KR101662947B1 - Method for Providing Session Security by using Secure Operating System - Google Patents


Info

Publication number
KR101662947B1
Authority
KR
South Korea
Prior art keywords
program
secure
memory area
general
server
Application number
KR1020150041512A
Other languages
Korean (ko)
Inventor
김종서
Original Assignee
(주)에이티솔루션즈
Application filed by (주)에이티솔루션즈
Priority to KR1020150041512A
Application granted
Publication of KR101662947B1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these


Abstract

The present invention relates to a method of providing session security using a secure operating system. In a wireless terminal equipped with a secure OS having a secure kernel and a general (normal) OS, the program (n) of the general OS allocates a memory area accessible by the designated program (s) of the secure OS or identifies a pre-allocated memory area; the program (n) writes transmission information to be transmitted to the designated server in the memory area; the program (s) of the secure OS checks the transmission information recorded by the program (n) of the general OS from the memory area; the program (s) exchanges a session key with the designated server through the communication means of the wireless terminal or confirms the session key exchanged with the server; and the program (s) encrypts the transmission information with the session key and transmits it to the server via the communication means of the wireless terminal.

Description

METHOD FOR PROVIDING SESSION SECURITY USING SECURITY OPERATING SYSTEM

The present invention relates to a session security providing method using a secure operating system, executed on a wireless terminal having a secure OS (Secure Operating System) with a Secure Kernel and a general OS (Normal Operating System). In this method, the program (n) of the general OS allocates a memory area accessible from the designated program (s) of the secure OS or identifies a pre-allocated memory area, and the program (n) records in the memory area the transmission information to be transmitted to the designated server. The program (s) of the secure OS checks the transmission information recorded by the program (n) of the general OS from the memory area, exchanges a session key with the designated server through the communication means of the wireless terminal or confirms a session key exchanged with the server, encrypts the transmission information with the session key, and transmits it to the server through the communication means of the wireless terminal.

Recently, TrustZone technology has been proposed, in which each physical processor core is divided into two worlds, the Secure World and the Normal World, and each world is isolated. With TrustZone, the Normal World runs a normal operating system and the Secure World runs a security-enhanced operating system. Because the Secure World is kept isolated from the Normal World, the security of the isolated Secure World is preserved even if the Normal World is hacked or tampered with.

The isolation of the Secure World from the Normal World is one of the key points that ensures the security of the Secure World in TrustZone technology. An application executed in the Secure World can directly access and control various components provided in the terminal, such as a display device, a communication device, and an input device, without using the operating system of the Normal World (Patent Registration No. 10-1259824). Although the Secure World and the Normal World physically share a single processor core in a single terminal, and the Secure World is entered through the Normal World, the Secure and Normal Worlds are separate systems in terms of hardware and software.

Therefore, when a session security function is provided on a wireless terminal equipped with a Secure World and a Normal World, implementing the session security function only through the Secure World, regardless of the Normal World, is relatively easy for a person skilled in the art by referring to the technical standards related to TrustZone. However, it is technically difficult to have the Normal World and the Secure World interwork in real time so that each necessary procedure is carried out in its own isolated world while, seen from the outside, the procedures appear to be performed without any distinction between the worlds.

In order to solve the above problems, an object of the present invention is to provide a session security providing method using a secure operating system, executed on a wireless terminal having a secure OS (Secure Operating System) with a secure kernel and a general OS (Normal Operating System), the method comprising: a first step in which the program (n) of the general OS allocates a memory area accessible from a designated program (s) of the secure OS or identifies a pre-allocated memory area; a second step in which the program (n) records, in the memory area, transmission information to be transmitted to the designated server; a third step in which the program (s) of the secure OS checks, from the memory area, the transmission information recorded by the program (n) of the general OS; a fourth step in which the program (s) of the secure OS exchanges a session key with the designated server through the communication means of the wireless terminal or confirms a session key exchanged with the server; and a fifth step in which the program (s) of the secure OS encrypts the transmission information with the session key and transmits the encrypted transmission information to the server through the communication means of the wireless terminal.

A method for providing session security using a secure operating system according to the present invention is executed on a wireless terminal having a secure OS (Secure Operating System) with a secure kernel and a general OS (Normal Operating System), and is characterized in that it includes: a first step in which the program (n) of the general OS allocates a memory area accessible from a designated program (s) of the secure OS or identifies a pre-allocated memory area; a second step in which the program (n) records, in the memory area, transmission information to be transmitted to the designated server; a third step in which the program (s) of the secure OS checks, from the memory area, the transmission information recorded by the program (n) of the general OS; a fourth step in which the program (s) of the secure OS exchanges a session key with the designated server through the communication means of the wireless terminal or confirms a session key exchanged with the server; and a fifth step in which the program (s) of the secure OS encrypts the transmission information with the session key and transmits it to the server via the communication means of the wireless terminal.

According to another aspect of the present invention, the method for providing session security using a secure operating system may further comprise a sixth step of providing a transmission result of the program (s), and a seventh step of referring to the transmission result in the memory area.

According to another aspect of the present invention, the method for providing session security using a secure operating system may further comprise the steps of: receiving encrypted reception information from the server through the communication means of the wireless terminal; decrypting the encrypted reception information with the session key and providing the decrypted reception information to the memory area; and an eighth step in which the program (n) refers to the reception information in the memory area.

According to the present invention, the secure OS may include a trust zone installed in the processor.

According to the present invention, the method for providing session security using the secure operating system may further comprise the step of, when the program (s) is loaded on the secure OS, storing in a general OS storage area identification information by which the program (n) identifies that the program (s) is loaded on the secure OS, or which identifies the program (s) loaded on the secure OS, wherein in the first step the memory area is allocated, or the pre-allocated memory area is confirmed, when the identification information shows that the program (s) is loaded on the secure OS.

According to another aspect of the present invention, there is provided a method for providing a session security using the secure operating system, the method comprising: transmitting, by the program (n), transmission information to be transmitted to the designated server by the program (n) The method comprising the steps of:

According to the present invention, a method for providing a session security using the secure operating system may include: before the program (n) records transmission information in the memory area, the program (n) and storing the state information for each of the plurality of mobile stations.

According to the present invention, the first step may further include the step of the program (n) operating a secure OS through a SMC (Secure Monitor Call) command.

According to the present invention, the first step may include allocating the memory area to the general OS when the program (n) allocates a memory area, or allocating the memory area to the general OS And the memory area is checked.

According to the present invention, the first step may allocate the memory area to the security monitor that performs the switching procedure between the general OS and the secure OS, or may check the pre-allocated memory area.


According to the present invention, the first step may further comprise setting the program (n) as a process at the general OS side in which the program (n) refers to the memory area.

According to the present invention, when heterogeneous OSs comprising a general OS and a secure OS are mounted on a wireless terminal, the secure OS exchanges the session key with the server on behalf of the general OS when the general OS performs session-secured communication with a designated server. On that basis the secure OS provides the session-secured communication between the general OS and the server, so that the session-secured communication remains safe against hacking or tampering of the general OS.

FIG. 1 is a diagram illustrating a functional configuration of a wireless terminal according to an embodiment of the present invention.
FIG. 2 is a diagram showing a functional configuration of a program according to an embodiment of the present invention.
FIG. 3 is a diagram illustrating a process of preparing a program (s) in a secure OS according to an embodiment of the present invention.
FIG. 4 is a diagram illustrating a transaction interoperation process between a general OS and a secure OS according to an embodiment of the present invention.
FIG. 5 is a diagram illustrating a process of processing session secure communication with a server through a secure OS according to an embodiment of the present invention.
FIG. 6 is a diagram illustrating a process of processing session secure communication with a server through a secure OS according to another embodiment of the present invention.

The operation principle of the preferred embodiment of the present invention will be described in detail with reference to the accompanying drawings and description. It should be understood, however, that the drawings and the following detailed description are exemplary and explanatory and are intended to provide further explanation of the invention, and are not to be construed as limiting the present invention.

In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear. The terms used below are defined in consideration of the functions of the present invention, which may vary depending on the user, intention or custom of the operator. Therefore, the definition should be based on the contents throughout the present invention.

As a result, the technical idea of the present invention is determined by the claims, and the following embodiments are merely a means for effectively explaining the technical idea of the present invention to a person having ordinary skill in the art to which the present invention belongs.

FIG. 1 is a functional block diagram of a wireless terminal 100 according to an embodiment of the present invention.

More specifically, FIG. 1 illustrates the configuration of a wireless terminal 100 equipped with a secure OS 120 provided with a secure kernel 130 and with a general OS 110 whose kernel structure is disclosed. A person having ordinary skill in the art could derive various implementations of the functional configuration of the wireless terminal 100 by referring to and/or modifying FIG. 1, and the present invention is not limited to the embodiment shown. The wireless terminal 100 of FIG. 1 may include various terminals, such as a smart phone, a tablet PC, and a PDA, that are equipped with the secure OS 120 and the general OS 110.

Referring to FIG. 1, the wireless terminal 100 includes a control unit 105, a memory unit 165, a screen output unit 135, a user input unit 140, a sound processing unit 145, a short-range wireless communication unit 150, a wireless network communication unit 155, a USIM reader 160, and a USIM, and has a battery for power supply.

The control unit 105 is a general term for the configuration that controls the operation of the wireless terminal 100. The control unit 105 physically includes a processor and an execution memory. Preferably, the processor may comprise an ARM processor.

According to the present invention, the control unit 105 includes a normal world, in which a general OS 110 (Normal Operating System) whose kernel structure, API and drivers are disclosed is operated, and a secure world, in which a secure OS 120 (Secure Operating System) having a secure kernel 130 is operated. The normal world and the secure world are constructed in a mutually isolated structure. Preferably, the secure OS 120 includes the TrustZone of the ARM processor. Hereinafter, for convenience, the functional configuration of the present invention on the general OS 110 and the secure OS 120 is described with reference to the control unit 105.

The memory unit 165 is a generic name for the nonvolatile memory corresponding to the storage unit included in the wireless terminal 100, and stores at least one program code executed through the control unit 105 and at least one data set.

According to the present invention, the memory unit 165 may include a general OS storage area accessed by the general OS 110 and a secure OS storage area accessed by the secure OS 120, and the general OS 110 cannot access the secure OS storage area. The general OS storage area may store program codes corresponding to applications executed through the general OS 110 and at least one data set used by applications of the general OS 110. The secure OS storage area may store program codes corresponding to applications executed through the secure OS 120 and at least one data set used by applications of the secure OS 120.

The general OS 110 has a kernel (hereinafter referred to as the "general kernel 115", in contrast to the secure kernel 130 of the secure OS 120). The general kernel 115 can access various resources of the wireless terminal 100, such as the screen output unit 135, the user input unit 140, the sound processing unit 145, and the short-range wireless communication unit 150, and drivers may be provided on the general OS 110 for this purpose. The general kernel 115 of the general OS 110 cannot access the secure OS storage area, and the general OS 110 and the secure OS 120 are isolated from each other.

The secure OS 120 includes a secure kernel 130 whose kernel structure is not disclosed. The secure kernel 130 of the secure OS 120 may access various resources of the wireless terminal 100, such as the screen output unit 135, the user input unit 140, the sound processing unit 145, the short-range wireless communication unit 150 and the wireless network communication unit 155, and drivers may be provided on the secure OS 120 for this purpose. Preferably, the secure kernel 130 of the secure OS 120 cannot access the general OS storage area, and the secure OS 120 and the general OS 110 are isolated from each other.

The screen output unit 135 is the screen output means provided in the wireless terminal 100 and may include a display such as a liquid crystal display (LCD) or a touch screen including a touch input unit.

The general kernel 115 of the general OS 110 includes a driver for accessing and controlling the display or the touch screen of the screen output unit 135. When the general kernel 115 accesses and controls the screen output unit 135, the secure OS 120 cannot access the screen output unit 135.

The secure kernel 130 of the secure OS 120 has a separate security driver for accessing and controlling the display or the touch screen of the screen output unit 135. When the secure kernel 130 accesses and controls the screen output unit 135, the general OS 110 cannot access the screen output unit 135.

The user input unit 140 is the user input means provided in the wireless terminal 100 and may include the touch input unit of the touch screen (when the screen output unit 135 includes a touch screen), a keypad, and a key button.

The general kernel 115 of the general OS 110 includes a driver for accessing and controlling the touch input unit, keypad or key button of the user input unit 140. When the general kernel 115 accesses and controls the user input unit 140, the secure OS 120 cannot access the user input unit 140.

The secure kernel 130 of the secure OS 120 has a separate security driver for accessing and controlling the touch input unit, keypad or key button of the user input unit 140. When the secure kernel 130 accesses and controls the user input unit 140, the general OS 110 cannot access the user input unit 140.

The sound processing unit 145 may include sound output means and sound input means provided in the wireless terminal 100, and may include a speaker for outputting sound and a microphone for receiving sound.

The general kernel 115 of the general OS 110 includes a driver for accessing and controlling the speaker or microphone of the sound processing unit 145. When the general kernel 115 accesses and controls the sound processing unit 145, the secure OS 120 cannot access the sound processing unit 145 controlled by the general OS 110.

The secure kernel 130 of the secure OS 120 includes a separate security driver for accessing and controlling the speaker or microphone of the sound processing unit 145. When the secure kernel 130 accesses and controls the sound processing unit 145, the general OS 110 cannot access the sound processing unit 145 controlled by the secure OS 120.

The wireless network communication unit 155 and the short-range wireless communication unit 150 are the communication means that connect the wireless terminal 100 to a communication network. Preferably, the wireless terminal 100 includes the wireless network communication unit 155 and may further include one or more short-range wireless communication units 150.

The wireless network communication unit 155 collectively refers to the communication means that connects the wireless terminal 100 to a wireless communication network via a base station, and includes an antenna for transmitting and receiving radio frequency signals of a specific frequency band and at least one processing module. The wireless network communication unit 155 may connect the wireless terminal 100 to a call network including a call channel and a data channel via an exchange, and may connect it to a data network (e.g., the Internet) that provides packet-based wireless network data communication.

According to an embodiment of the present invention, the wireless network communication unit 155 includes a mobile communication configuration that performs at least one of connection to a mobile communication network, location registration, call processing, call connection, data communication, and handoff according to the CDMA/WCDMA/… standard. Meanwhile, according to the intention of a person skilled in the art, the wireless network communication unit 155 may further include a portable Internet communication configuration for performing at least one of connection to the portable Internet, location registration, data communication and handoff according to the IEEE 802.16 standard, and the present invention is evidently not limited by the wireless communication configuration provided by the wireless network communication unit 155. That is, the wireless network communication unit 155 is a general term for a component that connects to a wireless communication network through a cell-based base station, irrespective of the frequency band of the wireless section, the type of communication network, or the protocol.

The general kernel 115 of the general OS 110 includes a driver for accessing and controlling the wireless network communication unit 155. When the general kernel 115 accesses and controls the sound processing unit 145, the secure OS 120 cannot access the wireless network communication unit 155 controlled by the general OS 110.

The secure kernel 130 of the secure OS 120 has a separate security driver for accessing and controlling the wireless network communication unit 155. When the secure kernel 130 accesses and controls the wireless network communication unit 155, the general OS 110 cannot access the wireless network communication unit 155 controlled by the secure OS 120.

The short-range wireless communication unit 150 is a generic term for a communication unit that establishes a communication session using a radio frequency signal within a predetermined distance (for example, about 10 m) as the communication medium and connects the wireless terminal 100 to a communication network. The wireless terminal 100 can be connected to the communication network through at least one of Wi-Fi communication, Bluetooth communication, public wireless communication, and UWB. According to an embodiment of the present invention, the short-range wireless communication unit 150 can connect the wireless terminal 100, through a wireless AP, to a data network providing packet-based short-range wireless data communication.

The general kernel 115 of the general OS 110 includes a driver for accessing and controlling the short-range wireless communication unit 150. When the general kernel 115 accesses and controls the sound processing unit 145, the secure OS 120 cannot access the short-range wireless communication unit 150 controlled by the general OS 110.

The secure kernel 130 of the secure OS 120 has a separate security driver for accessing and controlling the short-range wireless communication unit 150. When the secure kernel 130 accesses the short-range wireless communication unit 150, the general OS 110 cannot access the short-range wireless communication unit 150 controlled by the secure OS 120.

The USIM reader 160 is a generic term for the configuration that exchanges at least one data set with a universal subscriber identity module (USIM) mounted in or detached from the wireless terminal 100, based on the ISO/IEC 7816 standard. The data set is exchanged in a half-duplex communication manner through APDUs (Application Protocol Data Units).

The USIM is an SIM type card having an IC chip conforming to the ISO / IEC 7816 standard, and includes an input / output interface including at least one contact connected to the USIM reader 160, a program code for at least one IC chip (Or processing) the program code for the IC chip or extracting (or processing) the data set in accordance with at least one command transmitted from the wireless terminal 100 in connection with the input / output interface To the input / output interface.

According to the present invention, the general OS 110 is loaded with various applications that operate using the general kernel 115. An application of the general OS 110 displays one or more interface screens through the screen output unit 135 controlled through the general kernel 115, receives user operations through the user input unit 140 controlled through the general kernel 115, performs its designated operation, and provides various services to the user. Hereinafter, an application (or a program module embedded in or linked to an application) operating in accordance with the present invention on the general OS 110 is referred to as "program (n) 200". Preferably, the program (n) 200 includes an application that uses an electronic signature, such as a banking application, a payment application, or an authentication application executed in the general OS 110. However, the program (n) 200 is not limited to a banking application, a payment application, or an authentication application. Any application running on the general OS 110 can be used and belongs to the scope of the present invention.

According to the embodiment of the present invention, the program (n) 200 of the general OS 110 is provided in the upper part of the general kernel 115 on the OS structure and operates using the general kernel 115.

According to the present invention, at least one security application operating on the secure kernel 130 is installed in the secure OS 120. The security application on the secure OS 120 operates using the secure kernel 130 and may be connected to the screen output unit 135, the user input unit 140, the sound processing unit 145, the wireless network communication unit 155, the short-range wireless communication unit 150, and the like. Hereinafter, a security application (or a program module embedded in or linked to a security application) operating in accordance with the present invention on a general OS 110 is referred to as "program (s) 240". Preferably, the program (s) 240 may include a security app running on the secure OS 120.

According to an embodiment of the present invention, the program (s) 240 of the secure OS 120 is provided in the upper part of the secure kernel 130 on the OS structure and operates using the secure kernel 130.

The secure OS 120 (or a position between the general OS 110 and the secure OS 120) is provided with a security monitor 125 (Secure Monitor) that performs a series of procedures for switching the OS of the wireless terminal 100 from the general OS 110 to the secure OS 120, or from the secure OS 120 to the general OS 110. Since the security monitor 125 uses the commands of the secure OS 120, FIG. 1 illustrates the security monitor 125 as being provided in the secure OS 120 for the sake of convenience.

The switching procedure of the security monitor 125 can be performed when an SMC (Secure Monitor Call) command is generated through the kernel, or through an IRQ (Interrupt Request) or FIQ (Fast Interrupt Request).

FIG. 2 is a diagram showing a functional configuration of a program according to an embodiment of the present invention.

More specifically, FIG. 2 shows the functional configuration of the program (n) 200 of the general OS 110 and the program (s) 240 of the secure OS 120. A person having ordinary skill in the technical field of the present invention could derive various implementations of the programs by referring to and/or modifying FIG. 2; the present invention includes all such implementations, and its technical characteristics are not limited only by the method shown in FIG. 2.

Referring to FIG. 2, the program (n) 200 of the general OS 110 includes an information checking unit 205, which checks the transmission information to be transmitted to a designated server 150 through session security during a specified operation, and an interworking procedure unit 210. When the transmission information is confirmed, the interworking procedure unit 210 performs, through the general kernel 115, a series of procedures for handing the transmission information over to the program (s) 240 of the secure OS 120: it allocates a memory area accessible to the program (s) 240, or checks the pre-allocated memory area, and provides the confirmed transmission information to the memory area. Meanwhile, according to another embodiment of the present invention, the process of allocating the memory area or checking the pre-allocated memory area may be performed through the program (s) 240 of the secure OS 120, and an embodiment in which the program (s) 240 allocates/checks the memory area is also included in the scope of the present invention.

The program (n) 200 is executed in the general OS 110 to perform at least one designated operation such as banking, settlement, or authentication. During that operation, the information checking unit 205 checks the transmission information to be transmitted to the designated server 150 through session security. Preferably, in terms of information structure, the transmission information includes an information set to be transmitted to the designated server 150 and server information (e.g., a server address, a server identification value, etc.) for the server 150 to which the information set is to be transmitted. The information set may include any information that is to be transmitted securely to the designated server 150 through the communication network in connection with the designated operation, and is not limited to specific information. For example, the information set may include various information such as transaction information for banking transactions, payment information for payment settlement, and authentication information for performing an authentication procedure.
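The hand-off of transmission information through the shared memory area (the first to third steps), as an added example that is not code from the patent. The record layout, the magic value, the size limits, the server allow-list and all function names are assumptions made for illustration; the point shown is that program (s) copies the record out of memory the general OS can still write to, and validates only its private copy, before any session key is used.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TX_MAGIC      0x54584e31u   /* constructed record marker (assumption) */
#define MAX_SERVER_ID 32            /* assumed limit on server information */
#define MAX_INFO_SET  256           /* assumed limit on the information set */

enum tx_status { TX_OK = 0, TX_ERR_SIZE, TX_ERR_MAGIC, TX_ERR_LENGTH, TX_ERR_SERVER };

/* Header that program (n) writes at the start of the shared memory area. */
struct tx_header {
    uint32_t magic;
    uint16_t server_len;            /* bytes of server information */
    uint16_t info_len;              /* bytes of the information set */
};

/* Private copy kept in memory that only the secure side can reach. */
struct tx_record {
    char    server_id[MAX_SERVER_ID + 1];
    uint8_t info[MAX_INFO_SET];
    size_t  info_len;
};

/* Servers program (s) will open a session with (hypothetical allow-list). */
static const char *const designated_servers[] = { "bank.example", "pay.example" };

static int server_is_designated(const char *id)
{
    size_t n = sizeof designated_servers / sizeof designated_servers[0];
    for (size_t i = 0; i < n; i++)
        if (strcmp(id, designated_servers[i]) == 0)
            return 1;
    return 0;
}

/* Byte-wise copy out of memory the other world may rewrite at any time. */
static void copy_from_shared(void *dst, const volatile uint8_t *src, size_t n)
{
    uint8_t *d = dst;
    for (size_t i = 0; i < n; i++)
        d[i] = src[i];
}

/* Third step, secure side: snapshot first, then validate the snapshot only. */
enum tx_status secure_fetch_tx(const volatile uint8_t *shm, size_t shm_size,
                               struct tx_record *out)
{
    struct tx_header hdr;
    struct tx_record tmp;

    if (shm_size < sizeof hdr)
        return TX_ERR_SIZE;
    copy_from_shared(&hdr, shm, sizeof hdr);    /* lengths are read exactly once */
    if (hdr.magic != TX_MAGIC)
        return TX_ERR_MAGIC;
    if (hdr.server_len == 0 || hdr.server_len > MAX_SERVER_ID ||
        hdr.info_len == 0 || hdr.info_len > MAX_INFO_SET ||
        (size_t)hdr.server_len + hdr.info_len > shm_size - sizeof hdr)
        return TX_ERR_LENGTH;

    memset(&tmp, 0, sizeof tmp);
    copy_from_shared(tmp.server_id, shm + sizeof hdr, hdr.server_len);
    copy_from_shared(tmp.info, shm + sizeof hdr + hdr.server_len, hdr.info_len);
    tmp.info_len = hdr.info_len;

    /* An embedded NUL would make strcmp see a shorter name than was written. */
    if (strlen(tmp.server_id) != hdr.server_len || !server_is_designated(tmp.server_id))
        return TX_ERR_SERVER;
    *out = tmp;                                 /* later steps use this copy only */
    return TX_OK;
}

/* Second step, general OS side: program (n) records the transmission information. */
size_t normal_write_tx(uint8_t *shm, size_t shm_size, const char *server_id,
                       const uint8_t *info, uint16_t info_len)
{
    struct tx_header hdr = { TX_MAGIC, (uint16_t)strlen(server_id), info_len };
    size_t total = sizeof hdr + hdr.server_len + info_len;
    if (total > shm_size)
        return 0;
    memcpy(shm, &hdr, sizeof hdr);
    memcpy(shm + sizeof hdr, server_id, hdr.server_len);
    memcpy(shm + sizeof hdr + hdr.server_len, info, info_len);
    return total;
}

int main(void)
{
    uint8_t shm[128] = { 0 };                   /* stands in for the shared area */
    struct tx_record rec;
    const uint8_t info[] = "amount=100";        /* constructed sample payload */
    normal_write_tx(shm, sizeof shm, "bank.example", info, 10);
    return secure_fetch_tx(shm, sizeof shm, &rec) == TX_OK ? 0 : 1;
}
```

The session key exchange and encryption of the fourth and fifth steps are not shown; they would operate on the `tx_record` copy, never on the shared area.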

At least at the first execution of the program (n) 200 installed in the general OS 110, the interworking procedure unit 210 checks whether the secure OS 120 is loaded in the wireless terminal 100 and, when the secure OS 120 is installed in the wireless terminal 100, performs a procedure for loading the program (s) 240 for processing the session security into the secure OS 120. Once the program (s) 240 for processing session security is installed in the secure OS 120, the interworking procedure unit 210 stores, in the general OS storage area, identification information confirming that the program (s) 240 is loaded on the secure OS 120 and/or information identifying the program (s) 240 loaded on the secure OS 120.

When the transmission information is confirmed through the information checking unit 205, the interworking procedure unit 210 confirms, based on the identification information, that the program (s) 240 is loaded on the secure OS 120 and/or identifies the program (s) 240 loaded on the secure OS 120.

When the transmission information is confirmed and/or the program (s) 240 of the secure OS 120 is confirmed through the identification information, the interworking procedure unit 210 stores state information of the program (n) 200 as of immediately before switching to the secure OS 120. The state information is used, after the OS of the wireless terminal 100 has been switched from the general OS 110 to the secure OS 120 through the general kernel 115 to process the session security and has then been switched back from the secure OS 120 to the general OS 110, to restore the state of the program (n) 200 (for example, the interface screen state of the program (n) 200, the communication session state of the program (n) 200, etc.).

According to an embodiment of the present invention, the interworking procedure unit 210 maintains the state information of the program (n) 200 as of immediately before switching to the secure OS 120 through the general kernel 115 (for example, immediately before the secure OS 120 is driven via the SMC command). Even if the program (n) 200 is initialized and/or an exceptional situation such as a page fault occurs during the procedure of switching from the general OS 110 to the secure OS 120, the state of the program (n) 200 can then be restored, when the OS of the wireless terminal 100 is switched from the secure OS 120 to the general OS 110, to the state immediately before switching to the secure OS 120 using the state information.

When the program (s) 240 of the secure OS 120 has been confirmed and/or the status information of the program (n) 200 has been stored, the interworking procedure unit 210 generates, through the general kernel 115, an SMC command for driving the secure OS 120. The security monitor 125 verifies the validity of the SMC command and, when the verification is successful, performs a procedure for driving the secure OS 120 according to the SMC command.

Meanwhile, at a predetermined point in time before, during, or after the start of the operation of the secure OS 120, the interworking procedure unit 210 allocates a memory area that is accessible from the program (n) 200 and also accessible by the program (s) 240 of the secure OS 120, or identifies a pre-allocated memory area. For example, the allocated memory area may include a shared memory for inter-process communication between the program (n) 200 of the general OS 110 and the program (s) 240 of the secure OS 120. Whereas ordinary shared memory is allocated within one OS for inter-process communication inside that OS, the memory area of the present invention is a shared memory for inter-process communication between heterogeneous processes executed in heterogeneous OSs, namely the general OS 110 and the secure OS 120.

According to the first memory area allocation method of the present invention, the interworking procedure unit 210 allocates the memory area on the general OS 110 or checks the memory area allocated on the general OS 110. In this case, the security monitor 125 can access or monitor the memory area of the general OS 110, and the program (s) 240 of the secure OS 120 can indirectly access (or connect to) the memory area of the general OS 110 through the security monitor 125.

According to the second memory area allocation method of the present invention, the interworking procedure unit 210 allocates the memory area on the security monitor 125 or checks the memory area allocated to the security monitor 125. In this case, the interworking procedure unit 210 can allocate the memory area to the security monitor 125 or check the memory area allocated to the security monitor 125 through the SMC command.

According to the third memory area allocation method of the present invention, the interworking procedure unit 210 can allocate the memory area on a security server 150 on the network that the program (n) 200 can access (or connect to) and that the program (s) 240 can also access (or connect to), or can identify the memory area allocated to the security server 150. When the memory area is allocated to the security server 150 on the network, the program (n) 200 of the general OS 110 and the program (s) 240 of the secure OS 120 each connect to the security server 150 to read or write data to and from the memory area.

The interworking procedure unit 210 may set the program (n) 200 as the process of the general OS 110 that refers to the allocated memory area. Preferably, the interworking procedure unit 210 provides the PID (Process ID) of the program (n) 200 to the memory area so that, when the program (s) 240 of the secure OS 120 operates, the program (s) 240 can set the program (n) 200 as the process on the general OS 110 side that reads data recorded in the allocated memory area.

When a memory area accessible by the program (s) 240 of the secure OS 120 is allocated through at least one of the first to third memory area allocation schemes, or when a pre-allocated memory area is identified, the interworking procedure unit 210 can set the designated program (s) 240 as the process of the secure OS 120 that can access the allocated memory area. For example, the interworking procedure unit 210 may provide the address information of the allocated memory area (e.g., a memory address of a RAM, a memory address of a RAM provided in the processor, or a network address (and/or identification value) identifying the memory area) to the program (s) 240 of the secure OS 120 through the security monitor 125.

When a memory area accessible by the program (s) 240 of the secure OS 120 is allocated/verified and/or the memory area is made accessible to the program (s) 240 of the secure OS 120, the interworking procedure unit 210 may interwork with the security monitor 125 to prevent access to the memory area from processes of the general OS 110 other than the program (n) 200. Preferably, the interworking procedure unit 210 uses the memory access control function of the security monitor 125 so that processes of the general OS 110 other than the program (n) 200 cannot access the memory area.

Meanwhile, when a memory area accessible by the program (s) 240 of the secure OS 120 is allocated or a pre-allocated memory area is identified through at least one of the first to third memory area allocation methods, and/or the access control procedure for the memory area is performed, the interworking procedure unit 210 provides the transmission information confirmed through the information checking unit 205 to the memory area so that the program (s) 240 can securely transmit the transmission information to the designated server 150.

When the secure OS 120 is activated by the SMC command and the program (s) 240 of the secure OS 120 is executed, the access right of the allocated / confirmed memory area is managed by the security monitor 125 (S) 240 of the secure OS 120. In this case,

Referring to FIG. 2, the program (s) 240 of the secure OS 120 includes an interworking processing unit 245 that identifies a memory area allocated through at least one of the first to third memory area allocation methods and performs a procedure for interworking with the memory area.

When the secure OS 120 is activated and the program (s) 240 of the secure OS 120 is executed, the interworking processing unit 245, in conjunction with the operation procedure performed through the security monitor 125, identifies and accesses the memory area allocated for the program (s) 240 through at least one of the first to third memory area allocation methods. Preferably, the interworking processing unit 245 may perform a procedure of obtaining an access right to the memory area.

Meanwhile, the interworking processing unit 245 can check the memory area at any time before the program (s) 240 refers to the memory area, and the present invention is not limited to checking the memory area at a specific time.

Referring to FIG. 2, the program (s) 240 of the secure OS 120 includes a transmission information checking unit 250 for checking transmission information from the memory area shared with the program (n) 200; a server confirmation unit 255 for confirming the server 150 to which the transmission information is to be transmitted; a key exchange/confirmation unit 260 for exchanging a session key with the confirmed server 150 using the communication means of the wireless terminal 100, or confirming a session key already exchanged with the server 150; an encryption/decryption processing unit 265 for encrypting the transmission information through the exchanged/confirmed session key; and an information transmission unit 270 for transmitting the encrypted transmission information to the designated server 150 by using the communication means.

When the secure OS 120 is operated and the program (s) 240 of the secure OS 120 is executed, the transmission information checking unit 250 confirms the transmission information provided by the program (n) 200 of the general OS 110 from the memory area shared with the program (n) 200 of the general OS 110. The transmission information includes an information set to be transmitted to the designated server 150 and server information (e.g., a server address and a server identification value) for the server 150 to which the information set is to be transmitted.

When the transmission information is confirmed from the memory area, the server confirmation unit 255 reads the transmission information (e.g., checks the server information included in the transmission information) and confirms the server 150 to which the transmission information is to be transmitted.

When the server 150 to which the transmission information is to be transmitted is confirmed, the key exchange/confirmation unit 260 checks the validity of the session key that was exchanged with the confirmed server 150 and is held in the secure OS 120. If the session key is not confirmed, the key exchange/confirmation unit 260 exchanges a session key with the server 150 through the communication means of the wireless terminal 100 according to a predetermined key exchange algorithm. The exchanged session key is securely stored in the secure OS 120 for a specified validity time.

When the session key for the server 150 is exchanged/confirmed, the encryption/decryption processing unit 265 encrypts the transmission information (e.g., the information set of the transmission information) through the session key so that the server 150 can decrypt it, and the information transmission unit 270 transmits the encrypted transmission information to the server 150 through the communication means of the wireless terminal 100. According to the present invention, since the session key exchange and the encrypted transmission are performed on the secure OS 120 isolated from the general OS 110, this processing is protected from hacking or tampering.

Referring to FIG. 2, according to an embodiment of the present invention, the program (s) 240 of the secure OS 120 includes an information receiving unit 275 for receiving, through the communication means of the wireless terminal 100, response information corresponding to the result of transmitting the encrypted transmission information to the server 150, and an information providing unit 280 for providing a transmission result based on the response information to the memory area.

When the encrypted transmission information is effectively transmitted to the server 150 through the information transmission unit 270, the server 150 transmits response information (for example, ACK) indicating that it received the encrypted transmission information, and the information receiving unit 275 receives, through the communication means of the wireless terminal 100, the response information indicating that the encrypted transmission information has been transmitted to the server 150.

The information providing unit 280 generates, based on the response information, a transmission result of transmitting the transmission information to the server 150, and can provide the transmission result to the memory area confirmed through the interworking processing unit 245.

When the OS of the wireless terminal 100 is switched to the general OS 110 according to an embodiment of the present invention, the interworking procedure unit 210 of the program (n) 200 acquires the access right to the memory area (or relies on an already acquired right) and accesses the memory area. Meanwhile, the interworking procedure unit 210 of the program (n) 200 may restore the status of the program (n) 200 as of immediately before switching to the secure OS 120 using the status information.

Referring to FIG. 2, the program (n) 200 of the general OS 110 includes a reception information confirmation unit 215 that refers to the memory area and confirms the transmission result provided by the program (s) 240 of the secure OS 120, and an information processing unit 220 that performs an information processing procedure corresponding to the result of transmitting the transmission information to the server 150.

When the OS of the wireless terminal 100 is switched to the general OS 110, the reception information confirmation unit 215 refers to the memory area in cooperation with the interworking procedure unit 210 and confirms the transmission result that the program (s) 240 of the secure OS 120 provided to the memory area.

The information processing unit 220 reads the transmission result and determines whether the transmission information was securely transmitted to the server 150 through the session security between the secure OS 120 and the server 150. If the transmission information was securely transmitted to the server 150, the information processing unit 220 performs an information processing procedure corresponding to that result (for example, a banking procedure corresponding to the result of securely transmitting the transaction information for a banking transaction, a settlement procedure corresponding to the result of securely transmitting payment information for payment settlement, an authentication procedure corresponding to the result of securely transmitting authentication information for the authentication procedure, and the like).

Referring to FIG. 2, according to another embodiment of the present invention, the program (s) 240 of the secure OS 120 includes an information receiving unit 275 for receiving, through the communication means of the wireless terminal 100, reception information encrypted and transmitted by the server 150; an encryption/decryption processing unit 265 for decrypting the encrypted reception information through the session key; and an information providing unit 280 for providing the decrypted reception information to the memory area.

The server 150 receiving the transmission information generates reception information corresponding to the transmission information (or extracts reception information from the database), encrypts the reception information through the session key exchanged with the program (s) 240, and transmits it. In this case, the information receiving unit 275 receives the reception information encrypted and transmitted by the server 150 through the communication means of the wireless terminal 100.

When the encrypted reception information is received through the information reception unit 275, the encryption / decryption processing unit 265 decrypts the encrypted reception information using the session key exchanged with the server 150.

When the reception information is decrypted through the encryption/decryption processing unit 265, the information providing unit 280 provides the reception information to the memory area identified through the interworking processing unit 245, and the OS of the wireless terminal 100 is switched from the secure OS 120 to the general OS 110 according to a designated procedure. Preferably, the information providing unit 280 may record the reception information in the memory area so that it can be read or referred to through the program (n) 200 of the general OS 110.

On the other hand, the encryption/decryption processing unit 265 can encrypt the reception information according to a designated encryption method (for example, encrypt the reception information through an encryption key exchanged with the program (n) 200 of the general OS 110), and the information providing unit 280 may provide the encrypted reception information to the memory area identified through the interworking processing unit 245. The received information may be encrypted through the program (n) 200 of the general OS 110.

When the OS of the wireless terminal 100 is switched to the general OS 110 according to an embodiment of the present invention, the interworking procedure unit 210 of the program (n) 200 acquires the access right to the memory area (or relies on an already acquired right) and accesses the memory area. Meanwhile, the interworking procedure unit 210 of the program (n) 200 may restore the status of the program (n) 200 as of immediately before switching to the secure OS 120 using the status information.

Referring to FIG. 2, the program (n) 200 of the general OS 110 includes a reception information confirmation unit 215 that refers to the memory area and confirms the reception information provided by the program (s) 240 of the secure OS 120, and an information processing unit 220 that performs an information processing procedure corresponding to the result of transmitting the transmission information to the server 150.

When the OS of the wireless terminal 100 is switched to the general OS 110, the reception information confirmation unit 215 refers to the memory area in cooperation with the interworking procedure unit 210 and confirms the reception information that the program (s) 240 of the secure OS 120 provided to the memory area. If the program (s) 240 encrypts and provides the reception information, the reception information confirmation unit 215 can decrypt the encrypted reception information.

The information processing unit 220 may perform an information processing procedure for providing a designated service based on the received information (for example, a banking procedure corresponding to a banking transaction, a payment procedure corresponding to payment settlement, and a corresponding terminal authentication procedure).

FIG. 3 is a diagram illustrating a process of preparing a program (s) 240 in the secure OS 120 according to an embodiment of the present invention.

FIG. 3 illustrates a process of installing a program (s) 240 in the secure OS 120 and exchanging a session key with a designated server 150. Those skilled in the art will be able to infer various implementations of the process of preparing the program (s) 240 (e.g., with some steps omitted or the sequence changed) by referring to and/or modifying FIG. 3; the present invention includes all such implementations, and its technical features are not limited to the method shown in the figure.

Referring to FIG. 3, the program (n) 200 of the general OS 110 checks, based on the model of the wireless terminal 100 (or the type of its processor), whether a secure OS 120 (TrustZone) is mounted on the wireless terminal 100 (300). If the secure OS 120 is installed in the wireless terminal 100, the program (n) 200 performs a procedure for loading the designated program (s) 240 into the secure OS 120 (305).

The program (s) 240 is loaded in the secure OS 120 according to a designated procedure (310), and the program (s) 240 loaded in the secure OS 120 performs, through the communication means of the wireless terminal 100, a key exchange procedure for exchanging a session key with the designated server 150 according to a designated key exchange algorithm (315). If the session key is exchanged with the server 150 through the key exchange procedure, the program (s) 240 may maintain the session key in the secure OS 120 for a specified validity time (320).

When the program (s) 240 is loaded on the secure OS 120, the program (n) 200 of the general OS 110 stores identification information confirming that the program (s) 240 is loaded on the secure OS 120 and/or information identifying the program (s) 240 loaded on the secure OS 120.

FIG. 4 is a diagram illustrating a transaction interworking process between the general OS 110 and the secure OS 120 according to an embodiment of the present invention.

FIG. 4 illustrates the interworking process in which, when the program (n) 200 of the general OS 110 confirms transmission information to be transmitted to the designated server 150 through session security while performing the specified operation, the transmission information is passed to the program (s) 240 of the secure OS 120. Those skilled in the art will be able to infer various implementations of the interworking process between the general OS 110 and the secure OS 120 (e.g., with some steps omitted or the order changed) by referring to and/or modifying FIG. 4; the present invention includes all such implementations, and its technical features are not limited to the method shown in the figure.

Referring to FIG. 4, the program (n) 200 of the general OS 110 performs the specified operation implemented therein (400) and confirms transmission information to be transmitted to the designated server 150 through session security (405). If the transmission information is confirmed, the program (n) 200 checks, using the identification information, whether the program (s) 240 for processing session security is loaded on the secure OS 120 side of the wireless terminal 100 (410). If the program (s) 240 is not loaded in the secure OS 120, the program (n) 200 may perform a procedure for loading the program (s) 240 into the secure OS 120.

Meanwhile, if the program (s) 240 is installed in the secure OS 120, the program (n) 200 stores status information of the program (n) 200 as of before switching to the secure OS 120, and allocates a memory area accessible by the program (s) 240 of the secure OS 120 or checks an already allocated memory area (420). If the memory area is allocated/confirmed, the program (n) 200 sets the access right of the program (n) 200 to the allocated/confirmed memory area and at the same time sets the program (s) 240 to be able to access the memory area (425), provides the confirmed transmission information to the memory area (430), and processes the OS of the wireless terminal 100 to switch to the secure OS 120 (435).

When the OS of the wireless terminal 100 is switched to the secure OS 120 and the program (s) 240 is executed (440), the program (s) 240 checks the memory area shared with the program (n) 200 (445). Depending on the implementation, the memory area may be allocated through the program (s) 240, and the present invention includes an embodiment in which the program (s) 240 allocates the memory area. If a memory area accessible by the program (s) 240 is not confirmed, the program (s) 240 processes the OS of the wireless terminal 100 to switch to the general OS 110 (450), and when the OS of the wireless terminal 100 is switched to the general OS 110, the program (n) 200 of the general OS 110 restores the state of the program (n) 200 as of before the switch to the secure OS 120 (455).

Meanwhile, if a memory area accessible by the program (s) 240 is confirmed, the program (s) 240 confirms the access right to the memory area (460). If the access right to the memory area is not confirmed, the program (s) 240 processes the OS of the wireless terminal 100 to switch to the general OS 110 (450), and when the OS of the wireless terminal 100 is switched to the general OS 110, the program (n) 200 of the general OS 110 restores the state of the program (n) 200 as of before switching to the secure OS 120 (455).

Meanwhile, when the access right to the memory area is confirmed, the program (s) 240 confirms the transmission information from the memory area (465). If the transmission information is not confirmed, the program (s) 240 processes the OS of the wireless terminal 100 to switch to the general OS 110 (450), and when the OS of the wireless terminal 100 is switched to the general OS 110, the program (n) 200 of the general OS 110 restores the state of the program (n) 200 as of before switching to the secure OS 120.

Meanwhile, when the transmission information is confirmed, the program (s) 240 reads the transmission information and confirms the server 150 to transmit the transmission information (470).
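The check sequence of steps 445 to 470, together with the PID-bound access control on the shared memory area described earlier, can be sketched in C as follows. This is an added example, not code from the patent: the structure layout, size bounds, status codes and function names are assumptions, as is the snapshot-then-validate copy on the secure side, which the patent does not describe.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names, sizes and layout: the patent text defines none of them. */
#define MAX_SERVER  64   /* assumed bound on server info (address or id) */
#define MAX_INFOSET 256  /* assumed bound on the information set */

/* Transmission info as program (n) records it in the shared memory area. */
typedef struct {
    uint32_t server_len, infoset_len;
    uint8_t  server[MAX_SERVER];
    uint8_t  infoset[MAX_INFOSET];
} tx_info_t;

/* Shared area plus the access rights the security monitor would enforce. */
typedef struct {
    int       allocated;      /* 420: area allocated or confirmed */
    uint32_t  normal_pid;     /* only this general-OS process may access */
    uint32_t  secure_prog_id; /* the designated program (s) */
    int       has_tx;         /* 430: transmission info provided */
    tx_info_t tx;
} shared_area_t;

/* State of program (n) kept across the OS switch (screen, session). */
typedef struct { int screen_id, session_id; } n_state_t;
typedef enum { SS_OK, SS_NO_AREA, SS_NO_ACCESS, SS_NO_TX_INFO } ss_status_t;

/* 420-425: allocate the area, bind it to one PID and one program (s). */
void area_setup(shared_area_t *a, uint32_t pid, uint32_t prog_id)
{
    memset(a, 0, sizeof *a);
    a->allocated = 1;
    a->normal_pid = pid;
    a->secure_prog_id = prog_id;
}

/* 430, general OS side: only the bound PID may provide transmission info. */
ss_status_t normal_write_tx(shared_area_t *a, uint32_t pid, const char *server,
                            const void *set, uint32_t set_len)
{
    size_t slen = strlen(server);
    if (!a->allocated)        return SS_NO_AREA;
    if (pid != a->normal_pid) return SS_NO_ACCESS;
    if (slen == 0 || slen > MAX_SERVER || set_len == 0 || set_len > MAX_INFOSET)
        return SS_NO_TX_INFO;
    a->tx.server_len = (uint32_t)slen;
    a->tx.infoset_len = set_len;
    memcpy(a->tx.server, server, slen);
    memcpy(a->tx.infoset, set, set_len);
    a->has_tx = 1;
    return SS_OK;
}

/* 445-470, secure OS side. The general OS can write to the area, so it is
 * copied once into secure-side memory and only that copy is validated and
 * used; a length re-read from the shared area after the check could have
 * been changed in between. */
ss_status_t secure_read_tx(const shared_area_t *a, uint32_t prog_id, tx_info_t *out)
{
    tx_info_t snap;
    if (a == NULL || !a->allocated)   return SS_NO_AREA;    /* 445 */
    if (prog_id != a->secure_prog_id) return SS_NO_ACCESS;  /* 460 */
    if (!a->has_tx)                   return SS_NO_TX_INFO; /* 465 */
    memcpy(&snap, &a->tx, sizeof snap);
    if (snap.server_len == 0 || snap.server_len > MAX_SERVER ||
        snap.infoset_len == 0 || snap.infoset_len > MAX_INFOSET)
        return SS_NO_TX_INFO;   /* malformed is treated as "not confirmed" */
    *out = snap;                /* 470: server info can now be read */
    return SS_OK;
}

/* 435-455: keep the state, enter the secure OS, and restore the state on the
 * way back whether or not the secure side confirmed the transmission info. */
ss_status_t switch_and_read(const shared_area_t *a, uint32_t prog_id,
                            n_state_t *live, tx_info_t *out)
{
    n_state_t saved = *live;        /* state information kept before switching */
    ss_status_t rc;
    memset(live, 0, sizeof *live);  /* models (n) being initialized by the switch */
    rc = secure_read_tx(a, prog_id, out);
    *live = saved;                  /* 455: restore on return to the general OS */
    return rc;
}

int main(void)
{
    shared_area_t area;
    tx_info_t got;
    n_state_t st = { 7, 42 };       /* constructed sample values throughout */
    ss_status_t rc;
    area_setup(&area, 1234, 1);
    normal_write_tx(&area, 1234, "bank.example", "amount=10", 9);
    rc = switch_and_read(&area, 1, &st, &got);
    printf("status=%d server=%.*s\n", (int)rc, (int)got.server_len, (const char *)got.server);
    return 0;
}
```

Every failure branch returns a distinct status before any field of the shared area is interpreted, which mirrors the three separate fall-back paths to step 450 in FIG. 4.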

FIG. 5 is a diagram illustrating a process of processing a session secure communication with the server 150 through the secure OS 120 according to an embodiment of the present invention.

FIG. 5 illustrates a process in which the program (s) 240 of the secure OS 120 exchanges a session key with the server 150 or confirms an already exchanged session key, encrypts the transmission information provided by the program (n) 200 and transmits it to the server 150, and provides the transmission result to the program (n) 200 of the general OS 110. Those skilled in the art will be able to infer various implementations of the session secure communication process through the secure OS 120 (e.g., with some steps omitted or the order changed) by referring to and/or modifying FIG. 5; the present invention includes all such implementations, and its technical features are not limited to the method shown in the figure.

Referring to FIG. 5, if the transmission information provided by the program (n) 200 of the general OS 110 is confirmed through the process shown in FIG. 4 and the server 150 to which the transmission information is to be transmitted is confirmed, the program (s) 240 checks for a session key exchanged with the confirmed server 150 (500).

If the session key exchanged with the server 150 is not confirmed, the program (s) 240 performs a key exchange procedure for exchanging a session key with the server 150 through the communication means of the wireless terminal 100 (505). The server 150 also performs a key exchange procedure for exchanging a session key with the program (s) 240 (505).

When a key exchange procedure for exchanging a session key with the server 150 is performed, the program (s) 240 confirms the session key exchanged with the server 150 and maintains the confirmed session key in the secure OS 120 (510).

When the session key is confirmed, the program (s) 240 encrypts the transmission information through the session key (515) and transmits the encrypted transmission information to the server 150 through the communication means of the wireless terminal 100 (520).

The server 150 receives the encrypted transmission information through a communication network (525), decrypts the encrypted transmission information through the exchanged session key (530), and transmits response information for the transmission information to the program (s) 240 (535).

The program (s) 240 receives the response information for the transmission information through the communication means of the wireless terminal 100 (540), generates a transmission result from the response information (545), and provides the transmission result to the memory area shared with the program (n) 200 of the general OS 110 (550). The program (s) 240 processes the OS of the wireless terminal 100 to switch to the general OS 110 (555). When the OS of the wireless terminal 100 is switched to the general OS 110, the program (n) 200 of the general OS 110 restores the state of the program (n) 200 as of before switching to the secure OS 120 (560).

The program (n) 200 of the general OS 110 identifies and accesses the memory area shared with the program (s) 240 of the secure OS 120 (565), and confirms the transmission result provided by the program (s) 240 of the secure OS 120 (570). If the transmission result is not confirmed, the program (n) 200 outputs an error and initializes the operation of the program (n) 200 (575). If the transmission result is confirmed, the program (n) 200 performs an information processing procedure corresponding to the transmission result (580).

FIG. 6 is a diagram illustrating a process of processing a session secure communication with the server 150 through the secure OS 120 according to another embodiment of the present invention.

FIG. 6 illustrates a process in which the program (s) 240 of the secure OS 120 exchanges a session key with the server 150 or confirms an already exchanged session key, encrypts the transmission information provided by the program (n) 200 and transmits it to the server 150, and, when the server 150 encrypts and transmits reception information corresponding to the transmission information, receives and decrypts the reception information and provides it to the program (n) 200 of the general OS 110. Those skilled in the art will be able to infer various implementations of the session secure communication process through the secure OS 120 (e.g., with some steps omitted or the order changed) by referring to and/or modifying FIG. 6; the present invention includes all such implementations, and its technical features are not limited to the method shown in the figure.

Referring to FIG. 6, if the transmission information provided by the program (n) 200 of the general OS 110 is confirmed through the process shown in FIG. 4 and the server 150 to transmit the transmission information is confirmed, The program (s) 240 confirms the session key being exchanged with the confirmed server 150 (600).

If the session key exchanged with the server 150 is not confirmed, the program (s) 240 performs a key exchange procedure for exchanging a session key with the server 150 through the communication means of the wireless terminal 100 (605), and the server 150 also performs a key exchange procedure for interchanging the session key with the program (s) 240 (605).

When a key exchange procedure for exchanging a session key with the server 150 is performed, the program (s) 240 confirms the session key exchanged with the server 150 and maintains the confirmed session key in the secure OS 120 (610).

If the session key exchanged with the server 150 is confirmed, the program (s) 240 encrypts the transmission information through the session key (615) and transmits the encrypted transmission information to the server 150 (620).

The server 150 receives the encrypted transmission information through a communication network (625), and decrypts the encrypted transmission information through the exchanged session key (630). The server 150 generates or extracts the reception information corresponding to the transmission information (635), encrypts the reception information through the session key (640), and transmits the encrypted reception information (645).

The program (s) 240 receives the encrypted reception information corresponding to the transmission information through the communication means of the wireless terminal 100 (650), decrypts the encrypted reception information through the session key, and provides the decrypted reception information to the memory area shared with the program (n) 200 of the general OS 110 (660). According to an embodiment of the present invention, the program (s) 240 encrypts the reception information using a predetermined encryption method and provides the encrypted reception information to the memory area (660). The program (s) 240 processes the OS of the wireless terminal 100 to switch to the general OS 110 (665). When the OS of the wireless terminal 100 is switched to the general OS 110, the program (n) 200 of the general OS 110 restores the state of the program (n) 200 as of before switching to the secure OS 120 (670).

The program (n) 200 of the general OS 110 identifies and accesses the memory area shared with the program (s) 240 of the secure OS 120 (675), and checks for the reception information provided by the program (s) 240 of the secure OS 120 (680). If the reception information is not confirmed, the program (n) 200 outputs an error and can initialize the operation of the program (n) 200 (685). If the reception information is confirmed, the program (n) 200 performs an information processing procedure corresponding to the reception information (690). If the reception information was encrypted by the program (s) 240, the program (n) 200 decrypts the encrypted reception information and performs the corresponding information processing procedure (690).
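The flow of steps 615 to 690 can be modelled as follows. This is an added illustration, not code from the patent: the cipher (an HMAC-SHA256 keystream with a MAC tag, standing in for a real AEAD), the `ACK:` reply, the tamper switch and all function names are assumptions, and the session key is taken as already exchanged (steps 605 and 610).

```python
import hashlib, hmac, os

def _subkeys(key):  # derive separate encryption and MAC keys from the session key
    return [hmac.new(key, t, hashlib.sha256).digest() for t in (b"enc", b"mac")]

def _stream(k, nonce, n):  # HMAC-SHA256 counter keystream (assumed stand-in cipher)
    blocks = (hmac.new(k, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    ek, mk = _subkeys(key)
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(ek, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):  # returns None when the blob is missing or its tag is wrong
    if blob is None or len(blob) < 44:
        return None
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(ek, nonce, len(ct))))

def server_150(key, blob):  # steps 625-645: decrypt, build reply, encrypt
    request = unseal(key, blob)
    return None if request is None else seal(key, b"ACK:" + request)

class ProgramS:  # program (s) 240: the only terminal-side holder of the session key
    def __init__(self, session_key, network):
        self._key, self._net = session_key, network
    def run(self, shared):  # steps 615-660
        reply = self._net(seal(self._key, shared.pop("tx")))
        rx = unseal(self._key, reply)
        if rx is not None:
            shared["rx"] = rx  # decrypted reception information into the shared area

def program_n(payload, enter_secure_os):  # program (n) 200: steps 675-690
    shared = {"tx": payload}       # memory area shared between the two programs
    enter_secure_os(shared)        # stands in for the switch to the secure OS and back
    if "rx" not in shared:
        raise RuntimeError("reception information not confirmed (685)")
    return shared["rx"]

def demo(tamper=False):  # constructed payload; tamper flips one ciphertext bit in transit
    key = os.urandom(32)           # assumed outcome of key exchange (605, 610)
    def network(blob):
        if tamper:
            blob = blob[:12] + bytes([blob[12] ^ 1]) + blob[13:]
        return server_150(key, blob)
    return program_n(b"transfer:100", ProgramS(key, network).run)
```

Program (n) never receives the key: it only sees what program (s) leaves in the shared area, so a failed exchange surfaces on the general OS side as missing reception information.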

100: wireless terminal
110: general OS
115: general kernel
120: secure OS
125: security monitor
130: secure kernel
200: program (n)
205: information verification unit
210: interworking procedure unit
215: reception information checking unit
220: information processing unit
240: program (s)
245: interworking processing unit
250: transmission information checking unit
255: server verification unit
260: key exchange / verification unit
265: encryption / decryption processing unit
270:
275: information receiving unit
280: information providing unit

Claims (12)

A method for executing a secure operating system (Secure OS) having a secure kernel and a normal operating system having a kernel structure, the method comprising:
A first step in which the program (n) of the general OS allocates a memory area accessible by the designated program (s) of the secure OS or identifies an allocated memory area;
A second step of recording, in the memory area, transmission information to be transmitted to the designated server by the program (n) of the general OS;
A third step of the program (s) of the secure OS verifying transmission information recorded by the program (n) of the general OS from the memory area;
A fourth step of the program (s) of the secure OS exchanging a session key with a server designated by the communication means of the wireless terminal or confirming a session key exchanged with the server; and
encrypting the transmission information through the session key and transmitting the encrypted transmission information to the server through the communication means of the wireless terminal.

The method according to claim 1,
A sixth step of providing the transmission result of the program (s) transmitted to the server to the memory area; and
the program (n) referring to the transmission result in the memory area.

The method according to claim 1,
A sixth step of the program (s) receiving the encrypted reception information from the server through the communication means of the wireless terminal;
Decrypting the encrypted reception information through the session key and providing the encrypted reception information to the memory area; and
the program (n) referring to the reception information in the memory area.

The method of claim 1,
and a trust zone mounted on the processor.

The method according to claim 1,
When the program (s) is loaded on the secure OS,
Further comprising the step of: identifying, by the program (n), that the program (s) is mounted on the secure OS or identification information identifying the program (s) mounted on the secure OS in a general OS storage area,
Wherein the first step is to allocate the memory area or to identify a pre-allocated memory area when it is identified, through the identification information, that the program (s) is mounted on the secure OS.

The method according to claim 1,
Before the program (n) records the transmission information in the memory area,
Further comprising checking transmission information to be transmitted to the designated server by the program (n) of the general OS.

The method according to claim 1,
Before the program (n) records the transmission information in the memory area,
Further comprising the step of storing and maintaining status information on the program (n) immediately before the program (n) is switched to the secure OS.

The method according to claim 1,
Further comprising the step of the program (n) operating a secure OS through an SMC (Secure Monitor Call) command.

The method according to claim 1,
Wherein the program (n), when allocating a memory area, allocates the memory area to the general OS, or, when identifying a pre-allocated memory area, identifies a memory area pre-allocated to the general OS.

The method according to claim 1,
Wherein the program (n) allocates the memory area to the security monitor performing the switching procedure between the general OS and the secure OS, or identifies the pre-allocated memory area.

(deleted)

The method according to claim 1,
Further comprising setting the program (n) as a process of a general OS side in which the program (n) refers to the memory area.

KR1020150041512A 2015-03-25 2015-03-25 Method for Providing Session Security by using Secure Operating System KR101662947B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150041512A KR101662947B1 (en) 2015-03-25 2015-03-25 Method for Providing Session Security by using Secure Operating System

Publications (1)

Publication Number Publication Date
KR101662947B1 true KR101662947B1 (en) 2016-10-05

Family

ID=57153803

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150041512A KR101662947B1 (en) 2015-03-25 2015-03-25 Method for Providing Session Security by using Secure Operating System

Country Status (1)

Country Link
KR (1) KR101662947B1 (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20140011998A (en) * 2012-07-20 2014-01-29 오베르뛰르 테크놀로지스 Updating an operating system for secure element

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101923054B1 (en) * 2016-11-25 2018-11-29 (주)휴네시온 Wire and wireless gateway for detecting malignant action autonomously based on signature and method thereof
WO2019098790A1 (en) * 2017-11-20 2019-05-23 삼성전자 주식회사 Electronic device and method for transmitting and receiving data on the basis of security operating system in electronic device
US11347897B2 (en) 2017-11-20 2022-05-31 Samsung Electronics Co., Ltd. Electronic device and method for transmitting and receiving data on the basis of security operating system in electronic device

Legal Events

Date Code Title Description
E701 Decision to grant or registration of patent right
GRNT Written decision to grant
FPAY Annual fee payment

Payment date: 20190902

Year of fee payment: 4