CN105792167B - A kind of method and device initializing credible performing environment, equipment - Google Patents

A kind of method and device initializing credible performing environment, equipment Download PDF

Info

Publication number
CN105792167B
CN105792167B CN201410779238.9A CN201410779238A CN105792167B CN 105792167 B CN105792167 B CN 105792167B CN 201410779238 A CN201410779238 A CN 201410779238A CN 105792167 B CN105792167 B CN 105792167B
Authority
CN
China
Prior art keywords
naf
performing environment
credible performing
information
trusted service
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201410779238.9A
Other languages
Chinese (zh)
Other versions
CN105792167A (en
Inventor
黄更生
乐祖晖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Communications Group Co Ltd filed Critical China Mobile Communications Group Co Ltd
Priority to CN201410779238.9A priority Critical patent/CN105792167B/en
Publication of CN105792167A publication Critical patent/CN105792167A/en
Application granted granted Critical
Publication of CN105792167B publication Critical patent/CN105792167B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention discloses a kind of method and devices for initializing credible performing environment, equipment, wherein the described method includes: credible performing environment server obtains the international mobile subscriber identity for showing user identity;The credible performing environment server determines that trusted service manages the address information of platform according to the international mobile subscriber identity;The international mobile subscriber identity is sent to trusted service management platform according to the address information of trusted service management platform by the credible performing environment server, obtains NAF_ID information to trigger the trusted service management platform;NAF_ID information is sent to processing unit by the credible performing environment server, generates the first Ks_NAF key to trigger the processing unit according to NAF_ID information, operation has the credible performing environment on the processing unit.

Description

A kind of method and device initializing credible performing environment, equipment
Technical field
The present invention relates to the communication technology more particularly to a kind of method and devices for initializing credible performing environment, equipment.
Background technique
The advantages that mobile payment is with its mobility and timeliness, is rapidly developed.Due to mobile payment what is involved is Financial transaction, then the safety of mobile payment on the terminal device always by people concern.Existing terminal device is only Including an operating environment, i.e., by operating systems such as widely known Android (Android) operating system, iOS operating systems, this The operating systems such as class Android and iOS are referred to as abundant performing environment (REE, Rich Execution Environment), because There is powerful processing capacity and multimedia function for this type operating system.It is enterprising in the terminal device for only including abundant performing environment When row mobile payment, all mobile payment operations are completed under abundant performing environment;For example, user is in smart phone When the upper progress mobile payment by mobile payment applications programs such as Alipays, including input password, encryption and decryption etc. are relevant Mobile payment operation is completed under abundant performing environment.Under abundant performing environment, mobile payment operation is likely to Wooden horse is infected, is intercepted or is attacked by hacker, to influence the safety of mobile payment.
In order to improve the safety of mobile payment, on the basis of existing abundant performing environment, and propose a kind of credible Performing environment (TEE, Trusted Execution Environment), credible performing environment refers to secure processing capability With the trusted operating system of offer secure peripheral operation.Application in credible performing environment is all ability under the premise of ensuring safety It is downloaded and installs, guarantee the safety of mobile payment with this.On the terminal device, as Figure 1-1, credible operation ring Border and abundant running environment is mutually isolated, independent operating;By taking smart phone as an example, credible performing environment and abundant performing environment can Can be run based on same hardware, such as credible performing environment and abundant performing environment are all based on application processor (Application Processor) and run.As the secure operating environment in terminal device, the peace of credible running environment Full initialization is particularly important.
Currently, the initialization for credible performing environment, relatively conventional is that preset master control is close in credible performing environment Key, it is subsequent that other keys are created by master control key again in use.The master control key of credible performing environment is set in terminal In standby production process, controlling party that is preset, and needing in preset master control key clear master control key is carried out by device manufacturer, Due to master control code key be carried out by device manufacturer it is preset, then the controlling party of master control key is exactly device manufacturer.When terminal is set After standby dispensing is arrived in the market, terminal device is generally managed by common carrier, and in other words, credible performing environment is by leading to Letter operator is managed, it is seen then that the manager of master control code key is not but the controlling party of master control key, and the manager of master control code key exists May there are security risk and trust problem when replacing master control key.
Summary of the invention
In view of this, the embodiment of the present invention be solves the problems, such as it is existing in the prior art at least one and provide it is a kind of initially Method and device, the equipment for changing credible performing environment enable to close without clear master control in the production process of terminal device The controlling party of key, to avoid security risk and trust problem.
The technical solution of the embodiment of the present invention is achieved in that
In a first aspect, the embodiment of the present invention provides a kind of method for initializing credible performing environment, which comprises
Credible performing environment server obtains the international mobile subscriber identity for showing user identity;
The credible performing environment server determines that trusted service manages platform according to the international mobile subscriber identity Address information;
The credible performing environment server moves the world according to the address information of trusted service management platform Dynamic CUSTOMER ID is sent to trusted service management platform, obtains NAF_ID letter to trigger the trusted service management platform Breath;
NAF_ID information is sent to processing unit by the credible performing environment server, to trigger the processing unit root The first Ks_NAF key is generated according to NAF_ID information, operation has the credible performing environment on the processing unit.
Second aspect, the embodiment of the present invention provide a kind of method for initializing credible performing environment, which comprises
Processor obtains the international mobile subscriber identity for showing user identity;
The international mobile subscriber identity is sent to credible performing environment server by the processor, to trigger It states credible performing environment server and obtains NAF_ID information;
The processor receives the acquisition NAF_ID information that the credible performing environment server is sent;
The processor generates the first Ks_NAF key according to the NAF_ID information, and close using the first Ks_NAF Key completes the initialization procedure of credible performing environment.
The third aspect, the embodiment of the present invention provide a kind of method for initializing credible performing environment again, which comprises
Trusted service management platform receives the international mobile subscriber identity that credible performing environment server is sent;
The trusted service management platform verifies the validity of the international mobile subscriber identity;
When the verification international mobile subscriber identity is effective, the trusted service management platform obtains NAF_ID letter Breath;
The NAF_ID information and the international mobile subscriber identity are sent to and are drawn by the trusted service management platform Service function platform is led, sends the 2nd Ks_ to trigger the guide service function platform to trusted service management platform NAF key;
After the trusted service management platform receives the 2nd Ks_NAF key of guide service function platform transmission, to institute It states credible performing environment server and sends NAF_ID information.
Fourth aspect, a kind of method for initializing credible performing environment of the embodiment of the present invention, which comprises
Processor obtains the international mobile subscriber identity for showing user identity;
Credible performing environment server receives the processor and sends the international mobile subscriber identity;
The international mobile subscriber identity is sent to credible performing environment server by the processor, to trigger It states credible performing environment server and obtains NAF_ID information;
The credible performing environment server determines that trusted service manages platform according to the international mobile subscriber identity Address information;
The credible performing environment server moves the world according to the address information of trusted service management platform Dynamic CUSTOMER ID is sent to trusted service management platform, obtains NAF_ID letter to trigger the trusted service management platform Breath;
The trusted service management platform receives the international mobile subscriber identity that credible performing environment server is sent;
The trusted service management platform verifies the validity of the international mobile subscriber identity;
When the verification international mobile subscriber identity is effective, the trusted service management platform obtains NAF_ID letter Breath;
The NAF_ID information and the international mobile subscriber identity are sent to and are drawn by the trusted service management platform Service function platform is led, sends the 2nd Ks_ to trigger the guide service function platform to trusted service management platform NAF key;
After the trusted service management platform receives the 2nd Ks_NAF key of guide service function platform transmission, to institute It states credible performing environment server and sends NAF_ID information;
NAF_ID information is sent to processing unit by the credible performing environment server, to trigger the processing unit root The first Ks_NAF key is generated according to NAF_ID information;
The processor receives the acquisition NAF_ID information that the credible performing environment server is sent;
The processor generates the first Ks_NAF key according to the NAF_ID information, and close using the first Ks_NAF Key completes the initialization procedure of credible performing environment.
5th aspect, the embodiment of the present invention provide a kind of credible performing environment server, the credible performing environment service Device includes first acquisition unit, determination unit, the first transmission unit, the first receiving unit and the second transmission unit, in which:
The first acquisition unit, for obtaining the international mobile subscriber identity for showing user identity;
The determination unit, for determining the ground of trusted service management platform according to the international mobile subscriber identity Location information;
First transmission unit, for the address information according to trusted service management platform, by the international shifting Dynamic CUSTOMER ID is sent to trusted service management platform, obtains NAF_ID letter to trigger the trusted service management platform Breath;
First receiving unit, the NAF_ID information sent for receiving the trusted service management platform;
Second transmission unit, for NAF_ID information to be sent to processing unit, to trigger the processing unit root The first Ks_NAF key is generated according to NAF_ID information, operation has the credible performing environment on the processing unit.
