Home-based care for the aged nursing service authenticity guarantee method and system based on whole-process double verification
By employing a full-process dual-authentication method in the home-based elderly care service system, and using dynamic key seeds and Shamir threshold key sharding technology, the security issues of centralized key management are solved, achieving dynamic key management and high-efficiency security, and improving the system's resistance to attacks and its credibility.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- GUANGDONG LIANAN XIANGRUI HEALTH MANAGEMENT CO LTD
- Filing Date
- 2026-03-05
- Publication Date
- 2026-06-05
Smart Images

Figure CN122160047A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the fields of trusted execution environment security enhancement and key lifecycle management technology, and in particular to a method and system for ensuring the authenticity of home-based elderly care services based on end-to-end dual verification. Background Technology
[0002] The key to ensuring the authenticity of home-based elderly care services lies in the dual verification of multi-dimensional data, including identity, behavior, and time and space. With the advancement of the Internet of Things, smart hardware, and data security standards, Trusted Execution Environments (TEEs), due to their hardware isolation and trusted computing capabilities, are gradually becoming the mainstream technology platform for verifying the authenticity of elderly care services. Common solutions within mainstream dual-verification systems in this field include static certificate chains, centralized key management servers, pre-configured public-private key pair distribution mechanisms, blockchain-based evidence storage key distribution, and remote mutual authentication technologies between TEEs and the cloud. These technologies have played a crucial role in unified access control, key sharing, and remote secure negotiation, supporting the basic security needs of large-scale home-based elderly care service data in areas such as identity verification, behavior authentication, and service auditing. However, with the surge in the number of service terminals and the expansion of the attack surface, centralized key management has gradually exposed the following core shortcomings: Centralized storage and distribution at a single point means that critical information is always hosted in a fixed physical or logical location, regardless of whether it is through a cloud-based key management server, a blockchain key writing node, or pre-installed public and private key files on the terminal. Once the service node is attacked, internal operations are out of control, or the key lifecycle is compromised, the system is highly vulnerable to security incidents such as mass key leakage, replay attacks, and unauthorized transfers. The static lifecycle of keys means that traditional key distribution mechanisms treat keys as long-term static assets. Each terminal or service role is pre-configured with a unique public-private key pair or key slot, which means that once a key is leaked, it remains valid for a long time. It is difficult to achieve the ability to dynamically limit termination based on service events, identities, and time and space, which increases the risk of penetration-reuse attacks. Relying on a centralized trust anchor, regardless of whether it is based on a certificate chain or blockchain for evidence storage, the security of all keys ultimately depends on the root certificate, network ledger nodes, or centralized trust anchor, which poses the problem of difficulty in thoroughly investigating internal malicious acts and the spread of lateral attacks. Insufficient performance and elasticity, issues such as key synchronization cycle and remote authentication latency often manifest as response delays, certificate synchronization failures, or overall paralysis of the dual authentication function due to the unavailability of the key server in large-scale high-concurrency scenarios. Difficulty in tracing and physical destruction means that most key management schemes fail to achieve deep binding between keys and individual service events. Even after a key is revoked or expired, plaintext traces remain, making them vulnerable to technical threats such as cold start attacks, memory dumps, and side-channel parsing, which affect overall irreversible security and data auditability. Summary of the Invention
[0003] In order to solve the above-mentioned technical problems, this invention provides a method and system for ensuring the authenticity of home-based elderly care services based on full-process dual verification.
[0004] The technical solution of this invention is implemented as follows: a method for ensuring the authenticity of home-based elderly care services based on full-process dual verification, comprising: S1: Receive service context parameters, including service session identifier, caregiver biometric hash value, elderly person's unique fingerprint, service start time and GPS coarse positioning coordinates, wherein the service context parameters are derived from the service request and identity authentication process; S2: Perform a SHA3-256 hash operation on the received service context parameters and XOR them with the output of the hardware true random number generator to generate a dynamic key seed; S3: Input the dynamic key seed into the Shamir threshold key sharding algorithm (t=2, n=3) to generate a multi-dimensional sharded key group in real time within a trusted execution environment. The multi-dimensional sharded key group includes a verification factor key, a behavior signature key, and a spatiotemporal anchoring key. Each key shard is configured with an independent lifetime timer. S4: When the nursing staff completes the face liveness detection and voice command confirmation actions, a joint signature operation is performed on the liveness frame hash value and the voiceprint feature vector based on the verification factor key to generate a verification credential. S5: Continuously collect accelerometer and gyroscope time-series data streams, extract gait rhythm features, use the behavior signature key to generate a lightweight behavior watermark, and embed the behavior watermark into the header of the service log metadata data packet; S6: Package the verification credential, the behavior watermark, the service start time, and the GPS coarse positioning coordinates into an audit atomic unit, and upload it to the data recording and auditing process after encryption processing by the national cryptographic standard SM4-GCM in the trusted execution environment; S7: After the service ends, trigger the key slot erasure protocol to perform three overwrite operations on the memory areas where the verification factor key, the behavior signature key and the spatiotemporal anchoring key are located; S8: Invoke the access control mechanism of the trusted execution environment, perform access permission locking operations on the erased memory region, and inject a key destruction declaration into the system log.
[0005] This invention also provides a home-based elderly care service authenticity assurance system based on full-process dual verification, which uses the above-mentioned home-based elderly care service authenticity assurance method based on full-process dual verification to carry out the security management of the entire home-based elderly care service process.
[0006] The method and system for ensuring the authenticity of home-based elderly care services based on full-process dual verification provided by this invention have the following beneficial effects: (1) This invention effectively overcomes the technical defects of traditional home-based elderly care service systems, such as high risk of key leakage and prominent single point of failure, caused by long-term reliance on static key storage, by constructing a dynamic key lifecycle management system based on a Trusted Execution Environment (TEE). The five-dimensional parameters of service session identifier, biometric hash, device fingerprint, timestamp and location coordinates are integrated to generate a dynamic key seed. Entropy enhancement is achieved by using a hardware-level true random number generator and SHA3-256 hash algorithm to ensure that the key seed generated each time the service is started has high uniqueness and unpredictability. The key seed is split into multiple logical fragments through the (t=2,n=3) Shamir threshold secret sharing mechanism and written into the isolated key slots inside the TEE. Combined with their independent and strictly limited lifespan timers, each key fragment is only valid for a specific time period. After the expiration period, it automatically expires and triggers the subsequent destruction process, thereby completely eliminating the dependence on long-term key assets and realizing the paradigm shift from "static key protection" to "transient service contract", which significantly improves the system's anti-attack capability and overall security. (2) This invention introduces a multi-dimensional behavior binding and lightweight watermark embedding mechanism, which ensures low latency response and high concurrency processing capabilities while achieving a deep integration of service process authenticity verification and operational behavior auditability. In the TEE environment, the accelerometer and gyroscope time series data of nursing staff are continuously collected, gait rhythm features are extracted, and an uncopyable behavior watermark is generated using a key. This watermark is embedded in the service log metadata header to form a digital trace strongly associated with the specific action sequence. At the same time, after completing face liveness detection and voice command confirmation, the dual-modal biometric joint signature is generated using the verification factor key to form a dual verification credential. The above mechanism enables the cloud audit node to verify the validity of the signature and reverse the integrity of the service action through the public key without decrypting the original data. This ensures that privacy data is not leaked and achieves fine-grained traceability and non-repudiation support for the entire service process. In addition, all sensitive operations are limited to the service time window defined by the spatiotemporal anchor key. If the timeout is exceeded, the operation is rejected and the key self-destruction is triggered, which effectively prevents replay attacks and timeliness bypass, and greatly improves the robustness and credibility of the system in real complex environments. (3) This invention constructs a closed-loop, self-consistent secure service execution model by designing a full-link key residue-free management and automated destruction protocol. After each service, the TEE actively triggers the key slot erasure protocol to perform three overwrite operations (all zeros, all one values, and HRNG random values in sequence) on the memory pages containing the verification factor key, behavior signature key, and spatiotemporal anchor key. Access permissions are locked through the TZASC controller of ARM TrustZone to ensure that historical key information cannot be recovered even in the event of a high-level physical attack. At the same time, the system log is synchronously injected with a key destruction declaration containing the destruction time, service SID, TEE runtime environment hash, and hardware certificate chain, providing reliable evidence for subsequent compliance audits. This mechanism not only meets the requirements of the national cryptography management regulations regarding the storage time limit and erasure standards for sensitive information, but also achieves efficient, autonomous, and verifiable key termination management without adding extra communication overhead or introducing complex infrastructure such as blockchain. It is particularly suitable for edge terminal scenarios with limited resources but stringent security requirements. Attached Figure Description
[0007] Figure 1 The flowchart shows the method for ensuring the authenticity of home-based elderly care services based on full-process dual verification according to the present invention. Figure 2 This is a sub-flowchart of the method for ensuring the authenticity of home-based elderly care services based on full-process dual verification according to the present invention; Figure 3 This is another sub-flowchart of the method for ensuring the authenticity of home-based elderly care services based on full-process dual verification according to the present invention. Detailed Implementation
[0008] Embodiments of the present invention are described in detail below, examples of which are shown in the accompanying drawings, wherein the same or similar reference numerals denote the same or similar elements or elements having the same or similar functions throughout. The embodiments described below with reference to the accompanying drawings are exemplary and are only used to explain the present invention, and should not be construed as limiting the present invention.
[0009] The following disclosure provides many different embodiments or examples for implementing different structures of the invention. To simplify the disclosure, specific examples of components and arrangements are described below. Of course, these are merely examples and are not intended to limit the invention. Furthermore, reference numerals and / or letters may be repeated in different examples; such repetition is for simplification and clarity and does not in itself indicate a relationship between the various embodiments and / or arrangements discussed.
[0010] like Figure 1 As shown, this invention provides a method for ensuring the authenticity of home-based elderly care services based on end-to-end dual verification, specifically including: S1: Receive service context parameters, including service session identifier, caregiver biometric hash value, elderly person's unique fingerprint, service start time and GPS coarse positioning coordinates, wherein the service context parameters are derived from the service request and identity authentication process; S2: Perform a SHA3-256 hash operation on the received service context parameters and XOR them with the output of the hardware true random number generator to generate a dynamic key seed; S3: Input the dynamic key seed into the Shamir threshold key sharding algorithm (t=2, n=3) to generate a multi-dimensional sharded key group in real time within a trusted execution environment. The multi-dimensional sharded key group includes a verification factor key, a behavior signature key, and a spatiotemporal anchoring key. Each key shard is configured with an independent lifetime timer. S4: When the nursing staff completes the face liveness detection and voice command confirmation actions, a joint signature operation is performed on the liveness frame hash value and the voiceprint feature vector based on the verification factor key to generate a verification credential. S5: Continuously collect accelerometer and gyroscope time-series data streams, extract gait rhythm features, use the behavior signature key to generate a lightweight behavior watermark, and embed the behavior watermark into the header of the service log metadata data packet; S6: Package the verification credential, the behavior watermark, the service start time, and the GPS coarse positioning coordinates into an audit atomic unit, and upload it to the data recording and auditing process after encryption processing by the national cryptographic standard SM4-GCM in the trusted execution environment; S7: After the service ends, trigger the key slot erasure protocol to perform three overwrite operations on the memory areas where the verification factor key, the behavior signature key and the spatiotemporal anchoring key are located; S8: Invoke the access control mechanism of the trusted execution environment, perform access permission locking operations on the erased memory region, and inject a key destruction declaration into the system log.
[0011] Step S1: Receive service context parameters, including a service session identifier, a caregiver's biometric hash value, the elderly person's unique fingerprint, the service start time, and GPS coarse positioning coordinates. These service context parameters originate from the service request and authentication process. Specifically, this includes: S1.1: Based on the service session identifier parsing request, obtain the service session identifier of the current nursing task to establish the unique logical index basis for this double verification process; The encrypted request messages issued by the service request and authentication module are loaded into the input interface of the trusted execution environment. The message structure parsing algorithm (parameters: fixed header length = 64 bits, dynamic field index table) is used to realize the segmentation and destructive function of the message. Furthermore, the service session identifier field in the request message is accurately located and extracted using a field matching retrieval algorithm (parameters: session identifier field label="SID", field length=128bit), and a binary SID data block is obtained. Furthermore, the legality of the SID data block is confirmed through a format verification algorithm (parameters: the verification rule set includes three items: length verification, character set verification, and CRC verification), and a legal session identifier value that conforms to the preset standard is generated. Furthermore, a unique index construction algorithm (parameter: index hash algorithm = SHA3-256) is used to perform a one-way hash operation on the valid session identifier value and generate an irreversible logical index key value, which serves as the unique logical index basis for this dual verification process; By using a secure buffer write process, the logical index key value output by the previous step is transformed into a data object that conforms to the internal calling interface of the trusted execution environment, thereby achieving secure storage of the unique logical index and availability for subsequent verification calls. For example, in a home-based elderly care scenario, when the service request and authentication module send a request message to the TEE, the configured message has a fixed header length of 64 bits, and the dynamic field index table includes a session identifier field label "SID" with a field length of 128 bits. CRC polynomial parameters are used during the parsing process. The SID data block is verified to determine its validity. A valid SID value is then processed using SHA3-256 to generate a 256-bit hash index key. This key is written to the TEE secure buffer and bound to the current nursing task instance. When concurrent verification requests are processed on another terminal, even with identical message structures, logical isolation is achieved due to the different SID hash results, avoiding the risk of cross-validation. Verification response latency is maintained within 230ms, meeting the target requirements of low latency and high concurrency. S1.2: Using the raw biological signals output by the biometric acquisition terminal, a feature extraction algorithm is executed to generate biometric hash values of nursing staff, so as to quantitatively represent the uniqueness of the service provider's identity; The raw biological signals output by the biometric acquisition terminal are processed by a multimodal signal preprocessing algorithm (parameters: sampling rate 48kHz, sensing channel includes RGB camera and MEMS microphone) to achieve noise reduction and amplitude normalization of video frames and audio streams. Furthermore, by using a dual-channel synchronization alignment algorithm (parameter: frame timing tolerance ≤ 5ms), the time base of video frames and audio streams is unified, and a synchronized multimodal signal sequence is obtained; Furthermore, a facial key point detection algorithm (parameter: 68-point feature template) is used to extract facial geometric structure feature vectors, and a voiceprint MFCC feature extraction algorithm (parameter: 26 filter banks, 39 coefficient dimensions) is used to generate a voiceprint spectrum feature matrix, forming feature data pairs with spatial and frequency domain information; Furthermore, feature fusion and normalization processing is performed to map the facial geometric structure feature vector and the voiceprint spectrum feature matrix to a high-dimensional fusion feature vector of uniform length, and to generate a data structure with cross-modal consistency. Furthermore, the SHA3-256 hash algorithm is invoked to perform a one-way hash operation on the high-dimensional fused feature vector to obtain the biometric hash value of the nursing staff, and the hash output is calculated using the following mathematical formula: , in, To fuse feature vectors, A hash value of 256 bits in length; By using feature extraction and one-way hashing algorithms, the results of the previous step are transformed into biometric hash values of nursing staff, thereby achieving quantification of identity uniqueness and irreversible encryption protection. For example, in a home-based elderly care scenario, the biometric data acquisition terminal is configured with a 1920×1080 resolution CMOS camera and a MEMS microphone with a signal-to-noise ratio ≥60dB, and the sampling rate is set to 48kHz. The video signal undergoes spatial denoising using a Gaussian filter, and the audio signal is bandpass filtered (300Hz~3400Hz) to suppress environmental noise. The synchronization alignment algorithm sets a frame timing tolerance threshold of 3ms to ensure multimodal signal consistency. Facial keypoint detection uses a 68-point Dlib model, outputting a 136-dimensional facial geometric feature vector; voiceprint feature extraction uses 26 MEL filter banks and a 39-dimensional MFCC coefficient set, including first-order and second-order dynamic coefficients. Fusion normalization concatenates the two types of features into a 175-dimensional high-dimensional vector and standardizes it using the Z-score method. The SHA3-256 hash function is called to perform a hash operation on the fused feature vector, generating a 256-bit biometric hash value. This hash value significantly improves the probability of detecting the same sample as the same person in the system test, and can maintain a stable unique identification capability in the cross-terminal verification process. S1.3: Read the hardware register information of the smart wearable device of the elderly being cared for, execute the device fingerprint generation algorithm to obtain the unique fingerprint of the elderly being cared for, and physically bind the trusted hardware entity of the service receiving end; S1.4: Call the system's high-precision clock source and the global positioning system module to synchronously capture the service start time and GPS coarse positioning coordinates in order to construct accurate spatiotemporal anchor point data of the service event occurrence; S1.5: Integrate the service session identifier, the biometric hash value of the caregiver, the unique fingerprint of the device of the elderly being cared for, the service start time, and the GPS coarse positioning coordinates, and encapsulate them into a standardized service context parameter set, which serves as the complete input vector for the subsequent entropy fusion engine to generate the dynamic key seed.
[0012] Step S2: Perform a SHA3-256 hash operation on the received service context parameters and XOR them with the output of the hardware true random number generator to generate a dynamic key seed. Specifically, this includes: S2.1: Perform serialization and concatenation processing on the five-dimensional service context parameters, namely service session identifier, caregiver biometric hash value, elderly person's unique fingerprint, service start time, and GPS coarse positioning coordinates, to construct an original parameter string containing spatiotemporal constraints and identity binding, which serves as the basic input data for subsequent hash operations; For the standardized service context parameter set obtained from the preceding step S1.5, a serialization splicing processing method (parameters: session identifier, biometric hash value of caregiver, unique fingerprint of the elderly being cared for, service start time, and GPS coarse positioning coordinates) is adopted to unify the five-dimensional heterogeneous data into a linear iterable byte stream structure. Furthermore, by using a standardized encoding method (parameters: UTF-8 encoding table, fixed field length constraint), the encoding alignment of each context parameter is achieved, and a set of encoded fields that do not lose semantic information in a cross-platform environment is obtained. Furthermore, by using a field delimiter insertion algorithm (parameters: delimiter selection rules, delimiter redundancy detection mechanism), the boundaries of each encoded field are made explicit, and a field sequence layout with reversible parsing capability is generated. Furthermore, a spatiotemporal binding mapping method (parameters: timestamp format, spatial coordinate format) is adopted to achieve close adjacency between the service start time and the GPS coarse positioning coordinates in the encoding sequence, and to generate a spatiotemporal sequence fragment consistent with the actual occurrence environment of the service event; By using field concatenation, the set of encoded fields from the previous step is converted into a raw parameter string containing spatiotemporal constraints and identity binding, thereby ensuring the uniqueness and unpredictability of the basic input data for subsequent hash operations. For example, in a real-world home-based elderly care service, the service session identifier is a 16-byte UUID "f81d4fae-7dec-11d0-a765-00a0c91e6bf6", the caregiver's biometric hash is a 64-byte hexadecimal string calculated using SHA3-256, the device's unique fingerprint is a 32-byte sequence generated by reading from a register, the service start time is in UTC format "2024-06-18T10:15:00Z", and the GPS coarse positioning coordinates are double-precision floating-point values of latitude 34.123456 and longitude 108.654321. The corresponding serialization and concatenation process first converts each parameter into a byte sequence using UTF-8 encoding, specifying that the session identifier field is 16 bytes long, the hash value is 64 bytes, the device fingerprint is 32 bytes, the timestamp is 20 bytes, and the GPS coordinates total 16 bytes. Then, the ASCII character "|" is inserted between each field as a separator, and a redundancy detection mechanism ensures that no extra separators are embedded. Finally, the timestamp and GPS coordinates are arranged adjacently to form a raw parameter string with a byte stream structure length of (16+1+64+1+32+1+36) bytes. This string is used as the sole input to the SHA3-256 hash algorithm in S2.2, ensuring that significantly different digest values are generated due to the spatiotemporal and identity differences of different care tasks, thereby enhancing the scenario uniqueness and security protection capabilities of the dynamic key seed. S2.2: Based on the original parameter string, call the SHA3-256 hash algorithm to perform one-way hash transformation processing to eliminate the linear correlation of the original data and generate a fixed-length deterministic digest value, ensuring that the input differences under different service scenarios can be mapped to significantly different hash output results; S2.3: The hardware true random number generator built into the Trusted Execution Environment is used to collect physical noise signals and perform entropy extraction processing to generate a true random number sequence with statistical independence and unpredictability. This injects the nondeterministic entropy source of the external physical world into the key seed to prevent pseudo-random number replay attacks. S2.4: Perform bitwise XOR logic hybrid operation on the deterministic digest value and the true random number sequence to fuse the deterministic service context features with the non-deterministic physical entropy source at the bit level, and generate a high-entropy intermediate hybrid data stream that combines scene uniqueness and random uncontrollability. S2.5: Perform standardized truncation and format encapsulation processing on the high-entropy intermediate mixed data stream to output a 256-bit dynamic key seed with a length strictly matching the algorithm requirements. This dynamic key seed serves as the sole input source to directly drive the subsequent execution of the Shamir threshold key fragmentation algorithm.
[0013] like Figure 2As shown, step S3 involves inputting the dynamic key seed into the Shamir threshold key sharding algorithm (t=2, n=3) to generate a multi-dimensional sharded key group in real time within a trusted execution environment. This multi-dimensional sharded key group includes a verification factor key, a behavior signature key, and a spatiotemporal anchoring key. Each key shard is configured with an independent lifetime timer. Specifically, this includes: S3.1: Obtain the dynamic key seed generated in the previous steps and the preset threshold cryptography protocol parameters. Perform polynomial interpolation on the dynamic key seed based on the Shamir threshold secret sharing algorithm to generate an initial set of fragmented keys containing three independent logical fragments. Any two fragments can reconstruct the original seed while a single fragment cannot reveal any information. Obtain the 256-bit dynamic key seed output from the previous steps, call the threshold cryptography algorithm module in the trusted execution environment to load the preset (t=2, n=3) parameters, and realize the Shamir threshold secret sharing initialization; Through the finite field GF( Constructing a random polynomial ,in For key seed integer mapping values, The coefficients for hardware-generated true random numbers are used to implement the definition of polynomials that depend on random coefficients and to perform operations in a specified finite field. Three partitioning points are generated through polynomial calculation. ), ( ), ( This enables the logical number binding and value calculation of fragmented data; Furthermore, the shard point data is encapsulated in a structured manner, including a shard index field, a shard value field, and a finite field identifier field, to ensure the uniqueness and verifiability of the shards in the subsequent reconstruction process; Verify that any two piecewise points are input to the Lagrange interpolation formula. The calculation verifies that the original seed can be completely reconstructed, ensuring that no single fragment can leak the original seed information; By using the Shamir threshold secret sharing algorithm, the dynamic key seed from the previous step is transformed into three independent logical fragments, forming an initial fragment key set, thus achieving a secure multi-dimensional splitting effect of the key within a trusted execution environment. For example, in a dual-authentication request for home-based elderly care services, the 256-bit dynamic key seed is mapped to GF( Integers in the field Hardware-generated true random number coefficients Construct polynomial The fragment values were calculated for x taking values of 1, 2, and 3 respectively. , , (All according to GF( (Domain modulo operation processing), encapsulated as a slice index {1,2,3} and its corresponding value. Randomly select slice indices 1 and 3 and perform the Lagrange interpolation reconstruction formula. The original seed 173 was correctly recovered, verifying the algorithm's effectiveness. In this scenario, the three fragment keys immediately enter the semantic mapping allocation process of S3.2 and remain in the TEE physical isolation zone, significantly improving the key's anti-tampering and anti-leakage capabilities; S3.2: Receive the initial fragment key set, and based on the functional requirements of the dual verification business scenario of home care service, perform semantic mapping and role allocation processing on the initial fragment key set to define the verification factor key used for video liveness comparison signature, the behavior signature key used for service action sequence watermark embedding, and the spatiotemporal anchoring key used for binding time stamp verification. Receive the initial fragment key set containing three independent logical fragments generated by step S3.1 as input data, call the functional semantic analysis module based on the dual verification business scenario of home care service, and load the business scenario parameter configuration set to clarify the various security operation requirements in the dual verification process; A key role semantic mapping algorithm (parameters: fragment index identifier, business function tag set, verification action type matrix) is adopted to realize the business function matching and judgment of each fragment in the initial fragment key set. Based on the participation weight distribution of the fragment when reconstructing the dynamic key seed, the fragment with high weight and fast verifiability is mapped to the verification factor key for video liveness comparison signature function. Furthermore, by using the key function association analysis method (parameters: behavior acquisition module call frequency, data stream timing characteristics, and segment synchronization coefficient), the function positioning of the remaining segments is realized. The segments that undertake the task of embedding real-time gait features and have moderate operation time are mapped to behavior signature keys to serve the action sequence watermark embedding function. Furthermore, through timestamp binding and spatial coordinate anchoring strategies (parameters: service start time, GPS coarse positioning coordinates, and fragment generation time sequence markers), the role of the last fragment is assigned, and the fragment with complete spatiotemporal constraint binding capability and used for long-term validity verification is mapped to a spatiotemporal anchoring key, which is used to bind the time sequence stamp verification function and ensure the spatiotemporal consistency of the verification data. Through the above key role semantic mapping and function allocation processing method, the initial fragment key set of the previous step is transformed into verification factor key, behavior signature key and spatiotemporal anchor key with clear business function labels and security attributes, realizing the functional output of multi-dimensional fragment key group, and providing basic data for subsequent independent lifetime configuration and secure instantiation deployment. For example, in a home-based elderly care dual-authentication scenario, the initial fragmented key set includes fragments A, B, and C. Fragment A has the highest bit weight distribution and the liveness detection delay measurement value is [value missing]. Therefore, it is mapped to the verification factor key; the frequency of behavior data collection calls for shard B is... And the gait feature generation time is The mapping is to the behavior signature key; the difference between the generation time of shard C and the service start time is . Furthermore, the spatial coordinate matching degree is extremely high, which is mapped to a spatiotemporal anchoring key. In the actual processing, the semantic mapping algorithm completes the allocation of shard roles based on the above measurement values and weight indicators, and outputs a functional key group with a tag set {"verification factor key", "behavioral signature key", "spatiotemporal anchoring key"}. After subsequent lifetime configuration and security slot deployment, the dual verification response latency is significantly reduced and the anti-forgery capability of the verification data is significantly improved. S3.3: Obtain the verification factor key, behavior signature key, and spatiotemporal anchor key. Based on the business operation time consumption characteristics and security window requirements corresponding to each key, configure a 90-second short-term timer for the verification factor key, a 180-second medium-term timer for the behavior signature key, and a long-term timer that strictly matches the service period for the spatiotemporal anchor key, so as to generate a controlled sharding key object with an independent lifetime attribute. Obtain the verification factor key, behavior signature key, and spatiotemporal anchor key output by sub-step S3.2, and use the lifetime parameter modeling method (parameters: business operation time consumption characteristics, security window threshold) to achieve precise limitation on the usage period of each key; Furthermore, by using a statistical analysis method based on time consumption characteristics (parameters: average operation time, maximum delay tolerance), the lifetime of the verification factor key is set to a short duration of ninety seconds, and initial value data for a short-cycle countdown is obtained. Furthermore, by using a security window width matching algorithm (parameters: behavior acquisition duration, processing buffer time), the behavior signature key lifetime is set to a medium validity period of 180 seconds, and a medium-period timer is generated to initialize the state matrix; Furthermore, by using the time period mapping verification method (parameters: service start time, service end time), the lifespan of the spatiotemporal anchor key is strictly matched with the service time period, and the start and end time index table of the long-cycle timer is obtained; By binding the lifetime attribute, the three types of keys output in the previous step are transformed into controlled fragmented key objects with independent lifetime attributes, thereby achieving the separation of key validity periods and self-destruction upon expiration in different business verification paths. For example, in a home care service dual verification process, the total time for face liveness detection and voice command confirmation corresponding to the verification factor key is 78 seconds, and the maximum value of the short-term timer configured using the time consumption feature statistical analysis method is 90 seconds; the total time for gait rhythm extraction and log embedding corresponding to the behavior signature key is 155 seconds, and the maximum value of the medium-term timer configured using the security window width matching algorithm is 180 seconds; the entire service period corresponding to the spatiotemporal anchoring key is from 09:00 to 09:15 on June 12, 2024, and the start and end indices of the long-term timer configured using the time period mapping verification method are 09:00 and 09:15 respectively. The initialization status of the three types of timers is calculated by the following formula to determine the remaining time of each timer: , in This represents the remaining time in seconds. Set the maximum number of seconds for the timer. This represents the number of seconds already used. For example, if the verification factor key has been executed for 78 seconds, the remaining time is calculated as follows: = Seconds. With the above configuration, the controlled fragment key objects output in this step can automatically trigger a destruction mechanism after their respective lifespans in practical applications, greatly improving the security and rationality of key lifecycle management; S3.4: Receive a controlled fragmented key object with independent lifetime attributes, call the hardware-level key isolation zone interface inside the trusted execution environment, and write the verification factor key, behavior signature key and spatiotemporal anchoring key into the mutually physically isolated dedicated key slots to complete the instantiation and deployment of the multidimensional fragmented key group in the secure storage area and activate their respective lifetime countdown mechanisms. S3.5: Monitor the status of the instantiated and deployed multi-dimensional shard key group, and perform real-time polling based on the lifetime timer value bound to each key slot. When it is detected that the remaining validity period of any shard key is lower than the preset threshold or returns to zero, the memory overwrite and destruction instruction of the shard key is automatically triggered to ensure that the key is only valid within the current service verification cycle and cannot be reused across scenarios. Within the trusted execution environment, the slot index of the instantiated and deployed multidimensional sharded key group and the initial value of the corresponding lifetime timer are loaded through the key slot status monitoring module to realize the real-time sampling function of the remaining validity period of each key; Furthermore, a polling detection algorithm driven by a high-precision hardware timer (parameters: polling period of 50ms, sampling error tolerance ≤1ms) is used to synchronously update the remaining validity period of the three key slots in each detection period, and obtain a state data matrix containing slot identifier, remaining duration and threshold parameters. Furthermore, the lifetime threshold comparison operation module (parameters: verification factor key threshold is 10 seconds, behavior signature key threshold is 20 seconds, and spatiotemporal anchoring key threshold is 1 minute) performs element-level comparison on the state data matrix to determine whether the remaining validity period of each key is lower than the preset threshold and generates a binary trigger flag vector. Furthermore, the target key slots that need to be destroyed are selected by triggering the flag vector parsing subsystem, and the memory overwrite destruction control algorithm is called (parameters: overwrite mode is all zeros → all ones → true random value, overwrite times are 3). Based on the direct memory access interface of the trusted execution environment, the physical address of the target slot is overwritten and written, and the slot status flag is updated to invalid after destruction. By using the above-mentioned real-time polling detection and threshold determination to trigger memory overwrite and destruction, the controlled fragment key object of the previous step is transformed into a transient key resource that is only valid within the current service verification cycle, thereby achieving the expected technical effect of key non-reuse across scenarios and physical-level secure erasure. For example, in a home-based elderly care service scenario, the system simultaneously deploys verification factor keys, behavioral signature keys, and spatiotemporal anchor keys, with corresponding lifetime timers set to 90 seconds, 180 seconds, and 15 minutes, respectively. The hardware polling cycle is fixed at 50ms with an error tolerance of ≤1ms. The key slot status monitoring module detects at 88 seconds, 160 seconds, and 890 seconds that the remaining validity of the verification factor key, behavioral signature key, and spatiotemporal anchor key is lower than a preset threshold. At this time, the threshold comparison operation module in the system generates trigger flag vectors [1,0,0], [0,1,0], and [0,0,1], respectively, triggering the destruction process of the three types of key slots in sequence. The memory overwrite destruction control algorithm performs writing according to a three-fold overwrite mode of all zeros, all ones, and true random values. In the random value overwrite stage, the output bitstream of the hardware true random number generator is used as the data source, and all generated final slot status flags are set to invalid. The execution results show that the verification factor key slot is no longer accessible after the 88th second, the behavior signature key slot is destroyed after the 160th second, and the spatiotemporal anchoring key slot is destroyed after the 890th second. All slots have no residual recoverable data after destruction, ensuring the performance characteristics of being valid within the key period and not reusable across scenarios.
[0014] like Figure 3 As shown, step S4: After detecting that the nursing staff has completed the face liveness detection and voice command confirmation actions, a joint signature operation is performed on the liveness frame hash value and the voiceprint feature vector based on the verification factor key to generate a verification credential. Specifically, this includes: S4.1: Obtain the real-time video stream frame sequence captured by the camera and the voice command audio stream recorded by the microphone. Perform a key point localization algorithm on the real-time video stream frame sequence to extract facial geometric feature vectors, and perform a Mel frequency cepstral coefficient extraction algorithm on the voice command audio stream to obtain the voiceprint spectrum feature matrix, thereby forming the original biometric dataset to be signed. For the real-time video stream frame sequence captured by the camera, a facial key point localization algorithm based on multi-scale convolution feature extraction (parameters: Gaussian pyramid layer number = 3, convolution kernel size = 5×5) is used to accurately locate facial geometric key points such as the corners of the eyes, the tip of the nose, and the corners of the mouth in each frame, and obtain the key point pixel coordinate matrix. Furthermore, by using the ellipse fitting method (parameter: least squares error threshold = 0.01) to perform shape model fitting operations on the key point pixel coordinate matrix, the facial contour curve and main structural features are accurately modeled, and a normalized facial geometric feature vector is generated. For the audio stream of voice commands recorded by the microphone, the short-time Fourier transform algorithm (parameters: frame length = 25ms, frame shift = 10ms, FFT points = 512) is used to calculate the time-frequency domain spectrum, and the power spectrum matrix is obtained as the basic data for subsequent frequency domain processing. Furthermore, a nonlinear mapping from the power spectrum matrix to the Mel frequency domain is achieved through Mel filter bank transformation (parameters: number of filters = 40, frequency range = 300~8000Hz), and a Mel energy coefficient matrix is generated by combining logarithmic compression operation. Furthermore, the discrete cosine transform algorithm (parameter: number of coefficients = 13) is used to perform energy compression and correlation orthogonalization operations on the Mel energy coefficient matrix to obtain the Mel frequency cepstral coefficient matrix as the acoustic signature spectrum feature matrix; Through the above algorithm chain, video stream frame sequences and audio streams are transformed into facial geometric feature vectors and voiceprint spectral feature matrices, respectively, to achieve unified construction and structured output of the original biometric dataset; For example, in a home care service scenario, a camera captures a real-time video stream with a resolution of 1920×1080, acquiring 30 frames per second. A three-layer Gaussian pyramid multi-scale convolutional network is used to extract facial key points, locating 68 standard key points in each frame, with a pixel coordinate output matrix dimension of 68×2. These points are then modeled using a least-squares ellipse fitting method, resulting in a facial geometric feature vector dimension of 136. The microphone-recorded audio stream of voice commands is sampled at 16000Hz, with a short-time Fourier transform frame length of 25ms, a frame shift of 10ms, and an FFT length of 512, resulting in a power spectrum matrix dimension of [missing information]. ,in The frame number is given. By using 40 Mel filters to cover the frequency range of 300Hz to 8000Hz and applying natural logarithmic compression, the Mel energy coefficient matrix is obtained with dimensions of [missing information]. The first 13 coefficients are extracted using discrete cosine transform to form the voiceprint spectrum feature matrix with dimension [missing information]. Under this configuration, the execution effect of this sub-step is that the facial key point localization accuracy is within 0.5 pixels, the signal-to-noise ratio of the voiceprint spectral feature matrix is significantly improved, and the original biometric dataset can be stably output, achieving high reliability for subsequent joint signature operations; S4.2: Based on the original biometric dataset, normalized hash mapping is performed on the facial geometric feature vector to generate live frame summary values, and vector quantization encoding is performed on the voiceprint spectral feature matrix to generate speech voiceprint feature vectors, thereby constructing a multimodal biometric fusion index with spatiotemporal consistency. S4.3: Call the verification factor key that is in a valid lifetime within the trusted execution environment, and use the national cryptographic SM2 digital signature algorithm to perform an encrypted signature operation on the multimodal biometric fusion index to generate an initial signature ciphertext block with a timestamp binding, so as to establish the logical association between biometric data and the current service session; The input conditions include a verification factor key that is within its valid lifetime and has been loaded from the hardware isolation zone of the trusted execution environment into the signature engine cache, and a multimodal biometric fusion index generated based on the previous sub-steps; The national cryptographic SM2 digital signature algorithm (parameters: the recommended elliptic curve sm2p256v1 is selected, the key length is 256 bits, and the random encryption factor is provided by a hardware true random number generator in a trusted execution environment) is used to realize the elliptic curve public key digital signature operation on the multimodal biometric fusion index. Furthermore, through a signature preprocessing method (parameters: Service Session Identifier SID, Fusion Index Vector, Current Precise Timestamp) ), and the above SID with Perform concatenation and call the hash algorithm Generate a digest value, combine it with the fusion index to form a signed message body, achieve a unique identifier for the message body structure, and obtain a unique input data block for the signature; Furthermore, by using the verification factor key as the private key input through the core elliptic curve signature process, the call... Algorithm signature function Perform operations on the unique input data block for the signature to generate a result containing signature parameters. and The initial signed ciphertext block ensures that the signature result is bound to the current service session and spatiotemporal constraints; Furthermore, by using the timestamp binding processing method (parameters: initial signature ciphertext block, hash digest of the current timestamp value), the hash digest is appended to the end of the signature ciphertext block, thereby achieving an inseparable association between the signature ciphertext and the service occurrence time, and generating the final timestamp-bound initial signature ciphertext block; Through the above algorithm chain, the multimodal biometric fusion index of the previous step is transformed into digital signature data with spatiotemporal binding attributes, thereby achieving the technical effect of securely establishing the logical association between biometric data and the current service session. For example, in a home-based elderly care service scenario, the facial geometric feature vector captured by the camera has a dimension of 68, and the voiceprint spectral feature matrix captured by the microphone has a dimension of 13×20. After preliminary steps, these are fused to form an 81-dimensional multimodal biometric fusion index. The SID is configured as "SID202406150930", representing the current timestamp. The time is 1686815400 seconds. Call The algorithm compares SID with Perform concatenated hashing, outputting a 256-bit digest value. The random encryption factor is generated by an HRNG within a trusted execution environment, with the entropy source collected from physical noise signals; it is 256 bits long. The signature private key is the verification factor key, with a key curve parameter of sm2p256v1. Execute... After the function, the signature parameters are obtained. =112 bytes and An initial signature ciphertext block of 112 bytes is generated and a hash digest is appended to form the final timestamp-bound signature data. During the verification process, any signature result must be matched with the current service's public key and timestamp to pass. In actual testing, the signature generation time in this scenario is 172 milliseconds, the verification factor key is not leaked, and the signature data can be correctly verified on the cloud audit node and cannot be replayed, significantly improving the anti-forgery capability and security of the verification process. S4.4: Perform integrity check code appending processing on the initial signature ciphertext block, mix the service session identifier and the device unique fingerprint as salt values into the verification calculation process, and generate a composite signature data packet with anti-replay attack capability to ensure that the signature result is only valid in the current specific terminal and service context; S4.5: Based on the composite signature data packet, perform structured encapsulation processing, integrate and output the signature data, liveness detection result flag and voice command matching score according to the preset audit atomic unit protocol format, and finally generate a standardized verification certificate for subsequent data recording and auditing processes.
[0015] Step S5: Continuously collect accelerometer and gyroscope time-series data streams, extract gait rhythm features, generate a lightweight behavior watermark using the behavior signature key, and embed the behavior watermark into the header of the service log metadata data packet. Specifically, this includes: S5.1: Acquire the raw time-series data stream output by the accelerometer and gyroscope, and perform sliding window filtering and gravity component separation processing on the raw time-series data stream to eliminate high-frequency noise interference from the device and calculate a pure triaxial linear acceleration vector sequence and angular velocity vector sequence that reflect the human motion trend; S5.2: Based on the pure triaxial linear acceleration vector sequence and angular velocity vector sequence, an adaptive peak detection algorithm is used to identify key event points of heel contact and toe lift in the gait cycle, so as to calculate the gait rhythm feature vector that characterizes the walking frequency and stride stability of nursing staff. Based on the pure triaxial linear acceleration vector sequence and angular velocity vector sequence, an adaptive peak detection algorithm (parameters: window length, dynamic threshold factor, peak width constraint coefficient) is used to realize the peak recognition function of heel contact event in periodic motion signal; Furthermore, by using an adaptive peak detection algorithm (parameters: window length and phase adjustment), the peak recognition function of toe-off events in the angular velocity vector sequence is realized, and the start and end time index data of each gait cycle are obtained. Furthermore, based on the start and end time index data, a gait segmentation processing method (parameters: gait cycle division mode, time synchronization offset correction factor) is adopted to extract the cycle slices of pure triaxial linear acceleration and angular velocity data, and generate the motion event time series within each cycle; Furthermore, the walking frequency is calculated using a frequency calculation formula based on the data extracted from periodic slices: , in, The average length of the gait cycle, in seconds. Furthermore, based on the difference in peak acceleration of the periodic slices, a stride length estimation formula is used to calculate the stride stability index: , in, This represents the change in stride length. Total number of cycles; By using adaptive peak detection and periodic slicing, the results of the previous step are transformed into gait rhythm feature vectors that characterize the walking frequency and stride stability of nursing staff, thereby enabling high-precision input data for the subsequent generation of behavioral signature key watermarks. For example, in a home-based elderly care service scenario, the sampling frequency of the pure triaxial linear acceleration vector sequence is configured to 100Hz, the sampling frequency of the angular velocity vector sequence is configured to 100Hz, the window length is set to 1.2 seconds, the dynamic threshold factor is set to 0.65, and the peak width constraint coefficient is set to 4 sampling points. The adaptive peak detection algorithm identifies the heel-to-ground peak in the acceleration Z-axis data and the toe-to-ground peak in the angular velocity Y-axis data, and outputs event time index sets respectively. During gait segmentation processing, based on the identified event indices, the acceleration and angular velocity data are sliced periodically, with each period having an average length of 0.48 seconds. The walking frequency is calculated using the formula: , The result was approximately 2.08 Hz. Stride stability was determined using stride difference data. The summation of absolute values, divided by the total number of cycles N=50, yields an average stride variation of approximately 0.045 meters. This feature vector significantly improves the accuracy and uniqueness of motion pattern recognition in the subsequent behavior watermark generation stage, while maintaining low latency and high concurrency performance during multi-terminal verification. S5.3: Using the behavior signature key generated in the preceding steps as an encryption seed, perform lightweight hash mapping and bit obfuscation operations on the gait rhythm feature vector to generate a unique and irreversible lightweight behavior watermark binary code stream. Given the input of gait rhythm feature vector, the behavior signature key generated in the previous step and in its valid lifespan is called as the encryption seed to ensure the unique binding of the subsequent watermark generation process with the current service context. A lightweight hash mapping method (parameters: gait rhythm feature vector, key seed length 256 bits) is adopted to realize the one-way hash calculation of the gait rhythm feature vector, so as to solidify the current gait data pattern and eliminate the reversibility of the original features, and output a fixed-length hash code stream. Furthermore, by performing XOR and cyclic shift combination processing based on the Bitwise confusion algorithm (parameters: key seed bit sequence, hash code stream bit sequence, confusion matrix size 64×64), nonlinear perturbation of the hash code stream at the bit level is achieved, and an intermediate code stream with randomized structure is obtained. Furthermore, by using bit-pair interpolation mask injection technology (parameter: the obfuscation mask is derived from a pseudo-random sequence of the behavior signature key), the intermediate code stream is reordered and masked, which further hides the potential gait feature patterns and generates a lightweight behavior watermark binary code stream with uniqueness and irreversibility. Through the hash mapping and bit obfuscation algorithm described above, the gait rhythm feature vector from the previous step is transformed into irregular, high-entropy binary watermark data, thereby achieving secure embedding capability and anti-counterfeiting effect of gait behavior identifier. For example, in a home-based elderly care scenario, the gait rhythm feature vector of caregivers is set as a floating-point sequence of length 128, and the behavior signature key seed length is 256 bits. Lightweight hash mapping uses SHA3-256, performing hash calculation after feature vector normalization to obtain a 256-bit hash code stream with uniform value distribution and an entropy value close to 8 bits. In the bitwise obfuscation algorithm, the obfuscation matrix is set to 64×64, and the obfuscated bits are calculated using the following formula: , in To obfuscate the output bit sequence, It is a hash code stream bit sequence. The key seed bit sequence is used. Bit swapping employs a cyclic shift strategy with a block size of 8 bits. The mask during the mask injection stage originates from a pseudo-random number generator driven by the behavior signature key, and the mask length corresponds to 64 blocks. After processing, the output behavior watermark binary stream maintains a length of 256 bits, and statistical tests show that its uniformity and non-correlation are significantly improved. After being embedded in the header of the service log metadata data packet, it can effectively identify and verify the authenticity of nursing staff's gait behavior, with no risk of irreversible recovery. S5.4: Read the header structure of the service log metadata data packet to be uploaded, and embed the lightweight behavior watermark binary code stream into the reserved verification field in the header of the service log metadata data packet using bit stuffing technology to form an enhanced service log metadata data packet containing behavior integrity identifier; Read the header structure of the service log metadata data packet to be uploaded, and use a predefined binary structure parsing method (parameters: starting offset, field length, field type) to realize the partition mapping and recognition of each verification field and reserved field in the packet header; Furthermore, by using field pointer arithmetic methods (parameters: starting address of reserved verification field, length of line watermark), the storage location of the reserved verification field can be accurately located, and the address of writable binary buffer data can be obtained. Furthermore, a bit-filling algorithm (parameters: behavior watermark binary code stream, field buffer size, filling mode index) is adopted to realize the bit-by-bit embedding of the behavior watermark bit string into the reserved verification field buffer and generate the embedded verification field data block. Furthermore, the CRC32 checksum update method (parameters: the embedded checksum field data block, other field data in the packet header) is used to recalculate the integrity of the packet header, ensuring that the embedding process does not destroy the metadata structure and generating an enhanced packet header checksum value. By using a structured reorganization method (parameters: enhanced packet header data block, remaining part of service log), the result of the previous step is transformed into an enhanced service log meta data packet containing behavioral integrity identifiers, thereby achieving the effect of immutable identification of service process behavioral characteristics during log transmission. For example, in a home-based elderly care service scenario, the collected gait rhythm feature vector is processed by behavior signature key hash mapping and bit obfuscation to obtain a lightweight behavior watermark binary code stream of length 128 bits. The header parsing parameters of the service log metadata data packet to be uploaded are set to a starting offset of 16 bytes, a reserved verification field length of 16 bytes, and a field type of unsigned integer array. The buffer address located by the field pointer operation is 0x0800, and the behavior watermark length is consistent with the reserved field length. The bit-filling algorithm selects the high-order bit-first mode, writing the most significant bit of the watermark code stream into the lowest address unit of the buffer, thus completing the bit-by-bit embedding. After embedding, the CRC32 algorithm is called, where the generator polynomial is... The embedded packet header is used to calculate a checksum, resulting in a new checksum of 0xA1B2C3D4. After structured reorganization, an enhanced service log metadata packet is formed. This packet, after being transmitted to the data recording and auditing module, can be used to verify the actual execution of nursing staff actions through watermark extraction. Moreover, the watermark value is unique across different devices and service sessions, significantly improving data tamper-proof capabilities and the reliability of behavior verification.
[0016] Step S6: Package the verification credential, the behavior watermark, the service start time, and the GPS coarse positioning coordinates into an audit atomic unit, encrypt it using the national cryptographic standard SM4-GCM within a trusted execution environment, and then upload it to the data recording and auditing process. Specifically, this includes: S6.1: Obtain the verification credentials, lightweight behavior watermark, service start time, and GPS coarse positioning coordinates generated by the previous steps, and perform structured serialization encapsulation processing on the four heterogeneous data items to generate an original audit data packet containing complete service context information, which serves as the input object for subsequent encryption processing. The system obtains the verification credentials, lightweight behavior watermark, service start time, and GPS coarse positioning coordinates generated by the previous steps. It then calls the high-speed buffer read interface of the trusted execution environment to extract the binary raw payload and corresponding metadata descriptor of the above four heterogeneous data items from the secure storage area, thereby achieving secure extraction of multi-source data. Furthermore, a data type identification and tagging method (parameters: verification certificate type code, behavior watermark type code, timestamp type code, and location coordinate type code) is used to perform type matching and tag binding processing on the four heterogeneous data items, and a set of data units with type self-description capability is obtained. Furthermore, through a structured serialization algorithm (parameters: unified byte order mode, field length specification, protocol header adaptation template), the position mapping and field arrangement of the data unit set in the unified binary structure are realized, and an intermediate serialized data stream with a protocol header, data body and tail check segment is generated. Furthermore, by using field sorting and index mapping methods (parameters: service context field priority table, position index offset), the dependency relationship of each field in the intermediate serialized data stream is optimized, and fields with high relevance are logically adjacent to each other to shorten the subsequent retrieval path and reduce redundant padding. Furthermore, through data alignment and padding control algorithms (parameters: memory page size, cache line boundary, alignment unit), bit-level alignment processing of the arranged fields is achieved, and original audit data packets that meet the requirements of storage access efficiency optimization are generated; By using serialization encapsulation, the four heterogeneous data results from the previous step are transformed into a complete binary raw audit data packet of the service context, thereby achieving a unified input standard and data integrity support in the subsequent encryption processing stage. For example, in a dual-verification process for home-based elderly care services, the verification credential consists of an SM2 signature result, 128 bytes in length; a lightweight behavioral watermark is generated by gait rhythm hashing, 32 bytes in length; the service start time is recorded as a UNIX timestamp, occupying 8 bytes; and the GPS coarse positioning coordinates are represented as double-precision floating-point numbers, compressed and encoded, occupying 16 bytes. During the secure extraction phase, the trusted execution environment reads the above data into a buffer and binds type labels to them (verification credential type code 0x01, behavioral watermark type code 0x02, timestamp type code 0x03, coordinate type code 0x04). Subsequently, the structured serialization algorithm arranges the fields in the following order according to the protocol template: verification credential → behavioral watermark → timestamp → positioning coordinates, and appends a 2-byte protocol header and a 4-byte CRC tail. The field sorting algorithm ensures that the verification credential and behavioral watermark are stored adjacently, reducing cross-cache line access; the data alignment algorithm pads the end of the field with zero values in 64-byte alignment units to achieve cache line alignment. The final output raw audit data packet has a total length of 192 bytes, which is directly used as the input object of the SM4-GCM encryption engine to ensure that the data remains structurally intact and traceable before transmission; S6.2: Extract key metadata fields based on the original audit data packet, and perform digest calculation processing on the key metadata fields using the SHA3-256 hash algorithm to generate an initial value of the plaintext authentication label for integrity verification, ensuring that the source of the data to be encrypted is trustworthy and has not been tampered with; S6.3: Invoke the national cryptographic SM4-GCM encryption engine in the trusted execution environment, load the currently valid spatiotemporal anchoring key as the symmetric encryption key, and perform Galois counter mode encryption processing with associated data on the original audit data packet to synchronously generate ciphertext payload data blocks and corresponding ciphertext authentication tags; The original audit data packet is invoked to call the national cryptographic SM4-GCM encryption engine interface integrated in the trusted execution environment, and a spatiotemporal anchored key with a valid lifespan is loaded as a symmetric encryption key to realize the key loading and session binding functions. Furthermore, the control logic is loaded via a key (parameters: current service session SID, anchor timestamp). Anchoring coordinates This implements the initialization vector for the SM4-GCM engine. The construction of the associated data input buffer is obtained. To ensure that associated data participates in the authentication label calculation process to prevent tampering; Furthermore, the SM4-GCM mode core algorithm is adopted (parameters: block length 128 bits, counter increment strategy, Galois field multiplication polynomial). ), to implement the original audit data packet The block encryption process generates the corresponding intermediate ciphertext block sequence. ; Furthermore, the Galois domain authentication tag generation unit is invoked to perform operations based on the encrypted ciphertext block sequence and associated data buffer. Multiplication and XOR operations are used to generate authentication tags. And obtain the complete encrypted payload data block. ; By using the SM4-GCM mode processing method, the digest calculation result of the previous step and the spatiotemporal anchoring key are transformed into encrypted payload data blocks and authentication tags that are simultaneously encrypted and authenticated, thereby achieving a unified data confidentiality protection and anti-counterfeiting capability. For example, in a dual-authentication scenario for home-based elderly care services, the SM4-GCM engine within the trusted execution environment uses a 256-bit spatiotemporal anchor key for invocation, and the initialization vector... It consists of the first 16 bytes of the SHA3-256 hash of the service session SID and the UNIX timestamp of the service start time, associated with the data buffer. This is a sequence of the device's unique fingerprint and coarse GPS coordinates. The SM4-GCM operating parameters are set to a block length of 128 bits and an initial counter value. The counter increment strategy is additive. Block encryption is performed on the original audit data packet (2048 bytes), resulting in ciphertext payload data blocks of the same length, and the authentication tag... The length is 16 bytes. Multiplication based on polynomials The authentication tag verification is completed in the cloud. Execution results show that under 500 concurrent terminals / second, the encryption processing latency remains within 220ms, and the authentication tag consistency verification is always correct, significantly improving the security and anti-counterfeiting capability of service verification data transmission. S6.4: Combine the encrypted payload data block with the encrypted authentication tag in binary format to construct a final audit atomic unit containing encrypted content and integrity verification information, so as to achieve the unity of confidentiality protection and anti-counterfeiting verification capabilities during data transmission. S6.5: The final audit atomic unit is sent to the cloud receiving interface of the data recording and auditing module through the secure communication channel of the trusted execution environment to complete the secure uploading and persistent storage of service verification data, which is then used by subsequent audit nodes for asymmetric signature verification and behavior integrity inversion.
[0017] Step S7: After the service ends, trigger the key slot erasure protocol to perform three overwrite operations on the memory areas containing the verification factor key, the behavior signature key, and the spatiotemporal anchoring key. Specifically, this includes: S7.1: Obtain the physical memory page address mapping table of the verification factor key, behavior signature key and spatiotemporal anchor key to be destroyed. Based on the memory management unit positioning mechanism of the trusted execution environment, convert the logical storage location of the above multi-dimensional fragmented key group into a specific hardware physical base address, and generate a key memory region descriptor containing the start address and length information to establish the precise scope of subsequent erasure operations. S7.2: Read the high-entropy random bit stream output by the hardware true random number generator as the source for generating the all-zero overlay mode, and use the direct memory access controller to perform the first all-zero filling write operation on the physical memory page pointed to by the key memory region descriptor, replacing all the binary bits of the originally stored verification factor key, behavior signature key and spatiotemporal anchor key with zero values, generating the first-level zero-clear memory data block to destroy the original magnetization or charge distribution characteristics of the key data; The high-entropy random bit stream output of the internal hardware true random number generator of the trusted execution environment is read, and an entropy extraction algorithm (parameters: sampling window length 256 bits, physical noise source is frequency drift oscillator) is used to convert the original physical noise signal into a uniformly distributed bit sequence. Furthermore, by using a bit mapping method (parameters: logical mapping table all-zero template, mapping mode is fixed 0 permutation), a high-entropy random bit stream and an all-zero covering mode generation source are synthesized to form a covering template data block and obtain a byte sequence that conforms to bus width alignment. Furthermore, by utilizing the Direct Memory Access Controller (DMA) (parameters: burst transfer mode = ON, transfer width = 64 bits), the overlay template data blocks are written in batches to the physical memory pages pointed to by the key memory region descriptor, and a first-level cleared state memory image is generated. Furthermore, a memory write verification algorithm (parameters: CRC32 check polynomial, verification range = length of the entire key memory area) is adopted to verify the results of the executed all-zero-filled write and generate an integrity verification record that has passed the verification. By using a high-entropy random bit stream-driven all-zero overwrite method, all binary bits of the verification factor key, behavioral signature key, and spatiotemporal anchoring key originally stored in the physical memory page of the previous step are replaced with zero values, generating a first-level zero-clear memory data block, thereby achieving the expected technical effect of destroying the original magnetization or charge distribution characteristics of the key data. For example, after home-based elderly care services are completed, the trusted execution environment uses a hardware true random number generator to collect the physical entropy source generated by a frequency-drift oscillator, and sets the sampling window length to [value missing]. The bits are used to obtain a statistically independent bitstream through an entropy extraction algorithm. This bitstream undergoes bit mapping processing, and an overlay template data block is directly constructed using a logical all-zero template. The DMA controller is then called to configure burst mode and set the transmission width to [value missing]. The bit will be used to continuously write the overwrite template to the physical memory address starting from the specified address. , length is The key storage page is filled with all zeros. After writing, a CRC32 check is performed to verify all data in the memory page and confirm that its output value matches the all-zero pattern, thus confirming that the first level of clearing is complete. In this scenario, clearing the memory data block completely eliminates the previous key bit pattern, effectively blocking the possibility of recovering the key through analysis of magnetization residue or charge distribution. S7.3: Call the system's underlying instruction set to generate an all-one inverted mask sequence. Based on the bus width alignment strategy, perform a second all-one fill write operation on the same physical memory page where the first-level zeroed memory data block is located. Invert all the zeroed memory cells to a high level state to generate a second-level inverted memory data block, so as to further obfuscate the residual charge traces and eliminate the hidden danger of incomplete writing caused by media aging. The system calls the underlying instruction set to generate a fully inverted mask sequence (parameters: logic high-level bit mode, mask width matching key memory page bus width), thereby constructing a bit pattern dataset that is completely inverted from the physical memory cell state; Furthermore, by using a bus width alignment strategy (parameters: bus width 64 bits, block write unit 256 bytes), the alignment write path of the all-one inversion mask in the physical memory page is optimized, and a continuous high-level bit region consistent with the address mapping of the original first-level zero-clear memory data block is obtained; Furthermore, through the direct memory access (DMA) controller's batch write mechanism (parameters: burst transfer mode, write priority set to the highest), the all-inverted mask sequence is written to the entire range of the physical memory page where the first-level zero-memory data block is located, and a bit-by-bit flipped binary state matrix is generated, in which each bit in the matrix flips from low level to high level; Furthermore, by verifying the bit flipping result using a verification algorithm (parameters: bitwise XOR check, cumulative sum check), the consistency between the flipped data matrix and the original zeroed data matrix is verified, and a successful flipping flag value is generated. By using the above-mentioned all-fill write and verification process, the first-level zeroed memory data block of the previous step is transformed into the second-level reversed memory data block, which further obfuscates the residual charge traces and eliminates the hidden danger of incomplete writing caused by media aging. For example, in the TEE of a home-based elderly care service terminal, the key memory page bus width is set to 64 bits, the block write unit is 256 bytes, and the structure mapping table indicates that the length of the area to be erased is 1024 bytes. When the system's underlying instruction set generates the all-one inverted mask sequence, it uses... Using the high-level bit mode as the basic unit, four blocks are written cyclically in the DMA controller's burst mode, covering the entire 1024-byte physical address range. The verification algorithm performs a bitwise XOR operation. For each 64-bit word, the XOR value of the original cleared data (all zeros) and the toggled data (all ones) is output as follows: The cumulative sum verification result equals The flip was verified to be correct. The results showed that the memory charge distribution after the flip was completely different from the previous zeroed state, the signal residual path was significantly obscured, and the difficulty of physical layer side-channel analysis was significantly increased. S7.4: Collect the pseudo-random noise sequence generated by the hardware true random number generator again as a dynamic interference factor, and perform a third random value filling write operation on the physical memory page where the second-level inverted memory data block is located. Write the memory unit into an irregular random bit combination to generate a third-level randomized memory data block, so as to completely cut off any potential side channel analysis path and ensure the irrecoverability of key information at the physical level. S7.5: Monitor the write completion interrupt signal of the third-level randomized memory data block, and based on the security status register update mechanism of the trusted execution environment, force the life cycle status flag of the corresponding key slot to be destroyed and invalid, and generate a key destruction completion confirmation certificate to notify the upper-layer audit module that the current verification factor key, behavior signature key and spatiotemporal anchor key have been physically-level securely erased and any subsequent access requests are prohibited.
[0018] Step S8: Invoke the access control mechanism of the trusted execution environment to perform access permission locking operations on the erased memory region, and inject a key destruction declaration into the system log. Specifically, this includes: S8.1: Obtain the physical address index of the key slot after three overwrite operations and the current trusted execution environment running status identifier. Based on the trust zone access security controller configuration register under the ARM TrustZone architecture, perform access permission attribute remapping processing on the physical address index of the key slot, forcibly modify the original read, write and execute permissions to the no access permission state, so as to generate a protected memory region descriptor in a hardware-level locked state. S8.2: Receive the protected memory region descriptor in the hardware-level locked state and the unique identifier of this service session, obtain the accurate destruction timestamp using the secure clock source integrated within the trusted execution environment, and combine it with the hardware unique certificate chain fingerprint data generated in the previous steps to perform multi-source heterogeneous data aggregation and encapsulation operations to construct the original destruction evidence meta data packet containing spatiotemporal constraint information and hardware trust root binding. S8.3: Extract the trusted execution environment running status hash value and service session unique identifier from the original destruction evidence metadata data packet, and use the national cryptographic SM3 hash algorithm to perform integrity check code calculation processing on the original destruction evidence metadata data packet to generate a destruction event digital digest for anti-tampering verification, so as to ensure the non-forgeability of subsequent log recording content; S8.4: Integrate the digital digest of the destruction event, the precise destruction timestamp, and the hardware unique certificate chain fingerprint data, and perform standardized log entry serialization encoding operation according to the predefined audit log structured protocol template to generate a key destruction declaration message that conforms to the data security audit specifications. This message clearly records the legal and technical facts of the key's lifecycle termination. S8.5: Load the key destruction declaration message into the secure output buffer of the trusted execution environment, call the secure log injection interface provided by the operating system kernel, asynchronously write the key destruction declaration message into the system persistent audit log storage area, and complete the final release confirmation of the protected memory area descriptor, so as to realize closed-loop traceability and traceable archiving of the entire key destruction process.
[0019] This invention also provides a home-based elderly care service authenticity assurance system based on full-process dual verification, which uses the above-mentioned home-based elderly care service authenticity assurance method based on full-process dual verification to carry out the security management of the entire home-based elderly care service process.
[0020] The technical solution of the present invention has been described above with reference to the preferred embodiments shown in the accompanying drawings. However, it will be readily understood by those skilled in the art that the scope of protection of the present invention is obviously not limited to these specific embodiments. Without departing from the principles of the present invention, those skilled in the art can make equivalent changes or substitutions to the relevant technical features, and the technical solutions after these changes or substitutions will all fall within the scope of protection of the present invention.
[0021] The above description is merely a preferred embodiment of the present invention and is not intended to limit the invention. Various modifications and variations can be made to the present invention by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and rules of the present invention should be included within the scope of protection of the present invention.
Claims
1. A method for ensuring the authenticity of home-based elderly care services based on full-process dual verification, characterized in that: Includes the following steps: S1: Receive service context parameters, which are derived from the service request and authentication process; S2: Perform a SHA3-256 hash operation on the service context parameter and XOR it with the output of the hardware true random number generator to generate a dynamic key seed; S3: The dynamic key seed is processed using the Shamir threshold key sharding algorithm to generate a multi-dimensional sharded key group in real time within a trusted execution environment. The multi-dimensional sharded key group includes a verification factor key, an action signature key, and a spatiotemporal anchoring key. S4: When the nursing staff completes the face liveness detection and voice command confirmation actions, a joint signature operation is performed on the liveness frame hash value and the voiceprint feature vector based on the verification factor key to generate a verification credential. S5: Continuously collect accelerometer and gyroscope time-series data streams, extract gait rhythm features, use the behavior signature key to generate a behavior watermark, and embed the behavior watermark into the header of the service log metadata data packet; S6: Package the verification credential, the behavior watermark, the service start time, and the GPS coarse positioning coordinates into an audit atomic unit, and upload it to the data recording and auditing process after encryption processing by the national cryptographic standard SM4-GCM in the trusted execution environment; S7: After the service ends, trigger the key slot erasure protocol to perform three overwrite operations on the memory areas where the verification factor key, the behavior signature key, and the spatiotemporal anchoring key are located.
2. The method for ensuring the authenticity of home-based elderly care services based on full-process dual verification as described in claim 1, characterized in that, The process following step S7 also includes: S8: Invoke the access control mechanism of the trusted execution environment, perform access permission locking operations on the erased memory region, and inject a key destruction declaration into the system log.
3. The method for ensuring the authenticity of home-based elderly care services based on full-process dual verification as described in claim 1, characterized in that, The service context parameters include the service session identifier, the caregiver's biometric hash value, the elderly person being cared for's unique fingerprint on the device, the service start time, and the GPS coarse positioning coordinates.
4. The method for ensuring the authenticity of home-based elderly care services based on full-process dual verification as described in claim 1, characterized in that, Step S3 specifically includes: The dynamic key seed generated in step S2 and the preset threshold cryptography protocol parameters are obtained. The Shamir threshold key sharding algorithm performs polynomial interpolation on the dynamic key seed to generate an initial sharding key set containing three independent logical shards. Upon receiving the initial fragmented key set, based on the functional requirements of the dual-authentication business scenario for home care services, semantic mapping and role allocation processing are performed on the initial fragmented key set to define the verification factor key, behavior signature key, and spatiotemporal anchoring key respectively. Obtain the verification factor key, the behavior signature key, and the spatiotemporal anchoring key. Based on the business operation time consumption characteristics and security window requirements corresponding to each key, configure a short-term timer for the verification factor key, a medium-term timer for the behavior signature key, and a long-term timer that strictly matches the service period for the spatiotemporal anchoring key, and generate a controlled sharding key object. Receive the controlled fragment key object, call the hardware-level key isolation zone interface inside the trusted execution environment, and write the verification factor key, the behavior signature key and the spatiotemporal anchoring key into the mutually physically isolated dedicated key slots respectively; Monitor the status of the instantiated and deployed multi-dimensional shard key group, and perform real-time polling based on the lifetime timer value bound to each key slot. When the remaining validity period of any shard key is detected to be lower than the preset threshold or to zero, the memory overwrite and destruction instruction of the corresponding shard key is automatically triggered.
5. The method for ensuring the authenticity of home-based elderly care services based on full-process dual verification as described in claim 4, characterized in that, The initial set of shard keys contains three independent logical shards, any two of which can reconstruct the original seed while a single shard cannot reveal any information.
6. The method for ensuring the authenticity of home-based elderly care services based on full-process dual verification as described in claim 4, characterized in that, Step S3 further includes: setting the lifetime of the verification factor key to 90 seconds, the lifetime of the behavior signature key to 180 seconds, the lifetime of the spatiotemporal anchor key to strictly match the service period, automatically destroying the timer when the remaining validity period is lower than the preset threshold, the destruction coverage number is 3 times, and the destruction operation adopts the mode of all zeros → all one → true random value.
7. The method for ensuring the authenticity of home-based elderly care services based on full-process dual verification as described in claim 1, characterized in that, Step S4 specifically includes: The system acquires a real-time video stream frame sequence captured by a camera and a voice command audio stream recorded by a microphone. It extracts facial geometric feature vectors based on the real-time video stream frame sequence and obtains a voiceprint spectral feature matrix based on the voice command audio stream to form a raw biometric dataset to be signed. Based on the original biometric dataset, normalized hash mapping is performed on the facial geometric feature vector to generate a liveness frame summary value; and vector quantization encoding is performed on the voiceprint spectral feature matrix to generate a speech voiceprint feature vector, thus constructing a multimodal biometric fusion index. The verification factor key, which is in a valid lifetime within the trusted execution environment, is invoked to perform a cryptographic signature operation on the multimodal biometric fusion index, generating an initial signature ciphertext block with a timestamp binding. The initial signature ciphertext block is subjected to integrity check code appending processing, and the service session identifier and the device unique fingerprint are mixed as salt values into the verification calculation process to generate a composite signature data packet; Based on the composite signature data packet, structured encapsulation processing is performed, and the signature data, liveness detection result flag, and voice command matching score are integrated and output according to the preset audit atomic unit protocol format to generate a standardized verification credential.
8. The method for ensuring the authenticity of home-based elderly care services based on full-process dual verification as described in claim 1, characterized in that, Step S5 specifically includes: The raw time-series data streams output by the accelerometer and gyroscope are acquired, and sliding window filtering and gravity component separation are performed on the raw time-series data streams to output a pure triaxial linear acceleration vector sequence and angular velocity vector sequence. Based on the pure triaxial linear acceleration vector sequence and angular velocity vector sequence, key event points of heel strike and toe lift in the gait cycle are identified, and gait rhythm feature vectors are calculated. Using the behavior signature key generated in step S3 as an encryption seed, hash mapping and bit confusion operations are performed on the gait rhythm feature vector to generate a behavior watermark binary code stream. The header structure of the service log metadata data packet to be uploaded is read, and the behavior watermark binary code stream is embedded into the reserved verification field in the header of the service log metadata data packet using bit stuffing technology to form an enhanced service log metadata data packet.
9. The method for ensuring the authenticity of home-based elderly care services based on full-process dual verification as described in claim 2, characterized in that, Step S8 further includes: after performing three overwrite operations, remapping the access permissions of the erased area using the ARMTrustZone hardware security controller, forcibly locking the read and write permissions to an inaccessible state, generating a key destruction declaration message containing a digital digest of the destruction event, a timestamp, and a certificate chain fingerprint, and injecting it into the security log.
10. A home-based elderly care service authenticity assurance system based on end-to-end dual verification, characterized in that: The method for ensuring the authenticity of home-based elderly care services based on full-process dual verification, as described in any one of claims 1-9, is used for the safety management of the entire process of home-based elderly care services.