CN114765544A - Trusted execution environment data offline migration method and device - Google Patents

Publication number: CN114765544A
Authority: CN (China)
Application number: CN202110029319.7A
Other languages: Chinese (zh)
Inventor: 宋晶晶
Current Assignee: China Mobile Communications Group Co Ltd; China Mobile Communications Ltd Research Institute
Original Assignee: China Mobile Communications Group Co Ltd; China Mobile Communications Ltd Research Institute
Legal status: Pending
Prior art keywords: data, password, random, session key, execution environment

Classifications

    • H: ELECTRICITY > H04: ELECTRIC COMMUNICATION TECHNIQUE > H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: … including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263: … involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3234: … involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H04L9/3236: … using cryptographic hash functions
    • H04L9/3242: … involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • H04L9/3247: … involving digital signatures
    • H04L2209/00: Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/72: Signcrypting, i.e. digital signing and encrypting simultaneously
    • H04L2209/80: Wireless

Abstract

The invention provides a trusted execution environment (TEE) data offline migration method and device, and belongs to the technical field of data services. The method is performed by a first device and comprises: establishing a wireless communication link with a second device and performing a validity check; decrypting the data to be transmitted to generate original data, and encrypting the original data and signature data with a first password to obtain first data; calculating a MAC value of the first data with a MAC password, and encrypting the first data and the MAC value with a second password to obtain second data; and sending the second data to the second device; wherein the first password and the second password are generated from a random password input by a user. The technical solution of the invention can increase the security of TEE data migration.

Description

Trusted execution environment data offline migration method and device
Technical Field
The present invention relates to the field of data service technologies, and in particular, to a method and an apparatus for offline migration of trusted execution environment data.
Background
The Trusted Execution Environment (TEE) is an execution environment that coexists on a device with the normal application execution environment, the REE (Rich Execution Environment, such as Android), and is a secure area on the main processor of a mobile device. The TEE has its own execution space and provides a secure execution environment for trusted applications (TAs), and therefore offers a higher level of security than the REE. The TEE mainly provides key management, cryptographic algorithms, secure storage, secure clock resources and services, and extended TUI (Trusted User Interface) functions.
As shown in FIG. 1, the software and hardware resources accessible by the TEE are completely separated from the REE, and the REE cannot obtain the user's private data (such as keys, certificates, and other encrypted data) in the TEE. Under normal conditions, after a user changes devices, the TEE data in the original device is difficult to migrate to the new device, which causes the user considerable trouble and makes for a very unfriendly user experience.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a trusted execution environment data offline migration method and device, which can increase the security of TEE data migration.
In order to solve the above technical problem, embodiments of the present invention provide the following technical solutions:
In one aspect, a trusted execution environment data offline migration method, performed by a first device, is provided, the method including:
establishing a wireless communication link with the second device, and performing a validity check;
decrypting data to be transmitted to generate original data, and encrypting the original data and the signature data by using a first password to obtain first data;
calculating the MAC value of the first data by using a MAC password, and encrypting the first data and the MAC value by using a second password to obtain second data;
sending the second data to the second device;
wherein the first password and the second password are generated by using a random password input by a user.
In some embodiments, before establishing the wireless communication link with the second device, the method further comprises:
installing a SIM card;
receiving the random password input by a user;
generating the signature data by signing the random password by using an authentication APPLET on the SIM card;
generating the first password and the second password from the random password through a Trusted Application (TA).
In some embodiments, performing the validity check includes:
generating a first random number, and sending the certificate of the first device and the first random number to a second device;
receiving a second random number, a certificate of the second device, a second session key factor and second signature data sent by the second device;
verifying the certificate of the second device and the second signature data, and generating a first session key factor and first signature data;
generating the second password using the first session key factor and the second session key factor;
sending the first session key factor and first signature data to the second device;
and receiving a secure channel establishment confirmation result from the second device.
The embodiment of the invention also provides a trusted execution environment data offline migration method, which is executed by a second device and comprises the following steps:
establishing a wireless communication link with the first device, and performing a validity check;
receiving second data sent by the first device;
decrypting the second data by using a second password to obtain first data and a MAC value;
verifying the MAC value, and decrypting the first data by using a first password to obtain original data and signature data;
verifying the signature data by using a random password input by a user;
encrypting and storing the original data by using a trusted application TA key;
wherein the first password and the second password are generated by using a random password input by a user.
In some embodiments, before establishing the wireless communication link with the first device, the method further comprises:
installing a SIM card;
receiving the random password input by a user;
generating the first password and the second password from the random password through a Trusted Application (TA).
In some embodiments, performing the validity check includes:
receiving a first random number and a certificate of a first device, which are sent by the first device;
verifying the certificate of the first device, and generating a second random number, a second session key factor and second signature data;
sending the second random number, the certificate of the second device, the second session key factor and the second signature data to the first device;
receiving a first session key factor and first signature data sent by a first device;
verifying the first signature data by using the certificate of the first device, and generating a second password by using a first session key factor and a second session key factor after the verification is passed;
and sending the secure channel establishment confirmation result to the first device.
The embodiment of the invention also provides a trusted execution environment data offline migration device, which is applied to the first device and comprises a transceiver and a processor,
the processor is used for establishing a wireless communication link with the second device and performing a validity check; decrypting data to be transmitted to generate original data, and encrypting the original data and the signature data by using a first password to obtain first data; calculating the MAC value of the first data by using a MAC password, and encrypting the first data and the MAC value by using a second password to obtain second data;
the transceiver is configured to transmit the second data to a second device;
wherein the first password and the second password are generated by using a random password input by a user.
In some embodiments, the processor is further configured to install a SIM card;
the transceiver is further used for receiving the random password input by a user;
the processor is further configured to generate the signature data by signing the random password using an authentication APPLET on the SIM card; and to generate the first password and the second password from the random password through a Trusted Application (TA).
In some embodiments, the processor is further configured to generate a first random number, send the certificate of the first device and the first random number to a second device;
the transceiver is further configured to receive a second random number, a certificate of the second device, a second session key factor, and second signature data sent by the second device;
the processor is further configured to verify the certificate of the second device and the second signature data, generate a first session key factor and first signature data; generating the second password using the first session key factor and a second session key factor;
the transceiver is further configured to transmit the first session key factor and first signature data to the second device; and to receive a secure channel establishment confirmation result from the second device.
The embodiment of the invention also provides a trusted execution environment data offline migration device, which is applied to a second device and comprises a transceiver and a processor,
the processor is used for establishing a wireless communication link with the first device and performing a validity check;
the transceiver is used for receiving second data sent by the first device;
the processor is further configured to decrypt the second data using a second password to obtain first data and a MAC value; verifying the MAC value, and decrypting the first data by using a first password to obtain original data and signature data; verifying the signature data by using a random password input by a user; encrypting and storing the original data by using a trusted application TA key;
wherein the first password and the second password are generated by using a random password input by a user.
In some embodiments, the processor is further configured to install a SIM card;
the transceiver is further used for receiving the random password input by a user;
the processor is further configured to generate the first password and the second password from the random password through a trusted application TA.
In some embodiments, the transceiver is further configured to receive a first random number sent by the first device and a certificate of the first device;
the processor is further configured to verify a certificate of the first device, generate a second random number, a second session key factor, and second signature data;
the transceiver is further configured to send the second random number, the certificate of the second device, the second session key factor, and the second signature data to the first device; receiving a first session key factor and first signature data sent by a first device;
the processor is further configured to verify the first signature data by using a certificate of the first device, and generate the second password by using the first session key factor and the second session key factor after the verification is passed;
the transceiver is further configured to send the secure channel establishment confirmation result to the first device.
The embodiment of the invention also provides a trusted execution environment data offline migration device, which comprises a memory, a processor and a computer program, wherein the computer program is stored on the memory and can run on the processor; the processor, when executing the program, implements the trusted execution environment data offline migration method as described above.
In some embodiments, the trusted execution environment data offline migration apparatus is applied to a first device, and the processor is configured to establish a wireless communication link with a second device and perform validity check; decrypting data to be transmitted to generate original data, and encrypting the original data and the signature data by using a first password to obtain first data; calculating the MAC value of the first data by using an MAC password, and encrypting the first data and the MAC value by using a second password to obtain second data; sending the second data to a second device; wherein the first password and the second password are generated by using a random password input by a user.
In some embodiments, the processor is further configured to receive the random password entered by a user; generating the signature data by signing the random password by using an authentication APPLET on the SIM card; generating the first password and the second password from the random password through a Trusted Application (TA).
In some embodiments, the processor is further configured to generate a first random number, send the certificate of the first device and the first random number to a second device; receiving a second random number, a certificate of the second device, a second session key factor and second signature data sent by the second device; verifying the certificate of the second device and the second signature data, generating a first session key factor and first signature data; generating the second password using the first session key factor and the second session key factor; sending the first session key factor and first signature data to the second device; and receiving a secure channel establishment confirmation result from the second device.
In some embodiments, the trusted execution environment data offline migration apparatus is applied to a second device, and the processor is configured to establish a wireless communication link with a first device and perform a validity check; receiving second data sent by the first device; decrypting the second data by using a second password to obtain first data and a MAC value; verifying the MAC value, and decrypting the first data by using a first password to obtain original data and signature data; verifying the signature data by using a random password input by a user; encrypting and storing the original data by using a trusted application TA key; wherein the first password and the second password are generated by using a random password input by a user.
In some embodiments, the processor is further configured to install a SIM card; receiving the random password input by a user; generating the first password and the second password from the random password by a Trusted Application (TA).
In some embodiments, the processor is further configured to receive a first random number sent by the first device and a certificate of the first device; verifying the certificate of the first device, and generating a second random number, a second session key factor and second signature data; sending the second random number, the certificate of the second device, the second session key factor and the second signature data to the first device; receiving a first session key factor and first signature data sent by a first device; verifying the first signature data by using the certificate of the first device, and generating a second password by using a first session key factor and a second session key factor after the verification is passed; and sending the secure channel establishment confirmation result to the first device.
Embodiments of the present invention further provide a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps in the trusted execution environment data offline migration method described above.
The embodiment of the invention has the following beneficial effects:
In this scheme, during data export and import, the first device and the second device do not need to connect to a background server; data is transmitted through a secure channel over the wireless link between the two devices, which reduces the risk of data leakage during transmission. In addition, in the embodiment, the legitimacy of the user's identity is verified using the SIM card and the user-defined password, which reduces the security risk. Moreover, in the embodiment, exchanging and verifying device certificates adds an authentication process between different devices, which makes data migration between devices of different brands possible.
Drawings
FIG. 1 is a schematic TEE diagram;
FIG. 2 is a schematic diagram of an apparatus according to an embodiment of the present invention;
FIG. 3 is a flowchart illustrating a trusted execution environment data offline migration method according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a trusted execution environment data offline migration apparatus on a first device side according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a trusted execution environment data offline migration apparatus on the second device side according to an embodiment of the present invention;
FIG. 6 is a schematic diagram illustrating a trusted execution environment data offline migration apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the technical problems, technical solutions and advantages to be solved by the embodiments of the present invention clearer, the following detailed description will be given with reference to the accompanying drawings and specific embodiments.
In the prior art, there is a method that migrates TEE data between different devices by forwarding it through a cloud server. Specifically, there are 3 network elements: device 1, device 2, and the management platform. Asymmetric keys are generated in device 1 and device 2, and the public keys of device 1 and device 2 are transferred to the management platform before the devices leave the factory. The management platform generates a platform asymmetric key for each device, and presets the platform public keys in device 1 and device 2 respectively. When the TEE data in device 1 is migrated to device 2, device 1 first produces a signature with the private key of device 1 and sends it to the management platform, and the management platform uses the public key of device 1 to verify the signature. After the verification passes, device 1 encrypts the TEE data with platform public key 1 and sends it to the management platform; the management platform decrypts it to plaintext with platform private key 1, then encrypts the plaintext with device public key 2 and sends it to device 2. Device 2 decrypts the data using device private key 2 and stores it in the TEE.
The problems of the existing TEE data migration are as follows:
Both devices must be connected to a hub, and data cannot be transferred while either device is offline.
In the existing scheme, a device needs to generate a device key pair before leaving the factory and transmit the public key to the platform; meanwhile, the device generates a platform key pair for each device, and the public key is preset in the corresponding mobile phone, which is relatively difficult to implement.
In addition, in the existing scheme, authentication is performed only through short messages, which poses security risks.
Moreover, data migration between different brands of devices is difficult. In the existing scheme, each device needs to be registered on a management platform and generate a corresponding platform key. However, in reality, devices of different brands are difficult to record and manage on the same management platform, which increases the management cost excessively. If the device is not recorded on the management platform, the existing scheme cannot be implemented smoothly.
The embodiment of the invention provides a trusted execution environment data offline migration method and device, which can increase the security of TEE data migration.
The embodiment of the invention provides a trusted execution environment data offline migration method, which is executed by a first device and comprises the following steps:
establishing a wireless communication link with the second device, and performing a validity check;
decrypting data to be transmitted to generate original data, and encrypting the original data and the signature data by using a first password to obtain first data;
calculating the MAC value of the first data by using a MAC password, and encrypting the first data and the MAC value by using a second password to obtain second data;
sending the second data to the second device;
wherein the first password and the second password are generated by using a random password input by a user.
In some embodiments, before establishing the wireless communication link with the second device, the method further comprises:
installing a SIM card;
receiving the random password input by a user;
generating the signature data by signing the random password by using an authentication APPLET on the SIM card;
generating the first password and the second password from the random password through a Trusted Application (TA).
In some embodiments, performing a validity check comprises:
generating a first random number, and sending the certificate of the first device and the first random number to a second device;
receiving a second random number, a certificate of the second device, a second session key factor and second signature data sent by the second device;
verifying the certificate of the second device and the second signature data, and generating a first session key factor and first signature data;
generating the second password using the first session key factor and a second session key factor;
sending the first session key factor and first signature data to the second device;
and receiving a secure channel establishment confirmation result from the second device.
The embodiment of the invention also provides a trusted execution environment data offline migration method, which is executed by a second device, and the method comprises the following steps:
establishing a wireless communication link with the first device, and performing a validity check;
receiving second data sent by the first device;
decrypting the second data by using a second password to obtain first data and a MAC value;
verifying the MAC value, and decrypting the first data by using a first password to obtain original data and signature data;
verifying the signature data by using a random password input by a user;
encrypting and storing the original data by using a trusted application TA key;
wherein the first password and the second password are generated by using a random password input by a user.
In some embodiments, before establishing the wireless communication link with the first device, the method further comprises:
installing a SIM card;
receiving the random password input by a user;
generating the first password and the second password from the random password by a Trusted Application (TA).
In some embodiments, performing the validity check includes:
receiving a first random number and a certificate of a first device, which are sent by the first device;
verifying the certificate of the first device, and generating a second random number, a second session key factor and second signature data;
sending the second random number, the certificate of the second device, the second session key factor and the second signature data to the first device;
receiving a first session key factor and first signature data sent by a first device;
verifying the first signature data by using the certificate of the first device, and generating a second password by using a first session key factor and a second session key factor after the verification is passed;
and sending the secure channel establishment confirmation result to the first device.
The following further describes the technical solution of the present invention, taking the first device as device 1 and the second device as device 2 as an example.
As shown in FIG. 2:
Device 1: the device that exports data. Device 1 first has a Subscriber Identity Module (SIM) card installed, and the user inputs a self-defined random password into device 1 to perform the export initialization operation; that is, the application TA derives an Enc encryption key (i.e., the first password) and a MAC key from the input password, and the authentication APPLET on the SIM card signs the random password input by the user.
Device 2: the device that imports data. After the user finishes the export initialization operation on device 1, the SIM card is pulled out and inserted into device 2, and the user inputs the same password on device 2 to perform the import initialization operation. After the initialization operation is completed, device 1 and device 2 establish a wireless communication link (such as a Bluetooth connection), exchange certificates and random numbers, verify the validity of the certificates, and derive the session key for data transmission from the random numbers of both sides. After the secure channel is established, device 1 encrypts the data to be migrated in the TEE and the signature data using the session key (namely, the second password), calculates the MAC, and transmits the result to device 2 through the wireless communication link; device 2 decrypts the data and verifies the MAC, the authentication APPLET on the SIM card verifies the signature data, and the data is stored in the TEE of device 2 after the signature data passes verification.
The TEE data migration is divided into 4 main steps of initialization operation, wireless link establishment between devices, secure channel establishment between devices and TEE data transmission. In the initialization operation, a user inputs a self-defined random password in export equipment and import equipment, and the TA generates an MAC key and an Enc key from the random password; then the import and export devices establish wireless communication links (such as Bluetooth and the like); after the communication link is established, the import equipment and the export equipment exchange certificates and random numbers to check the validity of the equipment, and after the equipment passes the verification, the two parties generate a session key by a session key factor 1 and a session key factor 2, so that the establishment of the secure channel is completed. In the TA data transmission process, the safety of TA privacy data transmission is ensured by operations of data encryption and decryption, MAC verification, session key encryption and decryption, SIM card APPLET signature verification and authentication and the like. The specific process is shown in fig. 3, and comprises the following steps:
Step 1: device 1, as the exporting party, performs the initialization operation: the SIM card is inserted into device 1, the user enters a self-defined random password, and the TA generates a message authentication code MAC key and a data encryption key Enc from the random password. Meanwhile, the authentication APPLET on the SIM card signs the random password entered by the user to generate signature data SIG;
Step 2: device 2, as the importing party, performs the initialization operation: the SIM card is inserted into device 2, the user enters the same password as on device 1, and the TA generates a message authentication code MAC key and a data encryption key Enc from the random password;
Step 3: a wireless communication link (such as a Bluetooth connection) is established between devices 1 and 2;
Step 4: device 1 generates random number 1 and sends the certificate of device 1 and random number 1 to device 2;
Step 5: device 2 verifies the certificate of device 1, generates random number 2 and session key factor 2, and generates signature data 2;
Step 6: device 2 generates random number 2, and sends the certificate of device 2, random number 2, session key factor 2 and signature data 2 to device 1;
Step 7: device 1 verifies the certificate of device 2, verifies signature data 2, generates session key factor 1, and signs the data. It generates the session key from session key factor 1 and session key factor 2;
Step 8: device 1 sends session key factor 1 and the signature data;
Step 9: device 2 verifies the signature data using the certificate of device 1, and after the verification passes generates the session key from session key factor 1 and session key factor 2;
Step 10: device 2 sends the secure channel establishment confirmation result to device 1;
Step 11: the TA in device 1 decrypts the migration data to be transmitted to generate the original data, encrypts the original data and the signature data SIG with the Enc key, calculates the MAC value of the encrypted data with the MAC key, and encrypts the encrypted data and the MAC with the session key for transmission;
Step 12: device 1 sends the encrypted data to device 2;
Step 13: device 2 decrypts the data with the session key, verifies the MAC value, decrypts the data with the Enc key, verifies the signature data SIG against the random password entered by the user through the authentication APPLET on the SIM card, and finally encrypts and stores the transmitted original data with the TA key.
Through steps 1-13, the TEE data migration is completed. The TEE data migration does not need a connection to a back-end server; the validity of the user's identity is verified using the authentication APPLET on the SIM card and the signature over the user-defined password, and the validity of the devices is verified based on a device certificate system, which enhances security; in addition, the MAC key and the Enc key are generated from the random password entered by the user, which prevents the data from being stolen by a third-party hacker device and further enhances security.
In the embodiment, during data export and import, the first device and the second device do not need to be connected to a back-end server, and data is transmitted through a secure channel over the wireless link between the two devices, which reduces the risk of data leakage during transmission. In addition, in the embodiment, the validity of the user's identity is verified using the SIM card and the user-defined password, which reduces the security risk. Moreover, in the embodiment, exchanging and verifying device certificates adds an authentication process between different devices, so that data migration between devices of different brands becomes possible.
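The layering of steps 11 and 13, written out as an added example that is not part of the patent text: device 1 wraps the data as Enc layer, then MAC, then session layer, and device 2 unwraps it in reverse and verifies before trusting. The patent names no algorithms, so PBKDF2 for the password-derived keys, SHA-256 as the session key combiner, HMAC-SHA256 for the MAC and as a stand-in for the APPLET signature, the HMAC-based keystream used in place of the TEE's cipher, and all function names are assumptions.

```python
import hashlib
import hmac
import os
import struct

MAC_LEN = 32     # HMAC-SHA256 tag length
NONCE_LEN = 16


class MigrationError(Exception):
    """Raised by the importing side when any verification step fails."""


def derive_keys(password):
    """Steps 1-2: the TA derives the Enc key and the MAC key from the password.
    PBKDF2 and the fixed salt label are assumptions; both devices must use the
    same parameters or device 2 will derive different keys."""
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), b"tee-migration-demo",
                              100_000, dklen=64)
    return okm[:32], okm[32:]


def session_key(factor1, factor2):
    """Steps 7 and 9: combine both session key factors (combiner is assumed)."""
    return hashlib.sha256(b"session-key" + factor1 + factor2).digest()


def applet_sign(sim_key, password):
    """Stand-in for the SIM authentication APPLET signing the password."""
    return hmac.new(sim_key, password.encode(), hashlib.sha256).digest()


def keystream_xor(key, nonce, data):
    """HMAC-SHA256 in counter mode, a stdlib stand-in for the TEE's cipher."""
    stream = bytearray()
    for counter in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256)
        stream += block.digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key, plaintext):
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key, blob):
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


def export_blob(original, sig, enc_key, mac_key, sess_key):
    """Step 11 on device 1: build the "second data" that goes over the link."""
    inner = struct.pack(">I", len(original)) + original + sig
    first_data = encrypt(enc_key, inner)                        # Enc key layer
    mac = hmac.new(mac_key, first_data, hashlib.sha256).digest()
    return encrypt(sess_key, first_data + mac)                  # session layer


def import_blob(second_data, password, sim_key, sess_key):
    """Step 13 on device 2: undo each layer, verifying before trusting."""
    enc_key, mac_key = derive_keys(password)
    outer = decrypt(sess_key, second_data)
    if len(outer) < NONCE_LEN + 4 + MAC_LEN + MAC_LEN:
        raise MigrationError("message too short")
    first_data, mac = outer[:-MAC_LEN], outer[-MAC_LEN:]
    expected = hmac.new(mac_key, first_data, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise MigrationError("MAC verification failed")
    inner = decrypt(enc_key, first_data)
    (length,) = struct.unpack(">I", inner[:4])
    original, sig = inner[4:4 + length], inner[4 + length:]
    if not hmac.compare_digest(sig, applet_sign(sim_key, password)):
        raise MigrationError("signature verification failed")
    # A real TA would now re-encrypt `original` under its own TA key for storage.
    return original


def outcome(blob, password, sim_key, sess_key):
    """Return the recovered text, or the reason the import was rejected."""
    try:
        return import_blob(blob, password, sim_key, sess_key).decode()
    except MigrationError as exc:
        return str(exc)


if __name__ == "__main__":
    # All values below are constructed for the demonstration.
    password, sim = "constructed-demo-password", os.urandom(32)
    sk = session_key(os.urandom(16), os.urandom(16))
    enc_key, mac_key = derive_keys(password)
    blob = export_blob(b"constructed TA record", applet_sign(sim, password),
                       enc_key, mac_key, sk)
    tampered = blob[:20] + bytes([blob[20] ^ 1]) + blob[21:]
    print(outcome(blob, password, sim, sk))              # data recovered
    print(outcome(blob, "wrong password", sim, sk))      # rejected at the MAC
    print(outcome(tampered, password, sim, sk))          # rejected at the MAC
    print(outcome(blob, password, os.urandom(32), sk))   # rejected at the signature
```

A wrong password, a wrong session key and a modified message are all rejected at the MAC check, before anything is decrypted with the Enc key; only a different SIM key with the correct password reaches the signature check.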
The embodiment of the present invention further provides an offline migration apparatus for trusted execution environment data, which is applied to a first device, as shown in fig. 4, and includes a transceiver 11 and a processor 12,
the processor 12 is configured to establish a wireless communication link with a second device, and perform validity check; decrypting data to be transmitted to generate original data, and encrypting the original data and the signature data by using a first password to obtain first data; calculating the MAC value of the first data by using an MAC password, and encrypting the first data and the MAC value by using a second password to obtain second data;
the transceiver 11 is configured to transmit the second data to a second device;
wherein the first password and the second password are generated by using a random password input by a user.
In some embodiments, the processor 12 is also used to install a SIM card;
the transceiver 11 is further configured to receive the random password input by the user;
the processor 12 is further configured to generate the signature data by signing the random password using an authentication APPLET on the SIM card; and to generate the first password and the second password from the random password through a Trusted Application (TA).
In some embodiments, the processor 12 is further configured to generate a first random number, send the certificate of the first device and the first random number to a second device;
the transceiver 11 is further configured to receive a second random number, a certificate of the second device, a second session key factor, and second signature data sent by the second device;
the processor 12 is further configured to verify the certificate of the second device and the second signature data, and generate a first session key factor and first signature data; and to generate the second password using the first session key factor and the second session key factor;
the transceiver 11 is further configured to send the first session key factor and first signature data to the second device; and to receive a secure channel establishment confirmation result of the second device.
The embodiment of the present invention further provides an offline migration apparatus for trusted execution environment data, which is applied to a second device, as shown in fig. 5, and includes a transceiver 21 and a processor 22,
the processor 22 is configured to establish a wireless communication link with a first device and perform validity check;
the transceiver 21 is configured to receive second data sent by the first device;
the processor 22 is further configured to decrypt the second data by using a second password, so as to obtain first data and a MAC value; verifying the MAC value, and decrypting the first data by using a first password to obtain original data and signature data; verifying the signature data by using a random password input by a user; encrypting and storing the original data by using a trusted application TA key;
wherein the first password and the second password are generated by using a random password input by a user.
In some embodiments, the processor 22 is also used to install a SIM card;
the transceiver 21 is further configured to receive the random password input by the user;
the processor 22 is further configured to generate the first password and the second password from the random password through a trusted application TA.
In some embodiments, the transceiver 21 is further configured to receive a first random number and a certificate of the first device sent by the first device;
the processor 22 is further configured to verify a certificate of the first device, generate a second random number, a second session key factor, and second signature data;
the transceiver 21 is further configured to send the second random number, the certificate of the second device, the second session key factor, and the second signature data to the first device; receiving a first session key factor and first signature data sent by a first device;
the processor 22 is further configured to verify the first signature data by using the certificate of the first device, and generate the second password by using the first session key factor and the second session key factor after the verification is passed;
the transceiver 21 is further configured to send a secure channel establishment confirmation result to the first device.
An embodiment of the present invention further provides an offline migration apparatus for trusted execution environment data, as shown in fig. 6, including a memory 31, a processor 32, and a computer program stored in the memory 31 and capable of running on the processor 32; the processor 32, when executing the program, implements the trusted execution environment data offline migration method described above.
In some embodiments, the trusted execution environment data offline migration apparatus is applied to a first device, and the processor 32 is configured to establish a wireless communication link with a second device and perform validity check; decrypting data to be transmitted to generate original data, and encrypting the original data and the signature data by using a first password to obtain first data; calculating the MAC value of the first data by using an MAC password, and encrypting the first data and the MAC value by using a second password to obtain second data; sending the second data to a second device; wherein the first password and the second password are generated by using a random password input by a user.
In some embodiments, the processor 32 is further configured to receive the random password input by the user; generating the signature data by signing the random password by using an authentication APPLET on the SIM card; generating the first password and the second password from the random password through a Trusted Application (TA).
In some embodiments, the processor 32 is further configured to generate a first random number, and send the certificate of the first device and the first random number to a second device; receiving a second random number, a certificate of the second device, a second session key factor and second signature data sent by the second device; verifying the certificate of the second device and the second signature data, generating a first session key factor and first signature data; generating the second password using the first session key factor and the second session key factor; sending the first session key factor and first signature data to the second device; and receiving a secure channel establishment confirmation result of the second device.
In some embodiments, the trusted execution environment data offline migration apparatus is applied to a second device, and the processor 32 is configured to establish a wireless communication link with a first device and perform validity check; receiving second data sent by the first device; decrypting the second data by using a second password to obtain first data and a MAC value; verifying the MAC value, and decrypting the first data by using a first password to obtain original data and signature data; verifying the signature data by using a random password input by a user; encrypting and storing the original data by using a trusted application TA key; wherein the first password and the second password are generated by using a random password input by a user.
In some embodiments, the processor 32 is also used to install a SIM card; receiving the random password input by a user; generating the first password and the second password from the random password by a Trusted Application (TA).
In some embodiments, the processor 32 is further configured to receive the first random number and the certificate of the first device sent by the first device; verifying the certificate of the first device, and generating a second random number, a second session key factor and second signature data; sending the second random number, the certificate of the second device, the second session key factor and the second signature data to the first device; receiving a first session key factor and first signature data sent by the first device; verifying the first signature data by using the certificate of the first device, and generating the second password by using the first session key factor and the second session key factor after the verification is passed; and sending the secure channel establishment confirmation result to the first device.
Embodiments of the present invention further provide a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps in the trusted execution environment data offline migration method described above.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technologies, compact disc read only memory (CD-ROM), Digital Versatile Disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
While the foregoing is directed to the preferred embodiment of the present invention, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (10)

1. A trusted execution environment data offline migration method, performed by a first device, the method comprising:
establishing a wireless communication link with a second device, and performing a validity check;
decrypting data to be transmitted to generate original data, and encrypting the original data and the signature data by using a first password to obtain first data;
calculating the MAC value of the first data by using an MAC password, and encrypting the first data and the MAC value by using a second password to obtain second data;
sending the second data to a second device;
wherein the first password and the second password are generated by using a random password input by a user.
2. The method of offline migration of trusted execution environment data according to claim 1, wherein prior to establishing a wireless communication link with a second device, said method further comprises:
installing a SIM card;
receiving the random password input by a user;
generating the signature data by signing the random password by using an authentication APPLET on the SIM card;
generating the first password and the second password from the random password by a Trusted Application (TA).
3. The method of claim 1, wherein performing a validity check comprises:
generating a first random number, and sending the certificate of the first device and the first random number to a second device;
receiving a second random number, a certificate of the second device, a second session key factor and second signature data sent by the second device;
verifying the certificate of the second device and the second signature data, and generating a first session key factor and first signature data;
generating the second password using the first session key factor and the second session key factor;
sending the first session key factor and first signature data to the second device;
and receiving a secure channel establishment confirmation result of the second device.
4. A trusted execution environment data offline migration method, performed by a second device, the method comprising:
establishing a wireless communication link with a first device, and performing a validity check;
receiving second data sent by the first device;
decrypting the second data by using a second password to obtain first data and an MAC value;
verifying the MAC value, and decrypting the first data by using a first password to obtain original data and signature data;
verifying the signature data by using a random password input by a user;
encrypting and storing the original data by using a trusted application TA key;
wherein the first password and the second password are generated by using a random password input by a user.
5. The trusted execution environment data offline migration method of claim 4, wherein, prior to establishing the wireless communication link with the first device, the method further comprises:
installing a SIM card;
receiving the random password input by a user;
generating the first password and the second password from the random password through a Trusted Application (TA).
6. The method for offline migration of trusted execution environment data according to claim 4, wherein performing validity check comprises:
receiving a first random number and a certificate of a first device, which are sent by the first device;
verifying the certificate of the first device, and generating a second random number, a second session key factor and second signature data;
sending the second random number, the certificate of the second device, the second session key factor and the second signature data to the first device;
receiving a first session key factor and first signature data sent by a first device;
verifying the first signature data by using the certificate of the first device, and generating a second password by using a first session key factor and a second session key factor after the verification is passed;
and sending the secure channel establishment confirmation result to the first device.
7. An offline migration apparatus for trusted execution environment data, applied to a first device, comprising a transceiver and a processor,
the processor is used for establishing a wireless communication link with a second device and carrying out validity check; decrypting data to be transmitted to generate original data, and encrypting the original data and signature data by using a first password to obtain first data; calculating the MAC value of the first data by using an MAC password, and encrypting the first data and the MAC value by using a second password to obtain second data;
the transceiver is configured to transmit the second data to a second device;
wherein the first password and the second password are generated by using a random password input by a user.
8. An offline migration apparatus for trusted execution environment data, applied to a second device, comprising a transceiver and a processor,
the processor is used for establishing a wireless communication link with a first device and carrying out validity check;
the transceiver is used for receiving second data sent by the first device;
the processor is further configured to decrypt the second data using a second password to obtain first data and a MAC value; verifying the MAC value, and decrypting the first data by using a first password to obtain original data and signature data; verifying the signature data by using a random password input by a user; encrypting and storing the original data by using a trusted application TA key;
wherein the first password and the second password are generated by using a random password input by a user.
9. An apparatus for offline migration of trusted execution environment data, comprising a memory, a processor, and a computer program stored on the memory and executable on the processor; wherein the processor, when executing the program, implements the trusted execution environment data offline migration method of any one of claims 1-3 or the trusted execution environment data offline migration method of any one of claims 4-6.
10. A computer-readable storage medium, on which a computer program is stored, which program, when being executed by a processor, carries out the steps of the trusted execution environment data offline migration method of any one of claims 1 to 3 or the trusted execution environment data offline migration method of any one of claims 4 to 6.
CN202110029319.7A 2021-01-11 2021-01-11 Trusted execution environment data offline migration method and device Pending CN114765544A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110029319.7A CN114765544A (en) 2021-01-11 2021-01-11 Trusted execution environment data offline migration method and device


Publications (1)

Publication Number Publication Date
CN114765544A true CN114765544A (en) 2022-07-19

Family

ID=82364212

Country Status (1)

Country Link
CN (1) CN114765544A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination