CN105792167B - A kind of method and device initializing credible performing environment, equipment - Google Patents
A kind of method and device initializing credible performing environment, equipment Download PDFInfo
- Publication number
- CN105792167B CN105792167B CN201410779238.9A CN201410779238A CN105792167B CN 105792167 B CN105792167 B CN 105792167B CN 201410779238 A CN201410779238 A CN 201410779238A CN 105792167 B CN105792167 B CN 105792167B
- Authority
- CN
- China
- Prior art keywords
- naf
- performing environment
- credible performing
- information
- trusted service
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Landscapes
- Mobile Radio Communication Systems (AREA)
- Telephonic Communication Services (AREA)
Abstract
The invention discloses a kind of method and devices for initializing credible performing environment, equipment, wherein the described method includes: credible performing environment server obtains the international mobile subscriber identity for showing user identity;The credible performing environment server determines that trusted service manages the address information of platform according to the international mobile subscriber identity;The international mobile subscriber identity is sent to trusted service management platform according to the address information of trusted service management platform by the credible performing environment server, obtains NAF_ID information to trigger the trusted service management platform;NAF_ID information is sent to processing unit by the credible performing environment server, generates the first Ks_NAF key to trigger the processing unit according to NAF_ID information, operation has the credible performing environment on the processing unit.
Description
Technical field
The present invention relates to the communication technology more particularly to a kind of method and devices for initializing credible performing environment, equipment.
Background technique
The advantages that mobile payment is with its mobility and timeliness, is rapidly developed.Due to mobile payment what is involved is
Financial transaction, then the safety of mobile payment on the terminal device always by people concern.Existing terminal device is only
Including an operating environment, i.e., by operating systems such as widely known Android (Android) operating system, iOS operating systems, this
The operating systems such as class Android and iOS are referred to as abundant performing environment (REE, Rich Execution Environment), because
There is powerful processing capacity and multimedia function for this type operating system.It is enterprising in the terminal device for only including abundant performing environment
When row mobile payment, all mobile payment operations are completed under abundant performing environment;For example, user is in smart phone
When the upper progress mobile payment by mobile payment applications programs such as Alipays, including input password, encryption and decryption etc. are relevant
Mobile payment operation is completed under abundant performing environment.Under abundant performing environment, mobile payment operation is likely to
Wooden horse is infected, is intercepted or is attacked by hacker, to influence the safety of mobile payment.
In order to improve the safety of mobile payment, on the basis of existing abundant performing environment, and propose a kind of credible
Performing environment (TEE, Trusted Execution Environment), credible performing environment refers to secure processing capability
With the trusted operating system of offer secure peripheral operation.Application in credible performing environment is all ability under the premise of ensuring safety
It is downloaded and installs, guarantee the safety of mobile payment with this.On the terminal device, as Figure 1-1, credible operation ring
Border and abundant running environment is mutually isolated, independent operating;By taking smart phone as an example, credible performing environment and abundant performing environment can
Can be run based on same hardware, such as credible performing environment and abundant performing environment are all based on application processor
(Application Processor) and run.As the secure operating environment in terminal device, the peace of credible running environment
Full initialization is particularly important.
Currently, the initialization for credible performing environment, relatively conventional is that preset master control is close in credible performing environment
Key, it is subsequent that other keys are created by master control key again in use.The master control key of credible performing environment is set in terminal
In standby production process, controlling party that is preset, and needing in preset master control key clear master control key is carried out by device manufacturer,
Due to master control code key be carried out by device manufacturer it is preset, then the controlling party of master control key is exactly device manufacturer.When terminal is set
After standby dispensing is arrived in the market, terminal device is generally managed by common carrier, and in other words, credible performing environment is by leading to
Letter operator is managed, it is seen then that the manager of master control code key is not but the controlling party of master control key, and the manager of master control code key exists
May there are security risk and trust problem when replacing master control key.
Summary of the invention
In view of this, the embodiment of the present invention be solves the problems, such as it is existing in the prior art at least one and provide it is a kind of initially
Method and device, the equipment for changing credible performing environment enable to close without clear master control in the production process of terminal device
The controlling party of key, to avoid security risk and trust problem.
The technical solution of the embodiment of the present invention is achieved in that
In a first aspect, the embodiment of the present invention provides a kind of method for initializing credible performing environment, which comprises
Credible performing environment server obtains the international mobile subscriber identity for showing user identity;
The credible performing environment server determines that trusted service manages platform according to the international mobile subscriber identity
Address information;
The credible performing environment server moves the world according to the address information of trusted service management platform
Dynamic CUSTOMER ID is sent to trusted service management platform, obtains NAF_ID letter to trigger the trusted service management platform
Breath;
NAF_ID information is sent to processing unit by the credible performing environment server, to trigger the processing unit root
The first Ks_NAF key is generated according to NAF_ID information, operation has the credible performing environment on the processing unit.
Second aspect, the embodiment of the present invention provide a kind of method for initializing credible performing environment, which comprises
Processor obtains the international mobile subscriber identity for showing user identity;
The international mobile subscriber identity is sent to credible performing environment server by the processor, to trigger
It states credible performing environment server and obtains NAF_ID information;
The processor receives the acquisition NAF_ID information that the credible performing environment server is sent;
The processor generates the first Ks_NAF key according to the NAF_ID information, and close using the first Ks_NAF
Key completes the initialization procedure of credible performing environment.
The third aspect, the embodiment of the present invention provide a kind of method for initializing credible performing environment again, which comprises
Trusted service management platform receives the international mobile subscriber identity that credible performing environment server is sent;
The trusted service management platform verifies the validity of the international mobile subscriber identity;
When the verification international mobile subscriber identity is effective, the trusted service management platform obtains NAF_ID letter
Breath;
The NAF_ID information and the international mobile subscriber identity are sent to and are drawn by the trusted service management platform
Service function platform is led, sends the 2nd Ks_ to trigger the guide service function platform to trusted service management platform
NAF key;
After the trusted service management platform receives the 2nd Ks_NAF key of guide service function platform transmission, to institute
It states credible performing environment server and sends NAF_ID information.
Fourth aspect, a kind of method for initializing credible performing environment of the embodiment of the present invention, which comprises
Processor obtains the international mobile subscriber identity for showing user identity;
Credible performing environment server receives the processor and sends the international mobile subscriber identity;
The international mobile subscriber identity is sent to credible performing environment server by the processor, to trigger
It states credible performing environment server and obtains NAF_ID information;
The credible performing environment server determines that trusted service manages platform according to the international mobile subscriber identity
Address information;
The credible performing environment server moves the world according to the address information of trusted service management platform
Dynamic CUSTOMER ID is sent to trusted service management platform, obtains NAF_ID letter to trigger the trusted service management platform
Breath;
The trusted service management platform receives the international mobile subscriber identity that credible performing environment server is sent;
The trusted service management platform verifies the validity of the international mobile subscriber identity;
When the verification international mobile subscriber identity is effective, the trusted service management platform obtains NAF_ID letter
Breath;
The NAF_ID information and the international mobile subscriber identity are sent to and are drawn by the trusted service management platform
Service function platform is led, sends the 2nd Ks_ to trigger the guide service function platform to trusted service management platform
NAF key;
After the trusted service management platform receives the 2nd Ks_NAF key of guide service function platform transmission, to institute
It states credible performing environment server and sends NAF_ID information;
NAF_ID information is sent to processing unit by the credible performing environment server, to trigger the processing unit root
The first Ks_NAF key is generated according to NAF_ID information;
The processor receives the acquisition NAF_ID information that the credible performing environment server is sent;
The processor generates the first Ks_NAF key according to the NAF_ID information, and close using the first Ks_NAF
Key completes the initialization procedure of credible performing environment.
5th aspect, the embodiment of the present invention provide a kind of credible performing environment server, the credible performing environment service
Device includes first acquisition unit, determination unit, the first transmission unit, the first receiving unit and the second transmission unit, in which:
The first acquisition unit, for obtaining the international mobile subscriber identity for showing user identity;
The determination unit, for determining the ground of trusted service management platform according to the international mobile subscriber identity
Location information;
First transmission unit, for the address information according to trusted service management platform, by the international shifting
Dynamic CUSTOMER ID is sent to trusted service management platform, obtains NAF_ID letter to trigger the trusted service management platform
Breath;
First receiving unit, the NAF_ID information sent for receiving the trusted service management platform;
Second transmission unit, for NAF_ID information to be sent to processing unit, to trigger the processing unit root
The first Ks_NAF key is generated according to NAF_ID information, operation has the credible performing environment on the processing unit.
6th aspect, the embodiment of the present invention provide a kind of processor, and the processor includes second acquisition unit, third hair
Send unit, the second receiving unit, generation unit and the first initialization unit, in which:
The second acquisition unit, for obtaining the international mobile subscriber identity for showing user identity;
The third transmission unit, for the international mobile subscriber identity to be sent to credible performing environment service
Device obtains NAF_ID information to trigger the credible performing environment server;
Second receiving unit, the acquisition NAF_ID information sent for receiving the credible performing environment server;
The generation unit, for generating the first Ks_NAF key according to the NAF_ID information;
First initialization unit, for completing the initialization of credible performing environment using the first Ks_NAF key
Process.
7th aspect, the embodiment of the present invention provide a kind of trusted service management platform, and the trusted service manages platform packet
Include third receiving unit, verification unit, third acquiring unit, the 4th transmission unit and the 5th transmission unit, in which:
The third receiving unit, the international mobile subscriber identity sent for receiving credible performing environment server;
The verification unit, for verifying the validity of the international mobile subscriber identity;
The third acquiring unit, for obtaining NAF_ID letter when the verification international mobile subscriber identity is effective
Breath;
4th transmission unit, for the NAF_ID information and the international mobile subscriber identity to be sent to and draw
Service function platform is led, sends the 2nd Ks_ to trigger the guide service function platform to trusted service management platform
NAF key;
5th transmission unit, after receiving the 2nd Ks_NAF key that guide service function platform is sent, to
The credible performing environment server sends NAF_ID information.
Eighth aspect, the embodiment of the present invention provide a kind of device for initializing credible performing environment, and described device includes place
It manages device, credible performing environment server and trusted service and manages platform, in which:
The processor, for obtaining the international mobile subscriber identity for showing user identity;
The credible performing environment server sends the international mobile subscriber identity for receiving the processor;
The processor, for the international mobile subscriber identity to be sent to credible performing environment server, so as to
It triggers the credible performing environment server and obtains NAF_ID information;
The credible performing environment server, for determining trusted service pipe according to the international mobile subscriber identity
The address information of platform;
The credible performing environment server will be described for the address information according to trusted service management platform
International mobile subscriber identity is sent to trusted service management platform, obtains NAF_ to trigger the trusted service management platform
Id information;
The trusted service manages platform, the international mobile subscriber identification sent for receiving credible performing environment server
Code;
The trusted service manages platform, for verifying the validity of the international mobile subscriber identity;
When the verification international mobile subscriber identity is effective, the trusted service manages platform, for obtaining NAF_
Id information;
The trusted service manages platform, for sending the NAF_ID information and the international mobile subscriber identity
Guide service function platform is given, sends second to trigger the guide service function platform to trusted service management platform
Ks_NAF key;
The trusted service manages platform, for receiving the 2nd Ks_NAF key of guide service function platform transmission
Afterwards, NAF_ID information is sent to the credible performing environment server;
The credible performing environment server, for NAF_ID information to be sent to processing unit, to trigger the processing
Unit generates the first Ks_NAF key according to NAF_ID information;
The processor, the acquisition NAF_ID information sent for receiving the credible performing environment server;
The processor for generating the first Ks_NAF key according to the NAF_ID information, and utilizes the first Ks_
NAF key completes the initialization procedure of credible performing environment.
A kind of method and device initializing credible performing environment provided in an embodiment of the present invention, equipment, wherein credible to hold
Row environment server obtains the international mobile subscriber identity for showing user identity;The credible performing environment server root
According to the international mobile subscriber identity, the address information of trusted service management platform is determined;The credible performing environment service
The international mobile subscriber identity is sent to trusted service pipe according to the address information of trusted service management platform by device
Platform obtains NAF_ID information to trigger the trusted service management platform;The credible performing environment server will
NAF_ID information is sent to processing unit, generates the first Ks_NAF key to trigger the processing unit according to NAF_ID information,
Operation has the credible performing environment on the processing unit, so, it is possible so that being not necessarily in the production process of terminal device
The controlling party of master control key is specified, to avoid security risk and trust problem.
Detailed description of the invention
Fig. 1-1 is the relation schematic diagram of credible performing environment and abundant performing environment in the related technology;
Fig. 1-2 is the relationship initialized between each equipment involved in the method for credible performing environment in the embodiment of the present invention
Schematic diagram;
Fig. 1-3 is the implementation process schematic diagram for the method that the embodiment of the present invention one initializes credible performing environment;
Fig. 2 is the implementation process schematic diagram for the method that the embodiment of the present invention two initializes credible performing environment;
Fig. 3 is the implementation process schematic diagram for the method that the embodiment of the present invention three initializes credible performing environment;
Fig. 4 is the composed structure schematic diagram of the credible performing environment server of the embodiment of the present invention four;
Fig. 5 is the composed structure schematic diagram of five processor of the embodiment of the present invention;
Fig. 6 is the composed structure schematic diagram that six trusted service of the embodiment of the present invention manages platform.
Fig. 7 is the implementation process schematic diagram for the method that the embodiment of the present invention eight initializes credible performing environment.
Specific embodiment
In order to solve the above technical problems, the technical solution that following embodiment of the invention provides, by generic authentication architecture
The security initialization behaviour of credible performing environment is completed on the basis of (GBA, General Bootstrapping Architecture)
Make, specifically, user is inserted into after Subscriber Identity Module in terminal device, will carry out generic authentication architecture process, common authentication
After framework process terminates, initialization that Subscriber Identity Module will trigger a series of equipment and be automatically performed credible performing environment
Journey.As shown in Figs. 1-2, the technical solution that following embodiment of the present invention provides, will be related to following interactive object, and mainly include
Subscriber Identity Module, processor, credible performing environment server, trusted service manage platform (TSM, Trusted Service
Management) and guide service function platform (BSF, Bootstrapping Service Function), in which: can convince
Actual management side of the business management platform as credible performing environment, can be provided by common carrier;In generic authentication architecture
In play the part of network application function (NAF, Network Application Function) role, and between guide service platform
It holds consultation, to obtain Ks_NAF key.Such as cell phone manufacturer, terminal device provider preset first key in the processor, institute
First key is stated for ensuring secure communication and identification authentication between processor and credible performing environment server.By this hair
The technical solution that bright embodiment provides enables to the provider of terminal device without clear master control key in process of production
Controlling party, and user is inserted into after Subscriber Identity Module in terminal device can be automatically performed the safety of credible performing environment just
Beginning process.
Here, the guide service function platform can be provided by common carrier, the credible performing environment service
Device can be provided by the provider of terminal device.
Here, the first key can be symmetric key or private/public key, the credible execution ring of credible performing environment
The public key of border server (TEE Server);
Here, the processor refers to the processor for running the credible performing environment, when terminal device is mobile phone,
The processor can be application processor.
Here, generic authentication architecture (GBA, General Bootstrapping Architecture) is that the third generation closes
Make one kind that Partnership Program (3GPP, 3rd Generation Partnership Project) defines and is based on mobile radio communication
The security infrastructure of network, lightweight can provide unified Security Authentication Service, about common authentication frame for application layer business
The initialization process of structure can be refering to the relevant criterion of third generation partner program.
Here, the Subscriber Identity Module includes the Subscriber Identity Module of the second generation, the third generation, forth generation etc., wherein the second band
Subscriber Identity Module is commonly referred to as subscriber identification module (SIM, Subscriber Identity Module), third generation user identification
Card is commonly referred to as universal subscriber identity module (USIM, Universal Subscriber Identity Module).
Here, terminal device may include smart phone, tablet computer, point of sale (POS, Point of Sales) machine,
The equipment such as personal digital assistant.
The technical solution of the present invention is further elaborated in the following with reference to the drawings and specific embodiments.
Embodiment one
The embodiment of the present invention one provides a kind of method for initializing credible performing environment, and Fig. 1-3 is the embodiment of the present invention one
The implementation process schematic diagram of the method for credible performing environment is initialized, is applied to credible performing environment server, such as Fig. 1-3 institute
Show, this method comprises:
Step 101, credible performing environment server obtains the international mobile subscriber identity for showing user identity
(IMSI, International Mobile Subscriber Identification Number);
Here, the credible performing environment server can be provided by the provider of terminal device, described international mobile
CUSTOMER ID is that the IMSI of Subscriber Identity Module is identified.
Step 102, the credible performing environment server determines trusted service according to the international mobile subscriber identity
Manage the address information of platform;
Here, when terminal device is mobile phone, what the credible performing environment server can also be reported according to processor
Cell-phone number determines the address information of trusted service management platform;Alternatively, the credible performing environment server can also be according to place
The cell-phone number and international mobile subscriber identity that reason device reports determine the address information of trusted service management platform.
Step 103, the credible performing environment server manages the address information of platform according to the trusted service, by institute
It states international mobile subscriber identity and is sent to trusted service management platform, obtain net to trigger the trusted service management platform
Mark (NAF_ID) information of network application function platform;
Here, since network application function platform can be multiple, it is therefore desirable to obtain and international mobile subscriber identity phase
The identification information of the network application function platform of pass.
Step 104, NAF_ID information is sent to processing unit by the credible performing environment server, to trigger the place
It manages unit and the first Ks_NAF key is generated according to NAF_ID information.
Here, operation has the credible performing environment on the processing unit.
In the embodiment of the present invention, obtaining in the credible performing environment server for showing that the international of user identity moves
After dynamic CUSTOMER ID, the method also includes:
The credible performing environment server establishes the first exit passageway, and first exit passageway is the credible execution
Exit passageway between environment server and processor;
Accordingly, the credible performing environment server obtains the international mobile subscriber for showing user identity and identifies
Code, comprising:
The credible performing environment server obtains the world for showing user identity by first exit passageway
Mobile identification number;
Accordingly, NAF_ID information is sent to processing unit by the credible performing environment server, comprising:
The credible performing environment server is sent to processing list by first exit passageway, by NAF_ID information
Member.
In the embodiment of the present invention, in the credible performing environment server according to the international mobile subscriber identity, really
After the address information for determining trusted service management platform, the method also includes:
The credible performing environment server establishes the second exit passageway, and second exit passageway is the credible execution
Exit passageway between environment server and trusted service management platform;
Accordingly, the credible performing environment server, will be described according to the address information of the trusted service management screen
International mobile subscriber identity is sent to trusted service management platform, comprising:
The credible performing environment server passes through described second according to the address information of trusted service management platform
The international mobile subscriber identity is sent to trusted service management platform by exit passageway;
Accordingly, the credible performing environment server receives the NAF_ID letter that the trusted service management platform is sent
Breath, comprising:
The credible performing environment server receives the trusted service by second exit passageway and manages platform hair
The NAF_ID information sent.
In the embodiment of the present invention, before step 101, this method further include: user is inserted into terminal device in user
After identification card, generic authentication architecture process will be carried out.
A kind of method and device initializing credible performing environment provided in an embodiment of the present invention, equipment, wherein credible to hold
Row environment server obtains the international mobile subscriber identity for showing user identity;The credible performing environment server root
According to the international mobile subscriber identity, the address information of trusted service management platform is determined;The credible performing environment service
The international mobile subscriber identity is sent to trusted service pipe according to the address information of trusted service management platform by device
Platform obtains NAF_ID information to trigger the trusted service management platform;The credible performing environment server will
NAF_ID information is sent to processing unit, generates the first Ks_NAF key to trigger the processing unit according to NAF_ID information,
Operation has the credible performing environment on the processing unit, so, it is possible so that being not necessarily in the production process of terminal device
The controlling party of master control key is specified, to avoid security risk and trust problem.
Embodiment two
The embodiment of the present invention provides a kind of method for initializing credible performing environment, is applied in processor, and Fig. 2 is this hair
Bright embodiment two initializes the implementation process schematic diagram of the method for credible performing environment, as shown in Fig. 2, this method comprises:
Step 201, processor obtains the international mobile subscriber identity for showing user identity;
Step 202, the international mobile subscriber identity is sent to credible performing environment server by the processor, with
Just it triggers the credible performing environment server and obtains NAF_ID information;
Step 203, the processor receives the acquisition NAF_ID information that the credible performing environment server is sent;
Step 204, the processor generates the first Ks_NAF key according to the NAF_ID information, and utilizes described first
Ks_NAF key completes the initialization procedure of credible performing environment.
In the embodiment of the present invention, the initialization that credible performing environment is completed using the first Ks_NAF key
Journey, comprising:
The processor completes the certification between trusted service management platform using the first Ks_NAF key, to complete
The initialization procedure of credible performing environment.
In the embodiment of the present invention, the international mobile subscriber identity for showing user identity is obtained in the processor
Afterwards, the method also includes:
The processor establishes the first exit passageway, and first exit passageway is the processor and the credible execution
Exit passageway between environment server and processor;
Accordingly, the international mobile subscriber identity is sent to credible performing environment server by the processor, packet
It includes:
The international mobile subscriber identity is sent to credible execution by first exit passageway by the processor
Environment server;
Accordingly, the processor receives the acquisition NAF_ID information that the credible performing environment server is sent, comprising:
The processor receives the acquisition that the credible performing environment server is sent by first exit passageway
NAF_ID information.
Embodiment three
The embodiment of the present invention provides a kind of method for initializing credible performing environment, is applied to trusted service and manages platform,
Fig. 3 is the implementation process schematic diagram for the method that the embodiment of the present invention three initializes credible performing environment, as shown in figure 3, this method
Include:
Step 301, trusted service management platform receives the international mobile subscriber identification that credible performing environment server is sent
Code;
Step 302, the trusted service management platform verifies the validity of the international mobile subscriber identity;
Step 303, when the verification international mobile subscriber identity is effective, the trusted service management platform is obtained
NAF_ID information;
Step 304, the trusted service manages platform for the NAF_ID information and the international mobile subscriber identity
It is sent to guide service function platform, is sent to trigger the guide service function platform to trusted service management platform
2nd Ks_NAF key;
Step 305, the 2nd Ks_NAF that the trusted service management platform receives the transmission of guide service function platform is close
After key, NAF_ID information is sent to the credible performing environment server.
Step 306, when verifying international mobile subscriber identity failure, the trusted service management platform will be verified
The information of failure is sent to the credible performing environment server, to prompt each side's initialization failure.
In the embodiment of the present invention, the method also includes:
The trusted service management platform establishes the second exit passageway, and second exit passageway is the trusted service pipe
Exit passageway between platform and the credible performing environment server;
Accordingly, the trusted service management platform receives the international mobile subscriber that credible performing environment server is sent and knows
Other code, comprising:
The trusted service management platform receives what credible performing environment server was sent by second exit passageway
International mobile subscriber identity;
Accordingly, the trusted service management platform receives the 2nd Ks_NAF key of guide service function platform transmission
Afterwards, NAF_ID information is sent to the credible performing environment server, comprising:
After the trusted service management platform receives the 2nd Ks_NAF key of guide service function platform transmission, pass through
Second exit passageway sends NAF_ID information to the credible performing environment server.
In the embodiment of the present invention, the method also includes:
The first Ks_NAF key that trusted service management platform receiving area haircut is sent;
Trusted service management platform judges whether are the first Ks_NAF key and the 2nd Ks_NAF key of itself
It is identical, obtain the first judging result;
When first judging result shows that the first Ks_NAF key is identical as the 2nd Ks_NAF key of itself,
Complete the initialization procedure of credible performing environment.
When first judging result shows that the first Ks_NAF key is not identical as the 2nd Ks_NAF key of itself
When, initialization failure, and initialization failure news is sent to processor.
Example IV
Based on embodiment of the method for the invention, the embodiment of the present invention provides a kind of credible performing environment server, and Fig. 4 is this
The composed structure schematic diagram of the credible performing environment server of inventive embodiments four, as shown in figure 4, the credible performing environment server
400 include first acquisition unit 401, determination unit 402, the first transmission unit 403, the first receiving unit 404 and the second transmission
Unit 405, in which:
The first acquisition unit 401, for obtaining the international mobile subscriber identity for showing user identity;
The determination unit 402, for determining trusted service management platform according to the international mobile subscriber identity
Address information;
First transmission unit 403, for the address information according to trusted service management platform, by the world
Mobile identification number is sent to trusted service management platform, obtains NAF_ID letter to trigger the trusted service management platform
Breath;
First receiving unit 404, the NAF_ID information sent for receiving the trusted service management platform;
Second transmission unit 405, for NAF_ID information to be sent to processing unit, to trigger the processing unit
The first Ks_NAF key is generated according to NAF_ID information, operation has the credible performing environment on the processing unit.
In the embodiment of the present invention, the credible performing environment server further includes first establishing unit, for establishing first
Exit passageway, exit passageway of first exit passageway between the credible performing environment server and processor;
Accordingly, the first acquisition unit, for obtaining for showing user identity by first exit passageway
International mobile subscriber identity;
Second transmission unit, for NAF_ID information to be sent to processing unit by first exit passageway.
In the embodiment of the present invention, the credible performing environment server further includes second establishing unit, for establishing second
Exit passageway, second exit passageway are that the credible performing environment server and the trusted service manage between platform
Exit passageway;
Accordingly, first transmission unit passes through institute for the address information according to trusted service management platform
It states the second exit passageway and the international mobile subscriber identity is sent to trusted service management platform;
Accordingly, first receiving unit, for receiving the trusted service management by second exit passageway
The NAF_ID information that platform is sent.
Here, the address information of trusted service management platform can be the identification information of trusted service management platform.
Embodiment five
The embodiment of the present invention provides a kind of processor, and Fig. 5 is the composed structure schematic diagram of five processor of the embodiment of the present invention,
As shown in figure 5, the processor 500 includes second acquisition unit 501, third transmission unit 502, the second receiving unit 503, generates
Unit 504 and the first initialization unit 505, in which:
The second acquisition unit 501, for obtaining the international mobile subscriber identity for showing user identity;
The third transmission unit 502 takes for the international mobile subscriber identity to be sent to credible performing environment
Business device obtains NAF_ID information to trigger the credible performing environment server;
Second receiving unit 503, the acquisition NAF_ID letter sent for receiving the credible performing environment server
Breath;
The generation unit 504, for generating the first Ks_NAF key according to the NAF_ID information;
First initialization unit 505, for completing the first of credible performing environment using the first Ks_NAF key
Beginning process.
In the embodiment of the present invention, first initialization unit, for completing and can convince using the first Ks_NAF key
Certification between business management platform, to complete the initialization procedure of credible performing environment.
In the embodiment of the present invention, the processor further includes that third establishes unit, described for establishing the first exit passageway
Exit passageway of first exit passageway between the processor and the credible performing environment server and processor;
Accordingly, the third transmission unit, for being known the international mobile subscriber by first exit passageway
Other code is sent to credible performing environment server;
Accordingly, second receiving unit, for receiving the credible performing environment by first exit passageway
The acquisition NAF_ID information that server is sent.
Embodiment six
The embodiment of the present invention provides a kind of trusted service management platform, and Fig. 6 is six trusted service management of the embodiment of the present invention
The composed structure schematic diagram of platform, as shown in fig. 6, trusted service management platform 600 includes third receiving unit 601, verification
Unit 602, third acquiring unit 603, the 4th transmission unit 604, the 5th transmission unit 605 and the 6th transmission unit 606,
In:
The third receiving unit 601, the international mobile subscriber identification sent for receiving credible performing environment server
Code;
The verification unit 602, for verifying the validity of the international mobile subscriber identity;
The third acquiring unit 603, for obtaining NAF_ID when the verification international mobile subscriber identity is effective
Information;
4th transmission unit 604, for sending the NAF_ID information and the international mobile subscriber identity
Guide service function platform is given, sends second to trigger the guide service function platform to trusted service management platform
Ks_NAF key;
5th transmission unit 605, after receiving the 2nd Ks_NAF key that guide service function platform is sent,
NAF_ID information is sent to the credible performing environment server.
6th transmission unit 606, for when verifying international mobile subscriber identity failure, verification to be failed
Information be sent to the credible performing environment server, so as to prompt each side initialization failure.
In the embodiment of the present invention, trusted service management platform further includes the 4th establishing unit, for establishing the second peace
Full tunnel, second exit passageway are the peace between trusted service management platform and the credible performing environment server
Full tunnel;
Accordingly, the third receiving unit, for receiving credible performing environment service by second exit passageway
The international mobile subscriber identity that device is sent;
Accordingly, the 5th transmission unit, the 2nd Ks_NAF for receiving the transmission of guide service function platform are close
After key, NAF_ID information is sent to the credible performing environment server by second exit passageway.
The embodiment of the present invention, trusted service management platform further include the 4th receiving unit, judging unit, the second initialization
Unit and the 7th transmission unit, in which:
4th receiving unit, the first Ks_NAF key sent for receiving area's haircut;
The judging unit, for judge the first Ks_NAF key and itself the 2nd Ks_NAF key whether phase
Together, the first judging result is obtained;
Second initialization unit, for showing the first Ks_NAF key and itself when first judging result
The 2nd Ks_NAF key it is identical when, complete the initialization procedure of credible performing environment.
7th transmission unit, for when first judging result show the first Ks_NAF key and itself
When 2nd Ks_NAF key is not identical, initialization failure, and initialization failure news is sent to processor.
Embodiment seven
Implemented based on above-mentioned processor, credible performing environment server example and trusted service management platform are implemented
Example, the embodiment of the present invention provide a kind of device for initializing credible performing environment, and described device includes processor, credible execution ring
Border server and trusted service manage platform, in which:
The processor, for obtaining the international mobile subscriber identity for showing user identity;
The credible performing environment server sends the international mobile subscriber identity for receiving the processor;
The processor, for the international mobile subscriber identity to be sent to credible performing environment server, so as to
It triggers the credible performing environment server and obtains NAF_ID information;
The credible performing environment server, for determining trusted service pipe according to the international mobile subscriber identity
The address information of platform;
The credible performing environment server will be described for the address information according to trusted service management platform
International mobile subscriber identity is sent to trusted service management platform, obtains NAF_ to trigger the trusted service management platform
Id information;
The trusted service manages platform, the international mobile subscriber identification sent for receiving credible performing environment server
Code;
The trusted service manages platform, for verifying the validity of the international mobile subscriber identity;
When the verification international mobile subscriber identity is effective, the trusted service manages platform, for obtaining NAF_
Id information;
The trusted service manages platform, for sending the NAF_ID information and the international mobile subscriber identity
Guide service function platform is given, sends second to trigger the guide service function platform to trusted service management platform
Ks_NAF key;
The trusted service manages platform, for receiving the 2nd Ks_NAF key of guide service function platform transmission
Afterwards, NAF_ID information is sent to the credible performing environment server;
The credible performing environment server, for NAF_ID information to be sent to processing unit, to trigger the processing
Unit generates the first Ks_NAF key according to NAF_ID information;
The processor, the acquisition NAF_ID information sent for receiving the credible performing environment server;
The processor for generating the first Ks_NAF key according to the NAF_ID information, and utilizes the first Ks_
NAF key completes the initialization procedure of credible performing environment.
Embodiment eight
Based on Fig. 1-2, the embodiment of the present invention provides a kind of method for initializing credible performing environment, and Fig. 7 is that the present invention is real
The implementation process schematic diagram that example eight initializes the method for credible performing environment is applied, as shown in fig. 7, this method comprises:
Step 701, Subscriber Identity Module is inserted into terminal device by user;
Specifically, user can run in Subscriber Identity Module such as SIM card insertion terminal device credible on the terminal device
Performing environment.
Step 702, Subscriber Identity Module and BSF complete GBA process;
Specifically, Subscriber Identity Module completes GBA process by terminal device and BSF, and the detailed process about GBA process can
With referring to the relevant criterion of 3GPP standard, which is not described herein again.
Step 703, IMSI information is sent to processor by Subscriber Identity Module;
Here, after international mobile subscriber identity is sent to processor by Subscriber Identity Module, processor obtains SIM card
International mobile subscriber identity;After processor receives international mobile subscriber identity, whether processor is judged
The initialization process for completing credible performing environment, when processor has completed the initialization process of credible performing environment, then
This method process just terminates;When processor does not complete the initialization process of credible performing environment, then this method process enters
Step 704.
Here, since user is when using terminal equipment, it is possible that replacement Subscriber Identity Module the case where, when with
When Subscriber Identity Module is replaced at family, the initialization process for carrying out credible performing environment again is not needed;Only user is in head
It is secondary to take terminal device, and when Subscriber Identity Module is inserted into terminal device, just need to carry out it is provided in an embodiment of the present invention can
Believe the initialization process of performing environment.
Step 704, the first exit passageway is established between processor and credible performing environment server (TEE Server);
Here, the first exit passageway is established between processor and credible performing environment server, can effectively prevents puppet
The processor or credible performing environment server made.
Step 705, processor sends IMSI information to credible performing environment server;
Here, processor can send IMSI information to credible performing environment server by the first exit passageway;
Step 706, TEE Server determines the address information of TSM according to IMSI information;
Here, when terminal device is smart phone, TEE Server can also be true according to the cell-phone number information received
TSM address information is determined, alternatively, TEE Server can also determine TSM address information according to IMSI and cell-phone number information.
Step 707, the second exit passageway is established between TEE Server and TSM platform;
Here, the second exit passageway is established between TEE Server and TSM platform, can effectively prevent the TSM forged
Or TEE Server.
Step 708, TEE Server sends IMSI information to TSM platform;
Step 709, TSM platform verifies IMSI information;
Here, the validity of TSM platform verification IMSI information enters step 710 when verification IMSI information is effective, when
When verifying IMSI information failure, method flow provided in an embodiment of the present invention terminates.
Step 710, TSM platform sends IMSI information and NAF_ID information to BSF platform;
Here, the NAF_ID information is the information that BSF platform is the distribution of TSM platform;BSF platform is receiving IMSI letter
After breath and NAF_ID information, the 2nd Ks_NAF key can be obtained.And.
Step 711, BSF platform sends the 2nd Ks_NAF key to TSM platform;
Here, the 2nd Ks_NAF key that BSF platform is returned to TSM platform is a kind of safe transfer mode.
Step 712, TSM platform sends NAF_ID information to TEE Server;
Here, TSM platform will record down the 2nd Ks_NAF after the 2nd Ks_NAF key for receiving the transmission of BSF platform
Key, then TSM platform sends NAF_ID information to TEE Server.
Step 713, TEE Server sends NAF_ID information to processor;
Step 714, processor generates the first Ks_NAF key according to NAF_ID information;
Step 715, two-way authentication is completed between processor and TSM platform;
Here, two-way authentication is completed between processor and TSM platform, can be carried out by following mode, such as handle
First Ks_NAF key of generation is sent to TSM platform by device, and TSM platform is by the first Ks_NAF key received and itself remembers
2nd Ks_NAF key of record is compared, when the first Ks_NAF key is identical as the 2nd Ks_NAF key of self record,
Complete two-way authentication;When the 2nd Ks_NAF key of the first Ks_NAF key and self record is not identical, TSM platform can be with
To processor return authentication failure news.It can be seen that TEE Server is to realize transport layer as transfer from above process
Encryption.
Step 716, after authenticating successfully, TSM platform is the security initialization for completing TEE;
Here, since processor generates the first Ks_NAF key, and the first Ks_NAF key and the 2nd Ks_NAF key
It is identical, it can be said that TSM platform manages key to processor write-in TEE, that is, complete the security initialization of TEE.
It need to be noted that: the description of apparatus above embodiment describes similar with above method embodiment, has same
The same beneficial effect of embodiment of the method, therefore do not repeat them here.For undisclosed technical detail in apparatus of the present invention embodiment,
It please refers to the description of embodiment of the present invention method and understands, which is not described herein again.
In several embodiments provided herein, it should be understood that disclosed device and method can pass through it
Its mode is realized.Apparatus embodiments described above are merely indicative, for example, the division of the unit, only
A kind of logical function partition, there may be another division manner in actual implementation, such as: multiple units or components can combine, or
It is desirably integrated into another system, or some features can be ignored or not executed.In addition, shown or discussed each composition portion
Mutual coupling or direct-coupling or communication connection is divided to can be through some interfaces, the INDIRECT COUPLING of equipment or unit
Or communication connection, it can be electrical, mechanical or other forms.
Above-mentioned unit as illustrated by the separation member, which can be or may not be, to be physically separated, aobvious as unit
The component shown can be or may not be physical unit;Both it can be located in one place, and may be distributed over multiple network lists
In member;Some or all of units can be selected to achieve the purpose of the solution of this embodiment according to the actual needs.
In addition, each functional unit in various embodiments of the present invention can be fully integrated in one processing unit, it can also
To be each unit individually as a unit, can also be integrated in one unit with two or more units;It is above-mentioned
Integrated unit both can take the form of hardware realization, can also realize in the form of hardware adds SFU software functional unit.
Those of ordinary skill in the art will appreciate that: realize that all or part of the steps of above method embodiment can pass through
The relevant hardware of program instruction is completed, and program above-mentioned can store in computer-readable storage medium, which exists
When execution, step including the steps of the foregoing method embodiments is executed;And storage medium above-mentioned includes: movable storage device, read-only deposits
The various media that can store program code such as reservoir (Read Only Memory, ROM), magnetic or disk.
If alternatively, the above-mentioned integrated unit of the present invention is realized in the form of software function module and as independent product
When selling or using, it also can store in a computer readable storage medium.Based on this understanding, the present invention is implemented
Substantially the part that contributes to existing technology can be embodied in the form of software products the technical solution of example in other words,
The computer software product is stored in a storage medium, including some instructions are used so that computer equipment (can be with
It is personal computer, server or network equipment etc.) execute all or part of each embodiment the method for the present invention.
And storage medium above-mentioned includes: various Jie that can store program code such as movable storage device, ROM, magnetic or disk
Matter.
The above description is merely a specific embodiment, but scope of protection of the present invention is not limited thereto, any
Those familiar with the art in the technical scope disclosed by the present invention, can easily think of the change or the replacement, and should all contain
Lid is within protection scope of the present invention.Therefore, protection scope of the present invention should be based on the protection scope of the described claims.
Claims (24)
1. a kind of method for initializing credible performing environment, which is characterized in that the described method includes:
Credible performing environment server obtains the international mobile subscriber identity for showing user identity;
The credible performing environment server determines the ground of trusted service management platform according to the international mobile subscriber identity
Location information;
The credible performing environment server uses the international movement according to the address information of trusted service management platform
Family identification code is sent to trusted service management platform, obtains NAF_ID information to trigger the trusted service management platform;
NAF_ID information is sent to processing unit by the credible performing environment server, with trigger the processing unit according to
NAF_ID information generates the first Ks_NAF key, and the processing unit is made to complete credible hold using the first Ks_NAF key
The initialization procedure of row environment;Wherein, operation has the credible performing environment on the processing unit.
2. the method according to claim 1, wherein obtaining in the credible performing environment server for table
After the international mobile subscriber identity of bright user identity, the method also includes:
The credible performing environment server establishes the first exit passageway, and first exit passageway is the credible performing environment
Exit passageway between server and processor;
Accordingly, the credible performing environment server obtains the international mobile subscriber identity for showing user identity, packet
It includes:
For the credible performing environment server by first exit passageway, the world obtained for showing user identity is mobile
CUSTOMER ID;
Accordingly, NAF_ID information is sent to processing unit by the credible performing environment server, comprising:
NAF_ID information is sent to processing unit by first exit passageway by the credible performing environment server.
3. method according to claim 1 or 2, which is characterized in that in the credible performing environment server according to
International mobile subscriber identity, after determining the address information that trusted service manages platform, the method also includes:
The credible performing environment server establishes the second exit passageway, and second exit passageway is the credible performing environment
Exit passageway between server and trusted service management platform;
Accordingly, the credible performing environment server manages the address information of platform according to the trusted service, by the state
Border mobile identification number is sent to trusted service management platform, comprising:
The credible performing environment server passes through second safety according to the address information of trusted service management platform
The international mobile subscriber identity is sent to trusted service management platform by channel;
Accordingly, the credible performing environment server receives the NAF_ID information that the trusted service management platform is sent, packet
It includes:
The credible performing environment server receives the trusted service by second exit passageway and manages what platform was sent
NAF_ID information.
4. a kind of method for initializing credible performing environment, which is characterized in that the described method includes:
Processor obtains the international mobile subscriber identity for showing user identity;
The international mobile subscriber identity is sent to credible performing environment server by the processor, so as to trigger it is described can
Believe that performing environment server obtains NAF_ID information;
The processor receives the acquisition NAF_ID information that the credible performing environment server is sent;
The processor generates the first Ks_NAF key according to the NAF_ID information, and complete using the first Ks_NAF key
At the initialization procedure of credible performing environment.
5. according to the method described in claim 4, it is characterized in that, described complete credible hold using the first Ks_NAF key
The initialization procedure of row environment, comprising:
The processor completes the certification between trusted service management platform using the first Ks_NAF key, to complete credible
The initialization procedure of performing environment.
6. method according to claim 4 or 5, which is characterized in that obtain in the processor for showing user identity
International mobile subscriber identity after, the method also includes:
The processor establishes the first exit passageway, and first exit passageway is the processor and the credible performing environment
Exit passageway between server and processor;
Accordingly, the international mobile subscriber identity is sent to credible performing environment server by the processor, comprising:
The international mobile subscriber identity is sent to credible performing environment by first exit passageway by the processor
Server;
Accordingly, the processor receives the acquisition NAF_ID information that the credible performing environment server is sent, comprising:
The processor receives the acquisition NAF_ID that the credible performing environment server is sent by first exit passageway
Information.
7. a kind of method for initializing credible performing environment, which is characterized in that the described method includes:
Trusted service management platform receives the international mobile subscriber identity that credible performing environment server is sent;
The trusted service management platform verifies the validity of the international mobile subscriber identity;
When the verification international mobile subscriber identity is effective, the trusted service management platform obtains NAF_ID information;
The NAF_ID information and the international mobile subscriber identity are sent to guidance clothes by the trusted service management platform
Business function platform, it is close to the 2nd Ks_NAF of trusted service management platform transmission to trigger the guide service function platform
Key;
After trusted service management platform receives the 2nd Ks_NAF key of guide service function platform transmission, to it is described can
Believe that performing environment server sends NAF_ID information, so that NAF_ID information is sent to place by the credible performing environment server
Unit is managed, generates the first Ks_NAF key to trigger the processing unit according to NAF_ID information, and makes the processing unit benefit
The initialization procedure of credible performing environment is completed with the first Ks_NAF key.
8. the method according to the description of claim 7 is characterized in that the method also includes: when verifying described international mobile use
When family identification code fails, the information of verification failure is sent to the credible performing environment service by the trusted service management platform
Device, to prompt each side's initialization failure.
