Search

US-12619980-B2 - Security authentication method, apparatus and system for digital currency transaction

US12619980B2US 12619980 B2US12619980 B2US 12619980B2US-12619980-B2

Abstract

The present application relates to the technical field of computers. A security authentication method, apparatus and system for a digital currency transaction. A specific embodiment of the method includes: a first terminal device storing a first certificate issued by a digital currency issuing end and second certificates issued by one or more digital currency operation ends; the first terminal device receiving a third certificate sent by a first digital currency operation end, and performing signature verification on the third certificate by using a second certificate, which is issued by the first digital currency operation end and passes signature verification; and after the third certificate passes the signature verification, the first terminal device performing a digital currency transaction with the first digital currency operation end and/or a second terminal device, wherein the second terminal device stores a fourth certificate sent by a second digital currency operation end. By means of the embodiment, mutual authentication and secure communication between a digital currency operation end and a terminal device and between different terminal devices can be realized, thereby avoiding potential security hazards such as information stealing, information leakage and illegitimate access.

Inventors

  • Changchun MU
  • Gang DI
  • Xinyu Zhao
  • Wei Liang
  • Peidong CUI
  • KEFENG XU
  • Yongchao BIAN

Assignees

  • DIGITAL CURRENCY INSTITUTE, THE PEOPLE'S BANK OF CHINA

Dates

Publication Date
20260505
Application Date
20230224
Priority Date
20220224

Claims (20)

  1. 1 . A method for security authentication for a digital currency transaction, comprising: storing, by a first terminal device, a first certificate issued by a digital currency issuer and a second certificate issued by at least one digital currency operator, wherein the digital currency operator and the second certificate are in one-to-one correspondence, and the first certificate is to perform signature verification of the second certificate by the first terminal device; receiving, by the first terminal device, a third certificate sent by a first digital currency operator among the at least one digital currency operator, and performing, by the first terminal device, signature verification of the third certificate by using the second certificate, of which the signature verification passes, issued by the first digital currency operator, wherein the third certificate is generated by the first digital currency operator based on signature data of the first terminal device; and conducting, by the first terminal device, the digital currency transaction with the first digital currency operator and/or a second terminal device after the signature verification of the third certificate passes, wherein a fourth certificate sent by a second digital currency operator among the at least one digital currency operator is stored in the second terminal device.
  2. 2 . The method according to claim 1 , wherein the second certificate issued by the digital currency operator is generated by the digital currency issuer based on institution data of the digital currency operator, and is sent by the digital currency issuer to the digital currency operator, wherein the institution data comprises an institution identification.
  3. 3 . The method according to claim 1 , wherein before receiving, by the first terminal device, the third certificate sent by the first digital currency operator among the at least one digital currency operator, the method comprises: signing, by the first terminal device, local data of the first terminal device to generate signature data of the first terminal device, wherein the local data of the first terminal device comprises a device identification of the first terminal device and a random number generated by the first terminal device; and sending, by the first terminal device, the signature data of the first terminal device to the first digital currency operator to generate the third certificate by the first digital currency operator based on the signature data of the first terminal device.
  4. 4 . The method according to claim 3 , wherein the step of conducting, by the first terminal device, the digital currency transaction with the first digital currency operator comprises: encrypting, by the first terminal device, first business data of the digital currency transaction by using a first process key, and sending, by the first terminal device, the encrypted first business data to the first digital currency operator, to generate second business data of the digital currency transaction by the first digital currency operator based on the first business data; receiving, by the first terminal device, encrypted communication data and digest information signature sent by the first digital currency operator, wherein the encrypted communication data is obtained by encrypting the second business data by the first digital currency operator using the first process key, and the digest information signature is obtained by generating first digest information for the second business data and signing the first digest information by the first digital currency operator; decrypting, by the first terminal device, the encrypted communication data to obtain the second business data, generating second digest information for the decrypted second business data, and performing signature verification of the digest information to obtain the first digest information; and comparing, by the first terminal device, the first digest information with the second digest information, performing a business processing on the second business data when the first digest information is consistent with the second digest information, and returning a processing result to the first digital currency operator.
  5. 5 . The method according to claim 4 , wherein the first process key is generated by each of the first terminal device and the first digital currency operator by: determining a first shared confidential key through a key negotiation between the first terminal device and the first digital currency operator; and encrypting, by using the first shared confidential key, the device identification of the first terminal device and the random number generated by the first terminal device, to obtain the first process key.
  6. 6 . The method according to claim 1 , wherein the step of conducting, by the first terminal device, the digital currency transaction with the second terminal device comprises: sending, by the first terminal device, the third certificate to the second terminal device, and receiving the fourth certificate sent by the second terminal device; determining, by the first terminal device, the second digital currency operator from the at least one digital currency operator based on signature information in the fourth certificate; and performing, by the first terminal device, signature verification of the fourth certificate by using the second certificate, of which the signature verification passes, issued by the second digital currency operator.
  7. 7 . The method according to claim 6 , wherein the step of conducting, by the first terminal device, the digital currency transaction with the second terminal device further comprises: encrypting, by the first terminal device, business data communicated in the digital currency transaction with the second terminal device by using a second process key, and sending, by the first terminal device, the encrypted business data to a counterpart terminal device, wherein the first terminal device and the second terminal device are counterpart terminal devices to each other, and wherein the second process key is generated by the first terminal device and the second terminal device by: determining a second shared confidential key through a key negotiation between the first terminal device and the second terminal device, and exchanging random numbers with each other; processing the random numbers of the first terminal device and the second terminal device according to a preset processing rule, to obtain a to-be-encrypted random number; and encrypting the to-be-encrypted random number by using the second shared confidential key, to obtain the second process key.
  8. 8 . The method according to claim 1 , wherein the first terminal device performs a local operation related to the digital currency transaction in a secure encryption chip, and the local operation comprises one or more of a process key generating operation, a data encryption operation, a data decryption operation, a signing operation, and a signature verification operation, wherein the process key is a first process key for conducting the digital currency transaction with the first digital currency operator, or a second process key for conducting the digital currency transaction with the second terminal device.
  9. 9 . A system for security authentication of a digital currency transaction, comprising: a digital currency issuer server configured to issue a first certificate, at least one digital currency operator server configured to issue a second certificate, and a first terminal device, wherein the at least one digital currency operator server is configured to generate a third certificate based on signature data of the first terminal device, and generate a fourth certificate, and wherein the first terminal device is configured to: store the first certificate and the second certificate, wherein the digital currency operator server and the second certificate are in one-to-one correspondence, and the first certificate is to perform signature verification of the second certificate by the first terminal device; receive the third certificate from the digital currency operator server, and perform signature verification of the third certificate by using the second certificate, of which the signature verification passes, issued by the digital currency operator server; and conduct the digital currency transaction with the first digital currency operator server and/or a second terminal device after the signature verification of the third certificate passes, wherein the fourth certificate is stored in the second terminal device.
  10. 10 . The system according to claim 9 , wherein the second certificate issued by the digital currency operator server is generated by the digital currency issuer server based on institution data of the digital currency operator server, and is sent by the digital currency issuer server to the digital currency operator server, wherein the institution data comprises an institution identification.
