Verification-based service authorization

US10892900B2 · US · B2

Patent metadata
Field: Value
Publication number: US-10892900-B2
Application number: US-202016805316-A
Country: US
Kind code: B2
Filing date: Feb 28, 2020
Priority date: Nov 16, 2017
Publication date: Jan 12, 2021
Grant date: Jan 12, 2021

Abstract

Official abstract text for this publication.

The present specification discloses a service authorization method, apparatus and device. In one aspect, the method includes: obtaining, by a first execution unit that runs in a first security environment, information to be verified; generating, by the first execution unit that runs in the first security environment, a verification result of the information to be verified; signing, by the first execution unit that runs in the first security environment, the verification result using a signature verification private key to provide signature information; obtaining, by a second execution unit that runs in a second security environment, the signature information from the first execution unit; verifying, by the second execution unit that runs in the second security environment, the signature information using a signature verification public key corresponding to the signature verification private key; and in response to verifying the signature information, performing service authorization based on the verification result.

First claim

Opening claim text (preview).

What is claimed is:

1. A service authorization method, comprising: obtaining, by a first execution unit and through a service application, information to be verified, wherein the first execution unit and the service application are running in a first security environment; generating, by the first execution unit, a verification result of the information to be verified; obtaining, by the first execution unit and through the service application, a dynamic parameter; signing, by the first execution unit, the verification result and the dynamic parameter using a signature verification private key to generate signature information; obtaining, by a second execution unit and through the service application, the signature information, wherein the second execution unit is running in a second security environment that is different from the first security environment; verifying, by the second execution unit that runs in the second security environment, the signature information using a signature verification public key corresponding to the signature verification private key; verifying, by the second execution unit that runs in the second security environment, the dynamic parameter, wherein the dynamic parameter is associated with a validity time, and wherein verifying the dynamic parameter comprises comparing, within the validity time, the dynamic parameter to a pre-stored copy of the dynamic parameter; and in response to verifying the signature information and the dynamic parameter, performing service authorization based on the verification result.

2. The method according to claim 1, wherein the first security environment comprises a trusted execution environment (TEE), and the second security environment comprises an execution environment provided by a secure element (SE).

3. The method according to claim 1, wherein the information to be verified comprises biometric feature information to be verified.

4. The method according to claim 1, wherein: the dynamic parameter is generated by the second execution unit and comprises at least one of a random number or time information.

5. The method according to claim 1, further comprising, prior to signing the verification result to provide the signature information, obtaining, by the first execution unit, the signature verification private key from a first management server corresponding to the first execution unit.

6. The method according to claim 5, further comprising, prior to receiving the signature information: receiving, by the first execution unit, a public key certificate of the signature verification public key from the first management server, wherein the public key certificate is obtained by the first management server from a certificate authority (CA) after the CA verifies the signature verification public key based on a stored CA private key.

7. The method according to claim 6, wherein receiving the signature information further comprises: obtaining, by the second execution unit, the public key certificate; verifying, by the second execution unit, the public key certificate using a CA public key obtained from the CA; and in response to verifying the public key certificate, verifying, by the second execution unit, the signature information by parsing the public key certificate.

8. The method according to claim 1, further comprising: prior to verifying the signature the signature information using the signature verification public key corresponding to the signature verification private key: obtaining, by the second execution unit that runs in the second security environment, a CA public key from a certificate authority (CA) by using a second management server corresponding to the second execution unit.

9. The method according to claim 8, wherein: verifying the signature information using the signature verification public key corresponding to the signature verification private key comprises: verifying, using the CA public key, a public key certificate sent from a service application, wherein the public key certificate is obtained after the CA verifies the signature verification public key based on a CA private key corresponding to the CA public key, wherein the public key certificate is obtained by the service application from the first execution unit, and wherein the public key certificate is obtained by the first execution unit from the CA by using a first management server corresponding to the first execution unit; and verifying, in response to determining that verification on the public key certificate succeeds, the signature information using the signature verification public key obtained by parsing the public key certificate; and performing service authorization based on the verification result comprises: performing, in response to determining that verification on the signature information succeeds, service verification based on the verification result obtained by parsing the signature information.

10. The method according to claim 8, wherein: verifying the signature information using the signature verification public key corresponding to the signature verification private key comprises: verifying the public key certificate using the CA public key; verifying, in response to determining that verification on the public key certificate succeeds, the signature information using the signature verification public key obtained by parsing the public key certificate; and verifying, in response to determining that the verification on the signature information succeeds, the dynamic parameter obtained by parsing the signature information; and performing service authorization based on the verification result comprises: performing, in response to determining that the verification on the dynamic parameter succeeds, service authorization based on the verification result obtained by parsing the signature information.

11. A non-transitory, computer-readable medium storing one or more instructions executable by a computer system to perform operations comprising: obtaining, by a first execution unit and through a service application, information to be verified, wherein the first execution unit and the service application are running in a first security environment; generating, by the first execution unit, a verification result of the information to be verified; obtaining, by the first execution unit and through the service application, a dynamic parameter; signing, by the first execution unit, the verification result and the dynamic parameter using a signature verification private key to provide generate signature information; obtaining, by a second execution unit and through the service application, the signature information, wherein the second execution unit is running in a second security environment that is different from the first security environment; verifying, by the second execution unit that runs in the second security environment, the signature information using a signature verification public key corresponding to the signature verification private key; verifying, by the second execution unit that runs in the second security environment, the dynamic parameter, wherein the dynamic parameter is associated with a validity time, and wherein verifying the dynamic parameter comprises comparing, within the validity time, the dynamic parameter to a pre-stored copy of the dynamic parameter; and in response to verifying the signature information and the dynamic parameter, performing service authorization based on the verification result.

12. The non-transitory, computer-readable medium according to claim 11, wherein the first security environment comprises a trusted execution environment (TEE),
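The exchange in claim 1, sketched as an added example that is not code from the patent or its assignee: the second execution unit issues a dynamic parameter with a validity time, the first execution unit signs the verification result together with it, and the second unit checks signature, then parameter, then result. Ed25519, the one-byte result encoding, the single-use rule, all type and function names, and handing the public key to the second unit directly (instead of through the CA certificate of claims 6 to 10) are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
	"time"
)

// SecureElement stands in for the second execution unit (hypothetical type).
type SecureElement struct {
	Pub     ed25519.PublicKey
	nonce   []byte // pre-stored copy of the dynamic parameter
	expires time.Time
}

// IssueNonce stores the dynamic parameter together with its validity time.
func (se *SecureElement) IssueNonce(n []byte, now time.Time, ttl time.Duration) []byte {
	se.nonce, se.expires = append([]byte(nil), n...), now.Add(ttl)
	return n
}

// TEESign stands in for the first execution unit. Assumed encoding:
// one result byte (1 = match) followed by the dynamic parameter.
func TEESign(priv ed25519.PrivateKey, result byte, nonce []byte) (msg, sig []byte) {
	msg = append([]byte{result}, nonce...)
	return msg, ed25519.Sign(priv, msg)
}

// Authorize checks the signature, then the dynamic parameter, then the result.
func (se *SecureElement) Authorize(msg, sig []byte, now time.Time) error {
	if len(msg) < 1 || !ed25519.Verify(se.Pub, msg, sig) {
		return errors.New("signature verification failed")
	}
	if se.nonce == nil || now.After(se.expires) || !bytes.Equal(msg[1:], se.nonce) {
		return errors.New("dynamic parameter expired or unknown")
	}
	se.nonce = nil // assumption: a parameter is accepted once, so a replay fails
	if msg[0] != 1 {
		return errors.New("verification result is negative")
	}
	return nil
}

func main() {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{7}, 32)) // constructed test key
	se := &SecureElement{Pub: priv.Public().(ed25519.PublicKey)}
	t0 := time.Unix(1700000000, 0)
	msg, sig := TEESign(priv, 1, se.IssueNonce([]byte("constructed-nonce"), t0, 30*time.Second))
	fmt.Println(se.Authorize(msg, sig, t0.Add(5*time.Second)), se.Authorize(msg, sig, t0.Add(6*time.Second)))
}
```

Because the result byte is inside the signed message, the service application that relays it between the two environments cannot change a negative result to a positive one without invalidating the signature.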

Classifications

  • Applying verification of the received information (cryptographic mechanisms or cryptographic arrangements for data integrity or data verification H04L9/32) · CPC title

  • by using authentication-authorization-accounting [AAA] servers or protocols · CPC title

  • using biometrical features, e.g. fingerprint, retina-scan (cryptographic mechanisms or cryptographic arrangements for entity authentication using biological data H04L9/3231) · CPC title

  • H04L63/083 · Primary

    using passwords (cryptographic mechanisms or cryptographic arrangements for entity authentication using a predetermined code H04L9/3226) · CPC title

  • involving digital signatures · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Advanced New Technologies Co Ltd
What technology area does this patent fall under?
Primary CPC classification H04L63/083. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jan 12, 2021 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 5 related publications on this page (citations in our corpus or others sharing the same primary CPC).