CN108600222A - Communication method, system and terminal for a client application and a trusted application - Google Patents
- Publication number: CN108600222A
- Application number: CN201810375244.6A
- Authority: CN (China)
- Prior art keywords: key, public key, secure channel, terminal, channel
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/083: Network architectures or network communication protocols for network security, for authentication of entities using passwords
- H04L63/0428: Network architectures or network communication protocols for network security, for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0869: Network architectures or network communication protocols for network security, for authentication of entities, for achieving mutual authentication
- H04L63/1441: Network architectures or network communication protocols for network security, for detecting or protecting against malicious traffic: countermeasures against malicious traffic
Landscapes
- Engineering & Computer Science
- Computer Security & Cryptography
- Computer Hardware Design
- Computing Systems
- General Engineering & Computer Science
- Computer Networks & Wireless Communication
- Signal Processing
- Storage Device Security
- Computer And Data Communications
Abstract
The invention discloses a communication method, system and terminal for a client application (CA) and a trusted application (TA), in the field of communications. The method comprises: the CA and the TA perform mutual authentication based on a first key parameter and a second key parameter respectively; if authentication succeeds, a first secure channel is established between the CA and the TA and a channel session key corresponding to this first secure channel is generated; the CA and the TA exchange data over the first secure channel and encrypt and decrypt that data based on the channel session key and a preset channel transfer rule. The communication method, system and terminal of the invention establish a secure channel between the CA and the TA and protect the data carried in it, preventing third parties from intercepting, storing, analysing or leaking the sensitive information transmitted between the CA and the TA; multiple CAs can access the same TA through multiple mutually isolated secure channels.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a communication method, system and terminal for a client application and a trusted application.
Background
Currently, most terminals integrate a Trusted Execution Environment (TEE) and a Rich Execution Environment (REE). The REE consists of client applications (CA, Client Application) and the application operating system. The TEE consists of trusted applications (TA, Trusted Application) and a trusted operating system (Trusted OS). The REE supports a rich set of applications but carries certain security risks. The TEE is an isolated region of the terminal, and the installation of applications into that region is controlled by a management server platform.
In the ARM TrustZone architecture, a CA running in the Normal World (REE) and a TA running in the Secure World (TEE) are able to exchange data. Without the protection of a secure channel, that data exchange between CA and TA is exposed to the following risks:
1. Leakage of sensitive information: the data exchange between the CA and the TA may rely on functions provided by third-party software, services and drivers, and these third-party components have the opportunity to intercept, store, analyse and leak the sensitive information transmitted between the CA and the TA without the CA or the TA noticing.
2. Tampering with sensitive information: third-party components have the opportunity to modify the sensitive information transmitted between the CA and the TA without the CA or the TA noticing.
3. Injection attacks: third-party components can inject extra data into the data flow between the CA and the TA without the CA or the TA noticing, causing the CA or the TA to perform unintended functions.
4. Replay attacks: third-party components can replay stale historical interaction data between the CA and the TA without the CA or the TA noticing, causing the CA or the TA to perform unintended functions.
5. Impersonated malicious TA: the CA cannot verify the legitimate identity of the TA, so an illegitimate malicious TA may impersonate a legitimate TA to obtain the user's sensitive information.
A new communication mechanism between the CA and the TA is therefore needed.
Summary of the invention
In view of this, one technical problem solved by the invention is to provide a communication method, system and terminal for a client application and a trusted application.
According to one aspect of the invention, a communication method for a client application and a trusted application is provided, comprising: deploying a first key parameter in the client application CA and a second key parameter in the trusted application TA; the CA and the TA performing mutual authentication based on the first key parameter and the second key parameter respectively; if authentication succeeds, establishing a first secure channel between the CA and the TA and generating a channel session key corresponding to this first secure channel; and the CA and the TA exchanging data over the first secure channel and encrypting and decrypting the data transmitted over the first secure channel based on the channel session key and a preset channel transfer rule.
Optionally, the first key parameter comprises a manufacturer public key, and the second key parameter comprises a terminal public key, a terminal private key and a terminal public key signature value.
Optionally, deploying the first key parameter and the second key parameter in the client application CA and the trusted application TA respectively comprises: storing the manufacturer public key in the CA program corresponding to the CA, the manufacturer public key being deployed through the distribution and installation of the CA program; and, when the TA is installed and run for the first time, generating the terminal public key and the terminal private key in the TEE environment, the terminal public key and the terminal private key being stored persistently in the TEE environment in which the TA resides.
Optionally, in the personalization stage of the TA, a second secure channel is established between the TA and a TAM server; the TA sends the terminal public key to the TAM server over the second secure channel and receives over the second secure channel the terminal public key signature value sent by the TAM server, the TAM server having digitally signed the terminal public key with the manufacturer private key; the TA stores the terminal public key signature value persistently.
Optionally, the TA calls a white-box cryptographic library to obtain the terminal public key signature value, the terminal public key being digitally signed with the manufacturer private key inside the white-box library; the TA stores the terminal public key signature value persistently.
Optionally, the manufacturer public key and the manufacturer private key are issued under the TA management root certificate of the TA provider and generated in a key management center.
Optionally, the CA and the TA performing mutual authentication based on the first key parameter and the second key parameter respectively comprises: the TA sends first verification information to the CA, the first verification information comprising the terminal public key and the terminal public key signature value; the CA verifies the terminal public key signature value with the manufacturer public key and, if verification succeeds, generates the channel session key; the CA encrypts second verification information with the terminal public key and sends it to the TA, the second verification information comprising the channel session key and check data; the TA decrypts the encrypted second verification information with the terminal private key and, if the check data passes, establishes the first secure channel and returns a channel-established message to the CA.
Optionally, the CA sends an establish-secure-channel command to the TA, the command containing a CA process instance identifier corresponding to this CA; the TA determines from the CA process instance identifier whether a secure channel has already been established with this CA; if so, it returns a channel-established message; if not, it sends the first verification information to the CA, the first verification information further comprising the CA's channel number.
Optionally, the second verification information further comprises the CA's channel number and the CA process instance identifier, and the channel session key comprises a random number.
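The channel-establishment exchange of the preceding claims (establish-secure-channel command with the CA process instance identifier, first verification information, signature check under the manufacturer public key, encrypted second verification information, check-data check), as an added worked example in Go. This is not code from the patent or from any TEE vendor. The patent fixes no algorithms, so ECDSA P-256 for the manufacturer key pair P_pair, RSA-2048 with OAEP for the terminal key pair T_pair, a 128-bit random session key, a SHA-256 hash as the check data and uint32 process instance identifiers are all assumptions, as are the names TA, CA, Hello, Reply, Finish and EstablishChannel. The TAM server and the white-box library are both stood in for by a direct signing call inside NewTA.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
)

// Algorithm choices are assumptions; the patent only names a manufacturer key pair P_pair and a
// terminal key pair T_pair. Here P_pair is ECDSA P-256 (P_pub ships inside the CA binary) and
// T_pair is RSA-2048, generated by the TA on first run, so that the CA can encrypt the second
// verification info to T_pub with RSA-OAEP. CA process instance ids are modelled as uint32.
type (
	// firstVerification: channel number, T_pub (PKIX/DER) and the ECDSA signature Sig_Ppri(T_pub).
	firstVerification struct {
		ChannelNo        uint32
		TermPub, TermSig []byte
	}
	channel struct {
		No  uint32
		Key []byte // nil until the handshake completes
	}
	TA struct {
		termKey                *rsa.PrivateKey    // T_pri, persisted inside the TEE
		termPubDER, termPubSig []byte             // T_pub and its manufacturer signature
		channels               map[uint32]channel // one isolated channel per CA process instance
	}
	CA struct {
		mfrPub     *ecdsa.PublicKey // P_pub
		InstanceID uint32           // CA process instance identifier
		ChannelNo  uint32
		SessionKey []byte
	}
)

func newManufacturerKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// NewTA models installation and first run: generate T_pair and have T_pub signed by the holder of
// P_pri (the TAM server or the white-box library; both are stood in for by a direct call here).
func NewTA(mfrPriv *ecdsa.PrivateKey) *TA {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	der, _ := x509.MarshalPKIXPublicKey(&k.PublicKey) // cannot fail for an *rsa.PublicKey
	h := sha256.Sum256(der)
	sig, err := ecdsa.SignASN1(rand.Reader, mfrPriv, h[:])
	if err != nil {
		panic(err)
	}
	return &TA{termKey: k, termPubDER: der, termPubSig: sig, channels: map[uint32]channel{}}
}

// Hello handles the establish-secure-channel command: an existing channel for this CA instance is
// reported as established; otherwise a channel number is allotted and the first verification info
// is returned.
func (ta *TA) Hello(id uint32) (established bool, fv *firstVerification) {
	ch, ok := ta.channels[id]
	if ok && ch.Key != nil {
		return true, nil
	}
	if !ok {
		ch = channel{No: uint32(len(ta.channels)) + 1}
		ta.channels[id] = ch
	}
	return false, &firstVerification{ch.No, ta.termPubDER, ta.termPubSig}
}

// checkData binds the other fields of the second verification info. Assumption: the patent only
// says the TA "checks the check data"; a hash over those fields is one way to make that check.
func checkData(no, id uint32, key []byte) []byte {
	h := sha256.New()
	binary.Write(h, binary.BigEndian, [2]uint32{no, id})
	h.Write(key)
	return h.Sum(nil)
}

// Reply is the CA side: verify Sig_Ppri(T_pub) under P_pub, draw a random 128-bit session key and
// encrypt {channel number, instance id, session key, check data} (56 bytes) to T_pub.
func (ca *CA) Reply(fv *firstVerification) ([]byte, error) {
	pub, err := x509.ParsePKIXPublicKey(fv.TermPub)
	termPub, ok := pub.(*rsa.PublicKey)
	h := sha256.Sum256(fv.TermPub)
	if err != nil || !ok || !ecdsa.VerifyASN1(ca.mfrPub, h[:], fv.TermSig) {
		return nil, errors.New("terminal public key not signed by the manufacturer: impostor TA?")
	}
	ca.ChannelNo, ca.SessionKey = fv.ChannelNo, make([]byte, 16)
	if _, err := rand.Read(ca.SessionKey); err != nil {
		return nil, err
	}
	var msg bytes.Buffer
	binary.Write(&msg, binary.BigEndian, [2]uint32{fv.ChannelNo, ca.InstanceID})
	msg.Write(ca.SessionKey)
	msg.Write(checkData(fv.ChannelNo, ca.InstanceID, ca.SessionKey))
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, termPub, msg.Bytes(), nil)
}

// Finish is the TA side: decrypt with T_pri, check the check data and that channel number and
// instance id match what Hello allotted, then store the session key for this CA instance.
func (ta *TA) Finish(id uint32, ct []byte) error {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, ta.termKey, ct, nil)
	if err != nil {
		return err
	}
	if len(pt) != 56 {
		return fmt.Errorf("second verification info has bad length %d", len(pt))
	}
	no, gotID, key, cd := binary.BigEndian.Uint32(pt), binary.BigEndian.Uint32(pt[4:]), pt[8:24], pt[24:]
	if ch, ok := ta.channels[id]; !ok || gotID != id || no != ch.No || !bytes.Equal(cd, checkData(no, id, key)) {
		return errors.New("check data failed")
	}
	ta.channels[id] = channel{No: no, Key: key}
	return nil
}

// EstablishChannel drives the exchange end to end and returns the TA's copy of the session key.
func EstablishChannel(ca *CA, ta *TA) ([]byte, error) {
	if done, fv := ta.Hello(ca.InstanceID); !done {
		ct, err := ca.Reply(fv)
		if err == nil {
			err = ta.Finish(ca.InstanceID, ct)
		}
		if err != nil {
			return nil, err
		}
	}
	return ta.channels[ca.InstanceID].Key, nil
}

func main() {
	mfr := newManufacturerKey()
	ta, ca := NewTA(mfr), &CA{mfrPub: &mfr.PublicKey, InstanceID: 4242}
	key, err := EstablishChannel(ca, ta)
	fmt.Println("channel", ca.ChannelNo, "keys match:", bytes.Equal(key, ca.SessionKey), "err:", err)
}
```

Two things the example makes visible that the claims only imply. The "mutual" authentication is asymmetric: the CA verifies the TA's identity through the manufacturer signature over T_pub, but the TA only checks that the second verification information decrypts under T_pri and is internally consistent, so nothing cryptographic ties a channel to a particular CA and the CA process instance identifier is trusted as reported. And the CA's check is only as strong as the secrecy of P_pri: in the white-box deployment P_pri lives inside the TA image, so whoever extracts it can sign a terminal public key of their own and pass as a legitimate TA.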
Optionally, encrypting and decrypting the data transmitted over the first secure channel based on the channel session key and the preset channel transfer rule comprises: encrypting and decrypting the interaction data between the CA and the TA with a preset encryption algorithm keyed by the channel session key; and transmitting the CA's channel number together with the encrypted interaction data between the CA and the TA over the first secure channel.
Optionally, encrypting and decrypting the interaction data between the CA and the TA with the preset encryption algorithm keyed by the channel session key comprises: using the channel session key as the key and the current value of a channel IV counter as the IV, and applying the encryption algorithm to the interaction data and the check data; the encryption algorithm comprises a symmetric encryption algorithm.
Optionally, a first IV counter is set in the CA and a second IV counter corresponding to the secure channel is set in the TA; when the secure channel is established, the CA and the TA set the initial values of the first IV counter and the second IV counter to 0 respectively; after each complete bidirectional data interaction between the CA and the TA, the CA and the TA increment the first IV counter and the second IV counter by 1 respectively.
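The channel transfer rule of the IV-counter claims above, as an added example in Go that is not part of the patent. The patent leaves the symmetric algorithm open; AES-128-GCM is assumed here, the session key is a constructed 16-byte constant standing in for a negotiated one, and Frame, Endpoint, Seal, Open and RoundTrip are names chosen for the example. One caveat the claims do not state: the rule applies one counter value to both halves of a round trip, and an AEAD such as GCM must never encrypt two messages under the same key and IV, so a direction tag is folded into the IV here; without that (or separate counters per direction) GCM loses both confidentiality and integrity for that pair of messages.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// The patent fixes the IV rule (counter starts at 0 when the channel is established, both sides
// add 1 after each complete request/response round) but not the cipher. AES-128-GCM is assumed
// here. Caveat not in the patent: an AEAD must never see the same (key, IV) twice, and one round
// uses one counter value for both directions, so a direction tag is folded into the IV.
const (
	dirCAtoTA byte = 0x01
	dirTAtoCA byte = 0x02
)

// Frame is what crosses the REE/TEE boundary: the channel number in the clear plus ciphertext.
type Frame struct {
	ChannelNo  uint32
	Ciphertext []byte
}

// Endpoint is one side of a channel: the AEAD under the channel session key, the channel number,
// and this side's IV counter (the first IV counter in the CA, the second in the TA).
type Endpoint struct {
	aead    cipher.AEAD
	chanNo  uint32
	Counter uint64
}

func NewEndpoint(sessionKey []byte, chanNo uint32) (*Endpoint, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Endpoint{aead: aead, chanNo: chanNo}, nil
}

// iv is the 12-byte GCM nonce: direction tag, zero padding, and the current counter value.
func (e *Endpoint) iv(dir byte) []byte {
	iv := make([]byte, 12)
	iv[0] = dir
	binary.BigEndian.PutUint64(iv[4:], e.Counter)
	return iv
}

// aad authenticates the clear-text channel number so a frame cannot be moved between channels.
func aad(chanNo uint32) []byte {
	b := make([]byte, 4)
	binary.BigEndian.PutUint32(b, chanNo)
	return b
}

// Seal encrypts one message of interaction data under the channel session key.
func (e *Endpoint) Seal(dir byte, payload []byte) Frame {
	return Frame{e.chanNo, e.aead.Seal(nil, e.iv(dir), payload, aad(e.chanNo))}
}

// Open decrypts a frame. A wrong channel, a stale counter (replay), and injected or modified
// bytes all fail the GCM tag, which is how the CA and TA "perceive" the attacks in the background.
func (e *Endpoint) Open(dir byte, f Frame) ([]byte, error) {
	if f.ChannelNo != e.chanNo {
		return nil, errors.New("frame addressed to another channel")
	}
	pt, err := e.aead.Open(nil, e.iv(dir), f.Ciphertext, aad(f.ChannelNo))
	if err != nil {
		return nil, errors.New("authentication failed: tampered, injected or replayed frame")
	}
	return pt, nil
}

// RoundTrip is one complete bidirectional interaction: CA request, TA reply via handler, then
// both IV counters advance by one. The request frame is returned so a caller can try replaying it.
func RoundTrip(ca, ta *Endpoint, request []byte, handler func([]byte) []byte) (reply []byte, req Frame, err error) {
	req = ca.Seal(dirCAtoTA, request)
	pt, err := ta.Open(dirCAtoTA, req)
	if err != nil {
		return nil, req, err
	}
	reply, err = ca.Open(dirTAtoCA, ta.Seal(dirTAtoCA, handler(pt)))
	if err != nil {
		return nil, req, err
	}
	ca.Counter++
	ta.Counter++
	return reply, req, nil
}

func main() {
	key := []byte("0123456789abcdef") // constructed stand-in for a negotiated channel session key
	ca, _ := NewEndpoint(key, 1)
	ta, _ := NewEndpoint(key, 1)
	reply, req, err := RoundTrip(ca, ta, []byte("GET_BALANCE"), func(b []byte) []byte { return append([]byte("OK:"), b...) })
	fmt.Printf("reply=%q err=%v counters=%d/%d\n", reply, err, ca.Counter, ta.Counter)
	_, err = ta.Open(dirCAtoTA, req) // replay of the round-0 request against the advanced counter
	fmt.Println("replay:", err)
}
```

RoundTrip hands back the request frame so the reader can replay it: once both counters have advanced the TA computes a different IV, the tag no longer verifies and the replay is rejected. The same check rejects a frame moved to another channel number (the number is authenticated as associated data) and any modified or injected byte.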
According to another aspect of the invention, a communication system for a client application and a trusted application is provided, comprising: a client application CA running in a rich execution environment REE and a trusted application TA running in a trusted execution environment TEE, a first key parameter being deployed in the CA and a second key parameter in the TA; the CA and the TA perform mutual authentication based on the first key parameter and the second key parameter respectively; if authentication succeeds, a first secure channel is established between the CA and the TA and a channel session key corresponding to this first secure channel is generated; the CA and the TA exchange data over the first secure channel and encrypt and decrypt the data transmitted over the first secure channel based on the channel session key and a preset channel transfer rule.
Optionally, the first key parameter comprises a manufacturer public key, and the second key parameter comprises a terminal public key, a terminal private key and a terminal public key signature value.
Optionally, the manufacturer public key is stored in the CA program corresponding to the CA and deployed through the distribution and installation of the CA program; when the TA is installed and run for the first time, the terminal public key and the terminal private key are generated in the TEE environment and stored persistently in the TEE environment in which the TA resides.
Optionally, the system further comprises a TAM server; in the personalization stage of the TA, a second secure channel is established between the TA and the TAM server; the TA sends the terminal public key to the TAM server over the second secure channel, receives over the second secure channel the terminal public key signature value sent by the TAM server, and stores the terminal public key signature value persistently in the TEE environment; the TAM server digitally signs the terminal public key with the manufacturer private key.
Optionally, the TA is further configured to call a white-box cryptographic library to obtain the terminal public key signature value and to store the terminal public key signature value persistently in the TEE environment; the terminal public key is digitally signed with the manufacturer private key inside the white-box library.
Optionally, the system further comprises a key management center; the manufacturer public key and the manufacturer private key are issued under the TA management root certificate of the TA provider and generated in the key management center.
Optionally, the TA is configured to send first verification information to the CA, the first verification information comprising the terminal public key and the terminal public key signature value; the CA is configured to verify the terminal public key signature value with the manufacturer public key, to generate the channel session key if verification succeeds, and to encrypt second verification information with the terminal public key and send it to the TA, the second verification information comprising the channel session key and check data; the TA is further configured to decrypt the encrypted second verification information with the terminal private key and, if the check data passes, to establish the first secure channel and return a channel-established message to the CA.
Optionally, the CA is further configured to send an establish-secure-channel command to the TA, the command containing a CA process instance identifier corresponding to this CA; the TA is configured to determine from the CA process instance identifier whether a secure channel has already been established with this CA, to return a channel-established message if so, and otherwise to send the first verification information to the CA, the first verification information further comprising the CA's channel number.
Optionally, the second verification information further comprises the CA's channel number and the CA process instance identifier, and the channel session key comprises a random number.
Optionally, the CA and the TA each encrypt and decrypt the interaction data between them with a preset encryption algorithm keyed by the channel session key, and the CA's channel number is transmitted together with the encrypted interaction data between the CA and the TA over the first secure channel.
Optionally, the CA and the TA each use the channel session key as the key and the current value of a channel IV counter as the IV, and apply the encryption algorithm to the interaction data and the check data; the encryption algorithm comprises a symmetric encryption algorithm.
Optionally, a first IV counter is set in the CA and a second IV counter corresponding to the secure channel is set in the TA; when the secure channel is established, the CA and the TA set the initial values of the first IV counter and the second IV counter to 0 respectively; after each complete bidirectional data interaction between the CA and the TA, the CA and the TA increment the first IV counter and the second IV counter by 1 respectively.
According to another aspect of the invention, a communication system for a client application and a trusted application is provided, comprising a memory and a processor coupled to the memory, the processor being configured to execute the communication method for a client application and a trusted application described above based on instructions stored in the memory.
According to another aspect of the invention, a terminal is provided that comprises the communication system for a client application and a trusted application described above.
According to a further aspect of the invention, a computer-readable storage medium is provided on which computer program instructions are stored, the instructions implementing the steps of the method described above when executed by one or more processors.
In the communication method, system and terminal for a client application and a trusted application of the invention, the CA and the TA perform mutual authentication based on a first key parameter and a second key parameter respectively; if authentication succeeds, a first secure channel is established between the CA and the TA and a channel session key corresponding to this first secure channel is generated; the CA and the TA exchange data over the first secure channel and encrypt and decrypt the data based on the channel session key and a preset channel transfer rule. A secure channel is thus established between the CA and the TA and the data in the secure channel is protected: the CA can verify the legitimate identity of the TA by verifying the signature over the TA's terminal public key; third-party components in the system are prevented from intercepting, storing, analysing or leaking the sensitive information transmitted between the CA and the TA; the CA and the TA can detect and prevent malicious behaviour by an attacker such as data tampering, replay attacks and injection attacks; and multiple CAs can access the TA through multiple mutually isolated secure channels.
Brief description of the drawings
To explain the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Clearly, the drawings described below show only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow diagram of one embodiment of the communication method for a client application and a trusted application according to the invention;
Fig. 2 is a diagram of the key system in one embodiment of the communication method for a client application and a trusted application according to the invention;
Fig. 3 is a flow diagram of secure-channel establishment in one embodiment of the communication method for a client application and a trusted application according to the invention;
Fig. 4 is a block diagram of one embodiment of the communication system for a client application and a trusted application according to the invention;
Fig. 5 is a block diagram of another embodiment of the communication system for a client application and a trusted application according to the invention.
Detailed description
Various exemplary embodiments of the invention are now described in detail with reference to the drawings. Unless otherwise stated, the relative arrangement of components and steps, the numerical expressions and the numerical values set out in these embodiments do not limit the scope of the invention.
It should also be understood that, for ease of description, the sizes of the parts shown in the drawings are not drawn to their actual proportions.
The following description of at least one exemplary embodiment is merely illustrative and in no way limits the invention or its application or use.
Techniques, methods and apparatus known to a person of ordinary skill in the relevant art may not be discussed in detail, but where appropriate they are to be considered part of the specification.
Similar reference numerals and letters denote similar items in the following drawings; once an item is defined in one drawing, it need not be discussed further in subsequent drawings.
Embodiments of the invention can be applied to a computer system/server that operates together with numerous other general-purpose or special-purpose computing system environments or configurations. Examples of well-known computing systems, environments and/or configurations suitable for use with a computer system/server include, but are not limited to: smartphones, personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, and distributed cloud computing environments that include any of the above systems.
A computer system/server may be described in the general context of computer-system-executable instructions, such as program modules, executed by a computer system. Generally, program modules may include routines, programs, target programs, components, logic, data structures and so on that perform particular tasks or implement particular abstract data types. A computer system/server may be practised in a distributed cloud computing environment in which tasks are performed by remote processing devices linked through a communication network. In a distributed cloud computing environment, program modules may be located in local or remote computer system storage media that include storage devices.
"First" and "second" in the following description serve only to distinguish items and have no other special meaning.
Fig. 1 is a flow diagram of one embodiment of the communication method for a client application and a trusted application according to the invention. As shown in Fig. 1:
Step 101: a first key parameter and a second key parameter are deployed in the client application CA and the trusted application TA respectively.
Step 102: the CA and the TA perform mutual authentication based on the first key parameter and the second key parameter respectively.
Step 103: if authentication succeeds, a first secure channel is established between the CA and the TA and a channel session key corresponding to this first secure channel is generated. The channel session key can be obtained in various ways; for example, the two communicating parties may each derive the channel session key from known parameters.
Step 104: the CA and the TA exchange data over the first secure channel and encrypt and decrypt the data transmitted over the first secure channel based on the channel session key and a preset channel transfer rule.
In the communication method for a client application and a trusted application of the above embodiment, the CA and the TA, as the two ends of the data communication, protect the data interaction between them by deploying a key system and establishing an end-to-end secure channel.
In one embodiment, the first key parameter comprises the manufacturer public key, and the second key parameter comprises the terminal public key, the terminal private key and the terminal public key signature value. The manufacturer public key is stored in the CA program and deployed through the distribution and installation of the CA program. When the TA is installed and run for the first time, the terminal public key and the terminal private key are generated in the TEE environment and stored persistently in the TEE environment in which the TA resides. The manufacturer public key and the manufacturer private key are issued under the TA provider's TA management root certificate and generated in the key management center.
As shown in Fig. 2, the TA management root certificate R_pair held by the TA provider is stored in the cryptographic hardware module (encryption machine) of the manufacturer's key management center. The manufacturer certificate and its public/private key pair P_pair held by the TA provider are also stored in the cryptographic hardware module of the manufacturer's key management center. The CA stores the manufacturer certificate and its public key P_pub; the TA stores the TA terminal key pair T_pair; the TA also stores the signature value obtained by digitally signing the TA's terminal public key T_pub with the manufacturer private key P_pri.
The manufacturer certificate is issued under the TA management root certificate held by the TA provider. The key pair P_pair is generated and used inside the cryptographic hardware module of the key management center: the public key can be exported, the private key cannot. The exported manufacturer public key P_pub can be packaged in binary form into the CA program and deployed to the smart mobile terminal device together with the distribution of the CA program. When the TA is run for the first time after installation, the TA terminal key pair T_pair is generated inside the TEE and stored persistently in the TEE environment using secure storage.
Depending on whether a TAM server (Trusted Application Manager, trusted service management) is deployed, the TA's terminal public key signature value is generated in one of two ways. In the deployment scenario with a TAM, a second secure channel is established between the TA and the TAM server during the TA's personalization stage. The TA sends the terminal public key to the TAM server over the second secure channel and receives over the second secure channel the terminal public key signature value sent back by the TAM server; the TAM server digitally signs the terminal public key with the manufacturer private key, and the TA stores the terminal public key signature value persistently. For example, over the second secure channel the TA sends the terminal public key T_pub to the TAM; the TAM calls the cryptographic hardware module of the key management center to digitally sign T_pub with the manufacturer private key P_pri and issues the signature value to the TA over the second secure channel; finally the TA stores the signature value persistently in the TEE environment.
In a deployment without a TAM, the TA calls a white-box cryptography library to obtain the terminal public key signature value: inside the white-box library the terminal public key is digitally signed with the manufacturer's private key, and the TA stores the terminal public key signature value persistently. For example, the manufacturer private key P_pri is embedded in the TA image under the protection of white-box cryptography (any of the existing white-box techniques may be used). After generating the terminal key pair, the TA calls the white-box library, which signs the terminal public key T_pub with P_pri, and the TA stores the signature value persistently in the TEE environment.
In one embodiment, the CA sends an establish-secure-channel command to the TA; the command carries the CA process-instance identifier corresponding to this CA. Based on the CA process-instance identifier, the TA judges whether a secure channel with this CA has already been established. If so, it returns a channel-established-successfully message; if not, the TA sends first verification information to the CA, which includes the channel number of the CA, the terminal public key and the terminal public key signature value.
The CA verifies the terminal public key signature value with the manufacturer's public key. If verification succeeds, the CA generates the channel session key (for example a random number), encrypts second verification information with the terminal public key and sends it to the TA; the second verification information includes the channel number of the CA, the CA process-instance identifier, the channel session key and check data. The TA decrypts the encrypted second verification information with the terminal private key; if the check data verifies successfully, the first secure channel is established and the TA returns a channel-established-successfully message to the CA.
Fig. 3 is a flow diagram of establishing the secure channel according to one embodiment of the communication method of a client application and a trusted application of the present invention. As shown in Fig. 3:
Step 301: the CA sends an establish-secure-channel command to the TA, carrying the unique identifier of the CA process instance. The unique identifier can take various forms, for example a 2-byte process ID plus a 2-byte random number.
The TA checks the unique identifier of the CA process instance. If it confirms that this CA has already established a secure channel, it proceeds to step 302: it returns success directly and supplies the channel number associated with this CA. If it confirms that this CA has not yet established a secure channel, it proceeds to step 303: it returns a channel-not-yet-established message together with additional output data: the channel number newly assigned to this CA, the terminal public key T_pub of the TA, and the terminal public key signature value.
Step 304: the CA verifies the TA's terminal public key signature value with the manufacturer public key P_pub. If verification fails, the TA is not a genuine, legitimate TA, and step 305 is performed: the secure channel establishment flow is terminated. If verification succeeds, step 306 is performed: the CA generates a random number as the channel session key of the secure channel and encrypts a request data packet with the TA's terminal public key T_pub. The request data packet contains the newly assigned channel number, the unique identifier of the CA process instance, the channel session key and check data; the check data can be a CRC, a hash, a MAC, or similar. The CA sends the encrypted request data packet to the TA.
Step 307: the TA decrypts the request data with the terminal private key T_pri. If the check data after decryption is incorrect, step 308 is performed: the secure channel establishment flow is terminated. If the check data after decryption is correct, a new secure channel context is created and the relevant parameters are saved in it, and step 309 is performed: a channel-established-successfully message is returned. The CA and the TA now both hold the channel session key and the other parameters of the first secure channel, and the establishment of the first secure channel is complete.
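The provisioning described from the manufacturer key pair onward, and the channel-establishment flow of steps 301 to 309, as an added example in Go that is not part of the patent or of any vendor's implementation. Both parties are modelled in one process. Everything the page does not fix is an assumption: ECDSA P-256 for the manufacturer key pair P_pair, RSA-2048 with OAEP for the terminal key pair T_pair (the CA has to encrypt the session key to T_pub, so T_pair must be an encryption-capable key), SHA-256 of the DER-encoded T_pub as the signed value, a 4-byte process-instance identifier, a 16-byte random session key, and a SHA-256 hash as the check data; the TAM or white-box signing step is a direct call with the manufacturer private key. Two points worth keeping in mind when reading it: P_pub ships in every copy of the CA binary, so step 304 authenticates the TA to the CA, while the TA only learns that the sender could read its reply and encrypt to T_pub; and in the white-box variant P_pri is embedded in every TA image, so the strength of the TA's identity rests on that white-box implementation.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
)

// TA-side context per channel number; instID is the CA process-instance id (4 bytes assumed).
type channelCtx struct {
	instID, sessionKey []byte
	ivCounter          uint32 // channel IV counter, 0 after establishment
}

// TA: terminal key pair T_pair (RSA so the CA can encrypt to T_pub) and the signature over T_pub.
type TA struct {
	tPair    *rsa.PrivateKey
	tPubSig  []byte
	nextChan uint16
	channels map[uint16]*channelCtx
	byInst   map[string]uint16 // established channels keyed by process-instance id
}

// CA: only the manufacturer public key P_pub is baked into the CA binary.
type CA struct {
	mfrPub     *ecdsa.PublicKey
	instID     []byte
	chanNo     uint16
	sessionKey []byte
}

// NewManufacturerKey stands in for P_pair generated in the Key Management Center's HSM (assumed ECDSA P-256).
func NewManufacturerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// pubHash is the value the manufacturer signs and the CA verifies: SHA-256 of T_pub in DER form.
func pubHash(pub *rsa.PublicKey) []byte {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for a well-formed *rsa.PublicKey
	h := sha256.Sum256(der)
	return h[:]
}

// NewTA models personalisation: T_pair generated at first run, T_pub signed with P_pri
// (done by the TAM's HSM or a white-box library in the page; a direct call here).
func NewTA(mfrPri *ecdsa.PrivateKey) (*TA, error) {
	tPair, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, mfrPri, pubHash(&tPair.PublicKey))
	if err != nil {
		return nil, err
	}
	return &TA{tPair: tPair, tPubSig: sig, nextChan: 1,
		channels: map[uint16]*channelCtx{}, byInst: map[string]uint16{}}, nil
}

// EstablishReply is the TA's answer to the establish-secure-channel command (steps 302/303).
type EstablishReply struct {
	Established bool // a channel for this process instance already exists
	ChanNo      uint16
	TPub        *rsa.PublicKey
	TPubSig     []byte
}

// HandleEstablish: steps 301-303 on the TA.
func (ta *TA) HandleEstablish(instID []byte) EstablishReply {
	if n, ok := ta.byInst[string(instID)]; ok {
		return EstablishReply{Established: true, ChanNo: n}
	}
	n := ta.nextChan
	ta.nextChan++
	ta.channels[n] = &channelCtx{instID: append([]byte(nil), instID...)}
	return EstablishReply{ChanNo: n, TPub: &ta.tPair.PublicKey, TPubSig: ta.tPubSig}
}

// BuildKeyRequest: steps 304-306 on the CA. Verify the manufacturer signature over T_pub, then
// send chanNo | instID | sessionKey | SHA-256(preceding fields) under RSA-OAEP with T_pub.
func (ca *CA) BuildKeyRequest(r EstablishReply) ([]byte, error) {
	if !ecdsa.VerifyASN1(ca.mfrPub, pubHash(r.TPub), r.TPubSig) {
		return nil, errors.New("terminal public key signature invalid: not a legitimate TA")
	}
	ca.sessionKey = make([]byte, 16)
	if _, err := rand.Read(ca.sessionKey); err != nil {
		return nil, err
	}
	ca.chanNo = r.ChanNo
	req := make([]byte, 2)
	binary.BigEndian.PutUint16(req, r.ChanNo)
	req = append(append(req, ca.instID...), ca.sessionKey...)
	check := sha256.Sum256(req)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, r.TPub, append(req, check[:]...), nil)
}

// HandleKeyRequest: steps 307-309 on the TA. Decrypt with T_pri, verify the check data and the
// channel/instance binding, and only then install the session key in the channel context.
func (ta *TA) HandleKeyRequest(ct []byte) (uint16, error) {
	req, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, ta.tPair, ct, nil)
	if err != nil {
		return 0, err
	}
	const body = 2 + 4 + 16
	if len(req) != body+sha256.Size {
		return 0, errors.New("malformed request")
	}
	if check := sha256.Sum256(req[:body]); !bytes.Equal(check[:], req[body:]) {
		return 0, errors.New("check data mismatch")
	}
	chanNo := binary.BigEndian.Uint16(req)
	ctx, ok := ta.channels[chanNo]
	if !ok || !bytes.Equal(ctx.instID, req[2:6]) {
		return 0, errors.New("unknown channel or process-instance mismatch")
	}
	ctx.sessionKey, ctx.ivCounter = append([]byte(nil), req[6:body]...), 0
	ta.byInst[string(ctx.instID)] = chanNo
	return chanNo, nil
}

// Establish runs the whole exchange for one CA process instance and returns its channel number.
func Establish(ca *CA, ta *TA) (uint16, error) {
	r := ta.HandleEstablish(ca.instID)
	if r.Established {
		ca.chanNo = r.ChanNo
		return r.ChanNo, nil
	}
	ct, err := ca.BuildKeyRequest(r)
	if err != nil {
		return 0, err
	}
	return ta.HandleKeyRequest(ct)
}

// KeysAgree reports whether the CA and the TA context for its channel hold the same session key.
func KeysAgree(ca *CA, ta *TA) bool {
	ctx, ok := ta.channels[ca.chanNo]
	return ok && ctx.sessionKey != nil && bytes.Equal(ctx.sessionKey, ca.sessionKey)
}

func main() {
	mfrPri, _ := NewManufacturerKey()
	ta, _ := NewTA(mfrPri)
	ca := &CA{mfrPub: &mfrPri.PublicKey, instID: []byte{0x12, 0x34, 0xab, 0xcd}} // constructed instance id
	fmt.Println(Establish(ca, ta))
}
```

The TA marks a process instance as established only after step 307 succeeds, so a repeated command for the same instance before that point simply allocates a fresh channel number, and a TA whose T_pub was signed by a key other than the manufacturer's is rejected at step 304 before any session key exists.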
In one embodiment, the interaction data between the CA and the TA is encrypted and decrypted with a preset encryption algorithm based on the channel session key, and the channel number of the CA together with the encrypted interaction data is transmitted between the CA and the TA over the first secure channel. The encryption algorithm is a symmetric encryption algorithm; the channel session key is used as the key, the current value of the channel IV counter is used as the IV, and the interaction data and the check data are encrypted and decrypted with that algorithm.
After the first secure channel is established, the CA and the TA hold the channel number of the secure channel, the channel session key, the unique identifier of the CA process instance, the initial value of the channel IV counter (0 by default), and so on. Every data packet exchanged between the CA and the TA consists of the channel number and the ciphertext data. The ciphertext can be produced with a symmetric algorithm such as AES or 3DES in CBC, CFB or OFB mode, using the channel session key as the key and the current value of the channel IV counter as the IV, over the original data to be exchanged between the CA and the TA plus the check data; the check data is a CRC, a hash, a MAC, or similar.
A first IV counter is kept in the CA, and a second IV counter corresponding to the secure channel is kept in the TA. The TA has to support multiple concurrent secure channels: each channel number corresponds to one secure channel context in the TA, and the session key, IV counter and other parameters of different secure channels are kept in their respective contexts without interfering with one another. When the secure channel is established, the CA and the TA set the first and second IV counters to 0; after each completed bidirectional data interaction between the CA and the TA, the CA and the TA each add 1 to their IV counter.
For example, the CA and the TA each maintain a local channel IV counter, both initialised to 0 when the channel is set up. The CA uses the current value of its IV counter as the IV parameter when encrypting downlink (CA->TA) packets and when decrypting uplink (TA->CA) packets; the TA does the same when decrypting downlink packets and encrypting uplink packets. After each complete bidirectional interaction (CA->TA, then TA->CA), the CA and the TA both add 1 to their IV counter, and the updated counter value is used for the next interaction.
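The packet format and IV-counter rule of the passage above, as an added example in Go that is not the patent's own code: AES-128-CBC under the channel session key with the local IV counter as the IV, a keyed MAC as the check data, one context per channel number, and both counters advanced after each bidirectional interaction. What the page leaves open is assumed here: the counter occupies the last four bytes of the 16-byte IV, PKCS#7 padding, and HMAC-SHA256 over a direction byte, the IV and the payload. The page lists CRC, hash or MAC as check data; only a keyed MAC detects tampering by a party who does not hold the session key, and binding the direction and the counter value into it is what makes a replayed or reflected packet fail. A single error value is returned for padding and MAC failures so that the TA does not act as a padding oracle for an REE-side attacker.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Channel is one side's secure-channel context: channel number, channel session key and the
// local channel IV counter (0 when the channel is established). IsTA selects the direction byte.
type Channel struct {
	ChanNo     uint16
	SessionKey []byte // 16 bytes: AES-128
	IVCounter  uint32
	IsTA       bool
}

var errChannel = errors.New("secure channel: packet rejected") // one error for padding and MAC failures

// iv places the current counter value in the last four bytes of a zero block, as the CBC IV (assumed layout).
func (c *Channel) iv() []byte {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint32(iv[12:], c.IVCounter)
	return iv
}

// tag is the check data: HMAC-SHA256 over direction byte | IV | payload under the session key,
// so a packet replayed under a later counter, or reflected back to its sender, does not verify.
func (c *Channel) tag(fromTA bool, payload []byte) []byte {
	m := hmac.New(sha256.New, c.SessionKey)
	dir := byte(0)
	if fromTA {
		dir = 1
	}
	m.Write([]byte{dir})
	m.Write(c.iv())
	m.Write(payload)
	return m.Sum(nil)
}

// Seal builds a packet: channel number in clear || AES-CBC(session key, IV=counter, payload || tag, PKCS#7).
func (c *Channel) Seal(payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(c.SessionKey)
	if err != nil {
		return nil, err
	}
	body := append(append([]byte(nil), payload...), c.tag(c.IsTA, payload)...)
	pad := aes.BlockSize - len(body)%aes.BlockSize
	body = append(body, bytes.Repeat([]byte{byte(pad)}, pad)...)
	pkt := make([]byte, 2+len(body))
	binary.BigEndian.PutUint16(pkt, c.ChanNo)
	cipher.NewCBCEncrypter(block, c.iv()).CryptBlocks(pkt[2:], body)
	return pkt, nil
}

// Open checks the channel number, decrypts under the local counter, strips padding and verifies the tag.
func (c *Channel) Open(pkt []byte) ([]byte, error) {
	if len(pkt) < 2+aes.BlockSize || (len(pkt)-2)%aes.BlockSize != 0 ||
		binary.BigEndian.Uint16(pkt) != c.ChanNo {
		return nil, errChannel
	}
	block, err := aes.NewCipher(c.SessionKey)
	if err != nil {
		return nil, err
	}
	body := make([]byte, len(pkt)-2)
	cipher.NewCBCDecrypter(block, c.iv()).CryptBlocks(body, pkt[2:])
	pad := int(body[len(body)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(body[len(body)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errChannel
	}
	body = body[:len(body)-pad]
	if len(body) < sha256.Size {
		return nil, errChannel
	}
	payload, got := body[:len(body)-sha256.Size], body[len(body)-sha256.Size:]
	if !hmac.Equal(got, c.tag(!c.IsTA, payload)) {
		return nil, errChannel
	}
	return payload, nil
}

// RoundTrip performs one bidirectional interaction (CA->TA request, TA->CA reply) and then
// advances both local IV counters, as the page specifies.
func RoundTrip(ca, ta *Channel, req []byte, handle func([]byte) []byte) ([]byte, error) {
	down, err := ca.Seal(req)
	if err != nil {
		return nil, err
	}
	got, err := ta.Open(down)
	if err != nil {
		return nil, err
	}
	up, err := ta.Seal(handle(got))
	if err != nil {
		return nil, err
	}
	resp, err := ca.Open(up)
	if err == nil {
		ca.IVCounter++
		ta.IVCounter++
	}
	return resp, err
}

func main() {
	key := []byte("0123456789abcdef") // constructed; in practice the session key from the handshake
	ca, ta := &Channel{ChanNo: 1, SessionKey: key}, &Channel{ChanNo: 1, SessionKey: key, IsTA: true}
	resp, err := RoundTrip(ca, ta, []byte("GET_BALANCE"), func(b []byte) []byte { return append([]byte("OK:"), b...) })
	fmt.Printf("%q %v counters=%d/%d\n", resp, err, ca.IVCounter, ta.IVCounter)
}
```

Because the IV is never carried in the packet, a packet replayed after the counters have advanced decrypts to a garbled first block and fails the tag check on the receiver, which is where the page's replay protection actually comes from; the per-channel context makes a packet for one channel number unverifiable under another channel's key and counter.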
In one embodiment, as shown in Fig. 4, the present invention provides a communication system for a client application and a trusted application, comprising a client application CA 41 running in the rich execution environment REE, a trusted application TA 42 running in the trusted execution environment TEE, a TAM server 43 and a Key Management Center 44. First key parameters are deployed in CA 41 and second key parameters in TA 42. CA 41 and TA 42 perform bidirectional identity authentication based on the first key parameters and the second key parameters respectively; if authentication succeeds, a first secure channel is established between CA 41 and TA 42 and a channel session key corresponding to this first secure channel is generated. CA 41 and TA 42 exchange data over the first secure channel, and encrypt and decrypt the data transmitted over the first secure channel based on the channel session key and a preset channel transmission rule.
In one embodiment, the first key parameters comprise the manufacturer's public key, and the second key parameters comprise the terminal public key, the terminal private key and the terminal public key signature value. The manufacturer's public key is stored in the CA program corresponding to CA 41 and is deployed through the distribution and installation of the CA program. When TA 42 is installed and run for the first time, it generates the terminal public key and the terminal private key in the TEE environment and stores them persistently in TA 42. The manufacturer's public key and private key are issued under the TA management root certificate of the TA provider and generated in the Key Management Center 44.
In the personalization stage of TA 42, a second secure channel is established between TA 42 and the TAM server 43. TA 42 sends the terminal public key to the TAM server 43 over the second secure channel and receives over the second secure channel the terminal public key signature value sent by the TAM server 43, which digitally signs the terminal public key with the manufacturer's private key; TA 42 stores the terminal public key signature value persistently in the TEE environment.
Alternatively, TA 42 calls a white-box cryptography library to obtain the terminal public key signature value and stores it persistently in the TEE environment; inside the white-box cryptography library the terminal public key is digitally signed with the manufacturer's private key.
In one embodiment, CA 41 sends an establish-secure-channel command to TA 42; the command carries the CA process-instance identifier corresponding to this CA 41. TA 42 judges from the CA process-instance identifier whether a secure channel with CA 41 has already been established; if so, it returns a channel-established-successfully message, and if not, TA 42 sends first verification information to CA 41, which includes the channel number of the CA, the terminal public key and the terminal public key signature value.
CA 41 verifies the terminal public key signature value with the manufacturer's public key. If verification succeeds, it generates the channel session key (a random number), encrypts second verification information with the terminal public key and sends it to TA 42; the second verification information includes the channel number of the CA, the CA process-instance identifier, the channel session key and check data. TA 42 decrypts the encrypted second verification information with the terminal private key; if the check data verifies successfully, the first secure channel is established and TA 42 returns a channel-established-successfully message to CA 41.
CA 41 and TA 42 encrypt and decrypt the interaction data between them with a preset encryption algorithm based on the channel session key, and transmit the channel number of the CA together with the encrypted interaction data over the first secure channel. Each of CA 41 and TA 42 uses the channel session key as the key and the current value of its channel IV counter as the IV, and encrypts and decrypts the interaction data and the check data with that algorithm, which is a symmetric encryption algorithm.
A first IV counter is kept in CA 41, and a second IV counter corresponding to the secure channel is kept in TA 42. When the secure channel is established, CA 41 and TA 42 set the first and second IV counters to 0; after each completed bidirectional data interaction between CA 41 and TA 42, CA 41 and TA 42 each add 1 to their IV counter.
Fig. 5 is a block diagram of another embodiment of the communication system for a client application and a trusted application disclosed by the invention. As shown in Fig. 5, the device may comprise a memory 51, a processor 52, a communication interface 53 and a bus 54. The memory 51 stores instructions; the processor 52 is coupled to the memory 51 and is configured to execute, based on the instructions stored in the memory 51, the communication method of a client application and a trusted application described above.
The memory 51 can be high-speed RAM, non-volatile memory, or the like, and can also be a memory array. The processor 52 can be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the communication method of a client application and a trusted application disclosed by the invention.
In one embodiment, the present invention provides a terminal comprising the communication system of a client application and a trusted application of any of the embodiments above. The terminal can be a smartphone, a tablet computer, or the like.
In one embodiment, the disclosure also provides a computer-readable storage medium storing computer instructions which, when executed by a processor, implement the communication method of a client application and a trusted application of any of the embodiments above. Those skilled in the art will understand that embodiments of the disclosure can be provided as a method, an apparatus or a computer program product. The disclosure can therefore take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the disclosure can take the form of a computer program product implemented on one or more non-transitory computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
The disclosure is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the disclosure. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
This completes the detailed description of the disclosure. Some details well known in the art have been omitted so as not to obscure the concept of the disclosure; given the description above, those skilled in the art can fully understand how to implement the technical solution disclosed herein.
With the communication method, system and terminal for a client application and a trusted application provided in the above embodiments, the CA and the TA perform bidirectional identity authentication based on the first key parameters and the second key parameters respectively; if authentication succeeds, a first secure channel is established between the CA and the TA and a channel session key corresponding to this first secure channel is generated; the CA and the TA exchange data over the first secure channel and encrypt and decrypt the data based on the channel session key and a preset channel transmission rule. A secure channel is thus established between the CA and the TA and the data in it is protected; the CA verifies the legitimate identity of the TA by verifying the TA's terminal public key signature, which prevents third-party components in the system from intercepting, storing, analysing or leaking the sensitive information transmitted between the CA and the TA; the CA and the TA can detect and prevent malicious behaviour such as data tampering, replay attacks and injection attacks by an attacker; and multiple CAs can access the TA through multiple mutually isolated secure channels.
The method and system of the present invention may be implemented in many ways, for example by software, hardware, firmware, or any combination of software, hardware and firmware. The order of the steps given above for the method is for illustration only; the steps of the method of the present invention are not limited to the order described in detail above unless otherwise specified. In some embodiments, the present invention can also be embodied as a program recorded on a recording medium, the program comprising machine-readable instructions for implementing the method according to the present invention; the present invention thus also covers a recording medium storing a program for executing the method according to the present invention.
The description of the present invention has been given for the purposes of example and description, and is not exhaustive or intended to limit the present invention to the form disclosed. Many modifications and variations will be obvious to those of ordinary skill in the art. The embodiments were selected and described in order to better illustrate the principles and practical application of the present invention, and to enable those skilled in the art to understand the present invention in various embodiments with the various modifications suited to a particular use.
Claims (27)
1. A communication method for a client application and a trusted application, characterized in that it comprises:
deploying first key parameters in the client application CA and second key parameters in the trusted application TA respectively;
the CA and the TA performing bidirectional identity authentication based on the first key parameters and the second key parameters respectively;
if authentication succeeds, establishing a first secure channel between the CA and the TA and generating a channel session key corresponding to this first secure channel;
the CA and the TA exchanging data over the first secure channel, and encrypting and decrypting the data transmitted over the first secure channel based on the channel session key and a preset channel transmission rule.
2. The method of claim 1, characterized in that:
the first key parameters comprise: a manufacturer public key; the second key parameters comprise: a terminal public key, a terminal private key and a terminal public key signature value.
3. The method of claim 2, characterized in that deploying first key parameters in the client application CA and second key parameters in the trusted application TA respectively comprises:
storing the manufacturer public key in a CA program corresponding to the CA, wherein the manufacturer public key is deployed through the distribution and installation of the CA program;
when the TA is installed and run for the first time, generating the terminal public key and the terminal private key in the TEE environment, wherein the terminal public key and the terminal private key are stored persistently in the TEE environment in which the TA resides.
4. The method of claim 3, characterized in that it further comprises:
in the personalization stage of the TA, establishing a second secure channel between the TA and a TAM server;
the TA sending the terminal public key to the TAM server over the second secure channel, and receiving over the second secure channel the terminal public key signature value sent by the TAM server, wherein the TAM server digitally signs the terminal public key with a manufacturer private key;
the TA storing the terminal public key signature value persistently.
5. The method of claim 3, characterized in that it further comprises:
the TA calling a white-box cryptography library to obtain the terminal public key signature value, wherein the terminal public key is digitally signed with a manufacturer private key inside the white-box cryptography library;
the TA storing the terminal public key signature value persistently.
6. The method of claim 2, characterized in that:
the manufacturer public key and the manufacturer private key are issued under the TA management root certificate of the TA provider and generated in a Key Management Center.
7. The method of claim 2, characterized in that the CA and the TA performing bidirectional identity authentication based on the first key parameters and the second key parameters respectively comprises:
the TA sending first verification information to the CA, wherein the first verification information comprises: the terminal public key and the terminal public key signature value;
the CA verifying the terminal public key signature value with the manufacturer public key and, if verification succeeds, generating the channel session key;
the CA encrypting second verification information with the terminal public key and sending it to the TA, wherein the second verification information comprises: the channel session key and check data;
the TA decrypting the encrypted second verification information with the terminal private key and, if the check data verifies successfully, establishing the first secure channel and returning a channel-established-successfully message to the CA.
8. The method of claim 7, characterized in that it further comprises:
the CA sending an establish-secure-channel command to the TA, wherein the establish-secure-channel command comprises a CA process-instance identifier corresponding to this CA;
the TA judging, based on the CA process-instance identifier, whether a secure channel with the CA has already been established and, if so, returning a channel-established-successfully message, and if not, sending the first verification information to the CA, wherein the first verification information further comprises: the channel number of the CA.
9. The method of claim 8, characterized in that:
the second verification information further comprises: the channel number of the CA and the CA process-instance identifier;
the channel session key comprises: a random number.
10. The method of claim 7, characterized in that encrypting and decrypting the data transmitted over the first secure channel based on the channel session key and a preset channel transmission rule comprises:
encrypting and decrypting the interaction data between the CA and the TA with a preset encryption algorithm based on the channel session key;
transmitting the channel number of the CA and the encrypted interaction data between the CA and the TA over the first secure channel.
11. The method of claim 10, characterized in that encrypting and decrypting the interaction data between the CA and the TA with a preset encryption algorithm based on the channel session key comprises:
using the channel session key as the key and the current value of a channel IV counter as the IV, encrypting and decrypting the interaction data and check data with the encryption algorithm;
wherein the encryption algorithm comprises: a symmetric encryption algorithm.
12. The method of claim 11, characterized in that:
a first IV counter is arranged in the CA, and a second IV counter corresponding to the secure channel is arranged in the TA;
when the secure channel is established, the CA and the TA set the initial values of the first IV counter and the second IV counter respectively to 0;
after completing one bidirectional data interaction between the CA and the TA, the CA and the TA add 1 to the values of the first IV counter and the second IV counter respectively.
13. A communication system for a client application and a trusted application, characterized in that it comprises:
a client application CA running in the rich execution environment REE, and a trusted application TA running in the trusted execution environment TEE;
first key parameters are deployed in the CA and second key parameters in the TA respectively; the CA and the TA perform bidirectional identity authentication based on the first key parameters and the second key parameters respectively; if authentication succeeds, a first secure channel is established between the CA and the TA and a channel session key corresponding to this first secure channel is generated;
the CA and the TA exchange data over the first secure channel, and encrypt and decrypt the data transmitted over the first secure channel based on the channel session key and a preset channel transmission rule.
14. The system of claim 13, characterized in that:
the first key parameters comprise: a manufacturer public key; the second key parameters comprise: a terminal public key, a terminal private key and a terminal public key signature value.
15. The system of claim 14, characterized in that:
the manufacturer public key is stored in a CA program corresponding to the CA, wherein the manufacturer public key is deployed through the distribution and installation of the CA program;
when the TA is installed and run for the first time, the terminal public key and the terminal private key are generated in the TEE environment, wherein the terminal public key and the terminal private key are stored persistently in the TEE environment in which the TA resides.
16. The system of claim 15, characterized in that it further comprises a TAM server;
in the personalization stage of the TA, a second secure channel is established between the TA and the TAM server;
the TA is configured to send the terminal public key to the TAM server over the second secure channel, receive over the second secure channel the terminal public key signature value sent by the TAM server, and store the terminal public key signature value persistently in the TEE environment; wherein the TAM server digitally signs the terminal public key with a manufacturer private key.
17. The system of claim 15, characterized in that:
the TA is further configured to call a white-box cryptography library to obtain the terminal public key signature value and to store the terminal public key signature value persistently in the TEE environment; wherein the terminal public key is digitally signed with a manufacturer private key inside the white-box cryptography library.
18. The system of claim 14, characterized in that it further comprises a Key Management Center;
the manufacturer public key and the manufacturer private key are issued under the TA management root certificate of the TA provider and generated in the Key Management Center.
19. The system of claim 14, characterized in that:
the TA is configured to send first verification information to the CA, wherein the first verification information comprises: the terminal public key and the terminal public key signature value;
the CA is configured to verify the terminal public key signature value with the manufacturer public key and, if verification succeeds, generate the channel session key; and to encrypt second verification information with the terminal public key and send it to the TA, wherein the second verification information comprises: the channel session key and check data;
the TA is further configured to decrypt the encrypted second verification information with the terminal private key and, if the check data verifies successfully, establish the first secure channel and return a channel-established-successfully message to the CA.
20. The system of claim 19, characterized in that:
the CA is further configured to send an establish-secure-channel command to the TA, wherein the establish-secure-channel command comprises a CA process-instance identifier corresponding to this CA;
the TA is configured to judge, based on the CA process-instance identifier, whether a secure channel with the CA has already been established and, if so, return a channel-established-successfully message, and if not, send the first verification information to the CA, wherein the first verification information further comprises: the channel number of the CA.
21. The system of claim 20, characterized in that:
the second verification information further comprises: the channel number of the CA and the CA process-instance identifier;
the channel session key comprises: a random number.
22. The system of claim 19, characterized in that:
the CA and the TA encrypt and decrypt the interaction data between the CA and the TA with a preset encryption algorithm based on the channel session key, wherein the channel number of the CA and the encrypted interaction data are transmitted between the CA and the TA over the first secure channel.
23. The system of claim 22, characterized in that:
the CA and the TA each use the channel session key as the key and the current value of a channel IV counter as the IV, and encrypt and decrypt the interaction data and check data with the encryption algorithm; wherein the encryption algorithm comprises: a symmetric encryption algorithm.
24. The system of claim 23, characterized in that:
a first IV counter is arranged in the CA, and a second IV counter corresponding to the secure channel is arranged in the TA; wherein, when the secure channel is established, the CA and the TA set the initial values of the first IV counter and the second IV counter respectively to 0; and after completing one bidirectional data interaction between the CA and the TA, the CA and the TA add 1 to the values of the first IV counter and the second IV counter respectively.
25. A communication system for a client application and a trusted application, characterized in that it comprises:
a memory; and a processor coupled to the memory, the processor being configured to execute, based on instructions stored in the memory, the communication method for a client application and a trusted application of any one of claims 1 to 12.
26. A terminal, characterized in that it comprises the communication system for a client application and a trusted application of any one of claims 13 to 25.
27. A computer-readable storage medium on which computer program instructions are stored, characterized in that the instructions, when executed by one or more processors, implement the steps of the method of any one of claims 1 to 12.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810375244.6A CN108600222B (en) | 2018-04-24 | 2018-04-24 | Communication method, system and terminal of client application and trusted application |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201810375244.6A CN108600222B (en) | 2018-04-24 | 2018-04-24 | Communication method, system and terminal of client application and trusted application |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN108600222A true CN108600222A (en) | 2018-09-28 |
| CN108600222B CN108600222B (en) | 2021-01-29 |
Family ID: 63609430
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201810375244.6A Active CN108600222B (en) | 2018-04-24 | 2018-04-24 | Communication method, system and terminal of client application and trusted application |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN108600222B (en) |
Cited By (16)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109413086A (en) * | 2018-11-16 | 2019-03-01 | 阿里巴巴集团控股有限公司 | Method and device for online verification of identity information |
| CN110099063A (en) * | 2019-05-08 | 2019-08-06 | 杭州健康在线信息技术有限公司 | Method for generating a conference registration credential |
| CN110806978A (en) * | 2019-10-31 | 2020-02-18 | 吉林亿联银行股份有限公司 | Defect management method and device for third-party component |
| CN110855667A (en) * | 2019-11-14 | 2020-02-28 | 宁夏吉虎科技有限公司 | Block chain encryption method, device and system |
| WO2020073750A1 (en) * | 2018-10-12 | 2020-04-16 | 华为技术有限公司 | Terminal attack defense method, apparatus, terminal, and cloud server |
| CN112422487A (en) * | 2019-08-23 | 2021-02-26 | 北京小米移动软件有限公司 | Data transmission method, device, system and computer readable storage medium |
| CN112713987A (en) * | 2020-12-10 | 2021-04-27 | 北京握奇数据股份有限公司 | System and method for establishing session key between CA and TA |
| CN113553125A (en) * | 2020-04-26 | 2021-10-26 | 中移(成都)信息通信科技有限公司 | Calling method, device and equipment of trusted application program and computer storage medium |
| CN114765544A (en) * | 2021-01-11 | 2022-07-19 | 中国移动通信有限公司研究院 | Trusted execution environment data offline migration method and device |
| CN114826596A (en) * | 2022-04-24 | 2022-07-29 | 南京邮电大学 | Key exchange acceleration method for establishing security level of trusted execution environment |
| CN114844672A (en) * | 2022-03-22 | 2022-08-02 | 华为技术有限公司 | Application trusted identity confirmation method, management unit and equipment |
| CN115706981A (en) * | 2021-08-12 | 2023-02-17 | 荣耀终端有限公司 | Key negotiation method and electronic equipment |
| CN117254916A (en) * | 2023-09-07 | 2023-12-19 | 奥特酷智能科技(南京)有限公司 | Non-key DDS safety authentication and communication method based on OP-TEE |
| CN119989333A (en) * | 2024-12-30 | 2025-05-13 | 福建联迪商用设备有限公司 | Application management method and electronic equipment based on OpenHarmony system |
| WO2025162387A1 (en) * | 2024-01-31 | 2025-08-07 | 清华大学深圳国际研究生院 | Server, terminal and security system |
| US20260031989A1 (en) * | 2024-07-29 | 2026-01-29 | Infineon Technologies Ag | Secure Communications Including Secure Channel Multiplexing |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103051451A (en) * | 2011-12-12 | 2013-04-17 | 微软公司 | Encryption authentication of security service execution environment |
| CN105574720A (en) * | 2015-12-14 | 2016-05-11 | 联想(北京)有限公司 | Secure information processing method and secure information processing apparatus |
| CN105843653A (en) * | 2016-04-12 | 2016-08-10 | 恒宝股份有限公司 | TA (trusted application) configuration method and device |
| CN106936774A (en) * | 2015-12-29 | 2017-07-07 | 中国电信股份有限公司 | Authentication method and system in a trusted execution environment |
| EP3293656A1 (en) * | 2016-09-13 | 2018-03-14 | Gemalto Sa | Method for controlling access to a trusted application in a terminal |
Events
- 2018-04-24: CN CN201810375244.6A patent/CN108600222B/en, status: Active
Also Published As
| Publication number | Publication date |
|---|---|
| CN108600222B (en) | 2021-01-29 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |