity check for transactions
- G06Q20/40145—Biometric identity checks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3231—Biological data, e.g. fingerprint, voice or retina
Description
Technical field
This specification relates to the field of decentralized identity, and more specifically to a DID-based payment method and device, a readable storage medium, and electronic equipment.
Background
Decentralized Identity (DID) is a kind of digital identity derived from traditional centralized identity. In a DID system, each entity (including individuals, organizations, devices, and so on) has a DID identifier, a character string in a specific format that represents the entity's digital identity. Each DID identifier corresponds to a DID document. A DID system can be decentralized, so it offers better security and privacy, and has application prospects in the payment field.
In a DID system, the disclosure, presentation, and transfer of all DID-based entity assets (verifiable credentials (VC), carbon data, etc.) can be completed only after being authorized by a signature made with the DID private key. Therefore, whoever controls the DID private key holds the DID and can enjoy the related rights and interests. If the DID private key is stolen by an attacker during the payment process, property loss will result.
Therefore, how to ensure that the DID private key is not stolen, and thereby ensure payment security, is a technical problem that those skilled in the art urgently need to solve.
Summary of the invention
One purpose of this specification is to provide a DID-based payment method in which biometric authentication can be performed locally and, after the authentication passes, the payment request is signed with the DID private key, so that the payment function is realized through DID and security is ensured.
Based on the above purpose, this specification provides a DID-based payment method. The method is applied to a payment application, the payment application is installed on a mobile terminal, a DID SDK is embedded in the payment application, and the method includes:
generating a payment request;
obtaining the to-be-authenticated biometric feature input by the user;
comparing, through the DID SDK, the to-be-authenticated biometric feature with the DID standard biometric feature pre-stored in the TEE by the DID SDK;
when a first local comparison result is obtained through the DID SDK and the first local comparison result is "same", signing the payment request through the DID SDK with the pre-stored DID private key, so as to realize the payment function through DID.
In some embodiments, before generating the payment request, the method further includes:
receiving a DID biometric authentication activation request through the DID SDK;
obtaining the payment standard biometric feature stored in the TEE by the payment application;
storing, through the DID SDK, the payment standard biometric feature in the TEE as the DID standard biometric feature.
In some embodiments, the method further includes:
receiving a DID biometric authentication update request through the DID SDK;
obtaining a first biometric feature input by the user;
comparing, through the DID SDK, the first biometric feature with the DID standard biometric feature to obtain a second local comparison result;
when the second local comparison result is "same", obtaining a second biometric feature input by the user;
storing, through the DID SDK, the second biometric feature in the TEE as the DID standard biometric feature.
In some embodiments, when the DID SDK cannot obtain the first local comparison result, the method further includes:
sending the to-be-authenticated biometric feature to the DID server through the DID SDK, so that the DID server compares the to-be-authenticated biometric feature with the pre-stored DID standard biometric feature, obtains a server-side comparison result, and sends the server-side comparison result to the DID SDK;
receiving the server-side comparison result through the DID SDK;
when the server-side comparison result is "same", signing the payment request through the DID SDK with the pre-stored DID private key, so as to realize the payment function through DID.
Another purpose of this specification is to provide a DID-based payment device in which biometric authentication can be performed locally and, after the authentication passes, the payment request is signed with the DID private key, so that the payment function is realized through DID and security is ensured.
Based on the above purpose, this specification provides a DID-based payment device. The device is applied to a payment application, the payment application is installed on a mobile terminal, a DID SDK is embedded in the payment application, and the device includes:
a generation module, configured to generate a payment request;
an acquisition module, configured to obtain the to-be-authenticated biometric feature input by the user;
a comparison module, configured to compare, through the DID SDK, the to-be-authenticated biometric feature with the DID standard biometric feature pre-stored in the TEE by the DID SDK;
a signature module, configured to sign the payment request through the DID SDK with the pre-stored DID private key when a first local comparison result is obtained through the DID SDK and the first local comparison result is "same", so as to realize the payment function through DID.
In some embodiments, the device further includes an activation module, and the activation module is configured to:
receive a DID biometric authentication activation request through the DID SDK;
obtain the payment standard biometric feature stored in the TEE by the payment application;
store, through the DID SDK, the payment standard biometric feature in the TEE as the DID standard biometric feature.
In some embodiments, the device further includes an update module, and the update module is configured to:
receive a DID biometric authentication update request through the DID SDK;
obtain a first biometric feature input by the user;
compare, through the DID SDK, the first biometric feature with the DID standard biometric feature to obtain a second local comparison result;
when the second local comparison result is "same", obtain a second biometric feature input by the user;
store, through the DID SDK, the second biometric feature in the TEE as the DID standard biometric feature.
In some embodiments, the device further includes a server-side comparison module, and the server-side comparison module is configured to:
when the DID SDK cannot obtain the first local comparison result, send the to-be-authenticated biometric feature to the DID server through the DID SDK, so that the DID server compares the to-be-authenticated biometric feature with the pre-stored DID standard biometric feature, obtains a server-side comparison result, and sends the server-side comparison result to the DID SDK;
receive the server-side comparison result through the DID SDK;
when the server-side comparison result is "same", sign the payment request through the DID SDK with the pre-stored DID private key, so as to realize the payment function through DID.
A further purpose of this specification is to provide a readable storage medium on which a computer program is stored; when the computer program is executed in a computer, it causes the computer to perform the steps of the DID-based payment method described above.
A further purpose of this specification is to provide electronic equipment that includes a memory and a processor; executable code is stored in the memory, and when the processor executes the executable code, it performs the steps of the DID-based payment method described above.
Description of drawings
Fig. 1 is a flowchart of a DID-based payment method according to an embodiment of this specification;
Fig. 2 is a schematic structural diagram of a DID-based payment device according to an embodiment of this specification.
Detailed description
Preferred embodiments of this specification are given below and described in detail with reference to the accompanying drawings.
In a DID system, each entity (including individuals, organizations, devices, and so on) has a DID identifier, a character string in a specific format that represents the entity's digital identity. Each DID identifier corresponds to a DID document, and the DID identifier can serve as a uniform resource identifier (URI) for locating the DID document. A DID identifier consists of a scheme, a DID method, and a DID method-specific string: the scheme is fixed and indicates that the string is a DID identifier string; the DID method indicates which set of methods is used to define and operate on the DID identifier; and the DID method-specific string is the unique identification string under that DID method. A DID document is descriptive text in a preset format (for example, JSON-LD) about the DID identifier and the owner of the DID. A DID document may include various attributes, for example context, DID subject, public key, authentication, authorization and delegation, service endpoints, creation, update, proof, extensibility, other suitable attributes, or any combination thereof. A DID document may define, or point to resources that define, a number of operations that can be performed with respect to the DID. In a DID system, each entity keeps its own DID private key, while each entity's DID document is stored on the blockchain, where the corresponding DID document can be looked up by the entity's DID identifier.
In a DID-based payment flow, if entity A needs to make a payment, entity A generates a payment request through the payment application installed on it, signs the payment request with its DID private key, and sends the signed payment request to entity B. Entity B has the payment application server installed, which authenticates the signed payment request and, after the authentication passes, completes the payment function according to the payment request. Since entity A and entity B are both members of the DID system, each has a unique DID identifier. After entity B receives the signed payment request sent by entity A, entity B first looks up the corresponding DID document on the blockchain by entity A's DID identifier, and then verifies the signature of the signed payment request with the public key in the DID document. If the signature verification passes, the payment request was issued by entity A, and the payment application server on entity B completes the payment operation according to the payment request, realizing the payment function. If the signature verification fails, the signed payment request was not issued by entity A, and the payment application server on entity B does not perform the payment operation, so the payment function cannot be realized. It follows that the DID private key is the precondition for secure payment: if the DID private key is stolen by an attacker, the attacker can use it to sign a forged payment request and then have the payment carried out, causing property loss.
To protect the DID private key, in some approaches the DID private key is protected by a password key: a password key is set when the DID private key is generated, and when the DID private key is needed for signing, the preset password is entered to obtain the right to use the DID private key. However, a password key is easy to forget and there is no recovery mechanism, so the cost of use is high. In other approaches, a biometric feature replaces the password key. For example, when the DID private key is generated, a statement is attached that the DID private key can be used only after biometric authentication passes. When the DID private key is needed, the biometric feature input by the user is obtained first and then sent to a biometric authentication server for authentication; if it passes, the DID private key can be used, otherwise it cannot. This approach, however, requires a centralized biometric authentication server to authenticate the biometric feature, so the device must be online, which rules out some offline or weak-network scenarios. Moreover, because the key can be used only after the centralized biometric authentication server agrees, it conflicts with the decentralization of the DID system.
Based on this, the embodiments of this specification provide a DID-based payment method in which biometric authentication can be performed locally and, after the authentication passes, the payment request is signed with the DID private key, so that the payment function is realized through DID and security is ensured.
As shown in Fig. 1, an embodiment of this specification provides a DID-based payment method. The method is applied to a payment application, the payment application is installed on a mobile terminal, a DID SDK is embedded in the payment application, and the method includes the steps:
S100: Generate a payment request.
In some embodiments, the payment application may be a payment application. The payment request may be triggered by the user operating the payment application, or by the user operating a third-party application linked to the payment application. For example, the payment application may be Alipay and the third-party application may be Meituan, Ele.me, and so on; the payment request may be initiated directly by the user through Alipay, or initiated by the third-party application through Alipay.
S200: Obtain the to-be-authenticated biometric feature input by the user.
The payment application can collect the biometric feature by calling a system API (application programming interface). Specifically, after the payment request is generated, the payment application can call the system API for collecting biometric features and bring up the collection interface; the user inputs the to-be-authenticated biometric feature through the biometric sensor of the mobile terminal, and the payment application obtains the to-be-authenticated biometric feature through the system API.
In some embodiments, the acquisition and authentication of the biometric feature can be implemented on the basis of the Internet Finance Authentication Alliance (IFAA). The IFAA alliance is committed to launching "financial-grade, full-link, standardized" industry security solutions around identity recognition and authentication technology, and to establishing trusted connections for the Internet of Everything. IFAA is a financial-grade mobile biometric product that uses the computing capability embedded in the hardware encryption area of the mobile terminal, combined with the device's native biometric capabilities such as fingerprint and face recognition, to perform financial-grade, hardware-level identity authentication.
In some embodiments, an IFAA SDK (Software Development Kit) may be embedded in the payment application, and the payment application can implement biometric functions by calling the IFAA SDK, such as obtaining the biometric feature input by the user, and recognizing or authenticating the biometric feature.
S300: Compare, through the DID SDK, the to-be-authenticated biometric feature with the DID standard biometric feature pre-stored in the TEE (trusted execution environment) by the DID SDK.
The DID SDK implements the DID functions, including DID registration, generation of verifiable credentials (VC), storage of the DID private key, encryption of data with the DID private key, and so on. After obtaining the to-be-authenticated biometric feature, the payment application can, through the DID SDK, compare (that is, authenticate) the to-be-authenticated biometric feature against the DID standard biometric feature pre-stored in the TEE by the DID SDK, and determine from the comparison result whether the DID private key may be used.
S400: When a first local comparison result is obtained through the DID SDK and the first local comparison result is "same", sign the payment request through the DID SDK with the pre-stored DID private key, so as to realize the payment function through DID.
When the DID SDK obtains the first local comparison result and that result is "same", the to-be-authenticated biometric feature is the same as the DID standard biometric feature, the authentication passes, and the DID private key may be used; the payment request can therefore be signed through the DID SDK with the pre-stored DID private key, so as to realize the payment function through DID. If the first local comparison result obtained by the DID SDK is "different", the to-be-authenticated biometric feature differs from the DID standard biometric feature and the user may not use the DID private key, so the payment request is not signed with the DID private key and the payment function cannot be realized through DID. This protects the DID private key. Because the DID standard biometric feature is pre-stored in the local TEE, the whole comparison is completed locally: it works without a network connection (extending use to no-network or weak-network scenarios) and does not depend on a centralized biometric authentication server (decentralization).
In some scenarios the mobile terminal may not support local comparison; in that case the authentication can still be completed through a centralized biometric authentication server. In some embodiments, when the DID SDK cannot obtain the first local comparison result, the method further includes:
The payment application sends the to-be-authenticated biometric feature to the DID server through the DID SDK; the DID server compares the to-be-authenticated biometric feature with the DID standard biometric feature pre-stored on the DID server, obtains a server-side comparison result, and sends the server-side comparison result to the DID SDK; the payment application receives the server-side comparison result through the DID SDK. If the server-side comparison result is "same", the to-be-authenticated biometric feature is the same as the DID standard biometric feature, the authentication passes, and the payment application can sign the payment request through the DID SDK with the pre-stored DID private key, so as to realize the payment function through DID. If the server-side comparison result is "different", the to-be-authenticated biometric feature differs from the DID standard biometric feature, the authentication fails, and the DID private key cannot be used. In this case the DID server acts as the biometric authentication server to provide centralized authentication.
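The gate in S300/S400, the server fallback, and the signature check entity B performs, as an added example that is not code from the patent or from any real DID SDK. `DIDSDK`, `tee`, `Registry`, `NewDemo`, the `did:example` identifier, Ed25519 as the signature scheme and byte equality as the template matcher are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/subtle"
	"errors"
	"fmt"
)

type CompareResult int // the outcomes the description distinguishes

const (
	Unavailable CompareResult = iota // no first local comparison result
	Same
	Different
)

var (
	ErrMismatch     = errors.New("biometric comparison result: different")
	ErrNoComparison = errors.New("no local or server comparison result")
)

// tee stands in for the trusted execution environment (assumption): it holds
// the DID standard biometric and the DID private key; neither is exported.
type tee struct {
	standard []byte             // constructed template bytes, not a real format
	key      ed25519.PrivateKey // Ed25519 is an assumed signature scheme
	matcher  bool               // false: device cannot compare locally
}

func (t *tee) compare(candidate []byte) CompareResult {
	if !t.matcher || len(t.standard) == 0 {
		return Unavailable
	}
	// Byte equality replaces a real fuzzy template matcher (assumption).
	if subtle.ConstantTimeCompare(candidate, t.standard) == 1 {
		return Same
	}
	return Different
}

// ServerCompare models the DID server comparison; true means "same".
type ServerCompare func(candidate []byte) (bool, error)

// DIDSDK is a hypothetical facade for the SDK embedded in the payment app.
type DIDSDK struct {
	DID    string
	tee    *tee
	server ServerCompare
}

// SignPayment covers S300/S400 and the fallback: the key is used only after a
// "same" result, and the server is asked only when no local result exists.
func (s *DIDSDK) SignPayment(request, candidate []byte) ([]byte, error) {
	switch s.tee.compare(candidate) {
	case Different:
		return nil, ErrMismatch // a local "different" never falls back
	case Unavailable:
		if s.server == nil {
			return nil, ErrNoComparison
		}
		same, err := s.server(candidate)
		if err != nil {
			return nil, fmt.Errorf("%w: %v", ErrNoComparison, err)
		}
		if !same {
			return nil, ErrMismatch
		}
	}
	return ed25519.Sign(s.tee.key, request), nil
}

// Registry stands in for DID documents on the blockchain: DID -> public key.
type Registry map[string]ed25519.PublicKey

// VerifyPayment is entity B's check: resolve the payer's DID, verify the signature.
func (r Registry) VerifyPayment(did string, request, sig []byte) bool {
	pub, ok := r[did]
	return ok && ed25519.Verify(pub, request, sig)
}

// NewDemo builds a payer SDK and the matching registry entry (constructed data).
func NewDemo(standard []byte, matcher bool, server ServerCompare) (*DIDSDK, Registry) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	did := "did:example:payer-0001" // constructed identifier
	return &DIDSDK{DID: did, tee: &tee{standard, priv, matcher}, server: server}, Registry{did: pub}
}

func main() {
	tpl := []byte("constructed-template-A")
	sdk, reg := NewDemo(tpl, true, nil)
	req := []byte(`{"payee":"did:example:merchant","amount":"12.50"}`)
	sig, err := sdk.SignPayment(req, tpl)
	fmt.Println("verified:", err == nil && reg.VerifyPayment(sdk.DID, req, sig))
}
```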
In some embodiments, the DID standard biometric feature is obtained through an activation flow, which includes the steps:
S402: Receive a DID biometric authentication activation request through the DID SDK;
S404: Obtain the payment standard biometric feature that the payment application itself has stored in the TEE;
S406: Store, through the DID SDK, the payment standard biometric feature in the TEE as the DID standard biometric feature.
That is, the DID biometric authentication function must be activated before the biometric feature can be used to protect the DID private key from theft; the activation flow above is usually completed before payment.
Since biometric authentication is a mature function on mobile terminals, the method of this specification can be built on the existing biometric authentication function. In some embodiments, a biometric authentication SDK is embedded in the payment application (the IFAA SDK is used as the example below), and the IFAA SDK provides payment biometric authentication for the payment application. On this basis, the method of this specification can provide biometric authentication for the DID private key without modifying the underlying framework of the mobile terminal's biometric authentication function. For example, after receiving the DID biometric authentication activation request, the payment application can obtain, through the IFAA SDK, the payment standard biometric feature that the IFAA SDK has stored in the TEE, and then send the payment standard biometric feature to the IFAA server through the IFAA SDK. The IFAA server sends the payment standard biometric feature to the DID server; the DID server stores the payment standard biometric feature as the DID standard biometric feature and then sends it to the DID SDK, which stores it in the TEE as the DID standard biometric feature. In this way both the DID server and the local device hold the DID standard biometric feature, and the activation flow is complete.
If, during activation, the payment application itself has not enabled biometric authentication, the payment standard biometric feature cannot be obtained in step S404. In that case biometric authentication for the payment application must be enabled first: the biometric feature input by the user is obtained through the IFAA SDK and then stored in the TEE through the IFAA SDK as the payment standard biometric feature.
In some embodiments, the method may further include an update flow, so that the user can update the DID standard biometric feature as needed. The update flow includes the steps:
S502: Receive a DID biometric authentication update request through the DID SDK;
S504: Obtain a first biometric feature input by the user;
S506: Compare, through the DID SDK, the first biometric feature with the DID standard biometric feature to obtain a second local comparison result;
S508: When the second local comparison result is "same", obtain a second biometric feature input by the user;
S510: Store, through the DID SDK, the second biometric feature in the TEE as the new DID standard biometric feature.
When the user wants to update the DID standard biometric feature, the biometric authentication update request can be triggered through the DID SDK. The payment application then obtains the user's first biometric feature for authentication, to ensure that the update flow was triggered by the user to whom the DID standard biometric feature belongs; once the authentication passes, the new DID standard biometric feature can be entered to complete the update.
In the DID-based payment method of the embodiments of this specification, the DID private key can be used to sign the payment request only after biometric authentication passes, which ensures that the DID private key is not stolen and thereby ensures payment security. The biometric authentication can be completed locally, without relying on a centralized server or on the network.
As shown in FIG. 2, another embodiment of this specification provides a DID-based payment device, including a generation module 10, an acquisition module 20, a comparison module 30 and a signature module 40.
The generation module 10 is used to generate a payment request.
In some embodiments, the payment application may be a payment application. The payment request may be triggered by the user operating the payment application, or by the user operating a third-party application linked to the payment application. For example, the payment application may be Alipay and the third-party application may be Meituan, Ele.me, and so on; the payment request may be initiated directly by the user through Alipay, or initiated by the third-party application through Alipay.
The acquisition module 20 is used to obtain the to-be-authenticated biometric feature entered by the user.
The payment application can collect biometric features by calling a system API (application programming interface). Specifically, after the payment request is generated, the payment application can call the system API used for collecting biometric features and bring up the collection interface. The user enters the to-be-authenticated biometric feature through the biometric sensor of the mobile terminal, and the payment application obtains it through the system API.
In some embodiments, the IFAA SDK may be embedded in the payment application, and the payment application can implement biometric functions by calling the IFAA SDK, such as obtaining biometric features entered by the user and identifying or authenticating biometric features.
The comparison module 30 is used to compare, through the DID SDK, the to-be-authenticated biometric feature with the DID standard biometric feature that the DID SDK has pre-stored in the TEE (Trusted Execution Environment).
The signature module 40 is used to sign the payment request, through the DID SDK and with the pre-stored DID private key, when a first local comparison result is obtained through the DID SDK and that result is "same", so that the payment function is realized through the DID.
When the DID SDK obtains the first local comparison result and that result is "same", the to-be-authenticated biometric feature is the same as the DID standard biometric feature, authentication has passed, and the DID private key may be used. The payment request can therefore be signed through the DID SDK with the pre-stored DID private key, so that the payment function is realized through the DID. If the first local comparison result obtained by the DID SDK is "different", the to-be-authenticated biometric feature differs from the DID standard biometric feature and the user is not permitted to use the DID private key. The payment request is then not signed with the DID private key and the payment function cannot be realized through the DID, which protects the DID private key. Because the DID standard biometric feature is pre-stored in the local TEE, the entire comparison is completed locally: it works without a network connection (extending to no-network or weak-network scenarios) and does not depend on a centralized biometric authentication server (decentralization).
In some scenarios the mobile terminal may not support local comparison, in which case authentication can instead be completed through a centralized biometric authentication server. In some embodiments, the device further includes a server-side comparison module. When the DID SDK cannot obtain the first local comparison result, the server-side module can send the to-be-authenticated biometric feature to the DID server through the DID SDK, so that the DID server compares it with the DID standard biometric feature pre-stored on the DID server, obtains a server comparison result, and sends that result to the DID SDK. The server-side module receives the server comparison result through the DID SDK. If the server comparison result is "same", the to-be-authenticated biometric feature is the same as the DID standard biometric feature and authentication has passed; the server-side module can sign the payment request through the DID SDK with the pre-stored DID private key, so that the payment function is realized through the DID. If the server comparison result is "different", the to-be-authenticated biometric feature differs from the DID standard biometric feature, authentication fails, and the DID private key cannot be used. In this case the DID server acts as the biometric authentication server, providing centralized authentication.
In some embodiments, the DID standard biometric feature can be obtained through an activation process. The device may include an activation module, which is used to:
Receive a DID biometric authentication activation request through the DID SDK;
Obtain the payment standard biometric feature that the payment application itself has stored in the TEE;
Store, through the DID SDK, the payment standard biometric feature in the TEE as the DID standard biometric feature.
In some embodiments, the IFAA SDK is embedded in the payment application and is used to implement the payment application's biometric authentication for payments. For example, after the DID biometric authentication activation request is received, the activation module can obtain, through the IFAA SDK, the payment standard biometric feature that the IFAA SDK has stored in the TEE, and then send it to the IFAA server through the IFAA SDK. The IFAA server sends the payment standard biometric feature to the DID server. The DID server stores it as the DID standard biometric feature and then sends it to the DID SDK, which stores it in the TEE as the DID standard biometric feature. In this way the DID standard biometric feature is stored both on the DID server and locally, and the activation process is complete.
If the payment application itself has not enabled biometric authentication when the activation process runs, the payment standard biometric feature cannot be obtained in step S404. In that case, biometric authentication must first be enabled for the payment application: the biometric feature entered by the user is obtained through the IFAA SDK and is then stored in the TEE, through the IFAA SDK, as the payment standard biometric feature.
In some embodiments, the device may further include an update module, so that the user can update the DID standard biometric feature as needed. The update module is used to:
Receive a DID biometric authentication update request through the DID SDK;
Obtain a first biometric feature entered by the user;
Compare, through the DID SDK, the first biometric feature with the DID standard biometric feature to obtain a second local comparison result;
When the second local comparison result is "same", obtain a second biometric feature entered by the user;
Store, through the DID SDK, the second biometric feature in the TEE as the new DID standard biometric feature.
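The gate described for the comparison, signature, server-side and update modules can be sketched as follows. This is an added example, not code from the patent or from any IFAA or DID SDK: the class names, the constructed templates and payment request, the exact-match digest comparison standing in for a biometric matcher, and HMAC-SHA256 standing in for the DID private-key signature are all assumptions.

```python
import hashlib
import hmac
import secrets
from enum import Enum
from typing import Optional


class Match(Enum):
    SAME = "same"
    DIFFERENT = "different"
    UNAVAILABLE = "unavailable"  # no comparison result could be obtained


def _digest(template: bytes) -> bytes:
    return hashlib.sha256(template).digest()


class SimulatedTee:
    """Hypothetical stand-in for the TEE: holds the DID standard biometric
    feature and the DID private key and never hands either back."""

    def __init__(self, standard: bytes, local_compare: bool = True):
        self._standard = _digest(standard)
        self._key = secrets.token_bytes(32)  # constructed key material
        self._local_compare = local_compare

    def compare(self, candidate: bytes) -> Match:
        if not self._local_compare:
            return Match.UNAVAILABLE
        # Exact match on a digest stands in for a real biometric matcher.
        same = hmac.compare_digest(self._standard, _digest(candidate))
        return Match.SAME if same else Match.DIFFERENT

    def store_standard(self, new_standard: bytes) -> None:
        self._standard = _digest(new_standard)

    def sign(self, payload: bytes) -> bytes:
        # HMAC-SHA256 stands in for the DID private-key signature.
        return hmac.new(self._key, payload, hashlib.sha256).digest()


class SimulatedDidServer:
    """Hypothetical DID server holding its own copy of the standard feature."""

    def __init__(self, standard: bytes):
        self._standard = _digest(standard)

    def compare(self, candidate: bytes) -> Match:
        same = hmac.compare_digest(self._standard, _digest(candidate))
        return Match.SAME if same else Match.DIFFERENT


class DidSdk:
    """The only caller of SimulatedTee.sign(), so every signature passes the gate."""

    def __init__(self, tee: SimulatedTee, server: Optional[SimulatedDidServer] = None):
        self._tee = tee
        self._server = server

    def authenticate(self, candidate: bytes) -> Match:
        result = self._tee.compare(candidate)  # first local comparison result
        if result is Match.UNAVAILABLE and self._server is not None:
            result = self._server.compare(candidate)  # server comparison result
        return result

    def sign_payment(self, request: bytes, candidate: bytes) -> Optional[bytes]:
        # Fail closed: DIFFERENT and UNAVAILABLE both leave the key unused.
        if self.authenticate(candidate) is not Match.SAME:
            return None
        return self._tee.sign(request)

    def update_standard(self, first: bytes, second: bytes) -> bool:
        # S506 to S510: the current feature must match locally before the swap.
        if self._tee.compare(first) is not Match.SAME:
            return False
        self._tee.store_standard(second)
        return True


# Constructed sample data, not taken from the patent.
OWNER = b"constructed-template-owner"
OTHER = b"constructed-template-other"
NEW = b"constructed-template-new"
REQUEST = b'{"payee":"merchant-123","amount":"12.50","currency":"CNY"}'
```

A device that can neither compare locally nor reach a DID server yields `UNAVAILABLE`, and `sign_payment` treats that exactly like a mismatch.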
The biometric features involved in the biometric authentication described in the embodiments of this specification may include, for example, eye features, voiceprints, fingerprints, palm prints, heartbeat, pulse, chromosomes, DNA, human bite marks, and the like. Eye patterns may include biometric features such as the iris and the sclera.
In the DID-based payment device of the embodiments of this specification, the DID private key can be used to sign the payment request only after biometric authentication has passed, which ensures that the DID private key is not stolen and thereby ensures payment security. Biometric authentication can be completed locally, without depending on a centralized server or on the network.
Yet another embodiment of this specification provides a readable storage medium on which a computer program is stored. When the computer program is executed in a computer, it causes the computer to perform the steps of the DID-based payment method of the above embodiments of this specification.
Yet another embodiment of this specification provides an electronic device that includes a memory and a processor. Executable code is stored in the memory, and when the processor executes the executable code, it performs the steps of the DID-based payment method of the above embodiments of this specification.
The systems, devices, modules or units described in the above embodiments may be implemented by a computer chip or an entity, or by a product having a certain function. A typical implementing device is a computer. Specifically, the computer may be, for example, a personal computer, a laptop computer, a cellular phone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an e-mail device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above device is described with its functions divided into separate units. Of course, when this specification is implemented, the functions of the units may be implemented in one or more pieces of software and/or hardware.
Those skilled in the art should understand that the embodiments of this specification may be provided as a method, a system, or a computer program product. Accordingly, this specification may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this specification may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) that contain computer-usable program code.
This specification is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to the embodiments of this specification. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing equipment to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing equipment produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing equipment to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture that includes instruction means, the instruction means implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing equipment, so that a series of operational steps is performed on the computer or other programmable equipment to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.
Memory may include non-permanent memory in computer-readable media, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible to a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
It should also be noted that the terms "include", "comprise" and any other variants thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of additional identical elements in the process, method, article or device that includes the element.
Those skilled in the art should understand that the embodiments of this specification may be provided as a method, a system or a computer program product. Accordingly, this specification may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this specification may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) that contain computer-usable program code.
This specification may be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. This specification may also be practiced in distributed computing environments, in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including storage devices.
The embodiments in this specification are described in a progressive manner. For parts that are the same or similar across embodiments, the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. In particular, because the system embodiment is substantially similar to the method embodiment, it is described relatively briefly; for the relevant details, refer to the corresponding description of the method embodiment.
Specific embodiments of this specification have been described above. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims may be performed in an order different from that in the embodiments and still achieve the desired results. In addition, the processes depicted in the accompanying drawings do not necessarily require the particular order shown, or a sequential order, to achieve the desired results. In certain implementations, multitasking and parallel processing are also possible or may be advantageous.
The above are only preferred embodiments of this specification and are not intended to limit its scope; various changes may be made to the above embodiments. That is, all simple and equivalent changes and modifications made according to the claims and the content of this specification fall within the scope of protection of the claims of this patent. Anything not described in detail in this specification is conventional technical content.
Claims (10)
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310264155.5A CN116452204A (en) | 2023-03-10 | 2023-03-10 | DID-based payment method and device, readable storage medium and electronic equipment |
| PCT/CN2023/141831 WO2024187903A1 (en) | 2023-03-10 | 2023-12-26 | Did-based payment method and apparatus, readable storage medium, and electronic device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310264155.5A CN116452204A (en) | 2023-03-10 | 2023-03-10 | DID-based payment method and device, readable storage medium and electronic equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116452204A (en) | 2023-07-18 |
Family
ID=87131172
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310264155.5A Pending CN116452204A (en) | 2023-03-10 | 2023-03-10 | DID-based payment method and device, readable storage medium and electronic equipment |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN116452204A (en) |
| WO (1) | WO2024187903A1 (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2024187903A1 (en) * | 2023-03-10 | 2024-09-19 | 支付宝(杭州)信息技术有限公司 | Did-based payment method and apparatus, readable storage medium, and electronic device |
Citations (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110383757A (en) * | 2016-12-16 | 2019-10-25 | 维萨国际服务协会 | System and method for securely processing electronic identities |
| US20200067907A1 (en) * | 2018-08-21 | 2020-02-27 | HYPR Corp. | Federated identity management with decentralized computing platforms |
| CN111066020A (en) * | 2019-07-02 | 2020-04-24 | 阿里巴巴集团控股有限公司 | System and method for creating a decentralized identity |
| US20200145219A1 (en) * | 2016-11-08 | 2020-05-07 | Aware, Inc. | Decentralized biometric identity authentication |
| CH716293A2 (en) * | 2019-06-07 | 2020-12-15 | Lapsechain Sa C/O Leax Avocats | Decentralized signature process, under biometric control and subject to personal identification, of a transaction intended for a blockchain. |
| CN113779604A (en) * | 2021-09-13 | 2021-12-10 | 网易(杭州)网络有限公司 | Business service implementation method, device, equipment and storage medium based on block chain |
| US20210392003A1 (en) * | 2020-06-12 | 2021-12-16 | Login Id Inc. | Decentralized computing systems and methods for performing actions using stored private data |
| KR20220006234A (en) * | 2020-07-08 | 2022-01-17 | 비트레스 주식회사 | Method for creating decentralized identity able to manage user authority and system for managing user authority using the same |
| KR20220013328A (en) * | 2020-07-24 | 2022-02-04 | 주식회사 코인플러그 | Method for authenticating user contactlessly based on decentralized identifier using verifiable credential and authentication supporting server using the same |
| KR20220028870A (en) * | 2020-08-31 | 2022-03-08 | 한국조폐공사 | Method for mobile identification card authentication service using decentralized identifier based on blockchain networks and user device executing mobile identification card authentication service |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110046482A (en) * | 2018-12-25 | 2019-07-23 | 阿里巴巴集团控股有限公司 | Identity verification method and its system |
| KR102197218B1 (en) * | 2019-07-31 | 2021-01-04 | 주식회사 티이이웨어 | System and method for providing distributed id and fido based block chain identification |
| CN115544526A (en) * | 2021-06-29 | 2022-12-30 | 深圳市汇顶科技股份有限公司 | Block chain encrypted currency transaction method and terminal equipment |
| CN116452204A (en) * | 2023-03-10 | 2023-07-18 | 支付宝(杭州)信息技术有限公司 | DID-based payment method and device, readable storage medium and electronic equipment |
2023
- 2023-03-10 CN CN202310264155.5A patent/CN116452204A/en active Pending
- 2023-12-26 WO PCT/CN2023/141831 patent/WO2024187903A1/en not_active Ceased
Also Published As
| Publication number | Publication date |
|---|---|
| WO2024187903A1 (en) | 2024-09-19 |
Similar Documents
| Publication | Title | Publication Date |
|---|---|---|
| US20220052852A1 (en) | Secure biometric authentication using electronic identity | |
| JP3222165U (en) | System to realize universal distributed solution for user authentication by mutual authentication configuration | |
| US20220058655A1 (en) | Authentication system | |
| US11588804B2 (en) | Providing verified claims of user identity | |
| CN108777684B (en) | Identity authentication method, system and computer readable storage medium | |
| JP6882254B2 (en) | Safety verification methods based on biological characteristics, client terminals, and servers | |
| US9755830B2 (en) | Dynamic seed and key generation from biometric indicia | |
| EP3641218B1 (en) | Service authorization method, apparatus and device | |
| US9935953B1 (en) | Secure authenticating an user of a device during a session with a connected server | |
| WO2017167093A1 (en) | Method and device for registering biometric identity and authenticating biometric identity | |
| CN110768967A (en) | Service authorization method, device, equipment and system | |
| CN105516104A (en) | A TEE-based dynamic password authentication method and system | |
| CN105868970B (en) | authentication method and electronic equipment | |
| CN104935438A (en) | Method and apparatus for identity verification | |
| CN110222531A (en) | A kind of method, system and equipment accessing database | |
| WO2021190197A1 (en) | Method and apparatus for authenticating biometric payment device, computer device and storage medium | |
| CN112313983A (en) | User Authentication Using Companion Devices | |
| AU2020329197A1 (en) | Systems and methods for use in provisioning tokens associated with digital identities | |
| CN106533685B (en) | Identity authentication method, device and system | |
| Yıldırım et al. | Android based mobile application development for web login authentication using fingerprint recognition feature | |
| CN108965335B (en) | Method for preventing malicious access to login interface, electronic device and computer medium | |
| WO2021249527A1 (en) | Method and apparatus for implementing motopay, and electronic device | |
| CN116452204A (en) | DID-based payment method and device, readable storage medium and electronic equipment | |
| KR20170111942A (en) | Electronic commercial transaction authentication method and system by specific infomation related otp | |
| CN105827625A (en) | Authentication method and authentication system, electronic device based on biological identification information |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | REG | Reference to a national code | Ref country code: HK; Ref legal event code: DE; Ref document number: 40093270; Country of ref document: HK |
| | CB02 | Change of applicant information | Country or region after: China; Address after: 310000 Zhejiang Province, Hangzhou City, Xihu District, Xixi Road 543-569 (continuous odd numbers) Building 1, Building 2, 5th Floor, Room 518; Applicant after: Alipay (Hangzhou) Digital Service Technology Co.,Ltd.; Address before: 801-11, Section B, 8th Floor, No. 556, Xixi Road, Xihu District, Hangzhou, Zhejiang 310063; Applicant before: Alipay (Hangzhou) Information Technology Co., Ltd.; Country or region before: China |