CN104102876A - Device for safeguarding operational security of client side - Google Patents
Device for safeguarding operational security of client side Download PDFInfo
- Publication number
- CN104102876A CN104102876A CN201410342446.2A CN201410342446A CN104102876A CN 104102876 A CN104102876 A CN 104102876A CN 201410342446 A CN201410342446 A CN 201410342446A CN 104102876 A CN104102876 A CN 104102876A
- Authority
- CN
- China
- Prior art keywords
- middleware
- security
- operating system
- client
- secure
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
Abstract
An embodiment of the invention discloses a device for safeguarding operational security of a client side. The device comprises a security part, an unsecure operating system, a secure operating system, a first middleware proxy, a second middleware proxy and second middleware, wherein the first middleware proxy and the second middleware proxy operate in the unsecure operating system, and the second middleware operates in the secure operating system. Client-side applications are installed on the unsecure operating system and directly call first middleware and call the second middleware through the second middleware proxy. Sensitive data in the client-side applications are stored in the security part, the first middleware is used for completing a part of service functions in the client-side applications in the unsecure operating system, and the second middleware is used for completing another part of service functions of the client-side applications by interacting with the security part in the unsecure operating system. According to the embodiment, potential security hazards of operations completed by the client side are reduced or even avoided.
Description
Technical field
The present invention relates to field of embedded technology, particularly relate to the device that ensures client security of operation.
Background technology
The application system of bank system of web or e-financing system etc. generally by: service end, go-between layer and client form, and the security of whole application system need to be ensured by the security of operation of above three parts.For example, in bank system of web, service end and go-between layer ensure its security of operation by bank, and the security of operation of client is ensured by Web bank's safety feature.
At present, Web bank's safety feature of main flow is: Net silver shield (also can be called USBKey, its profile seems a portable USB flash disk), Net silver shield, as the terminal of authenticating user identification and trading signature, is widely used in various terminal authentication products by Web bank and e-finance etc.Equally, in other application system except bank system of web, also there is the device that ensures client security of operation.
In the device of these guarantee client security of operation, can be integrated with microprocessor, storer and Chip Operating System (COS, Chip On Sysetem), and form an independently computer system, there is independently data-handling capacity.And, by the data processing of security mechanism guarantee in this device and the safety of transmission of COS.
Because these devices that ensure client security of operation are all smaller and more exquisite in shape, therefore, the configuration of its Chip Operating System and hardware conventionally can be too not high.And be subject to the restriction of configuration aspect, conventionally the very high operation of some security requirements can only be given to this device carries out, and give client executing by operation relatively low all the other some security requirements, thereby avoid bringing too large working pressure to this device.
But, realizing in process of the present invention, the present inventor finds that in prior art, at least there are the following problems: because client operates in the execution environment (execution environment comprises operating system part and corresponding hardware components) of an opening, and open execution environment itself is dangerous, incredible, will there is very large potential safety hazard in the operation therefore, being completed by client.For example, the PIN code of inputting Net silver shield as user in client is so that client when submitting to Net silver shield and verifying, because the execution environment of an opening cannot stop the attack of the Malwares such as keyboard record, therefore, probably there will be PIN code to reveal.
Summary of the invention
In order to solve the problems of the technologies described above, the embodiment of the present invention provides the device that ensures client security of operation, to reduce even to avoid the potential safety hazard of the operation being completed by client.
The embodiment of the invention discloses following technical scheme:
A kind of device that ensures client security of operation, comprise: safety component, non-security operating system, secure operating system, the first middleware and the second middleware that operate in described non-security operating system are acted on behalf of, and operated in the second middleware in described secure operating system; Wherein,
In described non-security operating system, client application is installed, described client application is directly called described the first middleware, and described client application is by the second middleware described in described the second middleware proxy call;
Described safety component is for realizing the information security of described device;
Described the first middleware is for predefined Part I service function in described non-security operating system completes described client application;
Described the second middleware in described secure operating system by carrying out alternately with described safety component, complete predefined Part II service function in described client application.
Described secure operating system is arranged in secure execution environments, and described non-security operating system is arranged in non-security execution environment, between described secure execution environments and described non-security execution environment, isolates by hardware firewall.
Described secure execution environments and described non-security execution environment share identical hardware system.
Described hardware system is credible execution environment TEE chip hardware system.
Between described secure execution environments and described non-security execution environment, switch by safety monitor.
Described the second middleware is undertaken by application programming interfaces API and described safety component alternately.
Described the second middleware at least comprises input middleware, output middleware, authentication middleware, signature middleware and file management middleware.
Described the second middleware agency at least comprises: input middleware agency, output middleware agency, authentication middleware agency, signature middleware agency and file management middleware agency.
Described safety component comprises Chip Operating System COS and safety element SE chip hardware system.
Described COS at least comprises input subsystem, output subsystem, authentication subsystem, signature subsystem and file managemnent subsystem.
Described COS also comprises: lifecycle subsystem, and for managing each life cycle of described COS.
As can be seen from the above-described embodiment, compared with prior art, the invention has the advantages that:
The device that ensures client security of operation is built in the equipment at client place, that is to say, client and the device that ensures client security of operation are integrated in same equipment.In this equipment, include two operating systems of isolation mutually: secure operating system and non-security operating system, the non-security execution environment at the secure execution environments at this secure operating system place and this non-security operating system place shares same hardware system.For there is no security requirement, or the low-down operation of security requirement, can be carried out by non-security operating system control.And for the higher operation of security requirement, can be carried out by secure execution environments control.For example, the operation such as input of PIN code.Therefore, can reduce even to avoid the potential safety hazard of the operation being completed by client.
In addition, due to the secure execution environments at this secure operating system place and the shared same hardware system of the non-security execution environment at this non-security operating system place, therefore, also provide cost savings, reduced complicacy and power consumption.
And, the device that ensures client security of operation being built in to the equipment at client place, can also prevent from that user is unexpected in process of service execution the device that ensures client security of operation is extracted, ensure the smooth execution of business.
Brief description of the drawings
In order to be illustrated more clearly in the embodiment of the present invention or technical scheme of the prior art, to the accompanying drawing of required use in embodiment or description of the Prior Art be briefly described below, apparently, accompanying drawing in the following describes is only some embodiments of the present invention, for those of ordinary skill in the art, do not paying under the prerequisite of creative work, can also obtain according to these accompanying drawings other accompanying drawing.
Fig. 1 is the structural drawing of an embodiment of a kind of device that ensures client security of operation provided by the invention;
Fig. 2 is the structural drawing of another embodiment of a kind of device that ensures client security of operation provided by the invention;
Fig. 3 is the structural drawing of another embodiment of a kind of device that ensures client security of operation provided by the invention;
Fig. 4 is the method flow diagram of realizing signature operation by the device of guarantee client security of operation of the present invention.
Embodiment
The embodiment of the present invention provides a kind of device that ensures client security of operation.The core of technical solution of the present invention is, for the device that ensures client security of operation provides more powerful hardware and software performance, the device that ensures client security of operation is built in the equipment at client place, that is to say, client and the device that ensures client security of operation are integrated in same equipment.Equipment after this is integrated is the device of the novel guarantee client security of operation of the present invention's proposition.This device can be PC, can be also various mobile terminals (comprising mobile phone and panel computer etc.).Wherein, in this device, two parallel execution environments have been isolated: non-security execution environment and secure execution environments.For there is no security requirement, or the low-down operation of security requirement, can be placed in non-security execution environment and carry out.And for the higher operation of security requirement, can be placed in secure execution environments and carry out.
At present, " secure operating system " (also can be called trusted operating system) refer to computer information system in autonomous access control, force to meet corresponding safety specifications aspect ten of access control, mark, identity discriminating, object reuse, audit, data integrity, covert channel analysis, trusted path and trusted recoveries etc.The principal character of " secure operating system " is:
1, principle of least privilege, each superuser only has the power that can carry out his work.
2, realize autonomous access control and force access control, forcing access control to comprise confidentiality access control and integrality access control.
3, security audit.
4, security domain isolation.
As long as there has been the security function of these bottoms, various mixing as virus, trojan horse program, network intrusions and the people of " application software " could really be resisted for illegal operation, because they have run counter to the safety rule of operating system, has also just lost the basis of operation.
Secure execution environments, for example, credible execution environment (TEE, Trusted Execution Environment), refer to by the secure operating system of operation through authenticating on the terminal device adopting safe design, thereby the application execution environment that can trust is provided on existing terminal device.As required, the equipment of operation TEE can reach EAL2,3 or higher level.Above-mentioned safe design comprises aspects such as adopting SoC (System On Chip, Chip Operating System) chip and circuit board layout rule.Aspect SoC chip, the application processor core on mobile terminal is used the Cortex family chip of ARM company more at present, and ARM company has realized TrustZone technology on Cortex processor.
TrustZone technology makes SoC chip possess normal and safe two states, under normal condition, can move the non-security operating systems such as Android, and carries out corresponding application program.Under safe condition, can security of operation operating system (Trusted OS), and carry out the higher operation of some security requirement and service, as operations such as user cipher input, Transaction Information show, secured session foundation with remote server, encryption and decryption data, preservation user sensitive informations.When time in a safe condition, each application program under non-security operating system does not have control to whole terminal device, only there is the corresponding application program under secure operating system can access terminal equipment, as, display, keyboard, SD card and NFC (close range wireless communication, Near Field Communication) equipment on terminal device etc.
Secure operating system can resist various at present known long-range attacks and local software is attacked, and part hardware attack can not be resisted the various tamper resistant hardwares attacks that smart card has.
In addition, aspect software, application program can be divided into two parts, a part is the application program operating under the non-security operating systems such as Android, these application programs provide friendly interface for user, and another part is the security service operating in secure operating system, and these services will be carried out the higher operation of security, as, user profile input and transaction content confirmation etc.
For above-mentioned purpose of the present invention, feature and advantage can be become apparent more, below in conjunction with accompanying drawing, the embodiment of the present invention is described in detail.
Refer to Fig. 1, the structural drawing of its embodiment who is a kind of device that ensures client security of operation provided by the invention, this device 10 comprises: safety component 11, non-security operating system 12, secure operating system 13, the first middleware 121 and the second middleware that operate in non-security operating system 12 are acted on behalf of 122, and operated in the second middleware 131 in secure operating system 13.Wherein,
In non-security operating system 12, client application 20 is installed, client application 20 is directly called the first middleware 121 operating in non-security operating system 12, and client application 20 calls by the second middleware agency 122 who operates in non-security operating system 12 the second middleware 131 operating in secure operating system 13.
Safety component 11 is for realizing the information security of described device.
The first middleware 121 is for predefined Part I service function in non-security operating system 12 completes client application 20.The second middleware 131 in secure operating system 13 by carrying out alternately, completing predefined Part II service function in client application with safety component 11.For example, in the time that the device 10 of this guarantee client security of operation applies to Web bank's application, the sensitive data 21 that safety component 11 is stored includes but not limited to PIN code and transaction key.
Predefined Part I service function is the low service function of more predefined securities, that is, the first middleware completes the low service function of some securities in client application.And predefined Part II service function is more predefined safe service functions, that is, the second middleware completes some safe service functions in client application.For example, safe service function includes but not limited to: user profile input and trading signature etc.
Safety component 11 is specifically as follows a USBKey module (storage sensitive data), the second middleware in secure operating system by carrying out alternately, can realizing the mathematical operation such as trading signature and encryption and decryption with this USBKey module.
Wherein, middleware is on the upper strata of operating system, network and database, the lower floor of application program, and total effect is for the environment of operation with exploitation is provided in the application program on own upper strata, helps the application program of user flexibility, efficiently exploitation and integrated complex.
In a preferred embodiment of the present invention, as shown in Figure 2, secure operating system 12 is arranged in a secure execution environments, and non-security operating system 13 is arranged in a non-security execution environment, in the middle of secure execution environments and non-security execution environment, isolates by hardware firewall.
In another preferred embodiment of the present invention, described secure execution environments and described non-security execution environment share identical hardware system.For example, this hardware system is credible execution environment (TEE, Trusted Execution Environment) chip hardware system.
In another preferred embodiment of the present invention, between described secure execution environments and described non-security execution environment, switch by safety monitor.
Wherein can realize the switching between two physical address spaces in secure execution environments and non-security execution environment by memory attribute.That is, secure address space and non-security address space, non-security execution environment can only be accessed non-security address space, and can not access security address space.
In another preferred embodiment of the present invention, as shown in Figure 3, the second middleware 131 is undertaken by application programming interfaces (API, Application Programming Interface) and safety component 11 alternately.
In technical scheme of the present invention, secure operating system provides the running environment of a safety for the second middleware, and the second middleware is a kind of safe and reliable middleware.Therefore, can be using middleware relevant operation very high to security requirement in client application as the second middleware, it is operated in secure operating system, and using middleware relevant operation lower to security requirement in client application as the first middleware, it is operated in non-security operating system.Certainly, also can be using each middleware relevant to all operations in client application all as the second middleware.
In a preferred embodiment of the present invention, the second middleware at least comprises: input middleware, output middleware, authentication middleware, signature middleware and file management middleware.
For example, input middleware can be the middleware of keyboard or touch control device, and input middleware is operated in secure operating system as the second middleware, can prevent the attack of some Malwares such as keyboard record, avoid the appearance of the problems such as PIN code leakage, ensured security.
Between secure operating system and non-security operating system, realize safety isolation in order to realize, thereby ensure to operate in the security of each the second middleware in secure operating system, the client application that is positioned at non-security operating system must be called the second middleware by authorized agency (, the second middleware agency).Understandable, the second middleware agency is equivalent to the escape way between non-security operating system and secure operating system.
Corresponding with the second middleware, in another preferred embodiment of the present invention, the second middleware agency at least comprises: input middleware agency, output middleware agency, authentication middleware agency, signature middleware agency and file management middleware agency.
In another preferred embodiment of the present invention, safety component 11 comprises COS (Chip Operating System, Chip Operating System) and SE (safety element, Secure Element) chip hardware system.
Wherein, by can the ensure safety safety of the interior data manipulation of parts 11, data transmission of the security mechanism of COS.Safety component 11 has very high level of security, the higher associative operation of all security requirements can be carried out in secure operating system 13 and safety component 11, secure operating system 13 provides higher safe operational performance, and safety component 11 provides higher safe storage and operational performance.
For coordinate with secure operating system in the second middleware complete the higher operation of security requirement, in another preferred embodiment of the present invention, corresponding with the second middleware, COS at least comprises input subsystem, output subsystem, authentication subsystem, signature subsystem and file managemnent subsystem.
Understandable, the input middleware in the second middleware by with COS in input subsystem carry out alternately, completing the input function in client application.Output middleware in the second middleware by with COS in output subsystem carry out alternately, completing the output function in client application.Authentication middleware in the second middleware by with COS in authentication subsystem carry out alternately, completing the identity authentication function in client application.Signature middleware in the second middleware by with COS in signature subsystem carry out alternately, completing the signature function in client application.File management middleware in the second middleware by with COS in file managemnent subsystem carry out alternately, completing the file management facilities in client application.And because being is initiated to set up and communicate by letter with the COS of safety component by the second middleware that is arranged in secure operating system, all operations all complete in secure operating system, therefore, have ensured the tight security of operation.
In another preferred implementation of the present invention, above-mentioned COS also comprises lifecycle subsystem, for managing each life cycle of described COS.
For example, each life cycle of COS includes but not limited to the development and production stage.
As can be seen from the above-described embodiment, compared with prior art, the invention has the advantages that:
The device that ensures client security of operation is built in the equipment at client place, that is to say, client and the device that ensures client security of operation are integrated in same equipment.In this equipment, include two operating systems of isolation mutually: secure operating system and non-security operating system, the non-security execution environment at the secure execution environments at this secure operating system place and this non-security operating system place shares same hardware system.For there is no security requirement, or the low-down operation of security requirement, can be carried out by non-security operating system control.And for the higher operation of security requirement, can be carried out by secure execution environments control.For example, the operation such as input of PIN code.Therefore, can reduce even to avoid the potential safety hazard of the operation being completed by client.
In addition, due to the secure execution environments at this secure operating system place and the shared same hardware system of the non-security execution environment at this non-security operating system place, therefore, also provide cost savings, reduced complicacy and power consumption.
And, the device that ensures client security of operation being built in to the equipment at client place, can also prevent from that user is unexpected in process of service execution the device that ensures client security of operation is extracted, ensure the smooth execution of business.
In bank system of web, for the client application of Web bank, in the transaction operation completing between itself and service end, one of most important operation is exactly signature operation, and this operation is also very high for security requirement.Be operating as example with trading signature below, illustrate in the device of guarantee client security of operation of the present invention, how to realize once signed operation.Refer to shown in Fig. 4, it,, for realize the method flow diagram of signature operation by the device of guarantee client security of operation of the present invention, specifically comprises the steps:
Step 401: in non-security operating system, start Web bank's client application.
Step 402: Web bank's client application is called the first middleware in non-security operating system.
Step 403: Web bank's client application is called the second middleware agency in non-security operating system, so that by the second middleware in the second middleware proxy call secure operating system.
Step 404: safety monitor monitors operating system is switched to secure operating system from non-security operating system.
Step 405: in secure operating system, secure operating system control inputs middleware receives the PIN code of user's input.
Step 406: secure operating system is set up the escape way between itself and safety component, and send request the request message of checking PIN code to safety component by escape way.
Wherein, in this request message, carry PIN code.
Step 407: safety component in response to request message, is verified PIN code, and after being verified, sent the response message that PIN is verified by escape way to secure operating system.
Step 408: secure operating system control signature middleware carries out the verification of transaction negotiation and transaction data.
For example, the verification of transaction data can comprise that whether the total length of checkout transaction data consistent with the total count off of transaction data, the form of checkout transaction data whether meet the demands and checkout transaction data whether complete.
Step 409: after transaction negotiation and transaction data are verified, transaction data is sent to safety component by secure operating system control signature middleware.
Meanwhile, secure operating system can also be controlled output middleware demonstration dealing money and relevant information.
Step 410: safety component carries out trading signature to transaction data, and trading signature data are sent to secure operating system by signature middleware.
Step 411: secure operating system control output middleware shows trading signature result.
Step 412: secure operating system control inputs middleware receives the trade confirmation key set code of user's input.
Step 413: safety monitor switches back non-security operating system by operating system from secure operating system.
Step 414: trading signature result is returned to Web bank's client application by non-security operating system.
The technician in described field can be well understood to, and for convenience of description and succinctly, the specific works process of the system of foregoing description, device and unit, can, with reference to the corresponding process in preceding method embodiment, not repeat them here.
