CN108762827A - Cryptographic Service Provider call method and terminal device - Google Patents
- Publication number: CN108762827A (application CN201810371564.4A)
- Authority: CN (China)
- Prior art keywords: csp, call, call requests, module, library module
- Legal status: Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/445—Program loading or initiating
- G06F9/44505—Configuring for program initiating, e.g. using registry, configuration files
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- General Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Health & Medical Sciences (AREA)
- Information Transfer Between Computers (AREA)
- Computer And Data Communications (AREA)
Abstract
The present invention belongs to the field of computer technology and provides a cryptographic service provider (CSP) calling method and a terminal device. The method includes: obtaining a first CSP call request carrying a CSP identifier; sending the first CSP call request to a security agent component; and calling, through the security agent component, the program in a CSP dynamic library module that corresponds to the first CSP call request. By adding a security agent component and calling the CSP indirectly through it instead of directly, the invention solves the problem that the CSP cannot be called because of operating-system permission restrictions, and keeps online banking usable.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to a cryptographic service provider calling method and a terminal device.
Background
Online banking today generally authenticates users with a USB Key, but in some cases a browser cannot use online banking through the USB Key: for example the Edge browser on Windows 10, or Internet Explorer on Windows 10 with EPM (Enhanced Protected Mode) enabled. The reason is that in both cases the online-banking driver runs inside an AppContainer. When the USB Key is then used for SSL (Secure Sockets Layer) login, transaction authentication and so on, communication with the smart card is impossible and the PIN entry dialog cannot be shown; these two restrictions make online banking unusable.
AppContainer is a process isolation mechanism that Microsoft introduced with Windows 8; it is in effect a sandbox. The Edge browser, and Internet Explorer with EPM enabled, use this higher level of permission control: they run in an AppContainer, which enforces finer-grained permissions, so many operations such as starting processes and accessing devices are restricted.
Taking the Edge browser as an example, an SSL login performed through Edge has two important steps:
1) CredentialUIBroker.exe runs and shows the certificate selection dialog so the user can pick a certificate; some CSP (Cryptographic Service Provider) functions are executed here as well;
2) MicrosoftEdgeCP.exe runs, executes the CSP functions and completes the signature.
CredentialUIBroker.exe runs with the permissions of the local user, whereas MicrosoftEdgeCP.exe runs inside an AppContainer. Because of that restriction, the vendor CSP (running inside MicrosoftEdgeCP.exe) is blocked from starting processes and accessing devices, so the CSP call cannot complete normally and the SSL login fails.
Summary of the invention
In view of this, embodiments of the present invention provide a cryptographic service provider calling method and a terminal device, to solve the problem that current system permission controls make online banking unusable.
A first aspect of the embodiments provides a cryptographic service provider calling method, including:
obtaining a first CSP call request carrying a cryptographic service provider (CSP) identifier;
sending the first CSP call request to a security agent component;
calling, through the security agent component, the program in a CSP dynamic library module that corresponds to the first CSP call request.
A second aspect of the embodiments provides a cryptographic service provider calling device, including:
an acquiring unit for obtaining a first CSP call request carrying a CSP identifier;
a transmission unit for sending the first CSP call request to a security agent component;
a calling unit for calling, through the security agent component, the program in a CSP dynamic library module that corresponds to the first CSP call request.
A third aspect of the embodiments provides a terminal device comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor; when the processor executes the computer program, it implements the cryptographic service provider calling method of the first aspect.
A fourth aspect of the embodiments provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the cryptographic service provider calling method of the first aspect.
Compared with the prior art, the embodiments have the following advantageous effect: by obtaining a first CSP call request carrying a CSP identifier, sending it to a security agent component, and calling through the security agent component the program in the CSP dynamic library module that corresponds to the request, online banking can be used normally. By adding a security agent component and calling the CSP indirectly through it instead of directly, the embodiments solve the problem that the CSP cannot be called because of operating-system permission restrictions, and keep online banking usable.
Description of the drawings
To describe the technical solutions of the embodiments more clearly, the drawings needed for the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of a cryptographic service provider calling method provided by an embodiment of the invention;
Fig. 2 is a flowchart of a cryptographic service provider calling method provided by an embodiment of the invention;
Fig. 3 is a flowchart of a cryptographic service provider calling method provided by an embodiment of the invention;
Fig. 4 is a flowchart of the registry modification in the cryptographic service provider calling method provided by an embodiment of the invention;
Fig. 5 is a comparison of the CSP call flow before and after adding the security agent component, provided by an embodiment of the invention;
Fig. 6 is a schematic diagram of the cryptographic service provider calling device provided by an embodiment of the invention;
Fig. 7 is a schematic diagram of the terminal device provided by an embodiment of the invention.
Detailed description
In the following description, specific details such as particular system structures and techniques are given for illustration, not limitation, so that the embodiments can be understood thoroughly. A person skilled in the art will appreciate that the invention can also be practised in other embodiments without these specific details. Elsewhere, detailed descriptions of well-known systems, devices, circuits and methods are omitted so that unnecessary detail does not obscure the description.
The technical solutions of the invention are explained below through specific embodiments.
Fig. 1 is a flowchart of the cryptographic service provider calling method provided by an embodiment of the invention. The details are as follows:
In S101, a first CSP call request carrying a cryptographic service provider (CSP) identifier is obtained.
In this embodiment, when the user needs to perform an online-banking operation such as SSL login or transaction authentication, the user logs in at the web front end of the online-banking system. The terminal device obtains the user's operation instruction through the web front end and generates the first CSP call request from it. Because different online-banking systems usually correspond to different CSPs, the generated first CSP call request carries the identifier of the CSP specified by the current user. The CSP identifier may be a CSP name, a CSP label or similar, and is used to call the corresponding CSP. A CSP is usually implemented as a dynamic link library (the CSP DLL) that is registered with the system through the registry. A CSP has a name (CSP Name), and an application calls the CSP through CryptoAPI by giving that name.
In S102, the first CSP call request is sent to the security agent component.
In this embodiment, the security agent component is a component that can receive call requests and call the relevant program according to the received call request.
In S103, the program in the CSP dynamic library module that corresponds to the first CSP call request is called through the security agent component.
In this embodiment, the CSP dynamic library module contains the CSP DLL. The CSP DLL contains the CSP processing routines, and calling it implements online-banking functions such as SSL login and transaction authentication. The CSP DLL is usually provided by the USB Key vendor. The first CSP call request is sent to the security agent component; the security agent component receives it and, according to it, calls the corresponding program in the CSP dynamic library module, thereby providing the function the user's online-banking operation requires.
Because the security agent component can call the CSP DLL from an ordinary process or service, it is not subject to the operating-system permission restriction.
In this embodiment, a first CSP call request carrying a CSP identifier is obtained; the first CSP call request is sent to the security agent component; and the program in the CSP dynamic library module that corresponds to the first CSP call request is called through the security agent component, so that online banking can be used normally. By adding a security agent component and calling the CSP indirectly through it instead of directly, the embodiment solves the problem that the CSP cannot be called because of operating-system permission restrictions, and keeps online banking usable.
In an embodiment of the invention, the security agent component includes a proxy dynamic library module and a proxy service module.
In this embodiment, the security agent component may include a proxy dynamic library module and a proxy service module. The proxy dynamic library module contains the proxy DLL, which carries a valid signature approved by the operating system. The proxy service module contains the proxy service program, which is used to call the vendor-supplied CSP DLL.
As shown in Fig. 2, S102 may include:
In S201, the first CSP call request is sent to the proxy dynamic library module.
In S202, the proxy dynamic library module generates a second CSP call request corresponding to the first CSP call request and sends the second CSP call request to the proxy service module.
In this embodiment, the proxy dynamic library module does not call the vendor-supplied CSP DLL directly: it receives the first CSP call request, generates the corresponding second CSP call request from it, and sends the second CSP call request to the proxy service module.
S103 may include:
In S203, the program in the CSP dynamic library module that corresponds to the second CSP call request is called through the proxy service module.
In this embodiment, the proxy service module receives the second CSP call request and, according to it, calls the corresponding program in the CSP dynamic library module.
Because the proxy service module can call the CSP DLL from an ordinary process or service, it is not subject to the operating-system permission restriction. For example, if the user performs an SSL login through the Edge browser running in an AppContainer, the proxy dynamic library module runs inside the AppContainer, but the proxy service module is allowed to run outside it, so the call into the CSP DLL is also executed outside the AppContainer. The proxy service module is therefore not restricted by operating-system permissions and can call the CSP normally to complete online-banking operations such as SSL login.
Using the security agent component requires applying to the system vendor (such as Microsoft) for a corresponding signature. If every adjustment to the agent program in the security agent component (such as a modification or an upgrade) required a new signature from the system vendor, the development cycle could be greatly prolonged and the efficiency of adjusting the security agent component's programs would suffer.
This embodiment therefore splits the security agent component into a proxy dynamic library module and a proxy service module. The proxy dynamic library module does not call the vendor's CSP DLL; it sends the second CSP call request to the proxy service module, and the proxy service module performs the CSP call. In this arrangement the proxy DLL only forwards calls, while the actual agent function is implemented by the proxy service module. The proxy dynamic library module needs the corresponding signature from the system vendor, but the proxy service module does not. When the program in the security agent component needs to be adjusted, the program in the proxy service module can be changed without touching the program in the proxy dynamic library module. This avoids applying to the system vendor for a signature after every adjustment, shortens the development cycle, and improves the efficiency of adjusting the security agent component's programs.
In an embodiment of the invention, as shown in Fig. 3, S203 may include:
In S301, the proxy service module generates a third CSP call request corresponding to the second CSP call request and sends the third CSP call request to the CSP auxiliary library module.
In S302, the program in the CSP dynamic library module that corresponds to the third CSP call request is called through the CSP auxiliary library module.
In this embodiment, the CSP auxiliary library module contains the CSP auxiliary DLL. The CSP auxiliary DLL contains only the CSP-related interface functions and carries the system vendor's signature; it does not implement the CSP functions themselves, which are implemented by the CSP DLL. Using a CSP requires the system vendor's signature, and obtaining that signature takes time, so if every adjustment to the CSP program required re-signing, the CSP development cycle would be too long. With the CSP auxiliary DLL in place, it verifies the signature and then calls the CSP DLL to perform the CSP functions; adjusting the CSP program then only requires changing the program in the CSP DLL, with no new signature application, which improves the efficiency of adjusting the CSP.
In this embodiment, the proxy service module does not call the CSP directly; it sends the third CSP call request to the CSP auxiliary library module, and the CSP auxiliary library module calls the program in the CSP dynamic library module that corresponds to the third CSP call request. In this way, when the vendor needs to modify or upgrade the CSP, the agent function of the security agent component is not affected: even if the program in the CSP DLL is adjusted, the security agent component of this embodiment needs no adjustment and can directly call the adjusted CSP DLL. This reduces the effect of CSP program changes on the security agent component's function, reduces how often the security agent component must be adjusted, lets it adapt to different CSP versions, and improves its applicability and range of use.
In an embodiment of the invention, before S201 the method may further include:
replacing the registration information of the CSP auxiliary library module in the registry with the registration information of the proxy dynamic library module, and re-registering the registration information of the CSP auxiliary library module under a new name.
In this embodiment, the CSP auxiliary DLL and the proxy DLL both need to be registered in the operating system's registry. Without the security agent component, the registry contains only the registration information of the CSP auxiliary DLL; when the user performs an online-banking operation through the web front end of the online-banking system, the terminal device automatically forwards the call request to the CSP auxiliary DLL according to that registration information, and the CSP auxiliary DLL calls the CSP to perform the function.
This embodiment adds the security agent component. By replacing the registration information of the CSP auxiliary library module in the registry with that of the proxy dynamic library module, the terminal device forwards call requests to the proxy dynamic library module instead, which realises the agent function of the security agent component. Re-registering the CSP auxiliary library module's registration information under a new name makes it convenient for the security agent component to pass call requests on to the CSP auxiliary library module.
In an embodiment of the invention, the registration information includes path information and signature information. As shown in Fig. 4, the step "replacing the registration information of the CSP auxiliary library module in the registry with the registration information of the proxy dynamic library module, and re-registering the registration information of the CSP auxiliary library module under a new name" may include:
In S401, the first path name of the CSP auxiliary library module in the registry is renamed to a second path name;
In S402, the first path name is added again in the registry, and the path information corresponding to the first path name is set to the path information of the proxy dynamic library module;
In S403, the first signature name of the CSP auxiliary library module in the registry is renamed to a second signature name;
In S404, the first signature name is added again in the registry, and the signature information corresponding to the first signature name is set to the signature information of the proxy dynamic library module.
The registration of the proxy dynamic library module is illustrated below with a concrete implementation example.
The security agent component can be supplied to the user as an installation package, referred to below as the component installer. The proxy DLL in it can be provided as both a 32-bit and a 64-bit library, so that 32-bit and 64-bit systems are both supported.
For convenience, the following assumptions are made:
1) On a 32-bit system, the 32-bit system directory is %SystemRoot%\Windows\System32 and there is no 64-bit system directory.
2) On a 64-bit system, the 32-bit system directory is %SystemRoot%\Windows\SysWow64 and the 64-bit system directory is %SystemRoot%\Windows\System32.
3) On a 32-bit system, the path of the 32-bit CSP registry entry is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\<CSP Name>, and there is no 64-bit entry.
4) On a 64-bit system, the path of the 32-bit CSP registry entry is HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider\<CSP Name>, and the path of the 64-bit CSP registry entry is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\<CSP Name>.
The registration process is as follows:
1) Place the 32-bit proxy DLL in the 32-bit system directory; call its final file path P1.
2) Place the 64-bit proxy DLL in the 64-bit system directory; call its final file path P2. If the target system is 32-bit, skip step 2).
3) Change the entry of the 32-bit CSP auxiliary DLL in the CSP registry entry, specifically:
A. Rename the value "Image Path" (the first path name) of the 32-bit CSP registry entry to "Image Path Vendor" (the second path name).
B. Set the value "Image Path" of the 32-bit CSP registry entry to P1.
C. Rename the value "Signature" (the first signature name) of the 32-bit CSP registry entry to "Signature Vendor" (the second signature name).
D. Set the value "Signature" of the 32-bit CSP registry entry to the valid signature value of the file at P1.
4) Change the entry of the 64-bit CSP auxiliary DLL in the CSP registry entry, specifically:
A. Rename the value "Image Path" of the 64-bit CSP registry entry to "Image Path Vendor".
B. Set the value "Image Path" of the 64-bit CSP registry entry to P2.
C. Rename the value "Signature" of the 64-bit CSP registry entry to "Signature Vendor".
D. Set the value "Signature" of the 64-bit CSP registry entry to the valid signature value of the file at P2.
If the system is 32-bit, skip step 4).
At this point the registration of the proxy DLL is complete.
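The registry rewrite of steps 3) and 4) above (S401 to S404) can be modelled end to end. The following is an added example, not code from the patent or from any product that implements it: the provider key is represented as a plain dict so the logic runs on any platform (on Windows the same operations would go through winreg), and the helper names, the CSP name "Vendor CSP" and the file paths are constructed. Besides the rewrite itself it includes an inventory function of the kind an administrator would run afterwards, which lists every provider whose live "Image Path" no longer matches the preserved vendor path; the same check flags a CSP that was redirected without the operator's knowledge.

```python
# Added example, not code from the patent: the registry rewrite of steps 3) and
# 4) (S401-S404) modelled on a plain dict so it runs on any platform. On a real
# machine the same steps would go through winreg; the helper names, the sample
# CSP name "Vendor CSP" and the sample file paths below are constructed.
from typing import Dict, List, Optional, Tuple

PROVIDER_KEY_NATIVE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider"
PROVIDER_KEY_WOW64 = r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider"

Values = Dict[str, object]      # value name -> data under one provider key
Registry = Dict[str, Values]    # key path -> values


def redirect_entry(values: Values, proxy_path: str, proxy_sig: bytes) -> Values:
    """S401-S404 on one <CSP Name> key: the vendor's "Image Path" and
    "Signature" survive under the "... Vendor" names, and the live names are
    re-added pointing at the proxy DLL (P1 or P2) and its signature."""
    if "Image Path Vendor" in values or "Signature Vendor" in values:
        raise ValueError("provider entry is already redirected")
    out = dict(values)
    out["Image Path Vendor"] = out.pop("Image Path")   # S401 / step A
    out["Image Path"] = proxy_path                      # S402 / step B
    out["Signature Vendor"] = out.pop("Signature")      # S403 / step C
    out["Signature"] = proxy_sig                        # S404 / step D
    return out


def register_agent(reg: Registry, csp_name: str, is_64bit: bool,
                   p1: str, sig1: bytes,
                   p2: Optional[str] = None, sig2: Optional[bytes] = None) -> Registry:
    """Steps 3) and 4). On a 32-bit system the native key holds the 32-bit entry
    and step 4) is skipped; on a 64-bit system the 32-bit entry lives under
    Wow6432Node and the native key holds the 64-bit entry."""
    out = {key: dict(vals) for key, vals in reg.items()}   # leave the input untouched
    key32 = (PROVIDER_KEY_WOW64 if is_64bit else PROVIDER_KEY_NATIVE) + "\\" + csp_name
    out[key32] = redirect_entry(out[key32], p1, sig1)      # step 3)
    if is_64bit:                                           # step 4)
        key64 = PROVIDER_KEY_NATIVE + "\\" + csp_name
        out[key64] = redirect_entry(out[key64], p2, sig2)
    return out


def vendor_library_path(reg: Registry, key: str) -> str:
    """The path the proxy DLL passes on to the proxy service in S202 (modelling
    assumption: it is read back from the renamed "Image Path Vendor" value)."""
    return reg[key]["Image Path Vendor"]


def redirected_providers(reg: Registry) -> List[Tuple[str, object, object]]:
    """Administrator-side inventory: every provider whose live "Image Path"
    differs from a preserved vendor path, i.e. whose calls are being routed
    through another DLL. Confirms the installer did its job, and equally
    flags a provider that was redirected by something else."""
    hits = []
    for key, vals in reg.items():
        vendor = vals.get("Image Path Vendor")
        if vendor is not None and vendor != vals.get("Image Path"):
            hits.append((key, vals.get("Image Path"), vendor))
    return hits


# Constructed sample: a 64-bit machine with one vendor CSP registered twice.
SAMPLE_64: Registry = {
    PROVIDER_KEY_WOW64 + r"\Vendor CSP": {
        "Image Path": r"C:\Windows\SysWOW64\vendorcsp32.dll", "Signature": b"\x01" * 8, "Type": 1},
    PROVIDER_KEY_NATIVE + r"\Vendor CSP": {
        "Image Path": r"C:\Windows\System32\vendorcsp64.dll", "Signature": b"\x02" * 8, "Type": 1},
}

if __name__ == "__main__":
    after = register_agent(SAMPLE_64, "Vendor CSP", True,
                           r"C:\Windows\SysWOW64\agent32.dll", b"\xaa" * 8,
                           r"C:\Windows\System32\agent64.dll", b"\xbb" * 8)
    for key, live, vendor in redirected_providers(after):
        print(f"{key}\n  live path  : {live}\n  vendor path: {vendor}")
```

The "already redirected" guard in redirect_entry matters in practice: running the installer twice would otherwise overwrite "Image Path Vendor" with the proxy's own path and lose the route back to the vendor's CSP auxiliary DLL.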
By modifying the registry entries, this embodiment redirects CSP calls so that a CSP call request first reaches the proxy DLL, which realises the agent function of the security agent component.
Optionally, S202 may include: generating, by the proxy dynamic library module, a second CSP call request corresponding to the first CSP call request, and sending the second CSP call request together with the path information of the CSP auxiliary library module to the proxy service module.
S301 may include: generating, by the proxy service module, a third CSP call request corresponding to the second CSP call request, and sending the third CSP call request to the CSP auxiliary library module according to the path information of the CSP auxiliary library module.
By passing the path information of the CSP auxiliary library module to the proxy service module, this embodiment lets the proxy service module deliver the third CSP call request to the correct CSP auxiliary library module, which ensures that the security agent component forwards call requests accurately and acts as the agent for CSP calls.
In an embodiment of the invention, before S201 the method may further include:
registering the proxy service module as a system service and setting it to start automatically.
In this embodiment, the proxy service module can be a 32-bit service program that supports both 32-bit and 64-bit systems. For example, the proxy service module S can be an exe file deployed as follows:
1) place S in the corresponding 32-bit system directory;
2) register S as a system service, set it to start automatically, and allow it to interact with the system desktop.
By registering the proxy service module as an automatically started system service, the proxy service module can respond to the proxy dynamic library module promptly when the user performs an online-banking operation through the web front end, receiving the call request and calling the vendor CSP without delay. This improves the response speed of the security agent component, reduces the effect of adding the security agent component on CSP call speed, and lets the user perform online-banking operations at normal speed.
Fig. 5 compares the CSP call flow before and after adding the security agent component, as provided by an embodiment of the invention.
Fig. 5(a) shows the CSP call flow before the security agent component is added. The web front end of the online-banking system calls the CSP auxiliary library module, which in turn calls the CSP dynamic library module (solid arrows in the figure). If the CSP dynamic library module needs to return a call result, the result is returned through the CSP auxiliary library module to the web front end (dashed arrows in the figure). Here the web front end, the CSP auxiliary library module and the CSP dynamic library module all run inside the AppContainer and are restricted by operating-system permissions. Because the CSP dynamic library module is what implements the CSP functions, on a system with AppContainer-style permission control this call flow cannot provide normal use of online banking.
Fig. 5(b) shows the CSP call flow after the security agent component is added. The web front end of the online-banking system calls the proxy dynamic library module, the proxy dynamic library module calls the proxy service module, the proxy service module calls the CSP auxiliary library module, and the CSP auxiliary library module calls the CSP dynamic library module (solid arrows in the figure). If the CSP DLL needs to return a call result, the result is returned in turn through the CSP auxiliary library module, the proxy service module and the proxy dynamic library module to the web front end (dashed arrows in the figure). Here the web front end and the proxy dynamic library module run inside the AppContainer, whereas the proxy service module, the CSP auxiliary library module and the CSP dynamic library module can run outside it. The proxy service module, the CSP auxiliary library module and the CSP dynamic library module that implements the CSP functions are therefore not restricted by operating-system permissions, and this call flow provides normal use of online banking.
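The two flows of Fig. 5, together with the role of the CSP auxiliary library from S301 and S302 (signature check, then forward to the vendor CSP), can be simulated as a chain of components on either side of the AppContainer boundary. This is an added example, not code from the patent or from any implementation of it: the request shape, the component classes and the rule that device access fails inside the AppContainer are modelling assumptions standing in for a Windows DLL, a service and the vendor's CSP DLL, and the sample path and signature values are constructed. It shows the first request becoming the second (with the auxiliary library path attached at S202) and then the third, the hop at which the vendor CSP is finally reached, and why the pre-agent flow fails.

```python
# Added example, not code from the patent: a simulation of the two call flows of
# Fig. 5 and of the CSP auxiliary library's role (S301/S302). The request shape,
# the component classes and the rule "device access fails inside the
# AppContainer" are modelling assumptions; the real pieces are a Windows DLL,
# a service and the vendor's CSP DLL. The sample path and signature are constructed.
from dataclasses import dataclass, replace
from typing import Dict, Tuple

INSIDE = "AppContainer"
OUTSIDE = "outside AppContainer"


@dataclass(frozen=True)
class CspRequest:
    csp_name: str
    function: str                # CSP entry point being requested, e.g. "CPSignHash"
    data: bytes
    hop: int                     # 1 = first, 2 = second, 3 = third CSP call request
    assist_path: str = ""        # path of the CSP auxiliary library, added at S202
    trace: Tuple[str, ...] = ()  # components traversed so far


class VendorCsp:
    """CSP dynamic library: talks to the USB Key. That device access is what
    the AppContainer blocks, so it fails when run inside one."""
    def __init__(self, boundary: str, signature: bytes):
        self.boundary, self.signature = boundary, signature

    def call(self, req: CspRequest) -> dict:
        if self.boundary == INSIDE:
            raise PermissionError("device access denied inside AppContainer")
        # stand-in for the device operation; not real cryptography
        return {"function": req.function, "result": req.data[::-1],
                "hop_at_vendor": req.hop, "trace": req.trace + ("vendor CSP",)}


class AssistLib:
    """CSP auxiliary library: carries the system vendor's signature, exposes the
    CSP interface, verifies the vendor DLL's signature and forwards (S302)."""
    def __init__(self, boundary: str, vendor: VendorCsp, expected_sig: bytes):
        self.boundary, self.vendor, self.expected_sig = boundary, vendor, expected_sig

    def call(self, req: CspRequest) -> dict:
        if self.vendor.signature != self.expected_sig:
            raise ValueError("vendor CSP signature does not verify")
        return self.vendor.call(replace(req, trace=req.trace + ("CSP auxiliary library",)))


class ProxyService:
    """Proxy service module: a system service outside the AppContainer. Builds
    the third request and delivers it to the auxiliary library at the path
    carried in the second request (S301)."""
    def __init__(self, libs: Dict[str, AssistLib]):
        self.libs = libs

    def call(self, req: CspRequest) -> dict:
        third = replace(req, hop=3, trace=req.trace + ("proxy service",))
        return self.libs[third.assist_path].call(third)


class ProxyDll:
    """Proxy dynamic library module: runs inside the browser's AppContainer and
    only forwards. Turns the first request into the second and attaches the
    auxiliary library path (S201/S202)."""
    def __init__(self, service: ProxyService, assist_path: str):
        self.service, self.assist_path = service, assist_path

    def call(self, req: CspRequest) -> dict:
        second = replace(req, hop=2, assist_path=self.assist_path,
                         trace=req.trace + ("proxy DLL",))
        return self.service.call(second)


VENDOR_SIG = b"vendor-sig"                           # constructed
ASSIST_PATH = r"C:\Windows\System32\vendorcsp.dll"   # constructed


def flow_before(req: CspRequest) -> dict:
    """Fig. 5(a): page -> auxiliary library -> vendor CSP, all inside the AppContainer."""
    vendor = VendorCsp(INSIDE, VENDOR_SIG)
    assist = AssistLib(INSIDE, vendor, VENDOR_SIG)
    return assist.call(replace(req, trace=("page",)))


def flow_after(req: CspRequest) -> dict:
    """Fig. 5(b): page -> proxy DLL (inside) -> proxy service -> auxiliary
    library -> vendor CSP (all three outside the AppContainer)."""
    vendor = VendorCsp(OUTSIDE, VENDOR_SIG)
    assist = AssistLib(OUTSIDE, vendor, VENDOR_SIG)
    dll = ProxyDll(ProxyService({ASSIST_PATH: assist}), ASSIST_PATH)
    return dll.call(replace(req, trace=("page",)))


REQUEST = CspRequest("Vendor CSP", "CPSignHash", b"hash-to-sign", hop=1)

if __name__ == "__main__":
    try:
        flow_before(REQUEST)
    except PermissionError as exc:
        print("before:", exc)
    print("after :", flow_after(REQUEST)["trace"])
```

The point the simulation makes explicit is that only the proxy DLL sits inside the sandbox; everything that needs device access is reached by the proxy service, and the auxiliary library still checks the vendor DLL's signature before handing the third request to it, so a vendor DLL with a different signature is refused rather than executed.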
To reduce cost and risk, many banks buy USB Key products from several vendors at once. When the online-banking system is moved to the latest Edge browser, it turns out that the USB Keys of several vendors cannot perform SSL login. Because of technical obstacles, some vendors cannot solve this problem in a short time, and for the bank, waiting for every vendor to fix it takes considerable time. Even if every vendor promptly supplied a driver with the fix, the testing effort would still be enormous.
The embodiments of the invention solve this problem and have the following advantages:
1. The existing online-banking drivers hardly need to be changed, saving a large amount of development work;
2. Because the online-banking drivers are not changed, the bank saves a large amount of testing time;
3. The embodiments are universal: under any bank's system, any vendor's online-banking driver can provide normal online-banking functions without the driver being modified.
By modifying the CSP registry path, the embodiments route the call to the vendor CSP through the security agent component so that the vendor CSP can access the security device. This lets the vendor CSP run in a different environment from the browser (outside rather than inside the AppContainer), solves the problem that the Edge browser cannot access the security device normally, and allows CSPs from different vendors to be supported at the same time.
In the embodiments of the invention, a first CSP call request carrying a CSP identifier is obtained; the first CSP call request is sent to the security agent component; and the program in the CSP dynamic library module that corresponds to the first CSP call request is called through the security agent component, so that online banking can be used normally. By adding a security agent component and calling the CSP indirectly through it instead of directly, the embodiments solve the problem that the CSP cannot be called because of operating-system permission restrictions, and keep online banking usable.
It should be understood that the numbering of the steps in the above embodiments does not imply an execution order; the order in which the steps are executed is determined by their function and internal logic and does not limit the implementation of the embodiments.
Corresponding to the Cryptographic Service Provider call method described in the foregoing embodiments, Fig. 6 shows a schematic diagram of the Cryptographic Service Provider calling device provided by an embodiment of the present invention. For convenience of description, only the parts related to this embodiment are shown.
Referring to Fig. 6, the device includes an acquiring unit 61, a transmission unit 62 and a call unit 63.
The acquiring unit 61 is used to obtain a first CSP call request carrying a Cryptographic Service Provider (CSP) identifier.
The transmission unit 62 is used to send the first CSP call request to the TSM Security Agent component.
The call unit 63 is used to call, through the TSM Security Agent component, the program in the CSP dynamic library module that corresponds to the first CSP call request.
Optionally, the TSM Security Agent component includes a proxy dynamic library module and a proxy service module; the transmission unit 62 is used to:
send the first CSP call request to the proxy dynamic library module;
generate, by the proxy dynamic library module, a second CSP call request corresponding to the first CSP call request, and send the second CSP call request to the proxy service module;
and the call unit 63 is used to:
call, through the proxy service module, the program in the CSP dynamic library module that corresponds to the second CSP call request.
Optionally, the call unit 63 is used to:
generate, by the proxy service module, a third CSP call request corresponding to the second CSP call request, and send the third CSP call request to the CSP auxiliary library module;
call, through the CSP auxiliary library module, the program in the CSP dynamic library module that corresponds to the third CSP call request.
Optionally, the device further includes a first registering unit, which is used to:
replace the registration information of the CSP auxiliary library module in the registry with the registration information of the proxy dynamic library module, and re-register the registration information of the CSP auxiliary library module under a new name.
Optionally, the registration information includes path information and signature information; the first registering unit is used to:
modify the first path name of the CSP auxiliary library module in the registry to a second path name;
add the first path name to the registry again, and set the path information corresponding to the first path name to the path information of the proxy dynamic library module;
modify the first signature name of the CSP auxiliary library module in the registry to a second signature name;
add the first signature name to the registry again, and set the signature information corresponding to the first signature name to the signature information of the proxy dynamic library module.
Optionally, the device further includes a second registering unit, which is used to:
register the proxy service module as a system service, and set the proxy service module to run automatically.
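The registry re-pointing performed by the first registering unit and the three-hop call chain summarised earlier (proxy dynamic library, then proxy service, then CSP auxiliary library, then the CSP dynamic library), as an added runnable model that is not the patent's own code. The registry is a plain dict; the provider names, DLL paths, signature bytes and the CPSignHash request are constructed placeholders, and a small audit function is added to show how such a re-pointing looks against a known-good baseline.

```python
# Added model, not the patent's code: the registry re-pointing and the chain
# proxy DLL -> proxy service -> CSP auxiliary library -> vendor CSP DLL.
from dataclasses import dataclass


@dataclass(frozen=True)
class ProviderEntry:
    """One CSP registration: registered DLL path plus its signature blob."""
    image_path: str
    signature: bytes


class VendorCsp:
    """Manufacturer's CSP DLL; its USB key is only reachable outside the AppContainer."""

    def dispatch(self, func, args, in_app_container):
        if in_app_container:
            raise PermissionError("security device not reachable from AppContainer")
        return f"{func}{args} served by vendor CSP"


@dataclass
class CspAuxLibrary:
    """Third hop: resolves the vendor CSP under its renamed registry entry."""
    registry: dict
    loader: dict          # DLL path -> loaded module (stand-in for LoadLibrary)
    renamed_name: str

    def handle(self, third_request):
        func, args = third_request
        vendor = self.loader[self.registry[self.renamed_name].image_path]
        return vendor.dispatch(func, args, in_app_container=False)


@dataclass
class ProxyService:
    """Second hop: a system service outside the AppContainer that turns the
    second request into a third one for the auxiliary library."""
    aux: CspAuxLibrary

    def handle(self, second_request):
        return self.aux.handle(second_request)   # third request, same payload


@dataclass
class ProxyDll:
    """First hop: loaded by the browser under the vendor's CSP name, forwards
    the first request to the proxy service instead of touching the device."""
    service: ProxyService

    def dispatch(self, func, args, in_app_container):
        return self.service.handle((func, args))


def install_proxy(registry, csp_name, renamed_name, proxy_entry):
    """First registering unit: rename the vendor entry (first name -> second
    name), then re-add the first name with the proxy DLL's path and signature."""
    registry[renamed_name] = registry.pop(csp_name)
    registry[csp_name] = proxy_entry


def csp_call(registry, loader, csp_name, func, args, in_app_container=True):
    """Browser's first CSP call request: resolve the CSP identifier through
    the registry and call whatever DLL is registered under it."""
    module = loader[registry[csp_name].image_path]
    return module.dispatch(func, args, in_app_container)


def audit_providers(registry, baseline):
    """Defender-side check: provider names whose registered path or signature
    differ from a known-good baseline (how this re-pointing shows up)."""
    return sorted(n for n, e in registry.items() if baseline.get(n) != e)


def demo():
    """Run the chain before and after installing the proxy (constructed data)."""
    vendor = ProviderEntry(r"C:\Vendor\BankCsp.dll", b"vendor-sig")
    proxy = ProviderEntry(r"C:\Agent\ProxyCsp.dll", b"proxy-sig")
    registry = {"Bank USB Key CSP": vendor}
    baseline = dict(registry)
    loader = {vendor.image_path: VendorCsp()}
    try:
        direct = csp_call(registry, loader, "Bank USB Key CSP", "CPSignHash", (7,))
    except PermissionError as exc:
        direct = str(exc)
    install_proxy(registry, "Bank USB Key CSP", "Bank USB Key CSP (vendor)", proxy)
    aux = CspAuxLibrary(registry, loader, "Bank USB Key CSP (vendor)")
    loader[proxy.image_path] = ProxyDll(ProxyService(aux))
    proxied = csp_call(registry, loader, "Bank USB Key CSP", "CPSignHash", (7,))
    return direct, proxied, audit_providers(registry, baseline)
```

`demo()` returns the failing direct call, the result served through the proxy chain, and the two provider names the audit flags after the registry change.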
Fig. 7 is a schematic diagram of a terminal device provided by an embodiment of the invention. As shown in Fig. 7, the terminal device 7 of this embodiment includes a processor 70, a memory 71, and a computer program 72 stored in the memory 71 and runnable on the processor 70. When the processor 70 executes the computer program 72, it implements the steps of each method embodiment described above, such as steps 101 to 103 shown in Fig. 1. Alternatively, when the processor 70 executes the computer program 72, it implements the functions of each module/unit in the device embodiments described above, such as the functions of units 61 to 63 shown in Fig. 6.
Illustratively, the computer program 72 may be divided into one or more modules/units, which are stored in the memory 71 and executed by the processor 70 to complete the present invention. The one or more modules/units may be a series of computer program instruction segments capable of completing specific functions; the instruction segments describe the execution process of the computer program 72 in the terminal device 7. For example, the computer program 72 may be divided into an acquiring unit, a transmission unit and a call unit, whose specific functions are as follows:
the acquiring unit is used to obtain a first CSP call request carrying a Cryptographic Service Provider (CSP) identifier;
the transmission unit is used to send the first CSP call request to the TSM Security Agent component;
the call unit is used to call, through the TSM Security Agent component, the program in the CSP dynamic library module that corresponds to the first CSP call request.
The terminal device 7 may be a computing device such as a desktop computer, a notebook, a palmtop computer or a cloud server. The terminal device may include, but is not limited to, the processor 70 and the memory 71. Those skilled in the art will understand that Fig. 7 is only an example of the terminal device 7 and does not limit it: the device may include more or fewer components than shown, combine certain components, or have different components; for example, the terminal device may also include input/output devices, network access devices, buses, a display, etc.
The processor 70 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
The memory 71 may be an internal storage unit of the terminal device 7, such as its hard disk or main memory. The memory 71 may also be an external storage device of the terminal device 7, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash card. Further, the memory 71 may include both an internal storage unit and an external storage device of the terminal device 7. The memory 71 stores the computer program and the other programs and data needed by the terminal device, and may also be used to temporarily store data that has been output or is to be output.
It is clear to those skilled in the art that, for convenience and brevity of description, the division of the above functional units and modules is only an example. In practical applications, the above functions may be allocated to different functional units and modules as needed, that is, the internal structure of the device may be divided into different functional units or modules to complete all or part of the functions described above. The functional units and modules in the embodiment may be integrated in one processing unit, or each unit may exist physically alone, or two or more units may be integrated in one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit. In addition, the specific names of the functional units and modules only serve to distinguish them from each other and are not intended to limit the scope of protection of this application. For the specific working process of the units and modules in the above system, reference may be made to the corresponding process in the foregoing method embodiment, which is not repeated here.
In the above embodiments, each embodiment is described with its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related description of the other embodiments.
Those of ordinary skill in the art will appreciate that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented by electronic hardware, or by a combination of computer software and electronic hardware. Whether these functions are executed in hardware or software depends on the specific application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of the present invention.
In the embodiments provided by the present invention, it should be understood that the disclosed device/terminal device and method may be implemented in other ways. For example, the device/terminal device embodiments described above are merely schematic. The division of the modules or units is only a division of logical functions; there may be other division manners in actual implementation, for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist physically alone, or two or more units may be integrated in one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated module/unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, all or part of the processes in the above embodiment methods may also be completed by instructing the relevant hardware through a computer program. The computer program may be stored in a computer-readable storage medium, and when executed by a processor it implements the steps of each of the above method embodiments. The computer program includes computer program code, which may be in source code form, object code form, an executable file, or some intermediate form. The computer-readable medium may include any entity or device capable of carrying the computer program code, a recording medium, a USB flash disk, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a read-only memory (ROM), a random access memory (RAM), an electrical carrier signal, a telecommunication signal, a software distribution medium, etc. It should be noted that the content contained in the computer-readable medium may be increased or decreased as appropriate according to the requirements of legislation and patent practice in the jurisdiction; for example, in some jurisdictions, according to legislation and patent practice, the computer-readable medium does not include electrical carrier signals and telecommunication signals.
The above embodiments are only used to illustrate the technical solution of the present invention, not to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents; such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and shall all be included within the scope of protection of the present invention.
Claims (10)
1. A Cryptographic Service Provider call method, characterized by comprising:
obtaining a first CSP call request carrying a Cryptographic Service Provider (CSP) identifier;
sending the first CSP call request to a TSM Security Agent component;
calling, through the TSM Security Agent component, the program in a CSP dynamic library module that corresponds to the first CSP call request.
2. The Cryptographic Service Provider call method according to claim 1, characterized in that the TSM Security Agent component includes a proxy dynamic library module and a proxy service module; sending the first CSP call request to the TSM Security Agent component includes:
sending the first CSP call request to the proxy dynamic library module;
generating, by the proxy dynamic library module, a second CSP call request corresponding to the first CSP call request, and sending the second CSP call request to the proxy service module;
and calling, through the TSM Security Agent component, the program in the CSP dynamic library module that corresponds to the first CSP call request includes:
calling, through the proxy service module, the program in the CSP dynamic library module that corresponds to the second CSP call request.
3. The Cryptographic Service Provider call method according to claim 2, characterized in that calling, through the proxy service module, the program in the CSP dynamic library module that corresponds to the second CSP call request includes:
generating, by the proxy service module, a third CSP call request corresponding to the second CSP call request, and sending the third CSP call request to a CSP auxiliary library module;
calling, through the CSP auxiliary library module, the program in the CSP dynamic library module that corresponds to the third CSP call request.
4. The Cryptographic Service Provider call method according to claim 3, characterized in that, before sending the first CSP call request to the proxy dynamic library module, the method further includes:
replacing the registration information of the CSP auxiliary library module in the registry with the registration information of the proxy dynamic library module, and re-registering the registration information of the CSP auxiliary library module under a new name.
5. The Cryptographic Service Provider call method according to claim 4, characterized in that the registration information includes path information and signature information;
replacing the registration information of the CSP auxiliary library module in the registry with the registration information of the proxy dynamic library module, and re-registering the registration information of the CSP auxiliary library module under a new name, includes:
modifying the first path name of the CSP auxiliary library module in the registry to a second path name;
adding the first path name to the registry again, and setting the path information corresponding to the first path name to the path information of the proxy dynamic library module;
modifying the first signature name of the CSP auxiliary library module in the registry to a second signature name;
adding the first signature name to the registry again, and setting the signature information corresponding to the first signature name to the signature information of the proxy dynamic library module.
6. The Cryptographic Service Provider call method according to any one of claims 3 to 5, characterized in that, before sending the first CSP call request to the proxy dynamic library module, the method further includes:
registering the proxy service module as a system service, and setting the proxy service module to run automatically.
7. A Cryptographic Service Provider calling device, characterized by comprising:
an acquiring unit, used to obtain a first CSP call request carrying a Cryptographic Service Provider (CSP) identifier;
a transmission unit, used to send the first CSP call request to a TSM Security Agent component;
a call unit, used to call, through the TSM Security Agent component, the program in a CSP dynamic library module that corresponds to the first CSP call request.
8. The Cryptographic Service Provider calling device according to claim 7, characterized in that the TSM Security Agent component includes a proxy dynamic library module and a proxy service module; the transmission unit is used to:
send the first CSP call request to the proxy dynamic library module;
generate, by the proxy dynamic library module, a second CSP call request corresponding to the first CSP call request, and send the second CSP call request to the proxy service module;
and the call unit is used to:
call, through the proxy service module, the program in the CSP dynamic library module that corresponds to the second CSP call request.
9. A terminal device, including a memory, a processor, and a computer program stored in the memory and runnable on the processor, characterized in that the processor, when executing the computer program, implements the steps of the method according to any one of claims 1 to 6.
10. A computer-readable storage medium storing a computer program, characterized in that, when the computer program is executed by a processor, the steps of the method according to any one of claims 1 to 6 are implemented.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810371564.4A CN108762827B (en) | 2018-04-24 | 2018-04-24 | Encryption service providing program calling method and terminal equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108762827A true CN108762827A (en) | 2018-11-06 |
CN108762827B CN108762827B (en) | 2021-02-23 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||