Data circulation method, system, service platform and first terminal device

Document No.: 1775123 Publication date: 2019-12-03

Reading notes: This technology, "Data circulation method, system, service platform and first terminal device", was designed by 尹浩, 邢炬 and 查聪 on 2019-04-15. Main content: This application discloses a data circulation method, system, service platform and first terminal device. During data circulation, the method authenticates the identity of the terminal device user based on the user's biometric information and a digital signature over that biometric information. Because the user's biometric information and the digital signature over it are used to authenticate the terminal device user, the application on the one hand achieves identity authentication of the terminal device user as an entity, and on the other hand effectively avoids problems such as misuse of user identity information, providing better support for data permission management and trusted transmission in data circulation.

1. A data circulation method, characterized in that it is applied to a service platform, the method comprising:

obtaining authentication information of a terminal device user, the authentication information including the user's biometric information and signature information obtained by signing the biometric information with the private key of the terminal device;

obtaining a pre-stored public key that matches the private key of the terminal device;

authenticating the identity of the terminal device user based on the public key and the authentication information including the user's biometric information and the signature information, to obtain an authentication result;

where the authentication result indicates that the terminal device user has passed identity authentication, performing a data circulation operation with the terminal device.

2. The method according to claim 1, characterized in that, before obtaining the authentication information of the terminal device user, the method further comprises:

based on the identity registration of the terminal device user with the service platform, storing the correspondence between user biometric information and user identity information, and the correspondence between user identity information and the public key of the device;

and obtaining the pre-stored public key that matches the private key of the terminal device comprises:

based on the pre-stored correspondence between user biometric information and user identity information and the pre-stored correspondence between user identity information and device public key, using the biometric information included in the authentication information to obtain the public key of the terminal device.

3. The method according to claim 1, characterized in that authenticating the identity of the terminal device user based on the public key and the authentication information including the user's biometric information and the signature information, to obtain an authentication result, comprises:

verifying the signature information in the authentication information using the obtained public key;

if signature verification succeeds, the terminal device user passes identity authentication;

if signature verification fails, the terminal device user does not pass identity authentication.

4. The method according to claim 1, characterized in that performing the data circulation operation with the terminal device comprises:

signing first data with the private key of the service platform to obtain signature information of the first data;

transmitting the first data and the signature information of the first data to the terminal device, so that the terminal device verifies the signature information of the first data with the public key of the service platform and determines, based on the verification result, whether the first data is trusted;

or,

receiving second data and signature information of the second data transmitted by the terminal device, the signature information of the second data being obtained by signing the second data with the private key of the terminal device;

verifying the signature information of the second data with the public key of the terminal device, and determining, based on the verification result, whether the second data is trusted.

5. The method according to claim 1, characterized in that:

where the data involves the sovereignty and interests of only a single terminal device, the private key of the terminal device is: the private key of the public/private key pair generated by that single terminal device when registering its identity with the service platform;

where the data involves the sovereignty and interests of multiple terminal devices, the private key of the terminal device is: the private key synthesized from the private key block held by the first terminal device itself and private key blocks, meeting a quantity requirement, collected from at least some of N second terminal devices;

wherein the first terminal device is the data-requesting device among the multiple terminal devices, the N second terminal devices are the devices among the multiple terminal devices other than the first terminal device, and N is a natural number not less than 1; each of the multiple terminal devices holds one private key block, and the private key block held by each terminal device is a key block obtained by a device among the multiple terminal devices, when multi-party authorization of data is needed, through negotiation among the multiple terminal devices and key splitting.

6. The method according to any one of claims 1-5, characterized by further comprising:

performing anomaly auditing on the authenticity of the terminal device user, and executing corresponding handling when an anomaly occurs.

7. A data circulation method, characterized in that it is applied to a first terminal device, the method comprising:

capturing the user's biometric information;

signing the biometric information with the private key of the first terminal device to obtain signature information;

transmitting the biometric information and the signature information to a service platform as the user's authentication information, so that the service platform authenticates the identity of the user of the first terminal device based on the authentication information and a pre-stored public key that matches the private key of the first terminal device;

where the authentication result of the service platform indicates that the user of the first terminal device has passed identity authentication, performing a data circulation operation with the service platform.

8. The method according to claim 7, characterized in that performing the data circulation operation with the service platform comprises:

receiving first data and signature information of the first data transmitted by the service platform, and verifying the signature information of the first data with the public key of the service platform, so as to determine, based on the verification result, whether the first data is trusted;

or,

transmitting second data and signature information of the second data to the service platform, so that the service platform verifies the signature information of the second data with the public key that matches the private key of the first terminal device and determines, based on the verification result, whether the second data is trusted.

9. The method according to claim 7, characterized in that, before capturing the user's biometric information, the method further comprises:

registering the user's identity with the service platform, so that the service platform, based on the user's identity registration, stores the correspondence between user biometric information and user identity information and the correspondence between user identity information and public key.

10. The method according to claim 7, characterized in that:

where the data involves the sovereignty and interests of only a single terminal device, the private key of the first terminal device is: the private key of the public/private key pair generated by that single terminal device when registering its identity with the service platform;

where the data involves the sovereignty and interests of multiple terminal devices, the private key of the first terminal device is: the private key synthesized from the private key block held by the first terminal device itself and private key blocks, meeting a quantity requirement, collected from at least some of N second terminal devices;

wherein the first terminal device is the data-requesting device among the multiple terminal devices, the N second terminal devices are the devices among the multiple terminal devices other than the first terminal device, and N is a natural number not less than 1; each of the multiple terminal devices holds one private key block, and the private key block held by each terminal device is a key block obtained by a device among the multiple terminal devices, when multi-party authorization of data is needed, through negotiation among the multiple terminal devices and key splitting.

11. A service platform, characterized by comprising:

a first acquisition unit, configured to obtain authentication information of a terminal device user, the authentication information including the user's biometric information and signature information obtained by signing the biometric information with the private key of the terminal device;

a second acquisition unit, configured to obtain a pre-stored public key that matches the private key of the terminal device;

an identity authentication unit, configured to authenticate the identity of the terminal device user based on the public key and the authentication information including the user's biometric information and the signature information, to obtain an authentication result;

a first circulation processing unit, configured to perform a data circulation operation with the terminal device where the authentication result indicates that the terminal device user has passed identity authentication.

12. A first terminal device, characterized by comprising:

a capture unit, configured to capture the user's biometric information;

a signature unit, configured to sign the biometric information with the private key of the first terminal device to obtain signature information;

a transmission unit, configured to transmit the biometric information and the signature information to a service platform as the user's authentication information, so that the service platform authenticates the identity of the user of the first terminal device based on the authentication information and a pre-stored public key that matches the private key of the first terminal device;

a second circulation processing unit, configured to perform a data circulation operation with the service platform where the authentication result of the service platform indicates that the user of the first terminal device has passed identity authentication.

13. A data circulation system, characterized by comprising: the service platform according to claim 11, and at least one first terminal device according to claim 12.

Technical field

This application belongs to the technical field of data circulation and permission management, and in particular relates to a data circulation method, system, service platform and first terminal device.

Background

With the arrival of the big data era, data circulation has become increasingly important; the opening and circulation of data have become an important driving force for industry development.

From data production, through computing and mining of the data, to generating value for the corresponding industry, the entire chain often involves multiple parties, and data accordingly needs to be transmitted among them. During data transmission in an untrusted network environment, establishing the true identity of each party is very important and is a prerequisite for data permission management and trusted transmission. Data transmission between an application on a user terminal (such as a mobile device) and an application service platform is a typical data circulation scenario; to achieve data permission management and trusted transmission in this scenario, identity authentication of the terminal-side user is inevitably involved.

User identity management and authentication in existing terminal applications are generally based on a user name (user account) and password, which cannot authenticate the terminal-side user as an entity. The risk of the user name and password being leaked or stolen is also correspondingly high, which adversely affects data permission management and trusted transmission in data circulation.

Summary of the invention

In view of this, the purpose of this application is to provide a data circulation method, system, service platform and first terminal device, aiming to overcome the problem that the prior art cannot authenticate the terminal-side user as an entity in data circulation, and thereby better support data permission management and trusted transmission in data circulation.

To this end, the present invention discloses the following technical solutions:

A data circulation method, applied to a service platform, the method comprising:

obtaining authentication information of a terminal device user, the authentication information including the user's biometric information and signature information obtained by signing the biometric information with the private key of the terminal device;

obtaining a pre-stored public key that matches the private key of the terminal device;

authenticating the identity of the terminal device user based on the public key and the authentication information including the user's biometric information and the signature information, to obtain an authentication result;

where the authentication result indicates that the terminal device user has passed identity authentication, performing a data circulation operation with the terminal device.

Preferably, in the above method, before obtaining the authentication information of the terminal device user, the method further comprises:

based on the identity registration of the terminal device user with the service platform, storing the correspondence between user biometric information and user identity information, and the correspondence between user identity information and the public key of the device;

and obtaining the pre-stored public key that matches the private key of the terminal device comprises:

based on the pre-stored correspondence between user biometric information and user identity information and the pre-stored correspondence between user identity information and device public key, using the biometric information included in the authentication information to obtain the public key of the terminal device.

Preferably, in the above method, authenticating the identity of the terminal device user based on the public key and the authentication information including the user's biometric information and the signature information, to obtain an authentication result, comprises:

verifying the signature information in the authentication information using the obtained public key;

if signature verification succeeds, the terminal device user passes identity authentication;

if signature verification fails, the terminal device user does not pass identity authentication.

Preferably, in the above method, performing the data circulation operation with the terminal device comprises:

signing first data with the private key of the service platform to obtain signature information of the first data;

transmitting the first data and the signature information of the first data to the terminal device, so that the terminal device verifies the signature information of the first data with the public key of the service platform and determines, based on the verification result, whether the first data is trusted;

or,

receiving second data and signature information of the second data transmitted by the terminal device, the signature information of the second data being obtained by signing the second data with the private key of the terminal device;

verifying the signature information of the second data with the public key of the terminal device, and determining, based on the verification result, whether the second data is trusted.

Preferably, in the above method:

where the data involves the sovereignty and interests of only a single terminal device, the private key of the terminal device is: the private key of the public/private key pair generated by that single terminal device when registering its identity with the service platform;

where the data involves the sovereignty and interests of multiple terminal devices, the private key of the terminal device is: the private key synthesized from the private key block held by the first terminal device itself and private key blocks, meeting a quantity requirement, collected from at least some of N second terminal devices;

wherein the first terminal device is the data-requesting device among the multiple terminal devices, the N second terminal devices are the devices among the multiple terminal devices other than the first terminal device, and N is a natural number not less than 1; each of the multiple terminal devices holds one private key block, and the private key block held by each terminal device is a key block obtained by a device among the multiple terminal devices, when multi-party authorization of data is needed, through negotiation among the multiple terminal devices and key splitting.

Preferably, the above method further comprises:

performing anomaly auditing on the authenticity of the terminal device user, and executing corresponding handling when an anomaly occurs.

A data circulation method, applied to a first terminal device, the method comprising:

capturing the user's biometric information;

signing the biometric information with the private key of the first terminal device to obtain signature information;

transmitting the biometric information and the signature information to a service platform as the user's authentication information, so that the service platform authenticates the identity of the user of the first terminal device based on the authentication information and a pre-stored public key that matches the private key of the first terminal device;

where the authentication result of the service platform indicates that the user of the first terminal device has passed identity authentication, performing a data circulation operation with the service platform.

Preferably, in the above method, performing the data circulation operation with the service platform comprises:

receiving first data and signature information of the first data transmitted by the service platform, and verifying the signature information of the first data with the public key of the service platform, so as to determine, based on the verification result, whether the first data is trusted;

or,

transmitting second data and signature information of the second data to the service platform, so that the service platform verifies the signature information of the second data with the public key that matches the private key of the first terminal device and determines, based on the verification result, whether the second data is trusted.

Preferably, in the above method, before capturing the user's biometric information, the method further comprises:

registering the user's identity with the service platform, so that the service platform, based on the user's identity registration, stores the correspondence between user biometric information and user identity information and the correspondence between user identity information and public key.

Preferably, in the above method:

where the data involves the sovereignty and interests of only a single terminal device, the private key of the first terminal device is: the private key of the public/private key pair generated by that single terminal device when registering its identity with the service platform;

where the data involves the sovereignty and interests of multiple terminal devices, the private key of the first terminal device is: the private key synthesized from the private key block held by the first terminal device itself and private key blocks, meeting a quantity requirement, collected from at least some of N second terminal devices;

wherein the first terminal device is the data-requesting device among the multiple terminal devices, the N second terminal devices are the devices among the multiple terminal devices other than the first terminal device, and N is a natural number not less than 1; each of the multiple terminal devices holds one private key block, and the private key block held by each terminal device is a key block obtained by a device among the multiple terminal devices, when multi-party authorization of data is needed, through negotiation among the multiple terminal devices and key splitting.

A service platform, comprising:

a first acquisition unit, configured to obtain authentication information of a terminal device user, the authentication information including the user's biometric information and signature information obtained by signing the biometric information with the private key of the terminal device;

a second acquisition unit, configured to obtain a pre-stored public key that matches the private key of the terminal device;

an identity authentication unit, configured to authenticate the identity of the terminal device user based on the public key and the authentication information including the user's biometric information and the signature information, to obtain an authentication result;

a first circulation processing unit, configured to perform a data circulation operation with the terminal device where the authentication result indicates that the terminal device user has passed identity authentication.

A first terminal device, comprising:

a capture unit, configured to capture the user's biometric information;

a signature unit, configured to sign the biometric information with the private key of the first terminal device to obtain signature information;

a transmission unit, configured to transmit the biometric information and the signature information to a service platform as the user's authentication information, so that the service platform authenticates the identity of the user of the first terminal device based on the authentication information and a pre-stored public key that matches the private key of the first terminal device;

a second circulation processing unit, configured to perform a data circulation operation with the service platform where the authentication result of the service platform indicates that the user of the first terminal device has passed identity authentication.

A data circulation system, comprising the service platform described above and at least one first terminal device described above.

As can be seen from the above solution, the data circulation method provided by this application authenticates the identity of the terminal device user during data circulation based on the user's biometric information and a digital signature over that biometric information. Because the user's biometric information and the digital signature over it are used to authenticate the terminal device user, the application on the one hand achieves identity authentication of the terminal device user as an entity, and on the other hand effectively avoids problems such as misuse of user identity information, providing better support for data permission management and trusted transmission in data circulation.

Description of the drawings

In order to explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from the provided drawings without creative effort.

Fig. 1 and Fig. 2 are flow charts of the data circulation method applied to a service platform provided by embodiments of this application;

Fig. 3 is a flow chart of the data circulation method applied to a first terminal device provided by an embodiment of this application;

Fig. 4 is a structural schematic diagram of a service platform provided by an embodiment of this application;

Fig. 5 is another structural schematic diagram of a service platform provided by an embodiment of this application;

Fig. 6 is a further structural schematic diagram of a service platform provided by an embodiment of this application;

Fig. 7 and Fig. 8 are structural schematic diagrams of a first terminal device provided by embodiments of this application;

Fig. 9 is a schematic diagram of the trusted data circulation mechanism for mobile device applications provided by an embodiment of this application.

Detailed description of the embodiments

The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.

In order to overcome the problem that the existing authentication mode based on user name and password cannot authenticate the terminal-side user as an entity in data circulation, and to better support data permission management and trusted transmission in data circulation, this application provides a data circulation method, system, service platform and first terminal device, which are described in detail below through multiple embodiments.

An embodiment of this application first discloses a data circulation method applied to a service platform. The service platform may be a service platform deployed on one or more cloud/network-side servers to provide data services; specifically, for example, it may be an application service platform deployed on one or more cloud/network-side servers that provides data services for applications on terminal devices.

Referring to the flow chart of the data circulation method shown in Fig. 1, the data circulation method applied to the service platform may include the following steps:

Step 101: obtain authentication information of the terminal device user, the authentication information including the user's biometric information and signature information obtained by signing the biometric information with the private key of the terminal device.

The terminal device may be, but is not limited to, a mobile device, a computer or similar equipment. The embodiments of this application take data circulation between a mobile device application and an application service platform as an example to illustrate the solution.

Authentication of user identity presupposes identity registration. On this basis, in practice a registration request can be initiated in advance from the user's mobile device application to the application service platform, and the user's personal biometric information such as fingerprint, photo and/or iris is provided to the application service platform. After obtaining the user's biometric information, the application service platform connects to an existing identity verification platform (government agency, financial institution, etc.) and, based on the fingerprint, photo and/or iris information provided by the user, has that platform verify the user's identity. After verification is complete, the mobile device application generates a public/private key pair locally and uploads the public key, which represents the identity, to the application service platform over a secure connection. The application service platform binds the user's biometric information to the user identity information, binds the user identity information to the public key of the device, and stores the correspondence between user biometric information and user identity information and the correspondence between user identity information and public key.

The user's identity information may be information such as the user name or user ID card number that the application service platform retrieves from the identity verification platform, or it may be information that the application service platform assigns to the user at identity registration and that can identify the user, such as a user number.

Once the mobile device user has registered their identity with the application service platform, when data needs to circulate between the mobile device application and the application service platform, the application service platform must first authenticate the mobile device user and accordingly must first obtain the mobile device user's authentication information. This authentication information includes the user's biometric information and signature information obtained by signing the biometric information with the private key of the mobile device. The biometric information is personal biometric information such as fingerprint, photo and/or iris that the user's mobile device application captures on the spot when user identity authentication is required; the type of biometric information captured should be consistent with the type registered with the application service platform. The signature information is obtained by the mobile device hashing the captured biometric information using the hash method agreed in advance with the application service platform, and then encrypting the resulting hash value with the private key of the mobile device.

In practice, as one possible implementation, the biometric information in the authentication information may be captured by the mobile device when the user triggers a login request in the mobile device application and the application responds by displaying a biometric capture interface. As another possible implementation, the biometric information in the authentication information may be captured by the mobile device when the user triggers a data circulation instruction in the mobile device application (such as an instruction to upload or download data) and the application responds by displaying a biometric capture interface (that is, identity authentication is performed first when the data circulation instruction is triggered, and the download, upload or other operation is executed only after authentication succeeds).

Step 102: obtain the pre-stored public key that matches the private key of the terminal device.

Specifically, after obtaining the authentication information, the application service platform can use the biological information in it to query the pre-stored correspondence between user biological information and user identity information and the pre-stored correspondence between user identity information and device public key, and thereby obtain the public key that matches the private key of the mobile device.

Step 103: authenticate the terminal device user based on the public key and the authentication information, which includes the user's biological information and the signature information, to obtain an authentication result.

After obtaining the public key that matches the private key of the mobile device, the application service platform can verify the signature information in the authentication information with that public key, thereby authenticating the mobile device user.

The signature-verification-based authentication process is as follows. First, the signature information in the authentication information is decrypted with the obtained public key to yield one hash value. Next, the biological information in the authentication information is hashed using the hash calculation method agreed with the mobile device (the same method the mobile device used when signing) to yield another hash value. Finally, the application service platform compares the hash value it computed with the hash value it decrypted. If the two match, signature verification succeeds, which indicates that the terminal device user has passed identity authentication; if they do not match, signature verification fails, which indicates that the terminal device user has not passed identity authentication.

Step 104: if the authentication result indicates that the terminal device user has passed identity authentication, perform the data circulation operation with the terminal device.

Once signature verification succeeds and the user has passed identity authentication, the required data circulation between the application service platform and the mobile device application can proceed according to actual data circulation needs, for example the application service platform transmitting data to the application on the user's mobile device (the mobile device application downloading data from the application service platform), or the application service platform receiving data transmitted by the mobile device application (the mobile device application uploading data to the application service platform).

When the mobile device application downloads data from the application service platform, the application service platform signs the first data that the user needs to download with the platform's own private key to obtain the signature information of the first data, and transmits the first data together with its signature information to the user's mobile device. After receiving the first data and its signature information, the mobile device verifies the signature information of the first data with the public key of the application service platform. If verification succeeds, the received first data is trusted data transmitted by the application service platform; if verification fails, the first data is not trusted and may have been tampered with in transit.

When the mobile device application uploads data to the application service platform, the application service platform receives the second data and the signature information of the second data transmitted by the user's mobile device; the signature information of the second data is obtained by signing the second data with the private key of the mobile device. After receiving the second data and its signature information, the application service platform verifies the signature information of the second data with the public key of the mobile device. If verification succeeds, the received second data is trusted data transmitted by the mobile device; if verification fails, the second data is not trusted and may have been tampered with in transit.
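Steps 102 to 104 above, as an added example that is not part of the patent: the platform resolves the device public key through the two stored correspondences, verifies the signature over the biological information, then signs the first data for download. Textbook RSA (hash, then modular exponentiation with no padding) is used only because it mirrors the text's "encrypt the hash with the private key"; SHA-256, the 1024-bit key size, all class and function names, and the byte string standing in for a biometric template (looked up by exact match) are assumptions, and a deployment would use a vetted library with a padded scheme such as RSA-PSS.

```python
import hashlib
import secrets

E = 65537  # RSA public exponent


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin test, preceded by trial division by small primes."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full length
        if c % E != 1 and _is_probable_prime(c):  # keeps E coprime to c - 1
            return c


def generate_keypair(bits=1024):
    """Key pair generated locally by a device (or by the platform for itself)."""
    p = _random_prime(bits // 2)
    q = _random_prime(bits // 2)
    while q == p:
        q = _random_prime(bits // 2)
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))  # (public, private)


def digest(data):
    """Hash calculation agreed in advance by both sides (SHA-256 assumed)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data, private):
    n, d = private
    return pow(digest(data), d, n)  # hash, then "encrypt" with the private key


def verify(data, signature, public):
    n, e = public
    # "Decrypt" the signature with the public key and compare the two hashes.
    return pow(signature, e, n) == digest(data)


class ServicePlatform:
    def __init__(self):
        self.public, self._private = generate_keypair()
        self.identity_by_bio = {}     # biological information -> identity
        self.pubkey_by_identity = {}  # identity -> device public key

    def register(self, bio, identity, device_public):
        self.identity_by_bio[bio] = identity
        self.pubkey_by_identity[identity] = device_public

    def authenticate(self, bio, signature):
        """Steps 102-103: look up the key, verify; return identity or None."""
        identity = self.identity_by_bio.get(bio)
        public = self.pubkey_by_identity.get(identity)
        if public is None or not verify(bio, signature, public):
            return None
        return identity

    def send_first_data(self, data):
        """Step 104, download case: first data plus the platform's signature."""
        return data, sign(data, self._private)


def demo():
    platform = ServicePlatform()
    device_public, device_private = generate_keypair()
    bio = b"constructed-fingerprint-template-0001"  # constructed stand-in
    platform.register(bio, "user-0001", device_public)

    genuine = platform.authenticate(bio, sign(bio, device_private))
    _, other_private = generate_keypair()  # key of a device never registered
    wrong_key = platform.authenticate(bio, sign(bio, other_private))

    data, sig = platform.send_first_data(b"constructed record")
    intact = verify(data, sig, platform.public)         # device-side check
    altered = verify(data + b"!", sig, platform.public)  # changed in transit
    return genuine, wrong_key, intact, altered


if __name__ == "__main__":
    print(demo())
```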

It should be noted that, in this application, where the data concerns the sovereignty and interests of only a single terminal device, the private key of the terminal device is the private key of the public/private key pair that this terminal device generated when registering its identity with the service platform.

Where the data concerns the sovereignty and interests of multiple terminal devices, the private key of the terminal device is the private key synthesized by the first terminal device from the private key block it holds itself and the private key blocks, meeting the quantity requirement, that it collects from at least some of the N second terminal devices. Here, the first terminal device is the data requester's device among the multiple terminal devices; the N second terminal devices are the other devices among the multiple terminal devices besides the first terminal device; and N is a natural number not less than 1. Each of the multiple terminal devices holds one private key block. The private key block held by each terminal device is a key block obtained when, because one of the multiple terminal devices needs multi-party data authorization, the multiple terminal devices negotiate and split a key.

The case above, in which the sovereignty and interests of multiple terminal devices are involved, is the multi-party data authorization scenario, which is described in detail with an example below.

As the above scheme shows, the data circulation method provided in this embodiment authenticates the terminal device user during data circulation based on the user's biological information and a digital signature over that biological information. Because both are used to authenticate the terminal device user, this application can, on the one hand, authenticate the terminal device user as an entity and, on the other hand, effectively prevent problems such as fraudulent use of user identity information, thereby providing better support for data permission management and trusted transmission in data circulation.

Referring to the flowchart of the data circulation method shown in Fig. 2, the above data circulation method applied to the service platform may further include:

Step 105: audit the authenticity of the terminal device user for anomalies, and execute the corresponding response when an anomaly occurs.

Specifically, when the mobile device registers its identity, the application service platform can also record and store physical information about the mobile device, for example its MAC address. Subsequently, while data circulates between the mobile device and the application service platform, the MAC address of the mobile device can be checked in real time. If the MAC address of the device that the same user uses for data circulation is found to switch frequently within a relatively short time, an anomaly has occurred (for example, the user's biological information may have been leaked and fraudulently used). In that case the application service platform can execute the corresponding response, such as terminating data circulation with the mobile device and sending a prompt to the user's mobile device corresponding to the recorded MAC address, asking the user to change the registration information as soon as possible (for example, to register the fingerprint of a different finger).

In another possible implementation, the application service platform can check the IP (Internet Protocol) address of the mobile device in real time. If the IP address of the device that the same user uses for data circulation is found to switch frequently within a relatively short time, this likewise indicates an anomaly (for example, the user's biological information may have been leaked and fraudulently used), and the application service platform can execute the same response as above.

In this embodiment, the application service platform audits the authenticity of the mobile device user for anomalies and executes the corresponding response when an anomaly occurs, which further ensures trusted circulation of data.
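One way to implement the step 105 check, run over a constructed request log (an added example, not the patent's own code): it flags a user whose requests arrive from more than a set number of distinct MAC or IP addresses inside a sliding window, and attaches the two responses the text names. The 10-minute window, the limit of two addresses, the log format and all names are assumptions; the text says only "relatively short time" and "frequently".

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed meaning of "relatively short time"
MAX_DISTINCT = 2                # assumed: more than this counts as "frequent"

# MAC address recorded for each user at identity registration (constructed).
REGISTERED_MAC = {"u1": "02:00:00:00:00:01", "u2": "02:00:00:00:00:02"}

# Constructed log: one line per data circulation request, sorted by time.
SAMPLE_LOG = """\
2019-04-15T10:00:00 user=u1 mac=02:00:00:00:00:01 ip=192.0.2.10
2019-04-15T10:01:00 user=u2 mac=02:00:00:00:00:02 ip=198.51.100.7
2019-04-15T10:02:00 user=u2 mac=02:00:00:00:00:03 ip=198.51.100.7
2019-04-15T10:03:00 user=u1 mac=02:00:00:00:00:01 ip=192.0.2.11
2019-04-15T10:04:00 user=u2 mac=02:00:00:00:00:04 ip=203.0.113.9
2019-04-15T10:30:00 user=u1 mac=02:00:00:00:00:01 ip=192.0.2.12
2019-04-15T10:31:00 user=u2 mac=02:00:00:00:00:02 ip=198.51.100.7
"""


def parse_line(line):
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["user"], kv["mac"], kv["ip"]


def audit(lines, window=WINDOW, max_distinct=MAX_DISTINCT):
    """Return one alert per user and address kind each time switching starts.

    Lines must be in time order, as a platform would see them in real time.
    """
    recent = defaultdict(deque)  # user -> requests still inside the window
    flagged = set()              # (user, kind) pairs currently in alert
    alerts = []
    for line in lines:
        ts, user, mac, ip = parse_line(line)
        seen = recent[user]
        seen.append((ts, mac, ip))
        while ts - seen[0][0] > window:  # drop requests older than the window
            seen.popleft()
        for kind, col in (("mac", 1), ("ip", 2)):
            distinct = sorted({entry[col] for entry in seen})
            if len(distinct) <= max_distinct:
                flagged.discard((user, kind))  # back to normal, re-arm
            elif (user, kind) not in flagged:
                flagged.add((user, kind))
                alerts.append({
                    "user": user, "kind": kind, "time": ts.isoformat(),
                    "addresses": distinct,
                    "actions": [
                        "terminate data circulation",
                        "prompt device " + REGISTERED_MAC.get(user, "unknown")
                        + " to change registration information",
                    ],
                })
    return alerts


if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG.splitlines()):
        print(alert)
```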

Corresponding to the above data circulation method applied to the service platform, the embodiments of this application also disclose a data circulation method applied to a first terminal device. The first terminal device can be a mobile device, a computer or similar equipment. Below, the data circulation method applied to the first terminal device is described taking a mobile device as the first terminal device.

Referring to the flow diagram of the data circulation method applied to the first terminal device shown in Fig. 3, in this embodiment the method includes:

Step 301: acquire the user's biological information.

User identity authentication presupposes identity registration. In practice, therefore, identity registration with the application service platform can be carried out in advance from the application on the user's mobile device. For the registration process, refer to the description of registration above; it is not repeated here.

Once the user of the mobile device has registered an identity with the application service platform, whenever data needs to circulate between the mobile device application and the application service platform, the application service platform must first authenticate the mobile device user. Accordingly, the mobile device must first acquire the user's biological information to serve as authentication information, for example the user's fingerprint, photo or iris.

Step 302: sign the biological information with the private key of the first terminal device to obtain signature information.

After acquiring the user's biological information, the mobile device signs it with its private key to obtain the signature information. Specifically, the signing process consists of hashing the acquired biological information using the hash calculation method agreed in advance with the application service platform, and then encrypting the resulting hash value with the private key of the mobile device.

Step 303: transmit the biological information and the signature information to the service platform as the user's authentication information, so that the service platform authenticates the user of the first terminal device based on the authentication information and the pre-stored public key that matches the private key of the first terminal device.

After signing the acquired biological information, the mobile device transmits the biological information together with its signature information to the application service platform as the authentication information. The application service platform can then authenticate the mobile device user by verifying the signature information in the authentication information with the public key of the mobile device. For this signature-verification-based authentication process, refer to the corresponding description in the "data circulation method applied to the service platform" above; it is not repeated here.

Step 304: if the authentication result of the service platform indicates that the user of the first terminal device has passed identity authentication, perform the data circulation operation with the service platform.

The data circulation operation specifically includes:

When the mobile device application downloads data from the application service platform, the mobile device receives the first data and the signature information of the first data transmitted by the service platform, verifies the signature information of the first data with the public key of the service platform, and determines from the verification result whether the first data is trusted;

When the mobile device application uploads data to the application service platform, the mobile device transmits the second data to be uploaded and the signature information of the second data to the service platform, so that the service platform verifies the signature information of the second data with the public key that matches the private key of the first terminal device and determines from the verification result whether the second data is trusted.

It should be noted that, where the data concerns the sovereignty and interests of only a single terminal device, the private key of the first terminal device is the private key of the public/private key pair that this terminal device generated when registering its identity with the service platform;

Where the data concerns the sovereignty and interests of multiple terminal devices, the private key of the first terminal device is the private key synthesized by the first terminal device from the private key block it holds itself and the private key blocks, meeting the quantity requirement, that it collects from at least some of the N second terminal devices;

Here, the first terminal device is the data requester's device among the multiple terminal devices; the N second terminal devices are the other devices among the multiple terminal devices besides the first terminal device; and N is a natural number not less than 1. Each of the multiple terminal devices holds one private key block. The private key block held by each terminal device is a key block obtained when, because one of the multiple terminal devices needs multi-party data authorization, the multiple terminal devices negotiate and split a key.

The case above, in which the sovereignty and interests of multiple terminal devices are involved, is the multi-party data authorization scenario, which is described in detail with an example below.

Because this application uses the user's biological information and a digital signature over that biological information to authenticate the terminal device user, it can, on the one hand, authenticate the terminal device user as an entity and, on the other hand, effectively prevent problems such as fraudulent use of user identity information, thereby providing better support for data permission management and trusted transmission in data circulation.

Corresponding to the above data circulation method applied to the service platform, this application also discloses a service platform. The service platform can be a platform that provides data services and is deployed on one or more cloud or network-side servers; for example, it can be an application service platform deployed on one or more cloud or network-side servers that provides data services to applications on terminal devices.

Referring to the structural diagram of the service platform shown in Fig. 4, the service platform includes:

A first acquisition unit 401, configured to obtain the authentication information of the terminal device user, the authentication information including the user's biological information and the signature information obtained by signing the biological information with the private key of the terminal device;

A second acquisition unit 402, configured to obtain the pre-stored public key that matches the private key of the terminal device;

An identity authentication unit 403, configured to authenticate the terminal device user based on the public key and the authentication information, which includes the user's biological information and the signature information, to obtain an authentication result;

A first circulation processing unit 404, configured to perform the data circulation operation with the terminal device if the authentication result indicates that the terminal device user has passed identity authentication.

In one implementation of the embodiments of this application, referring to Fig. 6, the service platform further includes an identity management unit 405, configured to store, based on the terminal device's identity registration with the service platform, a first correspondence between user biological information and user identity information and a second correspondence between user identity information and the device's public key;

The second acquisition unit 402 is specifically configured to obtain the public key of the terminal device using the biological information included in the authentication information, based on the pre-stored correspondence between user biological information and user identity information and the pre-stored correspondence between user identity information and device public key.

In one implementation of the embodiments of this application, the identity authentication unit 403 is specifically configured to: verify the signature information in the authentication information with the obtained public key; if signature verification succeeds, the terminal device user passes identity authentication; if signature verification fails, the terminal device user does not pass identity authentication.

In one implementation of the embodiments of this application, the first circulation processing unit 404 is specifically configured to:

Sign the first data with the private key of the service platform to obtain the signature information of the first data; transmit the first data and the signature information of the first data to the terminal device, so that the terminal device verifies the signature information of the first data with the public key of the service platform and determines from the verification result whether the first data is trusted;

Or,

Receive the second data and the signature information of the second data transmitted by the terminal device, the signature information of the second data being obtained by signing the second data with the private key of the terminal device; verify the signature information of the second data with the public key of the terminal device, and determine from the verification result whether the second data is trusted.

In one implementation of the embodiments of this application:

Where the data concerns the sovereignty and interests of only a single terminal device, the private key of the terminal device is the private key of the public/private key pair that this terminal device generated when registering its identity with the service platform;

Where the data concerns the sovereignty and interests of multiple terminal devices, the private key of the terminal device is the private key synthesized by the first terminal device from the private key block it holds itself and the private key blocks, meeting the quantity requirement, that it collects from at least some of the N second terminal devices. Here, the first terminal device is the data requester's device among the multiple terminal devices; the N second terminal devices are the other devices among the multiple terminal devices besides the first terminal device; and N is a natural number not less than 1. Each of the multiple terminal devices holds one private key block. The private key block held by each terminal device is a key block obtained when, because one of the multiple terminal devices needs multi-party data authorization, the multiple terminal devices negotiate and split a key.

In one implementation of the embodiments of this application, referring to Fig. 6, the service platform further includes an audit processing unit 406, configured to audit the authenticity of the terminal device user for anomalies and to execute the corresponding response when an anomaly occurs.

Because the service platform disclosed in the embodiments of this application corresponds to the data circulation method applied to the service platform disclosed in the embodiments above, it is described relatively briefly; for the related points, refer to the description of that method in the embodiments above, which is not repeated in detail here.

Corresponding to the above data circulation method applied to the first terminal device, this application also discloses a first terminal device, which can be a mobile device, a computer or similar equipment. Referring to the structural diagram of the first terminal device shown in Fig. 7, the first terminal device includes:

An acquisition unit 701, configured to acquire the user's biological information;

A signature unit 702, configured to sign the biological information with the private key of the first terminal device to obtain signature information;

A transmission unit 703, configured to transmit the biological information and the signature information to the service platform as the user's authentication information, so that the service platform authenticates the user of the first terminal device based on the authentication information and the pre-stored public key that matches the private key of the first terminal device;

A second circulation processing unit 704, configured to perform the data circulation operation with the service platform if the authentication result of the service platform indicates that the user of the first terminal device has passed identity authentication.

In one implementation of the embodiments of this application, the second circulation processing unit 704 is specifically configured to:

Receive the first data and the signature information of the first data transmitted by the service platform, and verify the signature information of the first data with the public key of the service platform, so as to determine from the verification result whether the first data is trusted;

Or,

Transmit the second data and the signature information of the second data to the service platform, so that the service platform verifies the signature information of the second data with the public key that matches the private key of the first terminal device and determines from the verification result whether the second data is trusted.

In one implementation of the embodiments of this application, referring to Fig. 8, the first terminal device further includes an identity registration unit 705, configured to register the user's identity with the service platform, so that the service platform stores, based on the user's identity registration, the correspondence between user biological information and user identity information and the correspondence between user identity information and the public key.

In one implementation of the embodiments of this application:

Where the data concerns the sovereignty and interests of only a single terminal device, the private key of the first terminal device is the private key of the public/private key pair that this terminal device generated when registering its identity with the service platform;

Where the data concerns the sovereignty and interests of multiple terminal devices, the private key of the first terminal device is the private key synthesized by the first terminal device from the private key block it holds itself and the private key blocks, meeting the quantity requirement, that it collects from at least some of the N second terminal devices;

Here, the first terminal device is the data requester's device among the multiple terminal devices; the N second terminal devices are the other devices among the multiple terminal devices besides the first terminal device; and N is a natural number not less than 1. Each of the multiple terminal devices holds one private key block. The private key block held by each terminal device is a key block obtained when, because one of the multiple terminal devices needs multi-party data authorization, the multiple terminal devices negotiate and split a key.

Because the first terminal device disclosed in the embodiments of this application corresponds to the data circulation method applied to the first terminal device disclosed in the embodiments above, it is described relatively briefly; for the related points, refer to the description of that method in the embodiments above, which is not repeated in detail here.

This application also discloses a data circulation system that includes the service platform described above and at least one first terminal device as described above. For the data circulation processing between the service platform and the first terminal device, refer to the descriptions above of the data circulation methods applied to the service platform and to the first terminal device; it is not elaborated here.

A concrete application example of the scheme of this application is given below:

Referring to Fig. 9, this example provides, based on the scheme of this application, a trusted data circulation mechanism suitable for mobile device applications. The mechanism is based on an application service platform and mobile devices, where the application service platform includes three functional modules, namely identity management, data management and audit, which are used respectively for user identity management, data management and anomaly auditing of user authenticity.

The mechanism comprises three processes: user identity registration, identity authentication during data circulation, and multi-party data authorization. These three processes are implemented as follows:

1) User identity registration

The mobile device application initiates a registration request to the application service platform and provides the user's biological information, such as the user's fingerprint, photo or iris. The application service platform connects to an existing identity verification platform (a government agency, financial institution, etc.), which verifies the user's identity based on the biological information the user provided. After verification is complete, the mobile device application generates a public/private key pair locally and securely uploads the public key, which represents the identity, to the application service platform. The application service platform binds the user's biological information to the user's identity information and the user's identity information to the device's public key, and stores the resulting correspondence between user biological information and user identity information and the correspondence between user identity information and the device's public key. At the same time, it records the physical information of the user's mobile device (such as the MAC address) in the audit module, to support later anomaly auditing of the user's authenticity.

2) Identity authentication during data circulation

When data circulates between the mobile device application and the application service platform (the user uploads or downloads data), the mobile device application signs the data with the device's private key when transmitting data to the application service platform, and the application service platform verifies the signature on the data with the device's public key, thereby determining whether the data transmission is trustworthy. At the same time, the application service platform uses the audit module to assess the authenticity of the user.

Similarly, when transmitting data to the mobile device application, the application service platform signs the data with the platform's private key, and the mobile device application verifies the signature on the data with the platform's public key, thereby determining whether the data transmission is trustworthy.

3) Multi-party data authorization

When data involves the sovereignty and interests of multiple parties, the parties can negotiate to split a key. The data requester must collect a sufficient number of key blocks from the parties before it can pass identity authentication by the application service platform and then obtain data from the application service platform.

This case is illustrated with a specific example. Assume the user of mobile device A (e.g. a patient) needs to grant the user of mobile device B (e.g. a doctor) "the permission to obtain, in the application on mobile device B, part of mobile device A's data on the application service platform (such as the patient's medical record data from the past year)". This situation may involve the sovereignty and interests of multiple parties: mobile device A, mobile device B and possibly other mobile devices C (not limited to one; in the patient and doctor example, mobile device C could represent a school). For such a scenario, the devices involved can negotiate to split a private key and distribute one of the resulting private key blocks to each mobile device involved. On that basis, mobile device B, as the data requester, can collect private key blocks from the other devices. Only after mobile device B has collected a sufficient number of private key blocks from the parties can it pass identity authentication by the application service platform. Specifically, after collecting a sufficient number of private key blocks, mobile device B synthesizes the collected blocks into one private key and then performs identity authentication and the subsequent data circulation based on the synthesized private key. The specific value of the "sufficient number" can likewise be determined by negotiation among the devices, and is not limited to the total number of private key blocks held by all the devices.

In conclusion the data circulation scheme of the application is compared with the prior art, have the advantage that

1) At present, mobile terminals lack identity authentication of the mobile terminal user entity when circulating data. This application authenticates the terminal device user by using the user's biological information and a digital signature over that biological information, which solves this problem and achieves identity authentication of the mobile terminal user entity;

2) During transmission over the network, data is vulnerable to sniffing, tampering and even man-in-the-middle attacks. To address this, the application uses technologies such as asymmetric encryption, digital signatures and key sharing, so that a mobile application can authenticate the identity of the mobile terminal user entity during data circulation and thereby ensure the security of the data in transit;

3) In data transmission, the prior art lacks a many-to-many data permission management method: accounts and data correspond one to one (that is, the data under a user's own account can only be obtained by logging in to that user account and cannot be authorized to other accounts), which makes flexible data management difficult. Through multi-party data authorization based on key negotiation and splitting, this application effectively overcomes this problem and enables flexible many-to-many data permission management.

It should be noted that the embodiments in this specification are described in a progressive manner: each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to one another.

For convenience of description, the above system or device is described as divided by function into various modules or units. Of course, when implementing this application, the functions of the units may be realized in one or more pieces of software and/or hardware.

From the above description of the embodiments, those skilled in the art can clearly understand that this application can be implemented by means of software plus a necessary general-purpose hardware platform. Based on this understanding, the technical solution of this application in essence, or the part of it that contributes over the prior art, can be embodied in the form of a software product. The computer software product can be stored in a storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to execute the methods described in the embodiments of this application or in certain parts of the embodiments.

Finally, it should also be noted that, in this document, relational terms such as first, second, third and fourth are used only to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements that are not explicitly listed, or also includes elements inherent to such a process, method, article or device. In the absence of further restrictions, an element qualified by the phrase "including a ..." does not exclude the presence of additional identical elements in the process, method, article or device that includes the element.

The above is only a preferred embodiment of the present invention. It should be noted that those of ordinary skill in the art may make various improvements and modifications without departing from the principle of the present invention, and these improvements and modifications shall also be regarded as falling within the protection scope of the present invention.