9. the method according to the description of claim 7 is characterized in that the method also includes:
The trusted service management platform establishes the second exit passageway, and second exit passageway is flat for the trusted service management
Exit passageway between platform and the credible performing environment server;
Accordingly, the trusted service management platform receives the international mobile subscriber identification that credible performing environment server is sent
Code, comprising:
The trusted service management platform receives the world that credible performing environment server is sent by second exit passageway
Mobile identification number;
Accordingly, after the trusted service management platform receives the 2nd Ks_NAF key that guide service function platform is sent,
NAF_ID information is sent to the credible performing environment server, comprising:
After the trusted service management platform receives the 2nd Ks_NAF key of guide service function platform transmission, by described
Second exit passageway sends NAF_ID information to the credible performing environment server.
10. method according to any one of claims 7 to 9, which is characterized in that the method also includes:
The trusted service management platform receives the first Ks_NAF key that processing unit is sent;
The trusted service management platform judges whether the first Ks_NAF key is identical as the 2nd Ks_NAF key of itself,
Obtain the first judging result;
When first judging result shows that the first Ks_NAF key is identical as the 2nd Ks_NAF key of itself, complete
The initialization procedure of credible performing environment.
11. according to the method described in claim 10, it is characterized in that, the method also includes: when first judging result
When showing that the 2nd Ks_NAF key of the first Ks_NAF key and itself is not identical, initialization failure, and sent out to processor
Send initialization failure news.
12. a kind of method for initializing credible performing environment, which is characterized in that the described method includes:
Processor obtains the international mobile subscriber identity for showing user identity;
Credible performing environment server receives the processor and sends the international mobile subscriber identity;
The international mobile subscriber identity is sent to credible performing environment server by the processor, so as to trigger it is described can
Believe that performing environment server obtains NAF_ID information;
The credible performing environment server determines the ground of trusted service management platform according to the international mobile subscriber identity
Location information;
The credible performing environment server uses the international movement according to the address information of trusted service management platform
Family identification code is sent to trusted service management platform, obtains NAF_ID information to trigger the trusted service management platform;
The trusted service management platform receives the international mobile subscriber identity that credible performing environment server is sent;
The trusted service management platform verifies the validity of the international mobile subscriber identity;
When the verification international mobile subscriber identity is effective, the trusted service management platform obtains NAF_ID information;
The NAF_ID information and the international mobile subscriber identity are sent to guidance clothes by the trusted service management platform
Business function platform, it is close to the 2nd Ks_NAF of trusted service management platform transmission to trigger the guide service function platform
Key;
After trusted service management platform receives the 2nd Ks_NAF key of guide service function platform transmission, to it is described can
Believe that performing environment server sends NAF_ID information;
NAF_ID information is sent to processing unit by the credible performing environment server, with trigger the processing unit according to
NAF_ID information generates the first Ks_NAF key;
The processor receives the acquisition NAF_ID information that the credible performing environment server is sent;
The processor generates the first Ks_NAF key according to the NAF_ID information, and complete using the first Ks_NAF key
At the initialization procedure of credible performing environment.
13. a kind of credible performing environment server, which is characterized in that the credible performing environment server includes that the first acquisition is single
Member, determination unit, the first transmission unit, the first receiving unit and the second transmission unit, in which:
The first acquisition unit, for obtaining the international mobile subscriber identity for showing user identity;
The determination unit, for determining the address letter of trusted service management platform according to the international mobile subscriber identity
Breath;
First transmission unit, for the address information according to trusted service management platform, by the international mobile use
Family identification code is sent to trusted service management platform, obtains NAF_ID information to trigger the trusted service management platform;
First receiving unit, the NAF_ID information sent for receiving the trusted service management platform;
Second transmission unit, for NAF_ID information to be sent to processing unit, with trigger the processing unit according to
NAF_ID information generates the first Ks_NAF key, and the processing unit is made to complete credible hold using the first Ks_NAF key
The initialization procedure of row environment;Wherein, operation has the credible performing environment on the processing unit.
14. credible performing environment server according to claim 13, which is characterized in that the credible performing environment service
Device further includes first establishing unit, and for establishing the first exit passageway, first exit passageway is the credible performing environment
Exit passageway between server and processor;
Accordingly, the first acquisition unit, for obtaining the state for showing user identity by first exit passageway
Border mobile identification number;
Second transmission unit, for NAF_ID information to be sent to processing unit by first exit passageway.
15. credible performing environment server described in 3 or 14 according to claim 1, which is characterized in that the credible performing environment
Server further includes second establishing unit, and for establishing the second exit passageway, second exit passageway is the credible execution
Exit passageway between environment server and trusted service management platform;
Accordingly, first transmission unit passes through described for the address information according to trusted service management platform
The international mobile subscriber identity is sent to trusted service management platform by two exit passageways;
Accordingly, first receiving unit manages platform for receiving the trusted service by second exit passageway
The NAF_ID information of transmission.
16. a kind of processor, which is characterized in that the processor includes second acquisition unit, third transmission unit, the second reception
Unit, generation unit and the first initialization unit, in which:
The second acquisition unit, for obtaining the international mobile subscriber identity for showing user identity;
The third transmission unit, for the international mobile subscriber identity to be sent to credible performing environment server, with
Just it triggers the credible performing environment server and obtains NAF_ID information;
Second receiving unit, the acquisition NAF_ID information sent for receiving the credible performing environment server;
The generation unit, for generating the first Ks_NAF key according to the NAF_ID information;
First initialization unit, for completing the initialization of credible performing environment using the first Ks_NAF key
Journey.
17. processor according to claim 16, which is characterized in that first initialization unit, for utilizing first
Ks_NAF key completes the certification between trusted service management platform, to complete the initialization procedure of credible performing environment.
18. processor according to claim 16 or 17, which is characterized in that the processor further includes that third establishes list
Member, for establishing the first exit passageway, first exit passageway is the processor and the credible performing environment server
Exit passageway between processor;
Accordingly, the third transmission unit, for passing through first exit passageway for the international mobile subscriber identity
It is sent to credible performing environment server;
Accordingly, second receiving unit, for receiving the credible performing environment service by first exit passageway
The acquisition NAF_ID information that device is sent.
19. a kind of trusted service manages platform, which is characterized in that the trusted service management platform include third receiving unit,
Verification unit, third acquiring unit, the 4th transmission unit and the 5th transmission unit, in which:
The third receiving unit, the international mobile subscriber identity sent for receiving credible performing environment server;
The verification unit, for verifying the validity of the international mobile subscriber identity;
The third acquiring unit, for obtaining NAF_ID information when the verification international mobile subscriber identity is effective;
4th transmission unit, for the NAF_ID information and the international mobile subscriber identity to be sent to guidance clothes
Business function platform, it is close to the 2nd Ks_NAF of trusted service management platform transmission to trigger the guide service function platform
Key;
5th transmission unit, after receiving the 2nd Ks_NAF key that guide service function platform is sent, Xiang Suoshu
Credible performing environment server sends NAF_ID information, so that NAF_ID information is sent to by the credible performing environment server
Processing unit generates the first Ks_NAF key to trigger the processing unit according to NAF_ID information, and makes the processing unit
The initialization procedure of credible performing environment is completed using the first Ks_NAF key.
20. trusted service according to claim 19 manages platform, which is characterized in that the trusted service management platform is also
Including the 6th transmission unit, for when verifying international mobile subscriber identity failure, the information of verification failure to be sent
To the credible performing environment server, to prompt each side's initialization failure.
21. trusted service according to claim 19 manages platform, which is characterized in that the trusted service management platform is also
Unit is established including the 4th, for establishing the second exit passageway, second exit passageway is that the trusted service manages platform
With the exit passageway between the credible performing environment server;
Accordingly, the third receiving unit, for receiving credible performing environment server hair by second exit passageway
The international mobile subscriber identity sent;
Accordingly, the 5th transmission unit, after receiving the 2nd Ks_NAF key that guide service function platform is sent,
NAF_ID information is sent to the credible performing environment server by second exit passageway.
22. 9 to 21 described in any item trusted services manage platform according to claim 1, which is characterized in that the trusted service
Managing platform further includes the 4th receiving unit, judging unit and the second initialization unit, in which:
4th receiving unit, for receiving the first Ks_NAF key of processing unit transmission;
The judging unit, for judging whether the first Ks_NAF key is identical as the 2nd Ks_NAF key of itself, obtains
To the first judging result;
Second initialization unit, for when first judging result show the first Ks_NAF key and itself the
When two Ks_NAF keys are identical, the initialization procedure of credible performing environment is completed.
23. trusted service according to claim 22 manages platform, which is characterized in that the trusted service management platform is also
Including the 7th transmission unit, for showing the 2nd Ks_ of the first Ks_NAF key and itself when first judging result
When NAF key is not identical, initialization failure, and initialization failure news is sent to processor.
24. a kind of device for initializing credible performing environment, which is characterized in that described device includes processor, credible execution ring
Border server and trusted service manage platform, in which:
The processor, for obtaining the international mobile subscriber identity for showing user identity;
The credible performing environment server sends the international mobile subscriber identity for receiving the processor;
The processor, for the international mobile subscriber identity to be sent to credible performing environment server, to trigger
The credible performing environment server obtains NAF_ID information;
The credible performing environment server, for determining that trusted service management is flat according to the international mobile subscriber identity
The address information of platform;
The credible performing environment server, for the address information according to trusted service management platform, by the world
Mobile identification number is sent to trusted service management platform, obtains NAF_ID letter to trigger the trusted service management platform
Breath;
The trusted service manages platform, the international mobile subscriber identity sent for receiving credible performing environment server;
The trusted service manages platform, for verifying the validity of the international mobile subscriber identity;
When the verification international mobile subscriber identity is effective, the trusted service manages platform, for obtaining NAF_ID letter
Breath;
The trusted service manages platform, for the NAF_ID information and the international mobile subscriber identity to be sent to and draw
Service function platform is led, sends the 2nd Ks_ to trigger the guide service function platform to trusted service management platform
NAF key;
The trusted service manages platform, after the 2nd Ks_NAF key for receiving the transmission of guide service function platform, to
The credible performing environment server sends NAF_ID information;
The credible performing environment server, for NAF_ID information to be sent to processing unit, to trigger the processing unit
The first Ks_NAF key is generated according to NAF_ID information;
The processor, the acquisition NAF_ID information sent for receiving the credible performing environment server;
The processor for generating the first Ks_NAF key according to the NAF_ID information, and utilizes the first Ks_NAF
Key completes the initialization procedure of credible performing environment.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410779238.9A CN105792167B (en) | 2014-12-15 | 2014-12-15 | A kind of method and device initializing credible performing environment, equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410779238.9A CN105792167B (en) | 2014-12-15 | 2014-12-15 | A kind of method and device initializing credible performing environment, equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105792167A CN105792167A (en) | 2016-07-20 |
CN105792167B true CN105792167B (en) | 2019-06-25 |
Family
ID=56374800
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410779238.9A Active CN105792167B (en) | 2014-12-15 | 2014-12-15 | A kind of method and device initializing credible performing environment, equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105792167B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106954211B (en) * | 2017-03-08 | 2019-08-20 | Oppo广东移动通信有限公司 | A kind of key wiring method and mobile terminal |
US10511575B2 (en) * | 2017-09-18 | 2019-12-17 | Huawei Technologies Co., Ltd. | Securing delegated credentials in third-party networks |
CN113518349A (en) * | 2020-10-23 | 2021-10-19 | 中国移动通信有限公司研究院 | Service management method, device, system and storage medium |
CN113572789A (en) * | 2021-08-17 | 2021-10-29 | 四川启睿克科技有限公司 | Secret-free login system and method for Internet of things intelligent equipment application |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8527759B2 (en) * | 2008-05-23 | 2013-09-03 | Telefonaktiebolaget L M Ericsson (Publ) | IMS user equipment, control method thereof, host device, and control method thereof |
CN102238540A (en) * | 2010-04-27 | 2011-11-09 | 中国移动通信集团公司 | Method, device and system for updating key of general guide architecture |
CN102934118B (en) * | 2010-06-10 | 2015-11-25 | 瑞典爱立信有限公司 | Subscriber equipment and control method thereof |
CN102413464B (en) * | 2011-11-24 | 2014-07-09 | 杭州东信北邮信息技术有限公司 | GBA (General Bootstrapping Architecture)-based secret key negotiation system and method of telecommunication capability open platform |
US9591484B2 (en) * | 2012-04-20 | 2017-03-07 | T-Mobile Usa, Inc. | Secure environment for subscriber device |
-
2014
- 2014-12-15 CN CN201410779238.9A patent/CN105792167B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN105792167A (en) | 2016-07-20 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Yazdinejad et al. | Blockchain-enabled authentication handover with efficient privacy protection in SDN-based 5G networks | |
CN106161359B (en) | It authenticates the method and device of user, register the method and device of wearable device | |
CN102143482B (en) | Method and system for authenticating mobile banking client information, and mobile terminal | |
CN110311883A (en) | Identity management method, equipment, communication network and storage medium | |
CN108462710B (en) | Authentication and authorization method, device, authentication server and machine-readable storage medium | |
KR101243713B1 (en) | Wireless lan access point and method for accessing wireless lan | |
CN105119722B (en) | A kind of auth method, equipment and system | |
CN109547464A (en) | For storing and executing the method and device of access control clients | |
CN104467923B (en) | Method, equipment and system that equipment is interacted | |
CN104301289B (en) | Equipment for safety information interaction | |
CN105792167B (en) | A kind of method and device initializing credible performing environment, equipment | |
CN111131416A (en) | Business service providing method and device, storage medium and electronic device | |
CN106936774A (en) | Authentication method and system in credible performing environment | |
CN105812334B (en) | A kind of method for network authorization | |
CN108022100B (en) | Cross authentication system and method based on block chain technology | |
CN112804354B (en) | Method and device for data transmission across chains, computer equipment and storage medium | |
CN101765101B (en) | Method and system for aerially writing personalized card | |
CN103188241A (en) | User account management method based on mobile intelligent terminal number | |
CN110166255A (en) | Auth method, equipment and storage medium based on alliance's block chain | |
CN105101147A (en) | Method and system for realizing directional flow of mobile app | |
CN105635168A (en) | Off-line transaction device and security key using method thereof | |
CN105898743A (en) | Network connection method, device and system | |
CN109327431A (en) | Handle the resource request in mobile device | |
CN110247758A (en) | The method, apparatus and code management device of Password Management | |
CN108600234A (en) | A kind of auth method, device and mobile terminal |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |