CN108762827A - Cryptographic Service Provider call method and terminal device - Google Patents


Info

Publication number: CN108762827A
Application number: CN201810371564.4A
Authority: CN (China)
Prior art keywords: csp, call, call requests, module, library module
Legal status (assumed by Google Patents, not a legal conclusion): Granted
Other languages: Chinese (zh)
Other versions: CN108762827B (en)
Inventor: 陈柳章
Current assignee (listed assignees may be inaccurate): Beijing Minghua Alliance Technology Co Ltd
Original assignee: Beijing Minghua Alliance Technology Co Ltd
Legal events: application filed by Beijing Minghua Alliance Technology Co Ltd; priority to CN201810371564.4A; publication of CN108762827A; application granted; publication of CN108762827B; current legal status: Active.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/445 Program loading or initiating
    • G06F9/44505 Configuring for program initiating, e.g. using registry, configuration files
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services


Abstract

The present invention relates to the field of computer technology and provides a Cryptographic Service Provider (CSP) call method and a terminal device. The method includes: obtaining a first CSP call request carrying a CSP identifier; sending the first CSP call request to a security proxy component; and calling, through the security proxy component, the program in a CSP dynamic library module that corresponds to the first CSP call request. By arranging a security proxy component and calling the CSP indirectly with the security proxy component as intermediary instead of calling it directly, the invention solves the problem that a CSP cannot be called because of operating-system permission restrictions, and ensures the normal use of online banking.

Description

Cryptographic Service Provider call method and terminal device
Technical field
The present invention relates to the field of computer technology, and in particular to a Cryptographic Service Provider call method and a terminal device.
Background art
At present, online banking generally performs identity authentication with a USB Key, but in some cases a browser cannot use online banking normally through the USB Key, for example the Edge browser on Windows 10, or the IE browser on Windows 10 with EPM (Enhanced Protected Mode) enabled. The reason is that in both of these cases the online-banking driver runs inside an AppContainer; when the USB Key is then used for SSL (Secure Sockets Layer) login, online-banking transaction authentication and so on, communication with the smart card cannot be established and the password input box cannot be shown. These two restrictions directly make online banking unusable.
AppContainer is a new process isolation mechanism that Microsoft introduced starting with Windows 8; it is equivalent to a sandbox. The Edge browser and the IE browser with EPM enabled use a higher level of permission control: specifically, they introduce AppContainer to achieve finer-grained permission control, under which many operations are prevented from executing, such as starting processes and accessing devices.
Taking the Edge browser as an example, the process of performing an SSL login through the Edge browser has two important steps:
1) CredentialUIBroker.exe runs and pops up the certificate selection box for the user to select a certificate; some CSP (Cryptography Service Provider) functions may also be executed here;
2) MicrosoftEdgeCP.exe runs and executes CSP functions to complete the signature.
Here CredentialUIBroker.exe runs with the permissions of the local user, while MicrosoftEdgeCP.exe runs inside an AppContainer. Because of the permission restrictions, the vendor CSP (running inside MicrosoftEdgeCP.exe) is prevented from starting processes and accessing devices, so the CSP call cannot be completed normally and the SSL login fails.
Summary of the invention
In view of this, embodiments of the present invention provide a Cryptographic Service Provider call method and a terminal device, to solve the problem that current system permission controls make online banking unusable.
A first aspect of the embodiments of the present invention provides a Cryptographic Service Provider call method, including:
obtaining a first CSP call request carrying a Cryptographic Service Provider (CSP) identifier;
sending the first CSP call request to a security proxy component;
calling, through the security proxy component, the program in a CSP dynamic library module that corresponds to the first CSP call request.
A second aspect of the embodiments of the present invention provides a Cryptographic Service Provider calling device, including:
an acquiring unit for obtaining a first CSP call request carrying a Cryptographic Service Provider (CSP) identifier;
a transmission unit for sending the first CSP call request to a security proxy component;
a call unit for calling, through the security proxy component, the program in the CSP dynamic library module that corresponds to the first CSP call request.
A third aspect of the embodiments of the present invention provides a terminal device including a memory, a processor and a computer program stored in the memory and runnable on the processor, where the processor implements the Cryptographic Service Provider call method of the first aspect when executing the computer program.
A fourth aspect of the embodiments of the present invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the Cryptographic Service Provider call method of the first aspect.
Compared with the prior art, the embodiments of the present invention have the following advantageous effect: by obtaining a first CSP call request carrying a CSP identifier, sending the first CSP call request to a security proxy component, and calling through the security proxy component the program in the CSP dynamic library module that corresponds to the first CSP call request, the normal use of online banking can be realized. By arranging a security proxy component and calling the CSP indirectly with the security proxy component as intermediary instead of calling it directly, the embodiments solve the problem that a CSP cannot be called because of operating-system permission restrictions and ensure the normal use of online banking.
Description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed for the embodiments or for the description of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is the implementation flow chart of the Cryptographic Service Provider call method provided by one embodiment of the present invention;
Fig. 2 is the implementation flow chart of the Cryptographic Service Provider call method provided by one embodiment of the present invention;
Fig. 3 is the implementation flow chart of the Cryptographic Service Provider call method provided by one embodiment of the present invention;
Fig. 4 is the implementation flow chart of modifying the registry in the Cryptographic Service Provider call method provided by one embodiment of the present invention;
Fig. 5 is a schematic comparison of the CSP call flows before and after the security proxy component is added, provided by one embodiment of the present invention;
Fig. 6 is a schematic diagram of the Cryptographic Service Provider calling device provided by an embodiment of the present invention;
Fig. 7 is a schematic diagram of the terminal device provided by an embodiment of the present invention.
Detailed description of the embodiments
In the following description, specific details such as particular system structures and techniques are set forth for the purpose of illustration rather than limitation, so that the embodiments of the present invention can be thoroughly understood. However, it will be clear to those skilled in the art that the present invention can also be practised in other embodiments without these specific details. In other cases, detailed descriptions of well-known systems, devices, circuits and methods are omitted so that unnecessary detail does not obscure the description of the invention.
To illustrate the technical solutions of the present invention, specific embodiments are described below.
Fig. 1 is the implementation flow chart of the Cryptographic Service Provider call method provided by an embodiment of the present invention, detailed as follows:
In S101, a first CSP call request carrying a Cryptographic Service Provider (CSP) identifier is obtained.
In this embodiment, when the user needs to perform an online-banking operation such as SSL login or online-banking transaction authentication, the user logs in to the web page of the online-banking system. The terminal device obtains the operation instruction entered by the user through the web page and generates the first CSP call request according to that instruction. Since different online-banking systems usually correspond to different CSPs, the generated first CSP call request carries the CSP identifier of the CSP specified by the current user. The CSP identifier may be a CSP name, a CSP label or the like, and is used to call the corresponding CSP. A CSP is usually implemented as a dynamic link library (the CSP dynamic library) which is registered with the system through the registry. A CSP has a name (CSP Name), and an application calls the CSP by using CryptoAPI together with the CSP name.
In S102, the first CSP call request is sent to the security proxy component.
In this embodiment, the security proxy component is a component that can receive call requests and call the relevant program according to the received call request.
In S103, the program in the CSP dynamic library module that corresponds to the first CSP call request is called through the security proxy component.
In this embodiment, the CSP dynamic library module includes the CSP dynamic library. The CSP dynamic library contains the programs for CSP processing; by calling the CSP dynamic library, online-banking functions such as SSL login and transaction authentication can be realized. The CSP dynamic library is usually provided by the USBKey vendor. The first CSP call request is sent to the security proxy component, which receives it and, according to the first CSP call request, calls the corresponding program in the CSP dynamic library module, so that the function required for the user's online-banking operation is carried out.
Since the security proxy component can call the CSP dynamic library from an ordinary process or service, it is not subject to the operating-system permission restriction.
In the embodiment of the present invention, a first CSP call request carrying a CSP identifier is obtained; the first CSP call request is sent to the security proxy component; and the program in the CSP dynamic library module corresponding to the first CSP call request is called through the security proxy component, so that online banking can be used normally. By arranging a security proxy component and calling the CSP indirectly with it as intermediary instead of calling the CSP directly, the embodiment solves the problem that the CSP cannot be called because of operating-system permission restrictions and ensures the normal use of online banking.
As an embodiment of the present invention, the security proxy component includes a proxy dynamic library module and a proxy service module.
In this embodiment, the security proxy component may include a proxy dynamic library module and a proxy service module. The proxy dynamic library module includes a proxy dynamic library, which carries a valid signature approved by the operating system. The proxy service module includes a proxy service program, which is used to call the CSP dynamic library provided by the vendor.
As shown in Fig. 2, S102 may include:
In S201, the first CSP call request is sent to the proxy dynamic library module.
In S202, a second CSP call request corresponding to the first CSP call request is generated by the proxy dynamic library module, and the second CSP call request is sent to the proxy service module.
In this embodiment, the proxy dynamic library module does not directly call the CSP dynamic library provided by the vendor; instead it receives the first CSP call request, generates a corresponding second CSP call request from it, and sends the second CSP call request to the proxy service module.
S103 may include:
In S203, the program in the CSP dynamic library module that corresponds to the second CSP call request is called by the proxy service module.
In this embodiment, the proxy service module receives the second CSP call request and calls the program in the CSP dynamic library module that corresponds to it.
Since the proxy service module can call the CSP dynamic library from an ordinary process or service, it is not subject to the operating-system permission restriction. For example, if the user performs an SSL login through the Edge browser running in an AppContainer, the proxy dynamic library module runs inside the AppContainer, but the proxy service module is allowed to run outside the AppContainer, and its call of the CSP dynamic library is also executed outside the AppContainer; therefore the proxy service module is not restricted by operating-system permissions and can call the CSP normally to complete online-banking operations such as SSL login.
Using a security proxy component requires applying to the system vendor (such as Microsoft) for the corresponding signature. If a signature had to be applied for from the system vendor every time the proxy program in the security proxy component was adjusted (for example modified or upgraded), the development cycle could be greatly prolonged and the efficiency of adjusting the security proxy component's programs would suffer.
This embodiment divides the security proxy component into a proxy dynamic library module and a proxy service module. The proxy dynamic library module does not call the vendor's CSP dynamic library; it sends the second CSP call request to the proxy service module, and the CSP call is made through the proxy service module. In this process the proxy dynamic library only forwards calls; the actual proxy function is performed by the proxy service module. The proxy dynamic library module must apply to the system vendor for a signature, but the proxy service module need not. If the programs in the security proxy component need adjusting, the program in the proxy service module can be adjusted without touching the proxy dynamic library module, which avoids having to apply for a signature from the system vendor on every adjustment, shortens the development cycle and improves the efficiency of adjusting the security proxy component's programs.
As an embodiment of the present invention, as shown in Fig. 3, S203 may include:
In S301, a third CSP call request corresponding to the second CSP call request is generated by the proxy service module, and the third CSP call request is sent to the CSP auxiliary library module.
In S302, the program in the CSP dynamic library module that corresponds to the third CSP call request is called by the CSP auxiliary library module.
In this embodiment, the CSP auxiliary library module includes a CSP auxiliary dynamic library. The CSP auxiliary dynamic library contains only the CSP-related interface functions and carries the system vendor's signature; it does not implement the CSP functions, which are implemented by the CSP dynamic library.
Because use of a CSP requires the system vendor's signature, and obtaining that signature takes time, applying for a new signature on every adjustment of the CSP program would make the CSP development cycle too long. By arranging a CSP auxiliary dynamic library, which verifies the signature and then calls the CSP dynamic library to realize the CSP functions, an adjustment of the CSP program only needs to change the program in the CSP dynamic library without re-applying for a signature, which improves the efficiency of adjusting the CSP.
In this embodiment, the proxy service module does not call the CSP directly; it sends the third CSP call request to the CSP auxiliary library module, and the CSP auxiliary library module calls the program in the CSP dynamic library module that corresponds to the third CSP call request. In this way, when the vendor needs to modify or upgrade the CSP, the proxy function of the security proxy component is not affected: even if the program in the CSP dynamic library is adjusted, the security proxy component of this embodiment need not be adjusted and can directly call the adjusted CSP dynamic library. This reduces the effect of CSP program adjustments on the security proxy component, reduces the number of times the security proxy component must be adjusted, lets it accommodate different CSP versions, and improves its applicability and scope of application.
As an embodiment of the present invention, before S201 the method may further include:
replacing the registration information of the CSP auxiliary library module in the registry with the registration information of the proxy dynamic library module, and re-naming and re-registering the registration information of the CSP auxiliary library module.
In this embodiment, both the CSP auxiliary library and the proxy dynamic library need to be registered in the operating-system registry. Without the security proxy component, the system registry contains only the registration information of the CSP auxiliary library; when the user performs an online-banking operation through the web page of the online-banking system, the terminal device automatically forwards the call request to the corresponding CSP auxiliary library according to that registration information, and the CSP auxiliary library then calls the CSP to carry out the function.
This embodiment adds the security proxy component: by replacing the registration information of the CSP auxiliary library module in the registry with the registration information of the proxy dynamic library module, the terminal device is made to forward call requests automatically to the proxy dynamic library module, which realizes the proxy function of the security proxy component. Re-naming and re-registering the registration information of the CSP auxiliary library module makes it convenient to send call requests that have passed through the security proxy component on to the CSP auxiliary library module.
As an embodiment of the present invention, the registration information includes path information and signature information. As shown in Fig. 4, the step of "replacing the registration information of the CSP auxiliary library module in the registry with the registration information of the proxy dynamic library module, and re-naming and re-registering the registration information of the CSP auxiliary library module" may include:
In S401, the first path name of the CSP auxiliary library module in the registry is renamed to a second path name;
In S402, the first path name is added to the registry again, and the path information corresponding to the first path name is set to the path information of the proxy dynamic library module;
In S403, the first signature name of the CSP auxiliary library module in the registry is renamed to a second signature name;
In S404, the first signature name is added to the registry again, and the signature information corresponding to the first signature name is set to the signature information of the proxy dynamic library module.
The registration process of the proxy dynamic library module is illustrated below with an implementation example.
The security proxy component can be supplied to the user as an installation package, referred to below as the component installer. The proxy dynamic library in it can include both a 32-bit and a 64-bit library, to support 32-bit and 64-bit systems.
For convenience, the following premises are stated:
1) On a 32-bit system, the 32-bit system directory is %SystemRoot%\Windows\System32, and there is no 64-bit system directory.
2) On a 64-bit system, the 32-bit system directory is %SystemRoot%\Windows\SysWow64, and the 64-bit system directory is %SystemRoot%\Windows\System32.
3) On a 32-bit system, the path of the 32-bit CSP registry entry is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\<CSP Name>, and there is no 64-bit entry.
4) On a 64-bit system, the path of the 32-bit CSP registry entry is HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider\<CSP Name>, and the path of the 64-bit CSP registry entry is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\<CSP Name>.
The specific registration process is as follows:
1) Place the 32-bit proxy dynamic library in the 32-bit system directory; denote the final file path as P1.
2) Place the 64-bit proxy dynamic library in the 64-bit system directory; denote the final file path as P2. If the target system is 32-bit, skip step 2).
3) Change the entry point of the 32-bit CSP auxiliary library in the CSP registry entry, specifically:
A. Rename the value "Image Path" (corresponding to the first path name) of the 32-bit CSP registry entry to "Image Path Vendor" (corresponding to the second path name).
B. Set the value "Image Path" of the 32-bit CSP registry entry to P1.
C. Rename the value "Signature" (corresponding to the first signature name) of the 32-bit CSP registry entry to "Signature Vendor" (corresponding to the second signature name).
D. Set the value "Signature" of the 32-bit CSP registry entry to the valid signature value of the file at P1.
4) Change the entry point of the 64-bit CSP auxiliary library in the CSP registry entry, specifically:
A. Rename the value "Image Path" of the 64-bit CSP registry entry to "Image Path Vendor".
B. Set the value "Image Path" of the 64-bit CSP registry entry to P2.
C. Rename the value "Signature" of the 64-bit CSP registry entry to "Signature Vendor".
D. Set the value "Signature" of the 64-bit CSP registry entry to the valid signature value of the file at P2.
If the system is 32-bit, skip step 4).
At this point, registration of the proxy dynamic library is complete.
By modifying the registry entries, this embodiment redirects the CSP call so that a CSP call request first reaches the proxy dynamic library, which realizes the proxy function of the security proxy component.
Optionally, S202 may include: generating, by the proxy dynamic library module, a second CSP call request corresponding to the first CSP call request, and sending the second CSP call request together with the path information of the CSP auxiliary library module to the proxy service module.
S301 may include: generating, by the proxy service module, a third CSP call request corresponding to the second CSP call request, and sending the third CSP call request to the CSP auxiliary library module according to the path information of the CSP auxiliary library module.
By sending the path information of the CSP auxiliary library module to the proxy service module, this embodiment enables the proxy service module to deliver the third CSP call request accurately to the CSP auxiliary library module according to that path information, ensuring that the security proxy component forwards call requests accurately and realizes the proxying of CSP calls.
As an embodiment of the present invention, before S201 the method may further include:
registering the proxy service module as a system service and setting the proxy service module to run automatically.
In this embodiment, the proxy service module can be a 32-bit service program, which supports both 32-bit and 64-bit systems. For example, the proxy service module S can be an exe file, deployed as follows:
1) place S in the corresponding 32-bit system directory;
2) register S as a system service, set it to run automatically, and allow it to interact with the system desktop.
By registering the proxy service module as a system service that runs automatically, this embodiment lets the proxy service module respond quickly to the proxy dynamic library module when the user performs online-banking operations through the web page, receiving call requests and calling the vendor CSP promptly. This improves the response speed of the security proxy component, reduces the effect of the added security proxy component on CSP call speed, and lets users carry out online-banking operations at normal speed.
Fig. 5 is a schematic comparison of the CSP call flows before and after the security proxy component is added, provided by one embodiment of the present invention.
Fig. 5(a) is the flow diagram of a CSP call before the security proxy component is added. The web page of the online-banking system calls the CSP auxiliary library module, and the CSP auxiliary library module in turn calls the CSP dynamic library module (solid arrows in the figure). If the CSP dynamic library module needs to return a call result, the result is returned in turn to the CSP auxiliary library module and then to the web page of the online-banking system (dashed arrows in the figure). Here the web page of the online-banking system, the CSP auxiliary library module and the CSP dynamic library module all run inside the AppContainer and are restricted by operating-system permissions. Since the CSP dynamic library module is what implements the CSP functions, on a system with permission controls such as AppContainer this CSP call flow cannot realize the normal use of online banking.
Fig. 5(b) is the flow diagram of a CSP call after the security proxy component is added. The web page of the online-banking system calls the proxy dynamic library module, the proxy dynamic library module calls the proxy service module, the proxy service module calls the CSP auxiliary library module, and the CSP auxiliary library module calls the CSP dynamic library module (solid arrows in the figure). If the CSP dynamic library needs to return a call result, the result is returned in turn to the CSP auxiliary library module, the proxy service module, the proxy dynamic library module and the web page of the online-banking system (dashed arrows in the figure). Here the web page of the online-banking system and the proxy dynamic library module run inside the AppContainer, while the proxy service module, the CSP auxiliary library module and the CSP dynamic library module can run outside the AppContainer; therefore the proxy service module, the CSP auxiliary library module and the CSP dynamic library module that implements the CSP functions are not restricted by operating-system permissions, and this CSP call flow can realize the normal use of online banking.
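To make the two flows of Fig. 5 and the request rewriting of S201 to S302 (with the path information of S202 and S301) concrete, the following Python model is added here; it is not code from the patent. Each module is tagged with whether it runs inside the AppContainer, the proxy dynamic library turns the first request into a second one carrying the CSP auxiliary library's path information, the proxy service routes the third request by that path, and the CSP dynamic library is the one step that needs device access, which the model refuses inside the container, so the flow of Fig. 5(a) fails where the flow of Fig. 5(b) completes. Module names follow the patent; the request fields, the sample function name CPSignHash and the auxiliary library path are assumptions.

```python
"""
Model of the CSP call flows of Fig. 5(a)/(b) and of the request rewriting in
S201-S302.  Constructed for this example; not the patent's code.
"""
from dataclasses import dataclass

# Path information of the CSP auxiliary library that the proxy dynamic library
# passes along (S202).  Hypothetical value, the one kept under "Image Path Vendor".
AUX_LIB_PATH = r"C:\Windows\System32\examplecsp_aux.dll"


@dataclass
class CallRequest:
    stage: int              # 1, 2 or 3: first, second or third CSP call request
    csp_name: str           # CSP identifier carried since S101
    function: str           # CSP entry point requested, e.g. CPSignHash (sample)
    aux_lib_path: str = ""  # path information of the CSP auxiliary library


@dataclass
class Module:
    name: str
    in_app_container: bool      # True: subject to the AppContainer restrictions
    needs_device: bool = False  # True for the vendor library that talks to the USB Key


class PermissionDenied(Exception):
    """Raised where the AppContainer would block device access."""


def flow_before():
    """Fig. 5(a): page -> CSP auxiliary library -> CSP dynamic library, all in the container."""
    return [Module("web page", True),
            Module("CSP auxiliary library", True),
            Module("CSP dynamic library", True, needs_device=True)]


def flow_after():
    """Fig. 5(b): the proxy dynamic library stays in the container; the proxy
    service and everything it calls run outside it."""
    return [Module("web page", True),
            Module("proxy dynamic library", True),
            Module("proxy service", False),
            Module("CSP auxiliary library", False),
            Module("CSP dynamic library", False, needs_device=True)]


def forward(module, req):
    """Rewrite the request the way the patent's modules do; other modules pass it on."""
    if module.name == "proxy dynamic library":        # S202: second request + aux path
        return CallRequest(2, req.csp_name, req.function, AUX_LIB_PATH)
    if module.name == "proxy service":                # S301: third request, routed by path
        if not req.aux_lib_path:
            raise ValueError("proxy service cannot route without the aux library path")
        return CallRequest(3, req.csp_name, req.function, req.aux_lib_path)
    return req


def execute(flow, req):
    """Walk the call chain (solid arrows); return (call path, return path, result).
    Each call-path entry is (module, stage of the request it received, environment)."""
    path = []
    for module in flow:
        env = "AppContainer" if module.in_app_container else "normal"
        path.append((module.name, req.stage, env))
        if module.needs_device and module.in_app_container:
            raise PermissionDenied(f"{module.name}: device access blocked inside AppContainer")
        req = forward(module, req)
    result = f"{req.function} handled by {req.csp_name} via {req.aux_lib_path}"
    return path, [name for name, _, _ in reversed(path)], result   # dashed arrows


if __name__ == "__main__":
    first = CallRequest(1, "Example Vendor CSP", "CPSignHash")
    try:
        execute(flow_before(), first)
    except PermissionDenied as exc:
        print("Fig. 5(a):", exc)
    call_path, return_path, result = execute(flow_after(), first)
    for step in call_path:
        print("Fig. 5(b) call:", step)
    print("Fig. 5(b) return:", " -> ".join(return_path))
    print(result)
```

The call path records which request stage each module receives (1, 1, 2, 3, 3 in the Fig. 5(b) flow) and the return path is the reverse of the call path, matching the dashed arrows described above; the ValueError in the proxy service is the failure mode the optional S202/S301 path information is there to prevent.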
Many banks, in order to reduce cost and risk, purchase USBKey products from several vendors at once. When the online-banking system is moved to the latest Edge browser, the USBKeys of several vendors turn out to be unable to perform SSL login. Because of technical obstacles, some vendors cannot solve this problem in a short time, and for the bank, waiting for every vendor to fix the problem on its own takes a long time. Even if every vendor promptly provides a driver that fixes the problem, the amount of testing work is huge.
The embodiments of the present invention can solve this problem and have the following advantages:
1. the existing online-banking driver needs almost no modification, saving a great deal of development support work;
2. because the online-banking driver is not modified, the bank saves a great deal of testing time;
3. the embodiments are universal: under any banking system, the online-banking driver of any vendor can realize the normal use of online-banking functions without the driver being modified.
By modifying the CSP registry path, the embodiments of the present invention call the vendor CSP through the security proxy component to access the security device, so that the vendor CSP and the browser can run in different environments (inside and outside the AppContainer). This solves the problem that the Edge browser cannot access the security device normally, and can be compatible with the CSPs of different vendors at the same time.
In the embodiment of the present invention, a first CSP call request carrying a CSP identifier is obtained; the first CSP call request is sent to the security proxy component; and the program in the CSP dynamic library module corresponding to the first CSP call request is called through the security proxy component, so that online banking can be used normally. By arranging a security proxy component and calling the CSP indirectly with it as intermediary instead of calling the CSP directly, the embodiment solves the problem that the CSP cannot be called because of operating-system permission restrictions and ensures the normal use of online banking.
It should be understood that the size of the serial numbers of the steps in the above embodiments does not imply an execution order; the execution order of each process should be determined by its function and internal logic, and does not constitute any limitation on the implementation of the embodiments of the present invention.
Corresponding to the Cryptographic Service Provider call method described in the foregoing embodiments, Fig. 6 is a schematic diagram of the Cryptographic Service Provider calling device provided by an embodiment of the present invention. For convenience of description, only the parts related to the present embodiment are shown.
With reference to Fig. 6, the device includes an acquiring unit 61, a transmission unit 62 and a call unit 63.
The acquiring unit 61 is used to obtain a first CSP call request carrying a Cryptographic Service Provider (CSP) identifier.
The transmission unit 62 is used to send the first CSP call request to the security agent component.
The call unit 63 is used to call, through the security agent component, the program in the CSP dynamic library module corresponding to the first CSP call request.
Optionally, the security agent component includes an agent dynamic library module and a proxy service module, and the transmission unit 62 is used to:
send the first CSP call request to the agent dynamic library module;
generate, through the agent dynamic library module, a second CSP call request corresponding to the first CSP call request, and send the second CSP call request to the proxy service module;
and the call unit 63 is used to:
call, through the proxy service module, the program in the CSP dynamic library module corresponding to the second CSP call request.
Optionally, the call unit 63 is used to:
generate, through the proxy service module, a third CSP call request corresponding to the second CSP call request, and send the third CSP call request to the CSP auxiliary library module;
call, through the CSP auxiliary library module, the program in the CSP dynamic library module corresponding to the third CSP call request.
Optionally, the device further includes a first registering unit, which is used to:
replace the registration information of the CSP auxiliary library module in the registry with the registration information of the agent dynamic library module, and rename the registration information of the CSP auxiliary library module and register it again.
Optionally, the registration information includes path information and signature information, and the first registering unit is used to:
modify the first path name of the CSP auxiliary library module in the registry to a second path name;
add the first path name to the registry again, and set the path information corresponding to the first path name to the path information of the agent dynamic library module;
modify the first signature name of the CSP auxiliary library module in the registry to a second signature name;
add the first signature name to the registry again, and set the signature information corresponding to the first signature name to the signature information of the agent dynamic library module.
Optionally, the device further includes a second registering unit, which is used to:
register the proxy service module as a system service, and set the proxy service module to run automatically.
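The registry substitution just described (the vendor's provider name re-pointed at the agent DLL, the original library re-registered under a new name, and a service set to start automatically) is exactly the kind of change a defender wants to be able to spot on a workstation. The following PowerShell script is an added example, not code from the patent or its assignee: it lists the CSPs registered under HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider (the standard Windows key whose per-provider "Image Path" and "Signature" values such a procedure rewrites), verifies each DLL's Authenticode signature, and diffs the registrations against a saved baseline. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with read access to HKLM; the baseline file path is whatever the caller passes.

```powershell
# Added audit script; not part of the patent or the assignee's code.
# Enumerates the CSPs registered under the Windows provider key, resolves each
# "Image Path", checks that the DLL exists and carries a valid Authenticode
# signature, and records the length of the REG_BINARY "Signature" value.
# Assumptions: Windows PowerShell 5.1 / PowerShell 7 on Windows, read access to HKLM.

$ProviderRoot = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider'

function Get-CspRegistration {
    [CmdletBinding()]
    param([string]$Root = $ProviderRoot)

    foreach ($key in Get-ChildItem -Path $Root -ErrorAction Stop) {
        $props     = Get-ItemProperty -Path $key.PSPath
        $imagePath = [string]$props.'Image Path'
        $sigValue  = $props.'Signature'

        # "Image Path" may use environment variables (e.g. %SystemRoot%) and may be
        # a bare file name, which the loader resolves from the system directory.
        $resolved = [Environment]::ExpandEnvironmentVariables($imagePath)
        if ($resolved -and -not [IO.Path]::IsPathRooted($resolved)) {
            $resolved = Join-Path ([Environment]::SystemDirectory) $resolved
        }

        $exists    = [bool]($resolved -and (Test-Path -LiteralPath $resolved))
        $sigStatus = 'FileMissing'
        $signer    = $null
        if ($exists) {
            $sig       = Get-AuthenticodeSignature -FilePath $resolved
            $sigStatus = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        $sigBytes = 0
        if ($sigValue) { $sigBytes = $sigValue.Length }

        # Informational only: third-party (vendor) CSPs often live outside System32.
        $outsideSys32 = [bool]($resolved -and -not $resolved.StartsWith(
            [Environment]::SystemDirectory, [StringComparison]::OrdinalIgnoreCase))

        [pscustomobject]@{
            Provider        = $key.PSChildName
            Type            = $props.'Type'
            ImagePath       = $imagePath
            ResolvedPath    = $resolved
            FileExists      = $exists
            Authenticode    = $sigStatus
            Signer          = $signer
            RegSigBytes     = $sigBytes
            OutsideSystem32 = $outsideSys32
        }
    }
}

# Baseline comparison. The first run writes the snapshot; later runs report providers
# whose Image Path or registry Signature length changed, and providers added or removed
# (a renamed original library shows up as one removal plus one addition).
function Compare-CspBaseline {
    param([Parameter(Mandatory)][string]$BaselinePath)

    $current = @(Get-CspRegistration)
    if (-not (Test-Path -LiteralPath $BaselinePath)) {
        $current | Select-Object Provider, ImagePath, RegSigBytes |
            ConvertTo-Json | Set-Content -LiteralPath $BaselinePath
        Write-Host "Baseline written to $BaselinePath"
        return
    }

    $baseline = @(Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json)
    foreach ($entry in $current) {
        $old = $baseline | Where-Object { $_.Provider -eq $entry.Provider }
        if (-not $old) {
            Write-Warning "New provider: '$($entry.Provider)' -> $($entry.ImagePath)"
        } elseif ($old.ImagePath -ne $entry.ImagePath -or $old.RegSigBytes -ne $entry.RegSigBytes) {
            Write-Warning "Provider '$($entry.Provider)' changed: '$($old.ImagePath)' -> '$($entry.ImagePath)'"
        }
    }
    foreach ($old in $baseline) {
        if (-not ($current | Where-Object { $_.Provider -eq $old.Provider })) {
            Write-Warning "Provider removed or renamed: '$($old.Provider)'"
        }
    }
}

# Quick triage view: providers whose DLL is missing or not validly signed.
Get-CspRegistration |
    Where-Object { -not $_.FileExists -or $_.Authenticode -ne 'Valid' } |
    Format-Table Provider, ImagePath, FileExists, Authenticode, Signer -AutoSize
```

Run `Compare-CspBaseline -BaselinePath C:\path\to\csp-baseline.json` once on a known-good machine and again after any banking-plugin installation; a vendor provider name whose Image Path now points at a different DLL is the signature of the substitution described above.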
In the embodiment of the present invention, a first CSP call request carrying a Cryptographic Service Provider (CSP) identifier is obtained; the first CSP call request is sent to the security agent component; and the program in the CSP dynamic library module corresponding to the first CSP call request is called through the security agent component, so that normal use of online banking can be achieved. By setting up a security agent component and calling the CSP indirectly through it instead of calling the CSP directly, the embodiment solves the problem that the CSP cannot be called because of operating system permission restrictions, and ensures normal use of online banking.
Fig. 7 is a schematic diagram of a terminal device provided by an embodiment of the present invention. As shown in Fig. 7, the terminal device 7 of this embodiment includes a processor 70, a memory 71, and a computer program 72 stored in the memory 71 and runnable on the processor 70. When the processor 70 executes the computer program 72, it implements the steps of each method embodiment above, for example steps 101 to 103 shown in Fig. 1. Alternatively, when the processor 70 executes the computer program 72, it implements the functions of the modules/units of each device embodiment above, for example the functions of units 61 to 63 shown in Fig. 6.
Illustratively, the computer program 72 can be divided into one or more modules/units, which are stored in the memory 71 and executed by the processor 70 to carry out the present invention. The one or more modules/units may be a series of computer program instruction segments capable of completing specific functions; the instruction segments are used to describe the execution process of the computer program 72 in the terminal device 7. For example, the computer program 72 can be divided into an acquiring unit, a transmission unit and a call unit, whose specific functions are as follows:
The acquiring unit is used to obtain a first CSP call request carrying a Cryptographic Service Provider (CSP) identifier;
the transmission unit is used to send the first CSP call request to the security agent component;
the call unit is used to call, through the security agent component, the program in the CSP dynamic library module corresponding to the first CSP call request.
The terminal device 7 may be a computing device such as a desktop computer, a notebook, a palmtop computer or a cloud server. The terminal device may include, but is not limited to, the processor 70 and the memory 71. Those skilled in the art will understand that Fig. 7 is only an example of the terminal device 7 and does not limit it; the device may include more or fewer components than shown, combine certain components, or have different components; for example, the terminal device may also include input/output devices, network access devices, buses, a display and so on.
The processor 70 may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor.
The memory 71 may be an internal storage unit of the terminal device 7, such as its hard disk or main memory. The memory 71 may also be an external storage device attached to the terminal device 7, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a Flash Card. Further, the memory 71 may include both an internal storage unit and an external storage device of the terminal device 7. The memory 71 is used to store the computer program and the other programs and data required by the terminal device, and may also be used to temporarily store data that has been output or is to be output.
It will be clear to those skilled in the art that, for convenience and brevity of description, the division into the above functional units and modules is only given as an example; in practical application, the above functions may be assigned to different functional units and modules as required, that is, the internal structure of the device may be divided into different functional units or modules to complete all or part of the functions described above. The functional units and modules in the embodiments may be integrated in one processing unit, or each unit may exist physically alone, or two or more units may be integrated in one unit; the integrated unit may be implemented in the form of hardware or in the form of a software functional unit. In addition, the specific names of the functional units and modules are only for distinguishing them from each other and are not intended to limit the scope of protection of this application. For the specific working process of the units and modules in the above system, reference may be made to the corresponding processes in the foregoing method embodiments, which are not repeated here.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related descriptions of other embodiments.
Those of ordinary skill in the art will realize that the units and algorithm steps of the examples described in the embodiments disclosed herein can be implemented by electronic hardware or by a combination of computer software and electronic hardware. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Professionals may use different methods to implement the described functions for each specific application, but such implementation should not be considered to go beyond the scope of the present invention.
In the embodiments provided by the present invention, it should be understood that the disclosed device/terminal device and method may be implemented in other ways. For example, the device/terminal device embodiments described above are only schematic; the division of modules or units is only a logical functional division, and there may be other divisions in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network elements. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in each embodiment of the present invention may be integrated in one processing unit, or each unit may exist physically alone, or two or more units may be integrated in one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated module/unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, all or part of the flow of the methods of the above embodiments may also be completed by a computer program instructing the relevant hardware; the computer program may be stored in a computer-readable storage medium and, when executed by a processor, implements the steps of each method embodiment above. The computer program includes computer program code, which may be in source code form, object code form, an executable file, some intermediate form, etc. The computer-readable medium may include any entity or device capable of carrying the computer program code, a recording medium, a USB flash disk, a removable hard disk, a magnetic disk, an optical disk, computer memory, read-only memory (ROM), random access memory (RAM), an electrical carrier signal, a telecommunication signal, a software distribution medium, etc. It should be noted that the content contained in the computer-readable medium may be increased or decreased as appropriate in accordance with the requirements of legislation and patent practice in the jurisdiction; for example, in certain jurisdictions, in accordance with legislation and patent practice, computer-readable media do not include electrical carrier signals and telecommunication signals.
The above embodiments are only used to illustrate the technical solutions of the present invention and not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents; such modifications or replacements do not make the essence of the corresponding technical solutions depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and shall all be included within the scope of protection of the present invention.

Claims (10)

1. A Cryptographic Service Provider call method, characterized in that it includes:
obtaining a first CSP call request carrying a Cryptographic Service Provider (CSP) identifier;
sending the first CSP call request to a security agent component;
calling, through the security agent component, the program in a CSP dynamic library module corresponding to the first CSP call request.
2. The Cryptographic Service Provider call method according to claim 1, characterized in that the security agent component includes an agent dynamic library module and a proxy service module, and sending the first CSP call request to the security agent component includes:
sending the first CSP call request to the agent dynamic library module;
generating, through the agent dynamic library module, a second CSP call request corresponding to the first CSP call request, and sending the second CSP call request to the proxy service module;
and calling, through the security agent component, the program in the CSP dynamic library module corresponding to the first CSP call request includes:
calling, through the proxy service module, the program in the CSP dynamic library module corresponding to the second CSP call request.
3. The Cryptographic Service Provider call method according to claim 2, characterized in that calling, through the proxy service module, the program in the CSP dynamic library module corresponding to the second CSP call request includes:
generating, through the proxy service module, a third CSP call request corresponding to the second CSP call request, and sending the third CSP call request to a CSP auxiliary library module;
calling, through the CSP auxiliary library module, the program in the CSP dynamic library module corresponding to the third CSP call request.
4. The Cryptographic Service Provider call method according to claim 3, characterized in that, before sending the first CSP call request to the agent dynamic library module, the method further includes:
replacing the registration information of the CSP auxiliary library module in the registry with the registration information of the agent dynamic library module, and renaming the registration information of the CSP auxiliary library module and registering it again.
5. The Cryptographic Service Provider call method according to claim 4, characterized in that the registration information includes path information and signature information;
and replacing the registration information of the CSP auxiliary library module in the registry with the registration information of the agent dynamic library module, and renaming the registration information of the CSP auxiliary library module and registering it again, includes:
modifying the first path name of the CSP auxiliary library module in the registry to a second path name;
adding the first path name to the registry again, and setting the path information corresponding to the first path name to the path information of the agent dynamic library module;
modifying the first signature name of the CSP auxiliary library module in the registry to a second signature name;
adding the first signature name to the registry again, and setting the signature information corresponding to the first signature name to the signature information of the agent dynamic library module.
6. The Cryptographic Service Provider call method according to any one of claims 3 to 5, characterized in that, before sending the first CSP call request to the agent dynamic library module, the method further includes:
registering the proxy service module as a system service, and setting the proxy service module to run automatically.
7. A Cryptographic Service Provider calling device, characterized in that it includes:
an acquiring unit, used to obtain a first CSP call request carrying a Cryptographic Service Provider (CSP) identifier;
a transmission unit, used to send the first CSP call request to a security agent component;
a call unit, used to call, through the security agent component, the program in a CSP dynamic library module corresponding to the first CSP call request.
8. The Cryptographic Service Provider calling device according to claim 7, characterized in that the security agent component includes an agent dynamic library module and a proxy service module; the transmission unit is used to:
send the first CSP call request to the agent dynamic library module;
generate, through the agent dynamic library module, a second CSP call request corresponding to the first CSP call request, and send the second CSP call request to the proxy service module;
and the call unit is used to:
call, through the proxy service module, the program in the CSP dynamic library module corresponding to the second CSP call request.
9. A terminal device, including a memory, a processor, and a computer program stored in the memory and runnable on the processor, characterized in that the processor, when executing the computer program, implements the steps of the method according to any one of claims 1 to 6.
10. A computer-readable storage medium storing a computer program, characterized in that, when the computer program is executed by a processor, the steps of the method according to any one of claims 1 to 6 are implemented.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810371564.4A CN108762827B (en) 2018-04-24 2018-04-24 Encryption service providing program calling method and terminal equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810371564.4A CN108762827B (en) 2018-04-24 2018-04-24 Encryption service providing program calling method and terminal equipment

Publications (2)

Publication Number Publication Date
CN108762827A true CN108762827A (en) 2018-11-06
CN108762827B CN108762827B (en) 2021-02-23

Family

ID=64011420

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810371564.4A Active CN108762827B (en) 2018-04-24 2018-04-24 Encryption service providing program calling method and terminal equipment

Country Status (1)

Country Link
CN (1) CN108762827B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114491474A (en) * 2022-02-15 2022-05-13 北京时代正邦科技股份有限公司 Secure interaction method and device for terminal and internet bank U-key

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101447010A (en) * 2008-12-30 2009-06-03 北京飞天诚信科技有限公司 Login system and method for logging in
CN103425922A (en) * 2013-08-14 2013-12-04 广州尚融网络科技有限公司 Method and system for acquiring far-end encryption command based on CSP (Cryptographic Service Provider)
CN104092745A (en) * 2014-06-30 2014-10-08 飞天诚信科技股份有限公司 Method for generating criterion of using intelligent card to login remote computer
US20170093818A1 (en) * 2015-09-30 2017-03-30 International Business Machines Corporation Multi-level security enforcement utilizing data typing
CN106612320A (en) * 2016-06-14 2017-05-03 四川用联信息技术有限公司 Encrypted data dereplication method for cloud storage
WO2017210198A1 (en) * 2016-05-31 2017-12-07 Lookout, Inc. Methods and systems for detecting and preventing network connection compromise
CN107609362A (en) * 2017-10-19 2018-01-19 飞天诚信科技股份有限公司 A kind of smart card logs in the method for Windows systems and privately owned authority provides device
CN107729760A (en) * 2017-10-09 2018-02-23 惠州Tcl移动通信有限公司 CSP implementation methods and intelligent terminal based on android system

Also Published As

Publication number Publication date
CN108762827B (en) 2021-02-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant