TWI859481B - Information processing method, device, electronic equipment, server and medium
- Publication number: TWI859481B
- Authority: TW (Taiwan)
- Prior art keywords
- user
- information
- identity
- electronic device
- image
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/401—Transaction verification
- G06Q20/4014—Identity check for transactions
- G06Q20/40145—Biometric identity checks
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/382—Payment protocols; Details thereof insuring higher security of transaction
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q20/00—Payment architectures, schemes or protocols
- G06Q20/38—Payment protocols; Details thereof
- G06Q20/40—Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
- G06Q20/409—Device specific authentication in transaction processing
- G06Q20/4097—Device specific authentication in transaction processing using mutual authentication between devices and transaction partners
- G06Q20/40975—Device specific authentication in transaction processing using mutual authentication between devices and transaction partners using encryption therefor
Abstract
The present invention discloses an information processing method, device, electronic equipment, server and medium. One such information processing method includes the following. First, a first input for user identity authentication is received. Next, in response to the first input, the user's identity information to be authenticated is obtained through near field communication in a trusted execution environment. Then, based on the user's identity information to be authenticated, target information used to characterize the user's identity is determined, the target information including the user's first biometric information; and a user image is obtained within a preset time period, the user image including the user's second biometric information. Finally, based on the result of comparing the first biometric information with the second biometric information, the user identity authentication result for the identity information to be authenticated is determined. According to the embodiments of the present invention, the accuracy of identity authentication results can be effectively improved, user identity information can be prevented from being leaked and tampered with, and network information security can be improved.
Description
The present invention belongs to the field of Internet technology, and in particular relates to an information processing method, device, electronic equipment, server and medium.
With the development of computers and the Internet, more and more scenarios require user identity authentication, such as account login or online payment.
Currently, identity authentication can be performed by comparing an image of the user's identity document with an image of the user, or by reading the identity information from the chip in the user's identity document. However, the former method has difficulty establishing whether the identity document is genuine, and worn surface information on the document or a poorly captured image also reduces the accuracy of the authentication result. With the latter method, the low security of the platform that reads the identity document can lead to the user's identity information being maliciously tampered with and leaked.
The embodiments of the present invention provide an information processing method, device, electronic equipment, server and medium that can effectively improve the accuracy of identity authentication results, prevent user identity information from being leaked and tampered with, and improve network information security.
In a first aspect, an embodiment of the present invention provides an information processing method, applied to an electronic device, which may specifically include:
receiving a first input for user identity authentication;
in response to the first input, obtaining the user's identity information to be authenticated through near field communication in a trusted execution environment;
determining, based on the user's identity information to be authenticated, target information used to characterize the user's identity, the target information including the user's first biometric information; and obtaining a user image within a preset time period, the user image including the user's second biometric information;
determining, based on the result of comparing the first biometric information with the second biometric information, the user identity authentication result for the identity information to be authenticated.
In a second aspect, an embodiment of the present invention provides an information processing method, applied to an electronic device, which may specifically include:
receiving a first input for user identity authentication;
in response to the first input, obtaining the user's identity information to be authenticated through near field communication in a trusted execution environment;
sending the user's identity information to be authenticated to a server, where it is used to determine the user identity authentication result for the identity information to be authenticated;
and obtaining a user image within a preset time period and sending the user image to the server, where the user image is compared with the user's identity to be authenticated to determine the user identity authentication result;
receiving, from the server, the user identity authentication result for the identity information to be authenticated.
In a third aspect, an embodiment of the present invention provides an information processing method, applied to a server, which may specifically include:
receiving the user's identity information to be authenticated, sent by an electronic device;
when the device type of the electronic device is detected to be a preset target device type, obtaining target information that corresponds to the user's identity information to be authenticated and is used to characterize the user's identity, the target information including the user's first biometric information;
receiving a user image sent by the electronic device;
determining, based on the result of comparing the first biometric information with the second biometric information in the user image, the user identity authentication result for the identity information to be authenticated;
sending the user identity authentication result to the electronic device.
In a fourth aspect, an embodiment of the present invention provides an information processing device, applied to an electronic device, which may specifically include:
a receiving module, used to receive a first input for user identity authentication;
an acquisition module, used to obtain, in response to the first input, the user's identity information to be authenticated through near field communication in a trusted execution environment;
a processing module, used to determine, based on the user's identity information to be authenticated, target information used to characterize the user's identity, the target information including the user's first biometric information; and to obtain a user image within a preset time period, the user image including the user's second biometric information;
a determination module, used to determine, based on the result of comparing the first biometric information with the second biometric information, the user identity authentication result for the identity information to be authenticated.
In a fifth aspect, an embodiment of the present invention provides an information processing device, applied to an electronic device, which may specifically include:
a receiving module, used to receive a first input for user identity authentication;
an acquisition module, used to obtain, in response to the first input, the user's identity information to be authenticated through near field communication in a trusted execution environment;
a sending module, used to send the user's identity information to be authenticated to a server, where it is used to determine the user identity authentication result for the identity information to be authenticated;
the sending module being further used to obtain a user image within a preset time period and send the user image to the server, where the user image is compared with the user's identity to be authenticated to determine the user identity authentication result;
the receiving module being further used to receive, from the server, the user identity authentication result for the identity information to be authenticated.
In a sixth aspect, an embodiment of the present invention provides an information processing device, applied to a server, which may specifically include:
a receiving module, used to receive the user's identity information to be authenticated, sent by an electronic device;
an acquisition module, used to obtain, when the device type of the electronic device is detected to be a preset target device type, target information that corresponds to the user's identity information to be authenticated and is used to characterize the user's identity, the target information including the user's first biometric information;
the receiving module being further used to receive a user image sent by the electronic device;
a determination module, used to determine, based on the result of comparing the first biometric information with the second biometric information in the user image, the user identity authentication result for the identity information to be authenticated;
a sending module, used to send the user identity authentication result to the electronic device.
In a seventh aspect, an embodiment of the present invention provides an electronic device, which includes a processor and a memory storing computer program instructions;
when the processor executes the computer program instructions, the information processing method of the first aspect or the second aspect is implemented.
In an eighth aspect, an embodiment of the present invention provides a server, which includes a processor and a memory storing computer program instructions;
when the processor executes the computer program instructions, the information processing method of the third aspect is implemented.
In a ninth aspect, an embodiment of the present invention provides a computer-readable storage medium storing computer program instructions which, when executed by a processor, implement the information processing method of the first aspect.
The information processing method, device, equipment and medium of the embodiments of the present invention obtain the user's identity information to be authenticated in a trusted execution environment (TEE) and over near field communication (NFC), and thereby obtain trusted target information that characterizes the user's identity, such as identity document information. This avoids the problem of forged identity documents, and also avoids incorrect user identity authentication results caused by inaccurate target information due to poor photo quality or inadequate camera hardware.
In addition, obtaining the target information in the TEE, and comparing the first biometric information in the target information with the second biometric information in the captured user image there, effectively prevents identity document information from being intercepted, replaced or tampered with by malicious software. At the same time, the camera of the electronic device is accessed securely through the TEE, which ensures the accuracy of the user image used for comparison and authentication and prevents the injection of forged facial photos or videos.
1,2,3,320,330,3301,33011,33012,3302,33021,33022,33023,3311,3312,3313,340,3401,3402,3403,4,5,510,520,530,540,6,7,8,801,802,803,804,805,806,807,808,809,810,811,812,813,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916: Steps
10: Electronic device
100: Information processing device
1001: Receiving module
1002: Acquisition module
1003: Processing module
1004: Determination module
101: Electronic device application
102: Trusted identity authentication service control
1100: Information processing device
1110: Receiving module
1120: Acquisition module
1130: Sending module
1200: Information processing device
1210: Receiving module
1220: Acquisition module
1230: Determination module
1240: Sending module
1300: Information processing
1301: Processor
1302: Memory
1303: Communication interface
1310: Bus
20: Server
201: Authoritative identity authentication module
202: Trusted identity authentication backend module
203: Face authentication comparison module
30: Near field communication chip
A: Application
Context: Transaction elements
D, D’: Distance
d, d’: Distance
O, O’: Center point
SDK1011: Trusted identity authentication service
TA103: Trusted identity authentication service
x, y: Axes
To explain the technical solutions of the embodiments of the present invention more clearly, the drawings used in the embodiments are briefly introduced below. A person of ordinary skill in the art can derive other drawings from these without creative effort.
Figure 1 is a schematic diagram of the information processing architecture of an embodiment of the information processing system provided by the present invention;
Figure 2 is a schematic diagram of the structure of the electronic device and the server in an embodiment of the information processing system provided by the present invention;
Figure 3 is a schematic diagram of the architecture of an application scenario of an embodiment of the information processing system provided by the present invention;
Figure 4 is a schematic diagram of where Application Protocol Data Unit (APDU) instructions are executed for each category of electronic device, in an embodiment of the information processing system provided by the present invention;
Figure 5 is a flow diagram of an information processing method according to an embodiment of the information processing provided by the present invention;
Figure 6 is a schematic diagram of an information processing interface according to an embodiment of the information processing provided by the present invention;
Figure 7 is a schematic diagram of an original image histogram according to an embodiment of the information processing provided by the present invention;
Figure 8 is a flow diagram of trusted identity authentication initialization according to an embodiment of the information processing provided by the present invention;
Figure 9 is a flow diagram of trusted identity authentication comparison according to an embodiment of the information processing provided by the present invention;
Figure 10 is a schematic diagram of the structure of an embodiment of the electronic-device-based information processing device provided by the present invention;
Figure 11 is a schematic diagram of the structure of another embodiment of the electronic-device-based information processing device provided by the present invention;
Figure 12 is a schematic diagram of the structure of an embodiment of the server-based information processing device provided by the present invention;
Figure 13 is a schematic diagram of the hardware structure of an embodiment of the information processing equipment provided by the present invention.
The features and exemplary embodiments of the various aspects of the present invention are described in detail below. To make the purpose, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and specific embodiments. It should be understood that the specific embodiments described here are intended only to explain the present invention, not to limit it. For those skilled in the art, the present invention can be practiced without some of these specific details. The following description of the embodiments is given only to provide a better understanding of the present invention by showing examples of it.
It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" and any other variants are intended to cover non-exclusive inclusion, so that a process, method, article or apparatus that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to that process, method, article or apparatus. Absent further restriction, an element introduced by the phrase "includes ..." does not exclude the presence of additional identical elements in the process, method, article or apparatus that includes the element.
Most current identity authentication schemes run on the Android operating system, so the security of identity authentication depends heavily on the security of Android itself. Once Android's security mechanisms fail, an identity authentication scheme that relies on them is also exposed. If the authentication process is initiated by an application and executed in the Android environment, and the security of that environment is low, then once an attacker compromises it (for example by obtaining root privileges), the attacker can plant Trojans or use similar means to steal and tamper with information in the user's identity authentication process and forge authentication results that do not match reality. In some cases the forged identity information is even used to carry out illegal activities, and the user's identity information is leaked.
Existing identity authentication schemes can authenticate by comparing the user image in the user's identity document with a user image obtained in real time, or by reading the identity information from the chip in the user's identity document. However, the former method has difficulty establishing whether the identity document is genuine, and worn surface information on the document or a poor image captured by the electronic device both make the authentication result inaccurate. In the latter scheme, the operating organization of the application is usually the party authorized to read the chip and perform authentication. If staff of the operating organization deliberately leak the authorization credential to an unauthorized organization, or an unauthorized organization steals the credential through reverse engineering, malicious debugging or similar means, the unauthorized organization may misuse the credential for improper gain. In addition, in the chip-reading approach the face comparison step of identity authentication runs inside an Android control within the Android system, or as part of an Android application, so the low security of the Android system itself can likewise lead to the user's identity information being maliciously tampered with and leaked.
由此,本發明實施例提供了一種資訊處理方法、裝置、設備及存儲介質,通過在可信執行環境(trusted execution environment,TEE)以及近場通信(near field communication,NFC)獲取用戶的待認證身份資訊的方式,來獲取可信任的用於表徵用戶身份的目標資訊如身份證件資訊,以避免偽造身份證件的問題,同時也避免了因拍照效果不佳或者拍攝硬體不足造成獲取到的目標資訊不準確,從而導致用戶身份認證結果不正確的問題。 Therefore, the embodiments of the present invention provide an information processing method, device, equipment and storage medium, which obtains the user's identity information to be authenticated in a trusted execution environment (TEE) and near field communication (NFC) to obtain trusted target information such as identity certificate information used to represent the user's identity, so as to avoid the problem of forging identity certificates, and also avoid the problem of inaccurate target information obtained due to poor photography effect or insufficient shooting hardware, thereby causing incorrect user identity authentication results.
In addition, obtaining the target information inside the TEE, and comparing there the first biometric information in the target information with the second biometric information in the captured user image, effectively prevents malicious software from intercepting the identity document information and replacing or tampering with it. At the same time, the TEE securely accesses the camera of the electronic device, which ensures the accuracy of the user image used for the comparison and prevents the injection of forged facial photos or videos.
For a better understanding of the present invention, the information processing method, apparatus, electronic device, server and storage medium according to the embodiments of the present invention are described in detail below with reference to FIG. 1 to FIG. 11. It should be noted that these embodiments are not intended to limit the scope of the disclosure of the present invention.
FIG. 1 is a schematic diagram of the information processing architecture of an embodiment of the information processing system provided by the present invention.
As shown in FIG. 1, the information processing system includes an electronic device 10, a server 20 and a near field communication chip 30, that is, a chip that supports near field communication, such as the chip in an identity document, a bank card or a prepaid card. With a communication link established between the electronic device 10 and the server 20, a first input for user identity authentication is received. In response to the first input, the electronic device 10 obtains, in the trusted execution environment and over near field communication, the user's identity information to be authenticated from the near field communication chip 30. The electronic device 10 determines, from the user's identity information to be authenticated, target information that represents the user's identity, the target information including the user's first biometric information; obtains a user image within a preset time period, the user image including the user's second biometric information; and determines the user identity authentication result for the identity information to be authenticated based on the result of comparing the first biometric information with the second biometric information.
Here, after the electronic device 10 obtains the user's identity information to be authenticated, it may instead send that information to the server 20. The server 20 then determines the target information that represents the user's identity from the identity information to be authenticated, determines the user identity authentication result using the user image captured by the electronic device 10, and returns the result to the electronic device 10 so that the electronic device 10 can display it to the user.
Based on the above architecture, the electronic device 10 and the server 20 are each described in detail below. As shown in FIG. 2, the electronic device 10 in the embodiment of the present invention may include an electronic device application 101, a trusted identity authentication service control item 102 and a trusted identity authentication service TA 103. The electronic device application 101 includes a trusted identity authentication service SDK 1011, where SDK stands for software development kit; the trusted identity authentication service TA 103 is a trusted application (TA).
Furthermore, the electronic device 10 has a trusted execution environment (TEE). The third-party application (APP) related to the trusted identity authentication service is provided by a platform that needs to carry out user authentication, such as a shopping application, or by an industry party, and it obtains the trusted identity authentication service capability by integrating the trusted identity authentication service SDK 1011. The trusted identity authentication service control item 102 runs on the electronic device as an independent application, and the trusted identity authentication service TA 103 runs in the TEE.
The server 20 in the embodiment of the present invention can run support and management platforms such as a trusted identity service platform. The trusted identity service platform may include an authoritative identity authentication module 201, a trusted identity authentication backend module 202 and a face authentication comparison module 203. The authoritative identity authentication module 201 interacts with the identity identification server of the identity identification platform to parse out the plaintext identity data of the user's identity information to be authenticated. The trusted identity service platform manages the third-party applications that access and use it, and can combine the authoritative identity authentication module 201 and the face authentication comparison module 203 to provide the business processing flow for the trusted identity authentication service control item 102.
Based on the structures of the electronic device 10 and the server 20 described above, the information processing method provided by the embodiment of the present invention is described in detail as follows.
As the above shows, existing identity document information, such as the user's identity document image and identity document number, is exposed to abuse, theft and malicious leakage. To ensure that identity document information is used securely and in compliance, the first requirement is that the identity document the user presents is genuine and physically with the user. Securely reading and parsing identity document information over NFC is therefore the technical basis of the embodiment of the present invention. Doing so has two prerequisites: first, secure transmission of the identity document information from the electronic device 10 through the server to the identity identification server; second, secure reading of the identity document information over NFC.
To address this, the embodiment of the present invention proposes a secure information interaction method from the electronic device to the server, based on the TEE security mechanism. First, the function of connecting to the identity identification server is given to the authoritative identity authentication module 201, and the server certificate granted by the identity identification server is provisioned in the server in advance; this server certificate indicates that the server has the authority to verify the user's identity information to be authenticated. Second, the target information data decryption authorization certificate provided by the identity identification server is securely downloaded to the trusted identity authentication service through the trusted application management platform (Trusted Application Management, TAM) corresponding to the electronic device. This closes the secure communication loop from the electronic device to the trusted identity service platform and on to the identity identification platform.
On this basis, when the electronic device receives the user's first input for user identity authentication, the trusted identity authentication service SDK 1011 and the trusted identity authentication service control item 102 in the device's Android and/or iOS system call the trusted identity authentication service TA 103 and start the collection and processing of the identity information to be authenticated. The TA then connects in a trusted manner to the trusted identity service platform and communicates with the trusted identity authentication backend module 202. Finally, the authoritative identity authentication module 201 verifies and parses the identity information to be authenticated.
On the one hand, this sidesteps the small size and limited capability of the TEE on electronic devices and lowers the hardware resources a device needs in order to read the identity information to be authenticated. On the other hand, the trusted identity authentication service TA generates a public-private key pair based on the electronic device's digital certificate, such as a root trust certificate. The device public key of this key pair is recorded on the trusted identity service platform together with the user address (UserId) and the unique identifier of the electronic device. When a particular electronic device is found to be at risk, the platform can quickly locate that device and stop it from further accessing the trusted identity service platform, which gives the platform effective support for device risk prevention and control. In addition, once the transmission of identity authentication information from the electronic device to the identity identification platform is secured, the system is able to securely accept the identity information to be authenticated for verification and parsing. The next step is the process of securely reading identity document information over NFC and securely connecting to the trusted identity service platform, which is described in detail with reference to FIG. 3.
FIG. 3 is a schematic diagram of the architecture of an application scenario of an embodiment of the information processing system provided by the present invention. As shown in FIG. 3, the near field communication chip is a chip that holds the user's identity information to be authenticated and supports NFC communication, for example a second-generation identity card. The electronic device 10 includes an NFC module and the trusted identity authentication service TA 103. The NFC module reads and transmits the user's identity information to be authenticated from the second-generation identity card. The trusted identity authentication service TA 103 runs in the TEE; when the second-generation identity card and the NFC module exchange Application Protocol Data Unit (APDU) commands, it identifies and compares the current IoT electronic device and determines the communication flow between NFC access and the second-generation identity card. For IoT electronic devices with severely limited resources that cannot carry a large computing load, such as wearable devices and smart door locks, the flow of the NFC communication has to be customized further: NFC access and the APDU command exchange with the second-generation identity card are executed inside the device TEE, while the generation and assembly of the identity card access APDU commands and the processing of the APDU responses are performed on the backend of the trusted identity authentication service. See FIG. 4 for details.
The server 20 runs the trusted identity service platform, which is the support and management platform for the information processing method based on the trusted identity authentication service. The trusted identity service platform may include an APDU instruction operation module and the authoritative identity authentication module 201. The APDU instruction operation module handles the generation and assembly of the second-generation identity card access APDU commands and their responses, and mainly interacts with the authoritative identity authentication module 201. The authoritative identity authentication module 201 interacts securely with the identity identification platform to determine the plaintext identity data of the user's identity information to be authenticated.
Based on the system architecture shown in FIG. 3, the embodiment of the present invention reads NFC information securely through the TEE and has the trusted identity authentication service TA 103 fully monitor read operations on the NFC from outside the device. When the trusted identity authentication service TA 103 receives a request to read an identity card, it securely calls the NFC module of the electronic device, executes the APDU instruction set according to the second-generation identity card specification, and passes back the identity information to be authenticated that is returned in response to the commands. The trusted identity authentication service TA 103 then sends the ciphertext of the received identity information to be authenticated to the authoritative identity authentication module 201 over the secure connection between the electronic device and the server. On receiving the ciphertext, the authoritative identity authentication module 201 establishes secure communication with the identity identification server. When the identity identification server has parsed the data, assembled it in the identity document attribute format into the original text string of the target information that represents the user's identity, and returned it, the trusted identity service platform sends the original text string of the target information back to the trusted identity authentication service TA 103. The trusted identity authentication service TA 103 can then use the previously stored target information data decryption authorization certificate of the authoritative identity identification agency, together with the original text string of the target information, to decrypt the identity information to be authenticated, such as the identity document number, the identity document image and the user's facial image in the identity document image, and obtain the target information, such as the user's facial image in the identity document image. In this process, the trusted identity authentication service TA 103 reads the identity information to be authenticated from the second-generation identity card over NFC and hands it to the authoritative identity authentication module 201, which processes it and parses out the plaintext identity data.
It should also be noted that the information processing method in the embodiment of the present invention can be executed on the electronic device alone, or on the electronic device and the server together. In some possible embodiments, for IoT electronic devices with severely limited resources that cannot carry a large computing load, such as wearable devices and smart door locks, the flow of the NFC communication has to be customized further. These devices are described with reference to FIG. 4. As shown in FIG. 4, for such resource-constrained IoT electronic devices, NFC access and the APDU command exchange with the identity document are executed inside the device TEE, while the generation and assembly of the identity document access APDU commands and the processing of the APDU responses are performed on the trusted identity service platform. That is, the embodiment reads NFC information securely through the TEE and has the trusted identity authentication service TA 103 fully monitor read operations on the NFC from outside the device. When the trusted identity authentication service TA 103 receives a request to read an identity card, it securely calls the NFC module of the electronic device, executes the near field communication commands of the APDU instruction set according to the second-generation identity card specification, and passes back the identity information to be authenticated that is returned in response to the commands; here, the commands in the APDU instruction set are determined by the server. The trusted identity authentication service TA 103 then sends the ciphertext of the received identity information to be authenticated to the authoritative identity authentication module 201 over the secure connection between the electronic device and the server. On receiving the ciphertext, the authoritative identity authentication module 201 establishes secure communication with the identity identification server, which parses the data, assembles it in the identity document attribute format into the original text string of the target information that represents the user's identity, and returns it to the authoritative identity authentication module 201. The authoritative identity authentication module 201 can then use the previously stored target information data decryption authorization certificate of the authoritative identity identification agency, together with the original text string of the target information, to decrypt the identity information to be authenticated, such as the identity document number, the identity document image and the user's facial image in the identity document image, and obtain the target information, such as the user's facial image in the identity document image. In this process, the trusted identity authentication service TA 103 reads the identity information to be authenticated from the second-generation identity card over NFC and hands it to the authoritative identity authentication module 201, which processes it and parses out the plaintext identity data.
When the communication flow between NFC access and the identity document is customized for an IoT electronic device, a suitable processing flow is chosen according to the device's performance, purpose and type. Smartphones, laptops and tablets, smart POS terminals, smart cars, self-service vending machines and self-service gates use the scheme in which NFC is called inside the TEE and the APDU command exchange with the second-generation identity card takes place there. Smart watches and bracelets, and smart door locks and access control devices, execute the APDU commands on the device, while the generation, assembly and processing of the APDU commands take place on the trusted identity service platform.
On this basis, when the electronic device receives the user's first input for user identity authentication, it responds by obtaining, in the trusted execution environment and over near field communication, the user's identity information to be authenticated, and sends that information to the server, where it is used to determine the user identity authentication result. The server receives the identity information to be authenticated from the electronic device. When it detects that the device type of the electronic device is a preset target device type, that is, a device such as a wearable device or smart door lock that cannot carry a large computing load, it obtains the target information that corresponds to the user's identity information to be authenticated and represents the user's identity; the target information includes the user's first biometric information. The electronic device then obtains a user image within a preset time period and sends it to the server; the user image is compared against the user's identity to be authenticated to determine the user identity authentication result. The server receives the user image from the electronic device and determines the user's second biometric information in it; determines the user identity authentication result for the identity information to be authenticated based on the result of comparing the first biometric information with the second biometric information; and sends that result to the electronic device. The electronic device receives the user identity authentication result from the server so that it can present the result to the user. Here, when determining the user's first biometric information, the server may send the electronic device a user image acquisition instruction, which instructs the electronic device to obtain the user image within the preset time period; the electronic device obtains the user image when it receives this instruction. Alternatively, the electronic device may obtain the user image when it receives a user image acquisition instruction from the user.
Furthermore, the electronic device can obtain the user's identity information to be authenticated by executing, in the trusted execution environment, the near field communication commands of the protocol data instruction set provided by the server.
When the server obtains the target information, it can do so through the following steps: based on the ciphertext of the identity information to be authenticated, determine the original text string of the target information that represents the user's identity, assembled in the identity document attribute format; then, based on the pre-stored target information data decryption authorization certificate and the original text string of the target information, decrypt the identity information to be authenticated to obtain the target information.
Furthermore, to determine the original text string, the server sends a protocol data instruction to the identity identification server, instructing it to assemble, in the identity document attribute format, the original text string of the target information that represents the user's identity; the server then receives the original text string of the target information from the identity identification server.
The embodiment of the present invention thus proposes an information processing method for trusted identity authentication based on TEE and NFC. Reading the identity information to be authenticated from the identity document through TEE-secured access to NFC yields reliable, trusted target information that represents the user's identity, and in some embodiments the TEE interacts with the trusted identity service platform running on the server. This avoids the problem of forged identity cards, avoids inaccurate target information caused by poor photographs, and improves the accuracy of identity authentication. Moving the target information data decryption authorization certificate for the identity information to be authenticated into the TEE eliminates the risk of that information being stolen by Trojan malware during the interaction between the electronic device and the server. In addition, accessing the camera securely from within the TEE ensures that the source of the user image used for the comparison, that is, the real-time user image, is trusted, and prevents the injection of forged facial photos or videos.
In addition, to address the severely limited hardware resources of some IoT electronic devices that support TEE and NFC, the embodiment of the present invention takes advantage of the higher transmission rate and lower latency of fourth-generation mobile communication technology (4G) and fifth-generation mobile networks (5G) to split the commands exchanged between NFC and the second-generation identity card. The part that obtains the user's identity information to be authenticated over near field communication is implemented on the electronic device and mainly handles the identity document APDU request/response exchange and the interaction protocol. The back-end part is moved to the server and is mainly responsible for generating and assembling the identity document access APDU commands and processing the APDU responses. Separating front end and back end in this way reduces the space that the NFC interaction protocol occupies on the electronic device, which makes the scheme better suited to IoT terminal devices with limited resources, such as wearables. Choosing, according to the category of the electronic device, whether the comparison result is determined on the electronic device or on the server keeps the identity card reading and face comparison functions available and adaptable when the TEE space on the electronic device is limited.
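The front-end/back-end APDU split described above, sketched as an added example (not code from the patent): the server builds the commands and processes the responses, while the device side only forwards bytes to the chip. The card is a constructed simulator, and the file identifier, file contents and class names are assumptions; the SELECT and READ BINARY encodings are the generic ISO 7816-4 ones, not the second-generation identity card's own command set.

```python
# Status words defined by ISO 7816-4.
SW_OK = b"\x90\x00"
SW_FILE_NOT_FOUND = b"\x6a\x82"
SW_NO_CURRENT_EF = b"\x69\x86"
SW_WRONG_PARAMS = b"\x6b\x00"
SW_INS_NOT_SUPPORTED = b"\x6d\x00"


class CardError(Exception):
    """Raised on the server when the chip answers with a non-success status word."""
    def __init__(self, sw: bytes):
        super().__init__(f"card returned status word {sw.hex().upper()}")
        self.sw = sw


def build_select(file_id: bytes) -> bytes:
    # CLA=00 INS=A4 P1=02 (select EF) P2=0C (no response data) Lc, then the file id
    return bytes([0x00, 0xA4, 0x02, 0x0C, len(file_id)]) + file_id


def build_read_binary(offset: int, length: int) -> bytes:
    # CLA=00 INS=B0 P1/P2=15-bit offset, Le=length (0x00 encodes 256)
    if not 0 <= offset <= 0x7FFF or not 1 <= length <= 256:
        raise ValueError("offset or length outside short-APDU range")
    return bytes([0x00, 0xB0, offset >> 8, offset & 0xFF, length & 0xFF])


class SimulatedCard:
    """Constructed stand-in for the NFC chip: one file holding opaque bytes."""
    def __init__(self, file_id: bytes, content: bytes):
        self.file_id, self.content, self.selected = file_id, content, False

    def transmit(self, apdu: bytes) -> bytes:
        ins = apdu[1] if len(apdu) >= 5 else None
        if ins == 0xA4:
            self.selected = apdu[5:5 + apdu[4]] == self.file_id
            return SW_OK if self.selected else SW_FILE_NOT_FOUND
        if ins == 0xB0:
            if not self.selected:
                return SW_NO_CURRENT_EF
            offset, le = (apdu[2] << 8) | apdu[3], apdu[4] or 256
            if offset >= len(self.content):
                return SW_WRONG_PARAMS
            return self.content[offset:offset + le] + SW_OK
        return SW_INS_NOT_SUPPORTED


class DeviceRelay:
    """Device-side (TEE) part: forwards server-built APDUs, interprets nothing."""
    def __init__(self, card: SimulatedCard):
        self.card, self.exchanges = card, 0

    def exchange(self, apdu: bytes) -> bytes:
        self.exchanges += 1
        return self.card.transmit(apdu)


class ApduServer:
    """Server-side part: generates and assembles commands, processes responses."""
    def __init__(self, relay: DeviceRelay, chunk: int = 16):
        self.relay, self.chunk = relay, chunk

    def read_file(self, file_id: bytes, length: int) -> bytes:
        sw = self.relay.exchange(build_select(file_id))
        if sw != SW_OK:
            raise CardError(sw)
        out = bytearray()
        while len(out) < length:
            want = min(self.chunk, length - len(out))
            resp = self.relay.exchange(build_read_binary(len(out), want))
            data, sw = resp[:-2], resp[-2:]
            if sw != SW_OK or not data:
                raise CardError(sw)  # stop at the first failed chunk
            out += data
        return bytes(out)


def demo():
    content = bytes(range(40))  # constructed stand-in for the chip's ciphertext
    relay = DeviceRelay(SimulatedCard(b"\x01\x01", content))
    recovered = ApduServer(relay).read_file(b"\x01\x01", len(content))
    return recovered == content, relay.exchanges


if __name__ == "__main__":
    print(demo())
```

All command construction and status-word handling lives in `ApduServer`; the device-side `DeviceRelay` holds no card logic, which is what keeps its footprint in a small TEE low.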
As described above, using the TEE to securely access NFC to read the user's identity information to be authenticated ensures that the source of the obtained identity card data is genuine and accurate, which guards against forged identity cards, while the trusted execution environment TEE prevents malware from intercepting the identity card data and replacing or tampering with it. In addition, the embodiment of the present invention is built on a secure closed loop between the TEE of the electronic device and the server, which ensures that information is uploaded as ciphertext, decrypted by the trusted identity authentication back end, and returned for use over the secure TEE channel, so it is applicable to more identity authentication scenarios.
Based on the above information processing architecture and application scenarios, the abnormal node identification method provided by the embodiment of the present invention is described in detail below with reference to Figure 5.
Figure 5 is a flow chart of an information processing method provided by an embodiment of the present invention.
As shown in Figure 5, the information processing method can be applied to the electronic device shown in Figure 1. The information processing method may specifically include the following steps:
First, in step 510, a first input for user identity authentication is received. Next, in step 520, in response to the first input, the user's identity information to be authenticated is obtained through near-field communication in a trusted execution environment. Then, in step 530, target information representing the user's identity is determined from the user's identity information to be authenticated, the target information including first biometric information of the user; and a captured user image is obtained within a preset time period, the user image including second biometric information of the user. Finally, in step 540, the user identity authentication result for the identity information to be authenticated is determined based on the result of comparing the first biometric information with the second biometric information.
Thus, by obtaining the user's identity information to be authenticated in the trusted execution environment TEE over near-field communication NFC, trustworthy target information representing the user's identity, such as identity document information, is obtained. This avoids the problem of forged identity documents, and also avoids incorrect user identity authentication results caused by inaccurate target information resulting from poor photo quality or inadequate camera hardware.
In addition, obtaining the target information inside the trusted execution environment TEE and comparing the first biometric information in the target information with the second biometric information in the captured user image effectively prevents malware from intercepting the identity document information and replacing or tampering with it. At the same time, securely accessing the camera of the electronic device through the trusted execution environment TEE ensures the accuracy of the user image used for comparison and prevents the injection of forged facial images or videos.
Based on this, the above steps are explained in detail below:
First, regarding step 320, the embodiment of the present invention provides at least the following two ways of obtaining the to-be-authenticated identity information of the user of the identity document.
In some possible embodiments, step 320 may specifically include:
In response to the first input,
when the data interaction environment satisfies the preset interaction environment, and in the trusted execution environment, reading the near-field communication chip through near-field communication to obtain the tag content of the near-field communication chip and the user identity identifier;
generating the user's identity information to be authenticated based on the tag content and the user identity identifier.
Further, before the step of reading the near-field communication chip through near-field communication to obtain the tag content of the near-field communication chip and the user identity identifier, the information processing method also includes:
detecting the data interaction environment with the near-field communication chip, the data interaction environment including the distance between the electronic device and the near-field communication chip and the contact duration between the electronic device and the near-field communication chip within the preset distance;
when the distance value meets the preset distance value and/or the contact duration meets the preset contact duration, determining that the data interaction environment satisfies the preset interaction environment.
In other possible embodiments, in response to the first input, a target near-field communication chip is determined in the trusted execution environment, where the data interaction environment between the near-field communication chip and the electronic device satisfies the preset near-field communication environment;
the target application protocol data corresponding to the target near-field communication chip is obtained through the preset correspondence between near-field communication chips and application protocol data;
the user's identity information to be authenticated is obtained according to the target application protocol data.
Here, to protect the user's information, the embodiment of the present invention obtains the target application protocol data corresponding to the target near-field communication chip according to the preset correspondence between near-field communication chips and application protocol data. For example, if the near-field communication chip is an identity document and the preset correspondence indicates that the electronic device may access the user's facial image in the identity document image, the electronic device can obtain the user's facial image in the identity document image. Similarly, if the preset correspondence indicates that the electronic device may access the identity document number, the identity document image and the identity document user identity information, the electronic device can obtain the identity document number, the identity document image and the identity document user identity information. The user's information is thus obtained according to the user's prior settings.
In addition, the preset correspondence between near-field communication chips and application protocol data in the embodiment of the present invention can be determined by the following steps. That is, before the step of obtaining the target application protocol data corresponding to the target near-field communication chip through the preset correspondence, the information processing method provided by the embodiment of the present invention also includes:
sending a permission request to the server, the permission request including the identity information of the electronic device and being used to obtain permission for the near-field communication chip;
receiving permission feedback information sent by the server, the permission feedback information including the permission for the electronic device to communicate with the near-field communication chip;
obtaining the preset correspondence between near-field communication chips and application protocol data according to the permission feedback information and the user's prior settings.
Next, regarding step 330, this step can be divided into two parts: one part determines the target information representing the user's identity, and the other obtains the captured user image. The two parts are explained separately.
First, the process of determining the target information in the embodiment of the present invention is as follows. Determining the target information representing the user's identity according to the user's identity information to be authenticated includes:
Step 3301, determining, according to the identity information to be authenticated, the identity information plaintext data of the identity information to be authenticated.
Further, step 3301 may specifically include:
Step 33011, sending an identity authentication request to the server, the identity authentication request including the identity information to be authenticated and being used to request the server to parse the identity information to be authenticated to obtain its identity information plaintext data;
Step 33012, receiving identity authentication feedback information sent by the server, the identity authentication feedback information including the identity information plaintext data of the identity information to be authenticated.
Step 3302, determining the first biometric information according to the identity information plaintext data and the target information data decryption authorization credential.
Here, the target information data decryption authorization credential can be determined according to the following steps, which may specifically include steps 33021 to 33023.
Step 33021, generating a device public-private key pair according to the digital certificate in the electronic device.
Step 33022, sending a user identity authentication initialization request to the server through the trusted identity authentication initialization interface. The user identity authentication initialization request includes the device public-private key pair, and is used to establish a secure communication link with the server and to perform key exchange over that link.
The trusted identity authentication initialization interface corresponding to the server can be obtained based on the pre-stored server public key.
Step 33023, receiving user identity authentication initialization feedback information from the server, the user identity authentication initialization feedback information including the target information data decryption authorization credential.
It should be noted that the user identity authentication initialization request also includes application information. The application information includes at least one of the following: an application identifier, signing certificate information and certificate fingerprint information. The application information is used to determine the execution environment for the user identity authentication result of the identity information to be authenticated.
Thus, based on the above, step 3302 in the embodiment of the present invention may specifically include: sending a biometric information request to the server, the biometric information request including the identity information plaintext data and the target information data decryption authorization credential, and being used to request the server to determine the first biometric information based on the identity information plaintext data and the target information data decryption authorization credential;
receiving biometric feedback information sent by the server, the biometric feedback information including the first biometric information encrypted with the device public key.
It should be noted that the embodiment of the present invention takes into account that some severely resource-constrained IoT electronic devices cannot determine the target information and the comparison result themselves. Therefore, before the step of sending the identity authentication request to the server, the method also includes:
sending the identity identifier of the electronic device to the server, the electronic identifier of the electronic device being used to determine whether the electronic device meets the conditions for identity authentication;
receiving identity identifier feedback information sent by the server;
when the identity identifier feedback information indicates that the electronic device does not meet the conditions for identity authentication, sending the identity authentication request to the server.
In addition to reading and parsing the user's identity information to be authenticated as described above, another key point of the embodiment of the present invention is comparing the parsed first biometric information, such as the user's facial image in the identity document image, with the second biometric information in the user image of the identity card holder. One key problem must be solved in this process: the user's current facial information differs from the photo captured when the identity document was issued. This may be due to the passage of time, the low accuracy of the original face capture equipment, or even an injury to the user's face. The facial information in the user's facial image from the parsed identity document image and in the holder's user image therefore needs to be optimized.
To this end, in addition to the image deblurring comparison method, the embodiment of the present invention proposes a feature model that is insensitive to image sharpness, namely the target identity document portrait feature model, which is used to improve the false reject rate (FRR) of face comparison.
Based on this, the other part of step 330, namely the process of obtaining the user image, specifically includes steps 3311 to 3313.
Step 3311, displaying a fixed portrait position area, which is used to obtain the image of the user's body part corresponding to the fixed portrait position area.
For example, as shown in Figure 6, the body part image is obtained through the fixed portrait position area. Conventional face recognition selects a large number of facial feature points for detection, which consumes considerable processing resources. Because TEE resources are limited, the embodiment of the present invention proposes using a fixed portrait position in the portrait capture interface of the electronic device: a fixed portrait position area is outlined in the capture interface to match the best position of the face, and some of the special processing for face rotation and alignment is dropped, so that the position of the face in the image can be located quickly and the positioning accuracy of the facial feature points is improved. After the face area is cropped, feature points with distinctive facial features are selected for detection, such as the eyes, nose, cheekbones, mouth, chin and forehead, in order to reduce the FRR of face comparison and keep the performance cost of processing such as face rotation and alignment within what the TEE environment can bear.
Step 3312, when a second input of the user capturing an image is received, obtaining the body part image to be processed.
Further, target feature points are selected from the multiple feature points of the body part through the fixed position area;
the body part image corresponding to the target feature points is obtained according to the target feature points.
In this way, when the portrait capture interface outlines the fixed portrait position area to match the best position of the face, some feature points related to face rotation can be discarded, so that the position of the face in the image can be located quickly and the positioning accuracy of the facial feature points is improved.
Step 3313, performing grayscale normalization on the body part image to be processed to obtain the user image.
Further, a first grayscale value of the body part image to be processed is obtained, the first grayscale value corresponding to a first grayscale level;
the body part image to be processed is adjusted by grayscale stretching according to the first grayscale level to obtain a user image having the first grayscale level.
Here, grayscale normalization can be applied to the face photo in the captured user image. Grayscale normalization is illumination compensation applied to the user image to overcome the effect of lighting changes. In the embodiment of the present invention, grayscale stretching can be used to expand the grayscale distribution of the original image so that the image covers the full range of gray levels. For example, a captured 8-bit grayscale image should have 256 gray levels, but because of lighting and other factors at capture time its gray levels are often concentrated in one or a few segments. In that case grayscale stretching can be used to expand the image to 256 gray levels. After illumination compensation and level mapping, the captured face photo becomes brighter and clearer, which is better for image comparison.
Further, grayscale normalization is performed according to the RGB color mode of the user image, using the following two formulas:
(1) Brightness is determined by formula (1):
D = R*0.3086 + G*0.6094 + B*0.0820 (1)
where D is the brightness, R is the red color channel, G is the green color channel, and B is the blue color channel.
(2) Level mapping is determined by formula (2):
D' = 0 + (D - 255*LOW) / (255*HIGH - 255*LOW) * 255 (2)
where D' is the mapped level, and 255*LOW and 255*HIGH are respectively the lowest point and the highest point of D in the histogram of the original user image.
As shown in Figure 7, a preliminary screening is performed based on the histogram of the original image. Images whose pixel distribution is clearly abnormal, such as those distributed mainly on the left of the x-axis, mainly on the right of the x-axis, or mainly within a very narrow interval, are treated directly as low-quality photos and receive no further processing. The image histogram is computed on the grayscale image: the x-axis is the gray value (generally 0 to 255) and the y-axis is the number of pixels at each gray level in the image.
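The following added example (not code from the patent) carries formulas (1) and (2) and the histogram pre-screening through on constructed pixel data. The screening thresholds and the percentile-based reading of "very narrow interval" are assumptions, since the page gives no numeric criteria.

```python
"""Grayscale normalization: formula (1), histogram pre-screening, formula (2)."""

# Assumed screening thresholds: the page names the rejected histogram shapes
# but gives no numbers for them.
LEFT_EDGE = 64        # gray levels below this count as the left of the x-axis
RIGHT_EDGE = 192      # gray levels from here up count as the right of the x-axis
SKEW_FRACTION = 0.90  # share of pixels that makes a histogram "mainly" one-sided
MIN_SPAN = 32         # minimum width of the 5th..95th percentile interval


def luminance(r, g, b):
    """Formula (1): D = R*0.3086 + G*0.6094 + B*0.0820."""
    return r * 0.3086 + g * 0.6094 + b * 0.0820


def to_gray(rgb_pixels):
    """Convert (R, G, B) tuples to integer gray levels 0..255."""
    return [min(255, max(0, round(luminance(r, g, b)))) for r, g, b in rgb_pixels]


def histogram(gray):
    """x-axis: gray level 0..255, y-axis: number of pixels at that level."""
    counts = [0] * 256
    for level in gray:
        counts[level] += 1
    return counts


def percentile_level(counts, fraction):
    """Lowest gray level at which the cumulative pixel count reaches fraction."""
    target = fraction * sum(counts)
    running = 0
    for level, n in enumerate(counts):
        running += n
        if running >= target:
            return level
    return 255


def screen(counts):
    """Return a rejection reason for a low-quality histogram, or None if usable."""
    total = sum(counts)
    if total == 0:
        return "empty"
    if percentile_level(counts, 0.95) - percentile_level(counts, 0.05) < MIN_SPAN:
        return "narrow"
    if sum(counts[:LEFT_EDGE]) / total >= SKEW_FRACTION:
        return "left"
    if sum(counts[RIGHT_EDGE:]) / total >= SKEW_FRACTION:
        return "right"
    return None


def stretch(gray):
    """Formula (2), with 255*LOW and 255*HIGH taken as min and max of D."""
    lo, hi = min(gray), max(gray)
    if hi == lo:
        raise ValueError("flat image: formula (2) would divide by zero")
    return [round((d - lo) / (hi - lo) * 255) for d in gray]


def normalize(rgb_pixels):
    """Screen first, then stretch. Returns (pixels, None) or (None, reason)."""
    gray = to_gray(rgb_pixels)
    reason = screen(histogram(gray))
    if reason is not None:
        return None, reason
    return stretch(gray), None


# Constructed sample inputs (flat pixel lists, not real captures).
WASHED_OUT = [(v, v, v) for v in range(90, 171)]   # usable but low contrast
DARK = [(v, v, v) for v in range(0, 40)]           # mainly left of the x-axis
BRIGHT = [(v, v, v) for v in range(210, 256)]      # mainly right of the x-axis
NARROW = [(v, v, v) for v in range(120, 130)]      # very narrow interval

if __name__ == "__main__":
    for name, sample in [("washed_out", WASHED_OUT), ("dark", DARK),
                         ("bright", BRIGHT), ("narrow", NARROW)]:
        pixels, reason = normalize(sample)
        print(name, "rejected: " + reason if reason else
              "stretched to %d..%d" % (min(pixels), max(pixels)))
```

Screening before stretching matters: formula (2) will expand any image with a non-zero range to 0..255, so a badly exposed capture would otherwise reach the comparison step looking normalized.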
Then, regarding step 340, based on the user image obtained in step 330, in some embodiments, before step 340, when the first biometric information includes an identity document image, the identity document image and the user image are compared through geometric normalization to obtain the comparison result of the first biometric information and the second biometric information.
In this way, to address the problem that the first biometric information on the identity document, such as the portrait picture, has few pixels and is hard to recognize, this proposal processes the captured live photo with geometric normalization and grayscale normalization, which raises the recognition rate when the face photo is compared with the image on the identity card and improves the false reject rate (FRR) of face comparison.
Further, this step may specifically include steps 3401 to 3403.
Step 3401, identifying the user's facial area in the identity document image to obtain the user facial image corresponding to the user's facial area;
Step 3402, proportionally enlarging or reducing the user facial image or the facial area in the user image, and calculating the feature values of the user image and the user facial image;
Step 3403, obtaining the comparison result of the first biometric information and the second biometric information according to at least one feature value.
For example, a geometric normalization algorithm is used to compare the first biometric information with the second biometric information. The face authentication comparison module in the trusted identity service platform finds the user's facial area in the identity document image by locating it with the face feature model, determines the face position in the user image according to the geometric normalization algorithm, and compares the feature values of the two. In determining the face position in the user image, the geometry of the face in the live face photo is proportionally enlarged or reduced for the comparison. Geometric normalization here means transforming the user's facial area in the identity document image and the face position in the user image to the same position and size according to the positioning result of the comparison target. The comparison steps provided by the embodiment of the present invention include:
Step 1, finding the area where the eyes and nose of the person in the identity document image are located through face model matching;
Step 2, setting the distance between the two eyes to D and its center point to O;
Step 3, determining the rectangular feature area according to the facial features and the geometric model: with O as the origin and the line through the two eyes as the x-axis, crop a distance d on each side, where d = D/2; along the y-axis crop 1.5d in the direction of the nose and 0.5d in the other direction, which finally crops out a square area;
Step 4, finding the area where the eyes and nose are located in the user image through the same face model matching;
Step 5, setting the distance between the two eyes in the user image to D' and its center point to O';
Step 6, determining the rectangular feature area according to the facial features and the geometric model: with O' as the origin and the line through the two eyes as the x-axis, crop a distance d' on each side, where d' = D'/2; along the y-axis crop 1.5d' in the direction of the nose and 0.5d' in the other direction, which finally crops out a square area;
Step 7, making the cropped identity document image and the cropped user image the same size by proportional stretching or scaling, for example with stretch ratio V = D'/D or reduction ratio V' = D/D'.
Step 8, extracting the feature values of the two cropped area images and comparing them, then converting the degree to which the two sets of feature values are equal into a similarity, which serves as the comparison result of the first biometric information and the second biometric information.
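Steps 2 to 7 above can be followed in this added example (not code from the patent), which crops the square feature region from each image and scales the identity document crop by V = D'/D. The eye coordinates are assumed to come from a separate landmark detector, the tilt tolerance and nearest-neighbour resampling are assumptions, and the images are constructed gradients.

```python
import math

# Assumed tolerance. The page drops rotation alignment and relies on the fixed
# portrait position, so this sketch rejects tilted faces instead of rotating.
MAX_TILT_DEG = 5.0


def crop_square(image, left_eye, right_eye):
    """Steps 2-3 (or 5-6): crop the square feature region around the eyes.

    image is a list of rows of gray levels; eyes are (x, y) with y growing
    downward, so the nose direction is +y. Returns (crop, eye_distance).
    """
    (x1, y1), (x2, y2) = left_eye, right_eye
    eye_distance = math.hypot(x2 - x1, y2 - y1)          # D
    if eye_distance == 0:
        raise ValueError("eye landmarks coincide")
    tilt = math.degrees(math.atan2(abs(y2 - y1), abs(x2 - x1)))
    if tilt > MAX_TILT_DEG:
        raise ValueError("face is not level; recapture in the fixed position")
    ox, oy = (x1 + x2) / 2, (y1 + y2) / 2                # O
    d = eye_distance / 2                                 # d = D/2
    side = round(2 * d)            # d on each side in x; 0.5d + 1.5d in y
    left = round(ox - d)
    top = round(oy - 0.5 * d)      # 0.5d away from the nose, 1.5d toward it
    height, width = len(image), len(image[0])
    if left < 0 or top < 0 or left + side > width or top + side > height:
        raise ValueError("feature region extends outside the image")
    crop = [row[left:left + side] for row in image[top:top + side]]
    return crop, eye_distance


def resize_nearest(square, size):
    """Proportionally scale a square crop to size x size (nearest neighbour)."""
    src = len(square)
    index = [min(src - 1, int(i * src / size)) for i in range(size)]
    return [[square[sy][sx] for sx in index] for sy in index]


def align(id_image, id_eyes, live_image, live_eyes):
    """Steps 2-7: return (scaled ID crop, live crop, V) with equal crop sizes."""
    id_crop, d_id = crop_square(id_image, *id_eyes)
    live_crop, d_live = crop_square(live_image, *live_eyes)
    v = d_live / d_id                                    # V = D'/D
    return resize_nearest(id_crop, len(live_crop)), live_crop, v


def make_gradient(width, height, kx, ky):
    """Constructed test image: gray level depends only on pixel position."""
    return [[(kx * x + ky * y) % 256 for x in range(width)] for y in range(height)]


# Constructed inputs: a small ID portrait and a larger live capture.
ID_IMAGE = make_gradient(40, 40, 3, 5)
ID_EYES = ((14, 16), (26, 16))          # D = 12
LIVE_IMAGE = make_gradient(100, 100, 7, 11)
LIVE_EYES = ((35, 40), (65, 40))        # D' = 30

if __name__ == "__main__":
    id_scaled, live_crop, v = align(ID_IMAGE, ID_EYES, LIVE_IMAGE, LIVE_EYES)
    print("V =", v, "crop size =", len(id_scaled), "x", len(id_scaled[0]))
```

Rejecting a crop that leaves the image or a tilted face keeps malformed inputs out of the step 8 feature extraction, where they would show up only as an unexplained low similarity.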
It should be noted that the image comparison process in the embodiment of the present invention can be as shown in steps 1 to 8 above. Here, the comparison result can be determined through the target identity document portrait feature model; that is, at least one feature value is input into the target identity document portrait feature model to obtain the comparison result of the first biometric information and the second biometric information. In addition, in some possible embodiments, the target identity document portrait feature model can be determined as follows. Because the identity document photo is small and its resolution is low, to improve the comparison accuracy of the target identity document portrait feature model, points with distinctive facial features are selected and feature points that are easily misdetected at low resolution are discarded, supplemented by training on a large number of identity card image samples. After each face comparison produces a result, identity card portrait feature values whose similarity exceeds N% (N is a positive number and can be configured for the application scenario) are selected to take part in iterative training of the model, which then yields a new target identity document portrait feature model.
Based on this, the embodiment of the present invention also provides a way of determining the target identity document portrait feature model, as follows:
The preset identity document portrait feature model is simplified according to the training feature values of the user's facial image in the target identity document to obtain the target identity document portrait feature model.
Based on the user image obtained in step 340, the embodiment of the present invention provides a process for determining the comparison result of the first biometric information and the second biometric information. That is, before step 340, the information processing method also includes:
encrypting the first biometric information and the second biometric information with a symmetric key to obtain encrypted biometric information;
sending an identity authentication result request to the server, the identity authentication result request including the encrypted biometric information and being used to request the server to calculate, from the first biometric information and the second biometric information, the biometric comparison result similarity of the two;
receiving identity authentication result feedback information sent by the server, the identity authentication result feedback information including the biometric comparison result similarity encrypted with the device public key;
decrypting the biometric comparison result similarity with the device private key to obtain the biometric comparison result similarity, which represents the comparison result of the first biometric information and the second biometric information.
Based on this, step 340 may specifically include: when the biometric comparison result similarity meets the preset similarity, determining that the user identity authentication of the identity information to be authenticated succeeds.
It should be noted that the target information in the embodiment of the present invention also includes at least one of the following: the identity document number, the identity document image, and identity document user identity information such as the user's name, gender, ethnicity, date of birth and address on the identity document. The first biometric information includes at least one of the following: the user's facial image in the identity document image, and the iris image of the user corresponding to the identity document.
Thus, the embodiments of the present invention propose an information processing method for trusted identity authentication based on a TEE and NFC. By having the TEE securely access NFC to read the to-be-authenticated identity information from the identity document, the method obtains reliable, trustworthy target information representing the user's identity; in some embodiments, the trusted execution environment (TEE) can also interact with the trusted identity service platform running on the server. This avoids the problem of forged identity cards and also avoids inaccurate target information caused by poor photographs, improving the accuracy of identity authentication. Migrating the target information data decryption authorization credential corresponding to the identity information to be authenticated into the TEE eliminates the problem that the identity information to be authenticated may be stolen by Trojan malware during the interaction between the electronic device and the server. In addition, securely accessing the camera from within the TEE ensures that the source of the user image used for comparison and authentication, that is, the real-time user image, is trustworthy, preventing the injection of forged face photos or videos.
In addition, to address the severely limited hardware resources of some IoT electronic devices that support TEE and NFC, the embodiments of the present invention exploit the higher transmission rate and lower latency of the 4th generation mobile communication technology (4G) and the 5th generation mobile communication technology (5G) to split the commands exchanged between NFC and the second-generation identity card. The part that obtains the user's to-be-authenticated identity information over near-field communication is implemented on the electronic device and mainly handles the identity document APDU request/response exchange and the interaction protocol; the back-end part is moved to the server and is mainly responsible for generating and assembling the identity document access APDU commands and processing the APDU responses. This front-end/back-end split reduces the space occupied by the NFC interaction protocol on the electronic device and makes the method better suited to resource-constrained IoT terminal devices such as wearable devices. The way the comparison result is determined, on the electronic device or on the server, is chosen according to the category of the electronic device, which keeps the identity card reading and face comparison functions usable and adaptable when the TEE space of the electronic device is limited.
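The front-end/back-end split described above can be sketched as follows. This is an added example, not code from the patent: it assumes generic ISO 7816-4 short APDUs (SELECT and READ BINARY) rather than the identity card's actual command set, and `DeviceFrontEnd`, `ServerBackEnd` and `SimulatedCard` are hypothetical names, with the card and its file content constructed for the demonstration.

```python
"""Added illustration of the device/server APDU split (not the patent's code)."""
from typing import Callable, Optional, Tuple

SW_OK = 0x9000


class CardError(Exception):
    """Raised by the back end when the card answers with a failure status word."""

    def __init__(self, sw: int):
        super().__init__(f"card returned SW={sw:04X}")
        self.sw = sw


def build_apdu(cla: int, ins: int, p1: int, p2: int,
               data: bytes = b"", le: Optional[int] = None) -> bytes:
    """Back end: assemble a short ISO 7816-4 command APDU."""
    if len(data) > 255:
        raise ValueError("short APDU carries at most 255 data bytes")
    apdu = bytes([cla, ins, p1, p2])
    if data:
        apdu += bytes([len(data)]) + data
    if le is not None:
        if not 1 <= le <= 256:
            raise ValueError("Le must be 1..256 for a short APDU")
        apdu += bytes([le % 256])  # Le byte 0x00 encodes 256
    return apdu


def parse_response(rapdu: bytes) -> Tuple[bytes, int]:
    """Back end: split a response APDU into (data, status word SW1SW2)."""
    if len(rapdu) < 2:
        raise ValueError("response APDU is shorter than its status word")
    return rapdu[:-2], int.from_bytes(rapdu[-2:], "big")


class DeviceFrontEnd:
    """Device (TEE) side: moves frames to and from the NFC chip, nothing else."""

    def __init__(self, nfc_transceive: Callable[[bytes], bytes]):
        self._nfc = nfc_transceive
        self.relayed = 0

    def relay(self, capdu: bytes) -> bytes:
        if not 4 <= len(capdu) <= 261:  # header only .. header + Lc + 255 + Le
            raise ValueError("not a short command APDU")
        self.relayed += 1
        return self._nfc(capdu)


class ServerBackEnd:
    """Server side: generates commands and interprets the card's responses."""

    def __init__(self, send_to_device: Callable[[bytes], bytes]):
        self._send = send_to_device

    def exchange(self, cla, ins, p1, p2, data=b"", le=None) -> bytes:
        body, sw = parse_response(self._send(build_apdu(cla, ins, p1, p2, data, le)))
        if le is not None and sw >> 8 == 0x6C:
            # Wrong Le: SW2 carries the exact length, so reissue once with it.
            exact = (sw & 0xFF) or 256
            body, sw = parse_response(
                self._send(build_apdu(cla, ins, p1, p2, data, exact)))
        if sw != SW_OK:
            raise CardError(sw)
        return body

    def read_file(self, file_id: bytes, length: int) -> bytes:
        self.exchange(0x00, 0xA4, 0x00, 0x0C, data=file_id)      # SELECT by file id
        return self.exchange(0x00, 0xB0, 0x00, 0x00, le=length)  # READ BINARY


class SimulatedCard:
    """Constructed stand-in for the NFC chip: one elementary file."""

    def __init__(self, file_id: bytes, content: bytes):
        self._file_id, self._content, self._selected = file_id, content, False

    def transceive(self, capdu: bytes) -> bytes:
        ins, p1, p2 = capdu[1], capdu[2], capdu[3]
        if ins == 0xA4:
            self._selected = capdu[5:5 + capdu[4]] == self._file_id
            return b"\x90\x00" if self._selected else b"\x6A\x82"  # file not found
        if ins == 0xB0 and self._selected:
            le, offset = capdu[4] or 256, (p1 << 8) | p2
            available = self._content[offset:]
            if le > len(available):
                return bytes([0x6C, len(available)])  # report the exact Le
            return available[:le] + b"\x90\x00"
        return b"\x69\x86"  # command not allowed


def demo() -> Tuple[bytes, int]:
    """Read the constructed file through the split; return (data, frames relayed)."""
    card = SimulatedCard(b"\x01\x01", b"constructed-id-record")
    device = DeviceFrontEnd(card.transceive)
    server = ServerBackEnd(device.relay)
    return server.read_file(b"\x01\x01", 256), device.relayed
```

The device class holds no command knowledge and no status-word handling; everything that has to change when the card's command set changes lives in the server class.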
In summary, having the TEE securely access NFC to read the user's to-be-authenticated identity information ensures that the source of the obtained identity card data is genuine and accurate, which guards against forged identity cards, while the trusted execution environment (TEE) prevents malware from intercepting the identity card data and replacing or tampering with it. In addition, the embodiments of the present invention are implemented on a secure closed loop between the TEE of the electronic device and the server, which ensures that the information is sent up as ciphertext, decrypted by the trusted identity authentication back end, and returned for use over the secure TEE channel, making the method applicable to more identity authentication scenarios.
To better explain the above information processing method, it is described in detail below with reference to the architecture shown in Figures 1 and 2. The following example explains the method through the two processes in Figures 8 and 9: Figure 8 shows the trusted identity authentication initialization process provided by an embodiment of the present invention, and Figure 9 shows the trusted identity authentication comparison process provided by an embodiment of the present invention, as detailed below.
When the third-party application is, for example, a consumer application, it must first integrate the trusted identity authentication service SDK; the trusted identity authentication service control must be installed on the electronic device on which the third-party application runs; and the trusted identity authentication service TA must be installed into the device's TEE through the Trusted Application Management (TAM) corresponding to that electronic device. The third-party application's application identifier (AppId), signing certificate information and certificate fingerprint information must then be registered on the trusted identity service platform.
As shown in Figure 8, the trusted identity authentication initialization process in the resource processing method may include steps 801 to 813, as follows.
Step 801: the electronic device receives a trusted identity authentication initialization operation initiated by the user for application A.
Step 802: application A sends a trusted identity authentication initialization request to the integrated trusted identity authentication service SDK, passing in the transaction element Context. The transaction elements are listed in Table 4.
Step 803: through the Context, the trusted identity authentication service SDK obtains application A's AppId, signing certificate information and certificate fingerprint information, and calls the trusted identity authentication initialization interface of the trusted identity authentication service control, passing in the transaction elements: application A's AppId, signing certificate information and certificate fingerprint information.
Step 804: the trusted identity authentication service control calls the initialization interface of the trusted identity authentication service TA, passing in the transaction elements AppId, signing certificate information and certificate fingerprint information.
Step 805: the trusted identity authentication service TA generates a device public/private key pair based on the device root trust certificate.
Step 806: the trusted identity authentication service TA sends a request to the trusted identity service platform, passing in application A's AppId, signing certificate information and certificate fingerprint information.
Step 807: the server public key of the trusted identity service platform is preset in the trusted identity authentication service TA. The TA establishes a secure connection with the trusted identity service platform using the server public key, negotiates a session key using the device public key and the platform's server public key, and uses the negotiated session key for subsequent interactions.
The trusted identity authentication service TA encrypts application A's AppId, signing certificate information and certificate fingerprint information with the session key and transmits them to the trusted identity service platform.
Step 808: the trusted identity service platform decrypts with the session key and verifies whether application A's AppId, signing certificate information and certificate fingerprint information match those previously registered on the platform. If verification passes, it may return to the trusted identity authentication service TA the ciphertext, encrypted with the device public key, of the target information data decryption authorization credential of the identity verification platform, such as the identity authentication service of an agency under the Ministry of Public Security.
Step 809: after receiving the response, the trusted identity authentication service TA verifies the validity of the message carrying the ciphertext of the target information data decryption authorization credential. If the message is valid, the TA decrypts the ciphertext with the device private key and stores the identity verification platform's target information data decryption authorization credential in the TA.
Step 810: the trusted identity authentication service TA returns the operation result corresponding to the trusted identity authentication initialization operation to the trusted identity authentication service control.
Step 811: the trusted identity authentication service control returns the operation result corresponding to the trusted identity authentication initialization operation to the trusted identity authentication service SDK.
Step 812: the trusted identity authentication service SDK returns the trusted identity authentication initialization result to application A.
Step 813: application A displays the trusted identity authentication initialization result to the user through the electronic device.
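The platform-side check in step 808, as an added example that is not code from the patent. It assumes the certificate fingerprint is a hex SHA-256 digest of the signing certificate and that the signing certificate information is a subject string; `AppRegistration`, `verify_init_request` and the sample registry are hypothetical and constructed for the demonstration.

```python
"""Added illustration of the step 808 registration check (not the patent's code)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AppRegistration:
    """Record entered on the platform before any device runs initialization."""
    app_id: str
    signing_cert_info: str  # assumed: the signing certificate's subject string
    cert_fingerprint: str   # assumed: lowercase hex SHA-256 of the certificate


def fingerprint_of(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


def normalize_fingerprint(value: str) -> Optional[str]:
    """Accept 'AA:BB:..' or 'aabb..'; return lowercase hex, or None if malformed."""
    cleaned = value.replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        return None
    return cleaned


# Compared against when the AppId is unknown, so unknown and mismatching
# requests follow the same path and get the same answer.
PLACEHOLDER = AppRegistration("", "", "0" * 64)


def verify_init_request(registry: Dict[str, AppRegistration], app_id: str,
                        signing_cert_info: str, cert_fingerprint: str) -> bool:
    """Return True only if all three transaction elements match the registration.

    The caller releases the authorization credential (wrapped under the device
    public key) only on True, and reports one generic failure otherwise.
    """
    presented = normalize_fingerprint(cert_fingerprint)
    record = registry.get(app_id)
    reference = record if record is not None else PLACEHOLDER
    fp_ok = hmac.compare_digest((presented or "").encode(),
                                reference.cert_fingerprint.encode())
    info_ok = hmac.compare_digest(signing_cert_info.encode("utf-8"),
                                  reference.signing_cert_info.encode("utf-8"))
    return record is not None and presented is not None and fp_ok and info_ok


def demo() -> List[bool]:
    cert = b"constructed certificate bytes for application A"
    fp = fingerprint_of(cert)
    registry = {"app-a": AppRegistration("app-a", "CN=Example App A", fp)}
    colon_upper = ":".join(fp[i:i + 2] for i in range(0, 64, 2)).upper()
    other_fp = fingerprint_of(b"constructed certificate of a repackaged build")
    return [
        verify_init_request(registry, "app-a", "CN=Example App A", colon_upper),
        verify_init_request(registry, "app-a", "CN=Example App A", other_fp),
        verify_init_request(registry, "app-b", "CN=Example App A", fp),
        verify_init_request(registry, "app-a", "CN=Example App A", "not-a-hash"),
        verify_init_request(registry, "", "", "0" * 64),
    ]
```

The last case shows why the placeholder record alone never authorizes anything: an empty AppId with an all-zero fingerprint matches the placeholder's fields but is still rejected because no registration exists.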
With trusted identity authentication initialization or registration completed as above, the trusted identity authentication comparison process in the resource processing method provided by an embodiment of the present invention is described in detail with reference to Figure 9.
As shown in Figure 9, the trusted identity authentication comparison process in the resource processing method may include steps 901 to 916, as follows.
Step 901: the electronic device receives a trusted identity authentication comparison operation initiated by the user for application A.
Step 902: application A sends a trusted identity authentication comparison request to the integrated trusted identity authentication service SDK, passing in the transaction element, the to-be-authenticated identity information UserId; for the transaction elements, see Figure 4.
Step 903: the trusted identity authentication service SDK calls the authentication comparison interface of the trusted identity authentication service control, passing in the transaction element, the to-be-authenticated identity information UserId.
Step 904: the trusted identity authentication service control calls the authentication comparison interface of the trusted identity authentication service TA.
Step 905: the trusted identity authentication service TA accesses the device's NFC module so that the electronic device displays the identity card tap interface.
Step 906: the electronic device obtains the identity information to be authenticated from the near-field communication chip; the NFC module returns the identity information to be authenticated to the trusted identity authentication service TA, and the TA sends it to an authoritative identity authentication module, such as the identity authentication service platform of an agency under the Ministry of Public Security.
Step 907: the authoritative identity authentication module processes the received identity information to be authenticated and returns the processed plaintext data of the identity information to be authenticated to the trusted identity authentication service TA.
Step 908: the trusted identity authentication service TA sends the authoritative identity authentication module's target information data decryption authorization credential and the plaintext of the identity information to be authenticated to the trusted identity service platform.
Step 909: the trusted identity service platform obtains the target information through the authoritative identity authentication module; the target information includes the user's facial image in the identity document image. The platform encrypts it with the device public key and returns it to the trusted identity authentication service TA.
Step 910: the trusted identity authentication service TA securely accesses the camera of the electronic device to obtain the user image.
Step 911: the trusted identity authentication service TA encrypts, with a symmetric key, the user's facial image in the identity document image and the user image decrypted using the device private key, and submits them to the trusted identity service platform.
Step 912: the trusted identity service platform decrypts with the symmetric key to obtain the face image in the user image, compares the face image in the user image with the user's facial image in the identity document image following the preprocessing process, and returns the biometric comparison result similarity encrypted with the device public key.
Step 913: the trusted identity authentication service TA decrypts the biometric comparison result similarity with the device private key and returns it to the trusted identity authentication service control.
Step 914: the trusted identity authentication service control returns the biometric comparison result similarity to the trusted identity authentication service SDK.
Step 915: the trusted identity authentication service SDK returns the biometric comparison result similarity to application A.
Step 916: application A displays to the user the user identity authentication result, for the identity information to be authenticated, that corresponds to the biometric comparison result similarity.
It should be noted that the life cycle of operations based on the trusted identity authentication service may include the trusted identity authentication service initialization function, the trusted identity authentication service registration function, the trusted identity authentication function, the trusted identity person-to-document comparison function and the trusted identity authentication service logout function. Trusted identity authentication service initialization is performed first; once initialization verification passes, the trusted identity authentication registration, person-to-document comparison and deregistration operations can be performed.
Thus, the embodiments of the present invention propose an information processing method for trusted identity authentication based on a TEE and NFC. By having the TEE securely access NFC to read the to-be-authenticated identity information from the identity document, the method obtains reliable, trustworthy target information representing the user's identity; in some embodiments, the trusted execution environment (TEE) can also interact with the trusted identity service platform running on the server. This avoids the problem of forged identity cards and also avoids inaccurate target information caused by poor photographs, improving the accuracy of identity authentication. Migrating the target information data decryption authorization credential corresponding to the identity information to be authenticated into the TEE eliminates the problem that the identity information to be authenticated may be stolen by Trojan malware during the interaction between the electronic device and the server. In addition, securely accessing the camera from within the TEE ensures that the source of the user image used for comparison and authentication, that is, the real-time user image, is trustworthy, preventing the injection of forged face photos or videos.
In addition, to address the severely limited hardware resources of some IoT electronic devices that support TEE and NFC, the embodiments of the present invention exploit the higher transmission rate and lower latency of the 4th generation mobile communication technology (4G) and the 5th generation mobile communication technology (5G) to split the commands exchanged between NFC and the second-generation identity card. The part that obtains the user's to-be-authenticated identity information over near-field communication is implemented on the electronic device and mainly handles the identity document APDU request/response exchange and the interaction protocol; the back-end part is moved to the server and is mainly responsible for generating and assembling the identity document access APDU commands and processing the APDU responses. This front-end/back-end split reduces the space occupied by the NFC interaction protocol on the electronic device and makes the method better suited to resource-constrained IoT terminal devices such as wearable devices. The way the comparison result is determined, on the electronic device or on the server, is chosen according to the category of the electronic device, which keeps the identity card reading and face comparison functions usable and adaptable when the TEE space of the electronic device is limited.
In summary, having the TEE securely access NFC to read the user's to-be-authenticated identity information ensures that the source of the obtained identity card data is genuine and accurate, which guards against forged identity cards, while the trusted execution environment (TEE) prevents malware from intercepting the identity card data and replacing or tampering with it. In addition, the embodiments of the present invention are implemented on a secure closed loop between the TEE of the electronic device and the server, which ensures that the information is sent up as ciphertext, decrypted by the trusted identity authentication back end, and returned for use over the secure TEE channel, making the method applicable to more identity authentication scenarios.
Based on the same inventive concept, the present invention also provides an information processing device, described in detail below with reference to Figure 10.
Figure 10 is a schematic structural diagram of an embodiment of an information processing device based on an electronic device according to the present invention.
In some embodiments of the present invention, the device shown in Figure 10 may be provided in the electronic device shown in Figure 1.
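As shown in Figure 10, the information processing device 100 may specifically include:
a receiving module 1001, configured to receive a first input for user identity authentication;
an acquisition module 1002, configured to, in response to the first input, obtain the user's identity information to be authenticated through near-field communication in a trusted execution environment;
a processing module 1003, configured to determine, based on the user's identity information to be authenticated, target information representing the user's identity, the target information including first biometric information of the user; and to obtain a captured user image within a preset time period, the user image including second biometric information of the user;
a determination module 1004, configured to determine the user identity authentication result for the identity information to be authenticated based on the comparison result between the first biometric information and the second biometric information.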
Thus, obtaining the user's identity information to be authenticated through the trusted execution environment (TEE) and near-field communication (NFC) yields trustworthy target information representing the user's identity, such as identity document information. This avoids the problem of forged identity documents and also avoids incorrect user identity authentication results caused by inaccurate target information due to poor photographs or inadequate camera hardware.
In addition, obtaining the target information in the TEE and comparing the first biometric information in the target information with the second biometric information in the captured user image effectively prevents malware from intercepting the identity document information and replacing or tampering with it. At the same time, securely accessing the camera of the electronic device through the TEE ensures the accuracy of the user image used for comparison and authentication and prevents the injection of forged face photos or videos.
The information processing device 100 in the embodiments of the present invention is described in detail below.
In some embodiments of the present invention, the acquisition module 1002 may be specifically configured to, in response to the first input:
when the data interaction environment meets a preset interaction environment and in the trusted execution environment, read the near-field communication chip through near-field communication to obtain the tag content of the near-field communication chip and the user identifier;
generate the user's identity information to be authenticated based on the tag content and the user identifier.
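Further, the information processing device 100 may also include a detection module, configured to detect the data interaction environment with the near-field communication chip, where the data interaction environment includes the distance between the electronic device and the near-field communication chip and/or the contact duration between the electronic device and the near-field communication chip within a preset distance;
when the distance meets a preset distance value and/or the contact duration meets a preset contact duration, it is determined that the data interaction environment meets the preset interaction environment.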
In addition, the acquisition module 1002 may be specifically configured to:
in response to the first input, determine, in the trusted execution environment, a target near-field communication chip whose data interaction environment with the electronic device meets a preset near-field communication environment;
obtain the target application protocol data corresponding to the target near-field communication chip through a preset correspondence between near-field communication chips and application protocol data;
obtain the user's identity information to be authenticated according to the target application protocol data.
In some embodiments of the present invention, the processing module 1003 may be specifically configured to determine, based on the identity information to be authenticated, the identity information plaintext data of the identity information to be authenticated;
and to determine the first biometric information based on the identity information plaintext data and the target information data decryption authorization credential.
Further, the information processing device 100 in the embodiments of the present invention may also include a sending module. The sending module is configured to send an identity authentication request to the server, where the identity authentication request includes the identity information to be authenticated and is used to request the server to parse the identity information to be authenticated to obtain its identity information plaintext data;
the receiving module 1001 receives identity authentication feedback information sent by the server, where the identity authentication feedback information includes the identity information plaintext data of the identity information to be authenticated.
In some possible embodiments, the sending module may also be configured to send the identifier of the electronic device to the server, where the electronic identifier of the electronic device is used to determine whether the electronic device meets the conditions for identity authentication;
the receiving module 1001 is further configured to receive identifier feedback information sent by the server;
the sending module may also be configured to send the identity authentication request to the server when the identifier feedback information indicates that the electronic device does not meet the conditions for identity authentication.
In some possible embodiments, the information processing device 100 may also include a generation module, configured to generate a device public/private key pair based on the digital certificate in the electronic device. On this basis, the sending module may also be configured to send a user identity authentication initialization request to the server through the trusted identity authentication initialization interface, where the user identity authentication initialization request includes the device public/private key pair and is used to establish a secure communication connection with the server and to exchange keys over that connection; the receiving module 1001 is further configured to receive the server's user identity authentication initialization feedback information, which includes the target information data decryption authorization credential.
In some possible embodiments, the acquisition module may also be configured to obtain, based on the server public key, the trusted identity authentication initialization interface corresponding to the server.
The user identity authentication initialization request in the embodiments of the present invention also includes application information, which includes at least one of the following: an application identifier, signing certificate information and certificate fingerprint information, where the application information is used to determine the execution environment for the user identity authentication result of the identity information to be authenticated.
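In some possible embodiments, the processing module 1003 may be specifically configured to send a biometric information request to the server, where the biometric information request includes the identity information plaintext data and the target information data decryption authorization credential and is used to request the server to determine the first biometric information based on them;
and to receive biometric feedback information sent by the server, where the biometric feedback information includes the first biometric information encrypted with the device public key.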
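In some possible embodiments, the information processing device 100 may also include a display module, configured to display a fixed portrait position area, which is used to obtain an image of the user's body part corresponding to the fixed portrait position area. The acquisition module 1002 may be specifically configured to, upon receiving a second input by which the user captures an image, obtain the body-part image to be processed through the fixed position area; the processing module 1003 may be specifically configured to perform grayscale normalization on the body-part image to be processed to obtain the user image.
The acquisition module 1002 may be specifically configured to select target feature points from multiple feature points of the body part through the fixed position area;
and to obtain the body-part image corresponding to the target feature points according to the target feature points.
The processing module 1003 may be specifically configured to obtain a first gray value of the body-part image to be processed, where the first gray value corresponds to a first gray level;
and to adjust the body-part image to be processed by grayscale stretching according to the first gray level, obtaining a user image with the first gray level.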
In some possible embodiments, the determination module 1004 may be specifically configured to, when the first biometric information includes an identity document image, compare the identity document image and the user image through geometric normalization to obtain the comparison result between the first biometric information and the second biometric information.
The determination module 1004 may be specifically configured to identify the user's facial area in the identity document image to obtain the user facial image corresponding to that area;
to proportionally enlarge or reduce the user facial image or the facial area in the user image, and calculate feature values of the user image and the user facial image;
and to obtain the comparison result between the first biometric information and the second biometric information according to at least one feature value.
Further, the determination module 1004 may be specifically configured to input at least one feature value into a target identity document portrait feature model to obtain the comparison result between the first biometric information and the second biometric information.
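In some possible embodiments, the information processing device 100 in the embodiment of the present invention may further include a simplification module, used to simplify a preset identity document portrait feature model according to the training feature values of the user facial image in the target identity document, to obtain the target identity document portrait feature model. The information processing device 100 in the embodiment of the present invention may further include an encryption module, used to encrypt the first biometric information and the second biometric information with a symmetric key to obtain encrypted biometric information;
The sending module in the embodiment of the present invention is further used to send an identity authentication result request to the server, where the identity authentication result request includes the encrypted biometric information and is used to request the server to calculate, based on the first biometric information and the second biometric information, the biometric comparison result similarity of the first biometric information and the second biometric information;
The receiving module 1001 in the embodiment of the present invention is further used to receive identity authentication result feedback information sent by the server, where the identity authentication result feedback information includes the biometric comparison result similarity encrypted with the device public key;
The processing module 1003 in the embodiment of the present invention is further used to decrypt the encrypted biometric comparison result similarity with the device private key to obtain the biometric comparison result similarity, where the biometric comparison result similarity is used to represent the comparison result of the first biometric information and the second biometric information.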
In some possible embodiments, the determination module 1004 in the embodiment of the present invention may specifically be used to determine that the user identity authentication of the identity information to be authenticated succeeds when the biometric comparison result similarity meets the preset similarity.
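The encrypted request and feedback exchange described in the preceding paragraphs, shown from both the device side and the server side, as an added Go example that is not code from the patent. Assumptions the patent text does not state: AES-256-GCM as the symmetric cipher with a session key already shared with the server, RSA-OAEP for the device key pair, an OAEP label that binds the feedback to one request so that feedback replayed against another request is rejected, a stand-in similarity metric, and all function names and feature values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math"
)

// newSession: constructed AES-256-GCM session key (assumed shared) and device RSA keys.
func newSession() (cipher.AEAD, *rsa.PrivateKey, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, nil, err
	}
	block, _ := aes.NewCipher(key)  // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	return aead, priv, err
}

// deviceRequest encrypts both equal-length templates under the session key.
func deviceRequest(aead cipher.AEAD, first, second []byte) ([]byte, error) {
	if len(first) == 0 || len(first) != len(second) {
		return nil, fmt.Errorf("templates must be non-empty and of equal length")
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, append(append([]byte{}, first...), second...), nil), nil
}

// serverCompare decrypts the request, scores the templates (1 minus the mean absolute
// difference, a stand-in metric) and encrypts the score under a request-bound OAEP label.
func serverCompare(aead cipher.AEAD, req []byte, pub *rsa.PublicKey) ([]byte, error) {
	if len(req) < aead.NonceSize() {
		return nil, fmt.Errorf("short request")
	}
	pt, err := aead.Open(nil, req[:aead.NonceSize()], req[aead.NonceSize():], nil)
	if err != nil || len(pt) == 0 || len(pt)%2 != 0 {
		return nil, fmt.Errorf("request rejected: %v", err)
	}
	score := 1.0
	for i, h := 0, len(pt)/2; i < h; i++ {
		score -= math.Abs(float64(pt[i])-float64(pt[h+i])) / (255 * float64(h))
	}
	buf := binary.BigEndian.AppendUint64(nil, math.Float64bits(score))
	label := sha256.Sum256(req)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, buf, label[:])
}

// deviceDecide decrypts the feedback and applies the preset similarity.
func deviceDecide(priv *rsa.PrivateKey, req, resp []byte, preset float64) (bool, error) {
	label := sha256.Sum256(req)
	buf, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, resp, label[:])
	if err != nil || len(buf) != 8 {
		return false, fmt.Errorf("similarity feedback rejected: %v", err)
	}
	return math.Float64frombits(binary.BigEndian.Uint64(buf)) >= preset, nil
}

func main() {
	aead, priv, err := newSession()
	if err != nil {
		panic(err)
	}
	req, _ := deviceRequest(aead, []byte{12, 200, 45, 90}, []byte{14, 198, 44, 92}) // constructed
	resp, _ := serverCompare(aead, req, &priv.PublicKey)
	fmt.Println(deviceDecide(priv, req, resp, 0.95))
}
```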
It should be noted that the target information mentioned above further includes at least one of the following: an identity document number, an identity document image; the first biometric information includes at least one of the following: the user facial image in the identity document image, the iris image of the user corresponding to the identity document.
Thus, by obtaining the user's identity information to be authenticated in the trusted execution environment (TEE) and through near field communication (NFC), trusted target information that represents the user's identity, such as identity document information, is obtained, which avoids the problem of forged identity documents. It also avoids the problem of an incorrect user identity authentication result caused by inaccurate target information obtained through poor photography or insufficient camera hardware.
In addition, by obtaining the target information in the TEE and comparing, in the TEE, the first biometric information in the target information with the second biometric information in the captured user image, the problem of malicious software intercepting the identity document information, and of that information being replaced and tampered with, is effectively prevented. At the same time, the camera of the electronic device is accessed securely through the TEE, which ensures the accuracy of the user image used for comparison and authentication and prevents the injection of forged facial photos or videos.
It should be noted that the information processing device 100 shown in FIG. 10 can perform each step of the information processing method embodiments shown in FIGS. 1 to 9 and achieve each process and effect of the method embodiments shown in FIGS. 1 to 9, which will not be repeated here.
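Based on the same inventive concept, the present invention also provides an information processing device based on electronic devices, such as wearable devices and smart door locks, that cannot carry a large computational load. This is described in detail with reference to FIG. 11.
FIG. 11 is a schematic structural diagram of another embodiment of the electronic-device-based information processing device provided by the present invention.
In some embodiments of the present invention, the device shown in FIG. 11 may be installed in wearable devices, smart door locks and other information processing devices that cannot carry a large computational load.
As shown in FIG. 11, the information processing device 1100 may specifically include:
a receiving module 1110, used to receive a first input for user identity authentication;
an acquisition module 1120, used to obtain, in response to the first input, the user's identity information to be authenticated through near field communication in a trusted execution environment;
a sending module 1130, used to send the user's identity information to be authenticated to the server, where the user's identity information to be authenticated is used to determine the user identity authentication result of the identity information to be authenticated;
The sending module 1130 is further used to obtain a user image within a preset time period and send the user image to the server, where the user image is used for comparison with the user's identity to be authenticated to determine the user identity authentication result;
The receiving module 1110 is further used to receive the user identity authentication result of the identity information to be authenticated sent by the server.
In addition, the acquisition module 1120 provided in the embodiment of the present invention is specifically used to obtain the user's identity information to be authenticated in the trusted execution environment by executing the near field communication instructions in a protocol data instruction set, where the near field communication instructions are determined by the server.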
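Based on the same inventive concept, the present invention also provides a server. This is described in detail with reference to FIG. 12.
FIG. 12 is a schematic structural diagram of an embodiment of the server-based information processing device provided by the present invention.
In some embodiments of the present invention, as shown in FIG. 12, the information processing device 1200 may specifically include:
a receiving module 1210, used to receive the user's identity information to be authenticated sent by the electronic device;
an acquisition module 1220, used to obtain, upon detecting that the user's identity information to be authenticated is used to determine the user identity authentication result of the identity information to be authenticated, target information that corresponds to the user's identity information to be authenticated and represents the user's identity, where the target information includes first biometric information of the user;
The receiving module 1210 is further used to receive the user image sent by the electronic device;
a determination module 1230, used to determine the user identity authentication result of the identity information to be authenticated based on the comparison result of the first biometric information and the second biometric information in the user image;
The sending module 1240 is further used to send the user identity authentication result to the electronic device.
Here, the acquisition module 1220 in the embodiment of the present invention is specifically used to determine a protocol data instruction according to the ciphertext information of the identity information to be authenticated, where the protocol data instruction is used to indicate the original text string of the target information that represents the user's identity, spliced and assembled according to the identity document attribute format;
and to decrypt the identity information to be authenticated according to a pre-stored target information data decryption authorization credential and the original text string of the target information, to obtain the target information.
Furthermore, the sending module 1230 may also be used to send the protocol data instruction to an identity verification server, where the protocol data instruction is used to indicate the original text string of the target information that represents the user's identity, spliced and assembled by the identity verification server according to the identity document attribute format; on this basis, the receiving module 1210 may also be used to receive the original text string of the target information sent by the identity verification server.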
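Based on the same inventive concept, the present invention also provides an information processing device. This is described in detail with reference to FIG. 13.
FIG. 13 shows a schematic diagram of the hardware structure of the information processing device provided by the embodiment of the present invention.
As shown in FIG. 13, the information processing device 1300 may include the electronic device or the server involved in the embodiments of the present invention. The information processing device 1300 may include a processor 1301 and a memory 1302 storing computer program instructions.
Specifically, the processor 1301 may include a central processing unit (CPU) or an application-specific integrated circuit (ASIC), or may be configured as one or more integrated circuits that implement the embodiments of the present invention.
The memory 1302 may include mass storage for data or instructions. By way of example and not limitation, the memory 1302 may include a hard disk drive (HDD), a floppy disk drive, flash memory, an optical disc, a magneto-optical disc, magnetic tape, or a Universal Serial Bus (USB) drive, or a combination of two or more of these. Where appropriate, the memory 1302 may include removable or non-removable (or fixed) media. Where appropriate, the memory 1302 may be internal or external to the integrated gateway disaster recovery device. In a particular embodiment, the memory 1302 is non-volatile solid-state memory. In a particular embodiment, the memory 1302 includes read-only memory (ROM). Where appropriate, the ROM may be mask-programmed ROM, programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), electrically alterable read-only memory (EAROM), or flash memory, or a combination of two or more of these.
The processor 1301 reads and executes the computer program instructions stored in the memory 1302 to implement any one of the information processing methods in the above embodiments.
In one example, the data processing device may further include a communication interface 1303 and a bus 1310. As shown in FIG. 13, the processor 1301, the memory 1302 and the communication interface 1303 are connected through the bus 1310 and communicate with one another over it.
The communication interface 1303 is mainly used to implement communication between the modules, apparatuses, units and/or devices in the embodiments of the present invention.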
The bus 1310 includes hardware, software, or both, and couples the components of the flow control device to one another. By way of example and not limitation, the bus may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a Front Side Bus (FSB), a Hyper Transport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a Low Pin Count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a Peripheral Component Interconnect Extended (PCI-E) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association Local Bus (VLB) bus, or another suitable bus, or a combination of two or more of these. Where appropriate, the bus 1310 may include one or more buses. Although the embodiments of the present invention describe and illustrate specific buses, the present invention contemplates any suitable bus or interconnect.
The data processing device can execute the information processing method in the embodiments of the present invention, thereby implementing the information processing method and device described with reference to FIGS. 1 to 10.
In addition, in combination with the information processing method in the above embodiments, the embodiments of the present invention may provide a computer-readable storage medium for implementation. The computer-readable storage medium stores computer program instructions; when the computer program instructions are executed by a processor, any one of the information processing methods in the above embodiments is implemented.
It should be made clear that the present invention is not limited to the specific configurations and processing described above and shown in the figures. For brevity, detailed descriptions of known methods are omitted here. In the above embodiments, several specific steps are described and shown as examples. However, the method process of the present invention is not limited to the specific steps described and shown; those skilled in the art can make various changes, modifications and additions, or change the order of the steps, after understanding the spirit of the present invention.
The functional blocks shown in the structural block diagrams above can be implemented as hardware, software, firmware, or a combination thereof. When implemented in hardware, a block can be, for example, an electronic circuit, an application-specific integrated circuit (ASIC), appropriate firmware, a plug-in, a function card, and so on. When implemented in software, the elements of the present invention are programs or code segments used to perform the required tasks. The programs or code segments can be stored in a machine-readable medium, or transmitted over a transmission medium or communication link by a data signal carried in a carrier wave. A "machine-readable medium" can include any medium that can store or transmit information. Examples of machine-readable media include electronic circuits, semiconductor memory devices, ROM, flash memory, erasable read-only memory (EROM), floppy disks, compact disc read-only memory (CD-ROM), optical discs, hard disks, optical fiber media, radio frequency (RF) links, and so on. Code segments can be downloaded via computer networks such as the Internet or an intranet.
It should also be noted that the exemplary embodiments mentioned in the present invention describe some methods or systems based on a series of steps or devices. However, the present invention is not limited to the order of the above steps; that is, the steps can be executed in the order mentioned in the embodiments, in an order different from that in the embodiments, or with several steps executed simultaneously.
The above are only specific implementations of the present invention. Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, modules and units described above can refer to the corresponding processes in the foregoing method embodiments, and are not repeated here. It should be understood that the protection scope of the present invention is not limited to this; any person familiar with the technical field can readily think of various equivalent modifications or replacements within the technical scope disclosed by the present invention, and these modifications or replacements shall all be covered by the protection scope of the present invention.
510, 520, 530, 540: Steps
Claims (26)
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110179442.7 | 2021-02-09 | ||
CN202110179442.7A CN112819475B (en) | 2021-02-09 | 2021-02-09 | Information processing method, device, electronic device, server and medium |
Publications (2)
Publication Number | Publication Date |
---|---|
TW202232407A TW202232407A (en) | 2022-08-16 |
TWI859481B true TWI859481B (en) | 2024-10-21 |
Family
ID=75864920
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW110142442A TWI859481B (en) | 2021-02-09 | 2021-11-15 | Information processing method, device, electronic equipment, server and medium |
Country Status (3)
Country | Link |
---|---|
CN (1) | CN112819475B (en) |
TW (1) | TWI859481B (en) |
WO (1) | WO2022170759A1 (en) |
Families Citing this family (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP4221279A1 (en) | 2020-01-27 | 2023-08-02 | Apple Inc. | Mobile key enrollment and use |
US11206544B2 (en) | 2020-04-13 | 2021-12-21 | Apple Inc. | Checkpoint identity verification on validation using mobile identification credential |
US12311880B2 (en) | 2020-11-05 | 2025-05-27 | Apple Inc. | Mobile key user interfaces |
CN112819475B (en) * | 2021-02-09 | 2024-08-16 | 中国银联股份有限公司 | Information processing method, device, electronic device, server and medium |
CN118796327A (en) * | 2021-06-06 | 2024-10-18 | 苹果公司 | Digital ID Credentials User Interface |
CN113743930A (en) * | 2021-09-18 | 2021-12-03 | 中国银行股份有限公司 | Transaction processing method and device |
US12277205B2 (en) | 2021-09-20 | 2025-04-15 | Apple Inc. | User interfaces for digital identification |
CN113946812A (en) * | 2021-09-29 | 2022-01-18 | 北京达佳互联信息技术有限公司 | Identity authentication method and device, electronic equipment and storage medium |
CN113645045B (en) * | 2021-10-13 | 2022-01-04 | 北京创米智汇物联科技有限公司 | Security control method, device and equipment in TEE and storage medium |
CN114584970B (en) * | 2022-02-14 | 2025-07-08 | 青岛智芯半导体科技有限公司 | Communication authentication method, subscription verification method, and communication method |
CN115099814B (en) * | 2022-06-13 | 2024-08-02 | 马上消费金融股份有限公司 | Information processing method, device, equipment and storage medium |
CN115208704B (en) * | 2022-09-16 | 2023-01-13 | 欣诚信息技术有限公司 | Identity authentication system and political service application system |
CN115514549A (en) * | 2022-09-16 | 2022-12-23 | 国网信息通信产业集团有限公司 | Secure interaction method and system based on SSL (secure sockets layer) protocol |
CN115811403A (en) * | 2022-11-21 | 2023-03-17 | 航天信息股份有限公司 | Identity authentication method, system, electronic device and storage medium |
CN117915005B (en) * | 2023-10-19 | 2025-02-07 | 广州翼拍联盟网络技术有限公司 | Multifunctional acquisition device, data acquisition system, method and related equipment |
CN118194265B (en) * | 2024-05-13 | 2024-10-15 | 湖南三湘银行股份有限公司 | NFC-based method for rapidly identifying and collecting identity information |
CN119011274B (en) * | 2024-09-06 | 2025-05-13 | 乐研科技(苏州)有限公司 | Protection method for network security of micro-grid system and related equipment |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101447110A (en) * | 2004-04-09 | 2009-06-03 | 冲电气工业株式会社 | Identification system using face authentication |
CN105871867A (en) * | 2016-04-27 | 2016-08-17 | 腾讯科技(深圳)有限公司 | Identity authentication method, system and equipment |
CN109840405A (en) * | 2017-11-29 | 2019-06-04 | 上海荆虹电子科技有限公司 | A kind of identification authentication system and its application method |
TWI668986B (en) * | 2017-12-28 | 2019-08-11 | 李耀庭 | Private key processing method for electronic wallet |
CN110210855A (en) * | 2019-05-08 | 2019-09-06 | 北京大学 | Hardware wallet illegal method and system based on biological identification technology |
TW202038140A (en) * | 2019-02-28 | 2020-10-16 | 瑞士商西克帕控股有限公司 | Verifiable access credential |
CN111831995A (en) * | 2020-09-08 | 2020-10-27 | 杭州海宴科技有限公司 | Trusted identity authentication method and system based on eID and human body biological information |
TW202046202A (en) * | 2019-06-04 | 2020-12-16 | 墨攻網路科技股份有限公司 | Trusted ticket transaction management system for prepaid commodities and implementation method thereof can provide the management of prepaid commodities and the functions of transaction, verification, funding and refund of trusted notes corresponding to prepaid commodities |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103001773B (en) * | 2012-11-28 | 2015-07-01 | 鹤山世达光电科技有限公司 | Fingerprint authentication system and fingerprint authentication method based on near field communication (NFC) |
CN105187217A (en) * | 2015-09-16 | 2015-12-23 | 成都三零凯天通信实业有限公司 | Dual-factor identity authentication method and apparatus thereof |
CN107682545B (en) * | 2017-09-28 | 2023-04-21 | 山西特信环宇信息技术有限公司 | A mobile phone terminal system based on biometric technology |
CN108833359A (en) * | 2018-05-22 | 2018-11-16 | 深圳市商汤科技有限公司 | Auth method, device, equipment, storage medium and program |
CN108462725B (en) * | 2018-05-29 | 2023-08-01 | 北京华大智宝电子系统有限公司 | Electronic signature device, identity verification method and system |
CN109325332A (en) * | 2018-09-17 | 2019-02-12 | 北京旷视科技有限公司 | Testimony of a witness checking method, server, backstage and system |
CN112819475B (en) * | 2021-02-09 | 2024-08-16 | 中国银联股份有限公司 | Information processing method, device, electronic device, server and medium |
-
2021
- 2021-02-09 CN CN202110179442.7A patent/CN112819475B/en active Active
- 2021-09-08 WO PCT/CN2021/117232 patent/WO2022170759A1/en active Application Filing
- 2021-11-15 TW TW110142442A patent/TWI859481B/en active
Also Published As
Publication number | Publication date |
---|---|
CN112819475A (en) | 2021-05-18 |
WO2022170759A1 (en) | 2022-08-18 |
CN112819475B (en) | 2024-08-16 |
TW202232407A (en) | 2022-08-16 |