6th aspect, the embodiment of the present invention provide a kind of processor, and the processor includes second acquisition unit, third hair Send unit, the second receiving unit, generation unit and the first initialization unit, in which:
The second acquisition unit, for obtaining the international mobile subscriber identity for showing user identity;
The third transmission unit, for the international mobile subscriber identity to be sent to credible performing environment service Device obtains NAF_ID information to trigger the credible performing environment server;
Second receiving unit, the acquisition NAF_ID information sent for receiving the credible performing environment server;
The generation unit, for generating the first Ks_NAF key according to the NAF_ID information;
First initialization unit, for completing the initialization of credible performing environment using the first Ks_NAF key Process.
7th aspect, the embodiment of the present invention provide a kind of trusted service management platform, and the trusted service manages platform packet Include third receiving unit, verification unit, third acquiring unit, the 4th transmission unit and the 5th transmission unit, in which:
The third receiving unit, the international mobile subscriber identity sent for receiving credible performing environment server;
The verification unit, for verifying the validity of the international mobile subscriber identity;
The third acquiring unit, for obtaining NAF_ID letter when the verification international mobile subscriber identity is effective Breath;
4th transmission unit, for the NAF_ID information and the international mobile subscriber identity to be sent to and draw Service function platform is led, sends the 2nd Ks_ to trigger the guide service function platform to trusted service management platform NAF key;
5th transmission unit, after receiving the 2nd Ks_NAF key that guide service function platform is sent, to The credible performing environment server sends NAF_ID information.
Eighth aspect, the embodiment of the present invention provide a kind of device for initializing credible performing environment, and described device includes place It manages device, credible performing environment server and trusted service and manages platform, in which:
The processor, for obtaining the international mobile subscriber identity for showing user identity;
The credible performing environment server sends the international mobile subscriber identity for receiving the processor;
The processor, for the international mobile subscriber identity to be sent to credible performing environment server, so as to It triggers the credible performing environment server and obtains NAF_ID information;
The credible performing environment server, for determining trusted service pipe according to the international mobile subscriber identity The address information of platform;
The credible performing environment server will be described for the address information according to trusted service management platform International mobile subscriber identity is sent to trusted service management platform, obtains NAF_ to trigger the trusted service management platform Id information;
The trusted service manages platform, the international mobile subscriber identification sent for receiving credible performing environment server Code;
The trusted service manages platform, for verifying the validity of the international mobile subscriber identity;
When the verification international mobile subscriber identity is effective, the trusted service manages platform, for obtaining NAF_ Id information;
The trusted service manages platform, for sending the NAF_ID information and the international mobile subscriber identity Guide service function platform is given, sends second to trigger the guide service function platform to trusted service management platform Ks_NAF key;
The trusted service manages platform, for receiving the 2nd Ks_NAF key of guide service function platform transmission Afterwards, NAF_ID information is sent to the credible performing environment server;
The credible performing environment server, for NAF_ID information to be sent to processing unit, to trigger the processing Unit generates the first Ks_NAF key according to NAF_ID information;
The processor, the acquisition NAF_ID information sent for receiving the credible performing environment server;
The processor for generating the first Ks_NAF key according to the NAF_ID information, and utilizes the first Ks_ NAF key completes the initialization procedure of credible performing environment.
A kind of method and device initializing credible performing environment provided in an embodiment of the present invention, equipment, wherein credible to hold Row environment server obtains the international mobile subscriber identity for showing user identity;The credible performing environment server root According to the international mobile subscriber identity, the address information of trusted service management platform is determined;The credible performing environment service The international mobile subscriber identity is sent to trusted service pipe according to the address information of trusted service management platform by device Platform obtains NAF_ID information to trigger the trusted service management platform;The credible performing environment server will NAF_ID information is sent to processing unit, generates the first Ks_NAF key to trigger the processing unit according to NAF_ID information, Operation has the credible performing environment on the processing unit, so, it is possible so that being not necessarily in the production process of terminal device The controlling party of master control key is specified, to avoid security risk and trust problem.
Detailed description of the invention
Fig. 1-1 is the relation schematic diagram of credible performing environment and abundant performing environment in the related technology;
Fig. 1-2 is the relationship initialized between each equipment involved in the method for credible performing environment in the embodiment of the present invention Schematic diagram;
Fig. 1-3 is the implementation process schematic diagram for the method that the embodiment of the present invention one initializes credible performing environment;
Fig. 2 is the implementation process schematic diagram for the method that the embodiment of the present invention two initializes credible performing environment;
Fig. 3 is the implementation process schematic diagram for the method that the embodiment of the present invention three initializes credible performing environment;
Fig. 4 is the composed structure schematic diagram of the credible performing environment server of the embodiment of the present invention four;
Fig. 5 is the composed structure schematic diagram of five processor of the embodiment of the present invention;
Fig. 6 is the composed structure schematic diagram that six trusted service of the embodiment of the present invention manages platform.
Fig. 7 is the implementation process schematic diagram for the method that the embodiment of the present invention eight initializes credible performing environment.
Specific embodiment
In order to solve the above technical problems, the technical solution that following embodiment of the invention provides, by generic authentication architecture The security initialization behaviour of credible performing environment is completed on the basis of (GBA, General Bootstrapping Architecture) Make, specifically, user is inserted into after Subscriber Identity Module in terminal device, will carry out generic authentication architecture process, common authentication After framework process terminates, initialization that Subscriber Identity Module will trigger a series of equipment and be automatically performed credible performing environment Journey.As shown in Figs. 1-2, the technical solution that following embodiment of the present invention provides, will be related to following interactive object, and mainly include Subscriber Identity Module, processor, credible performing environment server, trusted service manage platform (TSM, Trusted Service Management) and guide service function platform (BSF, Bootstrapping Service Function), in which: can convince Actual management side of the business management platform as credible performing environment, can be provided by common carrier;In generic authentication architecture In play the part of network application function (NAF, Network Application Function) role, and between guide service platform It holds consultation, to obtain Ks_NAF key.Such as cell phone manufacturer, terminal device provider preset first key in the processor, institute First key is stated for ensuring secure communication and identification authentication between processor and credible performing environment server.By this hair The technical solution that bright embodiment provides enables to the provider of terminal device without clear master control key in process of production Controlling party, and user is inserted into after Subscriber Identity Module in terminal device can be automatically performed the safety of credible performing environment just Beginning process.
Here, the guide service function platform can be provided by common carrier, the credible performing environment service Device can be provided by the provider of terminal device.
Here, the first key can be symmetric key or private/public key, the credible execution ring of credible performing environment The public key of border server (TEE Server);
Here, the processor refers to the processor for running the credible performing environment, when terminal device is mobile phone, The processor can be application processor.
Here, generic authentication architecture (GBA, General Bootstrapping Architecture) is that the third generation closes Make one kind that Partnership Program (3GPP, 3rd Generation Partnership Project) defines and is based on mobile radio communication The security infrastructure of network, lightweight can provide unified Security Authentication Service, about common authentication frame for application layer business The initialization process of structure can be refering to the relevant criterion of third generation partner program.
Here, the Subscriber Identity Module includes the Subscriber Identity Module of the second generation, the third generation, forth generation etc., wherein the second band Subscriber Identity Module is commonly referred to as subscriber identification module (SIM, Subscriber Identity Module), third generation user identification Card is commonly referred to as universal subscriber identity module (USIM, Universal Subscriber Identity Module).
Here, terminal device may include smart phone, tablet computer, point of sale (POS, Point of Sales) machine, The equipment such as personal digital assistant.
The technical solution of the present invention is further elaborated in the following with reference to the drawings and specific embodiments.
Embodiment one
The embodiment of the present invention one provides a kind of method for initializing credible performing environment, and Fig. 1-3 is the embodiment of the present invention one The implementation process schematic diagram of the method for credible performing environment is initialized, is applied to credible performing environment server, such as Fig. 1-3 institute Show, this method comprises:
Step 101, credible performing environment server obtains the international mobile subscriber identity for showing user identity (IMSI, International Mobile Subscriber Identification Number);
Here, the credible performing environment server can be provided by the provider of terminal device, described international mobile CUSTOMER ID is that the IMSI of Subscriber Identity Module is identified.
Step 102, the credible performing environment server determines trusted service according to the international mobile subscriber identity Manage the address information of platform;
Here, when terminal device is mobile phone, what the credible performing environment server can also be reported according to processor Cell-phone number determines the address information of trusted service management platform;Alternatively, the credible performing environment server can also be according to place The cell-phone number and international mobile subscriber identity that reason device reports determine the address information of trusted service management platform.
Step 103, the credible performing environment server manages the address information of platform according to the trusted service, by institute It states international mobile subscriber identity and is sent to trusted service management platform, obtain net to trigger the trusted service management platform Mark (NAF_ID) information of network application function platform;
Here, since network application function platform can be multiple, it is therefore desirable to obtain and international mobile subscriber identity phase The identification information of the network application function platform of pass.
Step 104, NAF_ID information is sent to processing unit by the credible performing environment server, to trigger the place It manages unit and the first Ks_NAF key is generated according to NAF_ID information.
Here, operation has the credible performing environment on the processing unit.
In the embodiment of the present invention, obtaining in the credible performing environment server for showing that the international of user identity moves After dynamic CUSTOMER ID, the method also includes:
The credible performing environment server establishes the first exit passageway, and first exit passageway is the credible execution Exit passageway between environment server and processor;
Accordingly, the credible performing environment server obtains the international mobile subscriber for showing user identity and identifies Code, comprising:
The credible performing environment server obtains the world for showing user identity by first exit passageway Mobile identification number;
Accordingly, NAF_ID information is sent to processing unit by the credible performing environment server, comprising:
The credible performing environment server is sent to processing list by first exit passageway, by NAF_ID information Member.
In the embodiment of the present invention, in the credible performing environment server according to the international mobile subscriber identity, really After the address information for determining trusted service management platform, the method also includes:
The credible performing environment server establishes the second exit passageway, and second exit passageway is the credible execution Exit passageway between environment server and trusted service management platform;
Accordingly, the credible performing environment server, will be described according to the address information of the trusted service management screen International mobile subscriber identity is sent to trusted service management platform, comprising:
The credible performing environment server passes through described second according to the address information of trusted service management platform The international mobile subscriber identity is sent to trusted service management platform by exit passageway;
Accordingly, the credible performing environment server receives the NAF_ID letter that the trusted service management platform is sent Breath, comprising:
The credible performing environment server receives the trusted service by second exit passageway and manages platform hair The NAF_ID information sent.
In the embodiment of the present invention, before step 101, this method further include: user is inserted into terminal device in user After identification card, generic authentication architecture process will be carried out.
A kind of method and device initializing credible performing environment provided in an embodiment of the present invention, equipment, wherein credible to hold Row environment server obtains the international mobile subscriber identity for showing user identity;The credible performing environment server root According to the international mobile subscriber identity, the address information of trusted service management platform is determined;The credible performing environment service The international mobile subscriber identity is sent to trusted service pipe according to the address information of trusted service management platform by device Platform obtains NAF_ID information to trigger the trusted service management platform;The credible performing environment server will NAF_ID information is sent to processing unit, generates the first Ks_NAF key to trigger the processing unit according to NAF_ID information, Operation has the credible performing environment on the processing unit, so, it is possible so that being not necessarily in the production process of terminal device The controlling party of master control key is specified, to avoid security risk and trust problem.
Embodiment two
The embodiment of the present invention provides a kind of method for initializing credible performing environment, is applied in processor, and Fig. 2 is this hair Bright embodiment two initializes the implementation process schematic diagram of the method for credible performing environment, as shown in Fig. 2, this method comprises:
Step 201, processor obtains the international mobile subscriber identity for showing user identity;
Step 202, the international mobile subscriber identity is sent to credible performing environment server by the processor, with Just it triggers the credible performing environment server and obtains NAF_ID information;
Step 203, the processor receives the acquisition NAF_ID information that the credible performing environment server is sent;
Step 204, the processor generates the first Ks_NAF key according to the NAF_ID information, and utilizes described first Ks_NAF key completes the initialization procedure of credible performing environment.
In the embodiment of the present invention, the initialization that credible performing environment is completed using the first Ks_NAF key Journey, comprising:
The processor completes the certification between trusted service management platform using the first Ks_NAF key, to complete The initialization procedure of credible performing environment.
In the embodiment of the present invention, the international mobile subscriber identity for showing user identity is obtained in the processor Afterwards, the method also includes:
The processor establishes the first exit passageway, and first exit passageway is the processor and the credible execution Exit passageway between environment server and processor;
Accordingly, the international mobile subscriber identity is sent to credible performing environment server by the processor, packet It includes:
The international mobile subscriber identity is sent to credible execution by first exit passageway by the processor Environment server;
Accordingly, the processor receives the acquisition NAF_ID information that the credible performing environment server is sent, comprising:
The processor receives the acquisition that the credible performing environment server is sent by first exit passageway NAF_ID information.
Embodiment three
The embodiment of the present invention provides a kind of method for initializing credible performing environment, is applied to trusted service and manages platform, Fig. 3 is the implementation process schematic diagram for the method that the embodiment of the present invention three initializes credible performing environment, as shown in figure 3, this method Include:
Step 301, trusted service management platform receives the international mobile subscriber identification that credible performing environment server is sent Code;
Step 302, the trusted service management platform verifies the validity of the international mobile subscriber identity;
Step 303, when the verification international mobile subscriber identity is effective, the trusted service management platform is obtained NAF_ID information;
Step 304, the trusted service manages platform for the NAF_ID information and the international mobile subscriber identity It is sent to guide service function platform, is sent to trigger the guide service function platform to trusted service management platform 2nd Ks_NAF key;
Step 305, the 2nd Ks_NAF that the trusted service management platform receives the transmission of guide service function platform is close After key, NAF_ID information is sent to the credible performing environment server.
Step 306, when verifying international mobile subscriber identity failure, the trusted service management platform will be verified The information of failure is sent to the credible performing environment server, to prompt each side's initialization failure.
In the embodiment of the present invention, the method also includes:
The trusted service management platform establishes the second exit passageway, and second exit passageway is the trusted service pipe Exit passageway between platform and the credible performing environment server;
Accordingly, the trusted service management platform receives the international mobile subscriber that credible performing environment server is sent and knows Other code, comprising:
The trusted service management platform receives what credible performing environment server was sent by second exit passageway International mobile subscriber identity;
Accordingly, the trusted service management platform receives the 2nd Ks_NAF key of guide service function platform transmission Afterwards, NAF_ID information is sent to the credible performing environment server, comprising:
After the trusted service management platform receives the 2nd Ks_NAF key of guide service function platform transmission, pass through Second exit passageway sends NAF_ID information to the credible performing environment server.
In the embodiment of the present invention, the method also includes:
The first Ks_NAF key that trusted service management platform receiving area haircut is sent;
Trusted service management platform judges whether are the first Ks_NAF key and the 2nd Ks_NAF key of itself It is identical, obtain the first judging result;
When first judging result shows that the first Ks_NAF key is identical as the 2nd Ks_NAF key of itself, Complete the initialization procedure of credible performing environment.
When first judging result shows that the first Ks_NAF key is not identical as the 2nd Ks_NAF key of itself When, initialization failure, and initialization failure news is sent to processor.
Example IV
Based on embodiment of the method for the invention, the embodiment of the present invention provides a kind of credible performing environment server, and Fig. 4 is this The composed structure schematic diagram of the credible performing environment server of inventive embodiments four, as shown in figure 4, the credible performing environment server 400 include first acquisition unit 401, determination unit 402, the first transmission unit 403, the first receiving unit 404 and the second transmission Unit 405, in which:
The first acquisition unit 401, for obtaining the international mobile subscriber identity for showing user identity;
The determination unit 402, for determining trusted service management platform according to the international mobile subscriber identity Address information;
First transmission unit 403, for the address information according to trusted service management platform, by the world Mobile identification number is sent to trusted service management platform, obtains NAF_ID letter to trigger the trusted service management platform Breath;
First receiving unit 404, the NAF_ID information sent for receiving the trusted service management platform;
Second transmission unit 405, for NAF_ID information to be sent to processing unit, to trigger the processing unit The first Ks_NAF key is generated according to NAF_ID information, operation has the credible performing environment on the processing unit.
In the embodiment of the present invention, the credible performing environment server further includes first establishing unit, for establishing first Exit passageway, exit passageway of first exit passageway between the credible performing environment server and processor;
Accordingly, the first acquisition unit, for obtaining for showing user identity by first exit passageway International mobile subscriber identity;
Second transmission unit, for NAF_ID information to be sent to processing unit by first exit passageway.
In the embodiment of the present invention, the credible performing environment server further includes second establishing unit, for establishing second Exit passageway, second exit passageway are that the credible performing environment server and the trusted service manage between platform Exit passageway;
Accordingly, first transmission unit passes through institute for the address information according to trusted service management platform It states the second exit passageway and the international mobile subscriber identity is sent to trusted service management platform;
Accordingly, first receiving unit, for receiving the trusted service management by second exit passageway The NAF_ID information that platform is sent.
Here, the address information of trusted service management platform can be the identification information of trusted service management platform.
Embodiment five
The embodiment of the present invention provides a kind of processor, and Fig. 5 is the composed structure schematic diagram of five processor of the embodiment of the present invention, As shown in figure 5, the processor 500 includes second acquisition unit 501, third transmission unit 502, the second receiving unit 503, generates Unit 504 and the first initialization unit 505, in which:
The second acquisition unit 501, for obtaining the international mobile subscriber identity for showing user identity;
The third transmission unit 502 takes for the international mobile subscriber identity to be sent to credible performing environment Business device obtains NAF_ID information to trigger the credible performing environment server;
Second receiving unit 503, the acquisition NAF_ID letter sent for receiving the credible performing environment server Breath;
The generation unit 504, for generating the first Ks_NAF key according to the NAF_ID information;
First initialization unit 505, for completing the first of credible performing environment using the first Ks_NAF key Beginning process.
In the embodiment of the present invention, first initialization unit, for completing and can convince using the first Ks_NAF key Certification between business management platform, to complete the initialization procedure of credible performing environment.
In the embodiment of the present invention, the processor further includes that third establishes unit, described for establishing the first exit passageway Exit passageway of first exit passageway between the processor and the credible performing environment server and processor;
Accordingly, the third transmission unit, for being known the international mobile subscriber by first exit passageway Other code is sent to credible performing environment server;
Accordingly, second receiving unit, for receiving the credible performing environment by first exit passageway The acquisition NAF_ID information that server is sent.
Embodiment six
The embodiment of the present invention provides a kind of trusted service management platform, and Fig. 6 is six trusted service management of the embodiment of the present invention The composed structure schematic diagram of platform, as shown in fig. 6, trusted service management platform 600 includes third receiving unit 601, verification Unit 602, third acquiring unit 603, the 4th transmission unit 604, the 5th transmission unit 605 and the 6th transmission unit 606, In:
The third receiving unit 601, the international mobile subscriber identification sent for receiving credible performing environment server Code;
The verification unit 602, for verifying the validity of the international mobile subscriber identity;
The third acquiring unit 603, for obtaining NAF_ID when the verification international mobile subscriber identity is effective Information;
4th transmission unit 604, for sending the NAF_ID information and the international mobile subscriber identity Guide service function platform is given, sends second to trigger the guide service function platform to trusted service management platform Ks_NAF key;
5th transmission unit 605, after receiving the 2nd Ks_NAF key that guide service function platform is sent, NAF_ID information is sent to the credible performing environment server.
6th transmission unit 606, for when verifying international mobile subscriber identity failure, verification to be failed Information be sent to the credible performing environment server, so as to prompt each side initialization failure.
In the embodiment of the present invention, trusted service management platform further includes the 4th establishing unit, for establishing the second peace Full tunnel, second exit passageway are the peace between trusted service management platform and the credible performing environment server Full tunnel;
Accordingly, the third receiving unit, for receiving credible performing environment service by second exit passageway The international mobile subscriber identity that device is sent;
Accordingly, the 5th transmission unit, the 2nd Ks_NAF for receiving the transmission of guide service function platform are close After key, NAF_ID information is sent to the credible performing environment server by second exit passageway.
The embodiment of the present invention, trusted service management platform further include the 4th receiving unit, judging unit, the second initialization Unit and the 7th transmission unit, in which:
4th receiving unit, the first Ks_NAF key sent for receiving area's haircut;
The judging unit, for judge the first Ks_NAF key and itself the 2nd Ks_NAF key whether phase Together, the first judging result is obtained;
Second initialization unit, for showing the first Ks_NAF key and itself when first judging result The 2nd Ks_NAF key it is identical when, complete the initialization procedure of credible performing environment.
7th transmission unit, for when first judging result show the first Ks_NAF key and itself When 2nd Ks_NAF key is not identical, initialization failure, and initialization failure news is sent to processor.
Embodiment seven
Implemented based on above-mentioned processor, credible performing environment server example and trusted service management platform are implemented Example, the embodiment of the present invention provide a kind of device for initializing credible performing environment, and described device includes processor, credible execution ring Border server and trusted service manage platform, in which:
The processor, for obtaining the international mobile subscriber identity for showing user identity;
The credible performing environment server sends the international mobile subscriber identity for receiving the processor;
The processor, for the international mobile subscriber identity to be sent to credible performing environment server, so as to It triggers the credible performing environment server and obtains NAF_ID information;
The credible performing environment server, for determining trusted service pipe according to the international mobile subscriber identity The address information of platform;
The credible performing environment server will be described for the address information according to trusted service management platform International mobile subscriber identity is sent to trusted service management platform, obtains NAF_ to trigger the trusted service management platform Id information;
The trusted service manages platform, the international mobile subscriber identification sent for receiving credible performing environment server Code;