  11. 11 . The system according to claim 9 , wherein before the first terminal device receives the third certificate from the digital currency operator server, the first terminal device is further configured to: sign local data of the first terminal device to generate signature data of the first terminal device, wherein the local data of the first terminal device comprises a device identification of the first terminal device and a random number generated by the first terminal device; and send the signature data of the first terminal device to the digital currency operator server to generate the third certificate by the digital currency operator server based on the signature data of the first terminal device.
  12. 12 . The system according to claim 9 , wherein when the first terminal device conducts the digital currency transaction with the digital currency operator server, the first terminal device is further configured to: encrypt first business data of the digital currency transaction by using a first process key, and send the encrypted first business data to the digital currency operator server, to generate second business data of the digital currency transaction by the digital currency operator server based on the first business data; receive encrypted communication data and digest information signature sent by the digital currency operator server, wherein the encrypted communication data is obtained by encrypting the second business data by the digital currency operator server using the first process key, and the digest information signature is obtained by generating first digest information for the second business data and signing the first digest information by the digital currency operator server; decrypt the encrypted communication data to obtain the second business data, generate second digest information for the decrypted second business data, and perform signature verification of the digest information to obtain the first digest information; and compare the first digest information with the second digest information, perform a business processing on the second business data when the first digest information is consistent with the second digest information, and return a processing result to the digital currency operator server.
  13. 13 . The system according to claim 10 , wherein each of the first terminal device and the digital currency operator server generates the first process key by: determining a first shared confidential key through a key negotiation between the first terminal device and the digital currency operator server; and encrypting, by using the first shared confidential key, the device identification of the first terminal device and the random number generated by the first terminal device, to obtain the first process key.
  14. 14 . The system according to claim 9 , wherein when the first terminal device conducts the digital currency transaction with the second terminal device, the first terminal device is configured to: send the third certificate to the second terminal device, and receive the fourth certificate sent by the second terminal device; and perform signature verification of the fourth certificate by using the second certificate, of which the signature verification passes, issued by the digital currency operator.
  15. 15 . The system according to claim 12 , wherein when the first terminal device conducts the digital currency transaction with the second terminal device, the first terminal device is configured to: encrypt business data communicated in the digital currency transaction with the second terminal device by using a second process key, and send the encrypted business data to a counterpart terminal device, wherein the first terminal device and the second terminal device are counterpart terminal devices to each other, and wherein the second process key is generated by the first terminal device and the second terminal device by: determining a second shared confidential key through a key negotiation between the first terminal device and the second terminal device, and exchanging random numbers with each other; processing the random numbers of the first terminal device and the second terminal device according to a preset processing rule, to obtain a to-be-encrypted random number; and encrypting the to-be-encrypted random number by using the second shared confidential key, to obtain the second process key.
  16. 16 . The system according to claim 9 , wherein the first terminal device performs a local operation related to the digital currency transaction in a secure encryption chip, and the local operation comprises one or more of a process key generating operation, a data encryption operation, a data decryption operation, a signing operation, and a signature verification operation, wherein the process key is a first process key for conducting the digital currency transaction with the first digital currency operator server, or a second process key for conducting the digital currency transaction with the second terminal device.
  17. 17 . An electronic device, comprising: one or more processors; and a memory, configured to store one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to store, using a first terminal device, a first certificate issued by a digital currency issuer and a second certificate issued by at least one digital currency operator, wherein the digital currency operator and the second certificate are in one-to-one correspondence, and the first certificate is to perform signature verification of the second certificate by the first terminal device; receive, using the first terminal device, a third certificate sent by a first digital currency operator among the at least one digital currency operator, and perform, using the first terminal device, signature verification of the third certificate by using the second certificate, of which the signature verification passes, issued by the first digital currency operator, wherein the third certificate is generated by the first digital currency operator based on signature data of the first terminal device; and conduct, using the first terminal device, the digital currency transaction with the first digital currency operator and/or a second terminal device after the signature verification of the third certificate passes, wherein a fourth certificate sent by a second digital currency operator among the at least one digital currency operator is stored in the second terminal device.
  18. 18 . The electronic device according to claim 17 , wherein before receiving, using the first terminal device, the third certificate sent by the first digital currency operator among the at least one digital currency operator, the one or more programs, when executed by the one or more processors, further cause the one or more processors to: sign, using the first terminal device, local data of the first terminal device to generate signature data of the first terminal device, wherein the local data of the first terminal device comprises a device identification of the first terminal device and a random number generated by the first terminal device; and send, using the first terminal device, the signature data of the first terminal device to the first digital currency operator to generate the third certificate by the first digital currency operator based on the signature data of the first terminal device.
  19. 19 . The electronic device according to claim 17 , wherein when conducting, using the first terminal device, the digital currency transaction with the first digital currency operator, the one or more programs, when executed by the one or more processors, further cause the one or more processors to: encrypt, using the first terminal device, first business data of the digital currency transaction by using a first process key, and send, using the first terminal device, the encrypted first business data to the first digital currency operator, to generate second business data of the digital currency transaction by the first digital currency operator based on the first business data; receive, using the first terminal device, encrypted communication data and digest information signature sent by the first digital currency operator, wherein the encrypted communication data is obtained by encrypting the second business data by the first digital currency operator using the first process key, and the digest information signature is obtained by generating first digest information for the second business data and signing the first digest information by the first digital currency operator; decrypt, using the first terminal device, the encrypted communication data to obtain the second business data, generating second digest information for the decrypted second business data, and performing signature verification of the digest information to obtain the first digest information; and compare, using the first terminal device, the first digest information with the second digest information, performing a business processing on the second business data when the first digest information is consistent with the second digest information, and returning a processing result to the first digital currency operator.
  20. 20 . A non-transitory computer-readable storage medium having a computer program stored thereon, wherein the computer program, when executed by a processor, performs the method according to claim 1 .

Description

CROSS REFERENCE OF RELATED APPLICATION This application is a national stage filing under 35 U.S.C. § 371 of International Patent Application Serial No. PCT/CN2023/078254, filed Feb. 24, 2023, which claims priority to Chinese Patent Application No. 202210173203.5 titled “SECURITY AUTHENTICATION METHOD, APPARATUS AND SYSTEM FOR DIGITAL CURRENCY TRANSACTION”, filed on Feb. 24, 2022. The contents of these applications are which is-incorporated herein by reference in their entirety. FIELD The present disclosure relates to the field of computer technology, and in particular, to a method, an apparatus, and a system for security authentication of a digital currency transaction. BACKGROUND Digital currency is an important part of the new generation of payment method. With the increasing widespread adoption of digital currency, security protection of the digital currency attracts enough attention. In the existing digital currency transactions, there is no sufficient protection for information transmission security, device security control, user privacy, etc., no matter whether it is remote transmission or local transmission in a near-field range on a payment device and a recipient device, which poses certain security risks. In addition, data is likely to be hijacked or forged by middleman during a transmission process. Therefore, the digital currency is likely to be stolen, and is also subject to many external security threats. There is no good solution to theft of sensitive data and important data. Therefore, it is very important to achieve access control and encryption for sensitive and important data of digital currency to ensure the security of digital currency transactions. In a process for this purpose, it is founded that there is at least the following problem in the conventional technology: there are technical problems of information theft, information leakage, and poor security in the authentication process. SUMMARY In view of the above, a method, an apparatus, and a system for security authentication of a digital currency transaction are provided in embodiments of the present disclosure. To achieve the above objective, according to an aspect of an embodiment of the present disclosure, a method for security authentication of a digital currency transaction is provided. A method for security authentication of a digital currency transaction includes: storing, by a first terminal device, a first certificate issued by a digital currency issuer and a second certificate issued by at least one digital currency operator, wherein the digital currency operator and the second certificate are in one-to-one correspondence, and the first certificate is to perform signature verification of the second certificate by the first terminal device; receiving, by the first terminal device, a third certificate sent by a first digital currency operator among the at least one digital currency operator, and performing, by the first terminal device, signature verification of the third certificate by using the second certificate, of which the signature verification passes, issued by the first digital currency operator, wherein the third certificate is generated by the first digital currency operator based on signature data of the first terminal device; and conducting, by the first terminal device, the digital currency transaction with the first digital currency operator and/or a second terminal device after the signature verification of the third certificate passes, wherein a fourth certificate sent by a second digital currency operator among the at least one digital currency operator is stored in the second terminal device. In some embodiments of the present disclosure, the second certificate issued by the digital currency operator is generated by the digital currency issuer based on institution data of the digital currency operator, and is sent by the digital currency issuer to the digital currency operator, wherein the institution data includes an institution identification. In some embodiments of the present disclosure, before receiving, by the first terminal device, the third certificate sent by the first digital currency operator among the at least one digital currency operator, the method includes: signing, by the first terminal device, local data of the first terminal device to generate signature data of the first terminal device, wherein the local data of the first terminal device includes a device identification of the first terminal device and a random number generated by the first terminal device; and sending, by the first terminal device, the signature data of the first terminal device to the first digital currency operator to generate the third certificate by the first digital currency operator based on the signature data of the first terminal device. In some embodiments of the present disclosure, the step of conducting, by the first terminal device, the digital currency transaction with the first digital currency operator