Processing method for enciphered data, and apparatus thereof

[0066] In order to further illustrate the technical means and effects of the present invention to achieve the intended purpose of the invention, the present invention will be further described in detail below with reference to the accompanying drawings and preferred embodiments. It should be understood that the specific embodiments described herein are only used to explain the present invention, but not to limit the present invention.

[0067] The embodiment of the present invention provides a method for outputting encrypted data, which can be used in an electronic terminal. Specific examples of the electronic terminal include, but are not limited to, personal computers, tablet computers, mobile phones, e-book readers, and wearable electronic devices.

[0068] figure 1 It is a structural block diagram of an electronic terminal provided by an embodiment of the present invention. Such as figure 1 As shown, the electronic terminal 100 includes a memory 102, a processor 104, a storage controller 106, a peripheral interface 108, a network module 110, a display module 112, and sensors. Understandable, figure 1 The structure shown is for illustration only, and does not limit the structure of the electronic terminal 11. For example, the electronic terminal 100 may also include figure 1 More or fewer components shown in the figure 1 Different configurations are shown.

[0069] The memory 102 can be used to store software programs and modules, such as program instructions/modules corresponding to the communication session method and device in the embodiment of the present invention. The processor 104 executes the software programs and modules stored in the memory 102 by running the software programs and modules. This kind of functional application and data processing realizes the above-mentioned method.

[0070] The memory 102 may include a high-speed random access memory, and may also include a non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 102 may further include a memory remotely provided with respect to the processor 106, and these remote memories may be connected to the electronic terminal 100 via a network. Examples of the aforementioned networks include, but are not limited to, the Internet, corporate intranets, local area networks, mobile communication networks, and combinations thereof. The processor 106 and other possible components may access the memory 102 under the control of the memory controller 104.

[0071] The peripheral interface 108 couples various input/input devices to the processor 106. The processor 106 runs various software in the memory 102 and instructs the electronic terminal 100 to perform various functions and perform data processing. In some embodiments, the peripheral interface 108, the processor 106, and the storage controller 104 may be implemented in a single chip. In some other instances, they can be implemented by independent chips.

[0072] The network module 110 is used for receiving and sending network signals. The aforementioned network signal may include a wireless signal or a wired signal. In an example, the aforementioned network signal is a wired network signal. At this time, the network module 110 may include components such as a processor, a random access memory, a converter, and a crystal oscillator. In one embodiment, the aforementioned network signal is a wireless signal (for example, a radio frequency signal). At this time, the network module 110 is essentially a radio frequency module, which receives and sends electromagnetic waves, realizes mutual conversion between electromagnetic waves and electric signals, and communicates with a communication network or other equipment. The radio frequency module may include various existing circuit elements for performing these functions, such as an antenna, a radio frequency transceiver, a digital signal processor, an encryption/decryption chip, a subscriber identity module (SIM) card, a memory, and so on. The radio frequency module can communicate with various networks such as the Internet, corporate intranet, and wireless networks, or communicate with other devices through wireless networks. The aforementioned wireless network may include a cellular telephone network, a wireless local area network, or a metropolitan area network. The above-mentioned wireless network can use various communication standards, protocols and technologies, including but not limited to Global System for Mobile Communication (GSM), Enhanced Data GSM Environment (EDGE), broadband code Wideband code division multiple access (W-CDMA), code division multiple access (CDMA), time division multiple access (TDMA), wireless fidelity technology (Wireless, Fidelity) , WiFi) (such as the American Institute of Electrical and Electronics Engineers standards IEEE802.11a, IEEE802.11b, IEEE802.11g and/or IEEE802.11n), Internet telephony (Voice over internet protocal, VoIP), Worldwide Interoperability for Microwave Access, Wi-Max), other protocols for mail, instant messaging and short messages, and any other suitable communication protocols, even those that have not yet been developed.

[0073] The display module 112 is used to display information input by the user, information provided to the user, and various graphical user interfaces of the electronic terminal 100. These graphical user interfaces may be composed of graphics, text, icons, videos, and any combination thereof. In one example, the display module 112 includes a display panel. The display panel can be, for example, a Liquid Crystal Display (LCD), Organic Light-Emitting Diode Display (OLED) display panel, Electro-Phoretic Display (EPD), etc. Further, the touch surface 109 may be disposed on the display panel so as to form a whole with the display panel. In other embodiments, the display module 112 may also include other types of display devices, such as a projection display device. Compared with a general display panel, the projection display device also needs to include some components for projection, such as a lens group.

[0074] Examples of the sensor 114 include, but are not limited to: a camera, an iris collector, a fingerprint collector, and a microphone. The camera is used to take photos or videos. The camera can specifically include a lens module, an image sensor, a flash and other components. The lens module is used to image the object being photographed and map the resulting image to the image sensor. The image sensor is used to receive light from the lens module to realize light sensitivity to record image information. Specifically, the image sensor can be implemented based on Complementary Metal Oxide Semiconductor (CMOS), Charge-coupled Device (CCD) or other image sensing principles. The flash is used for exposure compensation when shooting. Generally speaking, the flashlight used in the electronic terminal 100 may be a Light Emitting Diode (LED) flashlight.

[0075] The iris collector is used to collect the iris of the user. It can be a separate component, or it can be combined with the camera, which means that the camera is used as an iris collector at the same time.

[0076] The fingerprint adopter is used to collect the user's fingerprint, and it can be a separate component, or it can be integrated into other components. For example, in one embodiment, the display panel of the display module 112 is also integrated with an image sensor, which can sense the image of an object on the surface of the display module 112. In this case, the display module 112 can be used as a fingerprint adopter at the same time.

[0077] The above-mentioned software programs and modules include: an operating system 122, an interface module 124, an encryption module 126, a decryption module 128, and a detection module 130. The operating system 122 may include various software components and/or drivers for managing system tasks (such as memory management, storage device control, power management, etc.), and may communicate with various hardware or software components to provide other software The operating environment of the component. The interface module 124, the encryption module 126, the decryption module 128, and the detection module 130 run on the basis of the operating system 122.

[0078] The interface module 124 is used to provide a human-computer interaction interface, specifically, it outputs a user interface, for example, displays the user interface in the display module 112, or projects the user interface through a projection display device, or outputs audio. In addition, the interface module 124 also establishes a binding between the user interface and the input event of the electronic terminal 100, so that the user interface can respond to the input event of the electronic terminal 100. The above-mentioned input events include, but are not limited to, mouse events (such as click, double-click, press, release), touch screen events (slide, click, multi-touch gestures), voice events (voice input), Image events (such as a camera shooting a predetermined object) and arbitrary sensor events (such as spatial motion gestures based on cryptometer or gyroscope). According to a predefined definition, the interface module 124 can call the aforementioned encryption module 126 and decryption module 128 to implement data encryption/decryption processing for different input events.

[0079] Refer to figure 2 , Which is a schematic diagram of a user interface displayed by the interface module 124. Such as figure 2 As shown, the user interface 201 includes a button 202 for invoking the private space function, and the user interface 203 is entered when the button 202 is clicked. The user interface 203 is the main interface of the private space function, and its function is to allow the user to select specific data types (such as photos, videos, short messages, or files). The user interface 203 includes a button 204 for entering the photo module, and the user interface 205 is entered when the button 204 is clicked. The user interface 205 includes an icon array 206 and a button 207 for starting the add photo interface. Each icon in the icon array 206 corresponds to an encrypted photo. When the button 207 is clicked, the user interface 208 is entered.

[0080] The user interface 208 is used for adding photos, specifically, it includes an icon array 209 and a button 210 for adding photos. Each icon in the icon array 209 corresponds to a thumbnail generated from a picture in the memory 102, respectively. The user can click on each icon to select the corresponding picture. When the button 210 is clicked, the encryption module 126 is called to encrypt the selected photo, that is, an encryption request is generated, the object to be encrypted or the index information of the object is included in the encryption request, and the encryption request is sent to the encryption module 126. After the encryption is completed, the user interface 205 can be returned. It can be understood that the icon array 206 of the user interface 205 should be updated to include the added photos.

[0081] Refer to image 3 , Which is a schematic diagram of another user interface displayed by the interface module 124. Such as image 3 As shown, the user interface 301 is an interface for object browsing. The objects here may include photos, text messages, files, videos, etc., for example. The user interface 301 includes an icon array 302 and a button 303 for switching interface modes. Each icon in the icon array 302 corresponds to an object (for example, a photo, a video, etc.). When an icon in the icon array 302 is clicked, the user interface 305 is entered, and the user interface 305 includes detailed information 306 corresponding to the clicked icon. When the button 304 is clicked, the user interface 307 is entered. The user interface 307 includes a button 304a for returning to the user interface, an icon array 308, and a button 309 for starting the encryption function. Each icon in the icon array 308 corresponds to an object and can be selected/deselected. When the button 304a is clicked, it returns to the user interface 301. When the button 309 is clicked, the encryption module 126 is called to encrypt the selected object, that is, an encryption request is generated to include the object to be encrypted or the index information (such as the file path) of the object In the encryption request, the encryption request is sent to the encryption module 126.

[0082] The encryption module 126 is configured to encrypt data according to the encryption request, and store the encrypted data in the storage 102 or any cloud storage connected to the electronic terminal 100 via a network. Specifically, the encryption module 126 parses the object to be encrypted or the index of the object to be encrypted from the encryption request. If it is an index, the encryption module 126 can read the corresponding object to be encrypted according to the index information.

[0083] The encryption module 126 may use a symmetric encryption algorithm to encrypt data. In the symmetric encryption algorithm, the encryption module 126 processes the original data and the encryption key together with the encryption algorithm to obtain encrypted ciphertext data.

[0084] In one embodiment, the encryption key when the encryption module 126 performs encryption is obtained in the following manner: the encryption module 126 calls the application programming interface provided by the operating system 122 to read the biometric data output by the sensor 114, and according to the acquired The biometric data generates an encryption key. For example, directly use the acquired biometric data as the aforementioned encryption key, or use an algorithm (such as an information digest algorithm) to perform operations on the acquired biometric data to obtain the aforementioned official key. For fingerprint recognition, iris recognition, and face recognition, the raw data collected by the sensor is all images. For voice recognition, the raw data collected by the sensor is audio. To recognize these images or sounds, some preprocessing is required. The step is to extract the feature information contained in the original image, which can generally be expressed in the form of vectors. The encryption module 126 can use the feature information extracted from the biometric data output by the sensor 114 as the aforementioned encryption key.

[0085] The decryption module 128 is used to decrypt the data according to the decryption request, and return the decrypted data to other modules (for example, the interface module 124) that issued the decryption request. Specifically, the encryption module 126 parses the object to be decrypted or the index of the object to be decrypted from the decryption request. If it is an index, the encryption module 126 can read the corresponding object to be decrypted according to the index information.

[0086] Refer to figure 2 The user interface 203 is the main interface of the private space function, and its function is to allow the user to select a specific data type (such as photos, videos, short messages, or files). The user interface 203 includes a button 204 for entering the photo module, and the user interface 205 is entered when the button 204 is clicked. The user interface 205 includes an icon array 206. It can be understood that each icon in the icon array 206 corresponds to an encrypted photo, and the icon array 206 itself is generated based on the thumbnail of the encrypted photo. Therefore, to display the icon array 206 normally, it is necessary to decrypt the encrypted photos first. That is, after the button 204 is clicked, the interface module 124 calls the decryption module 128 to decrypt the data. Specifically, the interface module 124 obtains the file path list of the photo corresponding to the icon array 206, and passes the file path list to the decryption module 128. It can be understood that the file path list here is equivalent to the aforementioned index of the object to be decrypted.

[0087] After receiving the decryption request, the decryption module 128 first obtains the decryption key. In one embodiment, the decryption key is obtained in the following manner: the decryption module 128 calls the application programming interface provided by the operating system 122 to read the biometric data output by the sensor 114, and generates a decryption key according to the obtained biometric data . For example, directly use the acquired biometric data as the above-mentioned decryption key, or use an algorithm (such as an information digest algorithm) to calculate the acquired biometric data to obtain the above-mentioned decryption key. The decryption module 128 may also use characteristic information extracted from the biometric data output by the sensor 114 as the aforementioned decryption key.

[0088] After obtaining the decryption key, the decryption module 128 performs a decryption operation according to the predetermined decryption algorithm and the obtained decryption key to obtain the decrypted data, and returns the decrypted data to other modules that issued the decryption request (such as the interface module 124). ).

[0089] Refer to Figure 4 After receiving the decrypted data returned by the decrypting module 128, the interface module 124 can verify whether the data is successfully decrypted, and if so, can output the decrypted data (display the user interface 205); otherwise, display the user interface 211. In the user interface 211, prompt information 212 may be included, which is used to prompt the user to perform identity verification, such as placing a finger on a fingerprint recognizer, aiming a face at a camera, aiming an eye at an iris recognizer, and so on.

[0090] The detection module 130 is configured to stop the interface module 124 from outputting the decrypted data when the predetermined condition is met. Generally speaking, for the sake of improving data security, when it is impossible to confirm whether the current user is a legitimate user, the detection module 130 can cause the interface module 124 to stop outputting the decrypted data; or, when it is detected that the current user’s vision leaves the current user When outputting data, the detection module 130 can cause the interface module 124 to stop outputting the decrypted data, so as to minimize the possibility of data leakage.

[0091] In one embodiment, the detection module 130 tracks the current user's line of sight through the eye tracker, and determines whether the current user's line of sight is on the screen. If so, the current display mode of the interface module 124 may not be changed, and the interface module 124 continues to display decryption Otherwise, the detection module 130 sends a notification message to the interface module 124 to stop the interface module from outputting the decrypted data.

[0092] In one embodiment, the detection module 130 continues to detect the biometric data of the current user after outputting the decrypted data. If the detection module 130 does not detect the biometric data of the user, for example, the user's fingerprint and the user's biometric data are not detected. If the face or the iris of the user is not detected, the detection module 130 sends a notification message to the interface module 124 to stop the interface module 124 from outputting the decrypted data.

[0093] Further, if the detection module 130 detects the biometric data of the user, the detection module 130 calls the decryption module 128 to decrypt the encrypted data currently being output. Such as Figure 4 As shown, if the decryption is successful, the decrypted data can continue to be output (display the user interface 205); otherwise, the detection module 130 sends a notification message to the interface module 124 to stop the interface module 124 from outputting the decrypted data.

[0094] The above methods can also be used in combination. For example, only the current user’s line of sight is looking at the screen, the detection module 130 detects the user’s biometric data and decrypts the encrypted data according to the biometric data before it continues to output the decrypted data; otherwise, it detects The module 130 may send a notification message to the interface module 124, so that the interface module 124 stops outputting the decrypted data.

[0095] Refer to Figure 5 , Only when the current user's line of sight is watching the screen and the correct iris data is detected, the decrypted picture is output, that is, the user interface 213 is displayed, otherwise, the output of the decrypted data is stopped, that is, the user interface 214 is displayed. In the user interface 213, the displayed content may be, for example, a picture; and in the user interface 214, the displayed content is prompt information, preset pictures, animations, videos, etc.

[0096] After the interface module 124 stops outputting the decrypted data, the user interface 211 can be displayed. In the user interface 211, prompt information 212 may be included, which is used to prompt the user to perform identity verification, such as placing a finger on a fingerprint recognizer, aiming a face at a camera, aiming an eye at an iris recognizer, and so on. Alternatively, the user interface 211 may also include pictures, animations, videos, etc. covering the entire user interface.

[0097] According to the technical solution described above, the key used for encryption/decryption is generated based on the user’s biometric data. Therefore, there is no need to store the key in the memory of the electronic device, thereby avoiding the possibility of the key being stolen. Improve the data security of electronic devices. In addition, the user's biometric data is still continuously monitored during the process of outputting encrypted data. When the correct user's biometric data is not continuously detected (the data cannot be decrypted), the output of the decrypted data is stopped. Therefore, even if the electronic device is handed over to other users after the encrypted data is decrypted and displayed, other users cannot view the decrypted data, which further improves the data security of the electronic device.

[0098] in figure 1 In the example shown, the sensor 114 may be built into the electronic terminal 100, however, the embodiment of the present invention is not limited to this implementation. For example, see Image 6 , The electronic terminal 100 can also be connected to the external sensor 101 through infrared, Bluetooth, wireless local area network, near field communication, etc., and the biometric data collected by the external sensor 101 can be sent through infrared, Bluetooth, wireless local area network, near field communication, etc. To the electronic terminal 100.

[0099] Further, in Image 6 In the manner shown, the external sensor 101 is a separate sensor, but the pre-present embodiment is not limited to this manner. For example, see Figure 7 The sensor may be a sensor built in the electronic terminal 200, or a sensor connected to the electronic terminal 200 through infrared, Bluetooth, wireless local area network, or the like. The structure of the electronic terminal 200 can be figure 1 The structure shown is similar. The electronic terminal 100 and the electronic terminal 200 can be connected through wireless local area network, near field communication and other methods. The electronic terminal 200 may further include a sending module for collecting user biometric data output by the sensor according to a request of the client (for example, the electronic terminal 100), and returning the collected data to the client. In a specific embodiment, the electronic terminal 100 and the electronic terminal 200 may be different types of electronic terminals. For example, the electronic terminal 100 is a smart phone, and the electronic terminal 200 may be a wearable electronic device such as smart glasses, a wrist watch, and the like.

[0100] Refer to Figure 8 When the first electronic terminal (electronic terminal 100) wants to output the encrypted data, it does not directly call its own built-in sensor, but sends an authorization request to the second electronic terminal (electronic terminal 200). After receiving the authorization request, the sensor is called to collect the user's biometric data, and the original biometric data or the feature information extracted from the original biometric data can be sent to the first electronic terminal. Accordingly, the first electronic terminal is based on the received The biometric data is decrypted and output.

[0101] In a typical application scenario, the encrypted content in the first electronic terminal may also be sent by the second electronic terminal to the first electronic terminal. For example, the second electronic terminal sends the encrypted content to the first electronic terminal through Bluetooth, wireless local area network, or near field communication. Since the content is sent by the second electronic terminal, this part of the content may be sensitive content, and the user of the second electronic terminal may need to restrict the output of encrypted content. In this case, the first electronic terminal can initiate an authorization request to the second electronic terminal, only when the user of the second electronic terminal authorizes (for example, put a finger on the fingerprint reader, or aim the iris recognizer at the eye ), the first electronic terminal can decrypt the data and output it.

[0102] Refer to Picture 9 , The user currently wears the smart glasses 103 and uses the electronic terminal 100 (smartphone) at the same time. When the electronic terminal 100 receives a user instruction and needs to display encrypted data, it sends an authorization request to the smart glasses 103. Accordingly, the smart glasses 103 can turn on sensors such as scanners, cameras, and iris/retina recognizers. If the sensor is not successfully turned on, a predetermined error code is returned; otherwise, the smart glasses collect the user's biometric data, and then send the collected raw data or the characteristic information extracted from the raw data to the electronic terminal 100. The electronic terminal 100 uses the received data to try to decrypt the data. If the data is successfully decrypted, it outputs the decrypted data; otherwise, it displays a prompt message or stops outputting the decrypted data.

[0103] Further, in Figure 7 In the manner shown, the electronic terminal 100 and the electronic terminal 200 are connected in a wireless manner, but they can still be regarded as directly connected. However, the embodiment of the present invention is not limited to this implementation manner. For example, see Picture 10 , The electronic terminal 100 and the electronic terminal 200 are indirectly connected through the server 300. In other words, the electronic terminal 100 and the electronic terminal 200 and the server 300 respectively, and the server 300 is responsible for data forwarding between the two.

[0104] In a typical application scenario, the server 300 may be, for example, a message server of an instant messaging system. In other words, the electronic terminal 100 and the electronic terminal 200 respectively run instant messaging applications.

[0105] The electronic terminal 200 can send the encrypted picture, video, audio and other data to the electronic terminal 100 through an instant messaging application. When the electronic terminal 100 wants to output the encrypted data, it sends an authorization request to the server 300 through an instant messaging application, and the server 300 forwards the authorization request to the electronic terminal 200. After receiving the authorization request, the electronic terminal 200 can display the authorization request of other users, call the sensor to collect the biometric data of the user after the user confirms, and send the collected raw data or the characteristic information extracted from the raw data to the server 300, The server 300 forwards to the electronic terminal 100. Correspondingly, the electronic terminal 100 decrypts the data according to the received biometric data and outputs it.

[0106] According to this method, the content encryption function can be provided in the instant messaging application. A user can send the encrypted content to other users at will. However, the encrypted content can only be decrypted when the user who sends the encrypted content is authorized. Output, so it can maximize data security.

[0107] Picture 11 A partial structural block diagram of the electronic terminal provided in the second embodiment. Such as Picture 11 As shown, the electronic terminal of this embodiment and figure 1 The electronic terminal shown is similar, the difference lies in the included software program modules. The electronic terminal of this embodiment includes a data providing module 10 and a third-party application program 20. The third-party application program 20 here refers to an application program that is independent of the data providing module 10 in operation, but the data providing module 10 and the third-party application program 20 can be provided by the same developer. In addition, the third-party application program 20 is not limited to a third-party application program installed by the user, and may also include a part of the operating system 122 or a pre-installed application program.

[0108] The data providing module 10 includes an encryption module 12 and a data sending module 13. The third-party application 20 includes a data request module 21, a decryption module 22, and an output module 23.

[0109] The encryption module 12 is used to encrypt data, and store the encrypted data in the storage 102 or any cloud storage connected to the electronic terminal 100 via a network. The encryption module 12 can obtain the encryption key in a similar manner to the encryption module 126, that is, collect the biometric data of the current user, and use the biometric data or the feature information extracted from the biometric data as the encryption key.

[0110] The data sending module 13 is used to return encrypted data according to the request. For example, the third-party application 20 may display encrypted data according to user instructions, and the data request module 21 may initiate a data acquisition request to the data sending module 13 through an inter-process communication mechanism to acquire the encrypted data. Correspondingly, the data sending module 13 in the data providing module 10 returns the encrypted data corresponding to the data acquisition request to the data requesting module 21. The data request module 21 passes the received encrypted data to the decryption module 22 for decryption.

[0111] After receiving the data to be decrypted, the decryption module 22 first obtains the decryption key. In one embodiment, the decryption key is obtained in the following manner: the decryption module 22 calls the application programming interface provided by the operating system 122 to read the biometric data output by the sensor 114, and generates a decryption key according to the obtained biometric data . For example, directly use the acquired biometric data as the above-mentioned decryption key, or use an algorithm (such as an information digest algorithm) to calculate the acquired biometric data to obtain the above-mentioned decryption key. The decryption module 22 may also use characteristic information extracted from the biometric data output by the sensor 114 as the aforementioned decryption key.

[0112] After the decryption is completed, the decryption module 22 sends the decrypted data to the output module 23 for output, such as displaying pictures, text, playing videos, audios, and animations.

[0113] According to the electronic terminal of this embodiment, data encryption and decryption are performed in two different application programs, and the data providing module 10 provides encrypted data in a centralized manner, so the data security of third-party applications can be improved.

[0114] In addition, similar to the electronic terminal of the first embodiment, the third-party application 20 may also include a detection module 130 ( figure 1 ) Is used to stop the output module 23 from outputting the decrypted data when the predetermined condition is met. Generally speaking, for the sake of improving data security, when it is impossible to confirm whether the current user is a legitimate user, the detection module 130 can cause the output module 23 to stop outputting the decrypted data; or, when it is detected that the current user’s sight is away from the current user When outputting data, the detection module 130 can cause the output module 23 to stop outputting the decrypted data, so as to minimize the possibility of data leakage.

[0115] in Picture 11 In the electronic terminal shown, the key collected when encrypting data or decrypting data is still obtained through biometric data, but the embodiment of the present invention is not limited to this manner. For example, the key collected when encrypting data or decrypting data can also be generated according to an encryption algorithm.

[0116] Refer to Picture 12 In the electronic terminal provided in the third embodiment, the third-party application 20 may further include a registration request module 24, and the data providing module may further include a registration module 14. The registration request module 24 and the registration module 14 altogether complete the user registration operation, and generate the aforementioned encryption decryption and decryption keys.

[0117] Figure 13 Shown is a schematic diagram of interaction among the data providing module 10 in the electronic terminal, the third-party application program 20 and the user 30 in the third embodiment. First, the user 30 launches the third-party application 20 through an entrance provided by the operating system 122 (for example, an application icon on the home screen).

[0118] After the third-party application 20 is started, the registration request module 24 determines whether the current user has registered to use the data encryption service; if the user is not registered, the registration request module 24 can display a registration interface to guide the user to register. When the user confirms registration in the guide interface displayed by the registration request module 24, the registration request module 24 can start the data providing module 10, and the registration module 14 of the data providing module 10 completes the registration.

[0119] The registration module 14 can complete registration according to different inputs of the user. For example, in one embodiment, the registration module 14 displays a registration interface, prompts the user to collect biometric data (such as fingerprints, iris, face), etc., and starts to read the biometric data of the current user output by the sensor. The registration module 14 can store the collected original biometric data, or store the feature information extracted from the original biometric data.

[0120] In one embodiment, the registration module 14 collects a fingerprint characteristic data of the current user.

[0121] In another embodiment, the registration module 14 collects multiple fingerprint feature data of the current user to form a fingerprint feature queue including multiple fingerprint feature data. In the fingerprint feature queue, the feature data of each fingerprint is arranged in the order of collection. , Or have a serial number associated with the collection sequence.

[0122] In another embodiment, the registration module 14 collects multiple fingerprint characteristic data of the current user, but the multiple fingerprint characteristic data are used separately and do not form the fingerprint characteristic queue described above.

[0123] In addition, the registration module 14 may also use an asymmetric encryption algorithm to generate a key pair (key_1, key_2), wherein the data encrypted by key_1 can only be decrypted by key_2. It can be understood that the encryption module 12 can use the encryption key key_1 when encrypting data, and the decryption module 23 can use the decryption key key_2 when decrypting the data.

[0124] The registration module 14 stores the encryption key key_1, and may also store the mapping relationship between the encryption key key_1 and other index information. The index information here refers to identification information that allows the encryption module 12 to know which encryption key to use when encrypting data. Therefore, if the encryption module 12 only uses one encryption key, there is no need to store the mapping relationship between the encryption key and other index information. However, when the data providing module 10 adopts different encryption keys for different security settings of different third-party applications 20, different users of the same third-party application 20, or even the same user of the same third-party application 20, different encryption keys are required. Store the above index information.

[0125] For example, in one embodiment, the user account of the user in the third-party application 20 may be used as the aforementioned index information. In this way, the third-party application 20 can send the user account to the data providing module 10 when requesting encrypted data, and the encryption module 12 obtains the corresponding encryption key according to the received user account when encrypting the data, and uses the obtained encryption and decryption pair The data is encrypted. As a further improvement, the user account and security settings of the user in the third-party application 20 can be used as the aforementioned index information. In this way, different encryption keys can be used for different security settings of the same user account.

[0126] In another embodiment, the security setting can be used as the aforementioned index information. For example, the security is divided into several levels, and encryption keys of different strengths are used respectively. In this way, when encrypting data, only the security level requested by the third-party application 20 is considered, and the difference in users or applications is not considered. In other words, if two different third-party applications 20 use the same security level, the encryption module 12 will use the same encryption and decryption for data encryption.

[0127] In another embodiment, the biometric information collected during the registration process can be used as the aforementioned index information. In this way, each registration process will generate a new encryption key. The encryption and decryption used by the encryption module 12 depends on the biometric information collected during the user authentication process. It can be understood that in this way, the third-party application 20 cannot determine the decryption key in advance, and therefore, it is necessary to send the corresponding decryption key to the third-party application 20 after the encryption key is determined.

[0128] The registration module 14 also returns the decryption key key_2 to the registration request module 24. The registration request module 24 stores the received decryption key key_2. Similar to the registration module 14, the registration request module 24 may also need to store the mapping relationship between the decryption key key_2 and other index information. It can be understood that if the third-party application 20 only uses one decryption key, there is no need to store the mapping relationship between the decryption key key_2 and other index information. However, when the third-party application 20 uses different decryption keys for different user accounts or different security settings, it is necessary to store the mapping relationship between the decryption key key_2 and other index information.

[0129] Since the third-party application 20 has pre-stored the decryption key key_2 or will receive the decryption key key_2 when receiving encrypted data, the third-party application 20 will return the data encrypted with the encryption key key_1 returned by the data providing module 10 Can be decrypted smoothly.

[0130] Refer to Figure 14 , Which is a schematic diagram of data interaction between the third-party application 20 and the data providing module 10 after registration is completed. First, the user 30 launches or activates the third-party application 20 through an entry provided by the operating system 122 (for example, an application icon on the home screen).

[0131] After the third-party application 20 is started, the data request module 21 will request the data providing module 10 for encrypted data according to user input. For example, when the user requests to display an encrypted picture, the data providing module 10 is requested for the corresponding encrypted picture. It can be understood that the data request module 21 may send some necessary parameters when requesting data, for example, the user account of the current user and/or the security setting information of the user.

[0132] Correspondingly, the verification module 15 can display the corresponding verification interface according to the parameters provided by the data request module 21, prompt the user to collect the biometric data entered during registration again, and combine the collected biometric data of the current user with the pre-stored biometric data or The characteristic information is compared, and if the two match each other, the user identity is passed, otherwise, the identity verification fails.

[0133] Taking fingerprints as an example, if a single fingerprint feature is entered when the user registers, the verification module 15 collects the single fingerprint feature and compares it. If the user entered the fingerprint feature queue during registration, the verification module 15 may prompt the user to enter the fingerprint features of the fingers used during registration one by one. And compare the multiple fingerprint features collected with the pre-stored fingerprint feature queue. The verification module 15 can also randomly select a number of fingerprint features from the collected multiple fingerprint features, prompt the user to enter the fingerprint features of the designated fingers one by one in a given order, and combine the collected multiple fingerprint features with a number of randomly selected fingerprint features. Compare fingerprint features.

[0134] When the user's identity is verified, the verification module 15 may send a notification message to the data sending module 13, and the data sending module 13 will start to return the encrypted data to the third-party application 20 after receiving this message.

[0135] When the user identity verification fails, the verification module 15 may send a notification message to the data sending module 13 to stop the data sending module 13 from sending data to the third-party application 20. Using this method can ensure that the current user is a legitimate user, thereby improving data security. It can be understood that the above solution does not affect the encrypted data that has been sent to the third-party application 20 before.

[0136] In another embodiment, when the user identity verification fails, the verification module 15 also sends a notification message to the third-party application 20 to stop the third-party application 20 from outputting the decrypted data and/or delete the decrypted data. The data. In this way, in addition to stopping the data sending module 13 from sending encrypted data, the third-party application 20 also stops outputting the decrypted data, and even deletes the decrypted data, thereby further improving data security.

[0137] In another embodiment, when the user's identity is verified, the verification module 15 can also regenerate a pair of key pairs (encryption key, decryption key), and the verification module 15 can store the encryption key for encryption by the encryption module 12 For data use, the verification module 15 also sends the decryption key to the third-party application 20 for the decryption module 23 to decrypt the data. It can be understood that the verification module 15 can perform a verification operation every certain time interval. If the user's identity verification fails, it can stop sending encrypted data, and can make the third-party application 20 destroy the decrypted data or have received but not decrypted If the user’s identity is verified, the encrypted data can be sent continuously, or a pair of key pairs can be regenerated, and the data can be encrypted according to the newly generated encryption key and sent to the third-party application 20. The use of this dynamically generated key pair minimizes the risk of key leakage and further improves data security.

[0138] After receiving the encrypted data, the third-party application 20 uses the obtained decryption key to decrypt and output to the user, for example, display text, pictures, play audio, video, or animation on the interface.

[0139] See Figure 15 , Which is a flowchart of the encrypted data processing method of the first embodiment of the present invention. The method of this embodiment includes the following steps:

[0140] Step S101, after receiving the instruction to output encrypted data, collect the first biometric data of the current user through the sensor.

[0141] As mentioned earlier, the application 128 will need to output encrypted data. Refer to image 3 In one embodiment, the application 128 may be, for example, a security management application, which includes a “private space” function. In the private space, users can add and browse private photos, videos, text messages, files and other data. When the user selects a specific category such as a photo in the interface 103, the instruction to output encrypted data is triggered, and accordingly, step S101 is executed.

[0142] Specifically, the operating system 122 may be called to provide an application programming interface to obtain the data output by the sensor. For example, reading the fingerprint of the current user through the fingerprint sensor, or reading the iris of the current user through the iris sensor, that is, collecting the first biometric data of the current user.

[0143] Step S102: Decrypt the acquired encrypted data using a first key generated according to the first biometric data.

[0144] After successfully collecting the first biometric data, you can directly use the first biometric data as the first key, or use an information digest algorithm (such as the MD5 algorithm) to calculate the first biometric data to obtain the first key , It is also possible to use any preset algorithm to calculate the first key from the first biometric data.

[0145] After obtaining the first key, you can try to decrypt the encrypted data using the first key. The encrypted data is encrypted by the encryption module 124 and stored in the memory 102, for example.

[0146] In one embodiment, the encryption module 124 encrypting data includes the following steps: collecting second biometric data, such as fingerprints, iris, sound, or images through the sensor 116, generating a second key based on the collected second biometric data, and using the first The data to be encrypted with both keys, such as photos, short messages, videos, or files, are encrypted, and the encrypted data is stored in the memory 102.

[0147] Step S103, if the encrypted data is successfully decrypted, output the decrypted data.

[0148] According to the decryption result, it can be judged whether the decryption is successful. For example, the decrypted data should be parseable in the corresponding format. For example, for pictures, it can be parsed according to the corresponding format (such as jpg). After the decryption is successful, the decrypted data can be output. For example, for pictures, the decrypted pictures can be displayed. Refer to Figure 4 When the user selects "photo" in the interface 103, the user enters the interface 104, and the decrypted picture 105 can be displayed in the interface 104.

[0149] It can be understood that if the encrypted data is not successfully decrypted, it cannot be output normally. In this case, it can display as Figure 5 The shown prompt message 106 prompts the user to perform user identity verification, such as putting a finger on a fingerprint reader, or collecting an image of the user, if the user collects the iris of the user, and so on.

[0150] Step S104: Detect whether the current user's identity has changed, and if it detects that the current user's identity has changed, stop outputting the decrypted data.

[0151] After outputting the decrypted data, it continues to monitor the data collected by the sensor. It can be understood that each data acquisition of the sensor takes a certain amount of time. Therefore, the continuation here means that the sampling frequency exceeds a certain value, so that the data collection is continuous in the use experience of the general user. Generally speaking, it takes a few seconds or more to transfer a device from one user to another. Therefore, in one embodiment, the sampling frequency may be once every second, or once every two seconds, or once every 5 seconds, or once every 10 seconds.

[0152] As mentioned above, the first biometric data is collected in step S101. In step S104, in each sampling period, when the latest data is obtained, it is compared with the first biometric data obtained in step S101 If it does not match, it is deemed that the first biometric data has not been continuously collected; otherwise, it is determined that the first biometric data has been continuously collected.

[0153] Stop outputting the decrypted data after detecting that the sensor has not continuously collected the first biometric data. For example, hide the displayed data and display as Figure 5 The prompt message shown prompts the user to authenticate again.

[0154] According to the method of this embodiment, if the encrypted data is to be output, the user needs to continuously perform identity verification. For example, keep the finger on the fingerprint reader to generate the key for decrypting the data in real time, which can ensure that the current user is always Authorized users improve data security. In addition, since the key is generated in real time based on the data collected by the sensor, the electronic terminal does not need to store the key, which can prevent the key from being stolen and further improve the security of the data.

[0155] See Figure 16 , Which is a flowchart of the encrypted data processing method of the second embodiment of the present invention. The method of this embodiment is the same as Figure 15 The methods shown are similar, with the difference that, before step S101, it also includes:

[0156] Step S105: Generate a second key according to the collected third biometric data of the user; and

[0157] Step S106: Use the second key to encrypt data.

[0158] For example, in figure 2 The illustrated user interface 205 includes a button 207 for starting the add photo interface. When the button 207 is clicked, the user interface 208 for encrypting the photo is entered. In the user interface 208, the user can select the photos to be encrypted. When the button 210 is clicked, the photo is encrypted. First, the second key is obtained, that is, step S105 is executed.

[0159] Specifically, the application programming interface provided by the operating system 122 can be called to read the biometric data output by the sensor 114, and an encryption key can be generated according to the acquired biometric data. For example, directly use the acquired biometric data as the aforementioned encryption key, or use an algorithm (such as an information digest algorithm) to perform operations on the acquired biometric data to obtain the aforementioned official key.

[0160] After obtaining the second key, a symmetric encryption algorithm can be used for data encryption. In the symmetric encryption algorithm, the original data and the encryption key are processed together by the encryption algorithm to obtain encrypted ciphertext data.

[0161] According to the method of this embodiment, an encryption function is provided for sensitive data, thereby improving data security.

[0162] See Figure 17 , Which is a flowchart of the encrypted data processing method of the third embodiment of the present invention. The method of this embodiment is the same as Figure 15 The methods shown are similar, but the difference is that after step S104, it also includes:

[0163] Step S107: After stopping the output of the decrypted data, delete the decrypted data from the memory of the first electronic terminal.

[0164] For example, delete the decrypted data from non-volatile memory (such as hard disk, flash memory or solid-state memory), random access memory (memory or video memory). In this way, after the output is stopped, the decrypted data is cleared from the first electronic device, thereby preventing the possibility of the decrypted data being illegally copied or stolen, and improving data security.

[0165] See Figure 18 , Which is a partial flowchart of the encrypted data processing method of the fourth embodiment of the present invention. The method of this embodiment is the same as Figure 15 The methods shown are similar, with the difference that step S101 includes the following steps:

[0166] Step S108a: Establish a pairing relationship between the first electronic terminal and the second electronic terminal.

[0167] Step S108: Send a request for acquiring the first biometric data to the second electronic terminal, so that the second electronic terminal calls the sensor to collect the first biometric data and collects the first biometric data Back to the first electronic terminal; and

[0168] Step S109: Receive the first biometric data returned by the second electronic terminal.

[0169] In a specific application scenario, such as Image 6 As shown, the second electronic terminal is an external sensor 101. It can be understood that the sensor 101 has the ability to receive connection requests from other devices and return data according to the connection requests. In other words, the sensor 101 includes a network for sending and receiving network data. Components such as a WiFi module, a Bluetooth module, an infrared module, a sound wave communication module, a near field communication module, and a visible light communication module. The sensor 101 also includes a micro-processing module for processing data.

[0170] In this case, step S108a may include pairing with the second electronic terminal according to protocols such as infrared protocol, Bluetooth protocol, near-field communication protocol, and sonic communication protocol, and using the established connection to transmit instructions and data after the pairing is completed. The instruction may include the aforementioned request for acquiring the first biometric data, and the data may include the first biometric data used by the second electronic terminal.

[0171] In another specific application scenario, such as Figure 7 As shown, the second electronic terminal is an electronic device with a similar architecture to the first electronic terminal. For example, both the first electronic terminal and the second electronic terminal are mobile electronic devices such as mobile phones or tablet computers.

[0172] In this case, the first electronic terminal and the second electronic terminal can generally be connected through a network such as a wireless local area network and the Internet. The second electronic terminal runs a specific network service and monitors a specific network port. The first electronic terminal may send a handshake connection to the network port to establish a network connection (such as a TCP network connection). After the network connection is established, the first electronic terminal can send instructions through the established network connection (the above request for acquiring the first biometric data), and the second electronic terminal transmits the collected first biometric data through the network. The connection is returned to the first electronic terminal.

[0173] Refer to Figure 8 When the first electronic terminal (electronic terminal 100) wants to output the encrypted data, it does not directly call its own built-in sensor, but sends an authorization request to the second electronic terminal (electronic terminal 200). After receiving the authorization request, the sensor is called to collect the user's biometric data, and the original biometric data or the feature information extracted from the original biometric data can be sent to the first electronic terminal. Accordingly, the first electronic terminal is based on the received The biometric data is decrypted and output.

[0174] According to the method of this embodiment, the sensor that collects biometric information is not limited to the electronic terminal that wants to output encrypted data, but can be an external sensor, or even a sensor in another electronic device, so as to provide encrypted data. The identity verification scenario offers more possibilities.

[0175] See Figure 19 , Which is a partial flowchart of the encrypted data processing method of the fifth embodiment of the present invention. The method of this embodiment is the same as Figure 15 The methods shown are similar, with the difference that step S101 includes the following steps:

[0176] Step S110: Send a request for obtaining the first biometric data to a server, so that the server issues the request for obtaining the first biometric data to a second electronic terminal, so that the second electronic The terminal calls the sensor to collect the first biometric data and transmits the collected first biometric data back to the server; and

[0177] Step S111: Receive the first biometric data returned by the server.

[0178] Refer to Picture 20 In a typical application scenario, the first electronic terminal and the second electronic terminal are both mobile electronic devices, and the same instant messaging application (such as WeChat or QQ) is installed in them. The user of the second electronic terminal sends encrypted content (such as encrypted pictures or videos) to the user of the first electronic terminal through the instant messaging application. The encryption operation of the content can be implemented by an encryption module embedded in the instant messaging application, or by a third-party encryption module. The key collected during encryption may be generated based on the collected biometric data of the user.

[0179] Correspondingly, the first electronic terminal will receive the instant messaging information, but because it is encrypted information, the first electronic terminal cannot normally output it. At this time, the first electronic terminal can send an authorization request to the server (used to obtain the first Request for biometric data), after receiving the authorization request, the server issues a request to obtain the first biometric data to the second electronic terminal. After receiving the request, the second electronic terminal calls its sensor to collect the biometrics of the current user And send the collected data to the server, and the server sends the biometric data returned by the second electronic terminal to the first electronic terminal. Finally, the first electronic terminal uses the decryption key generated according to the biometric data returned by the server to decrypt the data and output it.

[0180] It can be understood that in the above process, the authorization request and biometric data transmitted between the first electronic terminal, the server, and the second electronic terminal are not normal instant messaging information, so the message content needs to be encapsulated according to a predetermined protocol. Or add a specific mark to the message so that the instant messaging application does not treat these messages as normal instant messaging information.

[0181] According to the method of this embodiment, data can be shared between two electronic terminals in an encrypted manner, and the data needs to be authorized by the user at the sending end when the data is output, thereby avoiding security threats caused by data leakage and improving data security .

[0182] See Figure 21 , Which is a flowchart of the encrypted data processing method of the sixth embodiment of the present invention. The method of this embodiment is the same as Figure 15 The methods shown are similar, but the difference is that after step S104, it also includes:

[0183] Step S112: After outputting the decrypted data, if it is detected that the current user's sight is away from the decrypted data, stop outputting the decrypted data; and

[0184] Step S113: After detecting that the current user continues to watch the decrypted data, resume outputting the decrypted data.

[0185] Refer to Figure 5 , Only the current user’s line of sight is watching the screen and the user’s identity verification is passed, the decrypted data is output, that is, the user interface 213 is displayed, otherwise the output of the decrypted data is stopped, that is, the user interface 214 is displayed. In the user interface 213, the displayed content may be, for example, a picture; and in the user interface 214, the displayed content is prompt information, preset pictures, animations, videos, etc.

[0186] According to the method of this embodiment, after the encrypted data is decrypted and output, if it is detected that the user's sight is away from the output content, the output of the decrypted data is stopped, and the output of the decrypted data is resumed after detecting that the user pays attention to the output again , While maximizing data security, it can ensure the convenience of users.

[0187] See Figure 22 , Which is a flowchart of the encrypted data processing method of the seventh embodiment of the present invention. The method of this embodiment is the same as Figure 15 The methods shown are similar, but the difference is that after step S104, it also includes:

[0188] Step S114: Display prompt information for prompting the user to perform identity verification; or display predefined pictures, videos or animations.

[0189] Refer to Figure 5 After the output of the decrypted data is stopped, the user interface 214 is still displayed. In the user interface 214, the displayed content is prompt information, preset pictures, animations, videos, etc. The prompt message can be for example Figure 4 The shown prompt information 212 is used to prompt the user to perform identity verification, such as putting a finger on a fingerprint reader or performing iris recognition.

[0190] According to the method of this embodiment, when the output of the decrypted data is stopped, a prompt message is also displayed to prompt the user for the next operation, or a predefined content is used to replace the displayed decrypted data to prevent data leakage and improve data safety.

[0191] See Figure 23 , Which is a flowchart of the encrypted data processing method of the eighth embodiment of the present invention. The method of this embodiment may be used in a mobile electronic terminal, and the method may include the following steps:

[0192] In step S201, when processing encrypted data, it is first displayed that the data is encrypted. For example, when displaying encrypted data, first display a predefined prompt message or a predefined picture, so that the user knows that the data is encrypted.

[0193] Step S202, turn on the eye tracker and the iris/retinal collector; if it is successfully turned on, execute step S203, otherwise, return to step S201. In step S202, the data output by the eye tracker and the iris/retinal collector can be read. If the data is successfully collected, it is deemed that the eye tracker and the iris/retinal collector are successfully opened.

[0194] Step S203, judging whether the current user's line of sight is on the screen according to the data output by the eye tracker; if so, execute step S204; otherwise, return to step S201. In addition, judging whether the current user’s line of sight is on the screen is not limited to the data output by the eye tracker. For example, in an alternative method, the user’s iris/retina information can be continuously collected in real time through the iris/retina collector. The iris/retina collector cannot collect any information, and it can be judged that the user's line of sight has left the device screen.

[0195] Step S204, collect iris/retinal feature information through the iris/retinal collector; if the collection is successful, execute step S205; otherwise, return to step S201.

[0196] Step S205: Generate a decryption key according to the collected iris/retinal characteristic information, and use the generated decryption key to decrypt the encrypted data; if the data is decrypted successfully, execute step S206; otherwise, return to step S201.

[0197] Step S206, output the decrypted data. For example, display text, pictures, play audio, video, or animation.

[0198] After step S206, the flow returns to step S203 to continue tracking whether the current user's line of sight is on the screen.

[0199] It can be understood that, in the above method, step S203 can also be performed between step S205 and step S206.

[0200] According to the method of this embodiment, when the following behaviors occur, the mobile device screen will not display normal original data content, but will display some content that humans cannot perceive (such as garbled characters, black screen, etc.):

[0201] (a) The eye tracker or iris/retinal collector fails or is not turned on;

[0202] (b) The browsing user is not the holder of the encrypted data (that is, the user's iris/retina characteristic information cannot decrypt the data);

[0203] (c) When the viewer leaves the screen;

[0204] When the user pays attention to the screen again and the user's biometric information can decrypt the data, the decrypted data is restored to be output. The method of this embodiment avoids the possibility of data leakage to the greatest extent without affecting user convenience, and improves data security.

[0205] See Figure 24 , Which is a flowchart of the encrypted data processing method of the ninth embodiment of the present invention. The method of this embodiment may include the following steps:

[0206] Step S301, when processing encrypted data, firstly display the atlas image of the encrypted data. Refer to Figure 25 Step S301 is performed by a mobile electronic terminal 100, for example. For example, in the mobile electronic terminal 100, when encrypted data is to be output according to a user's instruction, a graph image that can be parsed into binary data again is generated based on the encrypted data. For example, the encrypted data is converted into a two-dimensional code for display according to the two-dimensional code protocol.

[0207] Step S302, turn on the scanner/camera and iris/retinal collector; if it is successfully turned on, execute step S303, otherwise, return to step S301. In step S302, the data output by the scanner/camera and the iris/retinal collector can be read. If the data is successfully collected, it is deemed that the eye tracker and the iris/retinal collector are successfully opened. Step S302 can be performed by a wearable electronic device 103 such as smart glasses, smart helmets, and the like.

[0208] Step S303, judging whether the current line of sight includes the atlas image of the encrypted data according to the data output by the scanner/camera; if so, execute step S304; otherwise, return to step S301. Such as Figure 25 As shown, if the screen of the mobile electronic terminal 100 includes a map image of encrypted data, it will be captured by the scanner/camera of the wearable electronic device 103. That is, in step S303, it is determined that the atlas image of the encrypted data is included in the current line of sight.

[0209] Step S304: Collect iris/retinal feature information through the iris/retinal collector; if the collection is successful, execute step S305; otherwise, return to step S301.

[0210] Step S305: Generate a decryption key according to the collected iris/retinal characteristic information, and use the generated decryption key to decrypt the encrypted data; if the data is decrypted successfully, execute step S206; otherwise, return to step S301.

[0211] Step S306, output the decrypted data. For example, display text, pictures, play audio, video, or animation. Specifically, the wearable electronic device 103 may output the decrypted data in a projection manner.

[0212] After step S306, the flow returns to step S303 to continue to track whether the atlas image of the encrypted data is included in the line of sight of the current user.

[0213] It can be understood that, in the above method, step S303 can also be performed between step S305 and step S306.

[0214] It can be understood that the atlas image of the encrypted data displayed in step S301 is used for scanning by the wearable electronic device. Therefore, the atlas image of the encrypted data is not limited to be generated by the electronic device in real time. It can also be generated and printed in other media in advance, such as Paper, on the wall.

[0215] During the above process, when the following behaviors occur, the wearable device screen will not display any data content:

[0216] (a) The scanner/camera or iris/retinal collector fails or is not turned on;

[0217] (b) The holder of the non-encrypted data of the browsing user (that is, the user's iris/retina characteristic information cannot decrypt the data);

[0218] (c) When browsing users away from the encrypted content (that is, the scanner/camera cannot scan the atlas image of the encrypted data);

[0219] When the user pays attention to the encrypted content again, and the user's biometric information can decrypt the data, the output of the decrypted data is restored. The method of this embodiment avoids the possibility of data leakage to the greatest extent without affecting user convenience, and improves data security.

[0220] See Figure 26 , Which is a flowchart of the encrypted data processing method of the tenth embodiment of the present invention. The method of this embodiment may include the following steps:

[0221] Step S401, using the encryption key to perform encryption processing on the data to be encrypted.

[0222] Refer to figure 2 and image 3 , In some applications (e.g. Picture 11 and Picture 12 The shown data providing module) can provide data encryption function, and users can choose to encrypt data (such as information, pictures, video, audio) that need to be encrypted. The key used for encryption can be obtained by the following methods: user settings, generated based on the collected user's biometric information, generated using an encryption algorithm, or randomly generated a character string as the encryption key.

[0223] Step S402: After receiving the data acquisition request sent by the third-party application, the first biometric data of the current user is collected for identity verification.

[0224] The third-party application can be Picture 12 and Picture 12 The third-party application program 20 shown may specifically be various application programs such as a picture browsing program, a video playback program, and an instant messaging program. In these applications, when the encrypted data needs to be output, the third-party application data providing module 10 sends a data acquisition request. Correspondingly, the data providing module 10 will receive the data acquisition request.

[0225] After receiving the data acquisition request, the identity verification can be performed according to the method used when the user registered. For example, when a user registers with a fingerprint, fingerprint authentication is performed; when a user registers with an iris, then iris authentication is performed.

[0226] Step S403: If the user's identity verification is passed, the encrypted data is returned to the third-party application.

[0227] It can be understood that after the identity verification is passed, the data can be encrypted in real time and the encrypted data can be returned. That is, step S401 can be executed after step S403. If the data has been encrypted and stored in the memory, the encrypted data may be directly read and returned to the third-party application.

[0228] Step S404, after returning the encrypted data to the third-party application program, continue to perform identity verification based on the collected second biometric data of the current user, and if the user identity verification fails, stop returning the encrypted data to the third-party application. Describe third-party applications.

[0229] After receiving the encrypted data, the third-party application program first obtains the decryption key, and then uses the decryption key to decrypt the received data and output it.

[0230] The decryption key may be input by the user, generated by the collected biometric data of the current user, or sent by the data providing module 10.

[0231] According to the method of this embodiment, data encryption and decryption are performed in two different applications, and the data providing module 10 provides the encrypted data in a centralized manner, so the data security of the third-party application can be improved. Moreover, since the current user's identity is continuously verified after the data is sent, the data is stopped when the user verification fails, which can further improve data security.

[0232] See Figure 27 , Which is a flowchart of the encrypted data processing method of the eleventh embodiment of the present invention. The method of this embodiment is the same as Figure 26 The methods shown are similar, but the difference is that the method of this embodiment further includes the following steps:

[0233] Step S405, before step S401, generate the encryption key according to the collected second biometric data of the current user; and

[0234] Step S406, before step S404, generate the decryption key according to the collected second biometric data of the current user.

[0235] According to the method of this embodiment, the encryption key and the decryption key are generated based on the collected biometric data of the user. Therefore, there is no need for the user to input or set the key, which improves the convenience of the user.

[0236] See Figure 28 , Which is a flowchart of the encrypted data processing method of the twelfth embodiment of the present invention. The method of this embodiment is the same as Figure 26 The methods shown are similar, but the difference is that the method of this embodiment further includes the following steps before step S401:

[0237] Step S407, using a predetermined encryption algorithm to generate the encryption key and the decryption key corresponding to the encryption key; and

[0238] Step S408: Send the decryption key to the third-party application.

[0239] According to the method of this embodiment, the encryption adopts an asymmetric encryption algorithm, which reduces the risk of key leakage. Moreover, the key is generated in advance, there is no need to collect the user's biometric data during decryption, which improves the convenience of the user.

[0240] See Figure 29 , Which is a flowchart of the encrypted data processing method of the thirteenth embodiment of the present invention. The method of this embodiment is the same as Figure 26 The methods shown are similar, but the difference is that the method of this embodiment further includes the following steps before step S401:

[0241] Step S409: Pre-collect user fingerprint characteristic data.

[0242] Step S402a includes: comparing the first biometric data with the fingerprint feature data collected in advance; if the two match with each other, the current user identity verification is passed.

[0243] Refer to Figure 13 After the third-party application 20 is started, it is determined whether the current user has registered to use the data encryption service; if the user is not registered, a registration interface can be displayed to guide the user to register. When the user confirms registration in the displayed guide interface, the data providing module 10 can be started, and the data providing module 10 completes the registration, that is, step S409 is executed.

[0244] Specifically, in step S409, only one piece of fingerprint characteristic data may be collected. Correspondingly, in step S402a, the user may be prompted to place the finger collected last time on the fingerprint recognizer for identity verification.

[0245] According to the method of this embodiment, only a single fingerprint characteristic data can be used for identity verification, which improves the convenience of the user.

[0246] See Figure 30 , Which is a flowchart of the encrypted data processing method of the fourteenth embodiment of the present invention. The method of this embodiment is the same as Figure 26 The methods shown are similar, but the difference is that the method of this embodiment further includes the following steps before step S401:

[0247] Step S410, pre-collecting fingerprint characteristic data of multiple fingers of the user to form a fingerprint characteristic sequence;

[0248] Step S402b includes: prompting the user to collect fingerprint characteristic data of the corresponding finger according to the order in the fingerprint characteristic sequence; and

[0249] The collected fingerprint feature data of multiple fingers are compared with the fingerprint feature sequence; if the two match with each other, the current user identity verification is passed.

[0250] It can be understood that in third-party applications, different security levels may be set for different usage scenarios, and some scenarios have lower security levels, and the single fingerprint verification in the thirteenth embodiment can be used. However, some scenarios have a higher security level, and the single fingerprint in the thirteenth embodiment may not meet the security requirements.

[0251] At this time, during the registration process, the user can be guided to collect fingerprint feature data of multiple fingers in advance, and these fingerprint feature data are arranged in the order of collection, thereby forming a fingerprint feature sequence.

[0252] In this way, when performing identity verification, the user may be prompted to collect fingerprint characteristic data of corresponding fingers according to the order in the fingerprint characteristic sequence; compare the fingerprint characteristic data of multiple fingers collected with the fingerprint characteristic sequence; if If the two match each other, the current user authentication is passed.

[0253] It can be understood that in the scenario where the fingerprint feature sequence is used, if any fingerprint feature cannot be matched, the user identity verification can be regarded as failing.

[0254] According to the method of this implementation, since the fingerprint characteristic sequence is used for identity verification, the security is further improved.

[0255] See Figure 31 , Which is a flowchart of a method for processing encrypted data in the fifteenth embodiment of the present invention. The method of this embodiment is the same as Figure 26 The methods shown are similar, but the difference is that the method of this embodiment further includes the following steps before step S401:

[0256] Step S411: Collect fingerprint characteristic data of multiple fingers of the user in advance. For example, the fingerprint characteristic data of all the fingers of the user or all the fingers of a hand can be all collected.

[0257] Step S402c includes: randomly selecting one or more fingerprint characteristic data from the multiple fingerprint characteristic data to form a fingerprint characteristic sequence;

[0258] Prompt the user to collect fingerprint characteristic data of the corresponding finger in sequence according to the order in the fingerprint characteristic sequence; and

[0259] The collected fingerprint feature data of multiple fingers are compared with the fingerprint feature sequence; if the two match with each other, the current user identity verification is passed.

[0260] According to the method of this embodiment, the security of identity verification is similar to the fingerprint characteristic sequence in the fifteenth embodiment, but the fingerprint characteristic sequence during each verification is randomly generated, which improves the flexibility of the identity process.

[0261] See Figure 32 , Which is a flowchart of the encrypted data processing method of the sixteenth embodiment of the present invention. The method of this embodiment is the same as Figure 26 The methods shown are similar, but the difference is that the method of this embodiment further includes the following steps after step S404:

[0262] Step S412: Perform identity verification based on the collected second biometric data of the current user; if the user's identity verification is passed, continue to return the encrypted data to the third-party application.

[0263] According to the method of this embodiment, after the encrypted data is returned to the third-party application, the user's biometric data is still monitored. If the user becomes an illegal user (the user's identity verification fails), the encrypted data is stopped to be returned. Further improve data security. When the user is still a legitimate user, continuing to return data can improve the convenience of the user.

[0264] See Figure 33 , Which is a flowchart of the encrypted data processing method of the seventeenth embodiment of the present invention. The method of this embodiment is the same as Figure 32 The methods shown are similar, but the difference is that the method of this embodiment further includes the following steps after step S413:

[0265] Step S414: Send a notification message to the third-party application to make the third-party application stop outputting the decrypted data.

[0266] In the method of the sixteenth embodiment, although it is detected that the user authentication fails to stop returning encrypted data, the third-party application still continues to output the previously received data; and according to the method of this embodiment, except for stopping In addition to returning the data, it also sends a notification message to the third-party application to stop the third-party application from outputting the decrypted data, which can further reduce the possibility of data leakage and improve data security.

[0267] See Figure 34 , Which is a flowchart of the encrypted data processing method of the eighteenth embodiment of the present invention. The method of this embodiment is the same as Figure 26 The methods shown are similar, but the difference is that the method of this embodiment further includes the following steps after step S404:

[0268] Step S415: Detect whether the current user's line of sight leaves the decrypted data; if so, make the third-party application continue to output the decrypted data, if not, stop the third-party application Output the decrypted data.

[0269] For example, the eye tracker detects whether the user's line of sight leaves the screen of the device, or takes a photo within the user's line of sight, and determines whether the photo includes the atlas image of encrypted data to determine whether the user's line of sight leaves the decrypted data.

[0270] According to the method of this embodiment, the output can be stopped when the user does not pay attention to the output decrypted data, thereby reducing the possibility of data leakage and improving data security.

[0271] See Figure 35 , Which is a flowchart of a method for processing encrypted data in the nineteenth embodiment of the present invention. The method of this embodiment is the same as Figure 26 The methods shown are similar, but the difference is that the method of this embodiment further includes the following steps after step S404:

[0272] In step S416, when the predetermined time is exceeded after the encrypted data is returned to the third-party application, the encryption key is updated and the decryption key corresponding to the updated encryption and decryption is sent to the third-party application.

[0273] For example, in the normal sending process of encrypted data, every predetermined time interval, the encryption key and the decryption key are regenerated, then the newly generated encryption and decryption is used for data encryption, and the encrypted data is returned to the third-party application. The decryption key needs to be sent to a third-party application for data decryption.

[0274] According to the method of this embodiment, since the regenerated key is used every interval of time, data security can be further improved and the security risk caused by key leakage can be reduced.

[0275] See Figure 36 , Which is a block diagram of an encrypted data processing device provided by the twentieth embodiment of the present invention. The device of this embodiment includes: an acquisition module 51, a decryption module 52, an output module 53, and a detection module 54.

[0276] The obtaining module 51 is configured to collect the first biometric data of the current user through a sensor after receiving an instruction to output encrypted data.

[0277] The decryption module 52 is configured to decrypt the acquired encrypted data by using the first key generated according to the first biometric data.

[0278] The output module 53 is configured to output the decrypted data if the encrypted data is successfully decrypted.

[0279] The detection module 54 is configured to detect whether the current user's identity has changed after outputting the decrypted data, and if it detects that the current user's identity has changed, the output module stops outputting the decrypted data.

[0280] According to the device of this embodiment, in order to output encrypted data, the user needs to continuously perform identity verification. For example, keep a finger on the fingerprint reader to generate a key to decrypt the data in real time, which can ensure that the current user is always Authorized users improve data security. In addition, since the key is generated in real time based on the data collected by the sensor, the electronic terminal does not need to store the key, which can prevent the key from being stolen and further improve the security of the data.

[0281] See Figure 37 , Which is a block diagram of an encrypted data processing device provided by the twenty-first embodiment of the present invention. The device of this embodiment is the same as Figure 36 The device is similar with the difference that it also includes a key generation module 55 and an encryption module 56.

[0282] The key generation module 55 is configured to generate a second key according to the collected third biometric data of the user; and

[0283] The encryption module 56 is configured to use the second key to encrypt data.

[0284] According to the method of this embodiment, an encryption function is provided for sensitive data, thereby improving data security.

[0285] See Figure 38 , Which is a block diagram of an encrypted data processing device provided by the twenty-second embodiment of the present invention. The device of this embodiment is the same as Figure 36 The device is similar, the difference is that it also includes a deletion module 57.

[0286] The deleting module 57 is configured to delete the decrypted data from the memory of the first electronic terminal after the output module 53 stops outputting the decrypted data.

[0287] For example, delete the decrypted data from non-volatile memory (such as hard disk, flash memory or solid-state memory), random access memory (memory or video memory). In this way, after the output is stopped, the decrypted data is cleared from the first electronic device, thereby preventing the possibility of the decrypted data being illegally copied or stolen, and improving data security.

[0288] See Figure 39 , Which is a partial block diagram of the encrypted data processing device provided by the twenty-third embodiment of the present invention. The device of this embodiment is the same as Figure 36 The device is similar to, and the difference is that the acquiring module 51 includes a pairing module 511, a first request module 512, and a first receiving module 513.

[0289] The pairing module 512 is used to establish a pairing relationship between the first electronic terminal and the second electronic terminal.

[0290] The first request module 512 is configured to send a request for obtaining the first biometric data to the second electronic terminal, so that the second electronic terminal calls the sensor to collect the first biometric data and collects the first biometric data. A biometric data is sent back to the first electronic terminal; and

[0291] The first receiving module 513 is configured to receive the first biometric data returned by the second electronic terminal.

[0292] According to the device of this embodiment, the sensor that collects biometric information is not limited to the electronic terminal that wants to output encrypted data, but can be an external sensor, or even a sensor in another electronic device, so as to provide encrypted data. The identity verification scenario offers more possibilities.

[0293] See Figure 40 , Which is a partial block diagram of the encrypted data processing device provided by the twenty-fourth embodiment of the present invention. The device of this embodiment is the same as Figure 36 The device is similar to, and the difference is that the acquisition module 51 includes: a second request module 521 and a second receiving module 522.

[0294] The second request module 521 is configured to send a request for obtaining the first biometric data to a server, so that the server issues the request for obtaining the first biometric data to a second electronic terminal, so as to Enabling the second electronic terminal to call the sensor to collect the first biometric data and transmit the collected first biometric data back to the server; and

[0295] The second receiving module 522 is configured to receive the first biometric data returned by the server.

[0296] According to the device of this embodiment, data can be shared between two electronic terminals in an encrypted manner, and the data needs to be authorized by the user at the sending end when the data is output, thereby avoiding security threats caused by data leakage and improving data security .

[0297] See Figure 41 , Which is a block diagram of an encrypted data processing device provided by the twenty-fifth embodiment of the present invention. The device of this embodiment is the same as Figure 36 The device is similar to, the difference is that it also includes a tracking module 58 for detecting whether the current user’s line of sight has left the decrypted data after outputting the decrypted data, and if so, stopping the output module Output the decrypted data; otherwise, enable the output module to resume outputting the decrypted data.

[0298] According to the device of this embodiment, after the encrypted data is decrypted and output, if it is detected that the user's sight is away from the output content, the output of the decrypted data is stopped, and the output of the decrypted data is resumed after detecting that the user pays attention to the output again , While maximizing data security, it can ensure the convenience of users.

[0299] See Figure 42 , Which is a block diagram of the encrypted data processing device provided by the twenty-sixth embodiment of the present invention. The device of this embodiment is the same as Figure 36 The device is similar to the device, the difference is that it also includes a prompt module 59 for displaying prompt information for prompting the user to perform identity verification after stopping the output of the decrypted data; or displaying a predefined picture, video or animation .

[0300] According to the device of this embodiment, when the output of decrypted data is stopped, a prompt message is also displayed to prompt the user for the next operation, or a predefined content is used to replace the displayed decrypted data to prevent data leakage and improve data safety.

[0301] See Figure 43 , Which is a block diagram of the encrypted data processing device provided by the twenty-seventh embodiment of the present invention. The device of this embodiment is the same as Figure 36 The device is similar to the device, and the difference is that it also includes a data acquisition module 510, configured to: receive encrypted data sent by the second electronic terminal before acquiring the first biometric data; or take a picture within the current user’s line of sight and The encrypted data is parsed from the picture.

[0302] According to the device of this embodiment, the source of the encrypted data is not limited to the inside of the electronic terminal, but can come from other electronic terminals, and even non-electronic media such as paper and pictures on the wall.

[0303] See Figure 44 , Which is a block diagram of an encrypted data processing device provided by the twenty-eighth embodiment of the present invention. The device of this embodiment includes: an encryption module 61, an identity verification module 62, a data sending module 63, and a detection module 64.

[0304] The encryption module 61 is configured to use an encryption key to perform encryption processing on the data to be encrypted;

[0305] The identity verification module 62 is configured to collect the first biometric data of the current user for identity verification after receiving a data acquisition request sent by a third-party application;

[0306] The data sending module 63 is configured to return the encrypted data to the third-party application if the user's identity verification is passed; and

[0307] The detection module 64 is configured to continuously perform identity verification based on the collected second biometric data of the current user after the data sending module starts to send encrypted data to the third-party application, and if the user identity verification fails, the data The sending module 63 stops returning the encrypted data to the third-party application.

[0308] Such as Figure 44 As shown, the data sent by the data sending module 63 is output after being decrypted by the output module 71 in the third-party application.

[0309] According to the device of this embodiment, data encryption and decryption are performed in two different application programs, and the data providing module 10 provides encrypted data in a centralized manner, so the data security of third-party applications can be improved.

[0310] See Figure 45 , Which is a block diagram of an encrypted data processing device provided by the twenty-ninth embodiment of the present invention. The device of this embodiment is the same as Figure 44 The device shown is similar, with the difference that it further includes: a first key generation module 65, configured to generate the encryption key or the decryption key according to the collected second biometric data of the current user.

[0311] According to the device of this embodiment, the encryption key and the decryption key are generated based on the collected biometric data of the user. Therefore, there is no need for the user to input or set the key, which improves the convenience of the user.

[0312] See Figure 46 , Which is a block diagram of an encrypted data processing device provided by the thirtieth embodiment of the present invention. The device of this embodiment is the same as Figure 44 The device shown is similar, with the difference that it also includes a second key generation module 66 and a key transmission module 67.

[0313] The second key generation module 66 is configured to use a predetermined encryption algorithm to generate the encryption key and the decryption key corresponding to the encryption key; and

[0314] The key sending module 67 is configured to send the decryption key to the third-party application.

[0315] According to the device of this embodiment, the encryption adopts an asymmetric encryption algorithm, which reduces the risk of key leakage. Moreover, the key is generated in advance, there is no need to collect the user's biometric data during decryption, which improves the convenience of the user.

[0316] See Figure 47 , Which is a block diagram of an encrypted data processing device provided by the thirty-first embodiment of the present invention. The device of this embodiment is the same as Figure 44 The device shown is similar, with the difference that it also includes a first registration module 68 for pre-collecting user fingerprint characteristic data. Specifically, the first registration module 68 may only collect one piece of fingerprint characteristic data.

[0317] The identity verification module 62 is configured to compare the first biometric data with the pre-collected fingerprint characteristic data; if the two match with each other, the current user identity verification is passed.

[0318] According to the device of this embodiment, only a single fingerprint characteristic data can be used for identity verification, which improves the convenience of the user.

[0319] See Figure 48 , Which is a block diagram of an encrypted data processing device provided by the thirty-second embodiment of the present invention. The device of this embodiment is the same as Figure 44 The device shown is similar, but the difference lies in that it also includes a second registration module 69 for pre-collecting fingerprint characteristic data of multiple fingers of the user to form a fingerprint characteristic sequence.

[0320] The identity verification module 62 includes: a prompt module 621 and a comparison module 622.

[0321] The prompting module 621 is configured to prompt the user to collect the fingerprint characteristic data of the corresponding finger according to the order in the fingerprint characteristic sequence; and

[0322] The comparison module 622 is used to compare the collected fingerprint feature data of multiple fingers with the fingerprint feature sequence; if the two match with each other, the current user identity verification is passed.

[0323] According to the device in this implementation, the fingerprint feature sequence is used for identity verification, which further improves security.

[0324] See Figure 49 , Which is a block diagram of an encrypted data processing device provided by the thirty-third embodiment of the present invention. The device of this embodiment is the same as Figure 48 The device shown is similar, and the difference lies in that it further includes a third registration module 610 for pre-collecting fingerprint characteristic data of multiple fingers of the user.

[0325] The identity verification module 62 further includes: a selection module 623, configured to randomly select one or more fingerprint characteristic data from the multiple fingerprint characteristic data to form a fingerprint characteristic sequence.

[0326] According to the device of this embodiment, the security of identity verification is similar to the fingerprint characteristic sequence in the fifteenth embodiment, but the fingerprint characteristic sequence during each verification is randomly generated, which improves the flexibility of the identity process.

[0327] See Figure 50 , Which is a block diagram of an encrypted data processing device provided by the thirty-fourth embodiment of the present invention. The device of this embodiment is the same as Figure 44 The device shown is similar, but the difference is that the identity verification module 622 also includes a first notification module 624, which is used to again according to the latest collection after the data sending module returns the encrypted data to the third-party application. Perform identity verification on the biometric data of the current user; if the user identity verification fails, the data sending module is made to stop returning the encrypted data to the third-party application.

[0328] According to the device of this embodiment, after the encrypted data is returned to the third-party application, the user's biometric data is continuously monitored. If the user becomes an illegal user (the user's identity verification fails), the encrypted data is stopped to be returned. Further improve data security.

[0329] See Figure 51 , Which is a block diagram of an encrypted data processing device provided by the thirty-fifth embodiment of the present invention. The device of this embodiment is the same as Figure 51 The device shown is similar, but the difference is that the identity verification module 622 further includes a second notification module 625, configured to send a notification message to the third-party application program if the user’s identity verification fails, so that the third party The application program stops outputting the decrypted data.

[0330] In the device of the thirty-fourth embodiment, although it is detected that the user's identity verification has not passed and the encrypted data is stopped, the third-party application program still continues to output the previously received data; and according to the method of this embodiment, except In addition to stopping returning data, it also sends a notification message to third-party applications to stop the third-party applications from outputting decrypted data, which can further reduce the possibility of data leakage and improve data security.

[0331] See Figure 52 , Which is a block diagram of an encrypted data processing device provided by the thirty-sixth embodiment of the present invention. The device of this embodiment is the same as Figure 44 The device shown is similar, but the difference is that it also includes a tracking module 612 for detecting whether the current user's line of sight leaves the decrypted data after returning the encrypted data to the third-party application; If so, the third-party application is made to continue to output the decrypted data, and if not, the third-party application is made to stop outputting the decrypted data.

[0332] According to the device of this embodiment, the output can be stopped when the user does not pay attention to the output decrypted data, thereby reducing the possibility of data leakage and improving data security.

[0333] See Figure 53 , Which is a block diagram of an encrypted data processing device provided by the thirty-seventh embodiment of the present invention. The device of this embodiment is the same as Figure 44 The device shown is similar, but the difference is that it also includes a key update module 613, which is used to update the encryption key and update the encryption key when it exceeds a predetermined time after returning the encrypted data to the third-party application. The decryption key corresponding to the updated encryption and decryption is sent to the third-party application.

[0334] According to the device of this embodiment, since the regenerated key is used every interval of time, data security can be further improved and the security risk caused by key leakage can be reduced.

[0335] The above are only the preferred embodiments of the present invention and do not limit the present invention in any form. Although the present invention has been disclosed as above in preferred embodiments, it is not intended to limit the present invention. Anyone skilled in the art , Without departing from the scope of the technical solution of the present invention, when the technical content disclosed above can be used to make some changes or modification into equivalent embodiments with equivalent changes, as long as the technical content of the present invention is not deviated from the technical solution of the present invention, according to the technology of the present invention Essentially, any brief modifications, equivalent changes and modifications made to the above embodiments still fall within the scope of the technical solutions of the present invention.