In several embodiment provided by the present invention, should be understood that disclosed system, apparatus and method can realize by another way.For example, described above to device embodiment be only schematic, for example, the division of described unit, be only that a kind of logic function is divided, when actual realization, can have other dividing mode, for example multiple unit or assembly can be in conjunction with being maybe integrated into another system, or some features can ignore, or do not carry out.Another point, shown or discussed coupling each other or direct-coupling or communication connection can be by some interfaces, indirect coupling or the communication connection of device or unit can be electrical, mechanical or other form.
The described unit as separating component explanation can or can be also physically to separate, and the parts that show as unit can be or can not be also physical locations, can be positioned at a place, or also can be distributed in multiple network element.Can select according to the actual needs some or all of unit wherein to realize the object of the present embodiment scheme.
In addition, the each functional unit in each embodiment of the present invention can be integrated in a processing unit, can be also that the independent physics of unit exists, and also can be integrated in a unit two or more unit.Above-mentioned integrated unit both can adopt the form of hardware to realize, and can adopt the form of SFU software functional unit to realize.
It should be noted that, one of ordinary skill in the art will appreciate that all or part of flow process realizing in above-described embodiment method, can carry out the hardware that instruction is relevant by computer program to complete, described program can be stored in a computer read/write memory medium, this program, in the time carrying out, can comprise as the flow process of the embodiment of above-mentioned each side method.Wherein, described storage medium can be magnetic disc, CD, read-only store-memory body (Read-Only Memory, ROM) or random store-memory body (Random Access Memory, RAM) etc.
Above a kind of device that ensures client security of operation provided by the present invention is described in detail, applied specific embodiment herein principle of the present invention and embodiment are set forth, the explanation of above embodiment is just for helping to understand method of the present invention and core concept thereof; , for one of ordinary skill in the art, according to thought of the present invention, all will change in specific embodiments and applications, in sum, this description should not be construed as limitation of the present invention meanwhile.
Claims (11)
1. one kind ensures the device of client security of operation, it is characterized in that, comprise: safety component, non-security operating system, secure operating system, the first middleware and the second middleware that operate in described non-security operating system are acted on behalf of, and operated in the second middleware in described secure operating system; Wherein,
In described non-security operating system, client application is installed, described client application is directly called described the first middleware, and described client application is by the second middleware described in described the second middleware proxy call;
Described safety component is for realizing the information security of described device;
Described the first middleware is for predefined Part I service function in described non-security operating system completes described client application;
Described the second middleware in described secure operating system by carrying out alternately with described safety component, complete predefined Part II service function in described client application.
2. device according to claim 1, it is characterized in that, described secure operating system is arranged in secure execution environments, and described non-security operating system is arranged in non-security execution environment, between described secure execution environments and described non-security execution environment, isolates by hardware firewall.
3. device according to claim 2, is characterized in that, described secure execution environments and described non-security execution environment share identical hardware system.
4. device according to claim 3, is characterized in that, described hardware system is credible execution environment TEE chip hardware system.
5. device according to claim 2, is characterized in that, between described secure execution environments and described non-security execution environment, switches by safety monitor.
6. device according to claim 1, is characterized in that, described the second middleware is undertaken by application programming interfaces API and described safety component alternately.
7. device according to claim 1, is characterized in that, described the second middleware at least comprises input middleware, output middleware, authentication middleware, signature middleware and file management middleware.
8. device according to claim 7, is characterized in that, described the second middleware agency at least comprises: input middleware agency, output middleware agency, authentication middleware agency, signature middleware agency and file management middleware agency.
9. device according to claim 7, is characterized in that, described safety component comprises Chip Operating System COS and safety element SE chip hardware system.
10. device according to claim 9, is characterized in that, described COS at least comprises input subsystem, output subsystem, authentication subsystem, signature subsystem and file managemnent subsystem.
11. devices according to claim 10, is characterized in that, described COS also comprises: lifecycle subsystem, and for managing each life cycle of described COS.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410342446.2A CN104102876A (en) | 2014-07-17 | 2014-07-17 | Device for safeguarding operational security of client side |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410342446.2A CN104102876A (en) | 2014-07-17 | 2014-07-17 | Device for safeguarding operational security of client side |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN104102876A true CN104102876A (en) | 2014-10-15 |
Family
ID=51671019
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410342446.2A Pending CN104102876A (en) | 2014-07-17 | 2014-07-17 | Device for safeguarding operational security of client side |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104102876A (en) |
Cited By (33)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104462935A (en) * | 2014-12-24 | 2015-03-25 | 宇龙计算机通信科技(深圳)有限公司 | Method and terminal for performing safety verification on application program in multi-operation system |
| CN104598793A (en) * | 2015-01-08 | 2015-05-06 | 百度在线网络技术(北京)有限公司 | Fingerprint authentication method and fingerprint authentication device |
| CN104866782A (en) * | 2015-05-29 | 2015-08-26 | 宇龙计算机通信科技(深圳)有限公司 | Data processing method and apparatus |
| CN105205370A (en) * | 2015-08-24 | 2015-12-30 | 北京恒信安科技有限公司 | Safety protection method for mobile terminal, mobile terminal, safety system and application method |
| CN105260664A (en) * | 2015-09-24 | 2016-01-20 | 宇龙计算机通信科技(深圳)有限公司 | Security protection method and terminal for application among multiple systems |
| CN105335673A (en) * | 2015-12-14 | 2016-02-17 | 联想(北京)有限公司 | Information safety processing method and device |
| CN105468980A (en) * | 2015-11-16 | 2016-04-06 | 华为技术有限公司 | Security control method, device and system |
| CN105574720A (en) * | 2015-12-14 | 2016-05-11 | 联想(北京)有限公司 | Secure information processing method and secure information processing apparatus |
| CN105630534A (en) * | 2015-04-27 | 2016-06-01 | 宇龙计算机通信科技(深圳)有限公司 | TrustZone framework-based application program execution method and device as well as terminal |
| WO2016095506A1 (en) * | 2014-12-19 | 2016-06-23 | 深圳市中兴微电子技术有限公司 | Ciphertext data decryption method, system and computer storage medium |
| WO2016101559A1 (en) * | 2014-12-26 | 2016-06-30 | 深圳市中兴微电子技术有限公司 | Secure data access method and device, and computer storage medium |
| CN105787353A (en) * | 2014-12-17 | 2016-07-20 | 联芯科技有限公司 | Credible application management system and loading method for credible applications |
| CN105809419A (en) * | 2014-12-29 | 2016-07-27 | 北京握奇智能科技有限公司 | Online banking transaction system |
| CN105809433A (en) * | 2014-12-29 | 2016-07-27 | 北京握奇智能科技有限公司 | Online banking transaction method |
| CN105809441A (en) * | 2014-12-29 | 2016-07-27 | 北京握奇智能科技有限公司 | Online banking transaction method |
| CN105809536A (en) * | 2014-12-29 | 2016-07-27 | 北京握奇智能科技有限公司 | Online banking transaction system |
| CN105959287A (en) * | 2016-05-20 | 2016-09-21 | 中国银联股份有限公司 | Biological feature based safety certification method and device |
| CN106027257A (en) * | 2016-05-05 | 2016-10-12 | 北京元心科技有限公司 | Method and system for securely performing identity authentication |
| WO2016172944A1 (en) * | 2015-04-30 | 2016-11-03 | 华为技术有限公司 | Interface display method of terminal and terminal |
| WO2017045497A1 (en) * | 2015-09-16 | 2017-03-23 | 深圳市中兴微电子技术有限公司 | User verification method, client, controller, and computer storage medium |
| WO2017071546A1 (en) * | 2015-10-29 | 2017-05-04 | 中国银联股份有限公司 | Trusted user interface display method and system |
| CN106778193A (en) * | 2016-11-14 | 2017-05-31 | 北京握奇智能科技有限公司 | A kind of client and UI exchange methods |
| CN106845282A (en) * | 2017-01-06 | 2017-06-13 | 奇酷互联网络科技(深圳)有限公司 | Mobile terminal and its method of controlling security and device |
| CN106897639A (en) * | 2017-01-06 | 2017-06-27 | 奇酷互联网络科技(深圳)有限公司 | The method and apparatus of mobile terminal and its safety verification |
| CN106940776A (en) * | 2016-01-04 | 2017-07-11 | 中国移动通信集团公司 | A kind of sensitive data operating method and mobile terminal |
| CN107003889A (en) * | 2014-12-24 | 2017-08-01 | 英特尔公司 | System and method for providing the compatible credible performing environment of global platform |
| CN107169343A (en) * | 2017-04-25 | 2017-09-15 | 深圳市金立通信设备有限公司 | A kind of method and terminal of control application program |
| CN107392055A (en) * | 2017-07-20 | 2017-11-24 | 深圳市金立通信设备有限公司 | A kind of dual system safety chip control method, terminal, computer-readable recording medium and the dual system framework based on safety chip |
| CN108335105A (en) * | 2018-01-18 | 2018-07-27 | 中国建设银行股份有限公司 | Data processing method and relevant device |
| CN108599938A (en) * | 2018-04-23 | 2018-09-28 | 北京数字认证股份有限公司 | The method and system of mobile terminal private data are protected by credible performing environment |
| CN111125711A (en) * | 2019-12-03 | 2020-05-08 | 支付宝(杭州)信息技术有限公司 | Security task processing method and device, electronic equipment and storage medium |
| CN111666172A (en) * | 2020-06-07 | 2020-09-15 | 中信银行股份有限公司 | Method and device for protecting online banking environment, electronic equipment and storage medium |
| CN112305962A (en) * | 2020-10-21 | 2021-02-02 | 麒麟软件有限公司 | Wireless device control method based on ARM platform supporting Trustzone |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102034036A (en) * | 2010-09-07 | 2011-04-27 | 北京握奇数据系统有限公司 | Permission management method and equipment |
| CN103793629A (en) * | 2012-10-26 | 2014-05-14 | 三星电子株式会社 | System-on-chip processing secure contents and mobile device comprising the same |
-
2014
- 2014-07-17 CN CN201410342446.2A patent/CN104102876A/en active Pending
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102034036A (en) * | 2010-09-07 | 2011-04-27 | 北京握奇数据系统有限公司 | Permission management method and equipment |
| CN103793629A (en) * | 2012-10-26 | 2014-05-14 | 三星电子株式会社 | System-on-chip processing secure contents and mobile device comprising the same |
Non-Patent Citations (1)
| Title |
|---|
| 王熙友: "ARM TrustZone安全隔离技术研究与应用", 《中国优秀硕士学位论文全文数据库 信息科技辑》 * |
Cited By (39)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105787353A (en) * | 2014-12-17 | 2016-07-20 | 联芯科技有限公司 | Credible application management system and loading method for credible applications |
| WO2016095506A1 (en) * | 2014-12-19 | 2016-06-23 | 深圳市中兴微电子技术有限公司 | Ciphertext data decryption method, system and computer storage medium |
| CN107003889A (en) * | 2014-12-24 | 2017-08-01 | 英特尔公司 | System and method for providing the compatible credible performing environment of global platform |
| CN104462935A (en) * | 2014-12-24 | 2015-03-25 | 宇龙计算机通信科技(深圳)有限公司 | Method and terminal for performing safety verification on application program in multi-operation system |
| WO2016101559A1 (en) * | 2014-12-26 | 2016-06-30 | 深圳市中兴微电子技术有限公司 | Secure data access method and device, and computer storage medium |
| CN105809536A (en) * | 2014-12-29 | 2016-07-27 | 北京握奇智能科技有限公司 | Online banking transaction system |
| CN105809441A (en) * | 2014-12-29 | 2016-07-27 | 北京握奇智能科技有限公司 | Online banking transaction method |
| CN105809433A (en) * | 2014-12-29 | 2016-07-27 | 北京握奇智能科技有限公司 | Online banking transaction method |
| CN105809419A (en) * | 2014-12-29 | 2016-07-27 | 北京握奇智能科技有限公司 | Online banking transaction system |
| CN104598793A (en) * | 2015-01-08 | 2015-05-06 | 百度在线网络技术(北京)有限公司 | Fingerprint authentication method and fingerprint authentication device |
| CN105630534A (en) * | 2015-04-27 | 2016-06-01 | 宇龙计算机通信科技(深圳)有限公司 | TrustZone framework-based application program execution method and device as well as terminal |
| WO2016172944A1 (en) * | 2015-04-30 | 2016-11-03 | 华为技术有限公司 | Interface display method of terminal and terminal |
| US10891397B2 (en) | 2015-04-30 | 2021-01-12 | Huawei Technologies Co., Ltd. | User interface display method for terminal, and terminal |
| CN104866782A (en) * | 2015-05-29 | 2015-08-26 | 宇龙计算机通信科技(深圳)有限公司 | Data processing method and apparatus |
| CN105205370B (en) * | 2015-08-24 | 2018-12-04 | 北京恒信安科技有限公司 | Mobile terminal safety means of defence and mobile terminal, security system and methods for using them |
| CN105205370A (en) * | 2015-08-24 | 2015-12-30 | 北京恒信安科技有限公司 | Safety protection method for mobile terminal, mobile terminal, safety system and application method |
| WO2017045497A1 (en) * | 2015-09-16 | 2017-03-23 | 深圳市中兴微电子技术有限公司 | User verification method, client, controller, and computer storage medium |
| CN105260664A (en) * | 2015-09-24 | 2016-01-20 | 宇龙计算机通信科技(深圳)有限公司 | Security protection method and terminal for application among multiple systems |
| WO2017071546A1 (en) * | 2015-10-29 | 2017-05-04 | 中国银联股份有限公司 | Trusted user interface display method and system |
| CN105468980A (en) * | 2015-11-16 | 2016-04-06 | 华为技术有限公司 | Security control method, device and system |
| CN105468980B (en) * | 2015-11-16 | 2018-07-03 | 华为技术有限公司 | The method, apparatus and system of a kind of security management and control |
| CN105574720A (en) * | 2015-12-14 | 2016-05-11 | 联想(北京)有限公司 | Secure information processing method and secure information processing apparatus |
| CN105335673A (en) * | 2015-12-14 | 2016-02-17 | 联想(北京)有限公司 | Information safety processing method and device |
| CN106940776A (en) * | 2016-01-04 | 2017-07-11 | 中国移动通信集团公司 | A kind of sensitive data operating method and mobile terminal |
| CN106027257A (en) * | 2016-05-05 | 2016-10-12 | 北京元心科技有限公司 | Method and system for securely performing identity authentication |
| CN105959287A (en) * | 2016-05-20 | 2016-09-21 | 中国银联股份有限公司 | Biological feature based safety certification method and device |
| CN106778193A (en) * | 2016-11-14 | 2017-05-31 | 北京握奇智能科技有限公司 | A kind of client and UI exchange methods |
| CN106778193B (en) * | 2016-11-14 | 2023-02-03 | 北京握奇智能科技有限公司 | Client and UI interaction method |
| CN106897639B (en) * | 2017-01-06 | 2020-12-22 | 奇酷互联网络科技(深圳)有限公司 | Mobile terminal and security verification method and device thereof |
| CN106845282A (en) * | 2017-01-06 | 2017-06-13 | 奇酷互联网络科技(深圳)有限公司 | Mobile terminal and its method of controlling security and device |
| CN106897639A (en) * | 2017-01-06 | 2017-06-27 | 奇酷互联网络科技(深圳)有限公司 | The method and apparatus of mobile terminal and its safety verification |
| CN107169343A (en) * | 2017-04-25 | 2017-09-15 | 深圳市金立通信设备有限公司 | A kind of method and terminal of control application program |
| CN107392055A (en) * | 2017-07-20 | 2017-11-24 | 深圳市金立通信设备有限公司 | A kind of dual system safety chip control method, terminal, computer-readable recording medium and the dual system framework based on safety chip |
| CN108335105A (en) * | 2018-01-18 | 2018-07-27 | 中国建设银行股份有限公司 | Data processing method and relevant device |
| CN108599938A (en) * | 2018-04-23 | 2018-09-28 | 北京数字认证股份有限公司 | The method and system of mobile terminal private data are protected by credible performing environment |
| CN111125711B (en) * | 2019-12-03 | 2021-05-07 | 支付宝(杭州)信息技术有限公司 | Security task processing method and device, electronic equipment and storage medium |
| CN111125711A (en) * | 2019-12-03 | 2020-05-08 | 支付宝(杭州)信息技术有限公司 | Security task processing method and device, electronic equipment and storage medium |
| CN111666172A (en) * | 2020-06-07 | 2020-09-15 | 中信银行股份有限公司 | Method and device for protecting online banking environment, electronic equipment and storage medium |
| CN112305962A (en) * | 2020-10-21 | 2021-02-02 | 麒麟软件有限公司 | Wireless device control method based on ARM platform supporting Trustzone |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN104102876A (en) | Device for safeguarding operational security of client side | |
| CN104318182B (en) | A kind of intelligent terminal shielding system and method extended based on processor security | |
| CN103748594B (en) | For ARM*TRUSTZONETMThe credible platform module based on firmware realized | |
| US8935746B2 (en) | System with a trusted execution environment component executed on a secure element | |
| CN1997955B (en) | Method and apparatus for providing secure virtualization of a trusted platform module | |
| US8322610B2 (en) | Secure access module for integrated circuit card applications | |
| CN104012034B (en) | The certification of the application relevant for network access | |
| US9582656B2 (en) | Systems for validating hardware devices | |
| WO2017108977A1 (en) | Method and system for enhancing the security of a transaction | |
| CN103400068B (en) | Multi-level verification is used to control user to the system and method for the access of locked resource | |
| US8874931B2 (en) | System and method for securing a user interface | |
| CN103353931A (en) | Security-enhanced computer systems and methods | |
| CN102333072B (en) | Network banking trusted transaction system and method based on intelligent terminal | |
| CN205656721U (en) | Based on intelligence POS safety circuit of android system | |
| Nepal et al. | A mobile and portable trusted computing platform | |
| EP3387605B1 (en) | Interception of touch pad events for handling in a secure environment | |
| KR101173911B1 (en) | Network Separation System with a Switching Type of Selection Between Virtual Machines | |
| CN101150459B (en) | Method and system for improving safety of information safety device | |
| US20230020873A1 (en) | Device driver for contactless payments | |
| US11593780B1 (en) | Creation and validation of a secure list of security certificates | |
| US11507958B1 (en) | Trust-based security for transaction payments | |
| CN107315610A (en) | Realize method, device and the computer-readable recording medium of cryptographic function | |
| CN109918910A (en) | A kind of keyboard manager | |
| Shepherd | Techniques for Establishing Trust in Modern Constrained Sensing Platforms with Trusted Execution Environments | |
| CN109872148A (en) | Trust data processing method, device and mobile terminal based on TUI |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| RJ01 | Rejection of invention patent application after publication | ||
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 20141015 |