The trusted service manages platform, for verifying the validity of the international mobile subscriber identity;
When the verification international mobile subscriber identity is effective, the trusted service manages platform, for obtaining NAF_ Id information;
The trusted service manages platform, for sending the NAF_ID information and the international mobile subscriber identity Guide service function platform is given, sends second to trigger the guide service function platform to trusted service management platform Ks_NAF key;
The trusted service manages platform, for receiving the 2nd Ks_NAF key of guide service function platform transmission Afterwards, NAF_ID information is sent to the credible performing environment server;
The credible performing environment server, for NAF_ID information to be sent to processing unit, to trigger the processing Unit generates the first Ks_NAF key according to NAF_ID information;
The processor, the acquisition NAF_ID information sent for receiving the credible performing environment server;
The processor for generating the first Ks_NAF key according to the NAF_ID information, and utilizes the first Ks_ NAF key completes the initialization procedure of credible performing environment.
Embodiment eight
Based on Fig. 1-2, the embodiment of the present invention provides a kind of method for initializing credible performing environment, and Fig. 7 is that the present invention is real The implementation process schematic diagram that example eight initializes the method for credible performing environment is applied, as shown in fig. 7, this method comprises:
Step 701, Subscriber Identity Module is inserted into terminal device by user;
Specifically, user can run in Subscriber Identity Module such as SIM card insertion terminal device credible on the terminal device Performing environment.
Step 702, Subscriber Identity Module and BSF complete GBA process;
Specifically, Subscriber Identity Module completes GBA process by terminal device and BSF, and the detailed process about GBA process can With referring to the relevant criterion of 3GPP standard, which is not described herein again.
Step 703, IMSI information is sent to processor by Subscriber Identity Module;
Here, after international mobile subscriber identity is sent to processor by Subscriber Identity Module, processor obtains SIM card International mobile subscriber identity;After processor receives international mobile subscriber identity, whether processor is judged The initialization process for completing credible performing environment, when processor has completed the initialization process of credible performing environment, then This method process just terminates;When processor does not complete the initialization process of credible performing environment, then this method process enters Step 704.
Here, since user is when using terminal equipment, it is possible that replacement Subscriber Identity Module the case where, when with When Subscriber Identity Module is replaced at family, the initialization process for carrying out credible performing environment again is not needed;Only user is in head It is secondary to take terminal device, and when Subscriber Identity Module is inserted into terminal device, just need to carry out it is provided in an embodiment of the present invention can Believe the initialization process of performing environment.
Step 704, the first exit passageway is established between processor and credible performing environment server (TEE Server);
Here, the first exit passageway is established between processor and credible performing environment server, can effectively prevents puppet The processor or credible performing environment server made.
Step 705, processor sends IMSI information to credible performing environment server;
Here, processor can send IMSI information to credible performing environment server by the first exit passageway;
Step 706, TEE Server determines the address information of TSM according to IMSI information;
Here, when terminal device is smart phone, TEE Server can also be true according to the cell-phone number information received TSM address information is determined, alternatively, TEE Server can also determine TSM address information according to IMSI and cell-phone number information.
Step 707, the second exit passageway is established between TEE Server and TSM platform;
Here, the second exit passageway is established between TEE Server and TSM platform, can effectively prevent the TSM forged Or TEE Server.
Step 708, TEE Server sends IMSI information to TSM platform;
Step 709, TSM platform verifies IMSI information;
Here, the validity of TSM platform verification IMSI information enters step 710 when verification IMSI information is effective, when When verifying IMSI information failure, method flow provided in an embodiment of the present invention terminates.
Step 710, TSM platform sends IMSI information and NAF_ID information to BSF platform;
Here, the NAF_ID information is the information that BSF platform is the distribution of TSM platform;BSF platform is receiving IMSI letter After breath and NAF_ID information, the 2nd Ks_NAF key can be obtained.And.
Step 711, BSF platform sends the 2nd Ks_NAF key to TSM platform;
Here, the 2nd Ks_NAF key that BSF platform is returned to TSM platform is a kind of safe transfer mode.
Step 712, TSM platform sends NAF_ID information to TEE Server;
Here, TSM platform will record down the 2nd Ks_NAF after the 2nd Ks_NAF key for receiving the transmission of BSF platform Key, then TSM platform sends NAF_ID information to TEE Server.
Step 713, TEE Server sends NAF_ID information to processor;
Step 714, processor generates the first Ks_NAF key according to NAF_ID information;
Step 715, two-way authentication is completed between processor and TSM platform;
Here, two-way authentication is completed between processor and TSM platform, can be carried out by following mode, such as handle First Ks_NAF key of generation is sent to TSM platform by device, and TSM platform is by the first Ks_NAF key received and itself remembers 2nd Ks_NAF key of record is compared, when the first Ks_NAF key is identical as the 2nd Ks_NAF key of self record, Complete two-way authentication;When the 2nd Ks_NAF key of the first Ks_NAF key and self record is not identical, TSM platform can be with To processor return authentication failure news.It can be seen that TEE Server is to realize transport layer as transfer from above process Encryption.
Step 716, after authenticating successfully, TSM platform is the security initialization for completing TEE;
Here, since processor generates the first Ks_NAF key, and the first Ks_NAF key and the 2nd Ks_NAF key It is identical, it can be said that TSM platform manages key to processor write-in TEE, that is, complete the security initialization of TEE.
It need to be noted that: the description of apparatus above embodiment describes similar with above method embodiment, has same The same beneficial effect of embodiment of the method, therefore do not repeat them here.For undisclosed technical detail in apparatus of the present invention embodiment, It please refers to the description of embodiment of the present invention method and understands, which is not described herein again.
In several embodiments provided herein, it should be understood that disclosed device and method can pass through it Its mode is realized.Apparatus embodiments described above are merely indicative, for example, the division of the unit, only A kind of logical function partition, there may be another division manner in actual implementation, such as: multiple units or components can combine, or It is desirably integrated into another system, or some features can be ignored or not executed.In addition, shown or discussed each composition portion Mutual coupling or direct-coupling or communication connection is divided to can be through some interfaces, the INDIRECT COUPLING of equipment or unit Or communication connection, it can be electrical, mechanical or other forms.
Above-mentioned unit as illustrated by the separation member, which can be or may not be, to be physically separated, aobvious as unit The component shown can be or may not be physical unit;Both it can be located in one place, and may be distributed over multiple network lists In member;Some or all of units can be selected to achieve the purpose of the solution of this embodiment according to the actual needs.
In addition, each functional unit in various embodiments of the present invention can be fully integrated in one processing unit, it can also To be each unit individually as a unit, can also be integrated in one unit with two or more units;It is above-mentioned Integrated unit both can take the form of hardware realization, can also realize in the form of hardware adds SFU software functional unit.
Those of ordinary skill in the art will appreciate that: realize that all or part of the steps of above method embodiment can pass through The relevant hardware of program instruction is completed, and program above-mentioned can store in computer-readable storage medium, which exists When execution, step including the steps of the foregoing method embodiments is executed;And storage medium above-mentioned includes: movable storage device, read-only deposits The various media that can store program code such as reservoir (Read Only Memory, ROM), magnetic or disk.
If alternatively, the above-mentioned integrated unit of the present invention is realized in the form of software function module and as independent product When selling or using, it also can store in a computer readable storage medium.Based on this understanding, the present invention is implemented Substantially the part that contributes to existing technology can be embodied in the form of software products the technical solution of example in other words, The computer software product is stored in a storage medium, including some instructions are used so that computer equipment (can be with It is personal computer, server or network equipment etc.) execute all or part of each embodiment the method for the present invention. And storage medium above-mentioned includes: various Jie that can store program code such as movable storage device, ROM, magnetic or disk Matter.
The above description is merely a specific embodiment, but scope of protection of the present invention is not limited thereto, any Those familiar with the art in the technical scope disclosed by the present invention, can easily think of the change or the replacement, and should all contain Lid is within protection scope of the present invention.Therefore, protection scope of the present invention should be based on the protection scope of the described claims.

Claims (24)

1. a kind of method for initializing credible performing environment, which is characterized in that the described method includes:
Credible performing environment server obtains the international mobile subscriber identity for showing user identity;
The credible performing environment server determines the ground of trusted service management platform according to the international mobile subscriber identity Location information;
The credible performing environment server uses the international movement according to the address information of trusted service management platform Family identification code is sent to trusted service management platform, obtains NAF_ID information to trigger the trusted service management platform;
NAF_ID information is sent to processing unit by the credible performing environment server, with trigger the processing unit according to NAF_ID information generates the first Ks_NAF key, and the processing unit is made to complete credible hold using the first Ks_NAF key The initialization procedure of row environment;Wherein, operation has the credible performing environment on the processing unit.
2. the method according to claim 1, wherein obtaining in the credible performing environment server for table After the international mobile subscriber identity of bright user identity, the method also includes:
The credible performing environment server establishes the first exit passageway, and first exit passageway is the credible performing environment Exit passageway between server and processor;
Accordingly, the credible performing environment server obtains the international mobile subscriber identity for showing user identity, packet It includes:
For the credible performing environment server by first exit passageway, the world obtained for showing user identity is mobile CUSTOMER ID;
Accordingly, NAF_ID information is sent to processing unit by the credible performing environment server, comprising:
NAF_ID information is sent to processing unit by first exit passageway by the credible performing environment server.
3. method according to claim 1 or 2, which is characterized in that in the credible performing environment server according to International mobile subscriber identity, after determining the address information that trusted service manages platform, the method also includes:
The credible performing environment server establishes the second exit passageway, and second exit passageway is the credible performing environment Exit passageway between server and trusted service management platform;
Accordingly, the credible performing environment server manages the address information of platform according to the trusted service, by the state Border mobile identification number is sent to trusted service management platform, comprising:
The credible performing environment server passes through second safety according to the address information of trusted service management platform The international mobile subscriber identity is sent to trusted service management platform by channel;
Accordingly, the credible performing environment server receives the NAF_ID information that the trusted service management platform is sent, packet It includes:
The credible performing environment server receives the trusted service by second exit passageway and manages what platform was sent NAF_ID information.
4. a kind of method for initializing credible performing environment, which is characterized in that the described method includes:
Processor obtains the international mobile subscriber identity for showing user identity;
The international mobile subscriber identity is sent to credible performing environment server by the processor, so as to trigger it is described can Believe that performing environment server obtains NAF_ID information;
The processor receives the acquisition NAF_ID information that the credible performing environment server is sent;
The processor generates the first Ks_NAF key according to the NAF_ID information, and complete using the first Ks_NAF key At the initialization procedure of credible performing environment.
5. according to the method described in claim 4, it is characterized in that, described complete credible hold using the first Ks_NAF key The initialization procedure of row environment, comprising:
The processor completes the certification between trusted service management platform using the first Ks_NAF key, to complete credible The initialization procedure of performing environment.
6. method according to claim 4 or 5, which is characterized in that obtain in the processor for showing user identity International mobile subscriber identity after, the method also includes:
The processor establishes the first exit passageway, and first exit passageway is the processor and the credible performing environment Exit passageway between server and processor;
Accordingly, the international mobile subscriber identity is sent to credible performing environment server by the processor, comprising:
The international mobile subscriber identity is sent to credible performing environment by first exit passageway by the processor Server;
Accordingly, the processor receives the acquisition NAF_ID information that the credible performing environment server is sent, comprising:
The processor receives the acquisition NAF_ID that the credible performing environment server is sent by first exit passageway Information.
7. a kind of method for initializing credible performing environment, which is characterized in that the described method includes:
Trusted service management platform receives the international mobile subscriber identity that credible performing environment server is sent;
The trusted service management platform verifies the validity of the international mobile subscriber identity;
When the verification international mobile subscriber identity is effective, the trusted service management platform obtains NAF_ID information;
The NAF_ID information and the international mobile subscriber identity are sent to guidance clothes by the trusted service management platform Business function platform, it is close to the 2nd Ks_NAF of trusted service management platform transmission to trigger the guide service function platform Key;
After trusted service management platform receives the 2nd Ks_NAF key of guide service function platform transmission, to it is described can Believe that performing environment server sends NAF_ID information, so that NAF_ID information is sent to place by the credible performing environment server Unit is managed, generates the first Ks_NAF key to trigger the processing unit according to NAF_ID information, and makes the processing unit benefit The initialization procedure of credible performing environment is completed with the first Ks_NAF key.
8. the method according to the description of claim 7 is characterized in that the method also includes: when verifying described international mobile use When family identification code fails, the information of verification failure is sent to the credible performing environment service by the trusted service management platform Device, to prompt each side's initialization failure.
9. the method according to the description of claim 7 is characterized in that the method also includes:
The trusted service management platform establishes the second exit passageway, and second exit passageway is flat for the trusted service management Exit passageway between platform and the credible performing environment server;
Accordingly, the trusted service management platform receives the international mobile subscriber identification that credible performing environment server is sent Code, comprising:
The trusted service management platform receives the world that credible performing environment server is sent by second exit passageway Mobile identification number;
Accordingly, after the trusted service management platform receives the 2nd Ks_NAF key that guide service function platform is sent, NAF_ID information is sent to the credible performing environment server, comprising:
After the trusted service management platform receives the 2nd Ks_NAF key of guide service function platform transmission, by described Second exit passageway sends NAF_ID information to the credible performing environment server.
10. method according to any one of claims 7 to 9, which is characterized in that the method also includes:
The trusted service management platform receives the first Ks_NAF key that processing unit is sent;
The trusted service management platform judges whether the first Ks_NAF key is identical as the 2nd Ks_NAF key of itself, Obtain the first judging result;
When first judging result shows that the first Ks_NAF key is identical as the 2nd Ks_NAF key of itself, complete The initialization procedure of credible performing environment.
11. according to the method described in claim 10, it is characterized in that, the method also includes: when first judging result When showing that the 2nd Ks_NAF key of the first Ks_NAF key and itself is not identical, initialization failure, and sent out to processor Send initialization failure news.
12. a kind of method for initializing credible performing environment, which is characterized in that the described method includes:
Processor obtains the international mobile subscriber identity for showing user identity;
Credible performing environment server receives the processor and sends the international mobile subscriber identity;
The international mobile subscriber identity is sent to credible performing environment server by the processor, so as to trigger it is described can Believe that performing environment server obtains NAF_ID information;
The credible performing environment server determines the ground of trusted service management platform according to the international mobile subscriber identity Location information;
The credible performing environment server uses the international movement according to the address information of trusted service management platform Family identification code is sent to trusted service management platform, obtains NAF_ID information to trigger the trusted service management platform;
The trusted service management platform receives the international mobile subscriber identity that credible performing environment server is sent;
The trusted service management platform verifies the validity of the international mobile subscriber identity;
When the verification international mobile subscriber identity is effective, the trusted service management platform obtains NAF_ID information;
The NAF_ID information and the international mobile subscriber identity are sent to guidance clothes by the trusted service management platform Business function platform, it is close to the 2nd Ks_NAF of trusted service management platform transmission to trigger the guide service function platform Key;
After trusted service management platform receives the 2nd Ks_NAF key of guide service function platform transmission, to it is described can Believe that performing environment server sends NAF_ID information;
NAF_ID information is sent to processing unit by the credible performing environment server, with trigger the processing unit according to NAF_ID information generates the first Ks_NAF key;
The processor receives the acquisition NAF_ID information that the credible performing environment server is sent;
The processor generates the first Ks_NAF key according to the NAF_ID information, and complete using the first Ks_NAF key At the initialization procedure of credible performing environment.
13. a kind of credible performing environment server, which is characterized in that the credible performing environment server includes that the first acquisition is single Member, determination unit, the first transmission unit, the first receiving unit and the second transmission unit, in which:
The first acquisition unit, for obtaining the international mobile subscriber identity for showing user identity;
The determination unit, for determining the address letter of trusted service management platform according to the international mobile subscriber identity Breath;
First transmission unit, for the address information according to trusted service management platform, by the international mobile use Family identification code is sent to trusted service management platform, obtains NAF_ID information to trigger the trusted service management platform;
First receiving unit, the NAF_ID information sent for receiving the trusted service management platform;
Second transmission unit, for NAF_ID information to be sent to processing unit, with trigger the processing unit according to NAF_ID information generates the first Ks_NAF key, and the processing unit is made to complete credible hold using the first Ks_NAF key The initialization procedure of row environment;Wherein, operation has the credible performing environment on the processing unit.
14. credible performing environment server according to claim 13, which is characterized in that the credible performing environment service Device further includes first establishing unit, and for establishing the first exit passageway, first exit passageway is the credible performing environment Exit passageway between server and processor;
Accordingly, the first acquisition unit, for obtaining the state for showing user identity by first exit passageway Border mobile identification number;
Second transmission unit, for NAF_ID information to be sent to processing unit by first exit passageway.
15. credible performing environment server described in 3 or 14 according to claim 1, which is characterized in that the credible performing environment Server further includes second establishing unit, and for establishing the second exit passageway, second exit passageway is the credible execution Exit passageway between environment server and trusted service management platform;
Accordingly, first transmission unit passes through described for the address information according to trusted service management platform The international mobile subscriber identity is sent to trusted service management platform by two exit passageways;
Accordingly, first receiving unit manages platform for receiving the trusted service by second exit passageway The NAF_ID information of transmission.
16. a kind of processor, which is characterized in that the processor includes second acquisition unit, third transmission unit, the second reception Unit, generation unit and the first initialization unit, in which:
The second acquisition unit, for obtaining the international mobile subscriber identity for showing user identity;
The third transmission unit, for the international mobile subscriber identity to be sent to credible performing environment server, with Just it triggers the credible performing environment server and obtains NAF_ID information;
Second receiving unit, the acquisition NAF_ID information sent for receiving the credible performing environment server;
The generation unit, for generating the first Ks_NAF key according to the NAF_ID information;
First initialization unit, for completing the initialization of credible performing environment using the first Ks_NAF key Journey.
17. processor according to claim 16, which is characterized in that first initialization unit, for utilizing first Ks_NAF key completes the certification between trusted service management platform, to complete the initialization procedure of credible performing environment.
18. processor according to claim 16 or 17, which is characterized in that the processor further includes that third establishes list Member, for establishing the first exit passageway, first exit passageway is the processor and the credible performing environment server Exit passageway between processor;
Accordingly, the third transmission unit, for passing through first exit passageway for the international mobile subscriber identity It is sent to credible performing environment server;
Accordingly, second receiving unit, for receiving the credible performing environment service by first exit passageway The acquisition NAF_ID information that device is sent.
19. a kind of trusted service manages platform, which is characterized in that the trusted service management platform include third receiving unit, Verification unit, third acquiring unit, the 4th transmission unit and the 5th transmission unit, in which:
The third receiving unit, the international mobile subscriber identity sent for receiving credible performing environment server;
The verification unit, for verifying the validity of the international mobile subscriber identity;
The third acquiring unit, for obtaining NAF_ID information when the verification international mobile subscriber identity is effective;
4th transmission unit, for the NAF_ID information and the international mobile subscriber identity to be sent to guidance clothes Business function platform, it is close to the 2nd Ks_NAF of trusted service management platform transmission to trigger the guide service function platform Key;
5th transmission unit, after receiving the 2nd Ks_NAF key that guide service function platform is sent, Xiang Suoshu Credible performing environment server sends NAF_ID information, so that NAF_ID information is sent to by the credible performing environment server Processing unit generates the first Ks_NAF key to trigger the processing unit according to NAF_ID information, and makes the processing unit The initialization procedure of credible performing environment is completed using the first Ks_NAF key.
20. trusted service according to claim 19 manages platform, which is characterized in that the trusted service management platform is also Including the 6th transmission unit, for when verifying international mobile subscriber identity failure, the information of verification failure to be sent To the credible performing environment server, to prompt each side's initialization failure.
21. trusted service according to claim 19 manages platform, which is characterized in that the trusted service management platform is also Unit is established including the 4th, for establishing the second exit passageway, second exit passageway is that the trusted service manages platform With the exit passageway between the credible performing environment server;
Accordingly, the third receiving unit, for receiving credible performing environment server hair by second exit passageway The international mobile subscriber identity sent;
Accordingly, the 5th transmission unit, after receiving the 2nd Ks_NAF key that guide service function platform is sent, NAF_ID information is sent to the credible performing environment server by second exit passageway.
22. 9 to 21 described in any item trusted services manage platform according to claim 1, which is characterized in that the trusted service Managing platform further includes the 4th receiving unit, judging unit and the second initialization unit, in which:
4th receiving unit, for receiving the first Ks_NAF key of processing unit transmission;
The judging unit, for judging whether the first Ks_NAF key is identical as the 2nd Ks_NAF key of itself, obtains To the first judging result;
Second initialization unit, for when first judging result show the first Ks_NAF key and itself the When two Ks_NAF keys are identical, the initialization procedure of credible performing environment is completed.
23. trusted service according to claim 22 manages platform, which is characterized in that the trusted service management platform is also Including the 7th transmission unit, for showing the 2nd Ks_ of the first Ks_NAF key and itself when first judging result When NAF key is not identical, initialization failure, and initialization failure news is sent to processor.
24. a kind of device for initializing credible performing environment, which is characterized in that described device includes processor, credible execution ring Border server and trusted service manage platform, in which:
The processor, for obtaining the international mobile subscriber identity for showing user identity;
The credible performing environment server sends the international mobile subscriber identity for receiving the processor;
The processor, for the international mobile subscriber identity to be sent to credible performing environment server, to trigger The credible performing environment server obtains NAF_ID information;
The credible performing environment server, for determining that trusted service management is flat according to the international mobile subscriber identity The address information of platform;
The credible performing environment server, for the address information according to trusted service management platform, by the world Mobile identification number is sent to trusted service management platform, obtains NAF_ID letter to trigger the trusted service management platform Breath;
The trusted service manages platform, the international mobile subscriber identity sent for receiving credible performing environment server;
The trusted service manages platform, for verifying the validity of the international mobile subscriber identity;
When the verification international mobile subscriber identity is effective, the trusted service manages platform, for obtaining NAF_ID letter Breath;
The trusted service manages platform, for the NAF_ID information and the international mobile subscriber identity to be sent to and draw Service function platform is led, sends the 2nd Ks_ to trigger the guide service function platform to trusted service management platform NAF key;
The trusted service manages platform, after the 2nd Ks_NAF key for receiving the transmission of guide service function platform, to The credible performing environment server sends NAF_ID information;
The credible performing environment server, for NAF_ID information to be sent to processing unit, to trigger the processing unit The first Ks_NAF key is generated according to NAF_ID information;
The processor, the acquisition NAF_ID information sent for receiving the credible performing environment server;
The processor for generating the first Ks_NAF key according to the NAF_ID information, and utilizes the first Ks_NAF Key completes the initialization procedure of credible performing environment.
CN201410779238.9A 2014-12-15 2014-12-15 A kind of method and device initializing credible performing environment, equipment Active CN105792167B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410779238.9A CN105792167B (en) 2014-12-15 2014-12-15 A kind of method and device initializing credible performing environment, equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410779238.9A CN105792167B (en) 2014-12-15 2014-12-15 A kind of method and device initializing credible performing environment, equipment

Publications (2)

Publication Number Publication Date
CN105792167A CN105792167A (en) 2016-07-20
CN105792167B true CN105792167B (en) 2019-06-25

Family

ID=56374800

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410779238.9A Active CN105792167B (en) 2014-12-15 2014-12-15 A kind of method and device initializing credible performing environment, equipment

Country Status (1)

Country Link
CN (1) CN105792167B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106954211B (en) * 2017-03-08 2019-08-20 Oppo广东移动通信有限公司 A kind of key wiring method and mobile terminal
US10511575B2 (en) * 2017-09-18 2019-12-17 Huawei Technologies Co., Ltd. Securing delegated credentials in third-party networks
CN113518349A (en) * 2020-10-23 2021-10-19 中国移动通信有限公司研究院 Service management method, device, system and storage medium
CN113572789A (en) * 2021-08-17 2021-10-29 四川启睿克科技有限公司 Secret-free login system and method for Internet of things intelligent equipment application

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8527759B2 (en) * 2008-05-23 2013-09-03 Telefonaktiebolaget L M Ericsson (Publ) IMS user equipment, control method thereof, host device, and control method thereof
CN102238540A (en) * 2010-04-27 2011-11-09 中国移动通信集团公司 Method, device and system for updating key of general guide architecture
CN102934118B (en) * 2010-06-10 2015-11-25 瑞典爱立信有限公司 Subscriber equipment and control method thereof
CN102413464B (en) * 2011-11-24 2014-07-09 杭州东信北邮信息技术有限公司 GBA (General Bootstrapping Architecture)-based secret key negotiation system and method of telecommunication capability open platform
US9591484B2 (en) * 2012-04-20 2017-03-07 T-Mobile Usa, Inc. Secure environment for subscriber device

Also Published As

Publication number Publication date
CN105792167A (en) 2016-07-20

Similar Documents

Publication Publication Date Title
Yazdinejad et al. Blockchain-enabled authentication handover with efficient privacy protection in SDN-based 5G networks
CN106161359B (en) It authenticates the method and device of user, register the method and device of wearable device
CN102143482B (en) Method and system for authenticating mobile banking client information, and mobile terminal
CN110311883A (en) Identity management method, equipment, communication network and storage medium
CN108462710B (en) Authentication and authorization method, device, authentication server and machine-readable storage medium
KR101243713B1 (en) Wireless lan access point and method for accessing wireless lan
CN105119722B (en) A kind of auth method, equipment and system
CN109547464A (en) For storing and executing the method and device of access control clients
CN104467923B (en) Method, equipment and system that equipment is interacted
CN104301289B (en) Equipment for safety information interaction
CN105792167B (en) A kind of method and device initializing credible performing environment, equipment
CN111131416A (en) Business service providing method and device, storage medium and electronic device
CN106936774A (en) Authentication method and system in credible performing environment
CN105812334B (en) A kind of method for network authorization
CN108022100B (en) Cross authentication system and method based on block chain technology
CN112804354B (en) Method and device for data transmission across chains, computer equipment and storage medium
CN101765101B (en) Method and system for aerially writing personalized card
CN103188241A (en) User account management method based on mobile intelligent terminal number
CN110166255A (en) Auth method, equipment and storage medium based on alliance's block chain
CN105101147A (en) Method and system for realizing directional flow of mobile app
CN105635168A (en) Off-line transaction device and security key using method thereof
CN105898743A (en) Network connection method, device and system
CN109327431A (en) Handle the resource request in mobile device
CN110247758A (en) The method, apparatus and code management device of Password Management
CN108600234A (en) A kind of auth method, device and mobile terminal

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant