CN105871539A - Secret key processing method and apparatus - Google Patents

Secret key processing method and apparatus Download PDF

Info

Publication number
CN105871539A
CN105871539A CN 201610156470 CN201610156470A CN105871539A CN 105871539 A CN105871539 A CN 105871539A CN 201610156470 CN201610156470 CN 201610156470 CN 201610156470 A CN201610156470 A CN 201610156470A CN 105871539 A CN105871539 A CN 105871539A
Authority
CN
Grant status
Application
Patent type
Prior art keywords
key
command
module
slot
slots
Prior art date
Application number
CN 201610156470
Other languages
Chinese (zh)
Inventor
施迅
余发江
赵波
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communication including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material
    • G06F21/12Protecting executable software
    • G06F21/121Restricting unauthorised execution of programs
    • G06F21/123Restricting unauthorised execution of programs by using dedicated hardware, e.g. dongles, smart cards, cryptographic processors, global positioning systems [GPS] devices
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0877Generation of secret information including derivation or calculation of cryptographic keys or passwords using additional device, e.g. trusted platform module [TPM], smartcard, USB or hardware security module [HSM]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communication
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/0897Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB

Abstract

The embodiment of the invention provides a secret key processing method and apparatus, relates to the field of communications, and can avoid returning an error code representing that a space is full in the secret key loading process and ensure that secret keys are successfully loaded. The secret key processing method comprises the steps of acquiring a secret key loading command, wherein the secret key loading command indicates to load a first secret key on a TPM (Trusted Platform Module) chip; if all secret key slots in the TPM chip are in a non-idle state, releasing a first secret key slot in all the secret key slots in the TPM chip; and according to the secret key loading command, loading the first secret key in the first secret key slot.

Description

—种密钥处理方法及装置 - kind of key processing method and apparatus

技术领域 FIELD

[0001]本发明涉及通信领域,尤其涉及一种密钥处理方法及装置。 [0001] The present invention relates to the field of communications, particularly to a method and apparatus for processing key.

背景技术 Background technique

[0002]在通信系统中,为了保证数据的安全,终端设备(Terminal Device)通常需要使用密钥对数据进行加密,这些密钥一旦泄露,与其相关的被加密数据的机密性将受到严重影响。 [0002] In a communication system, in order to ensure data security, the terminal equipment (Terminal Device) usually uses a key to encrypt the data, these keys when disclosed, is associated with the encrypted confidential data will be seriously affected. 因此必须提供安全保护机制,防止密钥以明文的形式保存在系统或代码中。 Therefore it must provide security mechanisms to prevent keys in clear text or code stored in the system. TPM(Trusted Platform Module,可信平台模块)是常用的一种密钥保护方案,通过集成密钥和加解密运算引擎,能够提供基于硬件的敏感信息安全存储功能。 TPM (Trusted Platform Module, Trusted Platform Module) is commonly used as a protection key scheme, through the integration of key decryption operations and processing engine, to provide hardware-based security sensitive information storage function. TPM芯片是一种符合TPM标准的芯片,其中,TPM标准是由TCG(Trusted Computing Group,可信计算组织)提出的,该标准通过在计算机系统中嵌入一个包含密钥生成、加解密计算、安全存储和防篡改功能的芯片,使非法用户无法对其内部的数据进行访问更改,从而确保了数据加密的安全性。 TPM chip is a standard in line with TPM chip, wherein, TPM standard is proposed by the TCG (Trusted Computing Group, the Trusted Computing Group), by embedding of the standard in a computer system comprising a key generation, encryption and decryption computing, security chip memory and tamper-resistant features, so that unauthorized users can not access changes to its internal data, ensuring data encryption security.

[0003]现有技术中,通常一个TPM芯片内具有5至10个密钥插槽,密钥只有装载在密钥插槽内,才能被应用程序调用。 [0003] In the prior art, usually within a TPM chip having 5-10 key slot, the key is loaded only in the key slot, an application can be called. 若TPM芯片的密钥插槽已被占满,且仍有应用程序试图进行密钥装载时,TPM芯片就会返回空间已满的错误码。 If the TPM chip key slot is already filled, and there is still an application tries to perform key when loading, is full TPM chip returns an error code.

发明内容 SUMMARY

[0004]本发明实施例提供一种密钥处理方法及装置,能够避免在密钥装载时返回空间已满的错误码,保证密钥装载的顺利进行。 Embodiments provide a key processing method and apparatus [0004] according to the present invention, it is possible to avoid the error code returned is full at the time the key is loaded, to ensure smooth loading key.

[0005]为达到上述目的,本发明的实施例采用如下技术方案: [0005] To achieve the above object, embodiments of the present invention adopts the following technical solutions:

[0006]第一方面,本发明实施例提供一种密钥处理方法,包括: [0006] In a first aspect, embodiments of the present invention provides a key processing method, comprising:

[0007]首先,获取密钥装载命令,密钥装载命令指示在可信平台模块TPM芯片装载第一密钥;其次,判断TPM芯片内的所有密钥插槽是否均处于非空闲状态,若TPM芯片内的所有密钥插槽均处于非空闲状态,则释放TPM芯片内所有密钥插槽中的第一密钥插槽;最后,根据密钥装载命令,在第一密钥插槽上装载第一密钥。 [0007] First, a load command key, the key mount command indicating a trusted platform module TPM chip mounting a first key; secondly, it is determined whether all the keys in the TPM chip slots are in a non-idle state, if the TPM All keys within the chip slots are in a non-idle state, a first key is released all slots in the TPM chip key slots; Finally, the load command key, loaded on the first key slot The first key.

[0008]本发明实施例提供的密钥处理方法中,由于在获取指示在可信平台模块TPM芯片装载第一密钥的密钥装载命令,且TPM芯片内的所有密钥插槽均处于非空闲状态时,密钥处理装置能够释放所述TPM芯片内所有密钥插槽中的第一密钥插槽,并根据密钥装载命令,在所述第一密钥插槽上装载所述第一密钥。 [0008] The embodiment of the present invention is provided a key processing method, since the load obtaining command indicating a trusted platform module TPM chip mounting key the first key, and all keys in the TPM chip slots are in a non- when idle, the key processing apparatus capable of releasing a first key slots in all keys of the TPM chip slots, and the load command based on the key, said first load on the first key slot a key. 因此,能够避免在密钥装载时返回空间已满的错误码,保证密钥装载的顺利进行,合理地使用TPM芯片内存空间资源。 Accordingly, it is possible to avoid the error code returned is full at the time the key is loaded, to ensure smooth loading of the key, the rational use of the TPM chip memory resources.

[0009]可选的,所述方法还包括: [0009] Optionally, the method further comprising:

[0010]在释放所述第一密钥插槽前,确认TPM芯片内的所有密钥插槽与密钥的映射关系。 [0010] In releasing the key slot before the first, confirm that all the mapping relationship with the key slot of the key in the TPM chip. [0011 ]可选的,释放TPM芯片内所有密钥插槽中的第一密钥插槽,具体包括: [0011] Alternatively, the release of the first key slot TPM chip keys in all slots, comprises:

[0012]获取第一密钥插槽的标识,其中,占用第一密钥插槽的密钥为占用所有密钥插槽的密钥中使用次数最少的密钥,或者,占用第一密钥插槽的密钥为占用所有密钥插槽的密钥中最早装载的密钥;以及根据第一密钥插槽的标识,指示TPM芯片释放第一密钥插槽。 [0012] obtains the identifier of the first key slot, wherein the first key slot occupied key to occupy all the keys in the key slots with a minimum number of keys, or the key occupies the first a key slot to occupy all the keys in the key slot of the key in the first loading; and according to the identifier of the first key slot, indicating release of the first key slot TPM chip.

[0013]本发明实施例提供的密钥处理方法中,占用所述第一密钥插槽的密钥为占用所有密钥插槽的密钥中使用次数最少的密钥,或者,占用所述第一密钥插槽的密钥为占用所有密钥插槽的密钥中最早装载的密钥。 [0013] embodiment of the present invention is provided a key processing method, the occupancy of the first key in the key slot to take up all keys in the key slots with a minimum number of keys, or occupying the the first key in the key slot to occupy all the keys in the key slot of the key in the first loaded. 通过合理的方式选择第一密钥插槽,尽可能地保证在装载第一密钥时其他密钥插槽不受影响。 Selecting a first key slot in a reasonable manner, as much as possible to ensure that during the loading the first key slot other key is not affected.

[0014]可选的,所述方法还包括: [0014] Optionally, the method further comprising:

[0015]在释放第一密钥插槽前,保存占用第一密钥插槽的密钥的现场记录。 [0015] Before the release of the first key slot, occupied the first key in the key slot to save the recording scene.

[0016]本发明实施例提供的密钥处理方法中,在释放第一密钥插槽前,保存占用第一密钥插槽的密钥的现场记录,以使得下次再装载该密钥时,能够直接恢复该密钥的现场记录,实现密钥的快速装载。 [0016] When the embodiment of the present invention is provided a key processing method, prior to the release of the first key slot, occupies a first key stored in the key slot of the recording site, so that the next time the key is loaded to directly recover the key field record, fast loading key.

[0017]可选的,所述方法还包括: [0017] Optionally, the method further comprising:

[0018]在第一插槽上装载第一密钥时,确认存储器中存储有第一密钥的现场记录,获取并恢复第一密钥的现场记录。 [0018] When loading a first slot on a first key, stored in the memory to confirm live recording the first key, and acquires the first key recovery field recording.

[0019]本发明实施例提供的密钥处理方法中,在第一插槽上装载第一密钥时,若存储器中存储有第一密钥的现场记录,也可以直接恢复第一密钥的现场记录,实现密钥的快速装载。 [0019] The key processing method according to an embodiment of the present invention, the first key is loaded on the first slot, if there is stored in the memory recording the first key field, can be recovered directly of the first key live recording, fast loading key.

[0020]可选的,所述方法还包括: [0020] Optionally, the method further comprising:

[0021]在第一密钥插槽上装载第一密钥时,记录第一密钥插槽与第一密钥的映射关系,以便根据映射关系从第一密钥插槽获取到第一密钥。 [0021] When loading the first key in the first key slot, recording the first key mapping relationship between the first key slot, so as to obtain a first slot from the first cipher key according to the mapping relation key.

[0022]可选的,所述方法还包括: [0022] Optionally, the method further comprising:

[0023]获取密钥释放命令,密钥释放命令用于触发TPM芯片释放占用TPM芯片内的第二密钥插槽的第二密钥; [0023] to obtain a key release command, a release command key for triggering the release of the TPM chip occupies a second second key slot in the TPM chip;

[0024]根据密钥释放命令,在第二密钥插槽上释放第二密钥; [0024] The key release command to release a second key on a second key slot;

[0025]在第二密钥插槽上释放第二密钥时,删除第二密钥插槽与第二密钥的映射关系。 [0025] When the second key is released on the second key slot, remove the mapping between the second key slot and the second key.

[0026]在第一种可能的实现方式中,在获取密钥装载命令前,所述方法还包括: [0026] In a first possible implementation, the key before getting a load command, the method further comprising:

[0027]判断TPM芯片内处于空闲状态的密钥插槽的个数是否大于或等于预设门限;若TPM芯片内处于空闲状态的密钥插槽的个数大于或等于预设门限,则从接收到的至少一个命令中获取第一命令,第一命令为至少一个命令中的任意一个命令,第一命令包括密钥装载命令。 Whether the number of idle state [0027] Analyzing the TPM chip key slot is greater than or equal to a preset threshold; if the number of key slots in an idle state in the TPM chip equal to or greater than a preset threshold, from obtaining at least one received command to a first command, the first command is a command to any one of the at least one command, the command includes a first load command key.

[0028]在第二种可能的实现方式中,在获取密钥装载命令前,所述方法还包括: [0028] In a second possible implementation, the key before getting a load command, the method further comprising:

[0029]判断TPM芯片内处于空闲状态的密钥插槽的个数是否小于预设门限;若TPM芯片内处于空闲状态的密钥插槽的个数小于预设门限,则从接收到的至少一个命令中获取第一命令,第一命令为所述至少一个命令中优先级最高的命令,第一命令包括密钥装载命令。 The number of idle [0029] Analyzing the TPM chip key slot is less than a preset threshold; if the number of key slots in an idle state in the TPM chip smaller than a preset threshold, from the received at least obtaining a first command in a command, a first command to said at least one of highest priority command command, the first command includes a load command key.

[0030]本发明实施例提供的密钥处理方法中,通过判断芯片内处于空闲状态的密钥插槽的个数是否大于或者等于预设门限,并在所述芯片内处于空闲状态的密钥插槽的个数大于或等于预设门限时,从接收到的至少一个命令中获取第一命令,所述第一命令为所述至少一个命令中的任意一个命令;在所述芯片内处于空闲状态的密钥插槽的个数小于预设门限时,从接收到的至少一个命令中获取第一命令,所述第一命令为所述至少一个命令中优先级最高的命令,保证合理地利用TPM芯片内的密钥插槽。 [0030] The number of the key slot embodiment of the present invention to provide a key processing method, the chip is determined by the idle state is greater than or equal to a preset threshold, and in an idle state within the chip key the number of slots is equal to or greater than a preset threshold, acquiring at least one first command from the received command, the first command is a command of said at least one command any; idle within the chip the number of key slot state is less than a preset threshold, acquiring at least one first command from the received command, the first command to said at least one command highest priority, to ensure reasonable use the key slot in the TPM chip.

[0031 ]第二方面,本发明实施例提供一种密钥处理装置,密钥处理装置包括获取模块、确认模块、释放模块和装载模块; [0031] a second aspect, the present invention provides a key processing apparatus, the key processing apparatus includes an acquisition module, a validation module, and a release module loading module;

[0032]获取模块,用于获取密钥装载命令,密钥装载命令指示在可信平台模块TPM芯片装载第一密钥; [0032] The acquisition module for acquiring key load command, a key indicative of a first load command key trusted platform module TPM chip is loaded;

[0033]确认模块,用于在获取模块获取密钥装载命令后,确认TPM芯片内的所有密钥插槽均处于非空闲状态; [0033] The determining module, configured to load an encryption key obtaining module obtains the command, confirm that all keys in the TPM chip slots are in a non-idle state;

[0034]释放模块,用于若TPM芯片内的所有密钥插槽均处于非空闲状态,则释放TPM芯片内所有密钥插槽中的第一密钥插槽; [0034] releasing module configured to, if the TPM chip key slots are all in the non-idle state, a first key is released all slots in the TPM chip key slots;

[0035]装载模块,用于在释放模块释放TPM芯片内所有密钥插槽中的第一密钥插槽后,根据密钥装载命令,在第一密钥插槽上装载第一密钥。 [0035] The loading module, configured to, after release of the first releasing module TPM chip key slots in the key slots in all, based on the key loading command, to load the first key in the first key slot.

[0036]本发明实施例提供的密钥处理装置的技术效果可以参见上述第一方面密钥处理装置执行的密钥处理方法中描述的密钥处理装置的技术效果,此处不再赘述。 A technical effect of providing the key processing apparatus according to embodiment [0036] A technical effect of the present invention may be found in the key of the key processing means processing apparatus to perform the method described in the first aspect of the key processing will not be repeated here.

[0037]可选的,确认模块,还用于在释放模块释放第一密钥插槽前,确认TPM芯片内的所有密钥插槽与密钥的映射关系。 [0037] Alternatively, the determining module is further configured to release the first module before releasing the key slot, to confirm all of the mappings with the key slot of the key in the TPM chip.

[0038]可选的,释放模块,具体用于获取第一密钥插槽的标识,其中,占用第一密钥插槽的密钥为占用所有密钥插槽的密钥中使用次数最少的密钥,或者,占用第一密钥插槽的密钥为占用所有密钥插槽的密钥中最早装载的密钥;以及根据第一密钥插槽的标识,指示TPM芯片释放第一密钥插槽。 [0038] Alternatively, the release module is configured to obtain the identifier of the first key slot, wherein the first key slot occupies a key to take up all keys in the key slots with a minimum number of key, or the key occupies the first key slot to occupy all the keys in the key slot of the key in the first loading; and according to the identifier of the first key slot, indicating release of the first dense TPM chip key slot.

[0039]可选的,密钥处理装置还包括保存模块; [0039] Alternatively, the key processing apparatus further comprises storing module;

[0040]保存模块,用于在释放模块释放第一密钥插槽前,保存占用第一密钥插槽的密钥的现场记录。 [0040] The storage module, before releasing module configured to release a first key slot, recording key storage site first key slot occupancy.

[0041]可选的,装载模块,具体用于在装载模块在第一插槽上装载第一密钥时,确认存储器中存储有第一密钥的现场记录,获取并恢复第一密钥的现场记录。 [0041] Optionally, the loading module, particularly when the loading module for loading the first key in the first slot, acknowledgment live records stored in the memory of the first key, the first key obtaining and recovery field notes.

[0042]可选的,密钥处理装置还包括记录模块; [0042] Optionally, the apparatus further comprises a recording key processing module;

[0043]记录模块,用于在装载模块在第一密钥插槽上装载第一密钥时,记录第一密钥插槽与第一密钥的映射关系,以便根据映射关系从第一密钥插槽获取到第一密钥。 [0043] The recording module, configured to, when the loading module is loaded on the first key in the first key slot, recording the first key slot mapping relation between the first key to the first ciphertext mapping relationship key slot to get the first key.

[0044]可选的,获取模块,还用于获取密钥释放命令,密钥释放命令用于触发TPM芯片释放占用TPM芯片内的第二密钥插槽的第二密钥; [0044] Optionally, the acquisition module is further configured to obtain the key release command, a release command key for triggering the release of the TPM chip occupies a second second key slot in the TPM chip;

[0045]所述释放模块,还用于在所述获取模块获取密钥释放命令后,根据密钥释放命令,在第二密钥插槽上释放第二密钥; [0045] The release module is further configured to acquire the key module after obtaining the release command, a release command according to the key, the second key is released on the second key slot;

[0046]所述记录模块,还用于在所述释放模块在第二密钥插槽上释放第二密钥时,删除第二密钥插槽与第二密钥的映射关系。 [0046] The recording module is further configured to, when the releasing module to release the second key slot on the second key, the second key to delete the mapping relationship and the second key slot.

[0047]可选的,确认模块,还用于在获取模块获取密钥装载命令前,确认TPM芯片内处于空闲状态的密钥插槽的个数大于或等于预设门限; [0047] Alternatively, the determining module is further configured to acquire the key obtaining module before the load command, to confirm the number of the key slot in an idle state in the TPM chip equal to or greater than a preset threshold;

[0048]获取模块,还用于在确认模块确认TPM芯片内处于空闲状态的密钥插槽的个数大于或等于预设门限后,从接收到的至少一个命令中获取第一命令,第一命令为至少一个命令中的任意一个命令,第一命令包括密钥装载命令。 [0048] The acquisition module is further configured to acquire at least one command from the first command received after the confirmation module to confirm the number of key slots in an idle state in the TPM chip equal to or greater than a preset threshold, the first command is a command to any one of the at least one command, the command includes a first load command key.

[0049]可选的,确认模块,还用于在获取模块获取密钥装载命令前,确认TPM芯片内处于空闲状态的密钥插槽的个数小于预设门限; [0049] Alternatively, the determining module is further configured to acquire the key obtaining module before the load command, to confirm the number of the key slot in an idle state in the TPM chip smaller than a preset threshold;

[0050]获取模块,还用于在确认模块确认TPM芯片内处于空闲状态的密钥插槽的个数小于预设门限后,从接收到的至少一个命令中获取第一命令,第一命令为至少一个命令中优先级最高的命令,第一命令包括密钥装载命令。 [0050] The acquisition module is further confirmation module for confirming the number of the key in the TPM chip slot idle state is less than a preset threshold, acquiring at least one command from the first command is received, the first command at least one of highest priority command command, the first command includes a load command key.

[0051]第三方面,本发明实施例还提供一种终端设备,所述终端设备包括存储器、处理器、通信接口和系统总线; [0051] a third aspect, embodiments of the present invention further provides a terminal device, the terminal device comprises memory, a processor, a communication interface and a system bus;

[0052] 所述存储器、所述处理器和所述通信接口通过所述系统总线连接,所述存储器用于存储计算机指令,所述处理器用于执行所述存储器存储的计算机指令,以使所述终端设备执行如上述第一方面所述的密钥处理方法。 [0052] the memory, the processor and the communication interface is connected through the system bus, a memory for storing computer instructions, the processor to execute computer instructions stored in the memory, so that the the key terminal apparatus performs processing method according to the first aspect.

[0053]本发明实施例提供的终端设备的技术效果可以参见上述第一方面密钥处理装置执行的密钥处理方法中描述的密钥处理装置的技术效果,此处不再赘述。 [0053] The technical effect of the terminal device according to an embodiment of the present invention, reference may be key aspect of the technical effect of the first key processing apparatus performs a key processing method described processing apparatus, not further described herein.

[0054]第四方面,本发明实施例还提供一种软件产品,所述软件产品包括实现密钥处理方法的计算机指令。 [0054] a fourth aspect, embodiments of the present invention further provides a software product, the software product comprising a computer-implemented method of processing the instruction key.

[0055]所述计算机指令可以存储在可读存储介质上;处理器可以从该可读存储介质上读取到计算机指令并执行,使得处理器实现密钥处理方法。 The [0055] instructions may be stored on a computer-readable storage medium; processor can read from the storage medium into a computer-readable instructions and executed, cause the processor to realize the key processing method.

[0056]本发明实施例提供一种密钥处理方法及装置,通过获取密钥装载命令,密钥装载命令指示在可信平台模块TPM芯片装载第一密钥;若TPM芯片内的所有密钥插槽均处于非空闲状态,则释放TPM芯片内所有密钥插槽中的第一密钥插槽;根据密钥装载命令,在第一密钥插槽上装载第一密钥。 [0056] The embodiments of the present invention there is provided a key processing method and apparatus, by acquiring the load command key, the key mount command indicating a trusted platform module TPM chip mounting a first key; if all keys in the TPM chip each slot is not idle, then releasing the first key slots in the TPM chip all keys slots; load command based on the key, the first key is loaded on the first key slot. 基于上述实施例的描述,由于在获取指示在可信平台模块TPM芯片装载第一密钥的密钥装载命令,且TPM芯片内的所有密钥插槽均处于非空闲状态时,密钥处理装置能够释放所述TPM芯片内所有密钥插槽中的第一密钥插槽,并根据密钥装载命令,在所述第一密钥插槽上装载所述第一密钥。 Based upon the above embodiment described, since the acquisition command indicating key loading a trusted platform module TPM chip mounting the first key, and all keys in the TPM chip slots are in a non-idle state, the key processing means the first key slot can be released within the TPM chip slots all keys, and a key according to the loading command, to load the first key in the first key slot. 因此,能够避免在密钥装载时返回空间已满的错误码,保证密钥装载的顺利进行,合理地使用TPM芯片内存空间资源。 Accordingly, it is possible to avoid the error code returned is full at the time the key is loaded, to ensure smooth loading of the key, the rational use of the TPM chip memory resources.

附图说明 BRIEF DESCRIPTION

[0057]为了更清楚地说明本发明实施例或现有技术中的技术方案,下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本发明的一些实施例。 [0057] In order to more clearly illustrate the technical solutions in the embodiments or the prior art embodiment of the present invention, briefly introduced hereinafter, embodiments are described below in the accompanying drawings or described in the prior art needed to be used in describing the embodiments the drawings are only some embodiments of the present invention.

[0058]图1为本发明实施例提供的一种基于TSS 1.2版本的芯片的系统架构图一; [0058] FIG. 1 is provided to implement a version of the TSS 1.2 chip based on a system architecture diagram of the present invention;

[0059]图2为本发明实施例提供的一种基于TSS 2.0版本的芯片的系统架构图一; [0059] FIG. 2 provides to implement a system architecture of FIG TSS 2.0 version of the present invention based on a chip;

[0060]图3为本发明实施例提供的一种密钥处理方法的流程示意图一; [0060] FIG. 3 is a schematic flow of one kind of key processing method according to an embodiment of the invention, a schematic diagram;

[0061]图4为本发明实施例提供的一种密钥处理方法的流程示意图二; [0061] FIG. 4 process one kind of key processing method according to an embodiment of the present invention, a schematic view of two;

[0062]图5为本发明实施例提供的一种密钥处理方法的流程示意图三; [0062] FIG. 5 is a schematic flow of one kind of key processing method according to an embodiment three schematic invention;

[0063]图6为本发明实施例提供的一种密钥处理方法的流程示意图四; [0063] FIG. 6 A SECRET KEY flow processing method according to an embodiment of the present invention, a schematic view of four;

[0064]图7为本发明实施例提供的一种密钥处理方法的流程示意图五; [0064] FIG. 7 is a schematic flow of one kind of key processing method according to an embodiment five schematic invention;

[0065]图8为本发明实施例提供的一种密钥处理装置的结构示意图一; Structure [0065] FIG. 8 A SECRET KEY processing apparatus according to an embodiment of the present invention, a schematic diagram;

[0066]图9为本发明实施例提供的一种密钥处理装置的结构示意图二; Structure [0066] FIG 9 one kind of the key processing apparatus according to an embodiment of the present invention, a schematic view of two;

[0067]图10为本发明实施例提供的一种密钥处理装置的结构示意图三; Structure [0067] FIG. 10 shows a key INVENTION A processing apparatus according to an embodiment of the schematic three;

[0068]图11本发明实施例提供的一种基于TSS 1.2版本的芯片的系统架构图二; It provided one kind of [0068] 11 embodiment of the present invention TSS 1.2 version of the chip architecture based on Figure II;

[0069]图12为本发明实施例提供的一种基于TSS 2.0版本的芯片的系统架构图二; [0069] Figure 12 provides one kind of embodiment of the present invention based on a system architecture diagram TSS 2.0 version of two chips;

[0070]图13为本发明实施例提供的一种终端设备的硬件示意图。 [0070] FIG. 13 is a hardware schematic diagram of a terminal device according to an embodiment of the present invention.

具体实施方式 detailed description

[0071]下面将结合本发明实施例中的附图,对本发明实施例中的技术方案进行详细地描述,显然,所描述的实施例仅仅是本发明一部分实施例,而不是全部的实施例。 [0071] below in conjunction with the present invention in the accompanying drawings, technical solutions in the embodiments will be described in detail with the present invention, obviously, the described embodiments are merely part of embodiments of the present invention rather than all embodiments.

[0072]本发明实施例中描述的技术可以用于各种芯片,尤其是TPM芯片。 The techniques described in the Examples [0072] The present invention may be used in a variety of chips, in particular TPM chip. TCG除了提出TPM标准外,还定义了TSS(TPM Software Stack,TPM软件栈),其中,TSS是一种为上层可信计算应用提供访问TPM接口的软件系统。 In addition to presenting TCG TPM standards, also defines the TSS (TPM Software Stack, TPM software stack), wherein, the TSS is a TPM interface providing access to the upper layer application software trusted computing system.

[0073]图1是本发明实施例提供的一种基于TSS 1.2版本的芯片的系统架构,包括:精简API (Applicat1n Program Interface,应用编程接口)、TDDL(TPM Device DriverLibrary,TPM设备驱动库)、TCS(TCG Core Service,核心服务)和TSP(TCG ServiceProvider,服务提供者)四层。 [0073] FIG. 1 is a system architecture provided in TSS 1.2-based version of the embodiment of the present invention, a chip, comprising: a streamlined API (Applicat1n Program Interface, an application programming interface), TDDL (TPM Device DriverLibrary, TPM device driver library), TCS (TCG core service, core services) and TSP (TCG ServiceProvider, service provider) four. 其中,精简API为各种应用程序提供兼容性服务;TDDL为不同的TPM设备提供一个统一的驱动程序库函数接口; TCS负责将以字节流的形式发送TPM命令和接收TPM命令响应,并为TPM命令的并发调用基本的排队处理;TSP负责密钥管理和为应用程序提供API接口。 Wherein, for a variety of applications to streamline API compatibility provide services; TDDL drivers provide a uniform interface to library functions for different TPM device; form of the TCS will be responsible for transmitting a byte stream TPM commands TPM commands and receive responses and to concurrent calls TPM command of basic queuing process; TSP is responsible for key management and provides API interfaces for applications.

[0074]图2是本发明实施例提供的一种基于TSS 2.0版本的芯片的系统架构,包括:精简AP1、特征AP1、增强系统AP1、系统AP1、TCTI(TPM Command Transmiss1n Interface,TPM命令传输接口)、TAB(TPM Access Broker,TPM访问代理)和资源管理器。 [0074] FIG. 2 is a system architecture provided in TSS 2.0-based version of the embodiment of the present invention, a chip, comprising: a streamline AP1, characterized AP1, enhanced system AP1, the system AP1, TCTI (TPM Command Transmiss1n Interface, TPM command transmission interface ), TAB (TPM access Broker, TPM access proxy) and Explorer. 其中,精简API为各种应用程序提供兼容性服务;资源管理器主要提供TPM对象(例如密钥)、上下文的管理;TAB用于处理多进程对TPM访问的同步,保证一个进程调用一个TPM命令时不被其他进程干扰;TCTI用于处理底层所有TPM的通信方式,如本地TPM、TPM模拟器、虚拟TPM、远程TPM等;系统API用于通过字节流的形式发送TPM命令和接收TPM命令;增强系统AP1、特征API为应用程序提供更好的底层抽象。 Among them, streamlined API compatibility for a variety of applications to provide services; Explorer TPM provides the main objects (such as keys), context management; TAB to handle multiple processes to synchronize access to the TPM, to ensure that a process calls a TPM command when not interfere with other processes; TCTI underlying communication system for processing all of the TPM, such as TPM local, TPM simulator, virtual TPM, and other remote TPM; TPM system API commands for transmitting and receiving the TPM command byte stream ; enhancement system AP1, characterized in API provides a better abstraction of the underlying application.

[0075] 本发明实施例提供的密钥处理方法既可以应用于图1所示的TSS 1.2,也可以应用于图2所示的TSS 2.0,本发明可应用的TSS不做限制,TSS 1.2和TSS 2.0仅是示例。 [0075] The key processing method according to an embodiment of the present invention may be applied to TSS 1.2 shown in Figure 1, may be applied to TSS 2.0 shown in Figure 2, the TSS of the present invention is applicable is not restricted, and TSS 1.2 TSS 2.0 is merely an example.

[0076] TSS可以部署到TPM芯片,也可以部署到终端设备中,部署形式可以是中间件形式。 [0076] TSS can be deployed to the TPM chip, can also be deployed to the terminal device, the middleware may be deployed in the form of the form. TSS如果是部署到TPM芯片,由TPM芯片的处理器基于TSS来执行密钥处理方法。 If TSS is deployed to the TPM chip, based on the TPM chip processor TSS performs key processing method. TSS如果是部署到终端设备,由终端设备的处理器基于TSS来执行密钥处理方法。 If TSS is deployed to the terminal device, by the processor of the terminal device based on the TSS performs a key processing method.

[0077]另外,本发明实施例所描述的终端设备,可以是无线终端也可以是有线终端,无线终端可以是指向用户提供语音和/或数据连通性的设备,具有无线连接功能的手持式设备、或连接到无线调制解调器的其他处理设备。 [0077] Further, the terminal device described in embodiments of the present invention, a wireless terminal may be a wired terminal, a wireless terminal may refer to providing voice and connectivity devices / or data, having wireless connection capability, a handheld device , connected to a wireless modem or other processing device. 无线终端可以经无线接入网(例如,RAN,rad1access network)与一个或多个核心网进行通信,无线终端可以是移动终端,如移动电话(或称为“蜂窝”电话)和具有移动终端的计算机,例如,可以是便携式、袖珍式、手持式、计算机内置的或者车载的移动装置,它们与无线接入网交换语言和/或数据。 The wireless terminal may be via a radio access network (e.g., RAN, rad1access network) with one or more core networks of communication, the wireless terminal may be a mobile terminal such as a mobile phone (or "cellular" telephone) and a mobile terminal having computer, for example, may be a portable, pocket, handheld, computer-included, or car mobile device, which the radio access network and exchanges voice and / or data. 例如,个人通信业务(PCS,personal communicat1n service)电话、无绳电话、会话发起协议(SIP)话机、无线本地环路(WLL,wireless local loop)站、个人数字助理(PDA,personal digitalassistant)等设备。 For example, a personal communication service (PCS, personal communicat1n service) phone, a cordless telephone, a Session Initiation Protocol (SIP) phone, a wireless local loop (WLL, wireless local loop) station, a personal digital assistant (PDA, personal digitalassistant) and other equipment. 无线终端也可以称为系统、订户单元(subscriber unit)、订户站(subscriber stat1n),移动站(mobile stat1n)、移动台(mobile)、远程站(remotestat1n)、接入点(access point)、远程终端(remote terminal)、接入终端(accessterminal)、用户终端(user terminal)、用户代理(user agent)、用户设备(user device)、或用户装备(user equipment)。 A wireless terminal can also be called a system, subscriber unit (subscriber unit), subscriber stations (subscriber stat1n), the mobile station (mobile stat1n), the mobile station (Mobile), a remote station (remotestat1n), an access point (access point), remote terminal (remote terminal), an access terminal (accessterminal), a user terminal (user terminal), the user agent (user agent), the user equipment (user device), or user equipment (user equipment).

[0078]还需要说明的是,本文中术语“和/或”,仅仅是一种描述关联对象的关联关系,表示可以存在三种关系,例如,A和/SB,可以表示:单独存在A,同时存在A和B,单独存在B这三种情况。 [0078] It is further noted that the term "and / or" merely describe a relationship of associated objects representing three relationships may exist, for example, A and / SB, may indicate: the presence of A alone, both A and B, and B present three cases. 另外,本文中字符,一般表示前后关联对象是一种“或”的关系。 Further, the character, the object context-generally represents an "or" relationship.

[0079]本发明实施例提供一种密钥处理方法,如图3所示,具体的,该方法包括: [0079] An embodiment provides a key processing method of the present invention, shown in Figure 3, specifically, the method comprising:

[0080] SlOl、TSS获取密钥装载命令。 [0080] SlOl, TSS command to load an encryption key acquisition.

[0081]其中,密钥装载命令指示在可信平台模块TPM芯片装载第一密钥。 [0081] wherein the key mount command indicating a trusted platform module TPM chip mounting a first key.

[0082]需要说明的是,本发明实施例所提供的密钥处理方法的是在TSS软件层面上实现的,具体的,TSS部署在密钥处理装置中,其中,密钥处理装置可以是TPM芯片,也可以是终端设备中,本发明对此并不做限制。 [0082] Incidentally, a key processing method provided by embodiments of the present invention is implemented in software on TSS level, specifically, in the key deployment TSS processing apparatus, wherein the key processing means may be a TPM chip, may be a terminal device, do not limit this invention.

[0083]本发明实施例所提到的TPM芯片可以处理的命令通常分为四类:密钥装载命令、密钥释放命令、长作业命令和短作业命令。 [0083] The command TPM chip embodiment mentioned embodiment of the present invention can be generally processed into four categories: load command key, the key release command job commands and short length job commands. 其中,密钥装载命令是指在空闲状态的密钥插槽内装载密钥的命令;密钥释放命令是指释放密钥插槽被装载的密钥的命令;长作业命令和短作业命令均是指应用程序调用密钥插槽内装载的密钥的命令。 Wherein the key loading commands are those loaded in the key slot of the key idle state; release key release key commands are those slots are loaded key; long and short job command jobs are command refers to the application calls the command key loaded in the key slot. TPM芯片获取其他类型的命令(如密钥释放命令、长作业命令或者短作业命令)的情况将在下述实施例中进行详细描述,此处不再赘述。 TPM chip for additional types of commands (e.g., a release command key, longer or shorter job command job commands) case will be described in detail in the following embodiment, it is not repeated here.

[0084] S102、若TPM芯片内的所有密钥插槽均处于非空闲状态,则TSS释放TPM芯片内所有密钥插槽中的第一密钥插槽。 [0084] S102, if all keys in the TPM chip slots are in a non-idle state, a first key slot TSS release all keys within the TPM chip slots.

[0085] TSS释放TPM芯片内的第一密钥插槽,具体实现可以是:TSS指示所述TPM芯片释放第一密钥插槽。 [0085] TSS release of the first key in the TPM chip socket, a specific implementation may be: TSS indicative of the TPM chip releasing the first key slot.

[0086] TSS获取密钥装载命令后,首先需要确认TPM芯片内的所有密钥插槽是否均处于非空闲状态。 After [0086] TSS acquiring key load command, first confirm whether all the keys in the TPM chip slots are in a non-idle state. 具体的,TSS确认TPM芯片内的所有密钥插槽是否均处于非空闲状态的方法可以为:TSS确认TPM芯片内的所有密钥插槽与密钥的映射关系。 Specifically, TSS verify that all keys in the TPM chip slots are in a non-idle state, the method may be: TSS confirm all the mappings with the key slot of the key in the TPM chip. 若TPM芯片内的所有密钥插槽各自映射不同密钥,则说明TPM芯片内的所有密钥插槽均处于非空闲状态;若TPM芯片内的至少一个密钥插槽没有与任何一个密钥存在映射关系,则说明TPM芯片内的没有与任何一个密钥存在映射关系的密钥插槽处于空闲状态。 If all keys in the TPM chip slots each map different keys, then all the keys in the TPM chip slots are in a non-idle state; if at least one key slot without the key in the TPM chip with any mapping relationship exists, then there is no idle any key maps into a key slot in the TPM chip.

[0087]若TPM芯片内的所有密钥插槽中有至少一个密钥插槽处于空闲状态,则表明该至少一个密钥插槽为空闲的密钥插槽,此时直接在任意一个空闲的密钥插槽上装载第一密钥即可;若TPM芯片内的所有密钥插槽均处于非空闲状态,则表明TPM芯片内所有的密钥插槽均被占满,此时,TSS需要释放TPM芯片内的第一密钥插槽。 [0087] If all the keys have the TPM chip slots within at least one key slot in the idle state, it means that the at least one key slot of the key slot is idle, in any case directly idle loading the first key to the key slot; if all keys in the TPM chip slots are in a non-idle state, it indicates that all the TPM chip key slots are filled, at this time, the TSS need releasing the first key in the TPM chip slot.

[0088]需要说明的是,第一密钥插槽可以是TPM芯片内所有密钥插槽中的任意一个密钥插槽。 [0088] Incidentally, the first key slot can be any key slots in all keys in the TPM chip slots. 优选的,占用第一密钥插槽的密钥为占用所有密钥插槽的密钥中使用次数最少的密钥,或者,占用所述第一密钥插槽的密钥为占用所有密钥插槽的密钥中最早装载的密钥。 Preferably, the key of the first key slot occupying a minimum number of keys used to take up all the keys in the key slot, or the key occupies the first key slot to take up all keys key in the first loading of the key slot.

[0089] S103、TSS根据密钥装载命令,在第一密钥插槽上装载第一密钥。 [0089] S103, TSS load command based on the key, the first key is loaded on the first key slot.

[0090] TSS在所述第一密钥插槽上装载所述第一密钥,具体实现可以是:TSS指示所述TPM芯片在所述第一密钥插槽上装载所述第一密钥。 [0090] TSS loading the first key in the first key slot, a specific implementation may be: TSS indicative of the TPM chip loading the first key in the first key slot .

[0091]具体的,TSS根据密钥装载命令,在第一密钥插槽上装载第一密钥的过程可以包括:TSS根据第一密钥,获取第一密钥的父密钥,其中,第一密钥的父密钥是指第一密钥的上一级密钥;若第一密钥的父密钥为SRK(Storage Root Key,存储根密钥),则TSS使用SRK对密钥数据进行解密,解密得到第一密钥的明文,再将第一密钥装载在第一密钥插槽上,生成第一密钥句柄。 Process [0091] Specifically, according to the TSS command to load an encryption key, the first key in the key slot may include a first loading: TSS from the first key, the first key obtaining the master key, wherein the master key is first key refers to a key of the first key; if the first key is a master key SRK (storage root key, storage root key), a key for the TSS using SRK decrypts the data, decrypts the first key, the first key and then loaded on the first key slot, to generate a first key handle. 需要说明的是,若第一密钥的父密钥不为SRK,则TSS继续获取第一密钥的祖父密钥,其中,第一密钥的祖父密钥是指第一密钥的父密钥的上一级密钥,直到获取到SRK为止;假设第一密钥的父密钥为SRK,本实施例首先使用SRK获得第一密钥的父密钥的明文,在空闲的密钥插槽上装载第一密钥的父密钥,并使用第一密钥的父密钥对密钥数据进行解密,解密得到第一密钥的明文,再将第一密钥装载在第一密钥插槽上,生成第一密钥句柄。 Incidentally, if the master key of the first key is not the SRK, the grandfather key TSS continue receiving the first key, wherein the key grandfather first key is encrypted first key refers to the parent keys on a key, until obtaining up to SRK; master key is assumed that the first key is SRK, the present embodiment is first plaintext SRK obtained using the master key of the first key, the key inserted in the idle loading the first key groove of the master key, the master key and the first key using the decryption key data, decrypts the first key, the first key and then loading the first key the slot, generating a first key handle. 从而使得应用程序能够根据第一密钥句柄,调用接受执行加密、签名、验证或者HMAC(HashMessage Authenticat1n Code,哈希消息认证码)计算等操作。 So that the application can be based on the first key handle, call accepts perform encryption, signing, verification, or HMAC (HashMessage Authenticat1n Code, Hash Message Authentication Code) calculation operations.

[0092]具体的,如图4所示,本发明实施例提供的密钥处理方法的完整流程包括: [0092] Specifically, as shown in FIG. 4, the complete process of the key processing method according to an embodiment of the present invention comprises:

[0093] S201、TSS判断TPM芯片内处于空闲状态的密钥插槽的个数是否大于或等于预设门限。 [0093] S201, TSS is determined whether the number of the key slot in an idle state in the TPM chip equal to or greater than a preset threshold.

[0094]可以理解的是,在步骤S201执行之前,TSS首先在同一时间可能会接受到至少一个应用程序发出的至少一个命令,那么,需要对至少一个命令的执行顺序做出定义。 [0094] can be understood that, before step S201 execution, TSS first of all at the same time may receive at least one of the at least one command issued by the application, then the need to make the definition of the execution order of at least one command. 其中,一个应用程序能够发出一个命令,也能够发出多个命令,本发明不做限制。 Wherein an application can issue a command, it is possible to issue a plurality of commands, according to the present invention is not limited.

[0095]可选的,TSS能够对接收到的至少一条命令按照命令类型进行分类。 [0095] Alternatively, TSS can be received at least one command to be classified by the type of command. 即TSS将密钥装载命令分为一类,将密钥释放命令分为一类,将长作业命令分为一类,以及将短作业命令分为一类,同一类型的命令的执行先后根据TSS接收命令的时间先后决定。 TSS command to load an encryption key that is divided into a class, the class of a key into a release command, the command is divided into a long job class and the job command is divided into a class of a short, execution of the command has the same type according to TSS the time has decided to receive commands.

[0096] TSS判断TPM芯片内处于空闲状态的密钥插槽的个数是否大于或等于预设门限。 [0096] TSS is determined whether the number of the key slot in an idle state in the TPM chip equal to or greater than a preset threshold. 其中,预设门限可以小于或等于芯片内密钥插槽的总个数。 The preset threshold can be equal to or less than the total number of the key slot of the chip. 通常的,预设门限小于芯片内密钥插槽的总个数,假设TPM芯片内具有6个密钥插槽,可以设置预设门限为2。 Typically, the total number is smaller than the preset threshold chip key slot, a key slot 6 is assumed to have the TPM chip, the preset threshold may be set to 2.

[0097] S202、若TPM芯片内处于空闲状态的密钥插槽的个数大于或等于预设门限,则TSS从接收到的至少一个命令中获取第一命令,第一命令为至少一个命令中的任意一个命令。 [0097] S202, if the number of key slots in an idle state in the TPM chip equal to or greater than a preset threshold, the TSS acquired from at least one first command in the received command, the first command to the at least one command any command.

[0098]若TPM芯片内处于空闲状态的密钥插槽的个数大于或等于预设门限,则说明TPM芯片内处于空闲状态的密钥插槽还有很多,此时TSS从接收到的至少一个命令中获取第一命令,第一命令为至少一个命令中的任意一个命令。 [0098] When in the idle state in the TPM chip key slot number equal to or greater than a preset threshold, then the idle slot within the TPM chip key, there are many, this time from the received at least TSS acquiring a command to a first command, the first command is a command of any of the at least one command.

[0099] S203、若TPM芯片内处于空闲状态的密钥插槽的个数小于预设门限,则TSS从接收到的至少一个命令中获取第一命令,第一命令为至少一个命令中优先级最高的命令。 [0099] S203, if the number of key slots in an idle state in the TPM chip smaller than a preset threshold, the TSS acquired from at least one first command received commands, the first command is a command to the at least one priority the highest order.

[0100]若TPM芯片内处于空闲状态的密钥插槽的个数小于预设门限,则说明TPM芯片内处于空闲状态的密钥插槽很少,甚至可能没有处于空闲状态的密钥插槽,此时TSS从接收到的至少一个命令中获取第一命令,第一命令为至少一个命令中优先级最高的命令,如此能够保证优先级高的命令能够优先执行。 If the number of key slots in an idle state in the TPM chip [0100] less than a preset threshold, it indicates that the key slot is in an idle state in the TPM chip less, or even no idle slot key At this time TSS obtained from at least one received command in the first command, the first command to the at least one command in the command with the highest priority, so to ensure a higher priority command can be preferentially executed.

[0101]通常的,TSS可以处理的四类命令的优先级从高到低依次为:密钥释放命令、短作业命令、长作业命令,以及密钥装载命令。 Four highest to lowest priority order [0101] normal, the TSS can be processed as follows: the key release command, a short job command, job command length, and the key loading commands.

[0102]需要说明的是,TSS在处理命令时是依次执行的,因此,TSS每次从接收到的至少一个命令中获取的第一命令都是一个单独的命令。 [0102] It should be noted, therefore, each of the first TSS command acquired from at least one command in the received command is a single command TSS when processing is performed sequentially. 在执行完第一命令后,TSS可以返回执行步骤S202或步骤S203,直至接收到的所有命令执行完毕。 After the execution of the first command, TSS may return to step S202 or step S203, the command received until all finished.

[0103] S204、TSS判断第一命令是否为密钥装载命令。 [0103] S204, TSS command determines whether a first load command key.

[0104]其中,密钥装载命令指示在TPM芯片装载第一密钥。 [0104] wherein the key indicated in the load command to load a first key TPM chip.

[0105] S205、若第一命令为密钥装载命令,则TSS判断第一密钥是否已经装载。 [0105] S205, if the first command is a command to load an encryption key, the first key is determined TSS has been loaded.

[0106]若第一密钥已经装载,则无需再装载第一密钥,下述步骤无须执行。 [0106] If the first key has been loaded, there is no need to reload the first key, the steps performed need.

[0107] S206、若第一密钥未装载,则TSS获取TPM芯片内的所有密钥插槽的状态。 [0107] S206, if the first key is not loaded, the acquisition status of all keys TSS slots in the TPM chip.

[0108]若第一密钥未装载,则TSS需要获取TPM芯片内的所有密钥插槽的状态,判断TPM芯片内的所有密钥插槽是否均处于非空闲状态。 [0108] When the first key is not loaded, the TSS need to get the status of all keys in the TPM chip slots, determines whether all the keys in the TPM chip slots are in a non-idle state. 具体的,TSS确认TPM芯片内的所有密钥插槽是否均处于非空闲状态的方法可以为:TSS确认TPM芯片内的所有密钥插槽与密钥的映射关系。 Specifically, TSS verify that all keys in the TPM chip slots are in a non-idle state, the method may be: TSS confirm all the mappings with the key slot of the key in the TPM chip. 若TPM芯片内的至少一个密钥插槽处于空闲状态,则表明TPM芯片内至少有一个空闲的密钥插槽,此时直接在任意一个空闲的密钥插槽上装载第一密钥即可。 If at least one key in the TPM chip slot is idle, the key indicates that at least one idle slot in the TPM chip, when the first key can be directly loaded on an idle any key slot .

[0109] S207、若TPM芯片内的所有密钥插槽均处于非空闲状态,则TSS释放芯片内所有密钥插槽中的第一密钥插槽。 [0109] S207, if all keys in the TPM chip slots are in a non-idle state, a first key slots in the TSS looses all keys slots.

[0110] 具体的,如图5所示,步骤S207可以包括S207a和S207b: [0110] Specifically, as shown in FIG. 5, step S207 may include S207a and S207b:

[0111] S207a、若TPM芯片内的所有密钥插槽均处于非空闲状态,TSS获取第一密钥插槽。 [0111] S207a, if all keys in the TPM chip slots are in a non-idle state, TSS obtaining the first key slot.

[0112]其中,TSS获取第一密钥插槽是指TSS获取满足预设条件的第一密钥插槽,其中,满足预设条件的第一密钥插槽是指:占用第一密钥插槽的密钥为占用所有密钥插槽的密钥中使用次数最少的密钥,或者,占用第一密钥插槽的密钥为占用所有密钥插槽的密钥中最早装载的密钥。 [0112] wherein obtaining the first key slot TSS TSS refers to meeting a preset condition acquiring a first key slot, wherein the preset condition is satisfied first key slot means: a first key occupies a key slot to take up all keys in the key slots with a minimum number of keys, or the key occupies the first key slot to take up all keys in the key slots in the first loading density key.

[0113] S207b、TSS释放第一密钥插槽。 [0113] S207b, TSS releasing the first key slot. 具体实现是,TSS是指示TPM芯片释放第一密钥插槽。 It is a specific implementation, TSS indicating release of the first key slot TPM chip.

[0114] 可选的,如图6所示,在步骤S207a和步骤S207b之间,方法还包括步骤S207c: [0114] Alternatively, as shown in FIG. 6, between the step S207a and step S207 b, the method further comprising the step S207c:

[0115] S207c、TSS保存占用第一密钥插槽的密钥的现场记录。 [0115] S207c, TSS save occupy the first key in the key slot of the field notes.

[0116]需要说明的是,本发明实施例提供的密钥处理方法中,与TPM芯片连接的存储器或者TPM芯片内部的存储器可以保存密钥的现场记录,其中,密钥的现场记录是指密钥装载时所需的文件、状态等信息,以保证下次装载该密钥时能够快速地从存储器中读取到该密钥的现场记录,恢复密钥。 [0116] Incidentally, a key processing method according to an embodiment of the present invention, a memory or a memory chip inside the TPM chip may be connected to the TPM recording key storage site, wherein the site density recording key means required for loading a file key, and other status information can be quickly read so as to ensure that the loading from memory the next time the key field of the record key, a recovery key.

[0117]因此,在TSS释放第一密钥插槽之前,TSS需要保存占用第一密钥插槽的密钥的现场记录。 Before [0117] Thus, in releasing the first key slot TSS, TSS need to preserve the scene of the recording of the first key in the key slot occupied.

[0118] S208、TSS在第一密钥插槽上装载第一密钥。 [0118] S208, TSS loading the first key in the first key slot. 具体实现是,TSS是指示TPM芯片在第一密钥插槽上装载第一密钥。 Is a specific implementation, TSS is the first key indicating TPM chip loaded on the first key slot.

[0119] 具体的,如图7所示,步骤S208可以包括S208a和S208b: [0119] Specifically, as shown in FIG. 7, step S208 may include S208a and S208b:

[0120] S208a、TSS判断存储器中是否存储有第一密钥的现场记录。 [0120] S208a, TSS is determined whether the scene is stored in a memory recording the first key.

[0121] TSS在第一密钥插槽上装载第一密钥时,首先判断存储器中是否存储有第一密钥的现场记录,若存储器中未存储有第一密钥的现场记录,则TSS在第一密钥插槽上装载第一密钥。 [0121] TSS is loaded when the first key in the first key slot, first determines whether the first key is stored in the recording memory field in the memory if the record is not stored in the first key field, the TSS loading a first key in the first key slot. 具体的装载过程已经在上述实施例中进行了详细描述,此处不再赘述。 Specific loading process has been described in detail in the above-described embodiment is not repeated here.

[0122] S208b、若存储器中存储有第一密钥的现场记录,则TSS获取并恢复第一密钥的现场记录。 [0122] S208b, if the memory contains a first key field recording, the recorded site and restore TSS obtain the first key.

[0123]若存储器中存储有第一密钥的现场记录,则TSS获取并恢复第一密钥的现场记录,实现快速装载密钥。 [0123] If the memory stores a first key field recording, the recorded site and restore TSS obtain the first key, the key to achieve fast loading.

[0124] S209、TSS在密钥装载记录中记录第一信息。 [0124] S209, TSS loading key recorded in the first information recording.

[0125]其中,第一信息至少包括第一密钥插槽与第一密钥的映射关系。 [0125] wherein the first mapping relation information includes at least a first key and the first key slot.

[0126]需要说明的是,在密钥装载记录中实时记录着当前时刻TPM芯片内所有密钥插槽的状态。 [0126] Note that the real-time status of all keys are recorded in the current time slot in the TPM chip load an encryption key record. 当TSS在第一密钥插槽上装载第一密钥后,TSS在密钥装载记录中记录第一信息,第一信息至少包括第一密钥插槽与第一密钥的映射关系。 TSS when the first key is loaded on the first key slot, TSS key recorded in the first information recording medium is loaded, the first information includes at least a first key slot mapping relation between the first key.

[0127] S210、若第一命令不为密钥装载命令,则TSS判断第一命令是否为密钥释放命令。 [0127] S210, if the first command is not a command to load an encryption key, it is determined whether a first command key TSS release command.

[0128] 步骤S210是与步骤S205并列的步骤。 [0128] Step S210 is a step parallel to step S205.

[0129]其中,密钥释放命令用于触发芯片释放第二密钥,第二密钥为占用芯片内的第二密钥插槽的密钥。 [0129] wherein the key release command is used to trigger release of a second chip key, the second key is the second key in the slot occupied by the chip.

[0130] S211、若第一命令为密钥释放命令,则TSS在第二密钥插槽上释放第二密钥。 [0130] S211, if the first release command is a command key, the second key is released on the TSS second key slot.

[0131] S212、TSS在密钥装载记录中删除第二信息。 [0131] S212, TSS second information deleted key record is loaded.

[0132]其中,第二信息至少包括第二密钥插槽与第二密钥的映射关系。 [0132] wherein the second mapping relation information comprises at least a second key and second key slots.

[0133]需要说明的是,在密钥装载记录中实时记录着当前时刻TPM芯片内所有密钥插槽的状态。 [0133] Note that the real-time status of all keys are recorded in the current time slot in the TPM chip load an encryption key record. 当TSS在第二密钥插槽上释放第二密钥后,TSS在密钥装载记录中删除第二信息,第二信息至少包括第二密钥插槽与第二密钥的映射关系。 TSS when releasing the second key slot on the second key, second information TSS deleted key record is loaded, the second mapping relation information comprises at least a second key and second key slots.

[0134]需要补充的是,若第一命令既不为密钥装载命令,也不为密钥释放命令,则说明第一命令为长作业命令或者短作业命令,由于长作业命令或者短作业命令请求使用的一定是密钥插槽中已经装载了的密钥,因此只需在密钥装载记录中对长作业命令或者短作业命令请求使用的密钥的使用次数进行记录即可。 [0134] It should be added that if the first command is neither a command to load an encryption key, the key is not a release command, then the first command is a short or a long job command job command, job command due to the long or short job command must be requested using the key slot of the key has been loaded, and therefore simply loading the key record requested number using a secret key used for recording can be short or long job command job command.

[0135]本发明实施例提供一种密钥处理方法,通过获取密钥装载命令,密钥装载命令指示在可信平台模块TPM芯片装载第一密钥;若TPM芯片内的所有密钥插槽均处于非空闲状态,则释放TPM芯片内所有密钥插槽中的第一密钥插槽;根据密钥装载命令,在第一密钥插槽上装载第一密钥。 [0135] Embodiments of the present invention there is provided a key processing method, by acquiring the load command key, the key mount command indicating a trusted platform module TPM chip mounting a first key; if all keys in the TPM chip slots are in the non-idle state, a first key is released all slots in the TPM chip key slots; load command based on the key, the first key is loaded on the first key slot. 基于上述实施例的描述,由于在获取指示在可信平台模块TPM芯片装载第一密钥的密钥装载命令,且TPM芯片内的所有密钥插槽均处于非空闲状态时,密钥处理装置能够释放所述TPM芯片内所有密钥插槽中的第一密钥插槽,并根据密钥装载命令,在所述第一密钥插槽上装载所述第一密钥。 Based upon the above embodiment described, since the acquisition command indicating key loading a trusted platform module TPM chip mounting the first key, and all keys in the TPM chip slots are in a non-idle state, the key processing means the first key slot can be released within the TPM chip slots all keys, and a key according to the loading command, to load the first key in the first key slot. 因此,能够避免在密钥装载时返回空间已满的错误码,保证密钥装载的顺利进行,合理地使用TPM芯片内存空间资源。 Accordingly, it is possible to avoid the error code returned is full at the time the key is loaded, to ensure smooth loading of the key, the rational use of the TPM chip memory resources.

[0136]本发明实施例提供一种密钥处理装置,如图8所示,密钥处理装置用于执行以上方法中的密钥处理装置所执行的步骤。 The embodiment provides a key processing apparatus [0136] according to the present invention, as shown, the key processing means for processing a key step in performing the method of the above apparatus performed 8. 密钥处理装置可以包括相应步骤所对应的模块。 Key processing apparatus can include means corresponding to the respective steps. 示例性的,密钥处理装置可以包括获取模块10、确认模块11、释放模块12和装载模块13。 Exemplary, the key processing means 10 may comprise an acquisition module, a validation module 11, module 12 and the release of the load module 13.

[0137]获取模块10,用于获取密钥装载命令,密钥装载命令指示在可信平台模块TPM芯片装载第一密钥。 [0137] obtaining module 10, configured to obtain a load command key, a key indicative of a first load command key trusted platform module TPM chip loaded.

[0138]确认模块11,用于在获取模块10获取密钥装载命令后,确认TPM芯片内的所有密钥插槽均处于非空闲状态。 [0138] determining module 11, configured to acquire the key obtaining module 10 after the load command, confirm that all keys in the TPM chip slots are in a non-idle state.

[0139]释放模块12,用于在确认模块11确认TPM芯片内的所有密钥插槽均处于非空闲状态后,则释放TPM芯片内满足预设条件的第一密钥插槽。 [0139] releasing module 12, the module 11 for confirmation after confirming that all keys in the TPM chip slots are in a non-idle state, the release of the TPM chip meets a preset condition first key slot.

[0140]装载模块13,用于在释放模块12释放TPM芯片内所有密钥插槽中的第一密钥插槽后,根据所述密钥装载命令,在第一密钥插槽上装载第一密钥。 [0140] loading module 13, the module 12 for release after release of the first key slots in the TPM chip keys in all slots according to the load command key, the first key slot LOADING a key.

[0141]可选的,确认模块11,还用于在释放模块12释放所述第一密钥插槽前,确认TPM芯片内的所有密钥插槽与密钥的映射关系。 [0141] Alternatively, the validation module 11 is further configured to release releasing module 12 before the first key slot, to confirm all of the mappings with the key slot of the key in the TPM chip.

[0142]可选的,释放模块12,具体用于获取第一密钥插槽的标识,其中,占用第一密钥插槽的密钥为占用所有密钥插槽的密钥中使用次数最少的密钥,或者,占用第一密钥插槽的密钥为占用所有密钥插槽的密钥中最早装载的密钥;以及根据第一密钥插槽的标识,指示TPM芯片释放第一密钥插槽。 [0142] Optionally, releasing module 12 is configured to acquire the first identification key slot, wherein the first key slot occupied key to occupy all the keys in the key slots with a minimum number of key, or the key occupies the first key slot to occupy all the keys in the key slot of the key in the first loading; and according to the identifier of the first key slot, indicating release of the first chip TPM the key slot.

[0143]可选的,如图9所示,密钥处理装置还包括保存模块14。 [0143] Optionally, as shown in FIG. 9, the key processing apparatus further includes a saving module 14.

[0144]保存模块14,用于在释放模块12释放第一密钥插槽前,保存占用第一密钥插槽的密钥的现场记录。 [0144] saving module 14 for releasing the module 12 before release of the first key slot, recording key storage site first key slot occupancy.

[0145]可选的,装载模块13,具体用于在装载模块13在第一插槽上装载所述第一密钥时,确认存储器中存储有第一密钥的现场记录,获取并恢复第一密钥的现场记录。 [0145] Optionally, the loading module 13, particularly when the loading module 13 to the first loading the first key slot, acknowledgment live records stored in the memory of the first key, and acquires a first recovery live recording of a key.

[0146] 可选的,如图10所示,密钥处理装置还包括记录模块15。 [0146] Optionally, as shown in FIG. 10, the key processing apparatus further comprises a recording module 15.

[0147]记录模块15,用于在装载模块13在第一密钥插槽上装载第一密钥时,记录第一密钥插槽与第一密钥的映射关系,以便根据映射关系从第一密钥插槽获取到第一密钥。 [0147] The recording module 15, when the loading module for loading the first key 13 on the first key slot, recording the first key slot mapping relation between the first key, according to the mapping relationship from a key slot to acquire the first key.

[0148]可选的,获取模块10,还用于获取密钥释放命令,密钥释放命令用于触发密钥处理装置释放占用TPM芯片内的第二密钥插槽的第二密钥。 [0148] Optionally, the acquisition module 10 is further configured to obtain the key release command, a release command key for triggering the release of a second key processing apparatus in the second key slot occupied TPM chip.

[0149]释放模块12,还用于在获取模块10获取密钥释放命令后,在第二密钥插槽上释放第二密钥。 [0149] releasing module 12 is further configured to, after acquisition module 10 acquires the key release command to release the second key in the second key slot.

[0150]记录模块15,还用于在释放模块12在第二密钥插槽上释放第二密钥后,在密钥装载记录中删除第二信息,第二信息至少包括第二密钥插槽与第二密钥的映射关系。 [0150] The recording module 15 is further configured to release the module 12 after the release of the second key slot on the second key, delete key carrying the recording second information, the second information including at least a second key inserted mapping relationship between the groove and the second key.

[0151]可选的,确认模块11,还用于在获取模块10获取密钥装载命令前或者获取密钥释放命令前,确认TPM芯片内处于空闲状态的密钥插槽的个数大于或等于预设门限。 [0151] Alternatively, the validation module 11 is further configured to prior to the acquisition module 10 acquires the key before acquiring the load command or a release command key, the key to confirm the number of slots in an idle state in the TPM chip greater than or equal preset threshold.

[0152]获取模块10,还用于在确认模块11确认TPM芯片内处于空闲状态的密钥插槽的个数大于或等于预设门限后,从接收到的至少一个命令中获取第一命令,第一命令为至少一个命令中的任意一个命令,第一命令包括密钥装载命令或者密钥释放命令。 [0152] obtaining module 10 is further configured to acquire at least one command from the first command received after the confirmation module 11 confirms the number of key slots in an idle state in the TPM chip equal to or greater than a preset threshold, the first command is a command to any one of the at least one command, the command includes a first load command key or the key release command.

[0153]可选的,确认模块11,还用于在获取模块10获取密钥装载命令前或者获取密钥释放命令前,确认TPM芯片内处于空闲状态的密钥插槽的个数小于预设门限。 [0153] Alternatively, the validation module 11 is further configured to prior to the acquisition module 10 acquires the key before acquiring the load command or a release command key, the key to confirm the number of slots in an idle state in less than a preset TPM chip threshold.

[0154]获取模块10,还用于在确认模块11确认TPM芯片内处于空闲状态的密钥插槽的个数小于预设门限后,从接收到的至少一个命令中获取第一命令,第一命令为至少一个命令中优先级最高的命令,第一命令包括密钥装载命令或者密钥释放命令。 [0154] obtaining module 10 is further configured to acquire at least one command from the first command received after the confirmation module 11 confirms the number of key slots in an idle state in the TPM chip smaller than a preset threshold, the first the at least one command to the highest priority command command, the first command includes a load command key or the key release command.

[0155]可以理解的是,本实施例的密钥处理装置可对应于上述如图3-图7任意之一的实施例的密钥处理方法中的密钥处理装置,并且本实施例的密钥处理装置中的各个模块的划分和/或功能等均是为了实现如图3-图7任意之一所示的方法流程,为了简洁,在此不再赘述。 [0155] It will be appreciated that the key processing apparatus according to the present embodiment may correspond to the key processing method of one embodiment of any of the above 7 in FIGS. 3 key processing apparatus according to the present embodiment and dense It is to divide and / or functions of the respective devices etc. key processing module in order to achieve flow of the method shown in FIGS. 3 to 7 of any one of, for brevity, are not repeated herein.

[0156]示例性的,TSS部署在密钥处理装置中,如图11所示,基于TSS 1.2版本的芯片的系统架构具体可以包括:精简AP1、TDDL、TCS和TSP四层。 [0156] Exemplary, the TSS deployed in the key processing apparatus shown in FIG. 11, based on the TSS 1.2 version of the system architecture of the chip may specifically include: streamlining AP1, TDDL, TCS and TSP four. 其中,TSP层可以包括父密钥装载释放模块和父密钥存储模块,父密钥装载释放模块和父密钥存储模块对应于上述密钥处理装置中的装载模块13;TCS层可以包括多级队列调度模块、密钥装载释放模块、现场记录存储模块、密钥装载记录模块,现场记录存储模块内存储着现场记录,密钥装载记录模块内存储着密钥装载记录,多级队列调度模块对应于上述密钥处理装置中的获取模块10,密钥装载释放模块对应于上述密钥处理装置中的装载模块13,现场记录存储模块对应于上述密钥处理装置中的保存模块14,密钥装载记录模块对应于上述密钥处理装置中的记录模块15。 Wherein, the TSP layer may include a master key and a master key module loading release storage module, the master key and the master key module loading release storage module corresponding to the key processing means in the loading module 13; TCS layer may comprise a multi-stage queue scheduling module, a key release load module, a field record storage module, a key carrying the recording module, the storage module stores the recording field records field, carrying the recording key stored within the key carrying the recording module, multi-level scheduling queue corresponding to module a key obtaining module to the processing means 10, a key release load module corresponding to the key processing means 13 in the loading module, the scene module stored in the recording process corresponding to the key stored in the device module 14, a key loading module corresponding to the recording means records the key processing module 15.

[0157]又示例性的,如图12所示,基于TSS 2.0版本的芯片的系统架构具体可以包括:精简AP1、特征AP1、增强系统AP1、系统AP1、TCT1、TAB和资源管理器。 [0157] and exemplary, 12, based on the system architecture TSS 2.0 version of the chip may specifically include: streamlining AP1, characterized AP1, enhanced system AP1, the system AP1, TCT1, TAB and the resource manager. 其中,特征API可以包括父密钥装载释放模块和父密钥存储模块,父密钥装载释放模块和父密钥存储模块对应于上述密钥处理装置中的装载模块13;资源管理器可以包括多级队列调度模块、密钥装载释放模块、现场记录存储模块、密钥装载记录模块,现场记录存储模块内存储着现场记录,密钥装载记录模块内存储着密钥装载记录,多级队列调度模块对应于上述密钥处理装置中的获取模块10,密钥装载释放模块对应于上述密钥处理装置中的装载模块13,现场记录存储模块对应于上述密钥处理装置中的保存模块14,密钥装载记录模块对应于上述密钥处理装置中的记录模块15。 Wherein the API features may include the master key and the master key module loading release storage module, the master key and the master key module loading release storage module corresponding to the key processing means in the loading module 13; the resource manager may include a plurality of stage queue scheduling module, a key release load module, a field record storage module, a key carrying the recording module, the storage module stores the recording field records field, carrying the recording key stored within the key carrying the recording module, the multi-stage queue scheduling module corresponding to the key processing apparatus obtaining module 10, a key release load module corresponding to the key processing means 13 in the loading module, the scene module stored in the recording process corresponding to the key stored in the device module 14, the key the load module corresponding to the recording means records the key processing module 15.

[0158]本发明实施例提供一种密钥处理装置,包括获取模块、确认模块、释放模块和装载模块;获取模块,用于获取密钥装载命令,密钥装载命令指示在可信平台模块TPM芯片装载第一密钥;确认模块,用于在获取模块获取密钥装载命令后,确认TPM芯片内的所有密钥插槽均处于非空闲状态;释放模块,用于若TPM芯片内的所有密钥插槽均处于非空闲状态,则释放TPM芯片内所有密钥插槽中的第一密钥插槽;装载模块,用于在释放模块释放TPM芯片内所有密钥插槽中的第一密钥插槽后,根据密钥装载命令,在第一密钥插槽上装载第一密钥。 [0158] An embodiment provides a key processing apparatus according to the present invention includes an acquisition module, a validation module, and a release module loading module; acquiring module for acquiring key load command, load command instructs the key in the Trusted Platform Module TPM loading a first chip key; confirmation means for after the key obtaining module obtains the load command, confirm that all keys in the TPM chip slots are in a non-idle state; releasing module configured if all dense in the TPM chip key slots are in a non-idle state, a first key is released all slots in the TPM chip key slots; loading module, for releasing a first cipher key within the TPM chip all slots in the releasing module after the key slot, according to the load command key, the first key is loaded on the first key slot. 基于上述实施例的描述,由于在获取指示在可信平台模块TPM芯片装载第一密钥的密钥装载命令,且TPM芯片内的所有密钥插槽均处于非空闲状态时,密钥处理装置能够释放所述TPM芯片内所有密钥插槽中的第一密钥插槽,并根据密钥装载命令,在所述第一密钥插槽上装载所述第一密钥。 Based upon the above embodiment described, since the acquisition command indicating key loading a trusted platform module TPM chip mounting the first key, and all keys in the TPM chip slots are in a non-idle state, the key processing means the first key slot can be released within the TPM chip slots all keys, and a key according to the loading command, to load the first key in the first key slot. 因此,能够避免在密钥装载时返回空间已满的错误码,保证密钥装载的顺利进行,合理地使用TPM芯片内存空间资源。 Accordingly, it is possible to avoid the error code returned is full at the time the key is loaded, to ensure smooth loading of the key, the rational use of the TPM chip memory resources.

[0159]本发明实施例还提供一种终端设备,如图13所示,该终端设备包括:存储器20、处理器21、通信接口22和系统总线23。 [0159] Embodiments of the present invention further provides a terminal device, shown in FIG. 13, the terminal apparatus comprising: a memory 20, a processor 21, a communication interface 22 and a system bus 23.

[0160] 存储器20、处理器21和通信接口22通过系统总线23连接,存储器20用于存储一些计算机指令,处理器21用于执行计算机指令,以使终端设备执行如图3-图7任意之一的密钥处理方法。 [0160] The memory 20, the processor 21 and the communication interface 22 are connected via a system bus 23, a memory 20 for storing a number of computer instructions, a processor 21 for executing computer instructions, so that the terminal apparatus to perform any of FIGS. 3 7 a key processing method. 具体的密钥处理方法可参见上述如图3-图7任意之一所示的实施例中的相关描述,此处不再赘述。 Specific key processing methods can be found in the above-described embodiment shown in FIG. 3 to 7 of any one of the related description is not repeated here.

[0161]具体的,处理器21可以是如图8-图10任意之一所示的实施例中描述的密钥处理装置,也可以是包括如图8-图10任意之一所示的实施例中描述的密钥处理装置的其他能够实现处理器功能的硬件结构。 [0161] Specifically, the processor 21 may be any one shown in FIG. 8-10 of the key processing apparatus described embodiment, it may include any one of the 10 8- FIG embodiment shown in FIG. other possible to implement the processor functions of the hardware configuration of the key processing apparatus described in the embodiment.

[0162] 处理器21可以为中央处理器(central processing unit'CF^J)。 [0162] The processor 21 may be a central processing unit (central processing unit'CF ^ J). 处理器21还可以为其他通用处理器、数字信号处理器(digital signal processing,DSP)、专用集成电路(applicat1n specific integrated circui t,ASIC)、现场可编程门阵列(fie Id-programmable gate array,FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。 The processor 21 may be other general purpose processor, a digital signal processor (digital signal processing, DSP), application specific integrated circuits (applicat1n specific integrated circui t, ASIC), a field programmable gate array (fie Id-programmable gate array, FPGA ) or other programmable logic device, discrete gate or transistor logic, discrete hardware components like. 通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等。 A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.

[0163] 处理器21可以为专用处理器,该专用处理器可以包括基带处理芯片、射频处理芯片等中的至少一个。 [0163] The processor 21 may be a dedicated processor, the processor may comprise at least one dedicated baseband processing chip, the RF chip and the like. 进一步地,该专用处理器还可以包括具有终端设备其他专用处理功能的芯片。 Further, the processor may further include a chip dedicated terminal device having other special processing function.

[0164] 存储器20可以包括易失性存储器(volatile memory ),例如随机存取存储器(random-access memory ,RAM);存储器20也可以包括非易失性存储器(non-volatilememory),例如只读存储器(read-only memory,ROM),快闪存储器(flash memory),硬盘(hard disk drive,HDD)或固态硬盘(solid-state drive,SSD);存储器20还可以包括上述种类的存储器的组合。 [0164] The memory 20 may include volatile memory (volatile memory), such as a random access memory (random-access memory, RAM); a memory 20 may also include non-volatile memory (non-volatilememory), such as read only memory (read-only memory, ROM), flash memory (flash memory), a hard disk (hard disk drive, HDD) or a solid state drive (solid-state drive, SSD); a memory 20 may further include combinations of the above types of memory.

[0165]系统总线23可以包括数据总线、电源总线、控制总线和信号状态总线等。 [0165] The system bus 23 may include a data bus, power bus, control bus, and status signal bus and the like. 本实施例中为了清楚说明,在图13中将各种总线都示意为系统总线23。 In this embodiment, for clarity in FIG. 13 in the various buses are illustrated as a system bus 23.

[0166]通信接口22可以包括接收器和发送器。 [0166] The communication interface 22 may include a receiver and a transmitter. 并且在终端设备的具体实现中,接收器和发送器具体可以是终端设备上的收发器。 In a particular implementation, and the terminal device, the transmitter and the receiver may be a transceiver on a particular terminal device. 该收发器可以为无线收发器。 The transceiver may be a wireless transceiver.

[0167]在具体实现过程中,上述如图3-图7任意之一所示的方法流程中的各步骤均可以通过硬件执行软件形式的计算机执行指令实现。 [0167] In a specific implementation, the method of the above-described flow shown in FIG. 3 to 7 of any one of the steps may be implemented by a computer executing instructions in the form of hardware executing software. 为避免重复,此处不再赘述。 To avoid duplication, not repeat them here.

[0168]本发明实施例提供一种终端设备。 Embodiment [0168] The present invention provides a terminal device. 基于上述实施例的描述,由于在获取指示在可信平台模块TPM芯片装载第一密钥的密钥装载命令,且TPM芯片内的所有密钥插槽均处于非空闲状态时,密钥处理装置能够释放所述TPM芯片内所有密钥插槽中的第一密钥插槽,并根据密钥装载命令,在所述第一密钥插槽上装载所述第一密钥。 Based upon the above embodiment described, since the acquisition command indicating key loading a trusted platform module TPM chip mounting the first key, and all keys in the TPM chip slots are in a non-idle state, the key processing means the first key slot can be released within the TPM chip slots all keys, and a key according to the loading command, to load the first key in the first key slot. 因此,能够避免在密钥装载时返回空间已满的错误码,保证密钥装载的顺利进行,合理地使用TPM芯片内存空间资源。 Accordingly, it is possible to avoid the error code returned is full at the time the key is loaded, to ensure smooth loading of the key, the rational use of the TPM chip memory resources.

[0169]本发明实施例还提供一种软件产品,该软件产品可以包括实现密钥处理方法的计算机指令。 Example [0169] The present invention further provides a software product, the software product may comprise computer instructions for implementing the key processing method.

[0170]计算机指令可以存储在可读存储介质上;处理器可以从该可读存储介质上读取到计算机指令并执行,使得处理器实现密钥处理方法。 [0170] Computer readable instructions may be stored on a storage medium; processor can read from the storage medium into a computer-readable instructions and executed, cause the processor to realize the key processing method.

[0171]所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,仅以上述各功能模块的划分进行举例说明,实际应用中,可以根据需要而将上述功能分配由不同的功能模块完成,即将装置的内部结构划分成不同的功能模块,以完成以上描述的全部或者部分功能。 [0171] Those skilled in the art may clearly understand that, for convenience and brevity of description, only the division of the functional modules is illustrated, in practice, according to the necessity foregoing functions by different functional modules completed, the internal structure of the apparatus is divided into different functional modules to complete all or part of the functions described above. 上述描述的系统,装置和单元的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。 Specific working process of the foregoing system, apparatus, and unit, reference may be the corresponding process in the method embodiment, which is not repeated herein.

[0172]在本申请所提供的几个实施例中,应该理解到,所揭露的装置和方法,可以通过其它的方式实现。 [0172] In several embodiments provided herein present embodiment, it should be understood that the apparatus and methods disclosed may be implemented in other manners. 例如,以上所描述的装置实施例仅仅是示意性的,例如,模块或单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如多个单元或组件可以结合或者可以集成到另一个系统,或一些特征可以忽略,或不执行。 For example, the described apparatus embodiments are merely illustrative of, for example, dividing the modules or units is merely logical function division, there may be other division in actual implementation, for example, a plurality of units or components may be combined or It can be integrated into another system, or some features may be ignored or not performed. 另一点,所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口,装置或单元的间接耦合或通信连接,可以是电性,机械或其它的形式。 Another point, displayed or coupling or direct coupling or communication between interconnected in question may be through some interface, device, or indirect coupling or communication connection unit, may be electrical, mechanical, or other forms.

[0173]另外,在本发明各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。 [0173] Additionally, functional units may be integrated in various embodiments of the present invention in a processing unit, separate units may be physically present, may be two or more units are integrated into one unit. 上述集成的单元既可以采用硬件的形式实现,也可以采用软件功能单元的形式实现。 The integrated unit may be implemented in the form of hardware, software functional units may also be implemented.

[0174]集成的单元如果以软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。 [0174] If the integrated unit is implemented as a separate product sold or used in the form of a software functional unit may be stored in a computer-readable storage medium. 基于这样的理解,本发明的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的全部或部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)或处理器(processor)执行本发明各个实施例方法的全部或部分步骤。 Based on such understanding, the technical solutions of the present invention essentially, or the part or all of the technical solutions contributing to the prior art may be embodied in part or in the form of a software product, which computer software product is stored in a storage medium , including several instructions for instructing a computer device (may be a personal computer, a server, or network device) or (processor) to perform all or part of the steps of the method of various embodiments of the present invention. 而前述的存储介质包括:U盘、移动硬盘、只读存储器(ROM,Read-Only Memory)、随机存取存储器(RAM,Random Access Memory)、磁碟或者光盘等各种可以存储程序代码的介质。 The storage medium includes: U disk, mobile hard disk, a read-only memory (ROM, Read-Only Memory), a random access various memories (RAM, Random Access Memory), a magnetic disk, or an optical medium can store program codes .

[0175]以上,仅为本发明的具体实施方式,但本发明的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本发明揭露的技术范围内,可轻易想到变化或替换,都应涵盖在本发明的保护范围之内。 [0175] above are merely specific embodiments of the present invention, but the scope of the present invention is not limited thereto, any skilled in the art in the art within the technical scope of the present invention is disclosed, variations or replacement that can be easily, It shall fall within the scope of the present invention. 因此,本发明的保护范围应以权利要求的保护范围为准。 Accordingly, the scope of the present invention should be defined by the scope of the claims.

Claims (17)

  1. 1.一种密钥处理方法,其特征在于,包括: 获取密钥装载命令,所述密钥装载命令指示在可信平台模块TPM芯片装载第一密钥;若所述TPM芯片内的所有密钥插槽均处于非空闲状态,则释放所述TPM芯片内所有密钥插槽中的第一密钥插槽; 根据所述密钥装载命令,在所述第一密钥插槽上装载所述第一密钥。 A key processing method characterized by comprising: acquiring a key load command, load command instructs the key in a trusted platform module TPM chip mounting a first key; if the TPM chip all the secret key slots are in a non-idle state, a first key is released the slots in the TPM chip all key slots; key according to the load command, the load on the first key slot said first key.
  2. 2.根据权利要求1所述的密钥处理方法,其特征在于,所述方法还包括: 在所述释放所述第一密钥插槽前,确认所述TPM芯片内的所有密钥插槽与密钥的映射关系。 The key processing method according to claim 1, wherein said method further comprises: a first key slot in the front of the release, it was confirmed that all keys in the TPM chip slots mapping relationships with key.
  3. 3.根据权利要求1或2所述的密钥处理方法,其特征在于,所述释放所述TPM芯片内所有密钥插槽中的第一密钥插槽,具体包括: 获取所述第一密钥插槽的标识,其中,占用所述第一密钥插槽的密钥为占用所有密钥插槽的密钥中使用次数最少的密钥,或者,占用所述第一密钥插槽的密钥为占用所有密钥插槽的密钥中最早装载的密钥; 根据所述第一密钥插槽的标识,指示所述TPM芯片释放所述第一密钥插槽。 3. The key processing method according to claim 12, wherein the release key slots in the first all keys TPM chip slots, comprises: obtaining the first identification key slot, wherein the first key slot occupying a key to take up all keys in the key slots with a minimum number of keys, or the first key slot occupies key to occupy all the keys in the key slot of the key in the first loading; according to the identifier of the first key slot, indicative of the TPM chip releasing the first key slot.
  4. 4.根据权利要求1至3任一项所述的密钥处理方法,其特征在于,所述方法还包括: 在所述释放所述第一密钥插槽前,保存占用所述第一密钥插槽的密钥的现场记录。 1 according to a key processing method according to any one of claim 3, wherein said method further comprises: releasing the front of the first key slot, save the first encrypted occupies live recording key slot of the key.
  5. 5.根据权利要求1至4任一项所述的密钥处理方法,其特征在于,所述方法还包括: 在所述第一插槽上装载所述第一密钥时,确认存储器中存储有第一密钥的现场记录,获取并恢复所述第一密钥的现场记录。 1 according to the key processing method of any one of claims 1-4, wherein said method further comprises: when loading on the first slot of the first key stored in the memory to confirm record live first key, obtaining and recovering the first key field recording.
  6. 6.根据权利要求1至5任一项所述密钥处理方法,其特征在于,所述方法还包括: 在所述第一密钥插槽上装载所述第一密钥时,记录所述第一密钥插槽与所述第一密钥的映射关系,以便根据所述映射关系从所述第一密钥插槽获取到所述第一密钥。 1 according to the key processing method according to any one of claims 5, wherein said method further comprises: when the first key slot on loading the first key, the recording the first key slot and the mapping relationship between the first key so as to obtain the slot according to the mapping relation from the first key to the first key.
  7. 7.根据权利要求1至6任一项所述的密钥处理方法,其特征在于,在所述获取密钥装载命令前,所述方法还包括: 确认所述TPM芯片内处于空闲状态的密钥插槽的个数大于或等于预设门限; 从接收到的至少一个命令中获取第一命令,所述第一命令为所述至少一个命令中的任意一个命令,所述第一命令包括密钥装载命令。 1 according to a key processing method according to any one of claims claim 6, characterized in that, prior to loading the key acquisition command, said method further comprising: idle state confirmation tight within said TPM chip key slot number equal to or greater than a preset threshold; obtaining a first command received from the at least one command in the first command is a command of said at least one of any command the first command comprises a dense key load command.
  8. 8.根据权利要求1至7任一项所述的密钥处理方法,其特征在于,在所述获取密钥装载命令前,所述方法还包括: 确认所述TPM芯片内处于空闲状态的密钥插槽的个数小于预设门限; 从接收到的至少一个命令中获取第一命令,所述第一命令为所述至少一个命令中优先级最高的命令,所述第一命令包括密钥装载命令。 A key processing method according to any one of claim 7, wherein, prior to loading the key acquisition command, said method further comprising: idle state confirmation tight within said TPM chip the number of key slots less than a preset threshold; obtaining a first command received from the at least one command in the first command to the at least one of highest priority command command, the first command comprises a key load command.
  9. 9.一种密钥处理装置,其特征在于,所述密钥处理装置包括获取模块、确认模块、释放模块和装载模块; 所述获取模块,用于获取密钥装载命令,所述密钥装载命令指示在可信平台模块TPM芯片装载第一密钥; 所述确认模块,用于在所述获取模块获取密钥装载命令后,确认所述TPM芯片内的所有密钥插槽均处于非空闲状态; 所述释放模块,用于若所述TPM芯片内的所有密钥插槽均处于非空闲状态,则释放所述TPM芯片内所有密钥插槽中的第一密钥插槽; 所述装载模块,用于在所述释放模块释放所述TPM芯片内所有密钥插槽中的第一密钥插槽后,根据所述密钥装载命令,在所述第一密钥插槽上装载所述第一密钥。 A key processing apparatus, wherein the key processing apparatus includes an acquisition module, a validation module, and a module loading module release; the obtaining module, configured to acquire key command loading, loading said key command indicating a trusted platform module TPM chip mounting a first key; the confirmation module, for, after loading the key obtaining module obtains the command, confirm that all keys in the TPM chip slots are in the non-idle state; the release module, for if all the keys of the TPM chip slots are in a non-idle state, a first key is released the slots in the TPM chip for all of the key slot; the loading module, for releasing module after the release of the first key slots in all keys of the TPM chip slots, according to the key mount command, loaded on the first key slot the first key.
  10. 10.根据权利要求9所述的密钥处理装置,其特征在于, 所述确认模块,还用于在所述释放模块释放所述第一密钥插槽前,确认所述TPM芯片内的所有密钥插槽与密钥的映射关系。 10. The key processing apparatus according to claim 9, wherein said confirmation module is further configured to release the first module before releasing the key slot, to confirm all within the TPM chip mapping between key slots and keys.
  11. 11.根据权利要求9或10所述的密钥处理装置,其特征在于, 所述释放模块,具体用于获取所述第一密钥插槽的标识,其中,占用所述第一密钥插槽的密钥为占用所有密钥插槽的密钥中使用次数最少的密钥,或者,占用所述第一密钥插槽的密钥为占用所有密钥插槽的密钥中最早装载的密钥;以及根据所述第一密钥插槽的标识,指示所述TPM芯片释放所述第一密钥插槽。 11. The key processing apparatus of claim 9 or claim 10, wherein said release module is configured to obtain the identifier of the first key slot, wherein the first key is inserted occupies key groove to take up all keys in the key slots with a minimum number of keys, or the key occupies the first key slot to take up all keys in the key slot of the earliest loaded key; and according to the identifier of the first key slot, indicative of the TPM chip releasing the first key slot.
  12. 12.根据权利要求9至11任一项所述的密钥处理装置,其特征在于,所述密钥处理装置还包括保存t旲块; 所述保存模块,用于在所述释放模块释放所述第一密钥插槽前,保存占用所述第一密钥插槽的密钥的现场记录。 12. The key processing apparatus 9-1 according to any one of claim 11, wherein said processing means further comprises a key storage block Dae t; the storing module, for releasing the releasing module before said first key slot, recording the first key storage site occupancy of the key slot.
  13. 13.根据权利要求9至12任一项所述的密钥处理装置,其特征在于, 所述装载模块,具体用于在所述装载模块在第一插槽上装载所述第一密钥时,确认存储器中存储有第一密钥的现场记录,获取并恢复所述第一密钥的现场记录。 13. The key processing apparatus 9-1 according to any one of claim 12, wherein said loading module is used for the loading module on a first loading the first key slot confirmed live records stored in the memory of a first key, obtaining and recovering the first key field recording.
  14. 14.根据权利要求9至13任一项所述的密钥处理装置,其特征在于,所述密钥处理装置还包括记录模块; 所述记录模块,用于在所述装载模块在所述第一密钥插槽上装载所述第一密钥时,记录所述第一密钥插槽与所述第一密钥的映射关系,以便根据所述映射关系从所述第一密钥插槽获取到所述第一密钥。 14. The key processing apparatus 9-1 according to any one of claim 13, wherein said apparatus further comprises a recording key processing module; the recording module, the loader module for the first loading the first key on a key slot, recording the first key slot and the mapping relationship between the first key to the first key from slot according to the mapping relation to obtain the first key.
  15. 15.根据权利要求9至14任一项所述的密钥处理装置,其特征在于, 所述确认模块,还用于在所述获取模块获取密钥装载命令前,确认所述TPM芯片内处于空闲状态的密钥插槽的个数大于或等于预设门限; 所述获取模块,还用于在所述确认模块确认所述TPM芯片内处于空闲状态的密钥插槽的个数大于或等于预设门限后,从接收到的至少一个命令中获取第一命令,所述第一命令为所述至少一个命令中的任意一个命令,所述第一命令包括密钥装载命令。 15. The key processing apparatus 9-1 according to any of claim 14, wherein said confirmation module is further configured to acquire the key obtaining module before the load command, is recognized in the TPM chip the number of key slots idle threshold is greater than or equal to a preset; the obtaining module is further configured to confirm the acknowledgment number of the key module in an idle slot state in the TPM chip greater than or equal after the preset threshold, acquiring at least one command received from the first command, the first command is a command of said at least one of any of a command to load the first command comprises a key command.
  16. 16.根据权利要求9至15任一项所述的密钥处理装置,其特征在于, 所述确认模块,还用于在所述获取模块获取密钥装载命令前,确认所述TPM芯片内处于空闲状态的密钥插槽的个数小于预设门限; 所述获取模块,还用于在所述确认模块确认所述TPM芯片内处于空闲状态的密钥插槽的个数小于预设门限后,从接收到的至少一个命令中获取第一命令,所述第一命令为所述至少一个命令中优先级最高的命令,所述第一命令包括密钥装载命令。 16. The key processing apparatus 9-1 according to any of claim 15, wherein said confirmation module is further configured to prior to the acquisition module acquires the key load command, is recognized in the TPM chip the number of key slots in an idle state is less than a preset threshold; the obtaining module is further configured to, after the acknowledgment number of the acknowledgment key slot modules in an idle state in said TPM chip smaller than a preset threshold obtaining at least one first command from the received command, the first command to said at least one of highest priority command command, the first command includes a load command key.
  17. 17.—种终端设备,其特征在于,所述终端设备包括存储器、处理器、通信接口和系统总线; 所述存储器、所述处理器和所述通信接口通过所述系统总线连接,所述存储器用于存储计算机指令,所述处理器用于执行所述存储器存储的计算机指令,以使所述终端设备执行权利要求1-8任一项所述的密钥处理方法。 17.- kinds of terminal device, wherein said terminal device comprises memory, a processor, a communication interface, and a system bus; the memory, the processor and the communication interface is connected through the system bus, the memory for storing computer instructions, the processor to execute computer instructions stored in the memory, so that the key terminal apparatus processing method according to any one of claims 1-8 performed.
CN 201610156470 2016-03-18 2016-03-18 Secret key processing method and apparatus CN105871539A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201610156470 CN105871539A (en) 2016-03-18 2016-03-18 Secret key processing method and apparatus

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN 201610156470 CN105871539A (en) 2016-03-18 2016-03-18 Secret key processing method and apparatus
PCT/CN2016/101582 WO2017157006A1 (en) 2016-03-18 2016-10-09 Secret key processing method and apparatus

Publications (1)

Publication Number Publication Date
CN105871539A true true CN105871539A (en) 2016-08-17

Family

ID=56624643

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201610156470 CN105871539A (en) 2016-03-18 2016-03-18 Secret key processing method and apparatus

Country Status (2)

Country Link
CN (1) CN105871539A (en)
WO (1) WO2017157006A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017157006A1 (en) * 2016-03-18 2017-09-21 华为技术有限公司 Secret key processing method and apparatus

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060111111A1 (en) * 2004-11-24 2006-05-25 Shlomo Ovadia Method and system to support fast hand-over of mobile subscriber stations in broadband wireless networks
US20100281249A1 (en) * 2009-05-03 2010-11-04 Kabushiki Kaisha Toshiba Media independent handover protocol security
CN102842005A (en) * 2011-06-21 2012-12-26 国民技术股份有限公司 CSP (chip scale package) module of TSPI (telephony service provider interface) based on TSM (tivoli storage manager) and CSP implementation method
CN103138939A (en) * 2013-03-28 2013-06-05 武汉大学 Secret key use time management method based on credible platform module under cloud storage mode
CN104331329A (en) * 2014-09-30 2015-02-04 上海斐讯数据通信技术有限公司 Mobile office security system and method supporting domain management
CN105245334A (en) * 2015-10-28 2016-01-13 武汉大学 TPM secret key and authorized data backup recovery system and method thereof

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8064605B2 (en) * 2007-09-27 2011-11-22 Intel Corporation Methods and apparatus for providing upgradeable key bindings for trusted platform modules
CN101547198B (en) * 2009-01-22 2011-12-28 北京网御星云信息技术有限公司 Connection control method and apparatus for network security device
CN102136044B (en) * 2010-07-14 2013-08-28 华为技术有限公司 Safe starting method, device and computer system
CN103763315B (en) * 2014-01-14 2016-12-07 北京航空航天大学 One kind of apparatus used in mobile trusted cloud storage data access control method
CN105871539A (en) * 2016-03-18 2016-08-17 华为技术有限公司 Secret key processing method and apparatus

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060111111A1 (en) * 2004-11-24 2006-05-25 Shlomo Ovadia Method and system to support fast hand-over of mobile subscriber stations in broadband wireless networks
US20100281249A1 (en) * 2009-05-03 2010-11-04 Kabushiki Kaisha Toshiba Media independent handover protocol security
CN102842005A (en) * 2011-06-21 2012-12-26 国民技术股份有限公司 CSP (chip scale package) module of TSPI (telephony service provider interface) based on TSM (tivoli storage manager) and CSP implementation method
CN103138939A (en) * 2013-03-28 2013-06-05 武汉大学 Secret key use time management method based on credible platform module under cloud storage mode
CN104331329A (en) * 2014-09-30 2015-02-04 上海斐讯数据通信技术有限公司 Mobile office security system and method supporting domain management
CN105245334A (en) * 2015-10-28 2016-01-13 武汉大学 TPM secret key and authorized data backup recovery system and method thereof

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017157006A1 (en) * 2016-03-18 2017-09-21 华为技术有限公司 Secret key processing method and apparatus

Also Published As

Publication number Publication date Type
WO2017157006A1 (en) 2017-09-21 application

Similar Documents

Publication Publication Date Title
US20120317638A1 (en) Method and devices for managing permission requests to allow access to a computing resource
US20050221766A1 (en) Method and apparatus to perform dynamic attestation
US20060095454A1 (en) System and method for secure collaborative terminal identity authentication between a wireless communication device and a wireless operator
US20070266422A1 (en) Centralized Dynamic Security Control for a Mobile Device Network
US20070198419A1 (en) Method of transferring digital rights
US20090298468A1 (en) System and method for deleting data in a communication device
US9049013B2 (en) Trusted security zone containers for the protection and confidentiality of trusted service manager data
US20120317565A1 (en) Methods and devices for controlling access to computing resources
US20130166899A1 (en) Method and system for controlling system settings of a computing device
EP1645931A1 (en) Secure loading and storing of data in a data processing device
US20140181518A1 (en) Secure mobile app connection bus
US8589667B2 (en) Booting and configuring a subsystem securely from non-local storage
US20080148414A1 (en) Portable digital rights management (drm)
US20070208826A1 (en) System and method of storing data files at a remote storage facility
US20140096145A1 (en) Hardware message queues for intra-cluster communication
US8948382B2 (en) Secure protocol for peer-to-peer network
US20130333015A1 (en) Biometric cloud communication and data movement
US20140189781A1 (en) Mobile enterprise server and client device interaction
US20120226823A1 (en) Document distribution system and method
US20070157020A1 (en) Method and apparatus for providing session key for WUSB security and method and apparatus for obtaining the session key
US8625805B1 (en) Digital security bubble
US9037870B1 (en) Method and system for providing a rotating key encrypted file system
US20140082376A1 (en) System, Method and Apparatus for Securely Saving/Retrieving Data on a Data Storage
US20090083429A1 (en) Generic Digital Rights Management Framework, and Applications Thereof
CN102523578A (en) Over-the-air card writing method, apparatus and system

Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination