CN104125216A - Method, system and terminal capable of improving safety of trusted execution environment - Google Patents
- Publication number: CN104125216A
- Application number: CN201410308622.0A
- Authority: CN (China)
- Prior art keywords: trusted application, smart card, destination server, server, mark
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
Embodiments of the invention disclose a method, a system and a terminal for improving the security of a trusted execution environment (TEE). The method comprises the following steps: obtaining a connection request initiated by a trusted application to a target server, the connection request containing an identifier of the target server; obtaining, through a modem, a server list stored in a smart card; determining, according to the identifier of the target server, whether the target server is contained in the server list; if so, allowing the trusted application to establish a connection with the target server; otherwise, refusing to let the trusted application establish a connection with the target server. Embodiments of the invention can improve the security of the TEE by means of the smart card.
Description
Technical field
Embodiments of the present invention relate to the field of communication technology, and in particular to a method, system and terminal for improving the security of a trusted execution environment.
Background
With the rapid development of mobile networks and smart terminals and the spread of intelligent consumer electronics, the variety and number of mobile applications keep growing. Today's mobile applications are no longer limited to extending the basic and entertainment functions of smart terminals; the fields they touch have gradually expanded to all kinds of industries, for example financial applications related to mobile payment, content copyright protection applications, and secure applications for thin terminals under cloud computing. These industry applications all need a terminal operating environment with a higher security level.
However, the operating system of a smart terminal is designed mainly around functional requirements rather than security. In addition, the openness, size and complexity of the whole system make it impossible to eliminate system vulnerabilities, so malicious programs that exploit these vulnerabilities keep appearing and put applications at risk. Although software protection measures such as firewalls and antivirus software can provide some protection, the endless stream of new virus programs and the regular system updates and upgrades mean that complete protection cannot be achieved in software.
To address these problems, the industry has carried out in-depth research and proposed a new approach: dividing the same hardware device into two mutually independent, hardware-isolated execution environments, the rich execution environment (Rich Execution Environment, REE) and the trusted execution environment (Trusted Execution Environment, TEE). The software and hardware resources on the platform can each be marked with one of two execution states: resources marked as being in the secure execution state can be accessed only by the trusted execution environment, while resources marked as being in the normal execution state can be accessed by both execution environments. The rich execution environment runs a currently common mobile operating system such as Android, while the trusted execution environment runs a secure operating system that is functionally simple, small in code size, closed, and open to manual audit and control. Applications with higher security requirements are deployed in the secure operating system and provide security services to the ordinary applications deployed in the mobile operating system. When an ordinary application calls the corresponding secure application, the hardware device switches from the rich execution environment to the trusted execution environment; the whole hardware device is then in a trusted state, and all interaction between the device and the outside world is controlled, ensuring that it is genuine and trustworthy behavior.
The software and hardware execution environment of the TEE is similar to that of the REE. Chip-specific technology (such as ARM's TrustZone technology or Intel's multi-CPU technology) physically isolates the operating environments of the TEE and the REE, thereby ensuring the security of applications running in the TEE. All peripherals used by the TEE must have the security attribute, which avoids the risk of secure data leaking when the TEE accesses peripherals.
In a concrete application, for example, when a user meets a sensitive operation such as payment while using a mobile phone, the phone must switch from the REE to the TEE to complete the operation, and the user's password, account and similar information are all entered in the TEE. TEE technology ensures, to a certain extent, the isolation of mobile payment applications and their data, which naturally improves security compared with the original practice of completing all payment activity in the REE. However, TEE technology by itself cannot fully guarantee that user data is not tampered with or attacked, and the TEE is not a completely closed operating system and operating environment: applications in the TEE still need the REE to exchange data with remote servers. For example, during online payment an application in the TEE needs to communicate with a remote server; it initiates the connection request to the remote server through the REE, and the operating system in the REE performs the data connection. In addition, regularly updating applications in the TEE, fixing software vulnerabilities and upgrading security algorithms also require data exchange with remote servers through the REE, so security still cannot be guaranteed.
Summary of the invention
In view of this, embodiments of the present invention provide a method, system and terminal for improving the security of a trusted execution environment, which can improve the security of the TEE by means of a smart card.
A first aspect of the embodiments of the present invention provides a method for improving the security of a trusted execution environment (TEE), comprising:
obtaining a connection request initiated by a trusted application to a destination server, the connection request comprising an identifier of the destination server;
obtaining, through a modem, a server list stored in a smart card;
determining, according to the identifier of the destination server, whether the destination server is included in the server list;
if so, allowing the trusted application to establish a connection with the destination server; if not, refusing to let the trusted application establish a connection with the destination server.
With reference to the first aspect, in a first implementation of the first aspect, after the trusted application establishes a connection with the destination server, the method further comprises:
sending the identifier of the trusted application to the smart card through the modem, to request the smart card to authenticate the trusted application according to the authentication algorithm, stored in the smart card, that corresponds to the identifier of the trusted application.
With reference to the first implementation of the first aspect, in a second implementation of the first aspect, when the identifier of the trusted application is sent to the smart card through the modem, the authentication data that the trusted application sends in response to the authentication request of the destination server is also sent to the smart card through the modem, the authentication data comprising the identifier of the destination server;
after the smart card is requested to authenticate the trusted application, the method further comprises:
determining whether the smart card's authentication result for the trusted application is success;
when the smart card's authentication result for the trusted application is success, obtaining from the smart card, through the modem, a temporary communication key used to encrypt, decrypt, sign or verify the data transmitted between the trusted application and the destination server, the temporary communication key being generated by the smart card according to the identifier of the trusted application, the identifier of the destination server and a preset algorithm.
With reference to the second implementation of the first aspect, in a third implementation of the first aspect, the server list, the authentication algorithm and the temporary communication key in the smart card are managed by the smart card issuer.
With reference to the first aspect, or the first, second or third implementation of the first aspect, in a fourth implementation of the first aspect, the smart card comprises: a subscriber identity module (SIM) card, a universal integrated circuit card (UICC) and an embedded universal integrated circuit card (eUICC).
With reference to the first aspect, or the first, second or third implementation of the first aspect, in a fifth implementation of the first aspect, the connection between the trusted application and the destination server is established by dial-up through the modem, or is established over WIFI.
With reference to the first aspect, or the first, second or third implementation of the first aspect, in a sixth implementation of the first aspect, the server list comprises the servers that the trusted application needs to connect to when performing numerical value processing and the servers that need to be connected to when the trusted application is maintained.
A second aspect of the embodiments of the present invention provides a terminal that supports a trusted execution environment (TEE), comprising:
a first acquiring unit, configured to obtain a connection request initiated by a trusted application to a destination server, the connection request comprising an identifier of the destination server;
a second acquiring unit, configured to obtain, through a modem, a server list stored in a smart card;
a judging unit, configured to determine, according to the identifier of the destination server, whether the destination server is included in the server list;
a processing unit, configured to allow the trusted application to establish a connection with the destination server when the destination server is included in the server list, and to refuse to let the trusted application establish a connection with the destination server when the destination server is not included in the server list.
With reference to the second aspect, in a first implementation of the second aspect, the terminal further comprises:
a sending unit, configured to, after the trusted application establishes a connection with the destination server, send the identifier of the trusted application to the smart card through the modem, to request the smart card to authenticate the trusted application according to the authentication algorithm, stored in the smart card, that corresponds to the identifier of the trusted application.
With reference to the first implementation of the second aspect, in a second implementation of the second aspect, the sending unit is further configured to, when sending the identifier of the trusted application to the smart card through the modem, also send to the smart card through the modem the authentication data that the trusted application sends in response to the authentication request of the destination server, the authentication data comprising the identifier of the destination server;
the judging unit is further configured to determine whether the smart card's authentication result for the trusted application is success;
the terminal further comprises:
a third acquiring unit, configured to, when the smart card's authentication result for the trusted application is success, obtain from the smart card, through the modem, a temporary communication key used to encrypt, decrypt, sign or verify the data transmitted between the trusted application and the destination server, the temporary communication key being generated by the smart card according to the identifier of the trusted application, the identifier of the destination server and a preset algorithm.
With reference to the second implementation of the second aspect, in a third implementation of the second aspect, the server list, the authentication algorithm and the temporary communication key in the smart card are managed by the smart card issuer.
With reference to the second aspect, or the first, second or third implementation of the second aspect, in a fourth implementation of the second aspect, the smart card comprises: a subscriber identity module (SIM) card, a universal integrated circuit card (UICC) and an embedded universal integrated circuit card (eUICC).
With reference to the second aspect, or the first, second or third implementation of the second aspect, in a fifth implementation of the second aspect, the terminal further comprises:
a connection establishing unit, configured to establish the connection between the trusted application and the destination server by dial-up through the modem, or to establish the connection between the trusted application and the destination server over WIFI.
With reference to the second aspect, or the first, second or third implementation of the second aspect, in a sixth implementation of the second aspect, the server list comprises the servers that the trusted application needs to connect to when performing numerical value processing and the servers that need to be connected to when the trusted application is maintained.
A third aspect of the embodiments of the present invention provides a system for improving the security of a trusted execution environment (TEE), comprising a server, a smart card, and the terminal provided by the second aspect or by any implementation of the second aspect.
As can be seen from the above technical solutions, the embodiments of the present invention have the following advantages:
In the embodiments of the present invention, a connection request initiated by a trusted application to a destination server is obtained, the connection request comprising an identifier of the destination server; a server list stored in a smart card is obtained through a modem; whether the destination server is included in the server list is determined according to the identifier of the destination server; if so, the trusted application is allowed to establish a connection with the destination server, and if not, the connection is refused. That is, in the embodiments of the present invention the trusted application interacts with the destination server by means of the smart card, replacing the prior-art process in which the trusted application interacts with the destination server through the REE. The trusted server list is stored in the smart card. Because a smart card has a small chip and a single external port, among other features, it resists physical and software attacks better than the REE. Storing the trusted server list in the smart card therefore effectively prevents user information from being tampered with or attacked, ensures that the trusted application connects to a legitimate server, and improves the security of the TEE.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings used in the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of one embodiment of the method of the present invention for improving the security of a trusted execution environment;
Fig. 2 is a schematic diagram of another embodiment of the method of the present invention for improving the security of a trusted execution environment;
Fig. 3 is a schematic diagram of one embodiment of the terminal of the present invention;
Fig. 4 is a schematic diagram of another embodiment of the terminal of the present invention;
Fig. 5 is a schematic diagram of another embodiment of the terminal of the present invention;
Fig. 6 is a schematic diagram of one embodiment of the system of the present invention for improving the security of a trusted execution environment.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The embodiments of the present invention provide a method, system and terminal for improving the security of a trusted execution environment, which can improve the security of the TEE by means of a smart card.
Referring to Fig. 1, one embodiment of the method of the present invention for improving the security of a trusted execution environment comprises:
101. The terminal obtains the connection request initiated by the trusted application to the destination server;
In this embodiment, the terminal can support two operating environments: the trusted execution environment (TEE) and the rich execution environment (REE). The trusted application (Trusted Application, TA) runs in the trusted execution environment. The connection request that the trusted application initiates to the destination server comprises the identifier of the destination server; this identifier can include the address, port number and so on of the destination server.
102. The terminal obtains, through the modem, the server list stored in the smart card;
In a specific implementation, the modem can be a component of the terminal and be contained in it. The smart card can be another device independent of the terminal, and is used to store the server list. A smart card has physical characteristics such as a small chip and a single external port.
103. The terminal determines whether the destination server is included in the server list; if so, step 104 is performed, and if not, step 105 is performed;
If the identifier of the destination server matches the identifier of a server in the server list, the destination server is considered to be included in the server list; otherwise it is considered not to be included. The purpose of this check is to ensure that the destination server to which the trusted application connects is a trusted server.
104. The trusted application is allowed to establish a connection with the destination server;
105. The trusted application is refused a connection with the destination server.
In this embodiment, the trusted application interacts with the destination server by means of the smart card, replacing the prior-art process in which the trusted application interacts with the destination server through the REE. The trusted server list is stored in the smart card. Because a smart card has a small chip and a single external port, among other features, it resists physical and software attacks better than the REE. Storing the trusted server list in the smart card therefore effectively prevents user information from being tampered with or attacked, ensures that the trusted application connects to a legitimate server, and improves the security of the TEE.
For ease of understanding, the method of the present invention for improving the security of a trusted execution environment (TEE) is described below with a specific embodiment. Referring to Fig. 2, the method of this embodiment comprises:
201. The terminal obtains the connection request initiated by the trusted application to the destination server;
In this embodiment, the terminal can support two operating environments: the trusted execution environment (TEE) and the rich execution environment (REE). The trusted application (Trusted Application, TA) runs in the trusted execution environment. The connection request that the trusted application initiates to the destination server comprises the identifier of the destination server; this identifier can include the address, port number and so on of the destination server.
202. The terminal obtains, through the modem, the server list stored in the smart card;
In a specific implementation, the smart card can be a device that exists independently of the terminal. The smart card comprises a subscriber identity module (Subscriber Identity Module, SIM) card, a universal integrated circuit card (Universal Integrated Circuit Card, UICC) and an embedded universal integrated circuit card (eUICC).
The server list comprises the servers that the trusted application needs to connect to when performing numerical value processing and the servers that need to be connected to when the trusted application is maintained. Numerical value processing can include payment, verification, query, reconciliation and so on; maintenance of the trusted application can include updating the program of the trusted application, fixing software vulnerabilities, upgrading security algorithms and so on.
203. The terminal determines whether the destination server is included in the server list; if not, step 204 is performed, and if so, step 205 is performed;
204. The terminal refuses to let the trusted application establish a connection with the destination server;
205. The terminal allows the trusted application to establish a connection with the destination server;
The connection between the trusted application and the destination server is established by dial-up through the modem, or over WIFI.
206. The terminal sends the authentication data and the identifier of the trusted application to the smart card through the modem, to request the smart card to authenticate the trusted application, the authentication data comprising the identifier of the destination server;
The smart card stores different authentication algorithms. Each authentication algorithm corresponds to the identifier (Application ID, AID) of one trusted application and is used to authenticate that trusted application.
After the trusted application establishes a connection with the destination server, the destination server needs to authenticate the trusted application. The destination server can send an authentication request to the trusted application over the existing wireless link; the trusted application responds to the authentication request and returns authentication data.
The terminal obtains the authentication data and sends it, together with the identifier (AID) of the trusted application, to the smart card through the modem. The smart card authenticates the trusted application according to the authentication algorithm it stores for that AID, and returns the authentication result to the terminal.
207. The terminal determines whether the authentication result is success; if so, step 208 is performed, and if not, step 209 is performed and the process ends;
208. The terminal obtains the temporary communication key from the smart card through the modem.
When the authentication result returned by the smart card is success, the terminal obtains the temporary communication key from the smart card through the modem. The temporary communication key is generated by the smart card according to the identifier of the trusted application, the identifier of the destination server and a preset algorithm. The terminal uses the temporary communication key to encrypt, decrypt, sign or verify the data transmitted between the trusted application and the destination server, so as to protect the security and integrity of the data.
Once the connection between the trusted application and the destination server is broken, the temporary communication key becomes invalid. That is, the trusted application uses a different temporary communication key for each communication with the destination server, so even if one communication session is cracked, no greater loss results.
In addition, in this embodiment the server list, the authentication algorithms and the temporary communication key in the smart card are managed by the smart card issuer. That is, the smart card issuer holds the root key and the root certificate and is responsible for maintaining the data stored in the smart card, including writing, updating and deleting that data. The terminal holds neither the root key nor the root certificate, which ensures the uniqueness of the data stored in the smart card and improves the security of that data. The user can deregister the smart card through the smart card issuer, which avoids loss of the user's funds when the terminal is lost; the smart card issuer can switch off the authentication function of the smart card with a simple short message and delete the server list.
In this embodiment, the trusted application interacts with the destination server by means of the smart card, replacing the prior-art process in which the trusted application interacts with the destination server through the REE. The trusted server list and the authentication algorithms are stored in the smart card, and the temporary communication key used during communication between the trusted application and the destination server is also generated by the smart card. The smart card exists independently of the terminal and is maintained by the smart card issuer, which effectively prevents the information in the card from being tampered with. Moreover, because the smart card itself has a strong ability to resist physical and software attacks, all confidential data involved in the communication between the trusted application and the destination server is obtained from the smart card, and the authentication of the trusted application is also carried out in the smart card. This embodiment can therefore prevent the trusted execution environment from being maliciously attacked or implanted with malicious programs, thereby improving the security of the trusted execution environment.
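The flow of steps 201 to 208, as an added example that is not part of the patent: a Python simulation in which a `SimulatedSmartCard` object stands in for the SIM/UICC reached through the modem. The patent leaves the authentication algorithm and the "preset algorithm" for the temporary key unspecified, so the HMAC-SHA256 challenge response, the per-session nonce in the key derivation, and all names, AIDs and host names below are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample values (not from the patent).
SAMPLE_AID = bytes.fromhex("a000000000010203")
SAMPLE_TA_KEY = bytes(range(32))


def _pack(*parts: bytes) -> bytes:
    """Length-prefix every field so that different field splits never collide."""
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def server_id(address: str, port: int) -> bytes:
    """Server identifier built from address and port (step 201), canonicalised."""
    return f"{address.strip().lower()}:{port}".encode()


class SimulatedSmartCard:
    """Holds the server list, the per-AID authentication secrets and the key material."""

    def __init__(self, servers, ta_keys):
        self._servers = {server_id(a, p) for a, p in servers}
        self._ta_keys = dict(ta_keys)           # AID -> secret (assumed HMAC key)
        self._master = secrets.token_bytes(32)  # never leaves the card
        self._authenticated = None              # (aid, sid) of the last success
        self.enabled = True                     # the issuer can switch this off

    def get_server_list(self):
        return frozenset(self._servers) if self.enabled else frozenset()

    def authenticate(self, aid: bytes, auth_data: dict) -> bool:
        """Step 206: pick the algorithm by AID and check the TA's authentication data."""
        self._authenticated = None
        key = self._ta_keys.get(aid)
        if not self.enabled or key is None:
            return False
        sid = auth_data["server_id"]
        expected = hmac.new(key, _pack(aid, sid, auth_data["challenge"]),
                            hashlib.sha256).digest()
        ok = sid in self._servers and hmac.compare_digest(expected, auth_data["response"])
        if ok:
            self._authenticated = (aid, sid)
        return ok

    def get_temp_key(self, aid: bytes, sid: bytes) -> bytes:
        """Step 208: key bound to AID and server id; a fresh nonce makes it per session."""
        if self._authenticated != (aid, sid):
            raise PermissionError("no successful authentication for this TA/server pair")
        self._authenticated = None              # one key per successful authentication
        nonce = secrets.token_bytes(16)
        return hmac.new(self._master, _pack(aid, sid, nonce), hashlib.sha256).digest()


def ta_auth_data(aid: bytes, ta_key: bytes, sid: bytes, challenge: bytes) -> dict:
    """Authentication data returned by the TA; it carries the server identifier."""
    response = hmac.new(ta_key, _pack(aid, sid, challenge), hashlib.sha256).digest()
    return {"server_id": sid, "challenge": challenge, "response": response}


def connect(card, aid: bytes, ta_key: bytes, address: str, port: int):
    """Terminal-side flow. Returns (status, temporary key or None)."""
    sid = server_id(address, port)
    if sid not in card.get_server_list():       # steps 202-203
        return "refused", None                  # step 204
    # Step 205: connection allowed. The random challenge stands in for the
    # server's authentication request; how the server learns the temporary
    # key is not described in the patent and is not modelled here.
    challenge = secrets.token_bytes(16)
    auth_data = ta_auth_data(aid, ta_key, sid, challenge)
    if not card.authenticate(aid, auth_data):   # steps 206-207
        return "auth_failed", None              # step 209
    return "connected", card.get_temp_key(aid, sid)   # step 208


if __name__ == "__main__":
    card = SimulatedSmartCard([("pay.example.test", 443)], {SAMPLE_AID: SAMPLE_TA_KEY})
    for host in ("pay.example.test", "unlisted.example.test"):
        status, key = connect(card, SAMPLE_AID, SAMPLE_TA_KEY, host, 443)
        print(host, status, key.hex() if key else None)
```

Setting `card.enabled = False` models the issuer switching off the card: every later connection request is refused because the server list comes back empty.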
The terminal provided by the embodiments of the present invention is described below. The terminal of this embodiment supports a trusted execution environment (TEE). Referring to Fig. 3, the terminal 300 of this embodiment comprises:
a first acquiring unit 301, configured to obtain a connection request initiated by a trusted application to a destination server, the connection request comprising an identifier of the destination server;
a second acquiring unit 302, configured to obtain, through a modem, a server list stored in a smart card;
a judging unit 303, configured to determine, according to the identifier of the destination server, whether the destination server is included in the server list;
a processing unit 304, configured to allow the trusted application to establish a connection with the destination server when the destination server is included in the server list, and to refuse to let the trusted application establish a connection with the destination server when the destination server is not included in the server list.
In this embodiment, the judging unit uses the server list obtained from the smart card to determine whether the destination server that the trusted application asks to connect to is legitimate. The processing unit allows the trusted application to establish a connection with the destination server when the destination server is included in the server list, and refuses the connection when it is not. That is, in this embodiment the trusted application interacts with the destination server by means of the smart card, replacing the prior-art process in which the trusted application interacts with the destination server through the REE. The trusted server list is stored in the smart card. Because a smart card has a small chip and a single external port, among other features, it resists physical and software attacks better than the REE. Storing the trusted server list in the smart card therefore effectively prevents user information from being tampered with or attacked, ensures that the trusted application connects to a legitimate server, and improves the security of the TEE.
The terminal of the embodiments of the present invention is described further below. Referring to Fig. 4, the terminal 400 of this embodiment comprises:
a first acquiring unit 401, configured to obtain a connection request initiated by a trusted application to a destination server, the connection request comprising an identifier of the destination server;
a second acquiring unit 402, configured to obtain, through a modem, a server list stored in a smart card;
a judging unit 403, configured to determine, according to the identifier of the destination server, whether the destination server is included in the server list;
a processing unit 404, configured to allow the trusted application to establish a connection with the destination server when the destination server is included in the server list, and to refuse to let the trusted application establish a connection with the destination server when the destination server is not included in the server list;
a connection establishing unit 405, configured to establish the connection between the trusted application and the destination server by dial-up through the modem, or to establish the connection between the trusted application and the destination server over WIFI;
a sending unit 406, configured to, after the trusted application establishes a connection with the destination server, send to the smart card through the modem the identifier of the trusted application and the authentication data that the trusted application sends in response to the authentication request of the destination server, to request the smart card to authenticate the trusted application according to the authentication algorithm, stored in the smart card, that corresponds to the identifier of the trusted application, the authentication data comprising the identifier of the destination server;
wherein the judging unit 403 is further configured to determine whether the smart card's authentication result for the trusted application is success;
the terminal 400 further comprises a third acquiring unit 407, configured to, when the smart card's authentication result for the trusted application is success, obtain from the smart card, through the modem, a temporary communication key used to encrypt, decrypt, sign and verify the data transmitted between the trusted application and the destination server, the temporary communication key being generated by the smart card according to the identifier of the trusted application, the identifier of the destination server and a preset algorithm.
For ease of understanding, the interaction between the units of the terminal 400 provided by this embodiment is described below using a practical application scenario:
First, the terminal of this embodiment supports two running environments: the trusted execution environment TEE and the ordinary execution environment REE. The trusted application (Trusted Application, TA) runs in the trusted execution environment. The trusted application initiates a connection request to the destination server, and the first acquiring unit 401 obtains the connection request. The connection request contains the identifier of the destination server, which may include the address, port number and so on of the destination server.
Next, the second acquiring unit 402 obtains, through the modem, the server list stored in the smart card. The smart card may be a device that exists independently of the terminal; smart cards include the subscriber identity module (SIM) card, the Universal Integrated Circuit Card (UICC) and the embedded Universal Integrated Circuit Card (eUICC). The server list contains the servers that the trusted application needs to connect to for numerical processing and the servers it needs to connect to for maintenance. Numerical processing may include payment, verification, inquiry, reconciliation and so on; maintenance of the trusted application may include program updates, repair of software vulnerabilities, upgrades of security algorithms and so on.
The judging unit 403 judges whether the destination server is included in the server list. Specifically, the judging unit 403 judges whether the identifier of the destination server matches the identifier of a server contained in the server list. If it does, the destination server is considered to be included in the server list; otherwise, it is considered not to be included. The purpose of this check is to ensure that the destination server the trusted application connects to is a trusted server. When the result from the judging unit 403 is no, the processing unit 404 refuses the connection between the trusted application and the destination server; when the result is yes, it allows the connection.
When the processing unit 404 allows the trusted application to connect to the destination server, the connection establishing unit 405 establishes the connection between the trusted application and the destination server by modem dial-up or by WIFI.
After the trusted application and the destination server are connected, the destination server needs to authenticate the trusted application. The destination server can initiate an authentication request to the trusted application over the existing wireless link, and the trusted application responds to the request by returning authentication data. The first acquiring unit 401 obtains the authentication data, and the sending unit 406 sends the authentication data and the identifier of the trusted application to the smart card through the modem to request the smart card to authenticate the trusted application. The authentication data contains the identifier of the destination server.
The smart card stores different authentication algorithms. Each authentication algorithm corresponds to the application identifier (AID) of one trusted application and is used to authenticate that trusted application. The smart card authenticates the trusted application according to the authentication algorithm it stores for the AID of the trusted application, and returns the authentication result to the terminal.
The judging unit 403 judges whether the authentication result returned by the smart card is success. If it is, the third acquiring unit 407 obtains the provisional communication key from the smart card through the modem. The provisional communication key is generated by the smart card according to the identifier of the trusted application, the identifier of the destination server and a preset algorithm. The terminal uses the provisional communication key to encrypt, decrypt, sign or verify the data transmitted between the trusted application and the destination server, in order to protect the security and integrity of the data. Otherwise, the process ends.
Once the connection between the trusted application and the destination server is broken, the provisional communication key becomes invalid. That is, the trusted application uses a different provisional communication key for each communication with the destination server, so that even if one communication session is cracked, no greater loss results.
In addition, in this embodiment the server list, the authentication algorithms and the provisional communication key in the smart card are managed by the smart card issuer. That is, the smart card issuer holds the root key and the root certificate and is responsible for maintaining the data stored in the smart card, which includes writing, updating and deleting that data. The terminal does not hold the root key or the root certificate, which guarantees the uniqueness of the data stored in the smart card and improves the security of that data. The user can cancel the smart card through the smart card issuer, which avoids loss of the user's funds if the terminal is lost; the smart card issuer can disable the authentication function of the smart card by short message and delete the server list.
In this embodiment, the judging unit decides whether the destination server is legitimate according to the server list stored in the smart card, the sending unit sends the authentication data to the smart card so that the smart card authenticates the trusted application, and the third acquiring unit obtains from the smart card the provisional communication key used during communication. In other words, the trusted application interacts with the destination server through the smart card, rather than through the REE as in the prior art. Because the smart card itself resists physical and software attacks well, all confidential data involved in the communication between the trusted application and the destination server is obtained from the smart card, and the authentication of the trusted application is also carried out in the smart card. This embodiment therefore protects the trusted execution environment from malicious attack and from the implantation of malicious programs, thereby improving the security of the trusted execution environment.
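The flow walked through above (server list check, card-side authentication by AID, per-connection provisional key), as an added Python example that is not code from the patent. The HMAC-SHA256 challenge response, the card master key, the per-connection nonce and every name and value in it are assumptions; the patent only speaks of an "authentication algorithm" and a "preset algorithm".

```python
import hashlib
import hmac
import secrets


def canon(server_id):
    """Normalise "host:port" so the list check is an exact comparison."""
    host, _, port = server_id.strip().lower().rpartition(":")
    return f"{host.rstrip('.')}:{int(port)}"


def ta_auth_data(ta_key, server_id, challenge):
    """Authentication data the TA returns for the server's challenge (assumed format)."""
    msg = canon(server_id).encode() + challenge
    mac = hmac.new(ta_key, msg, hashlib.sha256).digest()
    return {"server_id": server_id, "challenge": challenge, "response": mac}


class SmartCard:
    """Stand-in for the SIM/UICC/eUICC; only the card issuer provisions it."""

    def __init__(self, server_list, auth_keys, master_key):
        self._servers = {canon(s) for s in server_list}
        self._auth_keys = dict(auth_keys)  # AID -> secret of that TA's algorithm
        self._master_key = master_key      # assumed input to the "preset algorithm"
        self.enabled = True                # the issuer can switch the card off

    def get_server_list(self):
        return frozenset(self._servers) if self.enabled else frozenset()

    def authenticate(self, aid, auth_data):
        """Verify the TA's response with the algorithm bound to its AID."""
        key = self._auth_keys.get(aid)
        if not self.enabled or key is None:
            return False
        try:
            msg = canon(auth_data["server_id"]).encode() + auth_data["challenge"]
            expected = hmac.new(key, msg, hashlib.sha256).digest()
            return hmac.compare_digest(expected, auth_data["response"])
        except (KeyError, ValueError, TypeError, AttributeError):
            return False                   # malformed data never authenticates

    def derive_temp_key(self, aid, server_id):
        """Provisional key from the TA id, the server id and a fresh nonce."""
        nonce = secrets.token_bytes(16)    # assumption: makes every session key unique
        info = aid.encode() + b"|" + canon(server_id).encode() + b"|" + nonce
        return hmac.new(self._master_key, info, hashlib.sha256).digest()


class Terminal:
    """Terminal-side gate between the trusted application and the network."""

    def __init__(self, card):
        self.card = card
        self._approved = set()             # (AID, server) pairs that passed the list check
        self._keys = {}                    # (AID, server) -> provisional key

    def request_connection(self, aid, server_id):
        """Allow the connection only if the server is on the card's list."""
        try:
            target = canon(server_id)
        except (ValueError, AttributeError):
            return False                   # unparsable identifier: refuse
        if target not in self.card.get_server_list():
            return False
        self._approved.add((aid, target))
        return True

    def authenticate(self, aid, auth_data):
        """Send auth data and AID to the card; fetch a key only on success."""
        try:
            target = canon(auth_data["server_id"])
        except (KeyError, ValueError, AttributeError):
            return None
        if (aid, target) not in self._approved:
            return None                    # no approved connection to that server
        if not self.card.authenticate(aid, auth_data):
            return None
        self._keys[(aid, target)] = self.card.derive_temp_key(aid, target)
        return self._keys[(aid, target)]

    def disconnect(self, aid, server_id):
        """Dropping the connection invalidates the provisional key."""
        pair = (aid, canon(server_id))
        self._approved.discard(pair)
        return self._keys.pop(pair, None) is not None


if __name__ == "__main__":
    # Constructed sample values, not taken from the patent.
    AID, TA_KEY = "AID-PAY-01", b"constructed-ta-secret"
    card = SmartCard(["pay.example.test:443"], {AID: TA_KEY}, b"constructed-master")
    term = Terminal(card)
    print("listed server:", term.request_connection(AID, "pay.example.test:443"))
    print("unlisted server:", term.request_connection(AID, "other.example.test:443"))
    data = ta_auth_data(TA_KEY, "pay.example.test:443", secrets.token_bytes(16))
    print("provisional key:", term.authenticate(AID, data).hex())
    print("key dropped on disconnect:", term.disconnect(AID, "pay.example.test:443"))
```

The list check compares the whole normalised identifier, so a listed host on an unlisted port is refused, and the terminal never asks the card for a key unless the connection was approved and the card-side authentication succeeded.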
Referring now to Fig. 5, which shows the structure of a terminal provided by an embodiment of the present invention; this terminal can be used to implement the method for improving the security of the trusted execution environment TEE provided by the above embodiments. For ease of description, only the parts relevant to the embodiment are shown; for technical details not disclosed here, refer to the method embodiments of the present invention. In practice, the terminal 500 may be a mobile phone, a tablet computer, a personal digital assistant (PDA) or a similar device. Specifically:
The terminal 500 may comprise an RF (radio frequency) circuit 510, a memory 520 including one or more computer-readable storage media, an input unit 530, a display unit 540, a sensor 550, an audio circuit 560, a WiFi (wireless fidelity) module 570, a processor 580 including one or more processing cores, a power supply 590 and other components. Those skilled in the art will understand that the structure shown in Fig. 5 does not limit the terminal 500, which may comprise more or fewer components than shown, combine some components, or arrange the components differently. Wherein:
The RF circuit 510 can be used to receive and send signals while sending and receiving messages or during a call. In particular, after receiving downlink information from a base station, it passes the information to one or more processors 580 for processing; it also sends uplink data to the base station. The RF circuit 510 typically includes, but is not limited to, an antenna, at least one amplifier, a tuner, one or more oscillators, a subscriber identity module (SIM) card, a transceiver, a coupler, an LNA (low noise amplifier), a duplexer and so on. The RF circuit 510 can also communicate with networks and other devices by wireless communication. The wireless communication may use any communication standard or protocol, including but not limited to GSM (Global System of Mobile communication), GPRS (General Packet Radio Service), CDMA (Code Division Multiple Access), WCDMA (Wideband Code Division Multiple Access), LTE (Long Term Evolution), e-mail, SMS (Short Messaging Service) and so on.
The memory 520 can be used to store software programs and modules; the processor 580 performs various functional applications and data processing by running the software programs and modules stored in the memory 520. The memory 520 may mainly comprise a program storage area and a data storage area. The program storage area can store the operating system and the application programs required by at least one function (such as a sound playback function or an image playback function); the data storage area can store data created through use of the device (such as audio data or a phone book). In addition, the memory 520 may comprise high-speed random access memory and may also comprise non-volatile memory, for example at least one magnetic disk storage device, a flash memory device, or another volatile solid-state storage device. Correspondingly, the memory 520 may also comprise a memory controller to provide the processor 580 and the input unit 530 with access to the memory 520.
The input unit 530 can be used to receive input digits or characters and to generate keyboard, mouse, joystick, optical or trackball signal input related to user settings and function control. Specifically, the input unit 530 may comprise a touch-sensitive surface 531 and other input devices 532. The touch-sensitive surface 531, also called a touch display screen or touchpad, can collect touch operations by the user on or near it (for example, operations performed by the user on or near the touch-sensitive surface 531 with a finger, a stylus or any other suitable object or accessory) and drive the corresponding connected device according to a preset program. Optionally, the touch-sensitive surface 531 may comprise two parts, a touch detection device and a touch controller. The touch detection device detects the position of the user's touch, detects the signal produced by the touch operation, and sends the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts it into contact coordinates, sends them to the processor 580, and can receive and execute commands sent by the processor 580. The touch-sensitive surface 531 can be implemented in several types, such as resistive, capacitive, infrared and surface acoustic wave. Besides the touch-sensitive surface 531, the input unit 530 may also comprise other input devices 532. Specifically, the other input devices 532 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys or a power key), a trackball, a mouse, a joystick and so on.
The display unit 540 can be used to display information entered by the user or provided to the user, as well as the various graphical user interfaces of the terminal 500; these graphical user interfaces can be composed of graphics, text, icons, video and any combination of them. The display unit 540 may comprise a display panel 541, which may optionally be configured as an LCD (Liquid Crystal Display), an OLED (Organic Light-Emitting Diode) display or the like. Further, the touch-sensitive surface 531 may cover the display panel 541. When the touch-sensitive surface 531 detects a touch operation on or near it, it passes the operation to the processor 580 to determine the type of touch event, and the processor 580 then provides the corresponding visual output on the display panel 541 according to the type of touch event. Although in Fig. 5 the touch-sensitive surface 531 and the display panel 541 implement the input and output functions as two independent components, in some embodiments the touch-sensitive surface 531 and the display panel 541 can be integrated to implement the input and output functions.
The terminal 500 may also comprise at least one sensor 550, such as an optical sensor, a motion sensor or another sensor. Specifically, the optical sensor may comprise an ambient light sensor and a proximity sensor: the ambient light sensor can adjust the brightness of the display panel 541 according to the ambient light, and the proximity sensor can switch off the display panel 541 and/or the backlight when the terminal 500 is moved to the ear. As one kind of motion sensor, a gravity acceleration sensor can detect the magnitude of acceleration in all directions (generally three axes), and can detect the magnitude and direction of gravity when at rest; it can be used in applications that recognise the attitude of the terminal 500 (such as switching between landscape and portrait, related games, and magnetometer attitude calibration) and in vibration-recognition functions (such as a pedometer or tap detection). Other sensors that the terminal 500 may also be equipped with, such as a gyroscope, barometer, hygrometer, thermometer or infrared sensor, are not described here.
The audio circuit 560, the loudspeaker 561 and the microphone 562 can provide an audio interface between the user and the terminal 500. The audio circuit 560 can convert received audio data into an electrical signal and transmit it to the loudspeaker 561, which converts it into a sound signal for output. In the other direction, the microphone 562 converts a collected sound signal into an electrical signal, which the audio circuit 560 receives and converts into audio data; after the audio data is output to the processor 580 and processed, it is sent through the RF circuit 510 to, for example, another terminal, or output to the memory 520 for further processing. The audio circuit 560 may also comprise an earphone jack to provide communication between a peripheral earphone and the terminal 500.
WiFi is a short-range wireless transmission technology. Through the WiFi module 570, the terminal 500 can help the user send and receive e-mail, browse web pages, access streaming media and so on; it provides the user with wireless broadband Internet access. Although Fig. 5 shows the WiFi module 570, it is understood that the module is not an essential part of the terminal 500 and can be omitted as required without changing the essence of the invention.
The processor 580 is the control centre of the terminal 500. It connects the various parts of the whole terminal through various interfaces and lines, and performs the various functions of the device and processes data by running or executing the software programs and/or modules stored in the memory 520 and calling the data stored in the memory 520, thereby monitoring the device as a whole. Optionally, the processor 580 may comprise one or more processing cores. Preferably, the processor 580 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, the user interface, application programs and so on, and the modem processor mainly handles wireless communication. It is understood that the modem processor may also not be integrated into the processor 580.
The terminal 500 also comprises a power supply 590 (such as a battery) that powers all the components. Preferably, the power supply is logically connected to the processor 580 through a power management system, so that charging, discharging, power consumption management and similar functions are handled by the power management system. The power supply 590 may also comprise any of one or more DC or AC power sources, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator and other such components.
Although not shown, the terminal 500 may also comprise a camera, a Bluetooth module and so on, which are not described here. Specifically, in this embodiment the terminal 500 comprises a memory 520 and one or more programs, where the one or more programs are stored in the memory 520 and configured to be executed by one or more processors 580, and contain instructions for performing the following operations:
Obtaining the connection request that the trusted application initiates to the destination server, the connection request containing the identifier of the destination server;
Obtaining, through the modem, the server list stored in the smart card;
Judging, according to the identifier of the destination server, whether the destination server is included in the server list;
If so, allowing the trusted application to establish a connection with the destination server; if not, refusing the connection between the trusted application and the destination server.
It should be noted that the terminal 500 provided by the embodiment of the present invention can also be used to implement the other functions of the above device embodiments, which are not repeated here.
The embodiment of the present invention also provides a system for improving the security of the trusted execution environment TEE. Referring to Fig. 6, the system comprises a terminal 601, a smart card 602 and a server 603. Wherein:
The terminal 601 is configured to: obtain the connection request that the trusted application initiates to the destination server, the connection request containing the identifier of the destination server; obtain, through the modem, the server list stored in the smart card; judge, according to the identifier of the destination server, whether the destination server is included in the server list; if so, allow the trusted application to establish a connection with the destination server, and if not, refuse the connection. The terminal 601 supports the trusted execution environment TEE, and the trusted application executes in the trusted execution environment;
The smart card 602 is configured to store the server list;
The server 603 is configured to establish a connection with the trusted application when the destination server is included in the server list.
In addition, the terminal 601 in this embodiment can also be used to implement the other functions of the above device embodiments, which are not repeated here.
The above embodiments are all described with the smart card and the terminal existing independently as an example. In practice, the smart card may also be contained in the terminal; for example, the smart card is a SIM card, the terminal is a mobile phone, and the SIM card is inserted into the card slot of the mobile phone. No specific limitation is made here.
It should be noted that the device embodiments described above are only schematic. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network elements. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of this embodiment. In addition, in the drawings of the device embodiments provided by the present invention, a connection between modules indicates that they have a communication connection, which can be implemented as one or more communication buses or signal lines. A person of ordinary skill in the art can understand and implement this without creative effort.
From the above description of the embodiments, those skilled in the art can clearly understand that the present invention can be implemented by software plus the necessary general-purpose hardware, and of course also by dedicated hardware including application-specific integrated circuits, dedicated CPUs, dedicated memory, dedicated components and so on. In general, any function performed by a computer program can easily be implemented with corresponding hardware, and the specific hardware structures used to implement the same function can be diverse, such as analog circuits, digital circuits or dedicated circuits. For the present invention, however, implementation by software program is in most cases the better embodiment. Based on this understanding, the technical scheme of the present invention in essence, or the part of it that contributes to the prior art, can be embodied in the form of a software product. The computer software product is stored in a readable storage medium, such as a computer floppy disk, USB flash drive, portable hard drive, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), magnetic disk or optical disc, and comprises instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the methods described in the embodiments of the present invention.
The method, system and terminal for improving the security of the trusted execution environment TEE provided by the embodiments of the present invention have been described in detail above. A person of ordinary skill in the art may, following the idea of the embodiments of the present invention, make changes to the specific implementation and the scope of application; therefore, this description should not be construed as limiting the present invention.
Claims (15)
1. A method for improving the security of a trusted execution environment TEE, characterized by comprising:
Obtaining the connection request that a trusted application initiates to a destination server, the connection request containing the identifier of the destination server;
Obtaining, through a modem, the server list stored in a smart card;
Judging, according to the identifier of the destination server, whether the destination server is included in the server list;
If so, allowing the trusted application to establish a connection with the destination server; if not, refusing the connection between the trusted application and the destination server.
2. The method of claim 1, characterized in that, after the trusted application and the destination server are connected, the method further comprises:
Sending the identifier of the trusted application to the smart card through the modem, to request the smart card to authenticate the trusted application according to the authentication algorithm stored in the smart card that corresponds to the identifier of the trusted application.
3. The method of claim 2, characterized in that, when the identifier of the trusted application is sent to the smart card through the modem, the authentication data that the trusted application sends in response to the authentication request of the destination server is also sent to the smart card through the modem, the authentication data containing the identifier of the destination server;
After requesting the smart card to authenticate the trusted application, the method further comprises:
Judging whether the smart card's authentication of the trusted application succeeded;
When the smart card's authentication of the trusted application succeeds, obtaining from the smart card through the modem the provisional communication key used to encrypt, decrypt, sign or verify the data transmitted between the trusted application and the destination server, the provisional communication key being generated by the smart card according to the identifier of the trusted application, the identifier of the destination server and a preset algorithm.
4. The method of claim 3, characterized in that the server list, the authentication algorithm and the provisional communication key in the smart card are managed by the smart card issuer.
5. The method of any one of claims 1 to 4, characterized in that the smart card comprises: a subscriber identity module (SIM) card, a Universal Integrated Circuit Card (UICC) and an embedded Universal Integrated Circuit Card (eUICC).
6. The method of any one of claims 1 to 4, characterized in that the connection between the trusted application and the destination server is established by dial-up through the modem, or the connection between the trusted application and the destination server is established by WIFI.
7. The method of any one of claims 1 to 4, characterized in that the server list contains the servers that the trusted application needs to connect to for numerical processing and the servers it needs to connect to for maintenance.
8. A terminal supporting a trusted execution environment TEE, characterized by comprising:
A first acquiring unit, configured to obtain the connection request that a trusted application initiates to a destination server, the connection request containing the identifier of the destination server;
A second acquiring unit, configured to obtain, through a modem, the server list stored in a smart card;
A judging unit, configured to judge, according to the identifier of the destination server, whether the destination server is included in the server list;
A processing unit, configured to allow the trusted application to establish a connection with the destination server when the destination server is included in the server list, and to refuse the connection between the trusted application and the destination server when the destination server is not included in the server list.
9. The terminal of claim 7, characterized in that the terminal further comprises:
A sending unit, configured to, after the trusted application and the destination server are connected, send the identifier of the trusted application to the smart card through the modem, to request the smart card to authenticate the trusted application according to the authentication algorithm stored in the smart card that corresponds to the identifier of the trusted application.
10. The terminal of claim 8, characterized in that:
The sending unit is further configured to, when sending the identifier of the trusted application to the smart card through the modem, also send to the smart card through the modem the authentication data that the trusted application sends in response to the authentication request of the destination server, the authentication data containing the identifier of the destination server;
The judging unit is further configured to judge whether the smart card's authentication of the trusted application succeeded;
The terminal further comprises:
A third acquiring unit, configured to, when the smart card's authentication of the trusted application succeeds, obtain from the smart card through the modem the provisional communication key used to encrypt, decrypt, sign or verify the data transmitted between the trusted application and the destination server, the provisional communication key being generated by the smart card according to the identifier of the trusted application, the identifier of the destination server and a preset algorithm.
11. The terminal of claim 10, characterized in that the server list, the authentication algorithm and the provisional communication key in the smart card are managed by the smart card issuer.
12. The terminal of any one of claims 8 to 11, characterized in that the smart card comprises: a subscriber identity module (SIM) card, a Universal Integrated Circuit Card (UICC) and an embedded Universal Integrated Circuit Card (eUICC).
13. The terminal of any one of claims 8 to 11, characterized in that the terminal further comprises:
A connection establishing unit, configured to establish the connection between the trusted application and the destination server by dial-up through the modem, or to establish the connection between the trusted application and the destination server by WIFI.
14. The terminal of any one of claims 8 to 11, characterized in that the server list contains the servers that the trusted application needs to connect to for numerical processing and the servers it needs to connect to for maintenance.
15. A system for improving the security of a trusted execution environment TEE, characterized in that the system comprises a server, a smart card and the terminal of any one of claims 8 to 14.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410308622.0A CN104125216B (en) | 2014-06-30 | 2014-06-30 | A kind of method, system and terminal for lifting credible performing environment security |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410308622.0A CN104125216B (en) | 2014-06-30 | 2014-06-30 | A kind of method, system and terminal for lifting credible performing environment security |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104125216A true CN104125216A (en) | 2014-10-29 |
CN104125216B CN104125216B (en) | 2017-12-15 |
Family
ID=51770480
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410308622.0A Active CN104125216B (en) | 2014-06-30 | 2014-06-30 | A kind of method, system and terminal for lifting credible performing environment security |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104125216B (en) |
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102573015A (en) * | 2008-05-31 | 2012-07-11 | 华为技术有限公司 | Network selection method, system and device |
CN101867966A (en) * | 2009-04-16 | 2010-10-20 | 中兴通讯股份有限公司 | Method for reporting measurement report of closed user group cell |
CN102111477A (en) * | 2011-02-25 | 2011-06-29 | 宇龙计算机通信科技(深圳)有限公司 | Method, terminal and smart card for terminal security verification |
US20130109352A1 (en) * | 2011-10-27 | 2013-05-02 | T-Mobile USA, Inc | Mobile Device-Type Locking |
CN102542698A (en) * | 2011-12-27 | 2012-07-04 | 浙江省电力公司 | Safety protective method of electric power mobile payment terminal |
WO2014040724A1 (en) * | 2012-09-11 | 2014-03-20 | Giesecke & Devrient Gmbh | Content management for mobile station with runtime environment |
CN103745155A (en) * | 2014-01-03 | 2014-04-23 | 东信和平科技股份有限公司 | Credible Key and safe operation method thereof |
CN103793815A (en) * | 2014-01-23 | 2014-05-14 | 武汉天喻信息产业股份有限公司 | Mobile intelligent terminal acquirer system and method suitable for bank cards and business cards |
Non-Patent Citations (1)
Title |
---|
ZAHEER AHMAD ET AL: "Enhancing the Security of Mobile Applications by Using TEE and (U)SIM", 《2013 IEEE 10TH INTERNATIONAL CONFERENCE ON UBIQUITOUS INTELLIGENCE AND COMPUTING AND 10TH INTERNATIONAL CONFERENCE ON AUTONOMIC AND TRUSTED COMPUTING (UIC/ATC)》 * |
Cited By (58)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107111715B (en) * | 2014-12-16 | 2020-11-10 | 英特尔公司 | Using a trusted execution environment for security of code and data |
CN107111715A (en) * | 2014-12-16 | 2017-08-29 | 英特尔公司 | Credible performing environment is used for the security of code and data |
CN110971591B (en) * | 2015-03-16 | 2022-04-05 | 创新先进技术有限公司 | Method and system for multi-process access to trusted application |
CN110971591A (en) * | 2015-03-16 | 2020-04-07 | 阿里巴巴集团控股有限公司 | Method and system for multi-process access to trusted application |
CN107211026A (en) * | 2015-03-22 | 2017-09-26 | 苹果公司 | It is intended to the method and apparatus of checking for the user authentication in mobile device and the mankind |
US10856148B2 (en) | 2015-03-22 | 2020-12-01 | Apple Inc. | Methods and apparatus for user authentication and human intent verification in mobile devices |
CN107211026B (en) * | 2015-03-22 | 2021-01-08 | 苹果公司 | Method and apparatus for user authentication and human intent verification in mobile devices |
CN106200891A (en) * | 2015-05-08 | 2016-12-07 | 阿里巴巴集团控股有限公司 | The display method of user interface, Apparatus and system |
US10788984B2 (en) | 2015-05-08 | 2020-09-29 | Alibaba Group Holding Limited | Method, device, and system for displaying user interface |
CN106200891B (en) * | 2015-05-08 | 2019-09-06 | 阿里巴巴集团控股有限公司 | Show the method, apparatus and system of user interface |
CN105631364A (en) * | 2015-05-20 | 2016-06-01 | 宇龙计算机通信科技(深圳)有限公司 | Security property switching method, security property switching apparatus and terminal |
CN107592964B (en) * | 2015-06-09 | 2021-05-28 | 英特尔公司 | System, apparatus and method for multi-owner transfer of ownership of a device |
CN107592964A (en) * | 2015-06-09 | 2018-01-16 | 英特尔公司 | Systems, devices and methods for the multiple-owner transfer of the ownership of equipment |
CN106453196A (en) * | 2015-08-04 | 2017-02-22 | 中国移动通信集团公司 | Secret key writing device, system and method for trusted execution environment |
CN106453196B (en) * | 2015-08-04 | 2020-01-07 | 中国移动通信集团公司 | Key writing device, system and method for trusted execution environment |
US10432611B2 (en) | 2015-08-07 | 2019-10-01 | Alibaba Group Holding Limited | Transaction processing method and client based on trusted execution environment |
CN105447387B (en) * | 2015-11-05 | 2018-06-19 | 工业和信息化部电信研究院 | The method and device of trusted application detection based on hardware isolated environment |
CN105447387A (en) * | 2015-11-05 | 2016-03-30 | 工业和信息化部电信研究院 | Trusted application detection method and apparatus based on hardware isolation environment |
US11100227B2 (en) | 2015-11-25 | 2021-08-24 | Huawei Technologies Co., Ltd. | Security indication information configuration method and device |
CN107077565A (en) * | 2015-11-25 | 2017-08-18 | 华为技术有限公司 | The collocation method and equipment of a kind of safe configured information |
CN107077565B (en) * | 2015-11-25 | 2019-11-26 | 华为技术有限公司 | A kind of configuration method and equipment of safety instruction information |
CN106936774B (en) * | 2015-12-29 | 2020-02-18 | 中国电信股份有限公司 | Authentication method and system in trusted execution environment |
CN106936774A (en) * | 2015-12-29 | 2017-07-07 | 中国电信股份有限公司 | Authentication method and system in credible performing environment |
CN105678183A (en) * | 2015-12-30 | 2016-06-15 | 青岛海信移动通信技术股份有限公司 | User data management method and device for intelligent terminal |
CN105678183B (en) * | 2015-12-30 | 2018-09-18 | 青岛海信移动通信技术股份有限公司 | A kind of user data management and device of intelligent terminal |
CN105656890B (en) * | 2015-12-30 | 2018-11-06 | 深圳数字电视国家工程实验室股份有限公司 | A kind of FIDO authenticators and system and method based on TEE and without line justification |
CN105656890A (en) * | 2015-12-30 | 2016-06-08 | 深圳数字电视国家工程实验室股份有限公司 | FIDO (Fast Identity Online) authenticator, system and method based on TEE (Trusted Execution Environment) and wireless confirmation |
CN110176987A (en) * | 2016-02-02 | 2019-08-27 | 阿里巴巴集团控股有限公司 | A kind of method, apparatus, equipment and the computer storage medium of equipment certification |
CN107924449A (en) * | 2016-03-18 | 2018-04-17 | 华为技术有限公司 | A kind of notification message processing method, device and terminal |
CN107924449B (en) * | 2016-03-18 | 2020-03-10 | 华为技术有限公司 | Notification message processing method and device and terminal |
CN105809036B (en) * | 2016-04-01 | 2019-05-10 | 中国银联股份有限公司 | A kind of TEE access control method and the mobile terminal for realizing this method |
CN105809036A (en) * | 2016-04-01 | 2016-07-27 | 中国银联股份有限公司 | TEE access control method and mobile terminal for achieving same |
CN106102054A (en) * | 2016-05-27 | 2016-11-09 | 深圳市雪球科技有限公司 | A kind of method and communication system that safe unit is carried out safety management |
CN105978917A (en) * | 2016-07-19 | 2016-09-28 | 恒宝股份有限公司 | System and method for trusted application security authentication |
CN108235767A (en) * | 2016-11-03 | 2018-06-29 | 华为技术有限公司 | A kind of partition method, device and terminal for paying application |
US11762983B2 (en) | 2016-11-03 | 2023-09-19 | Huawei Technologies Co., Ltd. | Payment application isolation method and apparatus, and terminal |
WO2019051935A1 (en) * | 2017-09-18 | 2019-03-21 | Huawei Technologies Co., Ltd. | Securing delegated credentials in third-party networks |
US10511575B2 (en) | 2017-09-18 | 2019-12-17 | Huawei Technologies Co., Ltd. | Securing delegated credentials in third-party networks |
CN108614711A (en) * | 2018-04-20 | 2018-10-02 | 北京握奇智能科技有限公司 | TA mirrored storages method, apparatus and terminal |
CN109005029A (en) * | 2018-06-25 | 2018-12-14 | 北京迪曼森科技有限公司 | Trusted application mark generation method and system, application method and apply end equipment |
CN109005029B (en) * | 2018-06-25 | 2019-08-16 | 北京迪曼森科技有限公司 | Trusted application mark generation method and system, application method and apply end equipment |
CN111712815A (en) * | 2018-08-14 | 2020-09-25 | 华为技术有限公司 | Artificial intelligence AI processing method and AI processing device |
US11954204B2 (en) | 2018-08-14 | 2024-04-09 | Huawei Technologies Co., Ltd. | Artificial intelligence AI processing method and AI processing apparatus |
CN109150900A (en) * | 2018-09-18 | 2019-01-04 | 温州职业技术学院 | A kind of information security of computer network system |
CN109831775A (en) * | 2019-02-02 | 2019-05-31 | 华为技术有限公司 | A kind of processor, baseband chip and SIM card information transmission method |
CN109831775B (en) * | 2019-02-02 | 2021-12-03 | 华为数字技术(苏州)有限公司 | Processor, baseband chip and SIM card information transmission method |
CN110941825A (en) * | 2019-12-13 | 2020-03-31 | 支付宝(杭州)信息技术有限公司 | Application monitoring method and device |
CN110941825B (en) * | 2019-12-13 | 2022-05-27 | 支付宝(杭州)信息技术有限公司 | Application monitoring method and device |
WO2021164166A1 (en) * | 2020-02-20 | 2021-08-26 | 苏州浪潮智能科技有限公司 | Service data protection method, apparatus and device, and readable storage medium |
CN112329071A (en) * | 2020-12-16 | 2021-02-05 | 支付宝(杭州)信息技术有限公司 | Privacy data processing method, system, device and equipment |
CN112784249A (en) * | 2021-01-25 | 2021-05-11 | 公安部第三研究所 | Method, system, processor and computer readable storage medium for implementing mobile terminal authentication processing under non-identification condition |
CN112784249B (en) * | 2021-01-25 | 2024-03-22 | 公安部第三研究所 | Method, system, processor and computer readable storage medium for implementing mobile terminal authentication processing under no-identification condition |
CN112926046A (en) * | 2021-03-26 | 2021-06-08 | 公安部第三研究所 | Method and system for authenticating anonymous identification information of mobile terminal equipment for protecting equipment identification information |
CN112926046B (en) * | 2021-03-26 | 2024-04-19 | 公安部第三研究所 | Mobile terminal equipment anonymous identification information authentication method for protecting equipment identification information |
CN113572789A (en) * | 2021-08-17 | 2021-10-29 | 四川启睿克科技有限公司 | Secret-free login system and method for Internet of things intelligent equipment application |
CN115048642B (en) * | 2021-11-29 | 2023-04-25 | 荣耀终端有限公司 | Communication method between trusted applications in multi-trusted execution environment and electronic equipment |
CN115048642A (en) * | 2021-11-29 | 2022-09-13 | 荣耀终端有限公司 | Communication method between trusted applications in multiple trusted execution environments and electronic equipment |
WO2023174393A1 (en) * | 2022-03-18 | 2023-09-21 | 维沃移动通信有限公司 | Security evaluation method and apparatus, electronic device, and readable storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN104125216B (en) | 2017-12-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104125216A (en) | Method, system and terminal capable of improving safety of trusted execution environment | |
EP3200487B1 (en) | Message processing method and apparatus | |
US9703971B2 (en) | Sensitive operation verification method, terminal device, server, and verification system | |
CN104901805B (en) | A kind of identification authentication methods, devices and systems | |
CN103634294A (en) | Information verifying method and device | |
CN105704123A (en) | Business processing method, device and system | |
CN106713266B (en) | Method, device, terminal and system for preventing information leakage | |
CN104572325A (en) | Progressive response form processing method and terminal | |
WO2014108005A1 (en) | Co-verification method, two-dimensional code generation method, and device and system therefor | |
CN106709347B (en) | Using the method and device of operation | |
CN109873794B (en) | Protection method for denial of service attack and server | |
CN104852885A (en) | Method, device and system for verifying verification code | |
CN104967593A (en) | Identity verification method, apparatus and system | |
CN104993961A (en) | Equipment control methods, devices and system | |
CN106570358A (en) | Method and device for setting application permissions | |
WO2015078274A1 (en) | Devices and methods for password storage | |
CN104965722A (en) | Method and apparatus for displaying information | |
CN108090345B (en) | Linux system external command execution method and device | |
CN104901991A (en) | Methods, devices and system for transferring virtual resource | |
CN104158790A (en) | User login method, device and equipment | |
CN104735657A (en) | Security terminal verification method, device and system and wireless access point binding method | |
CN104901806A (en) | Method, device and system for processing virtual resources | |
CN103546887A (en) | Application software transmitting method, device and terminal and server | |
CN104573437A (en) | Information authentication method, device and terminal | |
US11516654B2 (en) | Method for automatically encrypting short message, storage device and mobile terminal |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||