CN116528230A - Verification code processing method, mobile terminal and trusted service system - Google Patents

Info

Publication number
CN116528230A
Authority
CN
China
Prior art keywords
verification code
mobile terminal
platform
authentication
short message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310287928.1A
Other languages
Chinese (zh)
Inventor
余彦飞
李昕
张冬冬
马佳伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuxi Rongka Technology Co ltd
Original Assignee
Wuxi Rongka Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuxi Rongka Technology Co ltd
Priority to CN202310287928.1A
Publication of CN116528230A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/068 Authentication using credential vaults, e.g. password manager applications or one time password [OTP] applications
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W12/40 Security arrangements using identity modules
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/12 Messaging; Mailboxes; Announcements
    • H04W4/14 Short messaging services, e.g. short message services [SMS] or unstructured supplementary service data [USSD]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a verification code processing method, a mobile terminal and a trusted service system. In the verification code processing method, a mobile terminal receives a verification code that the verification code platform feeds back to it through an operator short message platform, and stores the verification code in a secure container of the mobile terminal; in a trusted execution environment of the mobile terminal, the verification code in the secure container is accessed by invoking a trusted application therein. According to the disclosed scheme, the trusted application is called to process the verification code in the trusted execution environment of the mobile terminal, and the trusted application calls the secure container to access the verification code, which improves security during verification code processing. A trusted application and a trusted user interface in the trusted execution environment are invoked to process and securely display the verification code, sensitive data is stored in the secure container of the mobile terminal, two-way authentication is performed between the verification code platform and the mobile terminal, and transmitted data is encrypted and verified, which further improves security during verification code processing.

Description

Verification code processing method, mobile terminal and trusted service system
Technical Field
The present invention relates to the field of security technologies of mobile terminals, and in particular, to a method for processing a verification code, a mobile terminal, and a trusted service system.
Background
With the popularity of mobile terminals and the growing richness of their functions, mobile terminals are becoming increasingly open, and the security of the information in them is correspondingly becoming more important. For example, sending a verification code to a mobile terminal to verify user rights is now widely used in scenarios such as login and mobile payment/transfer.
However, in the prior art, while a user inputs a (short message) verification code, the code is exposed in plaintext in the mobile terminal application and is at risk of being stolen. In addition, in the short message verification code service, the verification code platform and the mobile device lack mutual identity authentication, so there is a risk of counterfeiting by a third party. During transmission of the verification code service, measures such as encrypted transmission and data integrity verification are not adopted, so there is a risk of the verification code being intercepted.
Therefore, a new verification code processing method, a mobile terminal and a trusted service system are desired, which can overcome the above problems.
Disclosure of Invention
In view of the above problems, the present invention aims to provide a method for processing a verification code, a mobile terminal and a trusted service system, and in particular, to a method for protecting the security of a mobile phone short message verification code based on a TEE, so as to improve the security in the verification code processing process.
According to an aspect of the present invention, there is provided a verification code processing method, including:
the mobile terminal receives a verification code fed back to the mobile terminal by the verification code platform through the operator short message platform, and stores the verification code into a secure container of the mobile terminal;
in the trusted execution environment of the mobile terminal, the verification code in the secure container is accessed by calling a trusted application therein.
Optionally, the verification code processing method further includes:
the verification code platform generates the verification code and sends the verification code to the operator short message platform;
the operator short message platform generates a verification code short message comprising the verification code;
and the mobile terminal receives the verification code short message fed back to the mobile terminal by the operator short message platform and stores the verification code short message into the secure container.
Optionally, the verification code processing method further includes:
The mobile terminal sends a verification code request to the verification code platform;
receiving a verification code short message fed back by the operator short message platform through a modem of the mobile terminal, wherein verification code data of the verification code short message is generated by the verification code platform, and the modem stores the verification code short message comprising the verification code into a secure container of the mobile terminal;
when the secure container comprises a SIM card, the trusted application accesses a trusted execution environment secure element application program interface, and the trusted execution environment secure element application program interface accesses a plug-in service and a modem driver of a universal integrated circuit card and reads and writes the SIM card;
when the secure container comprises an eSE patch card, the trusted application accesses a trusted execution environment secure element application program interface, and the trusted execution environment secure element application program interface accesses a plug-in service and an eSE driver of an eSE and reads and writes the eSE patch card;
when the secure container comprises a trusted execution environment soft SIM card, the trusted application accesses a trusted execution environment secure element application program interface, and the trusted execution environment secure element application program interface accesses a plug-in service and a soft SIM card simulation driver of the trusted execution environment soft SIM card and reads and writes the trusted execution environment soft SIM card.
Optionally, the verification code processing method further includes:
sensitive data is stored in the secure container,
the secure container comprises at least one of a trusted execution environment soft SIM card, an eSE patch card, an eSIM module and a SIM card;
the sensitive data includes at least one of the verification code and a security key.
Optionally, the verification code processing method further includes:
in the trusted execution environment of the mobile terminal, calling a corresponding trusted application to apply for the verification code and/or receive the verification code and/or verify the verification code and/or reply to the verification code.
Optionally, the verification code processing method further includes:
the trusted application generates a unique key according to the unique identifier of the mobile terminal; and
the mobile terminal performs key negotiation with the verification code platform, and each side generates the negotiated root key,
the unique key is used for security authentication and key negotiation between the mobile terminal and the verification code platform when the user registers;
the negotiated root key is used for generating the unique authentication, encryption and verification keys between the mobile terminal and the verification code platform when a user registers;
the unique authentication, encryption and verification keys are used for authentication, encryption and verification of information transmitted between the mobile terminal and the verification code platform during application for, receipt of and verification of the verification code.
Optionally, the trusted application generating the unique key according to the unique identification of the mobile terminal includes:
performing exclusive OR operation on the unique identifier of the mobile terminal and the local random number to obtain first data;
carrying out hash operation on the first data to obtain second data;
performing an exclusive-OR compounding operation on the second data to obtain third data, the third data reaching the required symmetric key length or asymmetric private key length; and
generating a unique security authentication and negotiation key according to the third data.
Optionally, generating the unique authentication, encryption and verification key between the mobile terminal and the verification code platform during user registration includes:
the root key generated after the mobile terminal and the verification code platform carry out key negotiation is used as the dispersion key and dispersed to obtain first data;
and carrying out key processing on the first data according to the different key types to obtain the unique authentication, encryption and verification keys.
Optionally, the verification code processing method further includes:
the mobile terminal sends a verification code request to the verification code platform, the verification code platform generates the verification code and applies for generating a verification code short message to the operator short message platform, and the operator short message platform sends the verification code short message to the mobile terminal;
after the mobile terminal receives the verification code, the mobile terminal acquires the input verification code through a trusted user interface;
the trusted application obtains the input verification code; the input verification code is encrypted by a service encryption key of the secure container and/or signed by a service verification key to obtain a verification code ciphertext; the verification code ciphertext is sent to a client application of the mobile terminal;
the client application sends the verification code ciphertext to the verification code platform, and the verification code platform performs verification and/or decryption through a corresponding service verification key and/or a corresponding service decryption key to obtain a verification code plaintext;
and the verification code platform compares whether the verification code plaintext is the same as the verification code it generated when the verification code was applied for, and sends the comparison result to the client application.
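The verification stage described above, as an added example that is not part of the patent: the trusted application encrypts the input code with Tenc and signs it with Tdek, and the platform checks the signature, decrypts and compares. The patent names no cipher or signature algorithm, so the HMAC-SHA-256 counter-mode keystream (a stand-in for a vetted cipher), the HMAC signature, the `request_id` binding and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
import struct

NONCE_LEN, TAG_LEN, ID_LEN = 12, 32, 16  # assumed field sizes, not from the patent


def keystream(tenc: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA-256 in counter mode. Stand-in for a real cipher (assumption)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(tenc, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ta_protect(code: str, request_id: bytes, tenc: bytes, tdek: bytes) -> bytes:
    """Trusted application side: encrypt the code typed into the TUI with Tenc,
    then sign request_id + nonce + ciphertext with Tdek (encrypt-then-MAC).
    The client application in the REE only ever sees the returned blob."""
    assert len(request_id) == ID_LEN
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh per message
    plain = code.encode("ascii")
    cipher = xor(plain, keystream(tenc, nonce, len(plain)))
    tag = hmac.new(tdek, request_id + nonce + cipher, hashlib.sha256).digest()
    return nonce + cipher + tag


class Platform:
    """Verification code platform holding the same Tenc and Tdek."""

    def __init__(self, tenc: bytes, tdek: bytes):
        self.tenc, self.tdek = tenc, tdek
        self.pending = {}  # request_id -> code generated at application time

    def issue(self, digits: int = 6):
        """Generate a code for a new request (request_id is hypothetical)."""
        request_id = secrets.token_bytes(ID_LEN)
        code = "".join(secrets.choice("0123456789") for _ in range(digits))
        self.pending[request_id] = code
        return request_id, code

    def verify(self, request_id: bytes, blob: bytes) -> str:
        expected = self.pending.get(request_id)
        if expected is None:
            return "unknown"            # never issued, or already used
        if len(blob) < NONCE_LEN + TAG_LEN:
            return "rejected"
        nonce = blob[:NONCE_LEN]
        cipher = blob[NONCE_LEN:-TAG_LEN]
        tag = blob[-TAG_LEN:]
        # Check the signature before touching the ciphertext.
        good = hmac.new(self.tdek, request_id + nonce + cipher, hashlib.sha256).digest()
        if not hmac.compare_digest(good, tag):
            return "rejected"           # tampered, wrong key, or other request
        plain = xor(cipher, keystream(self.tenc, nonce, len(cipher)))
        # Constant-time comparison with the code generated for this request.
        if not hmac.compare_digest(plain, expected.encode("ascii")):
            return "mismatch"
        del self.pending[request_id]    # single use: a replayed blob is "unknown"
        return "ok"


if __name__ == "__main__":
    tenc, tdek = secrets.token_bytes(32), secrets.token_bytes(32)  # constructed keys
    platform = Platform(tenc, tdek)
    rid, code = platform.issue()
    blob = ta_protect(code, rid, tenc, tdek)
    print(platform.verify(rid, blob), platform.verify(rid, blob))
```
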
Optionally, the verification code processing method further includes:
the mobile terminal applies for a short message verification code through a trusted user interface;
the client application of the trusted execution environment monitors a service call trusted application interface to acquire feedback of an instruction for applying a short message verification code;
the client application of the mobile terminal sends an identity authentication request to the verification code platform; the verification code platform generates an authentication random number and sends the authentication random number to a client application and a trusted application of the mobile terminal; the trusted application encrypts the authentication random number through a secure container service authentication key to obtain an encrypted random number, and sends the encrypted random number to the verification code platform; the verification code platform verifies the encrypted random number to verify the identity of the mobile terminal, and sends a verification result to the client application;
the trusted application generates a terminal authentication random number through the secure container and sends the terminal authentication random number to the verification code platform; the verification code platform encrypts the terminal authentication random number through a service authentication key to obtain an encrypted terminal authentication random number, and sends the encrypted terminal authentication random number to the trusted application;
The trusted application verifies the encrypted terminal authentication random number through the secure container to verify the identity of the verification code platform.
Optionally, the verification code processing method further includes:
after the mobile terminal obtains the input mobile phone number through a trusted user interface, the client application uses the mobile phone number as a parameter and sends a verification code request to the verification code platform;
the client application calls the trusted application, the trusted application encrypts and/or signs the message requested by the verification code through a secure container service encryption key to obtain a transmission message ciphertext, and the transmission message ciphertext is sent to the verification code platform;
after the verification code platform verifies and/or decrypts the transmission message ciphertext, generating the short message verification code data;
and after the verification code platform encrypts and/or signs the verification code data, generating a verification code ciphertext, sending the verification code ciphertext to the operator short message platform to generate the verification code short message, and sending the verification code short message to the mobile terminal corresponding to the mobile phone number by the operator short message platform.
Optionally, the verification code processing method further includes:
The client application calls a trusted application interface to acquire the verification code;
the secure container of the mobile terminal checks and decrypts the verification code and repacks the verification code short message;
the trusted application receives the verification code short message of the secure container; and
the trusted application displays the verification code short message through a trusted user interface, and the trusted user interface provides a verification code input window.
According to another aspect of the present invention, there is provided a mobile terminal including:
the receiving module is used for receiving the verification code fed back by the verification code platform through the short message platform of the operator; and
a secure container for storing the verification code,
wherein, in the trusted execution environment of the mobile terminal, the verification code in the secure container is accessed through a trusted application therein.
According to yet another aspect of the present invention, there is provided a trusted service system comprising:
a verification code platform; and
the mobile terminal as described above,
the mobile terminal sends a verification code request to the verification code platform, and the verification code platform sends the verification code to the mobile terminal through the operator short message platform.
According to the verification code processing method, the mobile terminal and the trusted service system, the trusted application is called in the trusted execution environment of the mobile terminal to process the verification code, so that the safety in the verification code processing process is improved.
Further, the sensitive data involved in verification code processing are stored in the secure container, which ensures the security of the sensitive data and improves the security of sensitive data access during verification code processing; the combination of the trusted execution environment and the secure container enables verification code processing to reach the financial security protection level of TEE+SE (Secure Element).
Further, the display and the input of the verification code are performed in a Trusted User Interface (TUI) of a Trusted Execution Environment (TEE), so that the verification code is prevented from being intercepted by a third-party illegal program in the display and input process, and the safety in the verification code processing process is improved.
Further, two-way identity authentication is performed on both the verification code platform and the mobile terminal for interaction processing of the verification code service, so that the verification code processing service is prevented from being counterfeited by a third-party illegal program, and the safety in the verification code processing process is improved.
Further, in the data transmission process of the verification code service interaction processing, data privacy (encryption) transmission and/or data integrity verification are performed, so that the safety of data transmission is ensured, and the safety in the verification code processing process is improved.
Further, the technical scheme of the application fully utilizes the security capability of a Trusted Execution Environment (TEE) and a cryptographic algorithm, effectively protects the legitimacy of identities of both a verification code platform and a mobile terminal, and the privacy and integrity of verification code application, issuing, verification and other process data, and effectively protects the privacy of user/enterprise information and the property of the user/enterprise from being lost.
Drawings
The above and other objects, features and advantages of the present invention will become more apparent from the following description of embodiments of the present invention with reference to the accompanying drawings, in which:
Fig. 1 shows a method flow chart of a verification code processing method according to a first embodiment of the invention.
Fig. 2 shows a schematic architecture diagram of a mobile terminal according to a second embodiment of the present invention.
Fig. 3 shows a captcha trusted display interface according to a third embodiment of the present invention.
Fig. 4 shows a timing diagram of a captcha key agreement according to a fourth embodiment of the present invention.
Fig. 5 shows a timing diagram of application and delivery of a captcha according to a fifth embodiment of the present invention.
Fig. 6 shows a timing chart of a verification code processing method according to a sixth embodiment of the present invention.
Fig. 7 shows a timing chart of a verification code verification method according to a seventh embodiment of the present invention.
Detailed Description
Various embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. The same reference numbers will be used throughout the drawings to refer to the same or like parts. For clarity, the various features of the drawings are not drawn to scale. Furthermore, some well-known portions may not be shown in the drawings.
The following describes in further detail the embodiments of the present invention with reference to the drawings and examples. Numerous specific details of the invention, such as construction, materials, dimensions, processing techniques and technologies, may be set forth in the following description in order to provide a thorough understanding of the invention. However, as will be understood by those skilled in the art, the present invention may be practiced without these specific details.
It will be understood that when a layer, an area, or a structure is described as being "on" or "over" another layer or area, it can be directly on the other layer or area, or other layers or areas can be included between them. And if the component is turned over, that layer or region will be "under" or "beneath" the other layer or region.
Fig. 1 shows a method flow chart of a verification code processing method according to a first embodiment of the invention. As shown in fig. 1, the verification code processing method according to the first embodiment of the present invention includes the steps of:
in step S101, a mobile terminal receives a verification code fed back to the mobile terminal by a verification code platform through an operator short message platform, and stores the verification code in a secure container of the mobile terminal;
specifically, the verification code platform generates a verification code and sends the verification code to the operator short message platform, and the operator short message platform generates a short message (a verification code short message comprising the verification code); the modem of the mobile terminal receives the verification code short message fed back to the mobile terminal by the operator short message platform, and stores the verification code short message and the verification code into a secure container of the mobile terminal;
the verification code platform is, for example, a verification code service server of a third party (Alibaba Cloud short message, Tencent Cloud short message, Huawei Cloud short message, some short message aggregation platforms and the like). The operator short message platform is a traditional operator short message service platform such as Mobile, Unicom, Telecom, Vodafone and the like. The verification code is, for example, a short message verification code, a message verification code (Message Authentication Codes, MAC) or the like.
The mobile terminal receives the verification code short message fed back to the mobile terminal by the operator short message platform, and after receiving it stores the short message and the verification code into the secure container. The mobile terminal is a terminal device with a modem communication function, such as a smart phone, a smart watch, and the like.
Optionally, the verification code processing method according to the embodiment of the invention further comprises: a client application in the mobile terminal is invoked, the client application calls a trusted application, and after the trusted application calls the secure container for encryption and signing, the client application obtains a verification code application ciphertext and uses it to apply to the verification code platform for the verification code (sending a verification code request).
Optionally, the verification code platform generates a verification code, encrypts and signs the verification code, and then sends the verification code to the operator short message platform to generate a short message, the operator short message platform sends a verification code ciphertext short message, and the modem in the mobile terminal receives the verification code ciphertext short message fed back by the operator short message platform.
In step S102, in the trusted execution environment of the mobile terminal, the verification code in the secure container is accessed by invoking the trusted application therein.
In a trusted execution environment (Trusted Execution Environment, TEE) of the mobile terminal, the verification code in the secure container is accessed by invoking a trusted application (Trusted Application, TA) therein. After the trusted application accesses the verification code, processing of the verification code includes, for example, completing the display, input, verification, and result reply of the verification code through the trusted application and/or trusted user interface (Trusted User Interface, TUI). For example, in a trusted execution environment of the mobile terminal, a corresponding trusted application and/or trusted user interface (TUI) is invoked to verify the verification code and/or reply to the verification code.
Fig. 2 shows a schematic architecture diagram of a mobile terminal according to a second embodiment of the present invention. As shown in fig. 2, in a second embodiment of the present invention, the TEE System-based short message authentication code security protection architecture is, for example, a System on Chip (SoC).
The SoC integrates an application chip (Application Processor, AP), which is the application chipset running in the SoC, and a baseband chip (Baseband Processor, BP). The REE (Rich Execution Environment) and the TEE are systems running on the AP.
The modem is the BP baseband chipset and is used for sending and receiving short messages.
The client application program (Client Application, CA) is an application running on the REE system, and the trusted application is a high-security application running on the TEE system. The CA can call the TA to protect the security of processes such as application for, issuing of and verification of the short message verification code. Optionally, the TUI of the TEE can be used to protect the secure display of the short message verification code after it is issued to the terminal and its secure input in the short message verification stage.
Optionally, the verification code processing method according to the embodiment of the invention further includes:
the mobile terminal sends a verification code application request to a verification code platform; the verification code platform generates a verification code after receiving a verification code application request, and sends the verification code to the operator short message platform to generate a short message, and the operator short message platform sends (feeds back) the verification code short message to the mobile terminal.
The verification code short message fed back to the mobile terminal by the operator short message platform is received through the modem of the mobile terminal, and the modem stores the received short message and the verification code into a secure container of the mobile terminal. Optionally, sensitive data is stored in the secure container. The secure container includes at least one of a trusted execution environment soft SIM, an eSIM patch card, a SIM card, and the like. The sensitive data includes at least one of a verification code, a security key, and the like.
Specifically, the secure container may be implemented in three ways: a TEE soft SIM, an eSIM (Embedded Subscriber Identity Module) patch card in the eSE (Secure Element) manner, and a SIM card. The short message data and the security keys involved in the present invention can be stored in the secure container. After receiving the short message data, the modem accesses the SIM card or the eSIM patch card through 7816, or accesses the soft SIM application in the TA through the simulated 7816, and stores the short message data into the secure container. When the secure container is a SIM card, the TA of the TEE system accesses the TEE SE API (Application Programming Interface), which accesses the plug-in services and modem drivers of the UICC (Universal Integrated Circuit Card), and the SIM card is read and written according to the calling procedure. When the secure container is an eSIM (eSE) patch card, the TA of the TEE system accesses the TEE SE API, which accesses the plug-in services of the eSE and the eSE driver, and the eSIM patch (eSE chip) card is read and written according to the calling procedure. When the secure container is a TEE soft SIM, the TA of the TEE system accesses the TEE SE API, which accesses the plug-in services and soft SIM emulation drivers of the TEE soft SIM, and the soft SIM application (TEE soft SIM) is read and written according to the calling procedure.
Fig. 3 shows a captcha display interface according to a third embodiment of the present invention. Specifically, Fig. 3 shows a mobile phone short message verification code TUI structure based on a TEE system according to a third embodiment of the present application. The TUI is a high-security trusted user interface running in the TEE system, and can be used together with the TA to protect the input and display of the short message verification code more securely. The TA reads the short message verification code through the modem, which protects the secure reading of the short message verification code; the TA then fills the short message verification code into the TUI interface automatically and/or manually through the TUI, which protects its secure input. Optionally, TUI verification code input may support 4-digit or 6-digit verification codes. After the verification code is entered, verification may be initiated in the TA of the TUI.
Fig. 4 shows a timing diagram of a captcha key agreement according to a fourth embodiment of the present invention. As shown in Fig. 4, in the fourth embodiment of the present application, the short message verification code key negotiation process based on the TEE system is performed between the short message verification code operation server (verification code platform), the client application in the rich execution environment (CA in REE), and the trusted application in the trusted execution environment (TA in TEE).
First, the terms involved in the key agreement process are explained.
DUID: the unique identifier of the mobile terminal side, including but not limited to the IMEI (International Mobile Equipment Identity), the device serial number or a custom unique identification number. The DUID may be used to generate the public and private key pair for authentication and key agreement on the terminal side.
Rt: the terminal-side random number, generated by the mobile terminal secure container and used for authentication and key negotiation.
Rs: the platform-side random number, generated by the verification code platform and used for authentication and key negotiation.
Pt: the terminal unique key (including but not limited to a symmetric key, a CA certificate or a public key) that the mobile terminal secure container generates from the DUID, used for security authentication and key agreement.
Ps: the platform key (including but not limited to a symmetric key, a CA certificate or a public key) that the verification code platform generates, used for security authentication and key agreement.
RootK: the root key of the platform and the terminal side, negotiated through a key negotiation algorithm after authentication and key negotiation between the platform and the terminal side are completed.
Taut: the service authentication key that the mobile terminal secure container and the verification code platform each generate from RootK with the same key dispersion algorithm. It is used for the two-way handshake authentication of the platform and the terminal side during verification code service interaction, to confirm the legitimacy of the identities of both.
Tenc: the service encryption key that the mobile terminal secure container and the verification code platform each generate from RootK with the same key dispersion algorithm. It is used for encrypting the transmitted verification code interaction data and the verification code itself during verification code service interaction, to protect the privacy of the transmitted service data.
Tdek: the key that the mobile terminal secure container and the verification code platform each derive from RootK with the same key dispersion algorithm for signing the transmitted verification code interaction data and the verification code itself during verification code service interaction, to protect the integrity of the transmitted service data.
In the optional verification code processing method, a trusted application generates a unique key according to a unique identification (DUID) of a mobile terminal; the mobile terminal performs key negotiation with the verification code platform, and generates the negotiated root keys respectively. The unique key is used for safety authentication and key negotiation between the mobile terminal and the verification code platform when the user registers. The negotiated root key is used for generating unique authentication, encryption and verification keys between the mobile terminal and the verification code platform when the user registers. The unique authentication, encryption and verification key is used for authentication, encryption and verification of the transmission information between the mobile terminal and the verification code platform in the verification code application, receiving and verification processes. Optionally, generating the unique authentication, encryption and verification key between the mobile terminal and the verification code platform at the time of user registration includes: the method comprises the steps that a root key generated after key negotiation is conducted on a mobile terminal and a verification code platform is used as a scattered key to be scattered, and first data are obtained; and carrying out key processing on the first data according to different key types to obtain a unique authentication, encryption and verification key. In the embodiment, the root key obtains the algorithm dividing process of the unique authentication, encryption and verification key through the decentralized algorithm, so that the randomness and uniqueness of the authentication, encryption and verification key are ensured, the difficulty of violently cracking the authentication, encryption and verification key is increased, and the security in the verification code processing process is further ensured.
Specifically, when the user registers an account, the mobile terminal TA generates its own unique keys Pt and Rt through the DUID of the secure container, and uses SSL2.0 and above protocols (including but not limited to SSL2.0/SSL3.0/TLS1.0/TLS1.1/TLS1.2/TLS1.3/GMTLS 1.1), and performs key negotiation with the authentication code platform to generate root keys RootK after each negotiation.
The key negotiation algorithms used between the verification code platform and the mobile terminal secure container do not include DH-ANON and ECDH-ANON, which provide no identity authentication. The algorithm list can be as follows:
In a specific embodiment, the key negotiation process between the verification code platform and the mobile terminal CA is as follows:
In the preparation stage, after the deployment of the verification code platform is completed, a platform side key Ps can be generated in advance on the verification code platform (the short message verification code operation server side).
In the negotiation process, when the negotiation algorithm uses asymmetric keys, the mobile terminal generates a platform side public-private key pair in advance, and the private key is stored in an encryptor. Depending on the type of negotiation algorithm, Ps may support asymmetric algorithms such as RSA/DSA/SM2/SM9/ECDSA. Optionally, the generated public key may be used directly as Ps, or the generated public key may be submitted to a CA institution and the resulting public key certificate used as Ps.
In the negotiation process, when the negotiation algorithm is a PSK or SRP symmetric key negotiation algorithm, the unique identifier DUID of the mobile terminal can be imported into the verification code platform in advance by a server integrating the verification code security service TA function described in the application, and the verification code platform generates a unique Ps with the same algorithm as the mobile terminal TA.
In the user registration stage, the user registers a user account through the UI of the mobile terminal CA. The mobile terminal CA calls the TA interface, and the TA obtains the terminal unique identifier DUID through the secure container and generates the unique key Pt and the terminal random number Rt.
The mobile terminal CA obtains the terminal unique identifier DUID from the TA through the secure container and, with the DUID as a parameter, requests identity authentication and key negotiation from the verification code platform. After receiving the request, the verification code platform generates a platform random number Rs and performs identity authentication and key negotiation with the mobile terminal CA; for the algorithms supported in negotiation, refer to the list.
After the verification code platform and the mobile terminal CA complete identity authentication and key negotiation, a root key RootK is generated in the verification code platform and in the mobile terminal secure container.
Optionally, when a forward-secrecy algorithm is not supported, the permanent keys Taut, Tenc and Tdek may be generated at registration; when a forward-secrecy algorithm is supported, only RootK is generated, and the keys Taut, Tenc and Tdek are generated temporarily in each subsequent verification code service and deleted after the service ends.
Optionally, when a PSK or SRP symmetric negotiation algorithm is used, RootK is equal to Ps and Pt, the random numbers involved in calculating Ps and Pt are also equal, and what is negotiated is the DUID: the platform uses the DUID sent during key negotiation to check whether it exists among, and matches, the DUIDs imported in the platform preparation stage.
The verification code platform returns the key negotiation results, such as RootK, to the mobile terminal CA, and the mobile terminal TA returns the key negotiation results of the secure container, such as RootK, to the CA, completing the authentication negotiation process of the registration stage.
In an optional embodiment of the present invention, the trusted application generating the unique key according to the unique identifier of the mobile terminal includes: performing an exclusive-OR operation on the unique identifier of the mobile terminal and the local random number to obtain first data; performing a hash operation on the first data to obtain second data; XORing the second data with a padding value to obtain third data, the third data reaching the required symmetric key length or asymmetric private key length; and generating a unique security authentication and negotiation key based on the third data.
Specifically, the verification code platform or the mobile terminal TA generates its own unique key Px through the DUID of the secure container, using the following algorithm:
Step one: the DUID (unique identifier of the mobile terminal) is XORed with the local random number (R) to obtain the first data (X).
Step two: a HASH algorithm (including but not limited to SHA-1, SHA-224, SHA384, SHA512, MD5, etc.) is applied to X to obtain the second data (result Y).
Step three: the result Y is XORed with a padding value (F) (a fixed padding value such as A5 may be customized) to obtain the third data (result Z), which reaches the required symmetric key length or asymmetric private key length.
Step four: the result Z is handled according to the algorithm category, and the corresponding unique security authentication and negotiation key Px is generated from the third data. For example, when the negotiation algorithm uses asymmetric keys, Z is the asymmetric private key, and the public key Px can be generated from the private key Z through the respective algorithm's interface for generating a public key from a private key; when a PSK key negotiation algorithm is used, the negotiated key is a symmetric key, namely the unique key Px; when the SRP key negotiation algorithm is used, the first 2 bytes (4 characters), the first 3 bytes (6 characters) or the first 4 bytes (8 characters) of the result Z may be taken as the password Px.
In the above embodiment of the present application, the Pt generated by this algorithm is unique, which ensures the uniqueness of the subsequently generated RootK and of Taut, Tenc and Tdek, achieving the goal of one key per device.
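The four steps above for the PSK and SRP cases, as an added example that is not the patent's own code. SHA-512 (one of the listed hashes), F taken as the byte A5 repeated, R drawn at the DUID's length, cutting Y to the key length, and all function names are assumptions; the asymmetric case is left out.

```python
import hashlib

FILL_BYTE = 0xA5  # F: the page's example value "A5", repeated per byte (assumption)


def derive_z(duid: bytes, r: bytes, key_len: int, hash_name: str = "sha512") -> bytes:
    """Steps one to three: Z = HASH(DUID xor R), cut to key_len, xor F."""
    if len(r) != len(duid):
        # Assumption: the local random number R is drawn at the DUID's length.
        raise ValueError("R must be the same length as the DUID")
    x = bytes(a ^ b for a, b in zip(duid, r))            # step one: X
    y = hashlib.new(hash_name, x).digest()               # step two: Y
    if not 0 < key_len <= len(y):
        raise ValueError("key_len must fit inside one digest")
    return bytes(b ^ FILL_BYTE for b in y[:key_len])     # step three: Z


def derive_px(duid: bytes, r: bytes, mode: str, key_len: int = 16, srp_bytes: int = 3):
    """Step four for the two symmetric cases named on the page."""
    z = derive_z(duid, r, key_len)
    if mode == "psk":
        return z                       # Z itself is the symmetric key Px
    if mode == "srp":
        if srp_bytes not in (2, 3, 4):
            raise ValueError("the page allows the first 2, 3 or 4 bytes of Z")
        return z[:srp_bytes].hex()     # 4, 6 or 8 hex characters
    raise ValueError("mode must be 'psk' or 'srp'")


def search_space_bits(px) -> int:
    """Upper bound on guessing work: 8 bits per byte of Z that Px carries."""
    return 4 * len(px) if isinstance(px, str) else 8 * len(px)


if __name__ == "__main__":
    duid = b"123456789012345"          # constructed 15-digit IMEI-style DUID
    # Constructed R, fixed so the demo is repeatable; a device would draw it
    # from its secure random source.
    r = bytes.fromhex("00112233445566778899aabbccddee")
    for mode in ("psk", "srp"):
        px = derive_px(duid, r, mode)
        shown = px.hex() if isinstance(px, bytes) else px
        print(mode, shown, search_space_bits(px), "bits")
```

Because X is DUID xor R, two devices whose DUID and R differ by the same bit pattern produce the same Z, so the uniqueness of Px rests on R as well as on the DUID. The SRP form of Px carries at most 16 to 32 bits of Z.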
In an alternative embodiment of the present invention, the algorithm used by the mobile terminal secure container or the verification code platform to generate the unique authentication, encryption and verification keys (symmetric or asymmetric) from RootK is as follows:
Step one: a key dispersion algorithm is used with RootK as the root key; the dispersion factor consists of the 2-byte key type followed by padding bytes (shown in the following table), and 3DES-CBC is applied to obtain Taut, Tenc and Tdek.
Step two: the Taut, Tenc and Tdek obtained in step one are processed according to the key characteristics of the key negotiation algorithm to obtain the final unique authentication, encryption and verification keys between the verification code platform and the mobile terminal.
When the Taut, Tenc and Tdek keys are symmetric keys: if the SRP negotiation algorithm is used, the untruncated result Z is used as the root key RootK; the padding bytes of the dispersion factor vary in length according to the length required by the symmetric algorithm type supported for the subsequent verification code service security (DES/3DES/AES/SM1/SM4/SM7 and others), and padding of the corresponding length is filled in.
When the Taut, Tenc and Tdek keys are asymmetric keys, the padding bytes of the dispersion factor vary in length according to the length required by the asymmetric algorithm type supported for the subsequent verification code service security (RSA/DSA/ECDSA/SM2/SM9 and others), and padding of the corresponding length is filled in. The dispersed Taut, Tenc and Tdek are used as the private keys Tauts, Tencs and Tdeks respectively, and the corresponding security service public keys Tautp, Tencp and Tdekp are obtained through the algorithm's interface for generating a public key from a private key.
Fig. 5 shows a timing diagram of the application for and issuing of a verification code according to a fifth embodiment of the present invention. As shown in fig. 5, in the fifth embodiment of the present application, the method for applying for and issuing a short message verification code based on a TEE system is performed among the operator's short message management platform, the short message verification code operation server, the client application in the rich execution environment, and the trusted application in the trusted execution environment.
Specifically, the short message verification code is applied for and issued through the TUI interface of the mobile terminal and the trusted application and secure container of the TEE. During data transmission with the verification code platform, the security service keys (the unique authentication, encryption and verification keys) can be used for identity authentication between the platform and the terminal side and for data encryption and signature verification, ensuring the legitimacy of the identities of both interacting parties and the privacy and integrity of the transmitted data.
In a specific embodiment, the application and the issuing of the short message verification code include the following steps:
Step one: the user inputs the mobile phone number on the TUI interface and clicks the "send verification code" button to apply for the short message verification code (one way for the mobile terminal to obtain the verification code request instruction through the Trusted User Interface (TUI)).
Step two: the CA monitoring service of the mobile terminal TEE calls the TA interface and obtains the returned result of the user's click event on the TUI (feedback of the verification code request instruction).
Step three: the mobile terminal CA sends an identity authentication request to the verification code platform. The verification code platform generates an authentication random number (Rs) and sends it to the CA and TA of the mobile terminal. The TA encrypts Rs with the service authentication key of the secure container (obtaining the encrypted platform authentication random number) and returns it to the verification code platform. The verification code platform verifies the encryption result, thereby verifying the legitimacy of the mobile terminal's identity, and returns the identity authentication result to the mobile terminal CA.
The mobile terminal TA generates a terminal authentication random number (Rt) through the secure container and sends it to the verification code platform. The verification code platform encrypts Rt with the service authentication key (obtaining the encrypted terminal authentication random number) and returns it to the mobile terminal TA. The mobile terminal TA verifies the encryption result through the secure container, completing the mobile terminal's verification of the legitimacy of the verification code platform's identity.
Step four: the mobile terminal CA sends a short message verification code application request (verification code request) to the verification code platform with the mobile phone number as a parameter. The CA calls the TA, which encrypts the request with the service encryption key of the secure container and signs it with the service verification key (obtaining the verification code application message ciphertext), and the ciphertext is sent to the verification code platform. The verification code platform verifies the signature of the message and, after decryption, generates the short message verification code data.
Step five: the verification code platform encrypts the verification code data with the service encryption key, signs it with the service verification key, and calls the interface provided by the operator short message management platform (short message platform) to generate a verification code short message. The short message verification code is sent to the modem of the mobile terminal device, and the modem stores the short message data in the secure container.
Step six: the short message platform returns the short message generation result to the verification code platform, and the verification code platform passes the result through to the mobile terminal CA of the device corresponding to the mobile phone number.
Optionally, in the process of applying for and issuing the verification code between the mobile terminal and the verification code platform, the service authentication key, service encryption key and service verification key involved are handled as follows:
In the case that the negotiation algorithm uses asymmetric keys, the service authentication key is the public key Tautp, the service encryption key is the public key Tencp, and the service verification key is the public key Tdekp. The service authentication and encryption process involves asymmetric algorithms including, but not limited to, RSA/DSA/SM2/SM9/ECDSA and the like; the service verification process involves signature hash algorithms including, but not limited to, MD5/SHA1/SHA256/SHA384/SHA512/SM3, etc.
In the case that the negotiation algorithm uses symmetric keys, the service authentication key is the key Taut obtained by dispersion with RootK = Z, the service encryption key is Tenc, and the service verification key is Tdek. The service authentication and encryption process involves symmetric algorithms including, but not limited to, DES/3DES/AES/SM1/SM4/SM7, etc.; the service verification process involves signature algorithms including, but not limited to, CMAC/HMAC, etc.
Fig. 6 shows a timing chart of a verification code display processing method according to a sixth embodiment of the present invention.
As shown in fig. 6, in a sixth embodiment of the present application, a method for displaying and processing a short message verification code based on a TEE system includes obtaining the verification code through a trusted application, the secure container of the mobile terminal verifying and decrypting the verification code, and repackaging the short message. The trusted application acquires the verification code short message from the secure container, displays the verification code through the TUI, and provides a verification code input window through the TUI.
Specifically, after the trusted application in the trusted execution environment (TA in TEE) has the verification code verified and decrypted by the secure container, the short message is repackaged; the trusted application in the trusted execution environment acquires the verification code short message from the secure container; the trusted application in the trusted execution environment displays the verification code short message through the TUI in the system notification bar and in the system's preset short message app, and the user inputs the displayed short message verification code in the secure TUI interface.
In a specific embodiment, after receiving the short message generation result, the mobile terminal CA invokes the TA interface to obtain the verification code short message from the secure container.
The secure container verifies and decrypts the verification code, repacks the short message, and returns the verification code short message data to the TA.
After receiving the verification code short message, the mobile terminal TA can display the verification code in either of the following two modes. Mode one: the verification code short message is displayed in the notification bar of the mobile terminal system using TUI technology. Mode two: a short message notification is generated in the short message app preset on the mobile phone, and after the user clicks the notification, the short message app displays the verification code short message using TUI technology.
After seeing the displayed verification code plaintext through the TUI of the mobile terminal system notification bar or the TUI of the preset short message app, the user inputs the verification code on the secure TUI interface.
Fig. 7 shows a timing chart of a verification code verification method according to a seventh embodiment of the present invention. As shown in fig. 7, in the seventh embodiment of the present application, the method for verifying a short message verification code based on the TEE system is performed among the short message verification code operation server (verification code platform), the client application in the rich execution environment, and the trusted application in the trusted execution environment; for example, applying for, issuing, displaying and inputting the short message verification code are all performed among the three.
The mobile terminal sends a verification code request to the verification code platform, the verification code platform generates a short message verification code and sends it to the operator short message platform, and the operator short message platform generates a short message and sends the verification code short message to the mobile terminal. After the mobile terminal receives the verification code short message, the mobile terminal acquires the input verification code through the Trusted User Interface (TUI). The trusted application obtains the input verification code through the TUI, and the input verification code is encrypted with the service encryption key of the secure container and/or signed with the service verification key to obtain the verification code ciphertext. The verification code ciphertext is sent to the client application of the mobile terminal. The client application sends the verification code ciphertext to the verification code platform, and the verification code platform verifies the signature and/or decrypts with the corresponding service verification key and/or service decryption key to obtain the verification code plaintext. The verification code platform compares the verification code plaintext with the verification code it generated when the verification code was applied for, and sends the comparison result to the client application.
Specifically, the process of verifying the short message verification code by using the secure TUI interface is as follows:
Step one: after the user finishes inputting the verification code on the TUI interface, the user clicks the login button to verify the short message verification code.
Step two: the mobile terminal TA obtains the user's click event and the input result from the TUI, encrypts them with the service encryption key of the secure container and signs them with the service verification key (obtaining the verification code ciphertext), and returns the verification code ciphertext to the mobile terminal CA.
Step three: the mobile terminal CA sends the verification code result to the verification code platform. The platform verifies the signature with the corresponding service verification key and decrypts with the service decryption key (obtaining the verification code plaintext), then compares the verification code plaintext with the verification code generated in the verification code application stage.
Step four: the verification code platform returns the verification code comparison result to the mobile terminal CA, and the mobile terminal CA notifies the TUI of the processing result, completing the verification code verification process so that the subsequent steps of the service can proceed.
Optionally, in the process of verifying the verification code between the mobile terminal and the verification code platform, the service encryption key and service verification key involved are handled as follows:
In the case that the negotiation algorithm uses asymmetric keys, the service encryption key is the public key Tencp, and the service verification key is the public key Tdekp. The service encryption process involves asymmetric algorithms including but not limited to RSA/DSA/SM2/SM9/ECDSA and the like; the service verification process involves signature hash algorithms including but not limited to MD5/SHA1/SHA256/SHA384/SHA512/SM3, etc.
In the case that the negotiation algorithm uses symmetric keys, the service encryption key is the key Tenc obtained by dispersion with RootK = Z, and the service verification key is Tdek. The service encryption process involves symmetric algorithms including, but not limited to, DES/3DES/AES/SM1/SM4/SM7 and others; the service verification process involves signature algorithms including, but not limited to, CMAC/HMAC, etc.
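The symmetric-key case of the two-way handshake in step three of the fifth embodiment and of the signed code submission checked in the seventh, as an added example that is not the patent's own code. HMAC-SHA256 stands in both for the 3DES-CBC dispersion and for encrypting the nonces Rs and Rt, and encryption with Tenc is left out. The 2-byte key types, the fill bytes, the role labels and all class and function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed 2-byte key types; the page's own table is not reproduced here.
KEY_TYPES = {"Taut": b"\x00\x01", "Tenc": b"\x00\x02", "Tdek": b"\x00\x03"}


def disperse(rootk: bytes, name: str, key_len: int = 16) -> bytes:
    """Derive one service key from RootK (HMAC-SHA256 stands in for 3DES-CBC)."""
    factor = KEY_TYPES[name] + b"\xa5" * 6      # key type + fill bytes (assumed fill)
    return hmac.new(rootk, factor, hashlib.sha256).digest()[:key_len]


class Endpoint:
    """One side of the exchange: the TA with its secure container, or the platform."""

    def __init__(self, role: str, rootk: bytes):
        self.role = role                         # "terminal" or "platform"
        self.taut = disperse(rootk, "Taut")      # service authentication key
        self.tdek = disperse(rootk, "Tdek")      # service verification key
        self._pending = None

    def challenge(self) -> bytes:
        """Issue a fresh authentication random number (Rs or Rt)."""
        self._pending = secrets.token_bytes(16)
        return self._pending

    def respond(self, nonce: bytes) -> bytes:
        # The role label is an added binding, not on the page: it keeps a
        # response made for one direction from being accepted in the other.
        return hmac.new(self.taut, self.role.encode() + nonce, hashlib.sha256).digest()

    def check(self, peer_role: str, response: bytes) -> bool:
        """Verify the peer's response to our outstanding challenge, once only."""
        nonce, self._pending = self._pending, None
        if nonce is None:
            return False
        expected = hmac.new(self.taut, peer_role.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

    def sign(self, payload: bytes) -> bytes:
        return hmac.new(self.tdek, payload, hashlib.sha256).digest()

    def verify(self, payload: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.sign(payload), tag)


def mutual_authenticate(terminal: Endpoint, platform: Endpoint) -> bool:
    """Platform authenticates the terminal with Rs, then the reverse with Rt."""
    rs = platform.challenge()
    terminal_ok = platform.check("terminal", terminal.respond(rs))
    rt = terminal.challenge()
    platform_ok = terminal.check("platform", platform.respond(rt))
    return terminal_ok and platform_ok


def platform_check_code(platform: Endpoint, issued: str, submitted: bytes, tag: bytes) -> bool:
    """Seventh embodiment, step three: verify the signature, then compare codes."""
    if not platform.verify(submitted, tag):
        return False
    return hmac.compare_digest(issued.encode(), submitted)


if __name__ == "__main__":
    rootk = secrets.token_bytes(16)              # stands for the negotiated RootK
    ta, vp = Endpoint("terminal", rootk), Endpoint("platform", rootk)
    print("mutual authentication:", mutual_authenticate(ta, vp))
    code = b"493817"                             # constructed 6-digit code typed into the TUI
    print("code accepted:", platform_check_code(vp, "493817", code, ta.sign(code)))
```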
According to another aspect of the present invention, a mobile terminal is provided. The mobile terminal comprises a receiving module and a processing module, wherein the receiving module is used for receiving a verification code short message fed back by an operator short message platform; and a secure container used for storing the short message and the verification code, wherein the verification code in the secure container is accessed through a trusted application in the trusted execution environment of the mobile terminal.
The mobile terminal according to the embodiment of the invention is used for realizing the verification code processing method.
According to yet another aspect of the present invention, a trusted service system is provided. The trusted service system comprises a verification code platform (short message verification code operation server) and the mobile terminal. The mobile terminal sends a verification code request to the verification code platform, the verification code platform generates a verification code and applies to the operator short message platform to generate a short message, and the operator short message platform sends the verification code short message to the mobile terminal. Optionally, the trusted service system according to the embodiment of the present invention further includes the operator short message management platform described in the fifth embodiment.
It should be noted that in this document relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Embodiments in accordance with the present invention, as described above, are not intended to be exhaustive or to limit the invention to the precise embodiments disclosed. Obviously, many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the invention and the practical application, to thereby enable others skilled in the art to best utilize the invention and various modifications as are suited to the particular use contemplated. The invention is limited only by the claims and the full scope and equivalents thereof.

Claims (14)

1. A verification code processing method, comprising:
the mobile terminal receives a verification code fed back to the mobile terminal by the verification code platform through the operator short message platform, and stores the verification code in a secure container of the mobile terminal;
in the trusted execution environment of the mobile terminal, the verification code in the secure container is accessed by calling a trusted application therein.
2. The verification code processing method according to claim 1, wherein the verification code processing method further comprises:
the verification code platform generates the verification code and sends the verification code to the operator short message platform;
the operator short message platform generates a verification code short message comprising the verification code;
the mobile terminal receives the verification code short message fed back to the mobile terminal by the operator short message platform and stores the verification code short message in the secure container.
3. The verification code processing method according to claim 1, wherein the verification code processing method further comprises:
the mobile terminal sends a verification code request to the verification code platform;
receiving a verification code short message fed back by the operator short message platform through a modem of the mobile terminal, wherein verification code data of the verification code short message is generated by the verification code platform, and the modem stores the verification code short message comprising the verification code in a secure container of the mobile terminal;
when the secure container comprises a SIM card, the trusted application accesses a trusted execution environment secure element application program interface, and the trusted execution environment secure element application program interface accesses a plug-in service and a modem driver of a universal integrated circuit card and reads and writes the SIM card;
when the secure container comprises an eSE patch card, the trusted application accesses a trusted execution environment secure element application program interface, and the trusted execution environment secure element application program interface accesses a plug-in service and an eSE driver of an eSE and reads and writes the eSE patch card;
when the secure container comprises a trusted execution environment soft SIM card, the trusted application accesses a trusted execution environment secure element application program interface, and the trusted execution environment secure element application program interface accesses a plug-in service and a soft SIM card simulation driver of the trusted execution environment soft SIM card and reads and writes the trusted execution environment soft SIM card.
4. The verification code processing method according to claim 1, wherein the verification code processing method further comprises:
sensitive data is stored in the secure container,
the secure container comprises at least one of a trusted execution environment soft SIM card, an eSE patch card, an eSIM module and a SIM card;
the sensitive data includes at least one of the verification code and a security key.
5. The authentication code processing method according to claim 1, wherein the authentication code processing method further comprises:
in the trusted execution environment of the mobile terminal, calling a corresponding trusted application to apply for the verification code and/or receive the verification code and/or verify the verification code and/or reply with the verification code.
6. The authentication code processing method according to claim 1, wherein the authentication code processing method further comprises:
the trusted application generates a unique key according to the unique identifier of the mobile terminal; and
the mobile terminal performs key negotiation with the verification code platform, and each side generates the negotiated root key, wherein
the unique key is used for security authentication and key negotiation between the mobile terminal and the verification code platform when the user registers;
the negotiated root key is used for generating a unique authentication, encryption and verification key between the mobile terminal and the verification code platform when a user registers;
the unique authentication, encryption and verification key is used for authentication, encryption and verification of information transmitted between the mobile terminal and the verification code platform in the processes of application, receiving and verification of the verification code.
7. The authentication code processing method of claim 6, wherein the trusted application generating a unique key from the unique identification of the mobile terminal comprises:
performing exclusive OR operation on the unique identifier of the mobile terminal and the local random number to obtain first data;
carrying out hash operation on the first data to obtain second data;
performing an exclusive OR compounding operation on the second data to obtain third data, wherein the third data reaches the required symmetric key length or asymmetric private key length; and
generating a unique security authentication and negotiation key according to the third data.
8. The authentication code processing method of claim 6, wherein generating a unique authentication, encryption, and verification key between the mobile terminal and the verification code platform upon user registration comprises:
using the root key generated after the mobile terminal and the verification code platform perform key negotiation as a diversification key, and performing key diversification (scattering) with it to obtain first data; and
performing key processing on the first data according to different key types to obtain the unique authentication, encryption and verification key.
9. The authentication code processing method according to claim 1, wherein the authentication code processing method further comprises:
the mobile terminal sends a verification code request to the verification code platform, the verification code platform generates the verification code and requests the operator short message platform to generate a verification code short message, and the operator short message platform sends the verification code short message to the mobile terminal;
after the mobile terminal receives the verification code, the mobile terminal acquires the input verification code through a trusted user interface;
the trusted application obtains the input verification code; the input verification code is encrypted by a service encryption key of the secure container and/or signed by a service verification key to obtain a verification code ciphertext; the verification code ciphertext is sent to a client application of the mobile terminal;
the client application sends the verification code ciphertext to the verification code platform, and the verification code platform performs verification and/or decryption through a corresponding service verification key and/or a corresponding service decryption key to obtain a verification code plaintext; and
the verification code platform compares the verification code plaintext with the verification code it generated when the verification code was applied for, and sends the comparison result to the client application.
10. The authentication code processing method according to claim 1, wherein the authentication code processing method further comprises:
the mobile terminal applies for a short message verification code through a trusted user interface;
the client application of the trusted execution environment monitors a service call trusted application interface to acquire feedback of an instruction for applying a short message verification code;
the client application of the mobile terminal sends an identity authentication request to the verification code platform; the verification code platform generates an authentication random number and sends the authentication random number to a client application and a trusted application of the mobile terminal; the trusted application encrypts the authentication random number through a secure container service authentication key to obtain an encrypted random number, and sends the encrypted random number to the verification code platform; the verification code platform verifies the encrypted random number to verify the identity of the mobile terminal, and sends a verification result to the client application;
the trusted application generates a terminal authentication random number through the secure container and sends the terminal authentication random number to the verification code platform; the verification code platform encrypts the terminal authentication random number through a service authentication key to obtain an encrypted terminal authentication random number, and sends the encrypted terminal authentication random number to the trusted application;
the trusted application verifies the encrypted terminal authentication random number through the secure container to verify the identity of the verification code platform.
11. The authentication code processing method according to claim 10, wherein the authentication code processing method further comprises:
after the mobile terminal obtains the input mobile phone number through a trusted user interface, the client application uses the mobile phone number as a parameter and sends a verification code request to the verification code platform;
the client application calls the trusted application, the trusted application encrypts and/or signs the verification code request message through a secure container service encryption key to obtain a transmission message ciphertext, and the transmission message ciphertext is sent to the verification code platform;
after verifying and/or decrypting the transmission message ciphertext, the verification code platform generates the short message verification code data; and
after encrypting and/or signing the verification code data, the verification code platform generates a verification code ciphertext and sends the verification code ciphertext to the operator short message platform to generate the verification code short message, and the operator short message platform sends the verification code short message to the mobile terminal corresponding to the mobile phone number.
12. The authentication code processing method according to claim 1, wherein the authentication code processing method further comprises:
the client application calls a trusted application interface to acquire the verification code;
the secure container of the mobile terminal checks and decrypts the verification code and repacks the verification code short message;
the trusted application receives the verification code short message of the secure container; and
the trusted application displays the verification code short message through a trusted user interface, and the trusted user interface provides a verification code input window.
13. A mobile terminal, comprising:
a receiving module, configured to receive the verification code fed back by the verification code platform through the operator short message platform; and
a secure container for storing the verification code,
wherein, in the trusted execution environment of the mobile terminal, the verification code in the secure container is accessed by calling the trusted application therein.
14. A trusted service system comprising:
a verification code platform; and
the mobile terminal according to claim 13,
the mobile terminal sends a verification code request to the verification code platform, and the verification code platform sends the verification code to the mobile terminal through the operator short message platform.
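The key diversification of claim 8, the two-way challenge-response of claim 10 and the protected code submission of claim 9 can be carried through end to end; the following Python is an added example, not code from the patent. The claims name no algorithms, so the HMAC-SHA256 diversification, the purpose and role labels, the HMAC keystream standing in for the secure container's cipher, and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

def _prf(key: bytes, *parts: bytes) -> bytes:
    # Length-prefix each part so distinct inputs never collide after joining.
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()

def service_keys(root_key: bytes, terminal_id: bytes) -> dict:
    """Claim 8: diversify the negotiated root key into one key per purpose.
    The HMAC-SHA256 construction and the labels are assumptions."""
    return {p: _prf(root_key, p.encode(), terminal_id) for p in ("auth", "enc", "verify")}

def answer(auth_key: bytes, role: bytes, challenge: bytes) -> bytes:
    """Claim 10: prove possession of the authentication key for one challenge.
    The role label stops a response from being reflected back at its sender."""
    return _prf(auth_key, role, challenge)

def mutual_auth(terminal: dict, platform: dict) -> bool:
    """Simulates both sides: each issues a fresh random number and checks the peer."""
    n_platform = secrets.token_bytes(16)   # platform's authentication random number
    n_terminal = secrets.token_bytes(16)   # terminal authentication random number
    terminal_ok = hmac.compare_digest(answer(terminal["auth"], b"terminal", n_platform),
                                      answer(platform["auth"], b"terminal", n_platform))
    platform_ok = hmac.compare_digest(answer(platform["auth"], b"platform", n_terminal),
                                      answer(terminal["auth"], b"platform", n_terminal))
    return terminal_ok and platform_ok

def seal_code(keys: dict, code: str) -> bytes:
    """Claim 9, terminal side: encrypt the entered code, then sign the ciphertext.
    The HMAC keystream stands in for the secure container's cipher (assumption)."""
    nonce, plain = secrets.token_bytes(16), code.encode()
    if len(plain) > 32:
        raise ValueError("code too long for one keystream block")
    body = bytes(a ^ b for a, b in zip(plain, _prf(keys["enc"], nonce)))
    return nonce + body + _prf(keys["verify"], nonce, body)

def check_code(keys: dict, blob: bytes, issued: str) -> bool:
    """Claim 9, platform side: verify the tag, decrypt, compare with the issued code."""
    if len(blob) < 48:
        return False
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(keys["verify"], nonce, body)):
        return False
    plain = bytes(a ^ b for a, b in zip(body, _prf(keys["enc"], nonce)))
    return hmac.compare_digest(plain, issued.encode())
```

The client application in the rich execution environment only ever handles the output of `seal_code`, so a tampered or replayed blob from another key set fails at the tag check before any comparison with the issued code takes place.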
CN202310287928.1A 2023-03-22 2023-03-22 Verification code processing method, mobile terminal and trusted service system Pending CN116528230A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310287928.1A CN116528230A (en) 2023-03-22 2023-03-22 Verification code processing method, mobile terminal and trusted service system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310287928.1A CN116528230A (en) 2023-03-22 2023-03-22 Verification code processing method, mobile terminal and trusted service system

Publications (1)

Publication Number Publication Date
CN116528230A true CN116528230A (en) 2023-08-01

Family

ID=87407180

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310287928.1A Pending CN116528230A (en) 2023-03-22 2023-03-22 Verification code processing method, mobile terminal and trusted service system

Country Status (1)

Country Link
CN (1) CN116528230A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117573275A (en) * 2023-11-14 2024-02-20 中电云计算技术有限公司 Trusted container application security read-write method and system based on TrustZone

Similar Documents

Publication Publication Date Title
US10595201B2 (en) Secure short message service (SMS) communications
CN109150548B (en) Digital certificate signing and signature checking method and system and digital certificate system
US9838205B2 (en) Network authentication method for secure electronic transactions
US9231925B1 (en) Network authentication method for secure electronic transactions
WO2019020051A1 (en) Method and apparatus for security authentication
US8495383B2 (en) Method for the secure storing of program state data in an electronic device
CN112861089B (en) Authorization authentication method, resource server, resource user, equipment and medium
CN113067823B (en) Mail user identity authentication and key distribution method, system, device and medium
CN109495268B (en) Two-dimensional code authentication method and device and computer readable storage medium
EP2879421A1 (en) Terminal identity verification and service authentication method, system, and terminal
CN108616352B (en) Dynamic password generation method and system based on secure element
KR20120108599A (en) Credit card payment service using online credit card payment device
DK2414983T3 (en) Secure computer system
CN111130798A (en) Request authentication method and related equipment
CN106656955A (en) Communication method and system and user terminal
CN116528230A (en) Verification code processing method, mobile terminal and trusted service system
US20240106633A1 (en) Account opening methods, systems, and apparatuses
CN108768655B (en) Dynamic password generation method and system
CN112348998A (en) Method and device for generating one-time password, intelligent door lock and storage medium
CN115473655B (en) Terminal authentication method, device and storage medium for access network
CN114500055B (en) Password verification method and device, electronic equipment and storage medium
CN113727059B (en) Network access authentication method, device and equipment for multimedia conference terminal and storage medium
CN111404680B (en) Password management method and device
CN117118759B (en) Method for reliable use of user control server terminal key
CN110532741B (en) Personal information authorization method, authentication center and service provider

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination