CN105429760A

CN105429760A - Method and system for identity verification of digital certificate based on TEE (Trusted Execution Environment)

Info

Publication number: CN105429760A
Application number: CN201510862638.0A
Authority: CN
Inventors: 李登峰
Original assignee: China Science And Technology (beijing) Co Ltd Rong'an
Current assignee: Shenzhou Rongan digital technology (Beijing) Co.,Ltd.
Priority date: 2015-12-01
Filing date: 2015-12-01
Publication date: 2016-03-23
Anticipated expiration: 2035-12-01
Also published as: CN109150548B; CN109150548A; CN105429760B

Abstract

The invention discloses a method for identity verification of a digital certificate based on a TEE (Trusted Execution Environment). The method comprises pre-configuration of a digital certificate system through a terminal, a digital certificate signature process and a digital certificate signature verification process. The method is characterized in that the terminal is provided with the TEE; the digital certificate signature process is carried out on the terminal and is used for utilizing a private key of the digital certificate to sign for a user request; the digital certificate signature verification process is used for authenticating identity of a requested user, and the authentication method comprises verification of validity and effectiveness of the digital certificate and integrity and correctness of the signature, wherein the digital certificate signature process is carried out under the TEE; the sensitive information, such as a user key, identity information, biological characteristic information and password information, is stored through a secure storage module, so that the problems that the signature process is carried out in REE and the sensitive information of the user is stored under the REE environment to cause privacy disclosure and stolen hidden danger of property in the prior art are avoided.

Description

A kind of auth method of the digital certificate based on TEE and system

Technical field

The application relates to areas of information technology, specifically, relates to a kind of auth method and system of the digital certificate based on TEE.

Background technology

PKI is the abbreviation of PublicKeyInfrastructure, i.e. PKIX, and be to provide system or the platform of asymmetric encryption and decryption and the service of digital signature sign test, object is in order to managing keys and digital certificate.PKI be a kind of follow standard utilize public key cryptography to be ecommerce, E-Government etc. carry out technology and specification that a set of foundation for security platform is provided.

In order to improve the identification authentication security of the network application systems such as Web bank, telephone bank, Internet securities, phone security, shopping online, online game, every profession and trade, each enterprise release the identity authorization system such as PKI, OTP, living things feature recognition, large data wind control than traditional static password with greater security one after another.

Adopt the identity authorization system such as PKI, OTP, living things feature recognition, large data wind control to carry out authentication, greatly improve the fail safe of network application system.Identification authentication mode main at present and pluses and minuses thereof are:

Traditional PKI technology and OTP technology, realize mainly with example, in hardware at present, fail safe is higher, is widely used at present; But it needs user to go to get material object, carries with and have study use procedure, and Consumer's Experience is poor; And although short message verification code wherein does not need extra hardware device, due to the opening of cell phone platform, fail safe is poor, and Problems gets more and more;

The authentication of biological characteristic, user does not need to carry additional hardware, and experience is better; But because it mostly is static data, open environment, open network, open platform are are easily intercepted and captured or is copied; Particularly because biological characteristic possesses the characteristic that can not change, easily produce more safety problem, therefore it is more suitable for as near field authentication means;

Based on the authentication of the analysis of large data; transparent completely to user; Consumer's Experience is better; but multi-dimensional data collect and use there is no relevant laws and regulations; also involve the problems such as secret protection; its recognition result can only be a probability simultaneously, instead of a deterministic judgement, and therefore it is more suitable for as advertisement marketing and risk control means.

Therefore, be badly in need of a kind of without additional hardware, use safety is convenient, non-repudiation strong and the identity identifying method of the compatible good digital certificate based on TEE.

Summary of the invention

In view of this, technical problems to be solved in this application are problems that existing identity identifying method is dangerous, unstable, not convenient and compatibility is not high.

In order to solve the problems of the technologies described above, the invention provides a kind of without additional hardware, use safety is convenient, non-repudiation strong and the auth method of the compatible good digital certificate based on TEE and system, by carrying out signature and the sign test of digital certificate under TEE, avoid the problem that existing identity identifying method is dangerous, unstable, not convenient and compatibility is not high, technical scheme is as follows:

A kind of auth method of the digital certificate based on TEE, comprise the pre-configured digital certificate system of terminal, digital certificate signature process and digital certificate sign test process, it is characterized in that, described terminal possesses TEE, described digital certificate signature process, described terminal is carried out, digital certificate private key is used to sign for asking for user, described digital certificate sign test process is used for the identity of user of authentication request, and authentication mode comprises the legitimacy of verifying described digital certificate and validity, the integrality of described signature and correctness; Wherein, described digital certificate signature process is carried out under TEE.

Preferably, described client is described terminal inner applications client, and described digital certificate signature process comprises:

Step 1: described digital certificate system safe storage subscriber identity information, root ca certificate information and customer digital certificate and private key information, server security corresponding to described client stores its digital certificate and private key information, described terminal receives the ID authentication request of the application of client and described server to the signature of described request, start described digital certificate system, described digital certificate system verify legal effective, the described signature of described server digital certificate complete correct after, send the request inputting described subscriber identity information to terminal use;

Step 2: the described subscriber identity information stored in the information of input and described step 1 verifies by described digital certificate system;

Step 3: when the result of verification in described step 2 be information consistent time, described digital certificate system uses the ID authentication request described in customer digital certificate private key signature step 1, and described digital certificate signature process completes.

Preferably, described client is described exterior of terminal applications client, and described applications client refers to that the carrier of described applications client is the equipment in described step 1 outside terminal, and described digital certificate signature process comprises:

Step is 1.: described digital certificate system safe storage subscriber identity information, root ca certificate information and customer digital certificate and private key information, server security corresponding to described client stores its digital certificate and private key information, when starting described digital certificate system, described digital certificate system sends the request inputting described subscriber identity information to user;

Step is 2.: described digital certificate system by the information of input and described step 1. in the described subscriber identity information that stores verify;

Step is 3.: when described step 2. in the result of verification be information consistent time, described digital certificate system passes through OTG, NFC, bluetooth, audio frequency, sound wave, user's input or scanning bar code, the mode of Quick Response Code obtain the ID authentication request of the application of described client and step 1. described server to the signing messages of described request, it is effectively legal that described digital certificate system verifies described server digital certificate, described signature complete correct after, described digital certificate system uses the ID authentication request described in customer digital certificate private key signature, described digital certificate signature process completes.

Preferably, described client is terminal inner applications client, and described digital certificate sign test process comprises:

Steps A 1: described digital certificate system sends the signature extremely described terminal inner applications client produced in described step 3;

Step B1: after described terminal inner applications client receives described signature, the request in forwarding step 1 and signing messages are to server corresponding to this client application;

Step C1: server described in step B1 receives described request and signature, the customer digital certificate of the complete correct and correspondence of the signature sent in verified users information and step B1 effectively legal, when check results is correct, described server processing requests also returns result to described terminal inner applications client;

Step D1: described terminal inner applications client receives the result in described step C1, verification relevant information also shows, and described digital certificate sign test process is complete.

Preferably, described client is exterior of terminal applications client, and described digital certificate sign test process comprises:

Steps A 2: described terminal sends signature that 3. described step produce to described client by the mode of OTG, NFC, bluetooth, audio frequency or sound wave, or reads for described applications client scan with the display of the form of bar code, Quick Response Code;

Step B2: after described applications client obtains this signature, send described step 3. in request and signing messages to server corresponding to this client application;

Step C2: server described in step B2 receives described request in described step B2 and signature, the customer digital certificate of the complete correct and correspondence of the signature that verified users information and step B2 send effectively legal, when check results is correct, application request described in described server process also returns result to described applications client;

Step D2: described applications client receives the result in described step C2, verification relevant information also shows, and described digital certificate sign test process is complete.

Preferably, also comprise the establishment account of described digital certificate system, generate double secret key and sign and issue the process of digital certificate, wherein, comprising:

Step one: the pre-configured digital certificate system based on TEE of terminal forms described digital certificate system, in described digital certificate system registered user account, registered user's account comprises input identity information and arranges access password, enrollment status information and access password described in described digital certificate system safe storage;

Step 2: described digital certificate system reads the verify data of trust root device or asks trust root device to sign and issue verify data;

Step 3: described digital certificate system is by verify data and described enrollment status information described in server request root of trust system authentication step 2 corresponding to described client application, and described root of trust system is corresponding with trust root device described in step 2;

Step 4: verify data described in described root of trust system check step 2 whether verify described enrollment status information corresponding with described trust root device, is sent to described digital certificate system by check results by the server that described client application is corresponding;

Step 5: when check results described in step 4 is described verify data verification succeeds and described enrollment status information is corresponding with described trust root device, described digital certificate system produces the first PKI of the first private key and correspondence thereof, private key described in safe storage, and sign and issue request to the CA server transmission digital certificate that described client application is corresponding;

Step 6: the request described in described CA server receiving step five also signs and issues described digital certificate, the server user bound account that described client application is corresponding and digital certificate corresponding relation, be sent to described digital certificate system by the digital certificate after signature;

Step 7: described digital certificate system receives and the digital certificate signed and issued in step 6 described in safe storage, the establishment account of described digital certificate system, generates double secret key and signs and issues digital certificate process and complete;

Described step one to three, step 5 and step 7 carry out under TEE.

Preferably, also comprise the customer digital certificate renewal process of described digital certificate system, wherein, comprising:

Step a: described digital certificate system request upgrades customer digital certificate, and sends the request inputting described subscriber identity information to user;

Step b: the described subscriber identity information stored in the information of input and described step 1 verifies by described digital certificate system; When check results is consistent, send the request using trust root device to user;

Step c: described digital certificate system reads the verify data of trust root device or asks trust root device to sign and issue verify data; When trust root device mandate reading or after signing and issuing associated authentication data, described digital certificate system is by enrollment status information and described verify data described in server request root of trust system authentication corresponding to described client application, and described root of trust system is corresponding with trust root device described in step b;

Steps d: verify data in step c described in described root of trust system check whether verify described enrollment status information corresponding with described trust root device, is sent to described digital certificate system by check results by the server that described client application is corresponding;

Step e: when check results described in steps d is described verify data verification succeeds and described enrollment status information is corresponding with described trust root device, described digital certificate system produces the second PKI of the second private key and correspondence thereof, private key described in safe storage, and send updating digital certificate to the CA server that described client is corresponding and sign and issue request;

Step f: the renewal described in described CA server receiving step e and signing and issuing is asked and described new digital certificate of signing, the server user bound account that described client application is corresponding and new digital certificate corresponding relation, be sent to described digital certificate system by the new digital certificate after signature;

Step g: described digital certificate system receives and the new digital certificate signed and issued in step f described in safe storage, and delete old digital certificate, the customer digital certificate renewal process of described digital certificate system completes;

Described step a to c, step e and step g are carried out under TEE.

Preferably, subscriber identity information in described step 1 comprises the basic identity information of user and biological information, described basic identity information comprises name and passport NO., and described biological information comprises finger print information, face feature information, voiceprint and/or iris information;

Also comprise in described step 3: when in described step 2 verification result be information consistent time, described digital certificate system shows safely the application request message of described client, and alerting users confirms, after user confirms to agree to described request, described digital certificate system uses customer digital certificate private key to sign to described request, and described digital certificate signature process completes;

Described step 3. in also comprise: when described step 2. in verification result be information consistent time, described digital certificate system shows safely the application request message of described client, and alerting users confirms, after user confirms to agree to described request, described digital certificate system uses customer digital certificate private key to sign to described request, and described digital certificate signature process completes.

Preferably, described digital certificate system comprises:

User's identification module, differentiates user for the instruction receiving Secure execution module, and feeds back identification result to described Secure execution module;

Crypto-operation module, carries out computing for the instruction receiving Secure execution module, and sends operation result to described Secure execution module;

Secure storage module, for receiving the instruction of Secure execution module, safe storage user data also carries out the transmission of described user data with described Secure execution module;

Secure execution module, for described safe input/output module, described user's identification module, described crypto-operation module, secure interface module and described secure storage module scheduling of resource, send instruction receive related data;

Secure interface module, for passing through bluetooth, OTG, NFC, or Quick Response Code, sound wave, or the Correspondent of TEE and REE is machine-processed and shared drive is machine-processed, carries out data interaction with client application;

TEE model calling in described safe input/output module, Secure execution module, secure interface module and secure storage module and described terminal installation.

Based on an authentication system for the digital certificate of TEE, comprise dispensing unit, digital certificate signature unit and digital certificate sign test unit, it is characterized in that,

Dispensing unit, at the pre-configured digital certificate system of terminal;

Digital certificate signature unit, described terminal is carried out, and signs for asking the raw digital certificate private key that uses for user;

Digital certificate sign test unit, for the user of authentication request identity and ensure user's non-repudiation described request, authentication mode comprises the legitimacy of the described digital certificate of described checking and validity, the integrality of described signature and correctness;

Wherein, under described digital certificate signature unit runs on TEE.

Compared with prior art, the method and system described in the application, reaches following effect:

(1) auth method of the digital certificate based on TEE provided by the invention, digital signature and sign test process, crypto-operation process and user's discrimination process are carried out under TEE, the key of user, identity information, the sensitive information such as biological information and password information are stored by secure storage module under TEE, avoid problems of the prior art, as digital signature procedure carry out in REE, user sensitive information stores under REE environment, produces privacy leakage, hidden danger etc. that property is stolen; Simultaneously, under TEE environment, ID authentication request is transmitted by safe interface and client application, input module and the input module of terminal is managed and calls by safe input/output interface, ID authentication request information security display through the confirmation of user, avoid input and output module under REE environment by illegal application controls and the risk of distorting, ensure that authentication procedures can embody the actual wishes of user;

(2) auth method of the digital certificate based on TEE provided by the invention, described terminal installation can be arbitrary smart machine possessing TEE, do not need specific equipment, the intelligent end device that user carries with usually can carry out, as the equipment such as mobile phone, panel computer, but its fail safe used is equally very high;

(3) auth method of the digital certificate based on TEE provided by the invention, compatible biological characteristic is differentiated, this distinctive fixing information of human body biological characteristics is also applied, do not differentiate that certification just can not enter the next step of authentication by biological characteristic, and said process all carries out under TEE, while use safety, also improve the convenience in use procedure;

(4) auth method of the digital certificate based on TEE provided by the invention, namely carries out based on TEE from initial step, improves the coefficient of safety of authentication from flow process; The public and private key of digital certificate as digital certificate system, its production process carries out based on TEE, and digital certificate and public and private key are stored in the TEE of equipment, improve the coefficient of safety of authentication from Operation system setting;

(5) auth method of the digital certificate based on TEE provided by the invention, method described in the application does not need in person to go sales counter to open an account and downloading digital certificate, can authentication be made to have non-repudiation by safety convenient simultaneously, user is easy-to-use, treatment effeciency is high, it is good, high to the compatibility of each application to experience, and whole authentication procedures coefficient of safety is also higher;

(6) auth method of the digital certificate based on TEE provided by the invention, can safety convenient, carry out authentication process itself efficiently, and effectively can ensure the true legitimacy verifying both sides, the safe transmission of request message, anti-tamper, anti-counterfeiting and anti-repudiation can be realized, and described digital certificate signature process is carried out under TEE, make described auth method safer, more convenient, better protect privacy of user, Consumer's Experience is better;

(7) auth method of the digital certificate based on TEE provided by the invention, described Digital Certificate Security systemic-function is comprehensive, operation safety, combine the modes such as certificate discriminating, biological characteristic discriminating and password authentication, make the compatibility of its identification authentication mode stronger, security performance is better, Consumer's Experience is better;

(8) authentication system of the digital certificate based on TEE provided by the invention, special study course is not needed during use, it uses is all respond one by one for user's request, pointed out by terminal installation, compared to dynamic password system of the prior art, it agrees with the use habit of user, and it is very convenient to use; It protects the key of user, identity information, biological information and password information etc., also improves the fail safe in use procedure and privacy while easy-to-use.

Accompanying drawing explanation

Accompanying drawing described herein is used to provide further understanding of the present application, and form a application's part, the schematic description and description of the application, for explaining the application, does not form the improper restriction to the application.In the accompanying drawings:

Fig. 1 is the flow chart of digital certificate signature process described in the embodiment of the present application;

Fig. 2 is the flow chart of digital certificate signature process described in the embodiment of the present application;

Fig. 3 is the flow chart of digital certificate sign test process described in the embodiment of the present application;

Fig. 4 is the flow chart of digital certificate sign test process described in the embodiment of the present application;

The flow chart of the process of the establishment account that Fig. 5 is digital certificate system described in the embodiment of the present application;

Fig. 6 is the flow chart of the renewal process of digital certificate system described in the embodiment of the present application;

Fig. 7 is the structural representation of digital certificate system described in the embodiment of the present application;

Fig. 8 is the structural representation of terminal described in the embodiment of the present application;

Fig. 9 is the structural representation of method described in the embodiment of the present application.

Embodiment

As employed some vocabulary to censure specific components in the middle of specification and claim.Those skilled in the art should understand, and hardware manufacturer may call same assembly with different noun.This specification and claims are not used as with the difference of title the mode distinguishing assembly, but are used as the criterion of differentiation with assembly difference functionally." comprising " as mentioned in the middle of specification and claim is in the whole text an open language, therefore should be construed to " comprise but be not limited to "." roughly " refer to that in receivable error range, those skilled in the art can solve the technical problem within the scope of certain error, reach described technique effect substantially.In addition, " couple " word and comprise directly any and indirectly electric property coupling means at this.Therefore, if describe a first device in literary composition to be coupled to one second device, then represent described first device and directly can be electrically coupled to described second device, or be indirectly electrically coupled to described second device by other devices or the means that couple.Specification subsequent descriptions is implement the better embodiment of the application, and right described description is for the purpose of the rule that the application is described, and is not used to the scope limiting the application.The protection range of the application is when being as the criterion depending on the claims person of defining.

Embodiment one:

A kind of auth method of the digital certificate based on TEE, comprise the pre-configured digital certificate system 1 of terminal 2, digital certificate signature process and digital certificate sign test process, it is characterized in that, described terminal 2 possesses TEE, described digital certificate signature process, described terminal 2 is carried out, digital certificate private key is used to sign for asking for user, described digital certificate sign test process is used for the identity of user of authentication request, and authentication mode comprises the legitimacy of verifying described digital certificate and validity, the integrality of described signature and correctness; Wherein, described digital certificate signature process is carried out under TEE.

Described user's request, specifically, comprise the application request of client, described application request needs to carry out authentication.Described digital certificate system 1 is arranged in described terminal 2TEE, TEE is the abbreviation of Trustedexecutionenvironment, Chinese translation is credible execution environment, the auth method of the digital certificate based on TEE provided by the invention, for a kind of identity identifying method, described digital certificate signature process is carried out under TEE, avoids problems of the prior art, as digital certificate signature process is carried out in REE, there is the hidden danger etc. be stolen in generation privacy leakage, property; Simultaneously, under TEE environment, ID authentication request is transmitted by secure interface module 106 and client application, input module and the input module of terminal 2 is managed and calls by safe input/output interface, ID authentication request information security display through the confirmation of user, avoid input module and output module under REE environment by illegal application controls and the risk of distorting, ensure that authentication procedures can embody the actual wishes of user; Described terminal 2 can be arbitrary smart machine possessing TEE, described digital certificate system 1 is software form, be arranged in the TEE Executive Module of described terminal 2, do not need specific equipment, the intelligent terminal 2 that user carries with usually can carry out, as the equipment such as mobile phone, panel computer, but its fail safe used is equally very high; Special study course is not needed during use, it uses is all respond one by one for user's request, point out by terminal 2, meet the use habit of the masses, compared to identity identifying method of the prior art, it possesses high-caliber security performance simultaneously and agrees with the use habit of user, and it is very convenient to use.

Should be noted that, auth method described in the application also refers to the checking of a checking subscriber identity information incessantly, also should comprise its checking whether in CA system with legal effective digital certificate, it is to the whether complete checking correctly of the signature of application request; Described auth method includes but not limited to the authentication in following process: 1, both sides are through mutually verifying that digital certificate and signature are with the true and false verifying the other side's identity, thus carry out the interchange of security privacy to the other side or authorize corresponding resource access authority; 2, both sides are through checking digital certificate and signature verify the other side's identity in transaction mutually, file, certification, contract, bill, agreement, bidding documents etc. transmit after digital certificate encryption, the transmit leg PKI of recipient is encrypted message, recipient is decrypted with the private key only having oneself just to have, and obtains message expressly; The transmit leg private key of oneself is signed to above-mentioned Transaction Information, and recipient can carry out sign test with the PKI of transmit leg.

Described digital certificate signature possesses non-repudiation, can realize in actual life with the non-repudiation that official seal, signature etc. realize on the net by the digital signature of digital certificate.Digital signature is not the digital image of written signature, but private cipher key control under to message itself carry out password change formed.Digital signature can realize anti-tamper, anti-counterfeiting and the anti-repudiation of message.

Therefore; the auth method that the application provides; can safety convenient, carry out authentication process itself efficiently; and effectively can ensure the true legitimacy verifying both sides; can realize the safe transmission of request message, anti-tamper, anti-counterfeiting and anti-repudiation, and described digital certificate signature process is carried out under TEE, makes described auth method safer, more convenient; privacy is able to better protection, and Consumer's Experience is better.

Embodiment two:

As described in Fig. 1 the embodiment of the present application digital certificate signature process flow chart shown in, described client is described terminal 2 internal applications client, and this internal applications client can be arranged in described terminal 2REE, and described digital certificate signature process comprises:

Step 1: described digital certificate system 1 safe storage subscriber identity information, root ca certificate information and customer digital certificate and private key information, server security corresponding to described client stores its digital certificate and private key information, described terminal 2 receives the ID authentication request of the application of client and described server to the signature of described request, start described digital certificate system 1, described digital certificate system 1 verify legal effective, the described signature of described server digital certificate complete correct after, send the request inputting described subscriber identity information to terminal 2 user; User can input according to the prompting of system, described subscriber identity information generally includes the basic identity information of user and biological information, described basic identity information comprises name and passport NO., and described biological information comprises finger print information, face feature information, voiceprint and/or iris information.

The request of described client comprises the request that the Mobile solution of authentication is carried out in all requirements, as the operation requests etc. that the transaction request of Mobile banking, the transaction request of security application and game are applied.The cause that described terminal 2 receives the request of client includes but not limited to following several situation: described terminal 2 internal applications client sends a request to described terminal 2; The applications client of described terminal 2 produces request and presents with the form of Quick Response Code, and described terminal 2 scans the request accepting described applications client; The applications client of described terminal 2 produces request, and described terminal 2 obtains described request information by the mode such as bluetooth, NFC, OTG and described applications client's side link thus accepts the request of described applications client.Described terminal 2 internal applications client refers to that the hardware carrier of this applications client and described terminal 2 are same equipment, and described applications client refers to that the carrier of described applications client is the equipment in described step 1 outside terminal 2.

Step 2: the described subscriber identity information stored in the information of input and described step 1 verifies by described digital certificate system 1, and verify the legitimacy of described internal applications client;

Step 3: when the result of verification in described step 2 is that information is consistent and described the result is legal, described digital certificate system 1 uses the ID authentication request described in customer digital certificate private key signature step 1, and described digital certificate signature process completes.

Terminal 2 are users for the equipment terminal 2 as described in Fig. 7 the embodiment of the present application with main-machine communication structural representation shown in, described terminal 2 comprises: Executive Module 202, comprises REE Executive Module and TEE Executive Module; Output module 201, comprises display unit, sound components and indicating device; Input module 203, comprises key-press input parts, microphone assembly, finger print information acquisition component, shooting part and/or sensor element; Communication module 205, comprises mobile communication parts, bluetooth component, WIFI parts, OTG parts and NFC parts; Storage module 204, comprises RAM parts and/or FLASH parts.

Described terminal 2 can be arbitrary smart machine possessing TEE, described digital certificate signature process is carried out under TEE, also namely above-mentioned steps 1-3 carries out under TEE, to solve in prior art digital certificate key easily by the problem intercepted and captured, and the method for identity identifying method compatible subscribers identity information provided by the invention certification, this distinctive fixing information of human body biological characteristics is also applied, the next step of authentication just can not be entered by subscriber identity information certification, and said process all carries out under TEE, protect the key of user, identity information, biological information and password information etc., also improve the fail safe in use procedure and privacy while easy-to-use.

Preferably, subscriber identity information in described step 1 comprises the basic identity information of user and biological information, described basic identity information comprises name and passport NO., and described biological information comprises finger print information, face feature information, voiceprint and/or iris information.

Preferably, also comprise in described step 3: when in described step 2 verification result be information consistent time, described digital certificate system 1 shows safely the application request message of described client, and alerting users confirms, after user confirms to agree to described request, described digital certificate system 1 uses customer digital certificate private key to sign to described request, and described digital certificate signature process completes.Wherein add the process that an alerting users confirms, be convenient to user and reaffirm solicited message, in order to avoid cause error, Consumer's Experience is better.

Embodiment three:

A kind of auth method of the digital certificate based on TEE, comprise the pre-configured digital certificate system 1 of terminal 2, digital certificate signature process and digital certificate sign test process, it is characterized in that, described terminal 2 possesses TEE and REE, described digital certificate signature process, described terminal 2 is carried out, and generates digital certificate for asking for user, described digital certificate sign test process is used for the identity of the user of authentication request, and authentication mode comprises described digital certificate; Wherein, described digital certificate system 1 is arranged in described terminal 2TEE, and described digital certificate signature process is carried out under TEE.

Described client is described terminal 2 applications client, and described digital certificate signature process comprises:

Step is 1.: described digital certificate system 1 safe storage subscriber identity information, root ca certificate information and customer digital certificate and private key information, server security corresponding to described client stores its digital certificate and private key information, when starting described digital certificate system 1, described digital certificate system 1 sends the request inputting described subscriber identity information to user;

Step is 2.: described digital certificate system 1 by the information of input and described step 1. in the described subscriber identity information that stores verify;

Step is 3.: when described step 2. in the result of verification be information consistent time, described digital certificate system 1 passes through OTG, NFC, bluetooth, audio frequency, sound wave, user's input or scanning bar code, the mode of Quick Response Code obtain the ID authentication request of the application of described client and step 1. described server to the signing messages of described request, it is effectively legal that described digital certificate system 1 verifies described server digital certificate, described signature complete correct after, described digital certificate system 1 uses the ID authentication request described in customer digital certificate private key signature, described digital certificate signature process completes.Described applications client refers to that the carrier of described applications client is the equipment in described step 1 outside terminal 2.

Preferably, described step 3. in also comprise: when described step 2. in verification result be information consistent time, described digital certificate system 1 shows safely the application request message of described client, and alerting users confirms, after user confirms to agree to described request, described digital certificate system 1 generates digital certificate, and described digital certificate signature process completes.

The auth method that the application provides, also may be used for applications client, information transmission mode is various, and different transmission meanss all brings good experience can to the user of different custom, widely applicable, easy-to-use.

Embodiment four:

Add on the basis of embodiment two content in embodiment one content or embodiment one, described client is terminal 2 internal applications client, as as described in Fig. 2 the embodiment of the present application method as described in the flow chart of digital certificate sign test process and Fig. 8 the embodiment of the present application structural representation shown in, described digital certificate sign test process comprises:

Steps A 1: described terminal 2 sends the signature extremely described terminal 2 internal applications client 5 produced in described step 3; Described terminal 2 internal applications client 5 refers to that the hardware carrier of this applications client and described terminal 2 are same equipment, and its send mode is that Correspondent mechanism between TEE and REE or shared drive are machine-processed etc.

Step B1: after described terminal 2 internal applications client receives described signature, the request in forwarding step 1 and signing messages are to server corresponding to this client application; The certification of described internal applications client 5 and described digital certificate system 1 and service background system can all be present on this server.

Step C1: server described in step B1 receives described request and signature, the customer digital certificate of the complete correct and correspondence of the signature sent in verified users information and step B1 effectively legal, when check results is correct, described server processing requests also returns result to described terminal 2 internal applications client; When check results is mistake, described server refusal is asked and returns the result to described terminal 2 internal applications client.

Step D1: described internal applications client 5 receives the result in described step C1, verification relevant information also shows, and described digital certificate sign test process is complete.

Embodiment five:

Add on the basis of embodiment two content in embodiment one content or embodiment one, described client is terminal 2 applications client, as as described in Fig. 3 the embodiment of the present application method as described in the flow chart of digital certificate sign test process and Fig. 8 the embodiment of the present application structural representation shown in, described digital certificate sign test process comprises:

Steps A 2: described terminal 2 sends signature that 3. described step produce to described client by the mode of OTG, NFC, bluetooth, audio frequency or sound wave, or reads for described applications client scan with the display of the form of bar code, Quick Response Code; Described applications client 4 refers to that the carrier of described applications client is the equipment in described step 1 outside terminal 2.

Step C2: server described in step B2 receives described request in described step B2 and signature, the customer digital certificate of the complete correct and correspondence of the signature that verified users information and step B2 send effectively legal, when check results is correct, application request described in described server process also returns result to described applications client; When check results is mistake, described server refusal is asked and returns the result to described terminal 2 internal applications client.

Embodiment six:

Above-described embodiment method and be combined with each other formed method basis on, as as described in Fig. 4 the embodiment of the present application the process of the establishment account of digital certificate system 1 flow chart shown in, the auth method of the described digital certificate based on TEE also comprise described digital certificate system 1 establishment account, generate double secret key and sign and issue the process of digital certificate, wherein, comprising:

Step one: the pre-configured digital certificate system 1 based on TEE of terminal 2 forms described digital certificate system 1, in described digital certificate system 1 registered user account, registered user's account comprises input identity information and arranges access password, enrollment status information and access password described in described digital certificate system 1 safe storage;

Step 2: described digital certificate system 1 reads the verify data of trust root device or asks trust root device to sign and issue verify data;

Step 3: described digital certificate system 1 is by verify data and described enrollment status information described in server request root of trust system authentication step 2 corresponding to described client application, and described root of trust system is corresponding with trust root device described in step 2;

Step 4: verify data described in described root of trust system check step 2 whether verify described enrollment status information corresponding with described trust root device, is sent to described digital certificate system 1 by check results by the server that described client application is corresponding;

Step 5: when check results described in step 4 is described verify data verification succeeds and described enrollment status information is corresponding with described trust root device, described digital certificate system 1 produces the first PKI of the first private key and correspondence thereof, private key described in safe storage, and sign and issue request to the CA server transmission digital certificate that described client application is corresponding;

Step 6: the request described in described CA server receiving step five also signs and issues described digital certificate, the server user bound account that described client application is corresponding and digital certificate corresponding relation, be sent to described digital certificate system 1 by the digital certificate after signature;

Step 7: described digital certificate system 1 receives and the digital certificate signed and issued in step 6 described in safe storage, the establishment account of described digital certificate system 1, generates double secret key and signs and issues digital certificate process and complete;

Described step one to three, step 5 and step 7 carry out under TEE.

Create the initial step that account is use system, namely carry out based on TEE from initial step, the coefficient of safety of authentication is improved from flow process, as digital certificate PKI and the private key of digital certificate system 1, its production process carries out based on TEE, digital certificate and public and private key are stored in the TEE of equipment, improve the coefficient of safety of authentication from Operation system setting; Simultaneously, method described in the application does not need in person to go sales counter to open an account and downloading digital certificate, safety convenient makes authentication have non-repudiation simultaneously, and user's treatment effeciency is high, it is good, high to the compatibility of each application to experience, and whole authentication procedures coefficient of safety is also higher.

