A web-based biometric method, apparatus and device
By introducing a Trusted Execution Environment (TEE) into an HTML5-based application and using a TEE layer module to collect and sign biological information, the problem of biological information being hijacked on the transmission link is solved, and the secure acquisition and integrity protection of biological information is achieved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- SHANGHAI JIAOTONG UNIV
- Filing Date
- 2022-06-27
- Publication Date
- 2026-06-09
AI Technical Summary
HTML5-based applications are vulnerable to hijacking by attackers during the bioinformatics collection process, which can compromise the integrity of the bioinformatics data.
A Trusted Execution Environment (TEE) is used to protect the biometric information acquisition process. The TEE layer module calls the camera component to collect biometric information, and the signature is processed in the Trusted Execution Environment to ensure that the information is not hijacked on the transmission link.
It enables the secure extraction of biological information on a web page and protects its integrity in a TEE environment to prevent hijacking by attackers and ensure the security of biological information.
Smart Images

Figure CN115062314B_ABST
Abstract
Description
Technical Field
[0001] This document relates to the field of computer technology, and in particular to a web-based biometric method, apparatus, and device. Background Technology
[0002] With the development of the Internet and the popularization of smart terminals, HTML5-based applications are becoming increasingly popular. The advantage of HTML5-based applications is that users can open the corresponding applications without downloading the application (i.e., APP). In other words, users can access the application's URI address through the webview control embedded in the application to achieve the purpose of accessing HTML5-based applications.
[0003] For login authentication or identification processes of HTML5-based applications, the current methods still involve scanning image codes by opening the login app or entering user credentials on a webpage. However, during the authentication process, data collected by HTML5-based applications is easily intercepted. Therefore, there is a need for a technical solution that enables HTML5-based applications to securely acquire biometric information, ensure the integrity of this information, and prevent interception by attackers during transmission. Summary of the Invention
[0004] The purpose of the embodiments in this specification is to provide a technical solution for an HTML5-based application to securely acquire biological information, ensure the integrity of the biological information, and prevent the biological information from being hijacked by attackers on the transmission link.
[0005] To achieve the above technical solution, the embodiments in this specification are implemented as follows:
[0006] This specification provides an embodiment of a web-based biometric identification method applied to a terminal device, the terminal device including a trusted execution environment. The method includes: obtaining a biometric identification command initiated by a target user through a target web application; sending a biometric identification request corresponding to the biometric identification command to the trusted execution environment through the target web application; invoking a biometric information collection component through the trusted execution environment and collecting the target user's biometric information through the biometric information collection component, and providing the biometric information to the trusted execution environment; and sending the biometric information and the biometric identification request to a server, the biometric information and the biometric identification request being used to trigger the server to perform biometric identification processing on the target user based on the biometric information.
[0007] This specification provides an embodiment of a web-based biometric device, equipped with a trusted execution environment (TEE). The device includes: a webview module integrated into the target webpage program; a webview module that calls the API of the application layer module to obtain a biometric command initiated by the target user and sends a biometric request corresponding to the command to the application layer module; the application layer module that sends the biometric request to the native layer module; the native layer module that sends the biometric request to the TEE layer module; the TEE layer module that, through the trusted execution environment, calls a camera component to collect the target user's biometric information, provides the biometric information to the trusted execution environment, signs the biometric information in the trusted execution environment, and sends the signed biometric information to the native layer module; the native layer module that sends the signed biometric information to the application layer module; and the application layer module that sends the signed biometric information and the biometric request to a server. The signed biometric information and the biometric request trigger the server to verify the signed biometric information, and upon successful verification, performs biometric processing on the target user based on the biometric information.
[0008] This specification provides an embodiment of a web-based biometric device, comprising: a processor; and a memory configured to store computer-executable instructions, wherein the executable instructions, when executed, cause the processor to: acquire a biometric instruction initiated by a target user through a target webpage program; send a biometric request corresponding to the biometric instruction to a trusted execution environment through the target webpage program; invoke a biometric information acquisition component through the trusted execution environment, and acquire the target user's biometric information through the biometric information acquisition component, and provide the biometric information to the trusted execution environment; and send the biometric information and the biometric request to a server, wherein the biometric information and the biometric request are used to trigger the server to perform biometric processing on the target user based on the biometric information.
[0009] This specification also provides a storage medium for storing computer-executable instructions. When executed by a processor, these instructions implement the following process: Obtaining a biometric instruction initiated by a target user through a target webpage program; sending a biometric request corresponding to the biometric instruction to a trusted execution environment through the target webpage program; invoking a biometric information acquisition component through the trusted execution environment, and collecting the target user's biometric information through the biometric information acquisition component, and providing the biometric information to the trusted execution environment; sending the biometric information and the biometric request to a server, whereby the biometric information and the biometric request trigger the server to perform biometric processing on the target user based on the biometric information. Attached Figure Description
[0010] To more clearly illustrate the technical solutions in the embodiments or prior art of this specification, the drawings used in the description of the embodiments or prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments recorded in this specification. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0011] Figure 1 This specification provides an example of a web-based biometric device.
[0012] Figure 2 This is a schematic diagram of the structure of a REE and a TEE;
[0013] Figure 3 This is another embodiment of a web-based biometric device described in this specification;
[0014] Figure 4A This is an embodiment of a webpage-based biometric identification method described in this specification;
[0015] Figure 4B This is a schematic diagram of a web-based biometric process described in this specification;
[0016] Figure 5 This is a schematic diagram of another web-based biometric process described in this manual;
[0017] Figure 6 This is a schematic diagram of yet another web-based biometric process described in this specification;
[0018] Figure 7 This specification describes an example of a web-based biometric device.
[0019] Legend:
[0020] 110 - WebView module, 120 - Application layer module, 130 - Native layer module, 140 - TEE layer module, 150 - Bioinformatics acquisition component, 160 - Memory, 170 - Trusted application, 200 - Server. Detailed Implementation
[0021] This specification provides a web-based biometric identification method, apparatus, and device.
[0022] To enable those skilled in the art to better understand the technical solutions in this specification, the technical solutions in the embodiments of this specification will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this specification, and not all embodiments. Based on the embodiments in this specification, all other embodiments obtained by those skilled in the art without creative effort should fall within the scope of protection of this specification.
[0023] Example 1
[0024] like Figure 1 As shown in the embodiments of this specification, a web-based biometric device is provided. This device can be a terminal device, such as a mobile terminal device like a mobile phone or tablet, or a terminal device like a personal computer or laptop. The device is equipped with a Trusted Execution Environment (TEE). This TEE can be implemented using a program written in a predetermined programming language (i.e., in software form), or it can be implemented using both hardware and a pre-written program (i.e., in a hardware + software form). This TEE can serve as a secure operating environment for data processing. The device includes a webview module 110, an application layer module 120, a native layer module 130, and a TEE layer module 140, wherein:
[0025] With the development of the internet and the widespread adoption of smart terminals, HTML5-based applications are becoming increasingly common. The advantage of HTML5 applications is that users can open them without downloading the application (i.e., an app). Users can access the application's URI address through an embedded webview control. Typically, apps use biometric authentication to verify user identity. Biometric authentication eliminates the need for users to input other credentials, greatly simplifying the login process. However, implementing biometric login authentication usually requires high security. Conventional applications control components such as cameras and request users to blink or open their mouths to verify user authenticity, or they use secure cameras within a trusted execution environment to obtain biometric information, ensuring the process is not vulnerable to attackers. HTML5 application login authentication, however, still uses traditional methods: scanning an image code by opening the login app, or entering user credentials on a webpage. Since web applications have limited control over components like cameras on terminal devices, the aforementioned app-based user authentication methods are generally not applicable to HTML5 applications. Biometric authentication in HTML5-based applications is easily vulnerable to attacks. By injecting pre-prepared data into the data transmission link during the authentication process, user identity hijacking attacks can be achieved. Therefore, there is a need for a technical solution that can securely acquire biometric information, ensure its integrity, and prevent hijacking during transmission. This specification provides an achievable technical solution, which may include the following:
[0026] A web-based biometric system based on a TEE can be implemented on a mobile smart terminal system. The terminal device can run a Trusted Execution Environment (REE), consisting of parallel-running REEs and a general-purpose REE. The REE can be a secure data processing environment isolated from other environments; that is, processing performed within the REE, and the data generated during data processing, cannot be accessed by other execution environments or applications outside the REE. For example... Figure 2As shown, a Trusted Execution Environment (REE) can be implemented by creating a small operating system that can run independently in a trusted zone (such as TrustZone). The REE can provide services directly through system calls (such as those handled directly by the TrustZone kernel). A device can include both a REE (Generic Execution Environment) and a REE. The REE can run the operating system installed on the terminal device, such as Android, iOS, Windows, and Linux. REEs are characterized by powerful features, openness, and good scalability, providing all the device's functionalities, such as camera and touch functionality, to upper-layer applications. However, REEs have many security vulnerabilities. For example, the operating system can obtain all the data of an application, but it is difficult to verify whether the operating system or the application has been tampered with. If tampered with, user information will be at significant security risk. Therefore, a REE within the device is needed to address these vulnerabilities. The Trusted Execution Environment (TEE) has its own execution space, meaning that an operating system also exists within the TEE. The TEE offers a higher level of security than the Reliable Execution Environment (REE). The software and hardware resources accessed by the TEE on the device are separate from those of the REE. However, the TEE can directly access information from the REE, while the REE cannot access information from the TEE. The TEE can perform verification and other processing through provided interfaces, thereby ensuring that user information (such as payment information and user privacy information) is not tampered with, passwords are not hijacked, and fingerprints or facial recognition information is not stolen. Specifically, the TEE runs the TEE layer module 140, while the REE runs the native layer module 130, the application layer module 120, and the webview module 110.
[0027] The WebView module 110 can be a module used to create a webpage view. The WebView module 110 can be embedded within the target webpage application on the terminal device. The WebView module 110 enables hybrid front-end development, and most hybrid development frameworks can be further developed based on the WebView model. The target webpage application can be a webpage built based on Hypertext Markup Language (HTML), specifically, it can be a webpage built based on HTML5.
[0028] Application layer module 120 can integrate functions such as biometric information collection and login authentication. Application layer module 120 can call native layer module 130 and interact with native layer module 130 and webview module 110. In addition, it can establish a secure link with server 200 and interact with information through this secure link.
[0029] The native layer module 130 can provide a link for interaction with the TEE layer module 140 of the Trusted Execution Environment (TEE), and can write code to interact with the TEE layer module 140 to implement corresponding functions. The native layer module 130 can establish a session with the TEE layer module 140, which can trigger the TEE layer module 140 to create a trusted application 170 instance and the aforementioned session. Furthermore, the native layer module 130 can close the session with the TEE layer module 140 and can trigger the TEE layer module 140 to close the aforementioned session and shut down the trusted application 170.
[0030] TEE layer module 140 can provide a secure link for calling biometric information acquisition components such as camera components, and can write code to interact with native layer module 130. Through this code, an instance of trusted application 170 can be created, a session with native layer module 130 can be created, corresponding function calls can be made, and the aforementioned session and the instance of trusted application 170 can be closed.
[0031] In practical applications, the TEE layer module 140, native layer module 130, application layer module 120, and webview module 110 can be installed sequentially on the terminal device. Through these modules, the following functions can be achieved:
[0032] The webview module 110 can be integrated into the target web application. When a user (i.e., the target user) needs to perform biometric identification, the biometric instruction mechanism provided in the webview module 110 can be triggered. At this time, the target web application generates a biometric instruction. The terminal device can obtain the biometric instruction initiated by the target web application. The webview module 110 can call the API of the application layer module 120 and obtain the biometric instruction initiated by the target user. Then, it can send the biometric request corresponding to the biometric instruction to the application layer module 120.
[0033] Application layer module 120 can send the aforementioned biometric request to native layer module 130. Native layer module 130 can then send the biometric request to TEE layer module 140. TEE layer module 140 can invoke the camera component through a trusted execution environment (TEE) and collect the target user's biometric information. It can then provide this biometric information to the TEE, perform signature processing on the biometric information within the TEE, and send the signed biometric information to native layer module 130. Native layer module 130 can then send the signed biometric information to application layer module 120. Application layer module 120 can send the signed biometric information and the aforementioned biometric request to server 200. Server 200 can verify the signed biometric information and, upon successful verification, perform biometric processing on the target user based on the corresponding biometric information. The server can then obtain the corresponding identification result and send it to application layer module 120. Application layer module 120 can forward the identification result to webview module 110, which can then present the identification result to the target user.
[0034] It should be noted that the biometric information in the embodiments of this specification may include various types, such as fingerprint information, facial information, palm print information, iris information, etc. The above information may be presented as an image or as data composed of characters, etc., which can be set according to the actual situation. This specification does not limit this.
[0035] This specification provides a web-based biometric device with a trusted execution environment (TEE). The device includes a webview module integrated into the target web application. This webview module calls the API of the application layer module to obtain a biometric command initiated by the target user. It then sends a biometric request corresponding to the command to the application layer module. The biometric request is then sent to a TEE layer module via the application layer module and the native layer module. The TEE layer module calls a camera component through the TEE and collects the target user's biometric information. This biometric information is provided to the TEE, where it is signed. The signed biometric information is then provided to a server. The server verifies the signed biometric information and, upon successful verification, performs biometric identification on the target user. This TEE-based web application biometric mechanism securely extracts the user's biometric information on the web page within the TEE environment and provides integrity protection measures for this information, ensuring that the biometric information is not hijacked by attackers during transmission.
[0036] Example 2
[0037] This specification provides an embodiment of a web-based biometric device, which includes... Figures 1-2 The diagram shows all the functional modules of a web-based biometric device, and improvements have been made to it as follows:
[0038] like Figure 3 As shown, in practical applications, the main functions of application layer module 120 can include integrating functions such as biometric information collection and login authentication. Specifically, this can be achieved by adding a JSBridge bridge between the webview layer and the native layer module 130 through the native API of the target webpage program's kernel (e.g., WebKit). The JSBridge bridge enables bidirectional communication between the native layer module 130 and the webview module 110. Application layer module 120 will receive biometric requests sent by webview module 110 through the JSBridge bridge and send biometric request results back to webview module 110. In addition, through standard Java classes such as HttpURLConnection, application layer module 120 can establish a secure connection with server 200, send collected biometric information and biometric requests to server 200, and receive recognition results returned by server 200.
[0039] In addition, such as Figure 3 As shown, the functions of the webview module 110 may include: providing the target web application with a biometric or biometric-based login authentication interface. Specifically, the target web application can use the JSBridge to call the JS API of the application layer module 120 to initiate a biometric request and receive the recognition result for further processing by the target web application.
[0040] In practical applications, such as Figure 3As shown, the main functions of the native layer module 130 may include: providing a link for interaction with the TEE layer module 140 of the trusted execution environment. Specifically, this may include: in a general execution environment, code that interacts with the TEE layer module 140 can be written using libraries such as libteec. This code can achieve functions such as establishing a session context between the native layer module 130 and the TEE layer module 140; establishing a session between the native layer module 130 and the TEE layer module 140; and triggering the TEE layer module 140's method to create a trusted application 170 (i.e., TA) instance and create a session. The TEE layer module 140 returns the session creation result to the native layer module 130; it sends a biometric request to the biometric information collection method of the TEE layer module 140, and the TEE layer module 140 returns the command execution result to the native layer module 130; it closes the session with the TEE layer module 140, and can trigger the TEE layer module 140 to close the session and close the instance of trusted application 170 (i.e., TA), and the TEE layer module 140 returns the session closure result to the native layer module 130; it releases the session context previously created by the native layer module 130. Finally, the above code is compiled into a CA in a general execution environment.
[0041] Based on the above, the native layer module 130 can establish a session context with the TEE layer module 140, and trigger the TEE layer module 140 to create a trusted application 170 in the trusted execution environment, and perform signature processing on the biometric information in the trusted execution environment. When the interaction with the TEE layer module 140 is completed, the TEE layer module 140 is triggered to close the session and close the trusted application 170, and release the session context with the TEE layer module 140.
[0042] In practical applications, such as Figure 3As shown, the main functions of the TEE layer module 140 can include: providing a secure link for calling biometric information acquisition components (such as camera components). Specifically, the terminal device can provide secure biometric information acquisition component hardware, which updates the acquired biometric information to memory 160, accessible only by the trusted execution environment. The DMA mechanism within the trusted execution environment can be used to securely acquire the target user's biometric information. Therefore, based on the memory 160 access controller SDK provided by the mobile intelligent terminal development platform in the terminal device, functional functions for acquiring biometric information via a secure DMA channel and signing biometric information using the user key stored in the trusted application 170 can be written for the TEE layer module 140. Simultaneously, code interacting with the native layer module 130 can be added to the TEE layer module 140 using libraries such as libteec. This code can implement functions including creating a TA (Trusted Application 170) instance, creating a session with the native layer module 130, calling the aforementioned functional functions, closing the session and the TA instance, and finally, compiling the above code into a trusted application TA170 within the trusted execution environment.
[0043] Based on the above, the TEE layer module 140 can store the aforementioned biometric information in memory 160, which is accessible only to the trusted execution environment, and trigger the trusted execution environment to directly read the biometric information stored in memory 160. Furthermore, the TEE layer module 140 can create a trusted application 170 within the trusted execution environment and trigger the trusted application 170 in the trusted execution environment to perform signature processing on the biometric information, obtaining the signed biometric information, and then sending the signed biometric information and biometric request to the server 200.
[0044] In implementation, an information transmission channel can be established between the trusted execution environment and the server 200. The signed biometric information and biometric request can be sent to the server 200 through this information transmission channel. Alternatively, the signed biometric information can be sent to the native layer module 130 through the trusted application 170 in the trusted execution environment. The native layer module 130 can then send the signed biometric information to the application layer module 120. The application layer module 120 can then send the signed biometric information and biometric request to the server 200. The specific settings can be configured according to the actual situation, and this embodiment does not limit this.
[0045] This specification provides a web-based biometric device with a trusted execution environment (TEE). The device includes a webview module integrated into the target web application. This webview module calls the API of the application layer module to obtain a biometric command initiated by the target user. It then sends a biometric request corresponding to the command to the application layer module. The biometric request is then sent to a TEE layer module via the application layer module and the native layer module. The TEE layer module calls a camera component through the TEE and collects the target user's biometric information. This biometric information is provided to the TEE, where it is signed. The signed biometric information is then provided to a server. The server verifies the signed biometric information and, upon successful verification, performs biometric identification on the target user. This TEE-based web application biometric mechanism securely extracts the user's biometric information on the web page within the TEE environment and provides integrity protection measures for this information, ensuring that the biometric information is not hijacked by attackers during transmission.
[0046] Example 3
[0047] like Figure 4A and 4B As shown in the embodiments of this specification, a web-based biometric identification method is provided. The execution subject of this method can be the terminal device provided in the above embodiments. This terminal device can be a mobile terminal device such as a mobile phone or tablet computer, or a terminal device such as a personal computer or laptop computer. The terminal device is equipped with a trusted execution environment (TEE). This TEE can be implemented through a program written in a predetermined programming language (i.e., it can be implemented in software), or it can be implemented through a combination of hardware devices and pre-written programs (i.e., it can be implemented in hardware + software). This trusted execution environment can be a secure operating environment for data processing. The method specifically includes the following steps:
[0048] In step S402, the biometric command initiated by the target user through the target web page program is obtained.
[0049] In step S404, the target web page program sends the biometric request corresponding to the above biometric instruction to the trusted execution environment.
[0050] In implementation, the webview module 110 can call the API of the application layer module 120 to obtain the biometric command initiated by the target user, and can send the biometric request corresponding to the biometric command to the application layer module 120. The application layer module 120 can send the biometric request to the native layer module 130, and the native layer module 130 can send the biometric request to the TEE layer module 140, so that the biometric request can be included in the trusted execution environment.
[0051] In step S406, the trusted execution environment invokes the bio-information acquisition component 150, and the bio-information acquisition component 150 acquires the target user's bio-information and provides the bio-information to the trusted execution environment.
[0052] In step S408, the aforementioned biometric information and biometric request are sent to server 200. The biometric information and biometric request are used to trigger server 200 to perform biometric processing on the target user based on the biometric information.
[0053] In implementation, an information transmission channel can be established between the trusted execution environment and the server 200 according to the actual situation. Biometric information in the trusted execution environment can be sent to the server 200 through the pre-built information transmission channel between the trusted execution environment and the server 200, and biometric identification requests can also be sent to the server 200.
[0054] This specification provides a web-based biometric identification method. It involves acquiring a biometric instruction initiated by a target user through a target web application, sending a biometric request corresponding to the instruction to a trusted execution environment (TEE) via the web application, then using the TEE to call a biometric information acquisition component to collect the target user's biometric information. This biometric information is then provided to the TEE. Finally, the biometric information and the biometric request are sent to a server, which performs biometric processing on the target user based on the biometric information. This TEE-based web application biometric identification mechanism securely extracts the user's biometric information on the web page within a TEE environment and implements integrity protection measures for this information, ensuring that the biometric information is not hijacked by attackers during transmission.
[0055] Example 4
[0056] like Figure 5As shown in the embodiments of this specification, a web-based biometric identification method is provided. The execution subject of this method can be the terminal device provided in the above embodiments. This terminal device can be a mobile terminal device such as a mobile phone or tablet computer, or a terminal device such as a personal computer or laptop computer. The terminal device is equipped with a trusted execution environment (TEE). This TEE can be implemented through a program written in a predetermined programming language (i.e., it can be implemented in software), or it can be implemented through a combination of hardware devices and pre-written programs (i.e., it can be implemented in hardware + software). This trusted execution environment can be a secure operating environment for data processing. The method specifically includes the following steps:
[0057] In step S502, the biometric command initiated by the target user through the target webpage program is obtained.
[0058] The target webpage program can be a webpage built based on the Hypertext Markup Language (HTML5).
[0059] In step S504, the target web page program sends the biometric request corresponding to the above biometric instruction to the trusted execution environment.
[0060] The specific processing procedures for steps S502 and S504 can be found in the relevant content of the above embodiments, and will not be repeated here.
[0061] In step S506, the bio-information acquisition component is invoked through the trusted execution environment, and the bio-information acquisition component collects the target user's bio-information.
[0062] In step S508, the aforementioned biological information is stored in memory accessible only by a trusted execution environment.
[0063] In step S510, the biological information stored in memory is read directly through a trusted execution environment.
[0064] In step S512, in a trusted execution environment, the above-mentioned biometric information is signed by a trusted application to obtain the signed biometric information.
[0065] In step S514, the signed biometric information and the aforementioned biometric request are sent to the server. The signed biometric information and the biometric request are used to trigger the server to verify the signed biometric information, and after the verification is successful, biometric processing is performed on the target user based on the biometric information.
[0066] This specification provides a web-based biometric identification method. It involves acquiring a biometric instruction initiated by a target user through a target web application, sending a biometric request corresponding to the instruction to a trusted execution environment (TEE) via the web application, then using the TEE to call a biometric information acquisition component to collect the target user's biometric information. This biometric information is then provided to the TEE. Finally, the biometric information and the biometric request are sent to a server, which performs biometric processing on the target user based on the biometric information. This TEE-based web application biometric identification mechanism securely extracts the user's biometric information on the web page within a TEE environment and implements integrity protection measures for this information, ensuring that the biometric information is not hijacked by attackers during transmission.
[0067] Example 5
[0068] The following will provide a detailed explanation of the above-mentioned web-based biometrics through specific application scenarios. These scenarios may include: facial recognition applications, where the target web application is a webpage built with HTML5 (hereinafter referred to as an H5 webpage), the biometric information acquisition component is a camera, the biometric information is a facial image, the biometric request is a facial recognition request, and the biometric command is a facial recognition command.
[0069] like Figure 6 As shown in the embodiments of this specification, a web-based biometric identification method is provided. The execution subject of this method can be the terminal device provided in the above embodiments. This terminal device can be a mobile terminal device such as a mobile phone or tablet computer, or a terminal device such as a personal computer or laptop computer. The terminal device is equipped with a trusted execution environment (TEE). This TEE can be implemented through a program written in a predetermined programming language (i.e., it can be implemented in software), or it can be implemented through a combination of hardware devices and pre-written programs (i.e., it can be implemented in hardware + software). This trusted execution environment can be a secure operating environment for data processing. The method specifically includes the following steps:
[0070] In step S602, the facial recognition command initiated by the target user through the H5 webpage is obtained.
[0071] In step S604, a facial recognition request corresponding to the aforementioned facial recognition instruction is sent to the trusted execution environment via an H5 webpage.
[0072] In step S606, the camera is invoked through the trusted execution environment, and the facial image of the target user is captured through the camera.
[0073] In step S608, the facial image is stored in memory accessible only by a trusted execution environment.
[0074] In step S610, the facial image stored in memory is read directly through a trusted execution environment.
[0075] In step S612, in a trusted execution environment, the facial image is signed by a trusted application to obtain a signed facial image.
[0076] In step S614, the signed facial image and the aforementioned facial recognition request are sent to the server. The signed facial image and the facial recognition request are used to trigger the server to perform signature verification on the signed facial image, and after the signature verification is successful, facial recognition is performed on the target user based on the facial image.
[0077] This specification provides a web-based biometric identification method. It involves acquiring a biometric instruction initiated by a target user through a target web application, sending a biometric request corresponding to the instruction to a trusted execution environment (TEE) via the web application, then using the TEE to call a biometric information acquisition component to collect the target user's biometric information. This biometric information is then provided to the TEE. Finally, the biometric information and the biometric request are sent to a server, which performs biometric processing on the target user based on the biometric information. This TEE-based web application biometric identification mechanism securely extracts the user's biometric information on the web page within a TEE environment and implements integrity protection measures for this information, ensuring that the biometric information is not hijacked by attackers during transmission.
[0078] Example 6
[0079] The above describes a web-based biometric method provided in the embodiments of this specification. Based on the same idea, the embodiments of this specification also provide a web-based biometric device, which includes a trusted execution environment, such as... Figure 7 As shown.
[0080] The web-based biometric device can provide terminal devices, etc., for the above embodiments.
[0081] Web-based biometric devices can vary significantly in configuration and performance, and may include one or more processors 701 and memory 702. Memory 702 may store one or more application programs or data. Memory 702 may be temporary or persistent storage. The application programs stored in memory 702 may include one or more modules (not shown), each module including a series of computer-executable instructions for the web-based biometric device. Furthermore, processor 701 may be configured to communicate with memory 702 and execute the series of computer-executable instructions in memory 702 on the web-based biometric device. Web-based biometric devices may also include one or more power supplies 703, one or more wired or wireless network interfaces 704, one or more input / output interfaces 705, and one or more keyboards 706.
[0082] Specifically, in this embodiment, the web-based biometric device includes a memory and one or more programs, wherein one or more programs are stored in the memory, and one or more programs may include one or more modules, and each module may include a series of computer-executable instructions for the web-based biometric device, and is configured to be executed by one or more processors. The one or more programs include computer-executable instructions for performing the following:
[0083] Obtain biometric commands initiated by the target user through the target web application;
[0084] The target webpage program sends a biometric request corresponding to the biometric instruction to the trusted execution environment.
[0085] The trusted execution environment invokes the biometric information collection component, and the biometric information collection component collects the target user's biometric information and provides the biometric information to the trusted execution environment.
[0086] The biometric information and the biometric request are sent to the server, and the biometric information and the biometric request are used to trigger the server to perform biometric processing on the target user based on the biometric information.
[0087] In the embodiments of this specification, providing the biological information to the trusted execution environment includes:
[0088] The biological information is stored in memory accessible only by the trusted execution environment;
[0089] The biological information stored in the memory can be read directly through the trusted execution environment.
[0090] In the embodiments of this specification, sending the biometric information and the biometric request to the server includes:
[0091] The biometric information in the trusted execution environment is sent to the server through a pre-built information transmission channel between the trusted execution environment and the server, and the biometric identification request is also sent to the server.
[0092] In the embodiments of this specification, sending the biometric information and the biometric request to the server includes:
[0093] In the trusted execution environment, the biometric information is signed by a trusted application to obtain the signed biometric information.
[0094] The signed biometric information and the biometric request are sent to the server.
[0095] In the embodiments described in this specification, the target webpage program is a webpage built based on the Hypertext Markup Language (HTML5).
[0096] This specification provides a web-based biometric device. It acquires a biometric command initiated by a target user through a target web application, and sends a biometric request corresponding to the command to a trusted execution environment (TEE). The TEE then invokes a biometric information acquisition component to collect the target user's biometric information, which is provided to the TEE. Finally, the biometric information and the biometric request are sent to a server. The server performs biometric processing on the target user based on the biometric information. This TEE-based web application biometric mechanism securely extracts the user's biometric information on the web page within a TEE environment and implements integrity protection measures for the biometric information within the TEE environment, ensuring that the biometric information is not hijacked by attackers during transmission.
[0097] Example 7
[0098] Furthermore, based on the above Figures 4A-6 The method shown in this specification, along with one or more embodiments, also provides a storage medium for storing computer-executable instruction information. In one specific embodiment, the storage medium can be a USB flash drive, optical disc, hard disk, etc. When the computer-executable instruction information stored in the storage medium is executed by a processor, it can achieve the following process:
[0099] Obtain biometric commands initiated by the target user through the target web application;
[0100] The target webpage program sends a biometric request corresponding to the biometric instruction to the trusted execution environment.
[0101] The trusted execution environment invokes the biometric information collection component, and the biometric information collection component collects the target user's biometric information and provides the biometric information to the trusted execution environment.
[0102] The biometric information and the biometric request are sent to the server, and the biometric information and the biometric request are used to trigger the server to perform biometric processing on the target user based on the biometric information.
[0103] In the embodiments of this specification, providing the biological information to the trusted execution environment includes:
[0104] The biological information is stored in memory accessible only by the trusted execution environment;
[0105] The biological information stored in the memory can be read directly through the trusted execution environment.
[0106] In the embodiments of this specification, sending the biometric information and the biometric request to the server includes:
[0107] The biometric information in the trusted execution environment is sent to the server through a pre-built information transmission channel between the trusted execution environment and the server, and the biometric identification request is also sent to the server.
[0108] In the embodiments of this specification, sending the biometric information and the biometric request to the server includes:
[0109] In the trusted execution environment, the biometric information is signed by a trusted application to obtain the signed biometric information.
[0110] The signed biometric information and the biometric request are sent to the server.
[0111] In the embodiments described in this specification, the target webpage program is a webpage built based on the Hypertext Markup Language (HTML5).
[0112] This specification provides a storage medium that acquires a biometric command initiated by a target user through a target web application, sends a biometric request corresponding to the biometric command to a trusted execution environment (TEE) through the target web application, then calls a biometric information acquisition component through the TEE to collect the target user's biometric information, provides the biometric information to the TEE, and finally sends the biometric information and the biometric request to a server. The server performs biometric processing on the target user based on the biometric information. In this way, the TEE-based web application biometric mechanism realizes the secure extraction of the user's biometric information on the web page through the TEE environment, and implements integrity protection measures for the biometric information in the TEE environment to ensure that the biometric information is not hijacked by attackers on the transmission link.
[0113] The foregoing has described specific embodiments of this specification. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims may be performed in a different order than that shown in the embodiments and may still achieve the desired result. Furthermore, the processes depicted in the drawings do not necessarily require the specific or sequential order shown to achieve the desired result. In some embodiments, multitasking and parallel processing are possible or may be advantageous.
[0114] In the 1990s, improvements to a technology could be clearly distinguished as either hardware improvements (e.g., improvements to the circuit structure of diodes, transistors, switches, etc.) or software improvements (improvements to the methodology). However, with technological advancements, many methodological improvements today can be considered direct improvements to the hardware circuit structure. Designers almost always obtain the corresponding hardware circuit structure by programming the improved methodology into the hardware circuit. Therefore, it cannot be said that a methodological improvement cannot be implemented using a hardware physical module. For example, a Programmable Logic Device (PLD) (e.g., a Field Programmable Gate Array (FPGA)) is such an integrated circuit whose logic function is determined by the user programming the device. Designers can program a digital system themselves to "integrate" it onto a PLD, without needing chip manufacturers to design and manufacture dedicated integrated circuit chips. Furthermore, nowadays, instead of manually manufacturing integrated circuit chips, this programming is mostly implemented using "logic compiler" software. Similar to the software compiler used in program development, the original code before compilation must be written in a specific programming language, called a Hardware Description Language (HDL). There are many HDLs, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM, and RHDL (Ruby Hardware Description Language). Currently, the most commonly used are VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog. Those skilled in the art should understand that by simply performing some logic programming on the method flow using one of these hardware description languages and programming it into an integrated circuit, the hardware circuit implementing the logical method flow can be easily obtained.
[0115] The controller can be implemented in any suitable manner. For example, it can take the form of a microprocessor or processor and a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, application-specific integrated circuits (ASICs), programmable logic controllers, and embedded microcontrollers. Examples of controllers include, but are not limited to, the following microcontrollers: ARC625D, Atmel AT91SAM, Microchip PIC18F26K20, and Silicon Labs C8051F320. A memory controller can also be implemented as part of the control logic of the memory. Those skilled in the art will also recognize that, in addition to implementing the controller in purely computer-readable program code form, the same functionality can be achieved by logically programming the method steps to make the controller take the form of logic gates, switches, ASICs, programmable logic controllers, and embedded microcontrollers. Therefore, such a controller can be considered a hardware component, and the means included therein for implementing various functions can also be considered as structures within the hardware component. Alternatively, the means for implementing various functions can be considered as both software modules implementing the method and structures within the hardware component.
[0116] The systems, devices, modules, or units described in the above embodiments can be implemented by computer chips or entities, or by products with certain functions. A typical implementation device is a computer. Specifically, a computer can be, for example, a personal computer, laptop computer, cellular phone, camera phone, smartphone, personal digital assistant, media player, navigation device, email device, game console, tablet computer, wearable device, or any combination of these devices.
[0117] For ease of description, the above apparatus is described by dividing it into various functional units. Of course, when implementing one or more embodiments of this specification, the functions of each unit can be implemented in one or more software and / or hardware.
[0118] Those skilled in the art will understand that the embodiments of this specification can be provided as methods, systems, or computer program products. Therefore, one or more embodiments of this specification may take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, one or more embodiments of this specification may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0119] Embodiments in this specification are described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of this specification. It will be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable parallel device to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable parallel device, generate instructions for implementing the flowchart illustrations. Figure 1 One or more processes and / or boxes Figure 1 A device that provides the functions specified in one or more boxes.
[0120] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable fraud device to operate in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1 The function specified in one or more boxes.
[0121] These computer program instructions can also be loaded onto a computer or other programmable device, causing a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable device for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.
[0122] In a typical configuration, a computing device includes one or more processors (CPU), input / output interfaces, network interfaces, and memory.
[0123] Memory may include non-persistent storage in computer-readable media, such as random access memory (RAM) and / or non-volatile memory, such as read-only memory (ROM) or flash RAM. Memory is an example of computer-readable media.
[0124] Computer-readable media includes both permanent and non-permanent, removable and non-removable media that can store information using any method or technology. Information can be computer-readable instructions, data structures, modules of programs, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, CD-ROM, digital versatile optical disc (DVD) or other optical storage, magnetic tape, magnetic magnetic disk storage or other magnetic storage devices, or any other non-transferable medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media does not include transient computer-readable media, such as modulated data signals and carrier waves.
[0125] It should also be noted that the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.
[0126] Those skilled in the art will understand that the embodiments of this specification can be provided as methods, systems, or computer program products. Therefore, one or more embodiments of this specification may take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, one or more embodiments of this specification may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0127] One or more embodiments of this specification can be described in the general context of computer-executable instructions, such as program modules, that are executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc., that perform a particular task or implement a particular abstract data type. One or more embodiments of this specification can also be practiced in distributed computing environments where tasks are performed by remote processing devices connected via a communication network. In distributed computing environments, program modules can reside in local and remote computer storage media, including storage devices.
[0128] The various embodiments in this specification are described in a progressive manner. Similar or identical parts between embodiments can be referred to interchangeably. Each embodiment focuses on describing the differences from other embodiments. In particular, the system embodiments are basically similar to the method embodiments, so the description is relatively simple; relevant parts can be referred to the descriptions in the method embodiments.
[0129] The above description is merely an embodiment of this specification and is not intended to limit this application. Various modifications and variations can be made to this specification by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this specification should be included within the scope of the claims of this specification.
Claims
1. A webpage-based biometric identification method applied to a terminal device, the terminal device including a trusted execution environment, the method comprising: Obtain biometric commands initiated by the target user through the target web application; The target webpage program sends a biometric request corresponding to the biometric instruction to the trusted execution environment through the webview module integrated therein. The webview module provides the target webpage program with an interface for calling biometrics or biometric-based login authentication. The trusted execution environment invokes the biometric information collection component, and the biometric information collection component collects the target user's biometric information and provides the biometric information to the trusted execution environment. The biometric information and the biometric request are sent to the server, and the biometric information and the biometric request are used to trigger the server to perform biometric processing on the target user based on the biometric information.
2. The method according to claim 1, wherein providing the biological information to the trusted execution environment comprises: The biological information is stored in memory accessible only by the trusted execution environment; The biological information stored in the memory can be read directly through the trusted execution environment.
3. The method according to claim 2, wherein sending the biometric information and the biometric request to the server comprises: The biometric information in the trusted execution environment is sent to the server through a pre-built information transmission channel between the trusted execution environment and the server, and the biometric identification request is also sent to the server.
4. The method according to claim 2, wherein sending the biometric information and the biometric request to the server comprises: In the trusted execution environment, the biometric information is signed by a trusted application to obtain the signed biometric information. The signed biometric information and the biometric request are sent to the server.
5. The method according to any one of claims 1-4, wherein the target webpage program is a webpage built based on Hypertext Markup Language (HTML5).
6. A web-based biometric device, equipped with a trusted execution environment, the device comprising: The webview module is integrated into the target web application. It calls the API of the application layer module and obtains the biometric command initiated by the target user. It then sends the biometric request corresponding to the biometric command to the application layer module. The webview module provides the target web application with an interface for calling biometrics or biometric-based login authentication. The application layer module sends the biometric request to the native layer module; The native layer module sends the biometric request to the TEE layer module; The TEE layer module calls the camera component through the trusted execution environment, collects the target user's biometric information through the camera component, provides the biometric information to the trusted execution environment, performs signature processing on the biometric information in the trusted execution environment, and sends the signed biometric information to the native layer module. The native layer module sends the signed biometric information to the application layer module; The application layer module sends the signed biometric information and the biometric request to the server. The signed biometric information and the biometric request are used to trigger the server to verify the signed biometric information, and after the verification is successful, perform biometric processing on the target user based on the biometric information.
7. The apparatus according to claim 6, wherein the application layer module adds a bridge between the webview module and the native layer module, and receives the biometric request sent by the webview module through the bridge, the bridge being used to perform bidirectional communication between the webview module and the native layer module.
8. The apparatus according to claim 7, wherein the native layer module establishes a session context with the TEE layer module, triggers the TEE layer module to create a trusted application in the trusted execution environment, performs signature processing on the biometric information in the trusted execution environment, and, upon completion of the interaction with the TEE layer module, triggers the TEE layer module to close the session and close the trusted application, and releases the session context with the TEE layer module.
9. The apparatus according to claim 8, wherein the TEE layer module stores the biological information in memory accessible only to the trusted execution environment, and triggers the trusted execution environment to directly read the biological information stored in the memory.
10. The apparatus according to any one of claims 6-9, wherein the TEE layer module creates a trusted application in the trusted execution environment, triggers the trusted application in the trusted execution environment to perform signature processing on the biometric information, obtains the signed biometric information, and sends the signed biometric information and the biometric identification request to the server.
11. A web-based biometric device, the web-based biometric device comprising a trusted execution environment, including: processor; as well as A memory configured to store computer-executable instructions, which, when executed, cause the processor to: Obtain biometric commands initiated by the target user through the target web application; The target webpage program sends a biometric request corresponding to the biometric instruction to the trusted execution environment through the webview module integrated therein. The webview module provides the target webpage program with an interface for calling biometrics or biometric-based login authentication. The trusted execution environment invokes the camera component and collects the target user's biometric information through the camera component, then provides the biometric information to the trusted execution environment. The biometric information and the biometric request are sent to the server, and the biometric information and the biometric request are used to trigger the server to perform biometric processing on the target user based on the biometric information.
12. A storage medium for storing computer-executable instructions, which, when executed by a processor, perform the following process: Obtain biometric commands initiated by the target user through the target web application; The target web application sends a biometric request corresponding to the biometric instruction to the trusted execution environment through the webview module integrated in the target web application. The webview module provides the target web application with an interface for calling biometrics or biometric-based login authentication. The trusted execution environment invokes the camera component and collects the target user's biometric information through the camera component, then provides the biometric information to the trusted execution environment. The biometric information and the biometric request are sent to the server, and the biometric information and the biometric request are used to trigger the server to perform biometric processing on the target user based on the biometric information.