WO2018161224A1

WO2018161224A1 - Data processing method and related device

Info

Publication number: WO2018161224A1
Application number: PCT/CN2017/075786
Authority: WO
Inventors: 赵晓娜; 梅敬青
Original assignee: 华为技术有限公司
Priority date: 2017-03-06
Filing date: 2017-03-06
Publication date: 2018-09-13
Also published as: CN109076428B; CN109076428A

Abstract

Embodiments of the present application provide a data processing method and a related device to provide a unified solution for card applications having different security and convenience requirements. The method in the embodiments of the application comprises: a DH receiving a first message sent by an NFCC, the first message being used to notify the DH that a second terminal is to select a first application on a first terminal, and/or being used to request the DH to perform a user identity authentication operation; the DH performing the user identity authentication operation if the DH determines that user identity authentication is required; the DH sending a second message to the NFCC if the user identity authentication operation is successful, the second message being a first command that allows the NFCC to perform data routing on a data frame, and the data frame being a message that is sent by the second terminal to the NFCC and indicating that the second terminal is to select the first application.

Description

Data processing method and related device

Technical field

The present application relates to the field of wireless communications, and in particular, to a data processing method and related apparatus.

Background technique

Near field communication (NFC) is a short-range wireless communication technology based on radio frequency identification (RFID). The NFC device is mainly composed of three functional entities: a device host (DH), a near rield communication controller (NFCC), and a near field communication execution environment (NFCEE). DH is responsible for the management of NFCC, such as initialization, configuration and power management; NFCC is responsible for the physical transmission of data through the RF interface and antenna; NFCEE can provide a safe execution environment for NFC applications. The NFC controller interface (NCI) defines a logical interface for communication between DH and NFCC. The communication between DH and NFCC can be performed through the NCI protocol. In addition, the host control interface can be used between NFCC and NFCEE. The host controller interface (HCI) communication protocol communicates.

The NFC device includes at least one NFCEE, and at least one card application can be installed on each NFCEE. According to the current NCI standard, multiple card applications on the same NFCEE, or multiple card applications on different NFCEEs can be activated simultaneously, and each The card application has a corresponding application identifier (AID); when the card application on the NFC device is activated, the card applies related radio frequency (RF) parameters (such as RF technical parameters, RF protocol parameters, etc.), Routing tables in listen mode (such as AID-based routing entries, protocol data unit pattern APDU Pattern routing entries, protocol-based routing entries, technology-based routing entries, etc.) are configured on the NFCC. Therefore, the peer NFC device (such as the point-of-sale terminal POS) discovers the RF protocol corresponding to the activated card application in the RF discovery process, so that the peer NFC device according to its own service requirements (such as banking, bus service, and access control service) Etc.) Select one of the card applications to communicate by applying a selection command (such as selectAID). Accordingly, the NFC device receives the application selected by the peer NFC device. Command matching routing entry based on the routing table to the application selection command, and subsequently received data frame is forwarded to the matching routing entry corresponding NFCEE processed.

One of the existing standards can activate multiple card applications on one or more NFCEE at the same time, and does not fully consider that different types of card applications may have different requirements for security and convenience in implementation, such as bank cards. The application requires more safety than the convenience requirement, and the bus card application requires higher convenience than the security requirement. Therefore, it is not conducive to actual product development, which has some impact on user experience or user capital security. For example, in order to balance the security requirements of the bank card with the convenience requirements of the bus card, it is possible to design a scheme that activates only one card application at a time. When the bus card is activated, the bank POS machine reports an error, and when the bank card is activated, the bus POS machine requires the user. Switching card application and other issues; it is also possible to design a scheme to activate multiple card applications at a time, but limit the conditions used by the card application (such as which mobile phone energy state can be used by the routing item corresponding to the card application (such as AID-based routing items) ), wherein the mobile phone energy status is such as shutdown, unlock & bright screen, lock & bright screen, unlock & unlock screen, lock & unlock screen, etc., assuming that the AID-based routing item corresponding to the bank card application can only be unlocked & Under the bright screen, the user must first illuminate the screen and unlock the phone before swiping the bank card for payment. Obviously, the user operation is cumbersome and the experience is not good; if the bank card application is based on the AID-based If the routing item can be used in the off-screen state, there is a risk of being stolen or mistakenly brushed for a passwordless credit card or some scenarios that support small-sized confidential business.

Summary of the invention

The embodiment of the present application provides a data processing method and related device, which are used to provide a unified solution for card applications with different security and convenience requirements.

In a first aspect, the embodiment of the present application provides a data processing method, which is used by a host DH of a first terminal, where the first terminal further includes a near field communication controller NFCC and at least one near field communication execution environment NFCEE, Methods include:

First, the DH receives the first message sent by the NFCC, where the first message may be used to notify the DH that the second terminal is to select the first application on the first terminal, and/or to request the DH to perform the user identity verification operation. It should be understood that the first application may be any type of card application activated on the first terminal, such as a bank card application and a bus card application, and the request for the DH to perform the user identity verification operation is required when using the first application. Verifying the identity of the user, the user identity mentioned here is the identity of the current user of the first terminal, or, further, the first application on the first terminal or the electronic wallet where the first application is located (such as a mobile phone manufacturer such as huawei) The wallet application such as pay, apple pay, and the controller of the wallet application such as ICBC mobile banking and google wallet launched by various banks or third parties (that is, knowing the password of the e-wallet or presetting the fingerprints related to the e-wallet) The identity of the user, in addition, the second terminal is a terminal that performs NFC communication with the first terminal;

Secondly, if the DH determines that user authentication is required, the DH performs a user identity verification operation, wherein it can be understood that after the DH performs the user identity verification operation, the DH can learn according to the result of the user identity verification operation. Whether the user identity can use the first application. The user authentication mentioned here is an operation that needs to be performed before using the first application, that is, determining whether the first application can be used by determining whether the user identity verification is passed, and only allowing the first application to be used after the user authentication is passed. Performing subsequent services with the second terminal.

Finally, when the result of the user authentication operation performed by the DH is a pass, the DH sends a second message to the NFCC, where the second message is a first command that allows the NFCC to perform data routing on the data frame, and the data frame is the second terminal. Sent to the NFCC and used to indicate that the first application is to be selected.

As can be seen from the above technical solutions, the embodiments of the present application have the following advantages:

It can be understood that the present application has a unified solution according to the different security and convenience requirements of different card applications, which can make the implementation simpler, the development cost is lower, the cycle is shorter, etc., and the user authentication is required. The application of the card indicates that the security requirement is higher than the convenience requirement; for the card application that does not require the user identity verification, the convenience requirement is higher than the security requirement; therefore, the security requirements of the embodiment of the present application can be higher than The card application for convenience requires user authentication, and the card application with higher convenience than the security requirement can realize the function of fast payment, and can also avoid the problems of affecting the user experience or complicating the user operation as described above.

In a possible design, in a first possible implementation manner of the first aspect of the embodiment of the present application, before the DH receives the first message sent by the NFCC, the method further includes:

The DH sends and configures a first routing entry to the NFCC, where the first routing entry includes a user identity verification request identifier, where the user identity verification request identifier is used to indicate that the user needs to perform user identity verification when using the first application. Or no user authentication is required.

In this possible implementation manner, the DH may send the first user identifier verification request identifier to the NFCC after determining that the user identity verification request identifier corresponding to the first application indicates that the user needs to perform user identity verification when using the first application. The routing item; or, whether the user authentication request identifier corresponding to the first application indicates whether the user needs or does not need to perform user authentication when using the first application, the DH sends the first routing item including the user identity verification request identifier to the NFCC. The user authentication request identifier is used to indicate that the user needs to perform user authentication when using the first application, or does not need to perform user authentication.

In this possible implementation manner, the DH configures the first routing item including the user identity verification requirement identifier to the NFCC, and the NFCC can conveniently learn, according to the user identity verification request identifier, whether the user identity is needed or not needed when using the first application. verification.

In a possible design, in a second possible implementation manner of the first aspect of the embodiment of the present application, when the first message is used to notify the DH that the second terminal is to select the first application, the DH determines that the user identity needs to be performed. Validation includes:

When the DH receives the first message sent by the NFCC, and the function of the first message is used to notify the DH that the second terminal is to select the first application, in this scenario, the DH may be determined according to the user identity corresponding to the first application. The identifier further determines whether user authentication is required or not, wherein the user authentication request identifier indicates that the user identity needs to be verified when the first application is used, and therefore, the DH determines that the user needs to perform the indication according to the user identity verification request identifier. User authentication.

In this possible implementation manner, since the first message does not indicate that the request DH performs the user identity verification operation, but notifies the DH second terminal that the first application is to be selected, the DH needs to determine the use of the first application by itself. Whether user authentication is required, it can be understood that the DH can obtain the user identity verification request identifier according to the registration information or the user indication information, or the user identity determined for each application according to the registration information or the user indication information. The user identification verification request identifier corresponding to the first application is obtained in the verification request identifier.

In a possible design, in a third possible implementation manner of the first aspect of the embodiments of the present application, before the DH receives the first message that is sent by the NFCC, the method further includes:

The DH configures a second routing entry to the NFCC. In this case, the user authentication request identifier corresponding to the first application indicates that the user identity needs to be verified when the first application is used, where the second routing entry includes the near field communication execution environment DH corresponding to the DH. An identifier of the NFCEE, which is used to indicate the near field communication execution environment DH-NFCEE corresponding to the DH. However, the DH-NFCEE is not the NFCEE where the first application is located. It can be understood that the DH sends a second routing item to the NFCC. In essence, the NFCC is configured with a route to DH-NFCEE.

In this possible implementation, when user authentication is required when the first application is used, and the NFCEE corresponding to the first application is not DH-NFCEE, the DH configures a route to the NFCC to point to the DH-NFCEE, so it is understandable that DH can simply point to DH-NFCEE according to the route corresponding to the first application to know that user identity verification is required when using the first application.

In a possible design, in a fourth possible implementation manner of the first aspect of the embodiment, the DH receives the first message sent by the NFCC, and specifically includes:

First, the DH receives the first message sent by the NFCC, and the first message includes a data frame sent by the second terminal, where the data frame is used to notify the DH that the second terminal selects the first application;

Secondly, after the DH learns the first application according to the first message, and determines, according to the user identity verification request identifier corresponding to the first application, that the user identity verification is required when the first application is used, it may be understood that, at this time, the first Applying a corresponding user authentication request identifier indicates that user authentication is required when the first application is used;

Finally, the DH sends a second message to the NFCC, where the second message includes a third routing entry, where the third routing entry includes an identifier of the NFCEE where the first application is located. It can be understood that the identifier indicates the first application. The NFCEE is located.

In this possible implementation, the data frame sent by the second terminal is directly forwarded as the first message, and the DH is notified. This implementation manner is simpler and more convenient, and no need to configure the first message.

In a possible design, in a fifth possible implementation manner of the first aspect of the embodiments, the method further includes:

When the communication ends, the DH reconfigures the second routing entry to the NFCC, where the second routing entry includes an identifier of the near field communication execution environment DH-NFCEE corresponding to the DH, and is used to indicate the near field communication execution corresponding to the DH. Environment DH-NFCEE;

Alternatively, the DH may reconfigure the second routing entry to the NFCC when the DH does not receive the data frame sent by the second terminal for selecting the first application again within the preset time after the end of the communication. .

In this possible implementation, the DH reconfigures the second routing entry to the NFCC, so that after the first application is used, the user can automatically restore the route to wait for the next normal use of the first application.

In a possible design, in a sixth possible implementation manner of the first aspect of the embodiment, the user identity verification request identifier may be determined by the DH according to the registration information of the first application and/or the user indication, where The registration information of the first application includes an application type of the first application and/or a requirement parameter for indicating authentication.

In this possible implementation manner, the user identity verification request identifier is determined according to the registration information of the first application and/or the user indication, and the implementation manner is strong and easy to implement.

In a possible design, in a seventh possible implementation manner of the first aspect of the embodiment, the DH performs a user identity verification operation, and specifically includes:

If the DH determines that the user identity verification success flag corresponding to the first application exists, the DH determines, according to the user identity verification success flag, that the user identity verification operation passes; or

If the DH determines that there is no user identity verification success flag corresponding to the first application, the DH receives and determines the user identity information by using the identity verification module of the first terminal to determine whether the user identity verification operation passes.

In this possible implementation, the user authentication operation performed on the DH is further refined, so that the operation becomes clearer and specific. At the same time, this possible implementation method also considers the delay caused by the user to verify the fingerprint or other forms of identity information during the user authentication process or the user's usage habits, and may require the user to leave the NFC mobile phone and verify the NFC mobile phone. After the identity is successful, it is close to the POS machine, which improves the fault tolerance rate of the solution to some extent.

In a possible design, in an eighth possible implementation manner of the first aspect of the embodiments, the user identity verification success flag is that the DH determines the user identity verification by using an identity verification module of the first terminal. The operation is saved after passing.

In this possible implementation, a possible implementation is proposed for the generation of the user identity verification success flag. This increases the achievability of the scheme.

In a possible design, in a ninth possible implementation manner of the first aspect of the embodiments, the method further includes:

When the DH does not receive the first message sent by the NFCC again within the preset time period, the DH deletes the user identity verification success flag; or, after the DH determines that the user identity verification grass passes according to the user identity verification success flag, DH deletes the user authentication request token.

In this possible implementation manner, the user identity verification success flag is deleted in time after the user authentication success flag is used, which can effectively improve the security of the user identity verification.

In a possible design, in a tenth possible implementation manner of the first aspect of the embodiments, the method further includes:

When the DH determines that user authentication is not required, the DH sends a second message to the NFCC, wherein the second message is a second command that does not allow the NFCC to route the data frame.

In this possible implementation, when the user authentication is not required, the DH directly sends the first command to instruct the NFCC to route the data frame to the NFCEE where the first application is located, thereby effectively improving the use of the first application. The processing speed increases the user experience.

In a possible design, in an eleventh possible implementation manner of the first aspect of the embodiments, the method further includes:

When the user verification operation fails, the DH may indicate the NFCC by sending a second message to the NFCC, where the second message is a second command that does not allow the NFCC to perform data routing on the data frame, to inform the NFCC not to perform data on the data frame. Routing processing; DH may not send any messages. It should be understood that when the NFCC does not receive any message within the preset time period, the NFCC does not route the data frame to the NFCEE where the first application is located.

In this possible implementation manner, when the user identity verification fails, the NFCC does not perform routing processing on the data frame, so that the security of using the first application can be effectively improved, and property loss may be prevented when the user is stolen.

In a second aspect, the embodiment of the present application provides a data processing method, where the method is used for a near field communication controller NFCC of a first terminal, where the first terminal further includes a host DH and at least one near field communication execution environment NFCEE, where Methods include:

First, the NFCC receives the data frame sent by the second terminal, and finds a matching first routing item according to the data frame, where the data frame is used to indicate that the second terminal selects the first application on the first terminal, In addition, the second terminal is a terminal that performs NFC communication with the first terminal;

Then, after the NFCC finds the first routing item, the NFCC determines whether it needs to send the first message to the DH according to the preset condition, where the first message may be used to notify the DH that the second terminal is to select the first application on the first terminal. And/or, can be used to request DH to perform a user authentication operation;

Again, if the NFCC determines that the first message needs to be sent to the DH, then the NFCC sends the first message to the DH, it being understood that the first message can be used to perform any of the above steps or perform two functions simultaneously. ;

Finally, when the NFCC receives the second message sent by the DH, the NFCC performs routing processing on the data frame according to the indication of the second message.

In a possible design, in a first possible implementation manner of the second aspect of the embodiment of the present application, the method further includes:

If the NFCC determines that the first message does not need to be sent to the DH according to the preset condition, the NFCC routes the data frame, that is, the NFCC routes the data frame to the NFCEE where the first application is located.

In this possible implementation manner, when the NFCC does not need to send the first message to the DH, the NFCC routes the data frame to the NFCEE where the first application is located, so that the routing and forwarding processing speed can be effectively improved.

In a possible design, in a second possible implementation manner of the second aspect of the embodiment of the present application, before the NFCC finds the matched first routing item after receiving the data frame sent by the second terminal, the method further includes: :

The NFCC receives the first routing entry of the DH configuration, where the first routing entry includes the identifier of the first application and the first NFCEE identifier. It should be noted that the first NFCEE identifier may be the identifier of the NFCEE where the first application is located, and The identification of the environment DH-NFCEE may be performed for the near field communication corresponding to the DH.

In a possible implementation manner, before the NFCC finds the matched first routing item after receiving the data frame sent by the second terminal, the NFCC receives the first routing item including the first NFCEE identifier configured by the DH, so that the NFCC can be based in advance. The first routing entry knows the NFCEE information, which NFCEE information should be routed to the data frame.

In a possible design, in a third possible implementation manner of the second aspect of the embodiment of the present application, if the first NFCEE identifier is an identifier of the NFCEE where the first application is located, the first routing entry is further The user authentication request identifier is included; the NFCC determines whether to send the first message to the DH according to the preset condition, including:

The NFCC determines, according to the user identity verification request identifier in the first routing item, whether to send the first message to the DH, and specifically, if the user identity verification request identifier indicates that the user identity needs to be verified when using the first application, The NFCC determines that the first message is to be sent to the DH; similarly, if the user identity verification request indicates that the user identity is not required to be used when the first application is used, the NFCC determines not to send the first message to the DH.

In this possible implementation manner, the NFCC judges according to the user identity verification request identifier in the first routing item, and can effectively determine that the first message needs to be sent to the DH or does not need to send the first message to the DH.

In a possible design, in a fourth possible implementation manner of the second aspect of the embodiment, the NFCC determines, according to the preset condition, whether to send the first message to the DH, including:

Determining, by the NFCC, whether the first message needs to be sent to the DH according to the current energy status of the first terminal; or determining, by the NFCC, whether the user identity verification success token corresponding to the first application needs to be sent to the DH. The first message, the user authentication success flag is saved after the NFCC receives the message sent by the DH indicating that the user authentication operation passes.

In this possible implementation, the NFCC determines whether the current energy status or the identity verification success flag is The first message needs to be sent, so that the judgment can be accurately made and the timeliness and security of the NFC communication can be improved.

In a possible design, in a fifth possible implementation manner of the second aspect of the embodiment, the NFCC determines, according to the current energy state of the first terminal, whether the first message needs to be sent to the DH, specifically including :

First, when the current energy state of the first terminal is neither the powerless state nor the power-off state, the NFCC determines that the first message needs to be sent to the DH, and it should be understood that the power of the first terminal can maintain the NFC communication. The NFCC determines that the first message needs to be sent to the DH. Secondly, when the current energy state of the first terminal is no power or power-off state, the NFCC determines that the first message does not need to be sent to the DH, it should be understood that when When the current energy state of a terminal is no power or power-off state, the DH of the first terminal cannot be used normally, and the message sent by the NFCC cannot be received, processed, or acknowledged. Therefore, the NFCC does not send the first message at this time. .

In this possible implementation, the first message is sent to the DH when the first terminal is not powered off or not, so that waste of resources on the NFCC can be effectively avoided.

In a possible design, in a sixth possible implementation manner of the second aspect of the embodiment, the NFCC determines whether the presence or absence of the user identity verification success token corresponding to the first application needs to be sent to the DH. The first message specifically includes:

First, if there is a user authentication success flag, the NFCC determines that the first message needs to be sent to the DH. It should be understood that when there is a user identity verification success flag, it indicates that there is a record of successful user identity verification, and no need to verify again; If there is a user authentication success token, then the NFCC determines that the first message does not need to be sent to the DH. It should be understood that when there is no user authentication success token, it indicates that there is no record of successful user authentication, and authentication is required; It should be noted that the user authentication success flag is marked as a token when the user authentication is passed.

In this possible implementation, the first message is sent or not by the user identity success flag, so that when there is a user identity verification success flag, the processing speed can be improved, and the first application can be solved. The delay problem brought by the time increases the fault tolerance rate of the program.

In a possible design, in a seventh possible implementation manner of the second aspect of the embodiment, the NFCC performs routing processing on the data frame according to the second message, specifically:

First, when the second message is the first command, the NFCC routes the data frame sent by the second terminal to the NFCEE where the first application is located, where the first command is to allow the NFCC to perform data routing to the data frame to the first The NFCEE where the application is located, and the first command is sent when the DH performs the user authentication operation and the result is passed;

Secondly, when the second message is the second command, the NFCC does not route the data frame sent by the second terminal to the NFCEE where the first application is located, where the second command indicates that the NFCC is not allowed to perform data routing to the data frame. The command of the NFCEE where the application is located, and is sent by DH when the user authentication operation is performed to get a failed result.

In this possible implementation, the first command or the second command in the second message is used to determine whether the NFCC needs to or need to route the data frame sent by the second terminal to the NFCEE where the first application is located, so that The NFCC is effectively prevented from making an error in data routing processing of the above data frame according to the second message.

In a possible design, in an eighth possible implementation manner of the second aspect of the embodiment of the present application, when the first NFCEE identifier in the first routing item is the identifier of the DH-NFCEE, the NFCC sends the first to the DH. A message, including:

The NFCC sends a first message to the DH, where the first message includes a data frame that is sent by the second terminal and is used to select the first application in the first terminal.

At this time, the NFCC performs routing processing on the data frame according to the second message, and specifically includes:

If the second message is a route configuration command, and the route configuration command includes the foregoing second routing item, the NFCC routes the data frame sent by the second terminal to the NFCEE where the first application is located, where the second message is The DH is sent after the user authentication operation is passed, or is sent after determining that the first application is used without verifying the identity of the user.

In this possible implementation manner, only the corresponding routing configuration command needs to be sent on the routing of the data frame by the NFCC, which is simple, convenient, and implementable.

In a possible design, in a ninth possible implementation manner of the second aspect of the embodiment of the present application, the NFCC performs routing processing on the data frame, specifically:

The NFCC directly forwards the data frame sent by the second terminal for selecting the first application of the first terminal to the NFCEE where the first application is located.

In this possible implementation, the NFCC directly routes the data frame to the NFCEE where the first application is located, so that the data frame can be correspondingly operated.

In a possible design, in a tenth possible implementation manner of the second aspect of the embodiments, the method further includes:

When the NFCC does not receive any message sent by the DH within a preset period of time, the NFCC terminates the communication.

In this possible implementation manner, the NFCC does not receive any message sent by the DH within a preset time period, and the NFCC may choose to terminate the communication, so that the first application may be prevented from being stolen to some extent.

In a possible design, in an eleventh possible implementation manner of the second aspect of the embodiment of the present application, the NFCC, after receiving the data frame sent by the second terminal, finds the matching first routing item, and specifically includes:

First, the NFCC receives the data frame sent by the second terminal, and secondly, the NFCC finds a first routing item that matches the first application in the data frame according to the corresponding routing manner, where a possible routing manner may be It is based on the routing method of the application identification AID. Of course, the current selection mode of the route may also be other types of routing methods, such as a routing mode based on the application protocol data unit mode APDU Pattern, a routing method based on the system number SC, a protocol-based routing method, or a technology-based routing method. Correspondingly, the identifier of the first application included in the data frame for selecting the first application is the APDU Pattern, SC, protocol or technology related to the first application.

In this possible implementation manner, the AID-based routing method can be used to find the first routing item that matches it more effectively, and the implementation is more general and applicable.

In a third aspect, the embodiment of the present application provides a policy entity, where the policy entity has the function of implementing the first terminal in the first aspect of the foregoing method embodiment. This function can be implemented in hardware or in hardware by executing the corresponding software. The hardware or software includes one or more modules corresponding to the functions described above.

In a fourth aspect, an embodiment of the present application provides a policy entity, including: a processor, a memory, a bus, and a communication interface; the memory is configured to store a computer execution instruction, and the processor is connected to the memory through the bus, when the policy entity In operation, the processor executes the computer-executed instructions stored in the memory to enable the policy entity to execute as The data processing method of any of the above aspects.

In a fifth aspect, the embodiment of the present application provides a computer readable storage medium, configured to store computer software instructions used by the policy entity, when executed on a computer, to enable the computer to perform any one of the foregoing first aspects. Data processing method.

In a sixth aspect, an embodiment of the present application provides a computer program product comprising instructions, which when executed on a computer, cause the computer to perform the data processing method of any of the above first aspects.

In addition, the technical effects brought by any one of the third aspect to the sixth aspect can be referred to the technical effects brought by different design modes in the first aspect, and details are not described herein again.

In a seventh aspect, the embodiment of the present application provides a policy entity, where the policy entity has the function of implementing the first terminal in the second aspect of the foregoing method embodiment. This function can be implemented in hardware or in hardware by executing the corresponding software. The hardware or software includes one or more modules corresponding to the functions described above.

In an eighth aspect, an embodiment of the present application provides a policy entity, including: a processor, a memory, a bus, and a communication interface; the memory is configured to store a computer execution instruction, and the processor is connected to the memory through the bus, when the policy entity In operation, the processor executes the computer-executed instructions stored in the memory to cause the policy entity to perform the data processing method of any of the second aspects above.

In a ninth aspect, the embodiment of the present application provides a computer readable storage medium, configured to store computer software instructions used by the policy entity, when executed on a computer, to enable the computer to perform any one of the foregoing second aspects. The data processing method of the item.

In a tenth aspect, the embodiment of the present application provides a computer program product comprising instructions, which when executed on a computer, enable the computer to perform the data processing method of any of the above second aspects.

In addition, the technical effects brought by the design mode of any one of the seventh aspect to the tenth aspect can be referred to the technical effects brought by different design modes in the second aspect, and details are not described herein again.

DRAWINGS

1 is a schematic diagram of a system for processing data in an embodiment of the present application;

2 is a schematic diagram of an embodiment of a data processing method in an embodiment of the present application;

3 is a schematic diagram of another embodiment of a data processing method according to an embodiment of the present application;

4 is a schematic diagram of another embodiment of a data processing method according to an embodiment of the present application;

FIG. 5 is a schematic diagram of another embodiment of a data processing method according to an embodiment of the present application; FIG.

FIG. 6 is a schematic diagram of another embodiment of a data processing method according to an embodiment of the present application; FIG.

FIG. 7 is a schematic diagram of an embodiment of a host DH according to an embodiment of the present application;

FIG. 8 is a schematic diagram of another embodiment of a host DH according to an embodiment of the present application;

FIG. 9 is a schematic diagram of an embodiment of a near field communication controller NFCC according to an embodiment of the present application; FIG.

FIG. 10 is a schematic diagram of another embodiment of a near field communication controller NFCC according to an embodiment of the present application; FIG.

FIG. 11 is a schematic diagram of another embodiment of a host DH according to an embodiment of the present application.

detailed description

The terms "first", "second", "third", "fourth", etc. (if present) in the specification and claims of the present application and the above figures are used to distinguish similar objects without having to use To describe a specific order or order. It is to be understood that the data so used may be interchanged where appropriate so that the embodiments described herein can be implemented in a sequence other than what is illustrated or described herein. In addition, the terms "comprises" and "comprises" and "the" and "the" are intended to cover a non-exclusive inclusion, for example, a process, method, system, product, or device that comprises a series of steps or units is not necessarily limited to Those steps or units may include other steps or units not explicitly listed or inherent to such processes, methods, products or devices.

NFC technology is a short-range wireless connection technology based on RFID. It uses magnetic field induction to realize NFC equipment communication at close range. Users only need to touch or touch the equipment to exchange information and conduct transactions safely and quickly. The NFC operates at a frequency of 13.56 MHz with an effective communication range of 0-20 cm and a typical value of 4 cm.

Specifically, the working mode of the NFC device can be divided into three types: one, peer-to-peer mode (P2P), which is specifically applied to business card sharing, web page sharing, NFC pairing Bluetooth/WIFI, and the like; Card Emulation (CE), which is specifically used for mobile payment or authentication scenarios such as bank cards, transportation cards, membership cards, coupons, ID cards, etc. 3. Reader/Writer, R /W), this mode is specifically used for mobile payment or authentication scenarios such as bank card POS machines, bus card POS machines, and tag read/write scenarios.

As shown in FIG. 1 , the first terminal and the second terminal are both NFC devices, where the first terminal and the second terminal are mutually peer devices. The NFC device includes a host DH, a near field communication controller NFC, and at least one near field communication execution environment NFCEE, as follows:

The DH is responsible for the management of the first terminal, including the management of the NFCC, and may specifically be NFCC initialization, NFCC configuration, and the like. DH is a term used in the NFC Forum Interface (NCI) specification developed by the NFC Forum to correspond to the Host Controller Interface (Host Controller) developed by the European Telecommunication Standards Institute (ETSI). The Terminal Host in the Interface (HCI) specification; in addition, the Management Entity (ME) in the specification developed by the Global Platform (GP) can also be implemented on the Terminal Host. DH is called Management Host (MH). The NFC device is an NFC-enabled device, which can be a smart phone, an NFC Bluetooth stereo, an NFC-enabled notebook, an NFC digital camera, and an NFC TV. If the NFC device is a smart phone, the DH can be a CPU in the smart phone, which can be understood. The operating system of the smartphone described below (OS, Operating Stytem, such as Android OS, iOS, etc.).

The NFCC is responsible for physical transmission of data through the RF RF interface and the antenna to enable the first terminal to communicate with the second terminal. NFCC is a term used in the NCI specification developed by the NFC Forum. It can correspond to the Contactless Front-end (CLF) in the HCI specification developed by ETSI. At this time, the Host Controller of HCI should be implemented. On the NFCC.

NFCEE is an entity that provides a secure execution environment for NFC applications on the first terminal, such as bank card, bus card and other card emulation applications. NFCEE is a term used in the NCI specification developed by the NFC Forum. It can correspond to the Universal Integrated Circuit Card (UICC) embedded in the HCI specification developed by ETSI. Embedded Secure Element (eSE), Secure Digital Memory Card (SD card), etc.; can also correspond to the Secure Element (SE) in the specification of the GP, or the card simulation environment ( Card Emulation Environment, CEE). One of the special NFCEEs is DH-NFCEE, which is directly connected to DH or NFCEE in DH. That is, the physical carrier of the NFCEE or SE may be an eSE, a UICC, an SD card, or the like. In addition, the NFC application on the first terminal may also be a peer-to-peer application such as a business card sharing, and a card reader application such as a bank POS or a bus POS, and the user may be on the first terminal in some manner (such as a mobile application market). Download and install these NFC applications. Of course, these applications can also be preset to the eSE of the phone when the phone is shipped from the factory or preset to the UICC when the UICC card is shipped.

The above DH and NFCC can communicate through the interface defined by the NCI protocol; the NFCC and the NFCEE can communicate through the interface defined by the HCI protocol (the upper layer is the HCI protocol, and the bottom layer can be the single-line protocol SWP), of course, other interfaces can also be used. Communication (such as eSE and NFCC can communicate through NFC Wired Interface (NFC-WI)); DH and NFCEE can also communicate through the interface defined by HCI protocol.

The Radio Protocol (RF Protocol) is a protocol used when an NFC device's NFCC communicates with a peer NFC device. RF Technology is a collection of transmission parameters used to transmit data between two NFC devices, such as RF carrier, communication mode, bit rate, modulation mode, bit coding, frame format, protocol, and command set. Wait. At present, the NFC standard mainly includes four RF technologies: NFC-A, NFC-B, NFC-F, and NFC-V, and each technology corresponds to a set of transmission parameters defined by a standard for completing communication.

The RF Discovery Porcess defined by the NCI protocol allows the NFCC to detect whether the NFC device exists at the peer end and respond to the device detection performed by the peer NFC device. At the same time, the defined RF Communication Configuration allows The DH configures some parameters required by the NFCC to perform the radio frequency discovery process to the NFCC, such as each RF technology, the poll mode parameter and the listen mode parameter corresponding to the RF protocol, the RF discovery frequency, the RF technology and mode, The RF interface activates the required mapping table (such as the protocol-interface mapping table) and the routing table required for data routing (such as the listening mode routing table), and the forced NFCEE routing mechanism ForcedNFCEE routing. For details, see the NCI protocol. Corresponding content.

Specifically, in the RF discovery process, the NFC device responds to the technical test or the device detection related command sent by the peer NFC device, and notifies the peer end of the RF protocol supported by the locally activated application, thereby making the opposite NFC device The RF protocol is selected for the activation of the protocol according to the service requirements. Alternatively, the NFC device sends a technical detection or device detection-related command to the peer NFC device, and selects the RF protocol to perform the protocol according to the service requirements after collecting the RF protocol supported by the peer NFC device. activation. Generally, after the RF protocol is activated, the two NFC devices are based on an application supporting the RF protocol (the application may be selected by a NFC device by selecting an application command such as SELECT AID or SELECT PPSE, or may be activated in the RF protocol). The interactive service data is determined by the service data directly sent based on the RF protocol to complete the communication.

In order to facilitate the understanding of the data processing method in the embodiments of the present application, the following embodiments will be described in detail. It should be noted that the first terminal is an NFC mobile phone with an NFC communication function, and the second terminal is a POS device. The NFC mobile phone includes a DH, an NFCC, and at least one NFCEE. NFCEE is described as an example, specifically:

In the first embodiment, the DH determines the user identity verification requirement corresponding to each application by using a routing item (such as an AID-based routing entry defined by the NCI protocol) according to the requirement of the user authentication. Configured to the NFCC, so that the NFCC receives the data frame sent by the peer NFC device (such as a POS machine) (such as the command SELECT AID or SELECT PPSE for selecting the application, or the service data sent based on the currently activated RF protocol) User authentication requirements in the routing entries corresponding to the application to be used (ie, the application selected by the peer NFC device, or the application determined according to the activated RF protocol between the two NFC devices) The identifier determines whether user authentication is required, and if necessary, sends a message to DH to request DH to authenticate the user, otherwise it does not send.

The routing entry may also be other types of routing entries defined by the routing table defined by the NCI protocol, such as an APDU Pattern-based routing entry based on the application protocol data unit pattern (APDU Pattern-based routing entry), and a system-based routing entry. (System Code-based routing entry), protocol-based routing entry, technology-based routing entry, or NCI protocol definition configured by mandatory NFCEE routing mechanism. Routing item.

Referring to FIG. 2, an embodiment of a data processing method in an embodiment of the present application includes:

201. The DH records an identifier of each application (such as an application identifier AID) and a corresponding user identity verification request.

In this embodiment, each application can be understood as a card application, such as a bank card issued by a bank, a bus card issued by a transportation company, a prepaid card issued by a merchant, a membership card, and the like. These card applications can be separate applications, that is, they are understood as card applications that users download separately from the application market, such as a Host-based Card Emulation (HCE) cloud card introduced by a bank; or they can exist in a wallet application. Among the sub-applications managed by the wallet application, such as a bank card, a bus card, etc. in a mobile wallet developed by a mobile phone manufacturer such as Huawei wallet huawei pay, apple wallet apple pay, and the like. It should also be noted that these card applications can be downloaded to NFCEE with physical carriers such as eSE and UICC, and of course DH-NFCEE is not excluded. The NFC mobile phone may include at least one NFCEE, and at least one card application may be installed on each NFCEE. According to the current NCI standard, multiple card applications on the same NFCEE, or multiple card applications on different NFCEEs may be activated simultaneously.

In this embodiment, the identifier of an application may be an application identifier defined by an application developer (AID, which may be registered with the system OS when each card application is downloaded to the mobile phone), or other identifiers. Information about an application (such as an identification message associated with its AID set by the mobile phone after the card application is downloaded to the mobile phone), and the user authentication requirement of an application indicates whether the user identity is required to use the application. Verification, that is, whether the legality of the user's identity is required to be verified. Generally, on a smart electronic device such as a mobile phone, it is possible to verify whether the current user operating the mobile phone is a legitimate user of the mobile phone by entering a password or a biometric identification method such as fingerprint recognition.

In this embodiment, the DH determines that the implementation of the user identity verification requirement corresponding to each application is multiple, and the specific implementation manner is as follows:

Possible implementation method 1 is based on the existing HCE implementation. When each card application is downloaded, the OS can register its own policy type. For example, the category type of the bank card is registered as the payment payment class, and the category type of the bus card is registered as the other other. class. Therefore, the DH can determine the user authentication requirement corresponding to each card application according to the type of the policy registered by each card application, such as determining the user identity verification requirement corresponding to the card application of the policy type as the payment type. User authentication is performed to determine that the user authentication requirement corresponding to the card application of the other type is that no user authentication is required.

Possible implementation method 2: Extend the policy type in the existing HCE implementation, such as subdividing the current payment and other types into a secure payment class (corresponding to user identity authentication), an exempt payment class, and other classes; Correspondingly, the policy type of the bank card can be registered as a secure payment class, the policy type of the bus card is registered as an exempt payment or other class, the policy type of the coupon is registered as the other class, and the like. Therefore, the DH can determine the user authentication requirement corresponding to each card application according to the type of the policy registered by each card application. For example, the user authentication request corresponding to the card application of the security type is determined to require user identity verification. It is determined that the user authentication requirement corresponding to the card application of the confidential payment or other class is that no user authentication is required, and the like.

Possible implementation method 3: The card application developer sets a dedicated registration parameter UserValidationPara for each card application, which is used to indicate whether the user authentication operation needs to be performed, and further defines the type of user authentication mode, such as fingerprint verification and password. Verification of accessories such as verification and watches/wrists. Therefore, when downloading each card application, the DH can directly determine the user identity verification request corresponding to each card application according to the dedicated parameter UserValidationPara registered for each card application.

The above possible implementations one to three, when each card application is downloaded into NFCEE, register its own application identification AID with the mobile phone system, and also register other information that can be used to determine its user authentication requirements, so that DH can The information determines the user authentication requirements corresponding to each card application. Of course, there are other implementations, as follows:

The possible implementation method 4 can also be determined according to user settings. For example, if a wallet application has multiple bank cards and multiple bus cards, the user needs to perform user identity verification when using the bank card, and is not required when using the bus card. Therefore, DH can determine the user authentication requirements corresponding to each card application according to the settings of the user for each card application.

Possible implementation method 5: When the card application is downloaded to the NFCEE, a dedicated parameter for indicating its user authentication requirement is simultaneously saved to the NFCEE, and subsequently, when the DH obtains all the card application related parameters from each NFCEE ( When it is mainly used for calculating RF parameters and completing the above-mentioned RF communication configuration, the dedicated parameters of each card application for indicating its user identity verification requirements may be acquired together, thereby determining each according to the dedicated parameters. Apply the corresponding user authentication requirements.

Optionally, the wallet application can be installed in a secure environment such as a Trusted Execution Environment (TEE), and the application AID and its user authentication requirements can be stored in a secure environment such as TEE.

It should be noted that the “user identity” described in all embodiments of the present invention may be understood as the identity of the current user of the first terminal, or, further, the first application or the first application on the first terminal. The e-wallet (such as the wallet application launched by mobile phone manufacturers such as huawei pay, apple pay, wallet applications such as ICBC mobile banking, google wallet, etc.) (that is, knowing the password or pre-email of the e-wallet) The identity of the user who has set the biometrics such as fingerprints associated with the electronic wallet. Only after the user authentication is passed, the user is allowed to use the first application to perform subsequent services with the peer NFC device (such as the card card service of the bank card, the card card service of the bus card, the recharge service, etc.). The verification of the identity of the user in the solution of the present invention is not equivalent to the verification of a card password such as a bank card as it is now, because the user identity in the solution of the present invention is locally verified by the terminal and is used to determine Whether to allow the current user to use the card application for subsequent transactions with the peer POS machine, where the card password is verified by the peer POS machine through the bank card server connected in the background (ie, the verification of the card password is one of the above-mentioned subsequent transactions) Card person verification link).

202. The DH configures, to the NFCC, a routing item that includes a user identity verification request identifier.

In this implementation, the DH configures a routing entry corresponding to the first application to the NFCC according to the user identity verification requirement corresponding to the first application, where the first application is any one of the foregoing applications, or is activated for each application. Any of at least one of the applications, wherein the meaning of "activated" applies to all embodiments of the inventive solution, and it can be understood that if a card application is activated, DH is in calculating the RF parameters. Consider the RF parameters related to the application of the card (such as RF protocol related parameters, etc.), that is, the NFCC can send the activated card application to the NFC device of the opposite end through the RF discovery process, so that the card application can be selected. For subsequent business (such as bank card credit card business, bus card card business or recharge business, etc.).

The manner in which the routing entry is configured by the DH may be any of the following:

1. Regardless of the user authentication request corresponding to the first application, a routing item including the user identity verification requirement identifier is configured for the first application. At this time, the value of the user identity verification request identifier is determined by the user identity corresponding to the first application. The verification request decision is used to indicate that user authentication is required or not required when using the first application, for example, setting a bit to indicate a user authentication request identifier, and when the bit is 1b, indicating that user authentication is required, When the bit is 0b, it means that user authentication is not required. or,

2. The routing item including the user identity verification request identifier is configured for the first application only when the user authentication request corresponding to the first application indicates that the user identity authentication is required. At this time, the user identity verification request identifier is used to indicate the usage. User authentication is required for an application. Otherwise, the configured authentication item does not include the user authentication request identifier. The implementation of the present invention is not limited.

The user identity verification request identifier corresponding to the first application is determined by the user identity verification request corresponding to the first application, and is determined according to any possible implementation manner described in step 201, that is, according to the first application. The registration information and/or the user indication (ie, the user settings described above) are determined, wherein the registration information of the first application includes an application type of the first application and/or a requirement parameter for indicating identity verification (such as the dedicated parameter described above) ).

The routing entry can be configured through the listening mode routing table defined by the NCI protocol, or configured by the mandatory NFCEE routing mechanism. For details, see the corresponding content of the NCI protocol.

Optionally, in the method for configuring the user authentication request identifier by using the routing item, a possible implementation method is: performing the type and the qualified Qualifier-Type field in the routing item defined in the NCI standard (as shown in Table 1 below). Extending, for example, the b7 bit in the extension, if b7=1, it means that when the application corresponding to the routing item is used (that is, the application is selected), user authentication is required, otherwise, the user identity is not required. verification.

Table 1

Table 2

table 3

Optionally, in the method for configuring the user authentication request identifier by using the routing item, another possible implementation method is: using an AID-based routing item defined by the NCI standard as an example, corresponding to the AID-based routing item in the foregoing Table 1. The Value field (which is described in detail in Table 4 below) is extended. For example, a parameter Identity Validation Flag is added to indicate the user authentication request identifier: if the value of the parameter is 1, it indicates the routing entry. After the application corresponding to the AID is selected, user authentication is required. Otherwise, it indicates that user authentication is not required. Of course, the DH can also configure the parameter in the value field when the user identity verification requirement corresponding to the application corresponding to the AID in the routing item is that the user identity authentication is required. Otherwise, there is no such parameter.

Table 4

In this embodiment, it should be noted that the AID-based routing item (including the AID of the first application) defined by the NCI standard is taken as an example, and other types of routing items, such as an APDU pattern, are not excluded. Routing items (including first application related reference data and mask), SC based routing items (including the first application related system coding list SC list), protocol based routing items (including the first application related) The identifier of the RF protocol, the technology-based routing item (including the identifier of the RF technology related to the first application), and the like, and the information included in each routing item may be considered as the identifier of the first application.

203. The NFC mobile phone performs an RF discovery process with the peer POS machine to activate the RF protocol required for the POS machine to perform the service.

In this embodiment, in the RF discovery process, the NFC mobile phone may send a detection command to the outside, or the peer POS machine may send a detection command to detect whether the NFC device exists at the opposite end, and when the opposite end has an NFC device, the pair Which RF protocols are supported by the NFC devices on the side.

It should be understood that the foregoing detection command may be a command related to technical detection or device detection. It should be noted that, in the NFC standard, there are mainly four kinds of RFs: NFC-A, NFC-B, NFC-F, and NFC-V. Techniques, each of which corresponds to a set of standard defined transmission parameters for completing communications, such as RF carrier, communication mode, bit rate, modulation scheme, bit coding, frame format, protocol, command set, and the like. The above-mentioned technical detection command may be a detection command of any one of the above four RF technologies.

In this embodiment, the NFC mobile phone simulates at least one card application as an example. Then, the peer POS machine should send a detection command to detect which RF protocols are supported by the NFC mobile phone side, and after the NFC mobile phone sends a detection response for the detection command, the POS machine It can be inferred which activated card applications are on the NFC mobile phone, so as to determine what data frame to send according to the business needs of the POS machine (such as banking, bus service, etc.) (for example, the command SELECT AID or SELECT PPSE for selecting the card application, or , is the business-related data).

204. The POS machine sends a data frame to the NFCC, where the data frame is an application selection command for selecting the first application.

In this embodiment, the POS device sends an application selection command to the NFCC according to the service requirement, such as the Select command defined by the ISO/IEC 7816- protocol (ie, the SELECT Command, if it includes the AID of a card application, it can be regarded as a Select AID command, Or, if it includes the AID of the Proximity Payment Systems Environment (PPSE) application (such as "2PAY.SYS.DDF01"), it can be considered as a SELECT PPSE command) to inform the NFCC peer POS machine that it will choose The first application in the NFC mobile phone (such as the application identified by the AID), the first application may include an application requiring user authentication (such as a bank card application), and may also include an application that does not require user authentication (such as a bus card application) ).

In this embodiment, it is to be noted that the application selection command is a data frame sent by the POS machine to the NFCC, and the service data sent by the POS machine to the NFCC in the subsequent data interaction phase (ie, the data related to the executed service, Such as encrypted data in a card transaction, etc.) or service data sent by the NFCC to the POS machine is also a type of data frame. In addition, the application selection command may also be a command defined by another protocol for selecting an application on the NFC mobile phone, and there is no limitation here.

205. The NFCC finds a matching routing item for the received data frame.

In this embodiment, the NFCC receives the selectAID command as an example, and the NFCC searches according to the routing table, and finds an AID-based routing item that matches the AID included in the command. Specifically, the NFCC will select the selectAID The AID in the command matches the AID contained in each AID-based routing entry in the routing table until an AID is found to match (if the two AIDs are identical, or the first X bits of the two AIDs are identical, X is the specified integer) based on the AID-based routing entry.

It should be noted that the manner in which the NFCC searches for a matching routing entry may be performed according to the listening mode routing table, that is, according to the AID-based routing item, the APDU Pattern-based routing item, the SC-based routing item, and the protocol-based routing. One or more routing entries in the item and the technology-based routing entry, and match in a certain order until a matching routing entry is found; of course, it can also be searched according to the mandatory NFCEE routing mechanism, as described in the NCI protocol. The corresponding content.

206. If the NFCC determines that the user identity verification requirement identifier in the matched routing item indicates that user identity verification is not required, the NFCC routes the data frame to the NFCEE where the first application is located.

In this embodiment, the NFCC determines whether the user identity verification request identifier in the matched routing entry found in the foregoing step 205 indicates that the user identity verification is required, and if not, the first application corresponding to the AID in the routing entry is considered to be used. User authentication is not required. If the bit corresponding to the user authentication request identifier in the routing entry is 0b, it is considered that user identity verification is not required when the first application corresponding to the AID is used. At this time, the NFCC does not need to send any message to the DH, but directly routes the data frame (ie, the application selection command), that is, forwards the application selection command to the NFCEE where the first application is located, waiting for the NFCEE to select for the application. The command returns a response.

In this embodiment, all "routing" means forwarding or sending. For example, the NFCC routes the data frame to the NFCEE where the first application is located. In the implementation, the NFCC forwards the data frame to the NFCEE where the first application is located, and then The NFCEE is forwarded to the first application for processing, so that the first application can return the message (such as the Select response) for answering the data frame to the NFCC, so that the NFCC is sent to the peer POS.

207. If the NFCC determines that the user identity verification request identifier in the matched routing item indicates that user identity verification is required, the NFCC reports the first message to the DH.

In this embodiment, the NFCC determines whether the user identity verification request identifier in the matched routing entry found in the foregoing step 205 indicates that the user identity verification is required, and if yes, the first application corresponding to the AID in the routing entry is considered to be used. User authentication is required. If the bit corresponding to the user authentication request identifier in the routing entry is 1b, it is considered that the user identity authentication is required when the first application corresponding to the AID is used. At this time, the NFCC reports the first message to the DH, where the first message is used to request the DH to perform a user identity verification operation.

Optionally, the first message includes the foregoing data frame, or the route matching result in step 205 is used to notify the DH peer POS machine to select the first application in the NFC mobile phone, where the data frame includes the application of the first application. The identifier, such as the AID, needs to be described, the application identifier of the first application may also be other identification information other than the AID that uniquely identifies the first application.

Optionally, when the NFCC reports the first message to the DH, the NFCC can report the information through the RF NFCEE Action mechanism defined by the NCI protocol (that is, the notification is reported by the RF_NFCEE_ACTION_NTF). It should be noted that, in addition to reporting through the RF NFCEE Action mechanism, a new notification of the DH may be added, such as a user authentication request notification USER_VALIDATION_REQUEST_NTF notification, for requesting DH to perform a user authentication operation, or a user identity. Verification decision notifies USER_VALIDATION_JUDGEMENT_NTF notification for request DH determines for itself whether user authentication is required, and there is no limit here.

Optionally, the RF NFCEE Action notification may be extended, that is, (a) if the user identity needs to be verified, the NFCC sends an RF NFCEE Action notification to the DH, where the first indication information is included to indicate that the user identity verification is required; Alternatively, (b) if it is not necessary to verify the identity of the user, the NFCC sends an NFCEE Action notification to the DH, including second indication information indicating that no user authentication is required. The first indication information and the second indication information may be respectively represented by two parameters in the notification, for example, the first parameter indicates that user identity verification is required, and the second parameter indicates that user identity verification is not required; or, the first The two indication information may also be represented by the same parameter when two values are respectively taken. For example, the value of the third parameter indicates that user identity authentication is required, and when it is 0, it indicates that it is not required. Of course, in addition to the first parameter and the second parameter, or the third parameter, the RF NFCEE Action notification may also include information related to the matching routing item, such as an AID, an NFCEE identifier, etc., for details, refer to the corresponding content of the NCI protocol.

Optionally, the NFCC determines whether the first message needs to be sent to the DH according to the current energy state of the NFC mobile phone, where the NFCC determines that the NFC mobile phone does not need to send the first message to the DH when the current energy state of the NFC mobile phone is no power or shutdown state. A message; when the current energy state of the NFC handset is neither power nor shutdown, the NFCC determines that the first message needs to be sent to the DH. The current energy state may include an unpowered state, a power-off state, a bright screen and a locked state, a bright screen and an unlocked state, a screen-off state, a locked state, a screen-off state, and an unlocked state. For details, refer to the corresponding content of the NCI protocol. This design is considered, in the implementation, the routing items corresponding to the security-critical applications (such as bank cards) can be set to be unavailable in the no-power and/or shutdown state (for example, the corresponding energy state field) The bit of no power and/or power-off state is set to 0b), so that if there is no power and/or power-off state, the NFCC cannot route the data frame to these cards even if it finds a matching routing item for the received data frame. The NFCEE where the application is located is then forwarded to these card applications for processing, so as to avoid the consumption of these cards for consumption in the absence of power and/or shutdown. Therefore, in the no-power and/or power-off state, the NFCC no longer needs to send the first message to the DH to avoid waste of resources (because even if it is sent, the processing and response of the DH are not obtained).

208. The DH performs a user identity verification operation.

In this embodiment, the DH can directly perform the user identity verification operation after receiving the first message.

Optionally, the DH may further perform a user identity verification operation after determining that the user identity is required to use the first application according to the user identity verification requirement corresponding to the first application.

Optionally, the DH performs the user identity verification operation, specifically, the DH invokes the user identity verification module to perform user identity verification, where the user identity verification module may be a fingerprint module, that is, the user identity is verified by verifying the user fingerprint, and of course, Other authentication methods, such as P1N authentication, iris, and other biometric verification, wearable device verification (ie, verifying the presence or absence of a particular wearable device connected to the terminal via a wireless technology (such as Bluetooth)) There are no restrictions here.

209. If the user identity verification operation fails, the DH indicates that the NFCC does not route the data frame to the NFCEE where the first application is located.

In this embodiment, when DH performs user identity verification and fails verification, DH indicates that the NFCC does not route the data frame to the NFCEE where the first application is located. Among them, the specific instructions are as follows:

In one possible indication, the DH sends a second message to the NFCEE, the second message being NFCC not allowed. Routing the data frame to the second command of the NFCEE where the first application is located.

In another possible indication manner, when the DH performs user authentication and does not pass the verification, the DH does not send any message to the NFCC. It should be understood that the NFCC does not receive the preset time period after reporting the first message. When any indication message is received, then the NFCC can know that the DH indicates that it does not route the data frame to the NFCEE where the first application is located.

If the NFCC does not route the data frame to the NFCEE where the first application is located, the NFCC cannot send a response message to the POS machine at the opposite end. Therefore, the POS machine terminates when it does not receive any response message within the preset time (that is, the response timeout condition). This communication.

Optionally, when the DH performs user identity verification and fails to pass the verification, the DH may also terminate the communication, such as sending an RF protocol deactivation command defined by the NCI protocol or other commands that may terminate the communication to the NFCC.

In this embodiment, it is required that the user identity verification fails, which may be specifically: if the user identity verification fails within the preset identity verification time period or within the preset identity verification times, the DH determines the user identity verification. Failed (ie allows the user to perform multiple verifications within a preset time).

210. If the user authentication operation passes, the DH sends a second message to the NFCC.

In this embodiment, when the result of the user identity verification operation is passed, the DH sends a second message to the NFCC, where the second message is a first command for allowing the NFCC to route the data frame to the NFCEE where the first application is located, the data. The frame is sent by the POS to the NFCC to indicate that the message of the first application is to be selected (ie, the application selection command described above).

It should be noted that the content included in the first command may be information related to user identity verification (ie, the result of performing a user identity verification operation is passed), and/or information indicating that the NFCC is allowed to perform data routing. In summary, after receiving the first command, the NFCC can only determine according to the content that the DH allows the NFCC to route the data frame to the NFCEE where the first application is located.

211. The NFCC routes the data frame to the NFCEE where the first application is located.

In this embodiment, when the NFCC receives the second message sent by the DH, the NFCC routes the data frame to the NFCEE where the first application is located.

Optionally, a pair of command responses may be added in the NCI standard as the second message, which is used to instruct the NFCC to route the data frame to the NFCEE where the first application is located. For example, DH sends a command RF_ROUTE_PERMISSION_CMD to the NFCC, including the route permission identifier RoutingFlag parameter. When the parameter value is 1, it indicates that the NFCC is allowed to perform data routing, and when it is other values, it may indicate that it is not allowed. After receiving the CMD, the NFCC may respond to the DH response RF_ROUTE_PERMISSION_RSP and start forwarding the previously received data frame (such as the above application selection command) to the NFCEE where the first application is located (of course, the subsequently received service data is also directly forwarded. To the NFCEE where the first application is located).

In this embodiment, the routing entry including the user identity verification request identifier is configured to the NFCC by using the DH for the first application, so that the NFCC can directly according to the route after receiving the data frame sent by the peer NFC device for selecting the first application. The user authentication requirement in the item determines whether the user authentication is required when using the first application, and only requests the DH to perform user authentication when the user authentication is required, and then routes the data frame after determining that the verification has passed. To the NFCEE where the first application is located, and directly route the data frame to the NFCEE where the first application is located when user authentication is not required. In this way, according to the different security and convenience requirements of different card applications, the most suitable first application processing method is adopted, and a unified solution is developed, which can realize simpler implementation and lower development cost. The cycle is shorter, etc., wherein for the card application that needs to perform user identity verification, the security requirement is higher than the convenience requirement, and for the card application that does not need the user identity verification, the convenience requirement is higher than the security requirement; In the embodiment of the present application, the user identity verification can be performed on the card application with the security requirement higher than the convenience requirement, and the card application with the convenience requirement higher than the security requirement can realize the function of fast payment, and the frontage can be avoided. The problem that affects the user experience or complicates user operations.

In the above embodiment, in the scenario of one-time card swiping (that is, the NFC mobile phone is close to the POS machine once, if the user identity needs to be verified, the user identity verification operation such as fingerprint identification is completed in the closeness), the implementation method of using the first application to complete the payment is implemented. After detailed description, it should be understood that it may be considered that after a card is swiped, there may be a situation in which the card cannot be successfully swiped, or the usage habit of the user in the implementation of the authentication (such as direct fingerprinting in the process of being close to the POS machine, or temporarily leaving the POS) After the machine picks up the phone and then checks the fingerprint, etc.), or the delay that may occur in the user authentication in one swipe, it may need to be swiped again near the POS machine. Therefore, the following will be applied from the scene of the two swipes. The embodiment is described in detail.

Embodiment 2, referring to FIG. 3, another embodiment of the data processing method in the embodiment of the present application includes:

301, DH records the AID of each application and its corresponding user authentication requirements.

302. The DH configures, to the NFCC, a routing item that includes a user identity verification request identifier.

303. The NFC mobile phone and the peer POS perform an RF discovery process to activate the RF protocol required by the POS to perform the service.

304. The POS machine sends a data frame to the NFCC, where the data frame is an application selection command for selecting the first application.

305. The NFCC finds a matching routing item for the received data frame.

306. If the NFCC determines that the user authentication request identifier in the matched routing item indicates that user authentication is not required, the NFCC routes the data frame to the NFCEE where the first application is located.

307. If the NFCC determines that the user identity verification request identifier in the matched routing entry indicates that user identity authentication is required, the NFCC reports the first message to the DH.

In this embodiment, the steps 301 to 307 are similar to the steps 201 to 207 in the first embodiment, and details are not described herein again.

308. If the user identity verification success token corresponding to the first application does not exist, the DH performs a user identity verification operation.

In this embodiment, in step 208 of the embodiment, the DH may directly verify the identity of the user after receiving the first message, or may determine that the user needs to be used when using the first application according to the user identity verification requirement corresponding to the first application. Authenticate the user after authentication. Then, the DH specifically determines the identity of the user, and may determine whether the user identity verification success token corresponding to the first application is saved locally. If not, the DH does not perform the user identity verification operation for the first application before, or The user authentication operation performed before the DH for the first application is not successful, that is, at this time, the DH needs to perform the user authentication identity operation.

In this embodiment, when the NFCC determines to use the first application, the user identity verification is required, and the first message is reported to the DH to indicate that the DH is required to perform the user identity verification operation, and if the DH determines that the user identity corresponding to the first application does not exist, To verify the success token, DH performs a user authentication operation. The DH performs the user identity verification operation, and specifically may call the fingerprint module for the DH, that is, verify the user identity by verifying the user fingerprint, and in addition to the fingerprint verification, for other authentication methods that may generate delay (such as P1N verification, iris verification, etc.) The same applies to this embodiment, This is not limited here.

Optionally, if the user authentication operation fails, the DH indicates that the NFCC does not route the data frame to the NFCEE where the first application is located, and the specific implementation manner is similar to the step 209 in the foregoing Embodiment 1. Narration.

Optionally, when the user authentication operation is passed, the DH sends a second message to the NFCC, to allow the NFCC to route the data frame to the NFCEE where the first application is located, and the specific implementation is the same as step 210 in the first embodiment. Similar, this will not be repeated here.

In this embodiment, when the user identity verification operation is passed, the corresponding user identity verification success flag may be set and saved for the first application, so that when the NFC mobile phone approaches the POS device again, the DH receives the NFCC transmission again. After the message, the user authentication success token can be directly used for judgment, as in step 309 below. Because this is because the user may need to leave the POS and then re-close when verifying the fingerprint, or the time required for user authentication may be greater than the maximum delay handled by the POS, etc., it is designed for the completion of this transaction for two credit cards. Implementation plan. In addition, the user identity verification success flag in this step is deleted after being used once, that is, when it is determined in the following step 309 that the user identity verification success flag exists, it is determined that the user identity verification is successful, and then the user identity is deleted. Verify the success flag to prevent the risk of property damage from being stolen when the NFC phone is stolen without being deleted.

309. If there is a user identity verification success flag corresponding to the first application, the DH sends a second message to the NFCC.

In this embodiment, in step 208 of the embodiment, the DH may directly verify the identity of the user after receiving the first message, or may determine that the user needs to be used when using the first application according to the user identity verification requirement corresponding to the first application. Authenticate the user after authentication. Then, the DH specifically determines the identity of the user, and may determine whether the user identity verification success token corresponding to the first application is saved locally. If yes, it is considered that the user authentication operation is performed for the first application before the DH, and the verification succeeds, that is, That is to say, at this time, DH no longer needs to perform user authentication identity operation, and can directly send a second message to the NFCC. It should be noted that the user identity verification success flag may be set and saved after the user authentication operation succeeds after the DH receives the first message sent by the NFCC when the DH is last close to the POS machine.

In this embodiment, when the NFCC determines to use the first application, the user identity verification is required, and the first message is reported to the DH to indicate that the DH is required to perform the user identity verification operation, and if the DH determines that the user identity corresponding to the first application exists, Upon successful marking, the DH determines that the user authentication operation passes, sending a second message to the NFCC, the second message being the first command to allow the NFCC to route the data frame to the NFCEE where the first application is located.

Of course, in this embodiment, the user identity verification success flag may be deleted after the user identity verification success flag is used to determine that the user identity verification operation does not need to be performed again (ie, after the user identity verification success flag is used once). This can avoid the case that the DCH is directly used by the DH to judge the success of the verification (ie, it is not required to verify the identity of the current user (ie, the pirate) because the NFC mobile phone is stolen when the NFC mobile phone is stolen. Risk of property damage such as stolen brush.

It should be noted that, in this embodiment, after saving the user identity verification success flag corresponding to the first application, the DH may also receive the NFCC transmission according to the preset time (which may be set by the user or the system). The first message (essentially, the NFCC receives the data frame sent by the POS machine) to determine whether to delete the success flag, and if the first message is not received within the preset time, the success flag is deleted, otherwise continue save.

310. The NFCC routes the data frame to the NFCEE where the first application is located according to the second message.

In this embodiment, the step is similar to the step 211 in the first embodiment, and details are not described herein again.

In this embodiment, the delay problem caused by the user to verify the fingerprint or other forms of identity information during the user identity verification process or the user usage habit is considered, and the user may need to leave the POS machine and verify the identity is successful. The POS machine has improved the fault tolerance of the solution to some extent.

In addition, for the two card swipe scenarios of the second embodiment, there is another achievable manner, that is, when the first swipe card (ie, the NFC mobile phone is close to the POS machine), the DH receives the first message sent by the NFCC and executes the first message. User authentication operation, and when the user authentication operation is passed, the user authentication success token set for the first application is sent to the NFCC, so that the NFCC saves the user authentication success token; in the second credit card (ie, the NFC mobile phone) When (close to the POS machine) (the preset time), the NFCC receives the POS machine (that is, the POS machine that is close to the first time when the card is swiped. At this time, there may be a POS machine that is close to the first card when judging the second card swipe. Whether the POS machine that is close to the time is judged by the same NFC device, for example, it can be judged by the terminal identification information of the NFC device, etc., and is not limited herein. After the user who sends the data selects the data frame of the first application, it can directly determine whether the local area is The user authentication success flag corresponding to the first application is saved, and if yes, the first message is not sent to the DH, but the routing of the data frame can be directly performed; otherwise, the first message is sent to the DH.At this time, the manner of saving or deleting the user identity verification success flag corresponding to the first application on the NFCC side is similar to the manner of saving or deleting the user identity verification success flag on the DH side, and details are not described herein again.

In the first embodiment and the second embodiment, the embodiment of the present application is described in terms of determining whether the user authentication is required by the NFCC. The following is a description of whether the DH needs to perform user identity verification.

For a third embodiment, a description is made from the perspective of the DH to determine whether the user authentication is required. Referring to FIG. 4, another embodiment of the data processing method in the embodiment of the present application includes:

401. DH records the AID of each application and its corresponding user authentication requirements.

In this embodiment, the step is similar to step 201 in the first embodiment, and details are not described herein again.

Different from the first embodiment, the DH sets a corresponding user identity verification request identifier for each application according to the user identity verification requirement corresponding to each application, and saves, for example, the association between the application AID and its corresponding user identity verification request identifier. The relationship table is saved.

402. The DH configures a routing entry to the NFCC.

In this embodiment, the DH configures a routing entry for the first application to the NFCC. Similar to step 202 in the first embodiment, the first application may be any one of the applications installed on the DH, or Any one of the at least one application that has been activated in the application; the routing item may be an AID-based routing item, or may be other types of routing items, and details are not described herein again. Similarly, the DH can configure a routing entry to the NFCC through the listening mode routing table. For example, the routing table includes an AID-based routing entry corresponding to the first application. It should be noted that, the routing item corresponding to the first application does not include information indicating whether user identity verification is required when the first application is used, such as the user identity verification request identifier in the first embodiment.

403. The NFC mobile phone and the peer POS perform an RF discovery process to activate the RF protocol required by the POS to perform the service.

404. The POS machine sends a data frame to the NFCC, where the data frame is an application selection command for selecting the first application.

405. The NFCC finds a matching routing item for the received data frame.

In this embodiment, the steps 403 to 405 are similar to the steps 203 to 205 in the foregoing embodiment, and details are not described herein again.

406. The NFCC sends a first message to the DH.

In this embodiment, the NFCC sends a first message to the DH, where the first message is used to notify the DH peer POS machine to select the first application in the NFC mobile phone.

Optionally, after receiving the application selection command (such as the SelectAID command) sent by the POS machine, and finding the matching routing item (such as the AID-based routing item matching the AID in the command), the NFCC passes the RF NFCEE. The action mechanism reports the route to the DH, including the AID, the NFCEE identifier, and the like, and the NFCEE identifier is a unique identifier indicating the NFCEE where the first application is located.

Optionally, the NFCC sends a first message including the foregoing data frame to the DH, where the data frame is used to notify the DH peer POS machine to select the first application in the NFC mobile phone, and the first message is used in addition to the foregoing data. In addition to the notification of the frame, the DH peer POS machine can be directly notified to select the first application in the NFC mobile phone, which is not limited herein.

Optionally, when the NFCC reports the first message to the DH, the NFCC can report the information through the RFNFCEEAction mechanism. It should be noted that, in addition to reporting through the RF NFCEE Action mechanism, a new notification of the DH may be added, such as the user identity verification notification USER_VALIDATION_JUDGEMENT_NTF, for requesting the DH to determine whether the user authentication is required. There is no limitation here, in which the RF NFCEE Action mechanism reports the RF_NFCEE_ACTION_NTF notification.

Optionally, the NFCC determines whether the first message needs to be sent to the DH according to the current energy state of the NFC mobile phone, where the NFCC determines that the NFC mobile phone does not need to send the first message to the DH when the current energy state of the NFC mobile phone is no power or shutdown state. A message; when the current energy state of the NFC handset is neither power nor shutdown, the NFCC determines that the first message needs to be sent to the DH. The current energy state may include an unpowered state, a power-off state, a bright screen and a locked state, a bright screen and an unlocked state, a screen-off state, a locked state, a screen-off state, and an unlocked state. For details, refer to the corresponding content of the NCI protocol. This design is considered, in the implementation, the routing items corresponding to the security-critical applications (such as bank cards) can be set to be unavailable in the no-power and/or shutdown state (for example, the corresponding energy state field) The no-power and/off-off status bits are set to 0b), so that in the absence of power and/or shutdown, the NFCC cannot route the data frame to these card applications even if it finds a matching routing item for the received data frame. The NFCEE is then forwarded to these card applications for processing, which avoids the consumption of these cards for consumption in the event of no power and/or shutdown. Therefore, in the no-power and/or power-off state, the NFCC no longer needs to send the first message to the DH to avoid waste of resources (because even if it is sent, the processing and response of the DH are not obtained).

407. If the DH determines that the user identity verification request identifier corresponding to the first application indicates that user identity verification is not required, the DH instructs the NFCC to route the data frame to the NFCEE where the first application is located.

In this embodiment, after receiving the first message sent by the NFCC, the DH may determine the user identity verification request identifier corresponding to the first application by using the identifier of the first application (such as the AID) included in the first message, where specifically, The DH searches for the user identity verification request identifier corresponding to the AID from the association table of the AID saved in step 401 and its corresponding user identity verification request identifier according to the AID. Then, DH determines the user authentication request corresponding to the first application. Whether the identifier indicates that the user authentication is required when using the first application, and if not, it is considered that the user authentication is not required when the first application is used. For example, if the user authentication request identifier corresponding to the bit is 0b, the indication is used. The first application corresponding to the AID does not require user authentication.

Optionally, the DH indicates that the NFCC routes the data frame to the NFCEE where the first application is located, where a possible indication manner is that the DH sends a second message to the NFCC, where the second message is to allow the NFCC to perform data routing on the data frame. First order.

It should be noted that the content included in the first command may be information related to user identity verification (ie, no user identity verification is required), and/or information indicating that the NFCC is allowed to perform data routing. In summary, after receiving the first command, the NFCC can only determine according to the content that the DH allows the NFCC to route the data frame to the NFCEE where the first application is located.

408. If the DH determines that the user identity verification request identifier corresponding to the first application indicates that user identity verification is required when using the first application, the DH performs a user identity verification operation.

In this embodiment, after receiving the first message sent by the NFCC, the DH may determine the user identity verification request identifier corresponding to the first application by using the identifier of the first application (such as the AID) included in the first message, where specifically, The DH searches for the user identity verification request identifier corresponding to the AID from the association table of the AID saved in step 401 and its corresponding user identity verification request identifier according to the AID. Then, the DH determines whether the user identity verification request identifier corresponding to the first application indicates that the user identity verification is required when using the first application, and if yes, it is determined that the user identity verification is required when using the first application, that is, DH Perform user authentication operations.

Optionally, the DH performs the user identity verification operation, and the implementation manner is similar to the implementation manner described in the step 208 in the first embodiment, and details are not described herein again.

409. If the user authentication operation passes, the DH sends a second message to the NFCC.

In this embodiment, when the user identity verification operation is passed, the DH sends a second message to the NFCC, where the second message is a first command that allows the NFCC to perform data routing processing on the data frame, where the NFCC is allowed to perform data routing on the data frame. The process is to allow the NFCC to route the data frame to the NFCEE where the first application is located.

410. The NFCC performs routing processing on the data frame according to the second message.

In this embodiment, the NFCC receives the second message, and performs routing processing on the data frame according to the second message. The specific implementation manner is as follows:

For the step 409, the second message is a first command that allows the NFCC to perform data routing processing on the data frame. In this case, the NFCC routes the data frame to the NFCEE where the first application is located. Step 211 is similar, and will not be described here.

Certainly, for step 413, the NFCC may also receive the second message, but only the second message is a second command that does not allow the NFCC to perform data routing processing on the data frame. Then, the NFCC does not route the data frame to the first application. NFCEE, that is, NFCC cannot send a response message to the peer POS, so the POS machine is at the preset time. This communication is terminated when no response message is received (ie, the response timeout condition).

411. If the user identity verification operation fails, the DH indicates that the NFCC does not route the data frame to the NFCEE corresponding to the first application.

In this embodiment, when DH performs user identity verification and fails verification, DH indicates that the NFCC does not route the data frame to the NFCEE where the first application is located. The specific indication manner is similar to the step 209 in the first embodiment, and details are not described herein again.

In this embodiment, after receiving the notification message sent by the NFCC to indicate that the peer POS machine selects the first application, the DH determines whether the user identity verification is required when the first application is used, and implements the application according to different cards. Different security and convenience requirements adopt the most suitable first-application processing method, and a unified solution can be made, which makes the implementation simpler, lower development cost, shorter cycle, etc., where user authentication is required. The application of the card indicates that the security requirement is higher than the convenience requirement. For the card application that does not require the user identity verification, the convenience requirement is higher than the security requirement; therefore, the security requirements of the embodiment of the present application are higher than the convenience. The card application for sexual requirements performs user authentication, and the card application with higher convenience than the security requirement can realize the function of fast payment, and can also avoid the problems of affecting the user experience or complicating the user operation as described above.

In the third embodiment, an embodiment in which the DH itself determines whether the user authentication is required is described. The following describes an embodiment corresponding to the two card swipe scenarios of the solution similar to the second embodiment.

Embodiment 4, referring to FIG. 5, another embodiment of the data processing method in the embodiment of the present application includes:

501, DH records the AID of each application and its corresponding user authentication requirements.

502. The DH configures a routing entry to the NFCC.

503. The NFC mobile phone and the peer POS perform an RF discovery process to activate the RF protocol required by the POS to perform the service.

504. The POS machine sends a data frame to the NFCC, where the data frame is an application selection command for selecting the first application.

505. The NFCC finds a matching routing item for the received data frame.

506. The NFCC sends a first message to the DH.

507. If DH determines that user authentication is not required when using the first application, DH instructs the NFCC to route the data frame to the NFCEE where the first application is located.

In this embodiment, the steps 501 to 507 are similar to the steps 401 to 407 in the third embodiment, and details are not described herein again.

508. If the DH determines that the user authentication is required when the first application is used, and the user identity verification success flag corresponding to the first application exists, the DH indicates that the NFCC routes the data frame to the NFCEE where the first application is located.

In this embodiment, when the DH determines that the user identity verification is required when the first application is used, the DH determines whether the user identity verification success flag corresponding to the first application exists or not, and if the DH determines that the user identity corresponding to the first application exists. To verify the success flag, DH instructs the NFCC to route the data frame to the NFCEE where the first application is located.

Optionally, the DH determines that the first application is required to perform user identity verification. Specifically, after receiving the first message sent by the NFCC, the DH may pass the identifier of the first application (such as an AID) included in the first message. Determining a user identity verification request identifier corresponding to the first application, for example, the DH searches for the user identity verification request identifier corresponding to the AID from the association relationship between the AID saved in step 401 and the corresponding user identity verification request identifier according to the AID, The DH determines whether the user identity verification request identifier corresponding to the first application indicates that the user identity verification is required when the first application is used, and if yes, it is determined that the user identity verification is required when the first application is used.

Optionally, the DH indicates that the NFCC routes the data frame to the NFCEE where the first application is located, where a possible indication manner is that the DH sends a second message to the NFCC, where the second message is to allow the NFCC to perform data routing on the data frame. First order. It should be noted that the content included in the foregoing first command may be information related to user identity verification (that is, the result of performing the user identity verification operation is passed, or information indicating that the user identity verification success flag exists), and/or , indicating the information that allows the NFCC to perform data routing. In summary, after receiving the first command, the NFCC can only determine according to the content that the DH allows the NFCC to route the data frame to the NFCEE where the first application is located.

509. If the DH determines that the user authentication is required when the first application is used, and the user identity verification success flag corresponding to the first application does not exist, the DH performs a user identity verification operation.

In this embodiment, when the DH determines that the user authentication is required when the first application is used, the DH determines whether the user identity verification success flag corresponding to the first application exists or not, and if the DH determines that the user corresponding to the first application does not exist. If the authentication is successfully marked, the DH performs the user authentication operation. The specific implementation mode is that the DH invokes the fingerprint module, that is, the user identity is verified by verifying the user fingerprint, and in addition to the fingerprint verification, other authentication methods that may generate delays (such as The P1N verification, the iris verification, and the like are also applicable to the embodiment, which is not limited herein.

510. If the identity verification successful operation passes, the DH sends a second message to the NFCC.

In this embodiment, similar to step 308 in the foregoing embodiment 2, when the user identity verification operation is passed, the corresponding user identity verification success flag may be set and saved for the first application, so that the NFC mobile phone is close to the POS machine again. When the DH receives the first message sent by the NFCC again, the DH can directly use the user identity verification success flag to perform the determination, as in step 508 or 509 above. Because this is because the user may need to leave the POS and then re-close when verifying the fingerprint, or the time required for user authentication may be greater than the maximum delay handled by the POS, etc., it is designed for the completion of this transaction for two credit cards. Implementation plan. In addition, the user identity verification success flag in this step is deleted after being used once, that is, when it is determined in the above step 508 that the user identity verification success flag is present, it is determined that the user identity verification is successful, and then the user identity is deleted. Verify the success flag to prevent the risk of property damage from being stolen when the NFC phone is stolen without being deleted.

511. The NFCC routes the data frame to the NFCEE where the first application is located according to the second message.

512. If the user identity verification operation fails, the NFCC is instructed not to route the data frame to the NFCEE corresponding to the first application.

In this embodiment, the steps 511 to 512 are similar to the steps 410 to 411 in the foregoing third embodiment, and details are not described herein again. In addition, it should be noted that step 510 to step 512 are performed under the condition that the DH determines that there is no user identity verification success flag corresponding to the first application, which is different from step 409 to step 411 in the third embodiment.

In this embodiment, the usage habits of the user in performing identity verification are also considered (such as directly checking the fingerprint in the process of attaching the POS machine, or picking up the fingerprint after attaching the POS machine) or a possible delay, therefore, To some extent, the fault tolerance rate of the program has been improved.

In the foregoing four embodiments, when the routing entry corresponding to the first application is configured by the DH to the NFCC, the routing entry needs to be set to point to the NFCEE where the first application is located (that is, the Route in the routing item defined in the NCI protocol). The parameter is set to the NFCEE identifier of the first application), whether it is NFCC or DH, the first choice for the opposite POS machine The corresponding user authentication request identifier is used for judging, and the NFCC is allowed to perform routing processing on the data frame sent by the POS machine only if the user authentication is not required or the user authentication is required and the verification is passed. The frame is routed to the NFCEE where the first application is located. The following embodiments provide another solution. When the DH configures the routing entry corresponding to the first application to the NFCC, the DH only sets the routing entry corresponding to the application that does not require user authentication to the NFCEE where the application is located. And the routing item corresponding to the first application that requires the user authentication is set to point to the DH, then the NFCC can route the data frame to the DH after receiving the data frame of the first application, and then the DH pair The user identity verification request identifier corresponding to the first application is determined, and the routing entry corresponding to the first application is reconfigured to the NFCC to change the routing entry to the NFCC only if the user authentication is required and the verification is passed. Points to the NFCEE where the first application is located.

Embodiment 5 Referring to FIG. 6, another embodiment of the data processing method in the embodiment of the present application includes:

601. The DH records the identifier of each application (such as the application identifier AID) and its corresponding user identity verification requirement.

In this embodiment, the step is similar to the step 401 in the foregoing embodiment 3. The DH sets a corresponding user identity verification request identifier for each application according to the user identity verification requirement corresponding to each application, and saves the identifier, for example, by applying the AID. The association table corresponding to the user authentication request identifier is saved. Others will not go into details.

602. The DH configures a second routing entry to the NFCC.

In this embodiment, step 602 is different from step 402 in the third embodiment. In step 402, each routing item configured by the DH to the NFCC is directed to the NFCEE where each application (such as the application corresponding to the AID in the routing entry) is located. .

In this embodiment, the DH selects a specific AID, and configures a second routing entry for the first application corresponding to the specific AID, where the second routing entry is a near field communication execution environment DH-NFCEE corresponding to the DH. Specifically, the DH selects a specific AID according to the user identity verification request identifier corresponding to each AID in step 601. For example, the DH marks the AID corresponding to the user identity verification request identifier that needs to perform user identity verification, thereby selecting a specific AID. And configuring a second routing item for the first application corresponding to the specific AID.

Optionally, the second routing item may include an identifier of the DH-NFCEE, where the identifier is used to uniquely identify the DH-NFCEE corresponding to the DH corresponding near field communication execution environment.

For example, suppose that there is a bank card 1, a bank card 2 and a bus card in a wallet on the mobile phone, the user needs to perform user identity verification when using the bank card 1, and the bank card 2 and the bus card are not required, then the DH is When setting a routing item, you can set the NFCEE ID in the second routing entry set for bank card 1 to the ID of DH-NFCEE (for example, 0x00), and the routing items set for bank card 2 and bus card respectively point to the card. The NFCEE where the application is located.

603. The NFC mobile phone and the peer POS perform an RF discovery process to activate the RF protocol required by the POS to perform the service.

604. The POS machine sends a data frame to the NFCC, where the data frame is an application selection command for selecting the first application.

605. The NFCC finds a matching second routing item for the received data frame.

In this embodiment, the steps 603 to 605 are similar to the steps 203 to 205 in the foregoing embodiment, and details are not described herein again.

606. The NFCC sends a first message to the DH according to the second routing item, where the first message is the data frame.

In this embodiment, after the NFCC receives the data frame sent by the POS machine, the NFCC selects a command according to an application in the data frame (such as a SelectAID command), and finds a matching second routing item (such as the AID in the command and the Second After the AIDs in the routing entries match, the NFCC routes the above data frame to the routing destination DH pointed to by the second routing entry.

In this embodiment, it is also required that after the NFCC forwards the received data frame to the DH, if the command for configuring the third routing item sent by the DH is not received within the preset time, the RF communication is terminated. If the command to configure the third routing entry sent by the DH is received within the set time, the data frame is rerouted according to the newly configured third routing entry. It should be understood that the possible implementation manner is applicable to the user authentication by using the method of verifying the user's fingerprint, and the application scenario that the mobile phone keeps close to the POS when verifying the fingerprint is a swipe scene.

607. If the DH determines that the user identity verification request identifier corresponding to the first application indicates that user identity verification is required when using the first application, perform a user identity verification operation.

In this embodiment, the DH determines that the user identity verification request identifier corresponding to the first application indicates that the user identity needs to be performed when the first application is used, and the AID corresponding to the first application selected by the DH to determine the data frame is marked as Specific AID.

Optionally, the DH performs the user identity verification operation, specifically, the DH invokes the user identity verification module to perform user identity verification, where the user identity verification module may be a fingerprint module, that is, the user identity is verified by verifying the user fingerprint, and of course, Other authentication methods, such as PIN verification, iris, and other biometric verification, wearable device verification (ie, verifying the presence of a particular wearable device connected to the terminal via a wireless technology (such as Bluetooth)) There are no restrictions here.

In addition, it should be noted that if the DH determines that the user authentication request identifier corresponding to the first application indicates that the user authentication is not required when using the first application, it indicates that the NFCEE where the first application is located is originally DH-NFCEE, thus, DH The message that the user answers the data frame (such as the Select response) can be directly sent to the NFCC, so that the NFCC can reply it to the peer POS machine. Therefore, the solution of the fifth embodiment design is for those card applications that are not operating in DH (ie, DH-NFCEE).

608. If the user authentication operation fails, the DH indicates that the NFC does not route the data frame to the NFCEE where the first application is located.

In this embodiment, when the result of the user identity verification operation is not passed, the DH indicates that the NFC does not route the data frame to the NFCEE where the first application is located. Among them, the specific instructions are as follows:

In a possible indication manner, the DH terminates the communication. Specifically, the DH sends an RF protocol deactivation command defined by the NCI protocol or other command that can terminate the communication to the NFCC. Alternatively, the DH does not send any information to the NFCC. The message is acknowledged, so that the NFCC cannot answer the POS machine of the opposite end. Once the response times out, the POS machine terminates the current communication with the NFC mobile phone (ie, disconnects the NFC connection between the two).

In another possible indication manner, the DH sends a second message to the NFCEE, the second message is a command that does not allow the NFCC to route the data frame to the NFCEE where the first application is located, or does not allow the NFCC to the opposite POS. The command to answer the machine.

609. If the user authentication operation passes, the DH sends a second message to the NFCC, where the second message is used for configuration. The third routing item.

In this embodiment, when the result of the user identity verification operation is passed, the DH configures a third routing entry to the NFCC, where the third routing entry is set to point to the NFCEE where the first application is located, and the NFCEE where the first application is located is not DH. The corresponding near field communication execution environment DH-NFCEE.

Optionally, the third routing item configured by the DH to the NFCC includes an identifier of the first application (such as an AID of the first application), a unique identifier indicating the NFCEE where the first application is located, and the like.

610. The NFCEE routes the data frame to the NFCEE where the first application is located.

In this embodiment, after the NFCC receives the second message (that is, the second command for configuring the third routing entry), the NFCC routes the data frame to the NFCEE where the first application pointed to by the third routing entry is located.

611. When the communication ends, the DH reconfigures the second routing entry to the NFCC.

In this embodiment, when the radio frequency RF communication ends, the DH reconfigures the second routing item to the NFCC, where the second routing item includes a near field communication execution environment DH-NFCEE corresponding to the DH.

It should be noted that, the radio frequency RF communication described herein ends, specifically, the DH is determined after receiving the notification that the NFCC reports that the opposite radio frequency RF field disappears (ie, by the RF_FIELD_INFO_NTF notification), or DH Determined when no message of NFCC is received within the specified time, or DH deactivates the RF interface RF interface between DH and NFCC for any reason (such as transmission error in data interaction, protocol error, timeout, etc.) The method defined by the other NCI protocol to determine the end of the RF communication is not limited herein.

In the step 607 of the embodiment, when the DH performs the user identity verification operation, the method of swiping the card may be used once in the first embodiment or the third embodiment, or the method of swiping the card twice in the second embodiment or the fourth embodiment.

If it is a way of swiping the card (such as the NFC mobile phone stays close to the POS when verifying the user's identity), since the current NCI protocol stipulates that the routing item can only be configured when the RF communication state machine is in the IDLE state (ie, RFST_IDLE), the following manner can be implemented. Re-configuration of the routing entry (that is, updating the second routing entry corresponding to the first application to the third routing entry). For example, the DH sends a corresponding command (such as RF_DEACTIVE_CMD (Idle mode)) to the NFCC to enable the state machine to perform the data interaction phase. The corresponding ACTIVE state (ie, RFST_LISTEN_ACTIVE) becomes the IDLE state, and then the routing table is updated (ie, reconfigured); again, the DH is allowed to reconfigure the routing table directly in the ACTIVE state. In this case, the time limit may be increased in the first embodiment or the third embodiment. For example, after the NFCC forwards the received data frame to the DH through the first message, if the DH is received within the preset time, the third routing entry is configured. The second command (ie, the second message) re-routes the data frame according to the newly configured routing item (that is, routes the data frame to the NFCEE where the first application is located according to the third routing item); otherwise, the NFCC considers this The secondary RF communication ends.

If the card is swiped twice (that is, the NFC mobile phone leaves the POS when the user identity is verified), the NFC mobile phone and the POS machine perform two RF communications in succession, as long as the NFC mobile phone is in the IDLE state after leaving the POS. DH can reconfigure routing entries for NFCC. At this time, similar to the second or fourth embodiment, the time limit is increased. For example, if the DH configures the third routing item by using the second message, the next RF communication is not performed with the peer POS machine within a preset time (more specifically, If the DH does not receive the data frame for the first application to be forwarded by the NFCC within the preset time after the reconfiguration of the routing entry, the DH needs to configure the routing entry again to restore the original routing table (that is, the first application corresponds to the first application). The third routing entry is updated again to the second routing entry, that is, the routing entry of the application represented by the specific AID is also Is pointing to DH). Of course, in the manner of two card swipes, as in the previous embodiment two or four, DH saves the user identity success token after verifying the user identity after the first card swiping, and then directly uses the card when the second card is swiped. The success flag is determined whether the user identity verification is passed by determining whether the success flag exists, and details are not described herein again.

In this embodiment, the DH does not modify the current NCI standard, so that the DH sets a routing entry that points to the DH by using the first application that needs to perform user authentication, and receives the data for selecting the first application that is forwarded by the NFCC. User authentication is performed after the frame, and the routing entry pointing to the NFCEE where the first application is located is reconfigured to the NFCC only when it is determined that the verification has passed, so that the NFCC can route the data frame to the NFCEE where the first application is located. The implementation of the most appropriate first application processing method according to the different security and convenience requirements of different card applications, and the development of a unified solution, which can make the implementation simpler, lower development cost, shorter cycle, etc.; In the embodiment of the present application, the user identity verification can be performed on the card application with the security requirement higher than the convenience requirement, and the card application with the convenience requirement higher than the security requirement can realize the function of fast payment, and can also avoid the foregoing. The impact of the user experience or the complexity of the user's operation, in addition, the above two brushing schemes can still be to some extent High fault tolerance of the program.

The actions of the policy entity in the first embodiment to the fifth embodiment may also be performed by the processor in the first terminal 8 as shown in FIG. 8 by calling the application code stored in the memory 803. There are no restrictions on the case.

It should be noted that, in the above-mentioned first to fifth embodiments, the DH records the application identifier as an example of the AID of the application, and the DH configures the routing entry as an example. Certainly, the routing item may also be other types of routing items, such as an APDU pattern-based routing item defined by the NCI, an SC-based routing item, a protocol-based routing item, a technology-based routing item, and a mandatory NFCEE routing mechanism, etc. The identifier of the application may also be other information that can represent the application, such as application-related APDU pattern information (such as reference data and mask), application-related SC information (such as SC list), and application-related RF protocol information (such as ISO). -DEP protocol, T1T/T2T/T3T/T5T protocol, etc.), application-related RF technical information (such as NFC-A, NFC-B, NFC-F, NFC-V technology, etc.) and application-related NFCEE information (such as applications) The NFCEE in which it is located, etc., is not limited by the present invention.

The data processing method in the embodiment of the present application has been described above. The host DH in the embodiment of the present application is described below.

Embodiment 6 Referring to FIG. 7, an embodiment of the host DH in the embodiment of the present application includes:

The first receiving unit 701 is configured to receive a first message sent by the NFCC, where the first message is used to notify the DH that the second terminal is to select the first application on the first terminal, and/or to request the DH to be executed. User authentication operation;

The verification unit 702 is configured to perform a user identity verification operation if the DH determines that user identity verification is required;

The first sending unit 703 is configured to: when the result of the user identity verification operation is passed, send a second message to the NFCC, where the second message is a first command that allows the NFCC to perform data routing on the data frame, where the data frame The message sent by the second terminal to the NFCC indicates that the first application is to be selected.

In this embodiment, the host DH formulates a unified solution according to different security and convenience requirements of different card applications, and indicates that the security requirement is higher than the convenience requirement for the card application that needs to perform user identity verification; For card applications that do not require user authentication, the convenience requirements are higher than the security requirements.

Referring to FIG. 8, other possible embodiments of the host DH in the embodiment of the present application may further include:

Optionally, in a possible implementation, the first receiving unit 801 may specifically include a first receiving module 8011. The first receiving module 8011 is specifically configured to:

Optionally, in a possible implementation, the verification unit 802 may specifically include: one or more modules of the first determining module 8021, the second determining module 8022, the third determining module 8023, or the fourth determining module 8024. The functions of each module are as follows:

The first determining module 8021 is configured to determine, according to the user identity verification request identifier corresponding to the first application, that the user identity verification is required; wherein the user identity verification request identifier is used to indicate that the user identity needs to be verified when the first application is used;

The second determining module 8022 is configured to determine, according to the user identity verification request identifier corresponding to the first application, that user identity verification is required when the first application is used;

The third determining module 8023 is configured to: if the DH determines that the user identity verification success flag corresponding to the first application exists, determine, according to the user identity verification success flag, that the user identity verification operation passes; or

The fourth determining module 8024 is configured to: if the DH determines that the user identity verification success flag corresponding to the first application does not exist, receive, by the identity verification module of the first terminal, the user identity information to determine the user identity verification operation. Whether it passed.

Optionally, in a possible implementation manner, the first sending unit 803 includes a first sending module 8031, where the first sending module 8031 is configured to send, to the NFCC, a second message including a third routing item, where The third routing entry includes an identifier of the NFCEE where the first application is located.

Optionally, in a possible implementation manner, the host DH further includes: a second sending unit 804, a third sending unit 805, a fourth sending unit 806, a fifth sending unit 807, a deleting unit 808, or a configuration unit 809. One or more units, the functions of each unit are as follows:

a second sending unit 804, configured to send, to the NFCC, a first routing item that includes a user identity verification request identifier, where the user identity verification request identifier is used to indicate that the user identity is required or not required to use the first application;

The third sending unit 805 is configured to: if the user identity verification request identifier corresponding to the first application indicates that the user identity needs to be verified when the first application is used, send a second routing item to the NFCC, where the second routing item includes the DH Corresponding near field communication execution environment DH-NFCEE identifier, the DH-NFCEE is not the NFCEE where the first application is located;

The fourth sending unit 806 is configured to: if the DH determines that user identity verification is not required, send the second message to the NFCC, where the second message is the first command that allows the NFCC to perform data processing on the data frame;

The fifth sending unit 807 is configured to send a second message to the NFCC or not send any message when the user identity verification operation fails, the second message is a second that does not allow the NFCC to perform data routing on the data frame. command;

The deleting unit 808 is configured to: when the DH does not receive the first message sent by the NFCC again within a preset time period, or after the DH determines, according to the user identity verification success flag, that the user identity verification operation is passed, Delete the user authentication success token;

The configuration unit 809 is configured to: when the communication ends, or when the DH does not receive the data frame sent by the second terminal for selecting the first application again within a preset time after the end of the communication Reconfigure to the NFCC The second routing entry.

Optionally, in a possible implementation, the user identity verification request identifier is determined by the DH according to the registration information and/or the user indication of the first application, where the registration information of the first application includes the first The application type of an application and/or the required parameters for representing authentication.

Optionally, in a possible implementation manner, the user identity verification success flag is that the DH is saved after the identity verification module of the first terminal determines that the user identity verification operation is passed.

The sixth embodiment is described in detail in the main sentence DH in the embodiment of the present application. The near field communication controller NFCC in the embodiment of the present application is described below.

Embodiment 7, with reference to FIG. 9, an embodiment of the near field communication controller NFCC in the embodiment of the present application includes:

The first receiving unit 901 is configured to: after receiving the data frame sent by the second terminal, find a matching first routing item, where the data frame is used to indicate that the first application on the first terminal is to be selected;

The first determining unit 902 is configured to determine, according to the preset condition, whether to send the first message to the DH, where the first message is used to notify the DH that the second terminal is to select the first application on the first terminal, And/or for requesting the DH to perform a user authentication operation;

The first sending unit 903 is configured to: if yes, send the first message to the DH;

The first routing unit 904 is configured to: if the NFCC receives the second message sent by the DH, perform routing processing on the data frame according to the second message.

In this embodiment, the near field communication controller NFCC formulates a unified solution according to different security and convenience requirements of different card applications. For the card application requiring user identity verification, the security requirement is higher than the convenience. Sexual requirements; for card applications that do not require user authentication, the convenience requirements are higher than the security requirements.

Referring to FIG. 10, in other possible embodiments of the near field communication controller NFCC in the embodiment of the present application, the method may further include:

Optionally, in a possible implementation, the first receiving unit 1001 may include a first query module 10011, where the first query module 10011 is configured to: after the NFCC receives the data frame sent by the second terminal, And determining, by the routing manner, the first routing item that matches the first application, where the routing manner includes a routing manner based on the application identifier AID.

Optionally, in a possible implementation manner, the first determining unit 1002 may include: a first determining module 10021, a first determining module 10022, a second determining module 10023, a second determining module 10024, or a third determining module 10025. One or more modules in the module; wherein the functions of each module are as follows:

The first determining module 10021 is configured to determine, according to the user identity verification request identifier in the first routing item, whether to send the first message to the DH.

The first determining module 10022 is configured to: if the user identity verification request identifier indicates that the user identity needs to be verified when using the first application, determine that the first message is to be sent to the DH;

The second determining module 10023 is configured to: if the user identity verification request identifier indicates that the user identity is not required to be used when the first application is used, determine that the first message is not sent to the DH;

The second determining module 10024 is configured to determine, according to the current energy state of the first terminal, whether the first message needs to be sent to the DH; or

The third determining module 10025 is configured to determine, according to the presence or absence of the user identity verification success flag corresponding to the first application, whether the first message needs to be sent to the DH, where the user identity verification success flag is that the NFCC is receiving, the DH The message sent after the message indicating the user authentication operation is saved.

Optionally, in a possible implementation manner, the second determining module 10024 can include a first determining submodule 100241 and a second determining submodule 100242, where

The first determining sub-module 100241 is configured to determine that the first message needs to be sent to the DH if the current energy state of the first terminal is not the power-off state and the power-off state;

The second determining sub-module 100242 is configured to determine that the first message does not need to be sent to the DH if the current energy state of the first terminal is an unpowered or powered-off state.

Optionally, in a possible implementation manner, the third determining module 10025 may include a third determining submodule 100251 and a fourth determining submodule 100252.

a third determining sub-module 100251, configured to: if the user identity verification success flag exists, determine that the first message needs to be sent to the DH;

The fourth determining submodule 100252 is configured to determine that the first message does not need to be sent to the DH if the user identity verification success flag does not exist.

Optionally, in a possible implementation, the first sending unit 1003 may include a first sending module 10031, where the first sending module 10031 is configured to send a first message including the data frame to the DH.

Optionally, in a possible implementation manner, the first routing unit 1005 may include: one or more modules in the first routing module 10051, the second routing module 10052, or the third routing module 10053, and functions of each module. details as follows:

The first routing module 10051 is configured to: when the second message is sent by the DH after the user identity verification operation is passed, indicating that the NFCC is allowed to perform the first command of data routing, routing the data frame to the first application NFCEE; or,

The second routing module 10052 is configured to: when the second message is sent by the DH after the user identity verification operation fails, indicating that the NFCC is not allowed to perform the second command of data routing, the data frame is not routed to the first NFCEE where the application is located, or terminate this communication;

The third routing module 10053 is configured to: when the second message is a routing configuration command including the second routing item, routing the data frame to the NFCEE where the first application is located, where the second message is the user authentication of the DH After the operation is passed or after determining that the first application is used, it is not required to verify the identity of the user. The second routing item includes the identifier of the first application and the identifier of the NFCEE where the first application is located.

Optionally, in a possible implementation manner, the near field communication controller NFCC further includes one or two units of the second routing unit 1006 and the terminating unit 1007. The specific functions of the two units are as follows:

a second routing unit 1006, configured to perform routing processing on the data frame if not;

The terminating unit 1007 is configured to terminate the current communication if the NFCC does not receive any message sent by the DH within a preset time period.

Optionally, in a possible implementation manner, the second routing unit 1006 can include a fourth routing module 10061, where the fourth routing module 10061 is configured to route the data frame to the NFCEE where the first application is located.

Optionally, in a possible implementation manner, the near field communication controller NFCC further includes a second receiving unit 1004, The second receiving unit 1004 is configured to receive the first routing entry of the DH configuration, where the first routing entry includes an identifier of the first application and the first NFCEE identifier, where the first NFCEE identifier is the first The identifier of the NFCEE where the application is located or the identifier of the near field communication execution environment DH-NFCEE corresponding to the DH.

The above embodiments respectively describe the functional entities of the host DH and the near field communication controller NFCC in the embodiments of the present application. It should be noted that the near field communication controller NFCC and the host DH are similar in hardware implementation, and the near field communication control is performed. The NFCC can refer to the description of the hardware aspect of the host DH. For details, the host DH in the embodiment of the present application is described below.

In the eighth embodiment, the processor in the host DH11 as shown in FIG. 11 can perform the actions of the policy entity in the foregoing Embodiments 1 to 5 by calling the application code stored in the memory 1103. Do not make any restrictions.

As shown in FIG. 11, a hardware structure diagram of a host DH11 according to an embodiment of the present application includes at least one processor 1101, a communication bus 1102, a memory 1103, and at least one communication unit 1104.

The processor 1101 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more programs for controlling the execution of the program of the present application. integrated circuit.

It should be noted that, in the specific implementation manner of the present invention, the processor 1101 may configure a listening mode routing table to the NFCC by using an NCI based routing configuration command/response (RF_SET_LISTEN_MODE_ROUTING_CMD/RSP) in an initialization phase of the NFC device, which may include The routing entry of the AID (including the application identifier AID and the NFCEE ID of the NFCEE where the application is located), etc., so that the NFCC can find the matching route target NFCEE according to the AID-based routing item after receiving the selectAID command. In addition, the processor 1101 can also correspond to the NFCEE of the NFC device, and the NFCEE can communicate with the NFCC through a protocol (such as HCI/SWP), so that the NFCEE can receive and process the peer NFC device forwarded by the NFCC (ie, the second terminal). The data frame sent.

Communication bus 1102 can include a path for communicating information between the components described above.

The communication unit 1104 uses a device such as any transceiver for communicating with other devices or communication networks, such as Ethernet, Radio Access Network (RAN), Wireless Local Area Networks (WLAN), etc. .

For the host DH, in the specific embodiment of the present invention, the communication unit 1104 may further include a module for communicating with the NFCC, such as an interface between the DH and the NFCC, the interface may support the NCI protocol at the upper layer, and may be used at the bottom layer. Universal Asynchronous Receiver/Transmitter (UART), 12C bus (Inter-Integrated Circuit) or half-duplex Serial Peripheral Interface (SPI) to transmit data. The DH can configure the RF parameters, the routing table, and the like to the NFCC through the communication unit 1104, so that the NFCC can communicate with the NFC device of the opposite end in the RF discovery process, and receive the first message sent by the NFCC to perform corresponding according to the first message. User authentication processing, and sending a second message to the NFCC for the NFCC to perform corresponding data routing processing or the like according to the second message.

The memory 1103 can be a read-only memory (ROM) or other type of static storage device that can store static information and instructions, a random access memory (RAM) or other type that can store information and instructions. Dynamic storage device, or electrically erasable programmable read only memory (Electrically Erasable Programmable Read-Only Memory (EEPROM), Compact Disc Read-Only Memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, etc.) A disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of an instruction or data structure and that can be accessed by a computer, but is not limited thereto. The memory can exist independently and be connected to the processor via a bus. The memory can also be integrated with the processor.

The memory 1103 is configured to store application code for executing the solution of the present application, and is controlled by the processor 1101 to execute. The processor 1101 is configured to execute the application code stored in the memory 1103, thereby implementing the AR projection method in the above embodiment.

It should be noted that, in a specific embodiment of the present invention, the storage unit may store an NFC application installed in the DH-NFCEE or NFCEE(s), and a routing program and a routing table in the NFCC.

In a specific implementation, as an embodiment, the processor 1101 may include one or more CPUs, such as CPU0 and CPU1 in FIG.

In a specific implementation, as an embodiment, the host DH11 may include multiple processors, such as the processor 1101 and the processor 1108 in FIG. Each of these processors can be a single-CPU processor or a multi-core processor. A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data, such as computer program instructions.

In a specific implementation, as an embodiment, the host DH11 may further include an output device 1105 and an input device 1106. The output device 1105 is in communication with the processor 1101 and can display information in a variety of ways. For example, the output device 1105 can be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device, or a projector. Wait. Input device 1106 is in communication with processor 1101 and can accept user input in a variety of ways. For example, input device 1106 can be a mouse, keyboard, touch screen device, or sensing device, and the like.

The host DH11 described above may be a general terminal or a dedicated terminal. In a specific implementation, the host DH11 may be a desktop computer, a portable computer, a network server, a personal digital assistant (PDA), a mobile phone, a tablet, a wireless terminal device, an embedded device, or a device having a similar structure as in FIG. . The embodiment of the present application does not limit the type of the host DH11.

It should be noted that, for the NFC controller NFCC, in the specific embodiment of the present invention, the communication unit 1104 may further include a module for communicating with the DH, such as an interface between the DH and the NFCC, and the interface may be in the upper layer. Support NCI protocol, at the bottom layer can use Universal Asynchronous Receiver/Transmitter (UART), 12C bus (Inter-Integrated Circuit) or half-duplex Serial Peripheral Interface (SPI) to transmit data The NFCC can receive the RF parameters, the routing table, and the like of the DH configuration through the communication unit 1104, so as to be able to communicate with the NFC device of the opposite end in the RF discovery process, and send the first message to the DH, so that the DH performs the first message according to the first message. Corresponding user authentication processing, and receiving a second message sent by the DH to perform corresponding data routing processing according to the second message, and the like, and may further include performing, for performing, with the NFC device (ie, the second terminal) of the peer end a module for communication (ie, transmitting data to and receiving data from a second terminal), such as a transceiver circuit in the NFCC, and the NFC in the transceiver circuit Line operating frequency may be 13.56MHz, NFCC may transmit data to the second terminal through the NFC antenna may also receive data from the second terminal.

A person skilled in the art can clearly understand that for the convenience and brevity of the description, the specific working process of the system, the device and the unit described above can refer to the corresponding process in the foregoing method embodiment, and details are not described herein again.

In the several embodiments provided by the present application, it should be understood that the disclosed system, apparatus, and method may be implemented in other manners. For example, the device embodiments described above are merely illustrative. For example, the division of the unit is only a logical function division. In actual implementation, there may be another division manner, for example, multiple units or components may be combined or Can be integrated into another system, or some features can be ignored or not executed. In addition, the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.

The units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.

In addition, each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit. The above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.

The integrated unit, if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, in essence or the contribution to the prior art, or all or part of the technical solution may be embodied in the form of a software product stored in a storage medium. A number of instructions are included to cause a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present application. The foregoing storage medium includes: a U disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk, and the like. .

The above embodiments are only used to explain the technical solutions of the present application, and are not limited thereto; although the present application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that they can still The technical solutions described in the embodiments are modified, or the equivalents of the technical features are replaced by the equivalents. The modifications and substitutions of the embodiments do not depart from the spirit and scope of the technical solutions of the embodiments of the present application.

Claims

A data processing method, characterized in that the method is used for a host DH of a first terminal, the first terminal further comprising a near field communication controller NFCC and at least one near field communication execution environment NFCEE, the method comprising:

Receiving, by the DH, a first message sent by the NFCC, where the first message is used to notify the DH that the second terminal is to select the first application on the first terminal, and/or to request the DH to be executed. User authentication operation;

If the DH determines that user authentication is required, the DH performs a user identity verification operation;

When the result of the user identity verification operation is a pass, the DH sends a second message to the NFCC, where the second message is a first command that allows the NFCC to perform data routing on a data frame, the data frame For the second terminal to send to the NFCC, indicating that the message of the first application is to be selected.
The data processing method according to claim 1, wherein before the DH receives the first message sent by the NFCC, the method further includes:

The DH sends a first routing entry including a user identity verification request identifier to the NFCC; wherein the user identity verification request identifier is used to indicate that the user identity is required or not required to be used when the first application is used.
The data processing method according to claim 1, wherein when the first message is used to notify the DH that the second terminal is to select the first application, the DH determines that user identity verification is required. include:

And determining, by the DH, that the user identity verification is required according to the user identity verification request identifier corresponding to the first application, where the user identity verification request identifier is used to indicate that the user identity needs to be verified when the first application is used.
The data processing method according to claim 1, wherein before the DH receives the first message sent by the NFCC, the method further includes:

And if the user identity verification request identifier corresponding to the first application indicates that the user identity needs to be verified when the first application is used, the DH sends a second routing item to the NFCC, where the second routing item includes the DH Corresponding near field communication execution environment DH-NFCEE, the DH-NFCEE is not the NFCEE where the first application is located.
The data processing method according to claim 4, wherein the receiving, by the DH, the first message sent by the NFCC comprises:

The DH receives a first message that is sent by the NFCC and includes the data frame, where the data frame is used to notify the DH that the second terminal is to select the first application;

The DH determines that user authentication is required, including:

Determining, according to the user identity verification request identifier corresponding to the first application, that the DH needs to perform user identity verification when using the first application;

Sending, by the DH, the second message to the NFCC, including:

The DH sends a second message including a third routing entry to the NFCC, where the third routing entry includes an identifier of the NFCEE where the first application is located.
The data processing method according to claim 4 or 5, wherein the method further comprises:

When the communication ends, or when the DH does not receive the data frame for selecting the first application sent by the second terminal again within a preset time after the end of the communication, the The DH reconfigures the second routing entry to the NFCC.
The data processing method according to any one of claims 2 to 4, wherein said user identity The certificate request identifier is determined by the DH according to the registration information and/or the user indication of the first application, where the registration information of the first application includes an application type of the first application and/or is used to indicate a pair Requirements parameters for authentication.
The data processing method according to any one of claims 1 to 5, wherein the DH performs a user identity verification operation, including:

If the DH determines that the user identity verification success flag corresponding to the first application exists, the DH determines, according to the user identity verification success flag, that the user identity verification operation passes; or

If the DH determines that there is no user identity verification success flag corresponding to the first application, the DH receives and determines the user identity information by using the identity verification module of the first terminal to determine whether the user identity verification operation is by.
The data processing method according to claim 8, wherein said user identity verification success flag is that said DH is saved after said user identity verification operation is determined by said identity verification module of said first terminal.
The data processing method according to claim 8 or 9, wherein the method further comprises:

And after the DH does not receive the first message sent by the NFCC again within a preset time period, or after the DH determines that the user identity verification operation is passed according to the user identity verification success flag, The DH deletes the user identity verification success flag.
The data processing method according to claim 1, wherein the method further comprises:

If the DH determines that user authentication is not required, the DH sends the second message to the NFCC, and the second message is the first that allows the NFCC to perform data processing on the data frame. command.
The data processing method according to claim 1, wherein the method further comprises:

When the user authentication operation fails, the DH sends a second message to the NFCC or does not send any message, and the second message is a second that does not allow the NFCC to perform data routing on the data frame. command.
A data processing method, wherein the method is used for a near field communication controller NFCC of a first terminal, the first terminal further comprising a host DH and at least one near field communication execution environment NFCEE, the method comprising:

Receiving, by the NFCC, the data frame sent by the second terminal, and finding a matching first routing item, where the data frame is used to indicate that the first application on the first terminal is to be selected;

Determining, by the NFCC, whether to send a first message to the DH according to a preset condition, where the first message is used to notify the DH that the second terminal is to select a first application on the first terminal, And/or for requesting the DH to perform a user authentication operation;

If yes, the NFCC sends the first message to the DH;

If the NFCC receives the second message sent by the DH, the NFCC performs routing processing on the data frame according to the second message.
The data processing method according to claim 13, wherein the method further comprises:

If no, the NFCC routes the data frame.
The data processing method according to claim 13 or 14, wherein before the NFCC finds the matching first routing item after receiving the data frame sent by the second terminal, the method further includes:

Receiving, by the NFCC, the first routing item of the DH configuration, where the first routing item includes an identifier of the first application and the first NFCEE identifier, where the first NFCEE identifier is the first NFCEE where an application is located The identifier of the near field communication execution environment DH-NFCEE corresponding to the DH.
The data processing method according to claim 15, wherein when the first NFCEE identifier is an identifier of the NFCEE in which the first application is located, the first routing entry further includes the user identity verification request identifier ;

Determining, by the NFCC, whether to send the first message to the DH according to a preset condition, including:

Determining, by the NFCC, whether the first message is to be sent to the DH according to the user identity verification request identifier in the first routing item;

If the user identity verification request indication indicates that the user identity needs to be verified when using the first application, the NFCC determines to send the first message to the DH;

If the user identity verification request indication indicates that the user identity does not need to be authenticated when using the first application, the NFCC determines not to send the first message to the DH.
The data processing method according to claim 13 or 14, wherein the NFCC determines whether to send the first message to the DH according to a preset condition, including:

Determining, by the NFCC, whether the first message needs to be sent to the DH according to a current energy state of the first terminal;

or,

Determining, by the NFCC, whether the first message is required to be sent to the DH according to the presence or absence of the user identity verification success flag corresponding to the first application, where the user identity verification success flag is that the NFCC is receiving, The message sent by the DH indicating that the user authentication operation passed is saved.
The data processing method according to claim 17, wherein the NFCC determines whether the first message needs to be sent to the DH according to the current energy state of the first terminal, including:

If the current energy state of the first terminal is not the powerless state and the power-off state, the NFCC determines that the first message needs to be sent to the DH;

If the current energy state of the first terminal is an unpowered or powered off state, the NFCC determines that the first message does not need to be sent to the DH.
The data processing method according to claim 17, wherein the NFCC determines whether the first message needs to be sent to the DH according to the presence or absence of the user identity verification success flag corresponding to the first application, including:

If the user identity verification success flag exists, the NFCC determines that the first message needs to be sent to the DH;

If the user authentication success flag does not exist, the NFCC determines that the first message does not need to be sent to the DH.
The data processing method according to claim 13 or 15, wherein the NFCC performs routing processing on the data frame according to the second message, including:

When the second message is sent by the DH after the user identity verification operation is passed, indicating that the NFCC is allowed to perform the first command of data routing, the NFCC routes the data frame to the first application. NFCEE;

Or,

When the second message is sent by the DH after the user identity verification operation fails, indicating that the NFCC is not allowed to perform the second command of data routing, the NFCC does not route the data frame to the first NFCEE where the application is located, or terminate this communication.
The data processing method according to claim 15, wherein when the first NFCEE identifier in the first routing item is the identifier of the DH-NFCEE,

Sending, by the NFCC, the first message to the DH, including:

Sending, by the NFCC, a first message including the data frame to the DH;

The NFCC performs routing processing on the data frame according to the second message, including:

When the second message is a route configuration command including a second routing item, the NFCC routes the data frame to an NFCEE where the first application is located, and the second message is that the DH is authenticated by a user. After the operation is passed or after determining that the first application is used, it is not required to verify the identity of the user, and the second routing item includes the identifier of the first application and the identifier of the NFCEE where the first application is located.
The data processing method according to claim 14, wherein the NFCC performs routing processing on the data frame, including:

The NFCC routes the data frame to an NFCEE where the first application is located.
The data processing method according to claim 13, wherein the method further comprises:

If the NFCC does not receive any message sent by the DH within a preset time period, the NFCC terminates the current communication.
The data processing method according to any one of claims 13 to 15, wherein the NFCC, after receiving the data frame sent by the second terminal, finds a matching first routing item, including:

After the NFCC receives the data frame sent by the second terminal, the NFCC finds the first routing item that matches the first application according to a routing manner, where the routing manner includes A routing method based on the application identification AID.
A host DH, wherein the DH comprises:

a first receiving unit, configured to receive a first message sent by the NFCC, where the first message is used to notify the DH that the second terminal is to select the first application on the first terminal, and/or for requesting The DH performs a user identity verification operation;

a verification unit, configured to perform a user identity verification operation if the DH determines that user identity verification is required;

a first sending unit, configured to send a second message to the NFCC when the result of the user identity verification operation is a pass, where the second message is a first command that allows the NFCC to perform data routing on the data frame, The data frame is sent by the second terminal to the NFCC, indicating that the message of the first application is to be selected.
The DH of claim 25, wherein the DH further comprises:

a second sending unit, configured to send, to the NFCC, a first routing item that includes a user identity verification request identifier, where the user identity verification request identifier is used to indicate whether the user identity is required or not required to use the first application .
The DH according to claim 25, wherein when the first message is used to notify the DH that the second terminal is to select the first application, the verification unit comprises:

a first determining module, configured to determine, according to the user identity verification request identifier corresponding to the first application, that the user needs to use User identity verification; wherein the user identity verification request is used to indicate that the identity of the user needs to be verified when using the first application.
The DH of claim 25, wherein the DH further comprises:

a third sending unit, configured to send a second routing item, the second routing item, to the NFCC, if the user identity verification request identifier corresponding to the first application indicates that the user identity needs to be verified when the first application is used The identifier of the near field communication execution environment DH-NFCEE corresponding to the DH is included, and the DH-NFCEE is not the NFCEE where the first application is located.
The DH according to claim 28, wherein the first receiving unit comprises:

a first receiving module, configured to receive, by the NFCC, a first message that includes the data frame, where the data frame is used to notify the DH that the second terminal selects the first application;

The verification unit includes:

a second determining module, configured to determine, according to the user identity verification request identifier corresponding to the first application, that user identity verification is required when using the first application;

The first sending unit includes:

And a first sending module, configured to send, to the NFCC, a second message that includes a third routing item, where the third routing item includes an identifier of the NFCEE where the first application is located.
The DH according to claim 28 or 29, wherein the DH further comprises:

a configuration unit, configured to: when the communication ends, or when the DH does not receive the data sent by the second terminal for selecting the first application again within a preset time after the end of the communication At the time of the frame, the second routing entry is reconfigured to the NFCC.
The DH according to any one of claims 26 to 28, wherein the user identity verification request identifier is determined by the DH according to registration information and/or user indication of the first application, wherein The registration information of the first application includes an application type of the first application and/or a requirement parameter for indicating identity verification.
The DH according to any one of claims 25 to 29, wherein the verification unit comprises:

a third determining module, configured to determine, according to the user identity verification success flag, that the user identity verification operation passes if the DH determines that the user identity verification success flag corresponding to the first application exists; or

a fourth determining module, configured to: if the DH determines that the user identity verification success flag corresponding to the first application does not exist, receive and determine user identity information by using the identity verification module of the first terminal to determine the user Whether the authentication operation passed.
The DH of claim 32, wherein the user identity verification success flag is that the DH is saved after the user identity verification operation is determined by the identity verification module of the first terminal.
The DH according to claim 32 or 33, wherein the DH further comprises:

a deleting unit, configured to determine, when the DH does not receive the first message sent by the NFCC again within a preset time period, or determine, according to the user identity verification success flag, the user identity After the verification operation is passed, the user authentication success flag is deleted.
The DH of claim 25, wherein the DH further comprises:

a fourth sending unit, configured to send to the NFCC if the DH determines that user identity verification is not required Sending the second message, the second message is the first command that allows the NFCC to perform data processing on the data frame.
The first terminal according to claim 25, wherein the DH further comprises:

a fifth sending unit, configured to send a second message to the NFCC or not send any message when the user identity verification operation fails, the second message is not allowing the NFCC to perform data on the data frame The second command of the route.
A near field communication controller NFCC, characterized in that the NFCC comprises:

a first receiving unit, configured to receive a data frame sent by the second terminal, and find a matching first routing item, where the data frame is used to indicate that the first application on the first terminal is to be selected;

a first determining unit, configured to determine, according to a preset condition, whether to send a first message to the DH, where the first message is used to notify the DH that the second terminal is to select the first terminal a first application, and/or for requesting the DH to perform a user authentication operation;

a first sending unit, configured to: if yes, send the first message to the DH;

a first routing unit, configured to perform routing processing on the data frame according to the second message if the NFCC receives the second message sent by the DH.
The NFCC according to claim 37, wherein the NFCC further comprises:

The second routing unit is configured to perform routing processing on the data frame if no.
The NFCC according to claim 37 or claim 38, wherein the NFCC further comprises:

a second receiving unit, configured to receive the first routing item of the DH configuration, where the first routing item includes an identifier of the first application and the first NFCEE identifier, where the first NFCEE identifier The identifier of the environment DH-NFCEE is performed for the identifier of the NFCEE in which the first application is located or the near field communication corresponding to the DH.
The NFCC according to claim 39, wherein when the first NFCEE identifier is an identifier of the NFCEE in which the first application is located, the first routing entry further includes the user identity verification request identifier; The first determining unit includes:

a first determining module, configured to determine, according to the user identity verification request identifier in the first routing item, whether to send the first message to the DH;

a first determining module, if the user identity verification request identifier indicates that the user identity needs to be verified when using the first application, determining to send the first message to the DH;

The second determining module is configured to determine not to send the first message to the DH if the user identity verification request identifier indicates that the user identity is not required to be used when the first application is used.
The NFCC according to claim 37 or 38, wherein the first determining unit comprises:

a second determining module, configured to determine, according to a current energy state of the first terminal, whether the first message needs to be sent to the DH;

or,

a third determining module, configured to determine, according to the presence or absence of the user identity verification success flag corresponding to the first application, whether the first message needs to be sent to the DH, where the user identity verification success flag is that the NFCC is receiving The message sent by the DH indicating that the user authentication operation passes is saved.
The NFCC according to claim 41, wherein the second determining module comprises:

a first determining submodule, configured to: if the current energy state of the first terminal is not in an unpowered or powered off state, determine that the first message needs to be sent to the DH;

The second determining submodule is configured to determine that the first message does not need to be sent to the DH if the current energy state of the first terminal is an unpowered or powered off state.
The NFCC according to claim 41, wherein the third determining module comprises:

a third determining submodule, configured to: if the user identity verification success flag exists, determine that the first message needs to be sent to the DH;

And a fourth determining submodule, configured to determine that the first message does not need to be sent to the DH if the user identity verification success flag does not exist.
The NFCC according to claim 37 or 39, wherein the first routing unit comprises:

a first routing module, configured to: when the second message is sent by the DH after the user identity verification operation is passed, indicating that the NFCC is allowed to perform a first command of data routing, routing the data frame to the The NFCEE where the first application is located;

or,

a second routing module, configured to: when the second message is sent by the DH after the user identity verification operation fails, indicating that the NFCC is not allowed to perform the second command of data routing, the data frame is not routed to The NFCEE where the first application is located, or terminates the communication.
The NFCC according to claim 39, wherein when the first NFCEE identifier in the first routing item is the identifier of the DH-NFCEE, the first sending unit includes:

a first sending module, configured to send, to the DH, a first message that includes the data frame;

The first routing unit includes:

a third routing module, configured to: when the second message is a routing configuration command including a second routing item, routing the data frame to an NFCEE where the first application is located, where the second message is the DH After the user authentication operation is passed or after determining that the first application is used, the second routing item includes an identifier of the first application and an identifier of the NFCEE where the first application is located. .
The NFCC according to claim 38, wherein the second routing unit comprises:

And a fourth routing module, configured to route the data frame to the NFCEE where the first application is located.
The NFCC according to claim 37, wherein the NFCC further comprises:

And a terminating unit, configured to terminate the current communication if the NFCC does not receive any message sent by the DH within a preset time period.
The NFCC according to any one of claims 37 to 39, wherein the first receiving unit comprises:

a first query module, configured to: after the NFCC receives the data frame sent by the second terminal, find the first routing item that matches the first application according to a routing manner, where The routing method includes a routing method based on the application identifier AID.
A host DH, wherein the DH comprises:

Input devices, output devices, processors, and storage devices;

The storage device is configured to store an operation instruction;

The processor executes the steps of claims 1 to 12 by invoking the operational instructions.
A near field communication controller NFCC, characterized in that the NFCC comprises:

Input devices, output devices, processors, and storage devices;

The storage device is configured to store an operation instruction;

The processor executes the steps of claims 13 to 24 by invoking the operational instructions.