Preferably, as as described in Fig. 5 the embodiment of the present application the renewal process of the digital certificate of digital certificate system 1 flow chart shown in, the auth method of the described digital certificate based on TEE also comprises the renewal process of described digital certificate system 1, also be the renewal process of the customer digital certificate of described digital certificate system 1, wherein, comprising:

Step a: described digital certificate system 1 asks to upgrade customer digital certificate, and sends the request inputting described subscriber identity information to user;

Step b: the described subscriber identity information stored in the information of input and described step 1 verifies by described digital certificate system 1; When check results is consistent, send the request using trust root device to user;

Step c: described digital certificate system 1 reads the verify data of trust root device or asks trust root device to sign and issue verify data; When trust root device mandate reading or after signing and issuing associated authentication data, described digital certificate system 1 is by enrollment status information and described verify data described in server request root of trust system authentication corresponding to described client application, and described root of trust system is corresponding with trust root device described in step b;

Steps d: verify data in step c described in described root of trust system check whether verify described enrollment status information corresponding with described trust root device, is sent to described digital certificate system 1 by check results by the server that described client application is corresponding;

Step e: when check results described in steps d is described verify data verification succeeds and described enrollment status information is corresponding with described trust root device, described digital certificate system 1 produces the second PKI of the second private key and correspondence thereof, second private key described in safe storage, and send updating digital certificate to the CA server that described client is corresponding and sign and issue request;

Step f: the renewal described in described CA server receiving step e and signing and issuing is asked and described new digital certificate of signing, the server user bound account that described client application is corresponding and new digital certificate corresponding relation, be sent to described digital certificate system 1 by the new digital certificate after signature;

Step g: described digital certificate system 1 receives and the new digital certificate signed and issued in step f described in safe storage, and delete old digital certificate, the customer digital certificate renewal process of described digital certificate system 1 completes;

Described step a to c, step e and step g are carried out under TEE.

Updating digital certificate dynamically updates, and it is different with the original public and private key of digital certificate that renewal refers to the public and private key of present digital certificate.Even if the public and private key of digital certificate is before cracked, what steal is original digital certificate, but does not know what the public and private key of digital certificate used now is.So, the public and private key of digital certificate is secret forever.And the auth method of the digital certificate based on TEE provided by the present invention, the renewal process of its digital certificate is carried out under TEE, and lsafety level can reach the lsafety level even surmounting hardware intelligent code key in kind.

Embodiment seven:

As described in Fig. 6 the embodiment of the present application digital certificate system 1 structural representation shown in, described digital certificate system 1 comprises:

Secure storage module 104, safe input/output module 101, user's identification module 105, crypto-operation module 103, secure interface module 106 and Secure execution module 102, described user's identification module 105, crypto-operation module 103, safe input/output module 101, secure interface module 106 and secure storage module 104 are connected with described Secure execution module 102 respectively, and described safe input/output module 101, Secure execution module 102, secure interface module 106 are connected with the TEE Executive Module in described terminal 2 device 2 with secure storage module 104.

Described user's identification module 105, differentiates user for the instruction receiving Secure execution module 102, and feeds back identification result to described Secure execution module 102;

Crypto-operation module 103, carries out computing for the instruction receiving Secure execution module 102, and sends operation result to described Secure execution module 102;

Secure storage module 104, for receiving the instruction of Secure execution module 102, safe storage user data also carries out the transmission of described user data with described Secure execution module 102;

Secure execution module 102, for described safe input/output module 101, described user's identification module 105, described crypto-operation module 103, secure interface module 106 and described secure storage module 104 scheduling of resource, send instruction receive related data;

Described safe input/output module 101 is for safety management and call described output module and described input module;

Secure interface module 106 user safety management also calls described communication module;

Described secure storage module is used for safety management and calls described storage module.

Preferably, described secure interface module 106, for passing through bluetooth, OTG, NFC, or Quick Response Code, sound wave, or the Correspondent of TEE and REE is machine-processed and shared drive is machine-processed, carries out data interaction with client application;

Described user's identification module 105, crypto-operation module 103, safe input/output module 101, Secure execution module 102, secure interface module 106 and secure storage module 104 and the TEE model calling in described terminal 2 device 2.

Described terminal 2 device 2 can be arbitrary smart machine possessing TEE; described digital signature procedure is carried out under TEE; to solve in prior art credential key easily by the problem intercepted and captured; protect the key of user, identity information, biological information and password information etc., also improve the fail safe in use procedure and privacy while easy-to-use.

Preferably, described user's identification module 105 comprises password authentication unit, finger print information discriminating unit, face feature information discriminating unit, voiceprint discriminating unit and/or iris information discriminating unit.Namely described user's identification module 105 comprises any one and combination in any thereof of following unit: password authentication unit, finger print information discriminating unit, face feature information discriminating unit, voiceprint discriminating unit, iris information discriminating unit.

Preferably, described output module 201 comprises display unit, voice unit (VU) and/or indicating member; Described input module 203 comprises: screen unit, push-button unit, finger print information collecting unit, sound collection unit, image unit and/or sensor unit.

Preferably, described crypto-operation module 103 comprises asymmetric cryptographic algorithm unit, HASH algorithm unit and/or symmetric cryptographic algorithm unit.Described crypto-operation module 103 comprises any one and combination in any thereof of following unit: asymmetric cryptography arithmetic element, symmetric cryptography arithmetic element, HASH arithmetic element.

Preferably, described user data comprises: user basic information, user's authentication information, digital certificate, asymmetric public and private key, symmetric key and/or character library.Namely described user data comprises any one and combination in any thereof of following information: user basic information, user's authentication information, digital certificate, asymmetric public and private key, symmetric key and character library.

Described Digital Certificate Security system 1 function synthesized, operation safety, combines that certificate is differentiated, biological characteristic is differentiated and the advantage of the modes such as password authentication, and make the compatibility of its identification authentication mode stronger, security performance is better, Consumer's Experience is better.

Embodiment eight:

Based on an authentication system for the digital certificate of TEE, comprise dispensing unit digital certificate signature unit and digital certificate sign test unit, it is characterized in that,

Dispensing unit, at the pre-configured digital certificate system 1 of terminal 2;

Digital certificate signature unit, described terminal 2 is carried out, and signs for asking the raw digital certificate private key that uses for user;

Wherein, under described digital certificate signature unit runs on TEE.

The authentication system 1 of the digital certificate based on TEE provided by the invention, meets the use habit of the masses, and compared to identity identifying method of the prior art, it possesses high-caliber security performance simultaneously and agrees with the use habit of user, and it is very convenient to use; Protect the key of user, identity information, biological information and password information etc., also improve the fail safe in use procedure and privacy while easy-to-use.

Known by above each embodiment, the beneficial effect that the application exists is:

(1) auth method of the digital certificate based on TEE provided by the invention, digital signature and sign test process, crypto-operation process and user's discrimination process are carried out under TEE, the key of user, identity information, the sensitive information such as biological information and password information are stored by secure storage module under TEE, avoid problems of the prior art, as digital signature generative process carry out in REE, user sensitive information stores under REE environment, produces privacy leakage, hidden danger etc. that property is stolen; Simultaneously, under TEE environment, ID authentication request is transmitted by safe interface and client application, input module and the input module of terminal is managed and calls by safe input/output interface, ID authentication request information security display through the confirmation of user, avoid input and output module under REE environment by illegal application controls and the risk of distorting, ensure that authentication procedures can embody the actual wishes of user;

Certainly, the technical scheme that the present invention protects must not reach all above-mentioned beneficial effects simultaneously, and a scheme does not reach all above-mentioned beneficial effects simultaneously and do not form limiting the scope of the invention.

Those skilled in the art should understand, the embodiment of the application can be provided as method, device or computer program.Therefore, the application can adopt the form of complete hardware embodiment, completely software implementation or the embodiment in conjunction with software and hardware aspect.And the application can adopt in one or more form wherein including the upper computer program implemented of computer-usable storage medium (including but not limited to magnetic disc store, CD-ROM, optical memory etc.) of computer usable program code.

Above-mentioned explanation illustrate and describes some preferred embodiments of the application, but as previously mentioned, be to be understood that the application is not limited to the form disclosed by this paper, should not regard the eliminating to other embodiments as, and can be used for other combinations various, amendment and environment, and can in invention contemplated scope described herein, changed by the technology of above-mentioned instruction or association area or knowledge.And the change that those skilled in the art carry out and change do not depart from the spirit and scope of the application, then all should in the protection range of the application's claims.

Claims

1. the auth method based on the digital certificate of TEE, comprise the pre-configured digital certificate system of terminal, digital certificate signature process and digital certificate sign test process, it is characterized in that, described terminal possesses TEE, described digital certificate signature process, described terminal is carried out, digital certificate private key is used to sign for asking for user, described digital certificate sign test process is used for the identity of user of authentication request, and authentication mode comprises the legitimacy of verifying described digital certificate and validity, the integrality of described signature and correctness; Wherein, described digital certificate signature process is carried out under TEE.

2. method according to claim 1, is characterized in that, described client is described terminal inner applications client, and described digital certificate signature process comprises:

3. method according to claim 1, it is characterized in that, described client is described exterior of terminal applications client, and described applications client refers to that the carrier of described applications client is the equipment in described step 1 outside terminal, and described digital certificate signature process comprises:

4. method according to claim 2, is characterized in that, described client is terminal inner applications client, and described digital certificate sign test process comprises:

5. method according to claim 3, is characterized in that, described client is exterior of terminal applications client, and described digital certificate sign test process comprises:

6., according to described method arbitrary in claim 1-5, it is characterized in that, also comprise the establishment account of described digital certificate system, generate double secret key and sign and issue the process of digital certificate, wherein, comprising:

Described step one to three, step 5 and step 7 carry out under TEE.

7. method according to claim 6, is characterized in that, also comprise the customer digital certificate renewal process of described digital certificate system, wherein, comprising:

Step e: when check results described in steps d is described verify data verification succeeds and described enrollment status information is corresponding with described trust root device, described digital certificate system produces the second PKI of the second private key and correspondence thereof, second private key described in safe storage, and send updating digital certificate to the CA server that described client is corresponding and sign and issue request;

Described step a to c, step e and step g are carried out under TEE.

8. method according to claim 6, it is characterized in that, subscriber identity information in described step 1 comprises the basic identity information of user and biological information, described basic identity information comprises name and passport NO., and described biological information comprises finger print information, face feature information, voiceprint and/or iris information;

9. method according to claim 8, it is characterized in that, described digital certificate system comprises:

10., based on an authentication system for the digital certificate of TEE, comprise dispensing unit, digital certificate signature unit and digital certificate sign test unit, it is characterized in that,

Dispensing unit, at the pre-configured digital certificate system of terminal;

Wherein, under described digital certificate signature unit runs on TEE.