CN105930731B - Method and device for trusted application (TA) interaction - Google Patents

Info

Publication number: CN105930731B
Authority: CN (China)
Application number: CN201510967898.4A
Other versions: CN105930731A
Original language: Chinese (zh)
Inventors: 陈成钱, 周钰, 郭伟
Assignee (original and current): China Unionpay Co Ltd
Legal status: Active (application filed by China Unionpay Co Ltd; published as CN105930731A; granted and published as CN105930731B)

Classifications

    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities (under G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
    • G06F2221/2149 Restricted operating environment (indexing scheme under G06F2221/21 and G06F2221/00, relating to G06F21/00 and subgroups)

Abstract

The invention discloses a method and device for interaction between trusted applications (TAs). The method comprises: a first TA in a trusted execution environment (TEE), while executing a data processing request, generates first application interaction data intended for a second TA in the same TEE; the first TA sends an application run request for the second TA to the rich execution environment (REE) and then stops running; the second TA receives the application run request for the second TA forwarded by the REE and starts running; the second TA obtains the first application interaction data and, based on the obtained first application interaction data, generates result data for the second TA. This addresses the problem of prior-art interaction methods between TAs, in which process switching occurs frequently inside the TEE and creates a security risk for the TEE system.

Description

Method and device for trusted application (TA) interaction
Technical field
The present invention relates to the field of communications, and in particular to a method and device for trusted application (TA) interaction.
Background
The development of mobile communication technology has driven the rapid development of mobile terminal technology. Modern mobile terminal devices offer a powerful and flexible Rich Execution Environment (REE), but this also leaves the device exposed to security threats. The Trusted Execution Environment (TEE) is the technical solution proposed to address the security risks present in today's mobile terminal devices. The TEE and the REE run in parallel on the same device. The TEE guarantees that sensitive data is stored, processed and protected in a trusted environment, and provides a secure execution environment for authorized security software (trusted software); by enforcing protection, confidentiality, integrity and data access rights, it achieves end-to-end security. A Trusted Application (TA) runs in the TEE, and a Client Application (CA) runs in the REE; the CA accesses a TA by calling the TEE Client API (Application Programming Interface) located in the REE, and thereby uses the security functions provided by the TEE and the TA.
The current way TAs interact inside the TEE is shown in Figure 1. When a first TA, in order to complete the function requested by a client application, needs to access an n-th TA, it must assemble the TA interaction data required by the target n-th TA and send that data through the internal communication module; at the same time, the application scheduling module schedules the n-th TA and selects the target n-th TA to run. The target n-th TA obtains the TA interaction data sent by the first TA from the internal communication module and processes it. After processing, the reverse of the above process takes place: the application scheduling module reschedules the first TA to run, the first TA obtains the processing result and completes the remaining workflow, and the final result is returned to the CA.
As can be seen, in the prior art the data exchange and the switching between trusted applications take place inside the TEE. Because process switching introduces uncertainty, the TEE is easily put into an undetermined state, which creates a security risk for the TEE system.
Summary of the invention
Embodiments of the present invention provide a method and device for TA interaction, to solve the problem that prior-art interaction methods between TAs cause frequent process switching inside the TEE and thereby expose the TEE system to security risk.
The method of the present invention comprises a TA interaction method including: a first TA in a trusted execution environment (TEE), while executing a data processing request, generates first application interaction data intended for a second TA in the TEE; the first TA sends an application run request for the second TA to the rich execution environment (REE) and then stops running; the second TA receives the application run request for the second TA forwarded by the REE and starts running; the second TA obtains the first application interaction data and, based on the obtained first application interaction data, generates result data for the second TA.
Based on the same inventive concept, embodiments of the present invention further provide a TA interaction device located in a trusted execution environment (TEE), comprising: a first TA running unit, for generating, during execution of a data processing request, first application interaction data intended for a second TA in the TEE; a first TA sending unit, for sending an application run request for the second TA to the rich execution environment (REE) and then stopping; a second TA receiving unit, for running the second TA after receiving the application run request for the second TA forwarded by the REE; and a second TA running unit, for obtaining the first application interaction data and generating result data for the second TA based on the obtained first application interaction data.
Embodiments of the present invention use the REE as the intermediary for the interaction between the first TA and the second TA in the TEE. When the first TA, while parsing a received data processing request, finds that the second TA is needed, the first TA generates a run request for the second TA and sends it to the REE; the REE forwards the run request to the second TA, so that the second TA runs. Once running, the second TA obtains the associated application interaction data and, based on the obtained first application interaction data, generates result data for the second TA. Thus the interaction between the first TA and the second TA inside the TEE is driven by commands forwarded through the REE, no process switching takes place inside the TEE, the security level of the TEE system is raised, and the security risk caused by frequent process switching is avoided.
Description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed for the description of the embodiments are briefly introduced below. It should be apparent that the drawings described below show only some embodiments of the invention, and that those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a system in which a trusted execution environment and a rich execution environment interact, as provided by the prior art;
Fig. 2 is a system in which a trusted execution environment and a rich execution environment interact, as provided by an embodiment of the present invention;
Fig. 3 is a flow diagram of a TA interaction method provided by an embodiment of the present invention;
Fig. 4 is an interaction diagram between a payment TA and a transfer TA provided by an embodiment of the present invention;
Fig. 5 is an interaction diagram of the reverse process between the transfer TA and the payment TA provided by an embodiment of the present invention;
Fig. 6 is a structural schematic diagram of a TA interaction device provided by an embodiment of the present invention.
Detailed description
To make the objectives, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings. It is clear that the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
As shown in Figure 2, an embodiment of the present invention provides a system in which a trusted execution environment and a rich execution environment interact. The REE and the TEE run in parallel on the same mobile terminal device; the REE includes a CA and an REE communication unit, and the TEE includes a TEE communication unit, several TAs and a set storage region. In this embodiment the REE follows the GlobalPlatform TEE Client API specification and the TEE follows the GlobalPlatform TEE Internal API specification; both specifications are industry standards well known to those skilled in the art.
To address the process-switching problem that arises when TAs in the TEE interact, as pointed out in the background section, an embodiment of the present invention provides the TA interaction method shown in the flow diagram of Figure 3. The method includes the following steps:
Step S101: a first TA in the TEE, while executing a data processing request, generates first application interaction data intended for a second TA in the TEE.
Step S102: the first TA sends an application run request for the second TA to the REE and then stops running.
Step S103: the second TA receives the application run request for the second TA forwarded by the REE, and then runs.
Step S104: the second TA obtains the first application interaction data and, based on the obtained first application interaction data, generates result data for the second TA.
In the above steps, the first TA and the second TA are both in the TEE, and the first TA needs the second TA in order to handle the data request. In this embodiment the first TA does this by sending an application run request for the second TA to the REE; the REE sends that run request to the second TA, which starts the second TA running, obtains the first application interaction data and generates result data for the second TA. As can be seen from these steps, the first TA and the second TA in the TEE have no direct channel to each other; instead, commands are forwarded through the external REE, which avoids process switching inside the TEE and ensures the stability of the TEE system. At the same time, the interaction between the TEE and the REE consists only of forwarding application run commands and does not involve any data that must remain confidential in the TEE environment, so sensitive data can still be stored, processed and protected within the trusted environment of the TEE.
Further, the first TA stores the application interaction data it generated for the second TA in the set storage region in the TEE and sets the access rights of the set storage region to the first TA and the second TA. In this way the application interaction data is stored in the TEE and is accessible only to the first TA and the second TA, which guarantees the security of the data.
Similarly, the second TA stores the application interaction data it generated for the first TA in the set storage region in the TEE and sets the access rights of the set storage region to the first TA and the second TA. In this way the application interaction data is stored in the TEE and is accessible only to the first TA and the second TA, which guarantees the security of the data.
The above embodiment describes only the case in which execution by the first TA needs the cooperation of the second TA. In practice there may be multiple layers of cooperating calls: for example, execution by the second TA may need the cooperation of a third TA, or, after the second TA has cooperated in executing the first TA's data processing request, a later stage may again require the cooperation of a fourth TA, a fifth TA, and so on. Whichever the case, it is carried out with reference to the above embodiment, that is, application commands are relayed through the REE. Further, to guarantee the security of the interaction data, the data generated by each TA is stored in the TEE with access rights set.
Further, before handling the data processing request, the first TA receives a data processing request, carrying the first TA's identifier, sent by the client application CA in the REE. Specifically, the REE first sends, through the CA, a request to the TEE environment to select and run the first TA; the REE then sends the data processing request carrying the first TA's identifier to the TEE; the first TA receives the data processing request and carries out the processing; and finally the first TA also sends the processing result of the data processing request to the CA in the REE. Here, the first TA in the TEE receives the application run request for the first TA and the data processing request forwarded by the REE through the application programming interface (API) for communication between the TEE and the REE. Similarly, the second TA in the TEE receives the application run request for the second TA forwarded by the REE through the API for communication between the TEE and the REE, and then runs.
To illustrate the detailed process of the TA interaction described above, the embodiment is described by way of the example interaction diagram shown in Figure 4.
Step S201: the user operates the Taobao client in the REE of the mobile terminal, which generates a payment data request for 50 yuan and sends the 50 yuan payment data request into the TEE of the mobile terminal.
Step S202: the TEE parses the payment data request and determines that it contains the identifier of the payment TA; it therefore confirms that the payment TA is responsible for handling the payment request, notifies the payment TA to run, and the payment TA handles the payment data request.
Step S203: while handling the 50 yuan payment data request, the payment TA needs the processing result of another TA. For example, the 50 yuan payment data request needs feedback data from the external UnionPay system, and the external UnionPay system communicates with the transfer TA inside the TEE, so inside the TEE this request is relayed and handled by the transfer TA. The payment TA therefore stops processing this payment data request, generates interaction data relevant to the transfer TA, and stores this interaction data, together with the result data the payment TA has just produced during its processing, in the set storage region in the TEE. When this data is stored in the set storage region it is given a shared mark, so that subsequently only the payment TA and the transfer TA can access it, which guarantees the security of the data.
Step S204: after generating the above data, the payment TA generates an application run request for the transfer TA whose destination address is the transfer TA and whose source address is the payment TA, sends this application run request to the CA in the REE, and then stops running. The purpose of this arrangement is to have the REE act as the intermediary that starts the transfer TA, avoiding a direct process switch between the payment TA and the transfer TA.
Step S205: the CA in the REE forwards this application run request to the transfer TA; the transfer TA receives it through the API for communication between the TEE and the REE and starts running.
Step S206: the transfer TA obtains the associated interaction data from the set storage region, processes it and generates a processing result. When the transfer TA has finished, it generates interaction data relevant to the payment TA, so that the payment TA can later use this associated interaction data to complete the remaining part of the payment data request.
Step S207: the transfer TA stores the generated interaction data relevant to the payment TA, together with the result produced by its run, in the set storage region and adds the shared mark, so that the payment TA can obtain it later.
It can be seen that, on the one hand, the interaction between the payment TA and the transfer TA in the TEE is triggered by commands supplied by the external REE; the prior-art approach, in which TA interaction inside the TEE can only be achieved through process switching, is abandoned, which greatly simplifies the implementation of the TEE system and reduces its resource usage, while control of TA execution by the external REE makes the TEE system more deterministic and stable. On the other hand, when the payment TA sends the run request for the transfer TA to the REE, the payment TA's own execution is terminated, which ensures that only one TA process runs inside the TEE at a time and reduces the complexity of the TEE implementation.
After the payment TA and the transfer TA shown in Figure 4 have completed the above interaction, the payment TA can further obtain the result generated by the transfer TA and, combining it with that result, finally complete the processing of the data request. Specifically, after the result data for the second TA is generated, the method further includes: the second TA generates second application interaction data intended for the first TA in the TEE; the second TA sends an application run request for the first TA to the REE and then stops running; the first TA receives the application run request for the first TA forwarded by the REE and then runs; the first TA obtains the second application interaction data and the result data for the second TA; and the first TA, based on the obtained second application interaction data and the result data for the second TA, generates the processing result of the data processing request.
To describe as a whole how the TEE and the REE cooperate to complete the processing of a data processing request, this embodiment builds on the example of Figure 4 and provides the interaction diagram shown in Figure 5, which fully describes the whole process of the data processing request.
Steps S301 to S307 are identical to steps S201 to S207 in Figure 2 and are not repeated here.
Step S308: after generating the above data, the transfer TA generates an application run request for the first TA whose destination address is the payment TA and whose source address is the transfer TA, sends this application run request to the CA in the REE, and then stops running.
Step S309: the CA in the REE forwards this application run request to the payment TA; the payment TA receives it through the API for communication between the TEE and the REE and starts running.
Step S310: the payment TA obtains from the set storage region the associated interaction data, the result data it generated earlier, and the result data generated by the transfer TA.
Step S311: the payment TA processes this interaction data together with the above result data and generates the final processing result.
Step S312: the payment TA feeds the final processing result back to the CA through the API between the TEE and the REE.
In summary, while handling an application request from the REE, a TA in the TEE can, with the cooperation of the REE, communicate with other TAs in the TEE, and the functions requiring interaction between TAs can be completed without any process switching inside the TEE.
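The REE-relayed flow of steps S101 to S104 and S201 to S312, as an added model that is not code from the patent or from China UnionPay: the TA names, the RunRequest type, the SharedRegion class with its shared-mark check, and the approval rule are assumptions of this model, and no GlobalPlatform TEE API calls are used. It shows that the REE only ever sees routing information, that the TEE never starts a TA while another one is running, and that a TA outside the shared mark is refused the parked payment state.

```python
"""Model of the REE-relayed TA interaction of steps S101-S104 / S201-S312.
Added example, not code from the patent or China UnionPay: TA names, RunRequest,
SharedRegion and the approval rule are assumptions; no GlobalPlatform API used."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple, Union

PAY_TA = "pay_ta"            # first TA (hypothetical name)
TRANSFER_TA = "transfer_ta"  # second TA (hypothetical name)
OTHER_TA = "other_ta"        # unrelated TA, only used for the access check

@dataclass
class RunRequest:
    """Run request crossing the TEE/REE boundary (S204, S308): routing only."""
    destination: str
    source: str

class SharedRegion:
    """The 'set storage region'; each record carries its shared mark (S203)."""
    def __init__(self) -> None:
        self._records: Dict[str, Tuple[dict, frozenset]] = {}

    def store(self, key: str, data: dict, allowed: List[str]) -> None:
        self._records[key] = (dict(data), frozenset(allowed))

    def load(self, key: str, caller: str) -> dict:
        data, allowed = self._records[key]
        if caller not in allowed:  # only TAs named in the shared mark may read
            raise PermissionError(f"{caller} may not read {key}")
        return dict(data)

class TEE:
    """Holds the TAs and the region; a TA is started only through invoke()."""
    def __init__(self, tas: Dict[str, Callable]) -> None:
        self.region = SharedRegion()
        self._tas = tas
        self.running: Optional[str] = None

    def invoke(self, name: str, message: dict) -> Union[RunRequest, dict]:
        # The REE calls this; refusing to start a TA while another one runs
        # is the model's way of expressing "no process switching inside TEE".
        if self.running is not None:
            raise RuntimeError(f"{self.running} still running in TEE")
        self.running = name
        try:
            return self._tas[name](self, message)
        finally:
            self.running = None  # TA has stopped before any other TA runs

class REE:
    """Client side: relays run requests (S205, S309) and logs what it sees."""
    def __init__(self, tee: TEE) -> None:
        self.tee = tee
        self.log: List[str] = []

    def submit(self, ta: str, message: dict) -> dict:
        self.log.append(f"request -> {ta}")  # S201: carries first TA's id
        reply = self.tee.invoke(ta, message)
        while isinstance(reply, RunRequest):  # keep relaying until a result
            self.log.append(f"run {reply.destination} (from {reply.source})")
            reply = self.tee.invoke(reply.destination, {"from": reply.source})
        return reply  # S312: final processing result reaches the CA

def pay_ta(tee: TEE, msg: dict) -> Union[RunRequest, dict]:
    if "amount" in msg:
        # S203: park state, readable only by the two TAs; S204: ask the REE
        # to run the transfer TA, then stop (return).
        tee.region.store("pay_state", {"amount": msg["amount"]},
                         [PAY_TA, TRANSFER_TA])
        return RunRequest(destination=TRANSFER_TA, source=PAY_TA)
    # S310/S311: second entry, combine own state with the transfer result.
    state = tee.region.load("pay_state", PAY_TA)
    result = tee.region.load("transfer_result", PAY_TA)
    status = "paid" if result["approved"] else "declined"
    return {"amount": state["amount"], "status": status, "ref": result["ref"]}

def transfer_ta(tee: TEE, msg: dict) -> RunRequest:
    state = tee.region.load("pay_state", TRANSFER_TA)  # S206
    approved = state["amount"] <= 100  # constructed stand-in for UnionPay reply
    tee.region.store("transfer_result",  # S207, again with the shared mark
                     {"approved": approved, "ref": f"ref-{state['amount']}"},
                     [PAY_TA, TRANSFER_TA])
    return RunRequest(destination=PAY_TA, source=TRANSFER_TA)  # S308

def run_payment(amount: int) -> Tuple[dict, List[str], TEE]:
    """Drive one payment through the scheme; returns result, REE log, TEE."""
    tee = TEE({PAY_TA: pay_ta, TRANSFER_TA: transfer_ta})
    ree = REE(tee)
    return ree.submit(PAY_TA, {"amount": amount}), ree.log, tee

def other_ta_can_read(tee: TEE) -> bool:
    """A TA not named in the shared mark must be refused access to pay_state."""
    try:
        tee.region.load("pay_state", OTHER_TA)
        return True
    except PermissionError:
        return False
```

The REE log after `run_payment(50)` contains only the three relay entries and no amount, which is the property the description relies on when it says nothing confidential crosses the boundary.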
Based on the same technical idea, the embodiment of the present invention also provides a kind of device, and it is real which can be performed the above method Apply example.Device provided in an embodiment of the present invention is as shown in Figure 6, comprising: the first TA running unit 401, the first TA transmission unit 402, the 2nd TA receiving unit 403, the 2nd TA running unit 404, in which:
First TA running unit 401, for generating about in the TEE second during executing data processing request The first of TA applies interaction data;
First TA transmission unit 402, after sending the application operation request about the 2nd TA to general purpose execution environment REE It is out of service;
2nd TA receiving unit 403, after receiving described in REE forwarding about the application operation request of the 2nd TA Run the 2nd TA;
2nd TA running unit 404 for obtaining described first using interaction data, and is answered according to described the first of acquisition With interaction data, the result data about the 2nd TA is generated.
In the device of said units composition, when in the device the first TA and the 2nd TA interaction occurs when because first TA and the 2nd TA are in together in TEE, and the first TA needs to use the result data of the 2nd TA feedback when handling request of data, above-mentioned Device can be seen that the first TA and the 2nd TA in TEE without phone channel, but by external REE come forward command, to keep away Exempt from the process switching in TEE, ensure that the stability of TEE system;Meanwhile in the interactive process of TEE and REE, only answer With the forwarding of operation order without regard to the data for needing secrecy in TEE environment, therefore can still be carried out in the believable environment of TEE Storage, processing and the protection of sensitive data.
Further, the 2nd TA transmission unit 405, for sending the application operation about the first TA to the REE It is out of service after request.
First TA receiving unit 406, after receiving described in REE forwarding about the application operation request of the first TA Run the first TA.
The first TA running unit 401 is also used to be stored in setting in the TEE using interaction data for described second Determine storage region, and the access authority for setting storage region is set as the first TA and the 2nd TA.In this way, second It is stored in TEE using interaction data and only the first TA and the 2nd TA is accessible, ensure that the safety of data.
Similarly, the 2nd TA running unit 404 is also used to the 2nd TA for described first and is stored in institute using interaction data The setting storage region in TEE is stated, and the access authority for setting storage region is set as the first TA and described second TA ensure that data in this way, the first application interaction data is stored in TEE and only the first TA and the 2nd TA are accessible Safety.
What above-described embodiment only needed the 2nd TA cooperation to describe with the execution of the first TA, there may be more in actual use Layer calls cooperation, and the execution of such as the 2nd TA needs the cooperation of the 3rd TA;The execution of the data processing request of first TA is in the 2nd TA Cooperation execute after some stage needs again the 4th TA cooperate, the 5th TA cooperate etc., no matter which kind of situation, be referring to above-mentioned reality It applies example to be performed, i.e., is realized between utility command by REE;Further, in order to guarantee the safety of interaction data, TA is generated Data be stored in TEE and set access authority.
Further, the first TA is before handling data processing request, TEE communication unit 407, for receiving in REE The data processing request for the first TA of the carrying mark that common application CA is sent, specifically, REE passed through CA before this and sent out to TEE environment It sends to be elected and selects the request of the first TA of operation, then the data processing request for carrying the first TA mark is being sent to TEE by REE, and first TA receives the data processing request, executes the process of processing, is finally also sent from the first TA to the CA of the REE The processing result of the data processing request.Wherein the second TA receiving unit 403 is specifically used for: by the TEE and institute The Application Programming Interface API for stating the intercommunication of REE receives the asking using operation about the 2nd TA of the REE forwarding The 2nd TA is run after asking.Similarly, the answering by the TEE and the intercommunication of the REE of the 2nd TA in the TEE With programming interface API receive REE forwarding described in about running the 2nd TA after the application operation request of the 2nd TA.
For the detailed process for illustrating above-mentioned TA interaction, the present invention is implemented by providing interaction figure shown in fig. 5, citing Description.
Taobao's client in step S301, user's operation mobile terminal REE generates one about 50 yuan of payment data The payment data request about 50 yuan is sent in mobile terminal TEE by request.TEE communication unit 407 receives in REE The request of data for the carrying payment TA mark that Taobao's client is sent.
Step 302, TEE parses payment data request and determines the mark containing payment TA, therefore confirms and be responsible for processing branch That pay request is payment TA, therefore notifies payment TA operation, and handle payment data request.
Step S303 needs to use another TA's during payment TA handles 50 yuan of payment data request Processing result data, such as, 50 yuan of payment data request needs external Unionpay system feedback data, the feedback data quilt Transfer TA transfer processing, therefore interaction data relevant to transfer TA is generated, by this part interaction data and payment TA just now Treatment process in the result data that has generated be stored in the storage region of the setting in TEE together.The partial data exists When being stored in setting storage region, it is added to shared mark, in this way, subsequent only payment this accessible part TA and transfer TA Data ensure that the safety of data.
Step S304, after generating above-mentioned data, generating a destination address is transfer TA, and source address is to pay the pass of TA In the application operation request of transfer TA, then by this application operation CA that is sent in REE of request, later and branch out of service Pay TA.The purpose for the arrangement is that there is REE as intermediary, starting operation transfer TA is avoided between payment TA and transfer TA directly Carry out process switching.
CA in step S305, REE forwards this application operation request to transfer TA, this application operation request, transfer TA brings into operation.
Step S306 obtains associated interaction data from the storage region of setting, and handles this part interaction number According to, processing result is generated, after being finished, generation interaction data relevant to payment TA, so that continuation payment TA utilizes this portion Associated interaction data is divided to determine remaining payment data request.
The result that the interaction data relevant to payment TA of generation and operation generate is stored in depositing for setting by step S307 Storage area domain, and shared mark is added, in case continuation payment TA is obtained.
Step S308, after generating above-mentioned data, generating a destination address is payment TA, and source address is the pass of transfer TA In the application operation request of the first TA, the CA that then this application operation request is sent in REE, transfer out of service later TA。
CA in step S309, REE forwards this application operation request to payment TA, by the TEE and the REE it The Application Programming Interface API of intercommunication receives this application operation request, and payment TA brings into operation.
Step S310 obtains associated interaction data from the storage region of setting and pays the knot that TA is generated before The result data that fruit data and transfer TA are generated.
Step S311 pays this part interaction data of TA combination the above results data processing, generates final processing result.
The processing result ultimately generated is fed back to CA by the API between the TEE and the REE by step S312.
To sum up, the TA in TEE is during handling REE application request, can be completed under the cooperation of REE with TEE other Communication between TA can complete the function of each TA interaction under conditions of TEE is without process switching.First inside TEE The process interacted between TA and the 2nd TA does not retransmit the movement of process switching by REE forward command inside TEE, into And the security level of TEE system is improved, avoid process frequent switching bring security risk.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps is executed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art can make additional changes and modifications to these embodiments once they know the basic inventive concept. Therefore the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. If these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include them.

Claims (10)

1. A method of security application (TA) interaction, characterized in that the method comprises:
a first TA in a trusted execution environment (TEE) generating, during execution of a data processing request, first application interaction data about a second TA in the TEE;
the first TA stopping running after sending an application operation request about the second TA to a general-purpose execution environment (REE);
the second TA running after receiving the application operation request about the second TA forwarded by the REE;
the second TA obtaining the first application interaction data and generating, according to the obtained first application interaction data, result data about the second TA.
2. The method of claim 1, characterized in that, after the result data about the second TA is generated, the method further comprises:
the second TA generating second application interaction data about the first TA in the TEE;
the second TA stopping running after sending an application operation request about the first TA to the REE;
the first TA running after receiving the application operation request about the first TA forwarded by the REE;
the first TA obtaining the second application interaction data and the result data about the second TA;
the first TA generating a processing result for the data processing request according to the obtained second application interaction data and the result data about the second TA.
3. The method of claim 2, characterized in that, before the first TA in the trusted execution environment (TEE) executes the data processing request, the method further comprises:
the first TA receiving the data processing request, carrying the identifier of the first TA, sent by a common application (CA) in the REE;
and after the first TA generates the processing result for the data processing request, the method further comprises:
the first TA sending the processing result of the data processing request to the CA of the REE.
4. The method of claim 1, characterized in that, after the first application interaction data about the second TA in the TEE is generated, the method further comprises:
the first TA storing the first application interaction data in a set storage region in the TEE, and setting the access authority of the set storage region to the first TA and the second TA.
5. The method of claim 1, characterized in that the second TA running after receiving the application operation request about the second TA forwarded by the REE comprises:
the second TA in the TEE running after receiving, through the application programming interface (API) for intercommunication between the TEE and the REE, the application operation request about the second TA forwarded by the REE.
6. A device for security application (TA) interaction, characterized in that the device is located in a trusted execution environment (TEE) and comprises:
a first TA running unit, configured to generate, during execution of a data processing request, first application interaction data about a second TA in the TEE;
a first TA sending unit, configured to stop running after sending an application operation request about the second TA to a general-purpose execution environment (REE);
a second TA receiving unit, configured to run the second TA after receiving the application operation request about the second TA forwarded by the REE;
a second TA running unit, configured to obtain the first application interaction data and generate, according to the obtained first application interaction data, result data about the second TA.
7. The device of claim 6, characterized in that the second TA running unit is further configured to generate second application interaction data about the first TA in the TEE;
a second TA sending unit is configured to stop running after sending an application operation request about the first TA to the REE;
a first TA receiving unit is configured to run the first TA after receiving the application operation request about the first TA forwarded by the REE;
the first TA running unit is further configured to obtain the second application interaction data and the result data about the second TA, and to generate a processing result for the data processing request according to the obtained second application interaction data and the result data about the second TA.
8. The device of claim 7, characterized in that it further comprises:
a TEE communication unit, configured to receive the data processing request, carrying the identifier of the first TA, sent by a common application (CA) in the REE;
the first TA sending unit being further configured to send the processing result of the data processing request to the CA of the REE.
9. The device of claim 6, characterized in that it further comprises:
the first TA running unit being further configured to store the first application interaction data in a set storage region in the TEE, and to set the access authority of the set storage region to the first TA and the second TA.
10. The device of claim 6, characterized in that the second TA receiving unit is specifically configured to:
run the second TA after receiving, through the application programming interface (API) for intercommunication between the TEE and the REE, the application operation request about the second TA forwarded by the REE.
CN201510967898.4A 2015-12-21 2015-12-21 A kind of method and device of security application TA interaction Active CN105930731B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510967898.4A CN105930731B (en) 2015-12-21 2015-12-21 A kind of method and device of security application TA interaction


Publications (2)

Publication Number Publication Date
CN105930731A CN105930731A (en) 2016-09-07
CN105930731B true CN105930731B (en) 2018-12-28

Family

ID=56840006

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510967898.4A Active CN105930731B (en) 2015-12-21 2015-12-21 A kind of method and device of security application TA interaction

Country Status (1)

Country Link
CN (1) CN105930731B (en)


Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104301289A (en) * 2013-07-17 2015-01-21 中国银联股份有限公司 Apparatus for security information interaction
CN204360381U (en) * 2014-12-31 2015-05-27 北京握奇智能科技有限公司 mobile device
CN104765612A (en) * 2015-04-10 2015-07-08 武汉天喻信息产业股份有限公司 System and method for having access to credible execution environment and credible application
CN105101169A (en) * 2014-05-13 2015-11-25 中国移动通信集团公司 Method and apparatus of information processing by trusted execution environment, terminal and SIM card



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant