CN107483213B - Security authentication method, related device and system - Google Patents


Info

Publication number: CN107483213B
Application number: CN201710731168.3A
Authority: CN (China)
Prior art keywords: trusted, identification card, authentication, tee, terminal equipment
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN107483213A (en)
Inventors: 侯高鹏, 张强
Current assignee: Beijing Huada Zhibao Electronic System Co Ltd
Original assignee: Beijing Huada Zhibao Electronic System Co Ltd
Events: application filed by Beijing Huada Zhibao Electronic System Co Ltd; priority to CN201710731168.3A; publication of CN107483213A; application granted; publication of CN107483213B; legal status active; anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234 H04L9/32 involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H04L9/3226 H04L9/32 using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3231 H04L9/3226 using biological data, e.g. fingerprint, voice or retina

Abstract

The invention discloses a security authentication method applied to a security authentication system, where the system comprises a terminal device and a SIM card, and a TEE (trusted execution environment) is built into the SIM card. The method comprises: receiving a security authentication request initiated by the terminal device; when the security authentication request passes, receiving data to be authenticated sent by the terminal device through a trusted application program, where the trusted application program runs in the TEE built into the SIM card; calling a trusted driver in the terminal device and using the trusted driver to control the external devices (peripherals) of the terminal device, where the trusted driver and the TEE have a unique calling relationship; and performing an authentication operation on the data to be authenticated using the external devices of the terminal device to obtain an authentication result, and sending the authentication result to the terminal device. The invention also provides the terminal device and a security authentication system. It allows a terminal device to realize security authentication under a TEE using only a SIM card, which is replaced less frequently than the terminal, thereby improving the practicability and security of the scheme.

Description

Security authentication method, related device and system
Technical Field
The embodiment of the invention relates to the field of information security, in particular to a security authentication method, a related device and a system.
Background
With the development of mobile communication technology, terminal devices have become indispensable devices. The terminal device is no longer a simple voice communication tool, but has the processing capability and network function of a computer, and has been widely applied to social contact, transportation, finance, shopping and other aspects.
At present, some solutions are proposed to eliminate the security risk of the current terminal device, for example, a security application is added inside the terminal device, and the security application can scan whether the environment of the user inputting information is secure, so as to provide a safer experience for the user.
However, only a few terminal devices have security applications installed, and users replace their terminal devices more and more often, so for users who have high security requirements and frequently replace terminal devices, having to download the security application onto every new terminal device is a serious limitation.
Disclosure of Invention
The embodiment of the invention provides a security authentication method, a related device and a system, in which a user adopts a user identity identification card, which is replaced less frequently than the terminal device, so that the terminal device can realize security authentication under a TEE, improving the practicability and security of the scheme.
In view of this, a first aspect of the present invention provides a method for security authentication, where the method is applied to a security authentication system, and the security authentication system includes a terminal device and a user identity card, where the user identity card has a built-in trusted execution environment TEE, and the method includes:
receiving a security authentication request initiated by the terminal equipment, wherein the security authentication request is sent to the terminal equipment by a server;
when the security authentication request passes, receiving data to be authenticated sent by the terminal equipment through a trusted application program, wherein the trusted application program runs in the TEE built in the user identity identification card;
calling a trusted driver in the terminal equipment, and controlling external equipment of the terminal equipment by using the trusted driver, wherein the trusted driver is positioned at the bottom layer of an operating system of the terminal equipment, and the trusted driver and the TEE have a unique calling relationship;
and carrying out authentication operation on the data to be authenticated by utilizing external equipment of the terminal equipment to obtain an authentication result, and sending the authentication result to the terminal equipment.
With reference to the first aspect of the embodiment of the present invention, in a first possible implementation manner, before the invoking a trusted driver in the terminal device and controlling an external device of the terminal device by using the trusted driver, the method further includes:
authenticating with the trusted driver through the trusted application;
and if the authentication is passed, determining that the trusted driver and the TEE have a unique calling relationship.
With reference to the first aspect of the embodiment of the present invention, in a second possible implementation manner, after the invoking a trusted driver in the terminal device and controlling an external device of the terminal device by using the trusted driver, the method further includes:
and controlling an external device of the terminal device to display a first target interface under the TEE, wherein the first target interface is used for receiving verification information input by a user, and the verification information comprises a Personal Identification Number (PIN) and/or user fingerprint information.
With reference to the second implementation manner of the first aspect of the embodiment of the present invention, in a third possible implementation manner, after the controlling the external device of the terminal device to display the first target interface under the TEE, the method further includes:
receiving the verification information sent by the trusted driver;
and if the verification information meets the preset condition, controlling external equipment of the terminal equipment to display a second target interface under the TEE, wherein the second target interface is used for displaying the information to be confirmed of the user and receiving the authentication confirmation information input by the user.
With reference to the third implementation manner of the first aspect of the embodiment of the present invention, in a fourth possible implementation manner, the performing, by using an external device of the terminal device, an authentication operation on the data to be authenticated includes:
receiving the authentication confirmation information sent by the trusted driver;
and carrying out authentication operation on the data to be authenticated according to the authentication confirmation information.
With reference to the first aspect of the embodiment of the present invention, in a fifth possible implementation manner, the sending the authentication result to the terminal device includes:
and sending the authentication result to the terminal equipment by adopting a preset communication mode so that the terminal equipment sends the authentication result to the server, wherein the preset communication mode comprises at least one of Bluetooth, Near Field Communication (NFC) technology, wireless fidelity (WiFi) and Radio Frequency (RF) technology.
With reference to the first aspect of the embodiment of the present invention, and any one of the first to fifth implementation manners of the first aspect, in a sixth possible implementation manner, after the sending the authentication result to the terminal device, the method further includes:
sending a peripheral control releasing instruction to the trusted driver through the trusted application program, so that the trusted driver stops controlling the external equipment of the terminal equipment according to the peripheral control releasing instruction;
or, alternatively,
and when receiving the authentication confirmation information sent by the trusted driver, determining that the trusted driver automatically stops controlling the external equipment of the terminal equipment.
The second aspect of the present invention provides a security authentication method, which is applied to a security authentication system, where the security authentication system includes a terminal device and a user identity card, where the user identity card has a built-in trusted execution environment TEE, and the method includes:
sending a security authentication request to the user identity identification card, wherein the security authentication request is sent to the terminal equipment by a server;
when the security authentication request passes, sending data to be authenticated to a trusted application program in the user identity identification card, wherein the trusted application program runs in the TEE built in the user identity identification card;
controlling external equipment of the terminal equipment through a trusted driver, wherein the trusted driver is called by the user identity identification card, the trusted driver is positioned at the bottom layer of an operating system of the terminal equipment, and the trusted driver and the TEE have a unique calling relationship;
and receiving an authentication result sent by the user identity identification card, wherein the authentication result is obtained after the user identity identification card performs authentication operation on the data to be authenticated.
With reference to the second aspect of the embodiment of the present invention, in a first possible implementation manner, before controlling the external device of the terminal device through the trusted driver, the method further includes:
authenticating with the trusted application through the trusted driver;
and if the authentication is passed, determining that the trusted driver and the TEE have a unique calling relationship.
With reference to the second aspect of the embodiment of the present invention, in a second possible implementation manner, after the external device of the terminal device is controlled by the trusted driver, the method further includes:
displaying a first target interface under the TEE, wherein the first target interface is used for receiving verification information input by a user, and the verification information comprises a personal identification number (PIN) and/or user fingerprint information.
With reference to the second implementation manner of the second aspect of the embodiment of the present invention, in a third possible implementation manner, after the first target interface is displayed under a TEE, the method further includes:
sending the verification information to the user identity identification card through the trusted driver;
and if the verification information meets the preset condition, displaying a second target interface under the TEE, wherein the second target interface is used for displaying the information to be confirmed of the user and receiving the authentication confirmation information input by the user.
With reference to the third implementation manner of the second aspect of the embodiment of the present invention, in a fourth possible implementation manner, after the displaying a second target interface under the TEE, the method further includes:
and sending authentication confirmation information to the user identity identification card through the trusted driver so that the user identity identification card carries out authentication operation on the data to be authenticated according to the authentication confirmation information.
With reference to the second aspect of the embodiment of the present invention, in a fifth possible implementation manner, the receiving an authentication result sent by the user identity card includes:
and receiving the authentication result sent by the user identity identification card by adopting a preset communication mode so that the terminal equipment sends the authentication result to the server, wherein the preset communication mode comprises at least one of Bluetooth, Near Field Communication (NFC) technology, wireless fidelity (WiFi) and Radio Frequency (RF) technology.
With reference to the second aspect of the embodiment of the present invention, and any one of the first to fifth implementation manners of the second aspect, in a sixth possible implementation manner, after receiving the authentication result sent by the user identity card, the method further includes:
receiving, by the trusted driver, a release control peripheral instruction sent by the trusted application program, where the release control peripheral instruction is used to instruct the trusted driver to stop controlling an external device of the terminal device;
or, alternatively,
and when the authentication confirmation information is sent through the trusted driver, automatically stopping controlling the external equipment of the terminal equipment.
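The two sides of the flow claimed in the first and second aspects above, written out as an added Python simulation that is not part of the patent and not code of the assignee: the server issues a request that the terminal relays to the SIM card; the trusted application (TA) in the SIM-card TEE checks it; the TA and the trusted driver run a mutual challenge-response to establish the unique calling relationship; the driver hands the peripherals to the TA for the first target interface (PIN) and the second target interface (confirmation); the TA produces an authentication result for the server; and the driver releases the peripherals. The HMAC-based check of the request, the pairing key, the MAC-based authentication result and the simulated user input are all assumptions, since the patent does not specify how the request "passes", how the driver and TEE authenticate, or what the authentication operation computes.

```python
import hashlib
import hmac
import secrets

# Constructed example keys: one the server shares with the SIM-card TEE, a
# pairing key known only to the trusted driver and the TEE (the patent's
# "unique calling relationship"), and the hash of the enrolled PIN.
SERVER_KEY = b"constructed-server-to-tee-key"
PAIRING_KEY = b"constructed-driver-to-tee-pairing-key"
PIN_HASH = hashlib.sha256(b"1234").hexdigest()


def mac(key, *parts):
    """HMAC-SHA256 over length-prefixed parts (assumed primitive), as hex."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.hexdigest()


def make_server_request(data, nonce=None):
    """Server side: the security authentication request the terminal relays."""
    nonce = nonce or secrets.token_bytes(16)
    return {"nonce": nonce, "data": data, "mac": mac(SERVER_KEY, nonce, data)}


def server_verify(req, result):
    """Server side: check the authentication result relayed by the terminal."""
    expected = mac(SERVER_KEY, b"result", req["nonce"], req["data"])
    return result.get("status") == "ok" and hmac.compare_digest(result["proof"], expected)


class TrustedDriver:
    """Bottom-layer OS driver on the terminal. It owns the display and the
    keypad/fingerprint peripherals and hands them only to a TEE that proves
    knowledge of the pairing key. User input is simulated (constructed)."""

    def __init__(self, user_pin, user_confirms, pairing_key=PAIRING_KEY):
        self.locked_by = None            # TA currently controlling the peripherals
        self.screens = []                # secure interfaces shown, in order
        self._key = pairing_key
        self._pin, self._confirms = user_pin, user_confirms
        self._challenge = None

    def respond(self, ta_challenge):
        """Mutual auth, step 1: prove driver identity and issue own challenge."""
        self._challenge = secrets.token_bytes(16)
        return self._challenge, mac(self._key, b"driver", ta_challenge, self._challenge)

    def accept(self, ta_id, ta_challenge, ta_proof):
        """Mutual auth, step 2: verify the TEE's proof, then give it the peripherals."""
        expected = mac(self._key, b"ta", self._challenge, ta_challenge)
        if not hmac.compare_digest(ta_proof, expected):
            return False
        self.locked_by = ta_id
        return True

    def show(self, ta_id, interface):
        """Render a target interface under TEE control; return the user's input."""
        if self.locked_by != ta_id:
            raise PermissionError("peripherals are not under this TEE's control")
        self.screens.append(interface)
        return self._pin if interface == "pin" else ("yes" if self._confirms else "no")

    def release(self):
        """Peripheral control release: the REE gets display and sensors back."""
        self.locked_by = None


class TrustedApp:
    """Trusted application running in the SIM card's TEE."""
    TA_ID = "sim-tee-ta"

    def request_passes(self, req):
        return hmac.compare_digest(req["mac"], mac(SERVER_KEY, req["nonce"], req["data"]))

    def bind_driver(self, drv):
        """Mutual challenge-response; succeeds only with the paired driver."""
        c_ta = secrets.token_bytes(16)
        c_drv, proof = drv.respond(c_ta)
        if not hmac.compare_digest(proof, mac(PAIRING_KEY, b"driver", c_ta, c_drv)):
            return False
        return drv.accept(self.TA_ID, c_ta, mac(PAIRING_KEY, b"ta", c_drv, c_ta))

    def authenticate(self, req, drv):
        """Check request, take peripherals, PIN, confirmation, result, release."""
        if not self.request_passes(req):
            return {"status": "rejected", "reason": "bad request"}
        if not self.bind_driver(drv):
            return {"status": "rejected", "reason": "driver not trusted"}
        try:
            pin = drv.show(self.TA_ID, "pin")                    # first target interface
            if not hmac.compare_digest(hashlib.sha256(pin.encode()).hexdigest(), PIN_HASH):
                return {"status": "rejected", "reason": "pin"}
            if drv.show(self.TA_ID, "confirm") != "yes":         # second target interface
                return {"status": "rejected", "reason": "user declined"}
            proof = mac(SERVER_KEY, b"result", req["nonce"], req["data"])
            return {"status": "ok", "nonce": req["nonce"], "proof": proof}
        finally:
            drv.release()                                        # always hand peripherals back
```

The terminal's role in this model is the relay: it passes the server's request into `TrustedApp.authenticate` together with its own `TrustedDriver`, and passes the returned result on to the server, which checks it with `server_verify`. Two details carry the security point of the patent. The `finally` clause implements the sixth implementation manner's peripheral-control release: whichever way the flow ends, the rich execution environment gets its display and sensors back. And the pairing is mutual: a driver that cannot prove the pairing key (for example a `TrustedDriver` constructed with a different `pairing_key`) never receives the PIN interface, so the TA never routes PIN or confirmation data through it.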
A third aspect of the present invention provides a user identification card, where the user identification card is applied to a security authentication system, the security authentication system further includes a terminal device, where the user identification card has a built-in trusted execution environment TEE, and the user identification card includes:
a receiving module, configured to receive a security authentication request initiated by the terminal device, where the security authentication request is sent to the terminal device by a server;
the receiving module is further configured to receive, by using a trusted application program when the security authentication request passes, data to be authenticated sent by the terminal device, where the trusted application program runs in the TEE built in the user identity card;
the control module is used for calling a trusted driver in the terminal equipment and controlling external equipment of the terminal equipment by using the trusted driver, wherein the trusted driver is positioned at the bottom layer of an operating system of the terminal equipment, and the trusted driver and the TEE have a unique calling relationship;
and the authentication module is used for performing authentication operation on the data to be authenticated received by the receiving module by utilizing the external equipment of the terminal equipment controlled by the control module so as to obtain an authentication result and sending the authentication result to the terminal equipment.
A fourth aspect of the present invention provides a terminal device, where the terminal device is applied to a security authentication system, the security authentication system further includes a user identity card, where the user identity card is embedded with a trusted execution environment TEE, and the terminal device includes:
the sending module is used for sending a security authentication request to the user identity identification card, wherein the security authentication request is sent to the terminal equipment by a server;
the sending module is further configured to send data to be authenticated to a trusted application program in the user identity card when the security authentication request passes, where the trusted application program runs in the TEE built in the user identity card;
the control module is used for controlling external equipment of the terminal equipment through a trusted driver, wherein the trusted driver is called by the user identity identification card, the trusted driver is positioned at the bottom layer of an operating system of the terminal equipment, and the trusted driver and the TEE have a unique calling relationship;
and the receiving module is used for receiving an authentication result sent by the user identity identification card, wherein the authentication result is obtained after the user identity identification card authenticates the data to be authenticated sent by the sending module.
The fifth aspect of the present invention provides a user identification card, which is applied to a security authentication system, wherein the security authentication system further comprises a terminal device, wherein the user identification card is internally provided with a trusted execution environment TEE, and comprises a memory, a transceiver, a processor and a bus system;
wherein the memory is used for storing programs;
the processor is used for executing the program in the memory, and specifically comprises the following steps:
receiving a security authentication request initiated by the terminal equipment, wherein the security authentication request is sent to the terminal equipment by a server;
when the security authentication request passes, receiving data to be authenticated sent by the terminal equipment through a trusted application program, wherein the trusted application program runs in the TEE built in the user identity identification card;
calling a trusted driver in the terminal equipment, and controlling external equipment of the terminal equipment by using the trusted driver, wherein the trusted driver is positioned at the bottom layer of an operating system of the terminal equipment, and the trusted driver and the TEE have a unique calling relationship;
utilizing external equipment of the terminal equipment to carry out authentication operation on the data to be authenticated so as to obtain an authentication result, and sending the authentication result to the terminal equipment;
the bus system is used for connecting the memory, the transceiver and the processor so as to enable the memory, the transceiver and the processor to communicate.
Optionally, the processor is further configured to perform the following steps:
authenticating with the trusted driver through the trusted application;
and if the authentication is passed, determining that the trusted driver and the TEE have a unique calling relationship.
Optionally, the processor is further configured to perform the following steps:
and controlling an external device of the terminal device to display a first target interface under the TEE, wherein the first target interface is used for receiving verification information input by a user, and the verification information comprises a Personal Identification Number (PIN) and/or user fingerprint information.
Optionally, the processor is further configured to perform the following steps:
receiving the verification information sent by the trusted driver;
and if the verification information meets the preset condition, controlling external equipment of the terminal equipment to display a second target interface under the TEE, wherein the second target interface is used for displaying the information to be confirmed of the user and receiving the authentication confirmation information input by the user.
Optionally, the processor is specifically configured to perform the following steps:
receiving the authentication confirmation information sent by the trusted driver;
and carrying out authentication operation on the data to be authenticated according to the authentication confirmation information.
Optionally, the processor is specifically configured to perform the following steps:
and sending the authentication result to the terminal equipment by adopting a preset communication mode so that the terminal equipment sends the authentication result to the server, wherein the preset communication mode comprises at least one of Bluetooth, Near Field Communication (NFC) technology, wireless fidelity (WiFi) and Radio Frequency (RF) technology.
Optionally, the processor is further configured to perform the following steps:
sending a peripheral control releasing instruction to the trusted driver through the trusted application program, so that the trusted driver stops controlling the external equipment of the terminal equipment according to the peripheral control releasing instruction;
or, alternatively,
and when receiving the authentication confirmation information sent by the trusted driver, determining that the trusted driver automatically stops controlling the external equipment of the terminal equipment.
A sixth aspect of the present invention provides a terminal device, where the terminal device is applied to a security authentication system, and the security authentication system further includes a user identity identification card, where the user identity identification card is internally provided with a trusted execution environment TEE, and the terminal device includes a memory, a transceiver, a processor, and a bus system;
wherein the memory is used for storing programs;
the processor is used for executing the program in the memory, and specifically comprises the following steps:
sending a security authentication request to the user identity identification card, wherein the security authentication request is sent to the terminal equipment by a server;
when the security authentication request passes, sending data to be authenticated to a trusted application program in the user identity identification card, wherein the trusted application program runs in the TEE built in the user identity identification card;
controlling external equipment of the terminal equipment through a trusted driver, wherein the trusted driver is called by the user identity identification card, the trusted driver is positioned at the bottom layer of an operating system of the terminal equipment, and the trusted driver and the TEE have a unique calling relationship;
receiving an authentication result sent by the user identity identification card, wherein the authentication result is obtained after the user identity identification card performs authentication operation on the data to be authenticated;
the bus system is used for connecting the memory, the transceiver and the processor so as to enable the memory, the transceiver and the processor to communicate.
Optionally, the processor is further configured to perform the following steps:
authenticating with the trusted application through the trusted driver;
and if the authentication is passed, determining that the trusted driver and the TEE have a unique calling relationship.
Optionally, the processor is further configured to perform the following steps:
displaying a first target interface under the TEE, wherein the first target interface is used for receiving verification information input by a user, and the verification information comprises a personal identification number (PIN) and/or user fingerprint information.
Optionally, the processor is further configured to perform the following steps:
sending the verification information to the user identity identification card through the trusted driver;
and if the verification information meets the preset condition, displaying a second target interface under the TEE, wherein the second target interface is used for displaying the information to be confirmed of the user and receiving the authentication confirmation information input by the user.
Optionally, the processor is further configured to perform the following steps:
and sending authentication confirmation information to the user identity identification card through the trusted driver so that the user identity identification card carries out authentication operation on the data to be authenticated according to the authentication confirmation information.
Optionally, the processor is specifically configured to perform the following steps:
and receiving the authentication result sent by the user identity identification card by adopting a preset communication mode so that the terminal equipment sends the authentication result to the server, wherein the preset communication mode comprises at least one of Bluetooth, Near Field Communication (NFC) technology, wireless fidelity (WiFi) and Radio Frequency (RF) technology.
Optionally, the processor is further configured to perform the following steps:
receiving, by the trusted driver, a release control peripheral instruction sent by the trusted application program, where the release control peripheral instruction is used to instruct the trusted driver to stop controlling an external device of the terminal device;
or, alternatively,
and when the authentication confirmation information is sent through the trusted driver, automatically stopping controlling the external equipment of the terminal equipment.
A seventh aspect of the present invention provides a computer-readable storage medium having stored therein instructions, which, when run on a computer, cause the computer to perform the method of the above-mentioned aspects.
The eighth aspect of the present invention further provides a computer-readable storage medium having stored therein instructions, which, when run on a computer, cause the computer to perform the method of the above-mentioned aspects.
A ninth aspect of the present invention provides a security authentication system, where the security authentication system includes a terminal device and a user identity card, where the user identity card has a built-in trusted execution environment TEE, and the system includes:
the terminal equipment receives a security authentication request sent by a server;
the terminal equipment sends a security authentication request to the user identity identification card;
when the security authentication request passes, the user identity identification card receives data to be authenticated, which is sent by the terminal equipment, through a trusted application program, wherein the trusted application program runs in the TEE built in the user identity identification card;
the user identity identification card calls a trusted driver in the terminal equipment and controls external equipment of the terminal equipment by using the trusted driver, wherein the trusted driver is positioned at the bottom layer of an operating system of the terminal equipment, and the trusted driver and the TEE have a unique calling relationship;
and the user identity identification card carries out authentication operation on the data to be authenticated by using external equipment of the terminal equipment so as to obtain an authentication result, and sends the authentication result to the terminal equipment.
According to the technical scheme, the embodiment of the invention has the following advantages:
the embodiment of the invention provides a security authentication method, which is applied to a security authentication system, wherein the security authentication system comprises a terminal device and a user identity identification card, a trusted execution environment TEE is arranged in the user identity identification card, the user identity identification card receives a security authentication request initiated by the terminal device, the security authentication request is sent to the terminal device by a server, when the security authentication request passes, the user identity identification card can receive data to be authenticated sent by the terminal device through a trusted application program, the trusted application program runs in the TEE arranged in the user identity identification card, the user identity identification card calls a trusted driver in the terminal device and controls an external device of the terminal device by utilizing the trusted driver, the trusted driver is positioned at the bottom layer of an operating system of the terminal device, and the trusted driver and the TEE have a unique calling relationship, and finally, the user identity identification card carries out authentication operation on the data to be authenticated by using external equipment of the terminal equipment so as to obtain an authentication result, and the authentication result is sent to the terminal equipment. 
In this way, the TEE with the higher security level is placed in the user identity card, and the user identity card makes the terminal device switch from the rich execution environment operating system into the TEE operating system, so that the terminal device can complete the authentication flow under the TEE operating system. The user therefore only needs to adopt a user identity card, which is replaced far less often than the terminal, to obtain security authentication under a TEE on the terminal device, which improves the practicality and security of the scheme.
Drawings
Fig. 1 is a schematic diagram of an internal structure of a security authentication system according to an embodiment of the present invention;
FIG. 2 is a diagram of an embodiment of a method for secure authentication according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of an internal structure of a SIM card according to an embodiment of the present invention;
fig. 4 is a schematic diagram of an internal structure of a terminal device according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of an embodiment of a SIM card according to the present invention;
FIG. 6 is a schematic diagram of another embodiment of a SIM card according to the present invention;
FIG. 7 is a schematic diagram of another embodiment of a SIM card according to the present invention;
FIG. 8 is a diagram of an embodiment of a terminal device in an embodiment of the present invention;
fig. 9 is a schematic diagram of another embodiment of the terminal device in the embodiment of the present invention;
fig. 10 is a schematic diagram of another embodiment of the terminal device in the embodiment of the present invention;
fig. 11 is a schematic diagram of another embodiment of the terminal device in the embodiment of the present invention;
FIG. 12 is a schematic structural diagram of a SIM card according to an embodiment of the present invention;
fig. 13 is a schematic structural diagram of a terminal device in an embodiment of the present invention;
fig. 14 is a schematic diagram of an embodiment of a security authentication system according to an embodiment of the present invention.
Detailed Description
The embodiment of the invention provides a security authentication method, a related device and a system, in which a user can adopt a user identity card, which is replaced less frequently than the terminal, so that the terminal device can realize security authentication under a TEE; this improves the practicability and security of the scheme.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims, as well as in the drawings, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are, for example, capable of operation in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be understood that the present invention is applied to a security authentication system, please refer to fig. 1, where fig. 1 is a schematic diagram of an internal structure of a security authentication system according to an embodiment of the present invention, and as shown in the figure, the system may include a Subscriber Identity Module (SIM) card, a terminal device, and a server.
The user identity card mainly has four functions. The first is to store user-related data, which can be divided into four types. The first type is data stored permanently; such data is written by the SIM card personalization centre before the card is sold and includes the International Mobile Subscriber Identity (IMSI) and the subscriber authentication key (Ki). The second type is network-related data that is stored temporarily, such as the Location Area Identity (LAI), the Temporary Mobile Subscriber Identity (TMSI) and forbidden public land mobile network (PLMN) codes. The third type is service-related codes, such as the Personal Identification Number (PIN), the PIN unblocking key (PUK) and the billing rate. The fourth type is the telephone directory, that is, telephone numbers entered by the user at any time.
The second function is the operation and management of the user PIN. The user identity card is protected by a PIN code, a personal password of four to eight digits. The card is enabled only when the user enters the correct PIN; only then can the terminal device access the card, and the user can go online and make calls only after the PIN check has passed.
The third function is user identity authentication, which confirms whether the user's identity is legitimate. The authentication process runs between the network and the user identity card, generally when the terminal device registers with the network and when a call is set up. When authentication begins, the network generates a 128-bit random number (RAND) and transmits it to the mobile station over the radio control channel; the user identity card computes a signed response (SRES) to the received random number from the authentication key (Ki) held in the card and the A3 algorithm, and sends the result back to the network. The network looks up the user's Ki in the authentication centre, computes SRES with the same random number and the A3 algorithm, and compares it with the received SRES; if the two agree, authentication is confirmed as passed.
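As an added illustration of the challenge-response just described, not part of the patent text, the following Go program plays one RAND/SRES exchange between an authentication centre and a card. A3 and A8 are operator secrets, so they are replaced here by HMAC-SHA256 keyed with Ki (an assumption: the real algorithms differ, but they have the same inputs and output sizes); the Ki value and IMSI are constructed sample data. The example shows why the network must draw a fresh RAND per run, that the network compares SRES in constant time, and that a card holding a different Ki is rejected.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Ki is the 128-bit subscriber authentication key that the card and the
// operator's authentication centre (AuC) share; it never leaves either side.
type Ki [16]byte

// a3 stands in for the operator-specific A3 algorithm (assumption: the real
// A3 is an operator secret, so an HMAC keyed with Ki is used here). It maps
// (Ki, 128-bit RAND) to the 32-bit SRES, which is all the protocol relies on.
func a3(ki Ki, rand128 [16]byte) [4]byte {
	mac := hmac.New(sha256.New, ki[:])
	mac.Write([]byte("A3"))
	mac.Write(rand128[:])
	var sres [4]byte
	copy(sres[:], mac.Sum(nil))
	return sres
}

// a8 is the matching stand-in for A8: same inputs, 64-bit ciphering key Kc.
func a8(ki Ki, rand128 [16]byte) [8]byte {
	mac := hmac.New(sha256.New, ki[:])
	mac.Write([]byte("A8"))
	mac.Write(rand128[:])
	var kc [8]byte
	copy(kc[:], mac.Sum(nil))
	return kc
}

// SIM is the card side: it holds Ki and only ever exports SRES and Kc.
type SIM struct{ ki Ki }

// Respond is what the card computes when the terminal relays RAND to it.
func (s SIM) Respond(rand128 [16]byte) (sres [4]byte, kc [8]byte) {
	return a3(s.ki, rand128), a8(s.ki, rand128)
}

// AuC is the network side: the Ki on file for each IMSI.
type AuC struct{ keys map[string]Ki }

// Challenge draws a fresh 128-bit RAND for every run; a reused RAND would
// let an eavesdropper replay a recorded SRES.
func (AuC) Challenge() ([16]byte, error) {
	var r [16]byte
	_, err := rand.Read(r[:])
	return r, err
}

// Verify recomputes SRES from the stored Ki and compares in constant time.
func (a AuC) Verify(imsi string, rand128 [16]byte, sres [4]byte) bool {
	ki, ok := a.keys[imsi]
	if !ok {
		return false
	}
	expected := a3(ki, rand128)
	return hmac.Equal(expected[:], sres[:])
}

// RunAuthentication plays one complete exchange: RAND out, SRES back,
// compare at the AuC. It returns whether the network accepted the card.
func RunAuthentication(auc AuC, imsi string, sim SIM) (bool, error) {
	rnd, err := auc.Challenge()
	if err != nil {
		return false, err
	}
	sres, _ := sim.Respond(rnd) // Kc stays on the card for the ciphering layer
	return auc.Verify(imsi, rnd, sres), nil
}

func main() {
	ki := Ki{0x4a, 0x9d, 0x11, 0x07} // constructed sample key, remaining bytes zero
	const imsi = "460001234567890"   // constructed sample IMSI
	auc := AuC{keys: map[string]Ki{imsi: ki}}

	ok, _ := RunAuthentication(auc, imsi, SIM{ki: ki})
	fmt.Println("genuine card accepted:", ok)

	cloned := ki
	cloned[15] ^= 0x01 // a card whose Ki differs in one bit fails
	ok, _ = RunAuthentication(auc, imsi, SIM{ki: cloned})
	fmt.Println("card with wrong Ki accepted:", ok)
}
```

Only SRES crosses the air interface; Ki and Kc never do, which is the property the rest of the page builds on when it lists Ki and Kc among the card's most sensitive data.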
The fourth function covers the security algorithms and keys in the user identity card. The most sensitive items in the card are the A3 and A8 algorithms, Ki, the PIN, the PUK and Kc. A3 and A8 are written into the card at production and cannot be read out afterwards. The PIN code can be set by the user on the mobile phone, the PUK code is held by the operator, and Kc is the cipher key that A8 derives from Ki and the random number for encrypting traffic.
The user identity card has a chip with a microprocessor. Five modules are arranged in the chip, each corresponding to one function: an 8-bit microprocessor (CPU), a program read-only memory (ROM, 3 to 8 kbit), a random access memory (RAM, 6 to 16 kbit), an electrically erasable programmable memory (EEPROM, 12 to 256 kbit), and a serial communication unit.
Building on the hardware modules above, a Secure Element (SE) is also deployed in the user identity card; the SE generally consists of a chip with high performance and a high security level. The SE contains a Trusted Execution Environment (TEE), a Public Key Infrastructure (PKI) factor and a Bluetooth module. An application (APP) running in the TEE is called a Trusted Application (TA), and the PKI factor includes a key pair and a certificate. The TEE is an independent operating system that runs in the SE to provide a secure runtime environment for applications with higher security requirements. The TA runs in the TEE's secure environment and supports operations with a higher security level, such as biometric comparison and signing. The PKI factor is the personal authentication factor in authentication operations, namely the certificate and the public-private key pair.
The terminal device may be regarded as a User Equipment (UE), and the terminal device may be a mobile phone, a tablet computer, a notebook computer, and the like, which is not limited herein.
The terminal device includes an input device and an output device, which may be collectively referred to as external devices, wherein the input device includes but is not limited to a keyboard, a mouse, a pen input device, a scanner, a digital camera, a digital video camera, etc., and the output device includes but is not limited to a display, a printer, an optical disk recorder, etc.
Building on the hardware modules above, a Rich Execution Environment (REE), a Trusted Driver (TD) and a Bluetooth module are also deployed in the terminal device. The REE is the ordinary operating system of the terminal device, in which the terminal runs most of the time. The REE includes the APP and a TEE Application Programming Interface (API); the TEE API provides the only channel for communicating with the TEE and is called by the APP to interact with the TEE. The TD runs at the bottom layer of the operating system, provides an interface for controlling the external devices of the terminal through a Bluetooth channel, has an authentication relationship with the TEE, and can only be called by the TEE.
Referring to fig. 2, a method for security authentication according to an embodiment of the present invention is described as follows:
101. a terminal device in the security authentication system sends a security authentication request to a user identity identification card, wherein the security authentication request is sent to the terminal device by a server, and a Trusted Execution Environment (TEE) is built in the user identity identification card;
In this embodiment, the security authentication system includes a terminal device and a user identity card. First, when the user inserts the user identity card into the terminal device and powers it on, the TEE running on the terminal's main control chip starts, and the TEE running on the SE chip of the user identity card also starts. The user can then log in to an APP on the terminal device to perform an operation that requires the server to authenticate the user's identity; that is, the server sends a security authentication request to the terminal device.
102. When the security authentication request passes, the user identity card receives, through a trusted application, data to be authenticated sent by the terminal device, where the trusted application runs in the TEE (trusted execution environment) built into the user identity card;
in this embodiment, for convenience of introduction, please refer to fig. 3 and fig. 4, where fig. 3 is a schematic internal structure diagram of a user identification card in an embodiment of the present invention, and fig. 4 is a schematic internal structure diagram of a terminal device in an embodiment of the present invention, and the internal structure of the user identification card and the internal structure of the terminal device shown in the drawings are only schematic and should not be construed as limiting the present invention.
When the security authentication request between the server and the terminal equipment passes, the terminal equipment communicates with the TEE in the user identity identification card through the TEE API, and sends the data to be authenticated to the user identity identification card.
It is understood that the data to be authenticated may be account number, account name, amount of money, etc. transferred, and is not limited herein.
103. The user identity identification card calls a trusted driver in the terminal equipment and controls external equipment of the terminal equipment by using the trusted driver, wherein the trusted driver is positioned at the bottom layer of an operating system of the terminal equipment, and the trusted driver and the TEE have a unique calling relationship;
In this embodiment, after receiving the data to be authenticated, the TEE in the user identity card calls the TD in the terminal device through the TA. Because the TD and the TEE have a unique calling relationship, the TD can only be called by the TEE, so once the TD in the terminal device has been called, the terminal's operation is no longer taking place in the REE but in the TEE. When the user identity card calls the TD, it can control the external devices of the terminal device through the TD, and the terminal displays the relevant operation interface popped up under the TEE. The verification information and the authentication confirmation result entered by the user are returned to the user identity card through the TD, and the authentication operation is carried out according to them.
It can be understood that, when the user identity card is inserted into the terminal device, the terminal's operating system detects the insertion and pops up a dialog box requesting an upgrade of the operating system; that is, the TD is provided to the terminal manufacturer in software form to implement its installation, and the TD is installed at the bottom layer of the terminal's operating system.
104. The user identity identification card carries out authentication operation on data to be authenticated by utilizing external equipment of the terminal equipment so as to obtain an authentication result;
in this embodiment, the TEE in the user identification card receives the relevant data input by the user through the external device of the terminal device, and authenticates the data to be authenticated by using the relevant data, specifically including security operations such as signature and digest.
Specifically, the related data is first passed to the TA, which packages a series of execution instructions; the PKI factor in the SE is accessed through these instructions, and the authentication operation is then performed by comparing the related data against the PKI factor. If the comparison is consistent, the authentication result is "1", that is, authentication passed; otherwise the authentication result is "0", that is, authentication not passed.
105. And the user identity identification card sends an authentication result to the terminal equipment.
In this embodiment, after obtaining the authentication result, the user identification card may send the authentication result to the terminal device. And the terminal equipment receives the authentication result, then restores the operating system from the TEE to the REE, and meanwhile, the terminal equipment also needs to return the authentication result to the server so that the server can perform corresponding authentication.
The embodiment of the invention provides a security authentication method applied to a security authentication system that includes a terminal device and a user identity card with a built-in trusted execution environment (TEE). The user identity card receives a security authentication request initiated by the terminal device, the request having been sent to the terminal device by a server. When the security authentication request passes, the user identity card receives, through a trusted application running in its built-in TEE, data to be authenticated sent by the terminal device. The user identity card then calls a trusted driver in the terminal device and controls external devices of the terminal device through it; the trusted driver is located at the bottom layer of the terminal's operating system and has a unique calling relationship with the TEE. Finally, the user identity card performs an authentication operation on the data to be authenticated using the external devices of the terminal device, obtains an authentication result, and sends it to the terminal device.
In this way, the TEE with the higher security level is placed in the user identity card, and the user identity card makes the terminal device switch from the rich execution environment operating system into the TEE operating system, so that the terminal device can complete the authentication flow under the TEE operating system. The user therefore only needs to adopt a user identity card, which is replaced far less often than the terminal, to obtain security authentication under a TEE on the terminal device, which improves the practicality and security of the scheme.
Optionally, on the basis of the embodiment corresponding to fig. 3, in a first optional embodiment of the method for security authentication provided in the embodiment of the present invention, before the user identity card invokes a trusted driver in the terminal device and controls an external device of the terminal device by using the trusted driver, the method may further include:
the user identity card authenticates with the trusted driver through the trusted application program;
and if the authentication is passed, the user identity identification card and the terminal equipment both determine that the trusted driver and the TEE have the unique calling relationship.
In this embodiment, the TEE in the user id card needs to authenticate with the TD to determine the unique calling relationship between the TEE and the TD.
Specifically, the TD contains a root public key, which is provided by the manufacturer and is the unique identifier proving the manufacturer's identity; in addition, a device public-private key pair is generated inside the user identity card and is used to prove the uniqueness of that card. The user identity card therefore holds the device key pair and a value V1, which is the device public key protected under the root key so that it can be recovered with the root public key (in effect, a root signature over the device public key). The authentication process between the TD and the user identity card is as follows:
step 1, when a user identity identification card needs to call a TD to control external equipment of terminal equipment, the TA sends a call request to the TD to request to call the TD in the terminal equipment;
step 2, the TD returns an instruction requiring authentication to the user identity card; the purpose of this authentication is to verify the identity of the user identity card, so that the TD cannot be called arbitrarily;
step 3, the TA sends the V1 value stored by the SE in the user identity card to the TD;
step 4, the TD recovers the device public key from V1 using the root public key it stores, which at the same time establishes that V1 was issued under the manufacturer's root key;
step 5, in addition, the TD generates a random number RAND1 and sends the random number RAND1 to the TA in the user identity card;
step 6, the TA encrypts the random number RAND1 by using an equipment private key and returns the encrypted random number RAND1 to the TD;
step 7, the TD decrypts the response using the device public key obtained in step 4 to obtain a value RAND2, and compares RAND1 with RAND2; if they are consistent, authentication is determined to have passed, the authentication is complete, and it is established that the TD is being called by the TEE;
step 8, the TD can further generate a session key, and transmits a ciphertext to the TA after encrypting by using the equipment public key;
step 9, the TA decrypts the session key ciphertext from step 8 using the device private key and obtains the session key, so that the TA and the TD have completed session key negotiation, and the TD and the TEE can use the session key for secure interaction of data.
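Steps 1 to 9 above, as an added worked example that is not part of the patent text: the root key's protection of the device public key in V1 is modelled as an RSA PKCS#1 v1.5 signature over the DER-encoded device key (so step 4's "decrypt with the root public key" becomes a signature check that also yields the key), step 6's "encryption with the device private key" as a signature over RAND1, and step 8's session key transport as RSA-OAEP. Those modelling choices, the 2048-bit key size, the 256-bit session key and the names `Provision`, `Authenticate`, `newKey`, `TA`, `TD` are assumptions. As step 2 states, the exchange authenticates the card to the TD; none of the nine steps has the card verify the TD's identity, so the card is relying on the TD having been installed as the text describes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// V1 is what the card carries out of production: the device public key plus
// the manufacturer root's signature over it (the patent's "encrypted by the root key").
type V1 struct {
	DevicePub []byte // PKIX DER encoding of the device public key
	RootSig   []byte
}

// TA is the trusted application in the card's SE; TD is the trusted driver in the terminal.
type TA struct {
	devPriv *rsa.PrivateKey
	v1      V1
	session []byte
}
type TD struct {
	rootPub *rsa.PublicKey
	session []byte
}

func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

// newKey makes a fresh 2048-bit RSA key pair (used for the root and for device keys).
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Provision runs at manufacturing time: the root key signs the card's device public key.
func Provision(rootPriv, devPriv *rsa.PrivateKey) (V1, error) {
	der, _ := x509.MarshalPKIXPublicKey(&devPriv.PublicKey) // cannot fail for an *rsa.PublicKey
	sig, err := rsa.SignPKCS1v15(rand.Reader, rootPriv, crypto.SHA256, digest(der))
	return V1{DevicePub: der, RootSig: sig}, err
}

// Authenticate plays steps 1 to 9; on success both sides hold the same session key.
func Authenticate(ta *TA, td *TD) error {
	// Steps 1 to 4: the TA asks to call the TD, the TD demands authentication, the TA sends V1,
	// and the TD checks V1 under the root public key, recovering the device public key from it.
	if rsa.VerifyPKCS1v15(td.rootPub, crypto.SHA256, digest(ta.v1.DevicePub), ta.v1.RootSig) != nil {
		return errors.New("step 4: V1 was not issued under the manufacturer root key")
	}
	parsed, err := x509.ParsePKIXPublicKey(ta.v1.DevicePub)
	if err != nil {
		return err
	}
	devPub := parsed.(*rsa.PublicKey) // only RSA keys are ever root-signed by Provision
	// Step 5: the TD sends a fresh 128-bit challenge RAND1.
	rand1 := make([]byte, 16)
	if _, err := rand.Read(rand1); err != nil {
		return err
	}
	// Step 6: the TA "encrypts RAND1 with the device private key", i.e. signs it.
	resp, err := rsa.SignPKCS1v15(rand.Reader, ta.devPriv, crypto.SHA256, digest(rand1))
	if err != nil {
		return err
	}
	// Step 7: the TD verifies the response with the device public key from step 4.
	if rsa.VerifyPKCS1v15(devPub, crypto.SHA256, digest(rand1), resp) != nil {
		return errors.New("step 7: RAND1 response does not verify under the device key")
	}
	// Step 8: the TD generates a 256-bit session key and encrypts it to the device public key.
	sk := make([]byte, 32)
	if _, err := rand.Read(sk); err != nil {
		return err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, devPub, sk, nil)
	if err != nil {
		return err
	}
	// Step 9: the TA decrypts with the device private key; both ends now share the key.
	got, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, ta.devPriv, ct, nil)
	if err != nil {
		return err
	}
	td.session, ta.session = sk, got
	return nil
}

func main() {
	root, dev := newKey(), newKey() // manufacturer root key, card device key pair
	v1, _ := Provision(root, dev)
	ta, td := &TA{devPriv: dev, v1: v1}, &TD{rootPub: &root.PublicKey}
	fmt.Println("genuine card:", Authenticate(ta, td), "| same session key:", string(ta.session) == string(td.session))
	fmt.Println("copied V1 without device private key:", Authenticate(&TA{devPriv: newKey(), v1: v1}, td))
}
```

A card that merely copied another card's V1 gets through step 4 (V1 is genuine) but fails step 7, because it cannot produce a RAND1 response under the device private key; a V1 issued under any key other than the manufacturer's root is rejected already at step 4. The session key from step 8 is what a deployment would then feed into an authenticated cipher for the TD-TEE channel.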
In summary, in the embodiments of the present invention, before the user id card invokes the trusted driver in the terminal device and controls the external device of the terminal device by using the trusted driver, the user id card may also perform authentication through TA and TD, and if the authentication is passed, both the user id card and the terminal device determine that TD and TEE have a unique invoking relationship. Through the mode, the TD can be determined to be only called by the TEE of the user identity identification card, so that the TD can call the external equipment of the terminal equipment, and the operation of the external equipment is transmitted back to the user identity identification card through the TD, and the safety and the reliability of information input are ensured.
Optionally, on the basis of the embodiment corresponding to fig. 3, in a second optional embodiment of the method for security authentication provided in the embodiment of the present invention, after the user identity card invokes a trusted driver in the terminal device, and controls an external device of the terminal device by using the trusted driver, the method may further include:
the method comprises the steps that an external device of a user identity identification card control terminal device displays a first target interface under a TEE, wherein the first target interface is used for receiving verification information input by a user, and the verification information comprises a personal identification number PIN and/or user fingerprint information.
In this embodiment, the user identification card controls the external device of the terminal device by using the TD, that is, the TEE controls the screen of the terminal device by using the TD, and pops up a first target interface in the screen, where the first target interface may be a password box or an information entry box, for the user to perform a corresponding operation.
Specifically, before the user inputs information, the terminal device pops up a first target interface under the TEE, and the user can input a PIN code of the user identification card and/or user fingerprint information in the first target interface, wherein it can be understood that the PIN code and the fingerprint information have uniqueness.
The PIN code is the personal identification number of the user identity card. It is a safety measure that protects the card, so that the card cannot simply be used by someone else if it is stolen. The fingerprint information is the user's fingerprint image data, stored in a defined form so that it can be browsed, reviewed, or compared and analysed when necessary.
It should be noted that, in addition to inputting the PIN code and/or the user fingerprint information in the first target interface, in practical applications, a preset password, or iris information, or facial feature information, etc. may be input in the first target interface, which is not limited herein.
Secondly, in the embodiment of the present invention, after the user id card controls the external device through the TD of the terminal device, the terminal device displays the first target interface under the TEE, and the user inputs corresponding verification information on the first target interface, where the verification information includes a PIN code or user fingerprint information. Through the mode, the user can input the verification information related to the self safety information under the more safe TEE, so that the safety and the reliability of the scheme are improved.
Optionally, on the basis of the second embodiment corresponding to fig. 3, in a third optional embodiment of the method for security authentication provided in the embodiment of the present invention, after the external device of the user id card control terminal device displays the first target interface under the TEE, the method may further include:
the user identity identification card receives verification information sent by the trusted driver;
and if the verification information meets the preset condition, the user identity identification card controls the external equipment of the terminal equipment to display a second target interface under the TEE, wherein the second target interface is used for displaying the information to be confirmed of the user and receiving the authentication confirmation information input by the user.
In this embodiment, after the user enters the verification information through the external device in the TEE environment, for example the PIN code and/or the user fingerprint information, the verification information is checked first. One specific check is: if the PIN code entered by user A is 1234 and the PIN code stored in the SE of the user identity card is 1234, the two are considered to match successfully and the verification information is determined to satisfy the preset condition; at this point the user identity card controls the external device of the terminal device to display a second target interface under the TEE, which may be a confirmation dialog.
Therefore, the terminal device can complete the confirmation of the authentication information by means of external devices (such as a display screen and keys of the terminal device) under the security environment of the TEE, thereby realizing the authentication process.
In the embodiment of the present invention, after the user identification card controls the external device to display the first target interface under the TEE, the user identification card may receive the verification information sent by the TD, and if the verification information meets the preset condition, the user identification card controls the external device of the terminal device to display a second target interface under the TEE, where the second target interface is used to display the information to be confirmed by the user and receive the authentication confirmation information input by the user. By the mode, the user can further input the authentication confirmation information, namely, the complete authentication process also adds the factor of artificial confirmation, thereby enhancing the reliability and the safety of the scheme.
Optionally, on the basis of the third embodiment corresponding to fig. 3, in a fourth optional embodiment of the method for secure authentication provided in the embodiment of the present invention, the performing, by the user identification card, an authentication operation on data to be authenticated by using an external device of the terminal device may include:
the user identity identification card receives authentication confirmation information sent by the terminal equipment through the trusted driver;
and the user identity identification card carries out authentication operation on the data to be authenticated according to the authentication confirmation information.
In this embodiment, how the user id card performs the authentication operation will be described. First, the user identification card receives authentication confirmation information sent by the terminal device through the trusted driver, and in general, the authentication confirmation information may be "confirmation pass" or "confirmation fail". And then, the user identity identification card carries out authentication operation on the data to be authenticated according to the authentication confirmation information, and finally, an authentication result is obtained.
Specifically, assuming that the authentication confirmation information is "confirmation pass", the user identification card may directly perform an authentication operation on the data to be authenticated. On the contrary, if the authentication confirmation information is 'confirmation failure', the user identification card does not perform the authentication operation on the data to be authenticated any more.
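The third and fourth optional embodiments together (the PIN check as the preset condition, then an authentication operation only after "confirmation pass"), as an added example that is not the patent's own code: the PIN is compared in constant time with a bounded retry counter (three attempts is an assumption; after that the PUK held by the operator would be needed), and the authentication operation is modelled as an RSA signature with the PKI factor's private key over the data to be authenticated, which the server verifies with the public key from the certificate. The result is "1" or "0" as the text describes. The transaction values and the PIN are constructed sample data, and the type and function names are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"fmt"
)

// maxPinTries is the retry budget before the card blocks the PIN (assumption: three, then PUK).
const maxPinTries = 3

// ToBeAuthenticated is the data the REE application handed to the card in step 102.
type ToBeAuthenticated struct {
	Account string `json:"account"`
	Name    string `json:"name"`
	Amount  string `json:"amount"`
}

// Confirmation is the user's choice on the second target interface as relayed by the TD.
type Confirmation string

const ConfirmPass Confirmation = "confirmation pass" // the other value in the text is "confirmation fail"

// AuthResult is what step 105 returns: "1" passed, "0" not passed, plus the
// signature that the server checks against the certificate in the PKI factor.
type AuthResult struct {
	Result    string `json:"result"`
	Signature []byte `json:"signature,omitempty"`
}

// SecureElement holds the PIN, its retry counter and the PKI factor's private key.
type SecureElement struct {
	pin       []byte
	triesLeft int
	blocked   bool
	priv      *rsa.PrivateKey
}

// NewSecureElement personalises a card: PIN set, retry counter full, PKI factor generated on-card.
func NewSecureElement(pin string) *SecureElement {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &SecureElement{pin: []byte(pin), triesLeft: maxPinTries, priv: priv}
}

// PublicKey is the public half of the PKI factor, i.e. what the certificate carries.
func (se *SecureElement) PublicKey() *rsa.PublicKey { return &se.priv.PublicKey }

// VerifyPIN is the "preset condition": constant-time compare, bounded attempts, block when exhausted.
func (se *SecureElement) VerifyPIN(entered []byte) bool {
	if se.blocked {
		return false
	}
	if subtle.ConstantTimeCompare(se.pin, entered) == 1 {
		se.triesLeft = maxPinTries
		return true
	}
	se.triesLeft--
	if se.triesLeft <= 0 {
		se.blocked = true
	}
	return false
}

// digestOf is what both card and server sign and verify: SHA-256 over the JSON encoding.
func digestOf(d ToBeAuthenticated) []byte {
	b, _ := json.Marshal(d) // struct encoding is deterministic in Go
	h := sha256.Sum256(b)
	return h[:]
}

// Authenticate is step 104: the TA signs only after a correct PIN and an explicit "confirmation pass".
func (se *SecureElement) Authenticate(data ToBeAuthenticated, pin []byte, c Confirmation) AuthResult {
	if !se.VerifyPIN(pin) || c != ConfirmPass {
		return AuthResult{Result: "0"}
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, se.priv, crypto.SHA256, digestOf(data))
	if err != nil {
		return AuthResult{Result: "0"}
	}
	return AuthResult{Result: "1", Signature: sig}
}

// ServerVerify is the server's check after the terminal forwards the result (step 105):
// the signature must cover exactly the transaction the server asked the user to confirm.
func ServerVerify(pub *rsa.PublicKey, data ToBeAuthenticated, r AuthResult) bool {
	return r.Result == "1" && rsa.VerifyPKCS1v15(pub, crypto.SHA256, digestOf(data), r.Signature) == nil
}

func main() {
	se := NewSecureElement("1234") // constructed sample PIN, the value used in the text
	tx := ToBeAuthenticated{Account: "6222000000000001", Name: "Zhang San", Amount: "100.00"} // constructed
	r := se.Authenticate(tx, []byte("1234"), ConfirmPass)
	fmt.Println("result:", r.Result, "| server accepts:", ServerVerify(se.PublicKey(), tx, r))
	tampered := tx
	tampered.Amount = "10000.00"
	fmt.Println("amount altered after signing, server accepts:", ServerVerify(se.PublicKey(), tampered, r))
}
```

Because the signature covers the account, name and amount that were shown on the second target interface, a REE application that changes the amount after the user confirmed it cannot produce a result the server will accept; and because the PIN check lives in the SE with its own retry counter, the terminal cannot brute-force it on the card's behalf.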
Further, in the embodiment of the present invention, the user identification card first receives authentication confirmation information sent by the terminal device through the trusted driver, and then performs an authentication operation on data to be authenticated according to the authentication confirmation information. Through the mode, the user identity identification card can authenticate the data to be authenticated by combining the authentication confirmation information input by the user, so that an authentication environment with high security level is provided, and the security authentication environment can be realized where the user identity identification card is located even if the terminal equipment is replaced.
Optionally, on the basis of the embodiment corresponding to fig. 3, in a fifth optional embodiment of the method for security authentication provided in the embodiment of the present invention, sending the authentication result to the terminal device by the user identity card may include:
the user identity identification card sends an authentication result to the terminal equipment in a preset communication mode, wherein the preset communication mode comprises at least one of Bluetooth, Near Field Communication (NFC) technology, wireless fidelity (WiFi) and Radio Frequency (RF) technology;
and the terminal equipment sends the authentication result to the server.
In this embodiment, the user identity card may send the authentication result to the terminal device by using a preset communication mode, where the preset communication mode mainly includes at least one of bluetooth, Near Field Communication (NFC) technology, wireless fidelity (WiFi) and Radio Frequency (RF) technology.
Bluetooth is a wireless technology standard that enables short-distance data exchange among fixed devices, mobile devices, and building personal area networks. Bluetooth is a standard wireless communication protocol based on low-cost transceiver chips with short transmission distance and low power consumption.
NFC is built on Radio Frequency Identification (RFID) and interconnection technology. NFC is a short-range, high-frequency radio technology that combines the functions of an inductive card reader, an inductive card, and point-to-point communication on a single chip, and can perform identification and data exchange with compatible devices over short distances.
WiFi is a technology that allows an electronic device to connect to a wireless local area network. Such a network is typically password protected, but may be open, in which case any device within range of the network can connect.
RF refers to a high-frequency alternating electromagnetic wave that can propagate through the air and be reflected by the ionosphere at the outer edge of the atmosphere, which gives it long-distance transmission capability; high-frequency electromagnetic waves with this capability are referred to as RF. RF technology is widely used in the field of wireless communications, and cable television systems also use radio-frequency transmission.
It is understood that, in practical applications, the 8716 communication protocol may also be employed.
In addition, in the embodiment of the invention, the user identification card and the terminal device can communicate in various modes, such as Bluetooth, NFC, and RF technology, each of which has its own advantages. This increases the flexibility and practicability of the scheme.
Optionally, on the basis of fig. 3 or any one of the first to sixth embodiments corresponding to fig. 3, in a seventh optional embodiment of the method for security authentication provided in the embodiment of the present invention, after the user identity card sends the authentication result to the terminal device, the method may further include:
the user identity identification card sends a peripheral control release instruction to the trusted driver of the terminal device through the trusted application program, so that the trusted driver stops controlling the external device of the terminal device according to the peripheral control release instruction; or, alternatively,
when the user identity identification card receives the authentication confirmation information sent by the trusted driver, the user identity identification card and the terminal device determine that the trusted driver automatically stops controlling the external device of the terminal device.
In this embodiment, after the user identification card sends the authentication result to the terminal device, the terminal device may return from the TEE to the REE, and the user identification card may hand control of the external device back to the terminal device. Two ways of handing over control are described below.
First, passive return of control:
the user identification card sends a peripheral control release instruction to the TD of the terminal device through the TA. After the TD receives the instruction, it stops being called by the TEE, that is, the TEE gives up control of the external device, and the terminal device switches from the TEE back to the REE to continue operating.
Second, active return of control:
when the user identification card receives the authentication confirmation information sent by the TD, the TEE in the user identification card automatically releases control, that is, control of the external device stops automatically, and the terminal device switches from the TEE back to the REE to continue operating.
Furthermore, in the embodiment of the present invention, after the authentication operation between the user identification card and the terminal device is completed, the user identification card may release control of the external device, so that the terminal device returns to the REE operating system. In this way, the terminal device regains control of its own peripherals, and the user identification card changes from the master device back to the slave device, which improves the operability and practicability of the scheme.
Referring to fig. 5, fig. 5 is a schematic view of an embodiment of a user identification card according to an embodiment of the present invention, where the user identification card is applied to a security authentication system, the security authentication system further includes a terminal device, where the user identification card has a TEE built in, and the user identification card 20 includes:
a receiving module 201, configured to receive a security authentication request initiated by the terminal device, where the security authentication request is sent to the terminal device by a server;
the receiving module 201 is further configured to receive, when the security authentication request passes, data to be authenticated sent by the terminal device through a trusted application program, where the trusted application program runs in the TEE built in the user identity card;
the control module 202 is configured to invoke a trusted driver in the terminal device, and control an external device of the terminal device by using the trusted driver, where the trusted driver is located at a bottom layer of an operating system of the terminal device, and the trusted driver and the TEE have a unique invoking relationship;
an authentication module 203, configured to perform an authentication operation on the data to be authenticated received by the receiving module by using the external device of the terminal device controlled by the control module 202, so as to obtain an authentication result, and send the authentication result to the terminal device.
In this embodiment, the user identification card is applied to a security authentication system that further includes a terminal device, and the user identification card has a built-in TEE. The receiving module 201 receives a security authentication request initiated by the terminal device, the request having been sent to the terminal device by a server. When the security authentication request passes, the receiving module 201 receives the data to be authenticated, sent by the terminal device through a trusted application program that runs in the TEE built into the user identification card. The control module 202 invokes a trusted driver in the terminal device and uses it to control an external device of the terminal device; the trusted driver is located at the bottom layer of the terminal device's operating system and has a unique invoking relationship with the TEE. The authentication module 203 uses the external device controlled by the control module 202 to perform the authentication operation on the data received by the receiving module, obtains an authentication result, and sends that result to the terminal device.
In the embodiment of the invention, a user identification card is provided in which a TEE with a higher security level can be built, and the user identification card controls the terminal device to switch from the rich execution environment operating system to the TEE operating system, so that the terminal device can also complete the authentication process under the TEE operating system.
Optionally, on the basis of the embodiment corresponding to fig. 5, please refer to fig. 6, in another embodiment of the user identification card 20 provided in the embodiment of the present invention, the user identification card 20 further includes a determining module 204;
the authentication module 203 is further configured to authenticate the trusted driver through the trusted application before the control module 202 invokes the trusted driver in the terminal device and controls the external device of the terminal device by using the trusted driver;
the determining module 204 is configured to determine that the trusted driver and the TEE have a unique calling relationship if the authenticating module 203 determines that the authentication passes.
Secondly, in the embodiment of the invention, before the user identification card calls the trusted driver in the terminal device and uses it to control the external device of the terminal device, authentication can be performed between the TA and the TD, and if it passes, the user identification card and the terminal device both determine that the TD and the TEE have the unique calling relationship. In this way, it is established that the TD can be called only by the TEE of the user identification card, so the TD can call the external device of the terminal device and the operation result of the external device is transmitted back to the user identification card through the TD, which ensures the security and reliability of information input.
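The TA/TD binding described just above and the two control-release paths (passive release on a TA instruction, active release once the TD has forwarded the confirmation) are modelled in the following added example. It is not code from the patent or its assignee: the patent does not specify how the TA and TD authenticate each other, so a challenge-response over a provisioned shared key is assumed, and the class and method names (TrustedDriver, UserIdCard, bind_td, forward_confirmation) are ours. The point the model makes is that the TD drives peripherals only for the one TEE session it is bound to, and that after either release path the terminal is back in the REE and the old session token no longer works.

```python
"""Added model of TD binding and control release (not the patent's code).
Assumptions: TA and TD share a provisioned key (constructed below) and bind
via an HMAC challenge-response; the TD issues a session token that every
later call must present."""
import hashlib
import hmac
import secrets

TA_TD_KEY = b"constructed-demo-key-shared-by-ta-and-td"  # constructed; assumed provisioned secret


def _proof(key: bytes, role: bytes, challenge: bytes) -> bytes:
    """Role-separated HMAC so a TD response cannot be replayed as a TA proof."""
    return hmac.new(key, role + b"|" + challenge, hashlib.sha256).digest()


class TrustedDriver:
    """Terminal-side TD: drives peripherals only for the single TEE session
    it is bound to (the 'unique calling relationship'), rejects everything else."""

    def __init__(self, key: bytes = TA_TD_KEY):
        self._key = key
        self._session = None   # token of the TEE session that owns the peripherals
        self.mode = "REE"      # terminal runs its rich OS until the TEE takes over
        self.log = []

    def respond(self, challenge: bytes) -> bytes:
        """TD proves knowledge of the provisioned key to the TA."""
        return _proof(self._key, b"td", challenge)

    def bind(self, challenge: bytes, ta_proof: bytes) -> bytes:
        """Check the TA's proof; on success issue a session token and switch to TEE."""
        if not hmac.compare_digest(_proof(self._key, b"ta", challenge), ta_proof):
            raise PermissionError("TA authentication failed")
        if self._session is not None:
            raise RuntimeError("peripherals already under TEE control")
        self._session = secrets.token_bytes(16)
        self.mode = "TEE"
        return self._session

    def _check(self, token: bytes) -> None:
        if self._session is None or not hmac.compare_digest(token, self._session):
            raise PermissionError("caller is not the bound TEE")

    def call(self, token: bytes, op: str) -> str:
        """Peripheral operation on behalf of the bound TEE session only."""
        self._check(token)
        self.log.append(op)
        return op + ":ok"

    def release(self, token: bytes, reason: str) -> None:
        """Passive path: explicit peripheral-control-release instruction from the TA."""
        self._check(token)
        self._session, self.mode = None, "REE"
        self.log.append("released:" + reason)

    def forward_confirmation(self, token: bytes) -> None:
        """Active path: after handing the user's confirmation to the card, the TD
        gives up control by itself."""
        self._check(token)
        self._session, self.mode = None, "REE"
        self.log.append("released:auto")


class UserIdCard:
    """Card-side TEE running the TA."""

    def __init__(self, td: TrustedDriver, key: bytes = TA_TD_KEY, auto_release: bool = True):
        self.td, self._key, self.auto_release = td, key, auto_release
        self.stale_token = None

    def bind_td(self) -> bytes:
        """Authenticate the TD, prove ourselves to it, and obtain the session token."""
        challenge = secrets.token_bytes(16)
        if not hmac.compare_digest(_proof(self._key, b"td", challenge), self.td.respond(challenge)):
            raise PermissionError("TD authentication failed")
        return self.td.bind(challenge, _proof(self._key, b"ta", challenge))

    def run(self) -> str:
        """One take-over/release cycle; returns the terminal's mode afterwards."""
        token = self.bind_td()
        self.td.call(token, "show_first_interface")
        self.td.call(token, "show_second_interface")
        if self.auto_release:
            self.td.forward_confirmation(token)        # TD releases on its own
        else:
            self.td.call(token, "collect_confirmation")
            self.td.release(token, "ta_instruction")   # TA sends the release instruction
        self.stale_token = token
        return self.td.mode


def rejected(fn, *args) -> bool:
    """True if the call is refused with PermissionError (used in the checks)."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False
```

Both `UserIdCard(td).run()` and `UserIdCard(td, auto_release=False).run()` end with the TD back in `"REE"`; a card holding the wrong key never gets a token, and a token from a finished session is refused, which is the property the patent's "unique calling relationship" is meant to give.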
Optionally, on the basis of the embodiment corresponding to fig. 5, in another embodiment of the user identification card 20 provided in the embodiment of the present invention,
the control module 202 is further configured to, after invoking a trusted driver in the terminal device and controlling an external device of the terminal device by using the trusted driver, control the external device of the terminal device to display a first target interface under a TEE, where the first target interface is used to receive verification information input by a user, and the verification information includes a personal identification number PIN and/or user fingerprint information.
Secondly, in the embodiment of the present invention, after the user identification card controls the external device through the TD of the terminal device, the terminal device displays the first target interface under the TEE, and the user enters the corresponding verification information on that interface, where the verification information includes a PIN code or user fingerprint information. In this way, the user enters verification information related to their own security information under the more secure TEE, which improves the security and reliability of the scheme.
Optionally, on the basis of the embodiment corresponding to fig. 6, in another embodiment of the user identification card 20 provided in the embodiment of the present invention,
the receiving module 201 is further configured to receive the verification information sent by the trusted driver after the control module 202 controls an external device of the terminal device to display a first target interface under a TEE;
the control module 202 is further configured to control an external device of the terminal device to display a second target interface under the TEE if the verification information received by the receiving module 201 meets a preset condition, where the second target interface is used to display information to be confirmed by a user and receive authentication confirmation information input by the user.
In the embodiment of the present invention, after the user identification card controls the external device to display the first target interface under the TEE, the user identification card may receive the verification information sent by the TD. If the verification information meets the preset condition, the user identification card controls the external device of the terminal device to display a second target interface under the TEE, which is used to display the information to be confirmed by the user and to receive the authentication confirmation information entered by the user. For example, in a transfer transaction, the second interface shows the received data to be authenticated on the display screen of the terminal peripheral for the user to check, and the user clicks the virtual button on the interface after confirming.
In this way, the user can further enter the authentication confirmation information, that is, the complete authentication process adds a factor of human confirmation, which enhances the reliability and security of the scheme.
Alternatively, on the basis of the embodiment corresponding to fig. 6, in another embodiment of the user identification card 20 provided in the embodiment of the present invention,
the authentication module 203 is specifically configured to receive the authentication confirmation information sent by the trusted driver;
and carrying out authentication operation on the data to be authenticated according to the authentication confirmation information.
Further, in the embodiment of the present invention, the user identification card first receives the authentication confirmation information sent by the terminal device through the trusted driver, and then performs the authentication operation on the data to be authenticated according to that confirmation information. In this way, the user identification card authenticates the data to be authenticated in combination with the confirmation entered by the user, which provides an authentication environment with a high security level; because the secure environment resides in the user identification card, it remains available even if the terminal device is replaced.
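The card-side data flow of the embodiments above (security authentication request, PIN on the first target interface, preset condition, confirmation on the second target interface, authentication operation according to the confirmation, result verified by the server) is worked through in the following added example. It is not the patent's code. The patent names neither the authentication operation nor the preset condition, so the example assumes HMAC-SHA256 over nonce and data with a key shared by card and server, a SHA-256 PIN hash with a three-try counter as the preset condition, and a confirmation that carries a digest of what was actually displayed; the names Server, Terminal, UserIdCard and run_flow are ours. The detail worth noticing is that the card only authenticates data whose digest matches the confirmation, so a terminal that shows the user one transfer and forwards another gets no result.

```python
"""Added model of the card-side authentication flow (not the patent's code).
Assumed: HMAC-SHA256 as the authentication operation, a card/server shared key,
a hashed PIN with retry counter, and confirmation bound to the displayed data."""
import hashlib
import hmac
import secrets
from typing import Optional

CARD_SERVER_KEY = b"constructed-demo-key-shared-by-card-and-server"  # constructed; assumed
CARD_PIN_HASH = hashlib.sha256(b"1234").digest()   # constructed sample PIN, stored hashed
MAX_PIN_TRIES = 3


class Server:
    """Issues the security authentication request and verifies the result."""

    def __init__(self):
        self.pending = {}

    def request(self, data: bytes) -> dict:
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = data
        return {"nonce": nonce, "data": data}

    def verify(self, nonce: bytes, tag: bytes) -> bool:
        data = self.pending.pop(nonce, None)
        if data is None:
            return False                     # unknown or already-used nonce
        expected = hmac.new(CARD_SERVER_KEY, nonce + data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


class Terminal:
    """Terminal device whose TD drives the two TEE interfaces; user input is
    simulated, and shown_data lets a test model a tampered display."""

    def __init__(self, pin_entered: bytes, confirms: bool = True,
                 shown_data: Optional[bytes] = None):
        self.pin_entered, self.confirms, self.shown_data = pin_entered, confirms, shown_data

    def first_interface(self) -> bytes:
        return self.pin_entered              # verification information (PIN)

    def second_interface(self, data: bytes) -> dict:
        shown = data if self.shown_data is None else self.shown_data
        return {"confirmed": self.confirms,
                "display_digest": hashlib.sha256(shown).digest()}


class UserIdCard:
    """User identification card with built-in TEE running the TA."""

    def __init__(self):
        self.pin_tries_left = MAX_PIN_TRIES
        self.seen_nonces = set()

    def request_passes(self, req: dict) -> bool:
        """Assumed acceptance rule: well-formed nonce that has not been seen before."""
        nonce = req.get("nonce")
        if not isinstance(nonce, bytes) or len(nonce) != 16 or nonce in self.seen_nonces:
            return False
        self.seen_nonces.add(nonce)
        return True

    def pin_meets_condition(self, pin: bytes) -> bool:
        """Preset condition: PIN hash matches and the card is not locked out."""
        if self.pin_tries_left <= 0:
            return False
        ok = hmac.compare_digest(hashlib.sha256(pin).digest(), CARD_PIN_HASH)
        self.pin_tries_left = MAX_PIN_TRIES if ok else self.pin_tries_left - 1
        return ok

    def authenticate(self, req: dict, confirmation: dict) -> Optional[bytes]:
        """Authentication operation according to the confirmation: refuse unless
        the user confirmed exactly the data the TA received."""
        data = req["data"]
        if not confirmation["confirmed"]:
            return None
        if not hmac.compare_digest(confirmation["display_digest"],
                                   hashlib.sha256(data).digest()):
            return None
        return hmac.new(CARD_SERVER_KEY, req["nonce"] + data, hashlib.sha256).digest()


def run_flow(server: Server, terminal: Terminal, card: UserIdCard, data: bytes) -> bool:
    """Server -> terminal -> card -> TD interfaces -> card -> terminal -> server."""
    req = server.request(data)
    if not card.request_passes(req):
        return False
    if not card.pin_meets_condition(terminal.first_interface()):
        return False
    confirmation = terminal.second_interface(req["data"])
    tag = card.authenticate(req, confirmation)
    if tag is None:
        return False
    return server.verify(req["nonce"], tag)
```

`run_flow(Server(), Terminal(b"1234"), UserIdCard(), b"transfer 100 to account 42")` succeeds; a wrong PIN, a declined confirmation, a display showing different data than the TA received, or a replayed request each cause the flow to stop before any result reaches the server.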
Optionally, on the basis of the embodiment corresponding to fig. 5, in another embodiment of the user identification card 20 provided in the embodiment of the present invention,
the authentication module 203 is specifically configured to send the authentication result to the terminal device by using a preset communication manner, so that the terminal device sends the authentication result to the server, where the preset communication manner includes at least one of bluetooth, a Near Field Communication (NFC) technology, wireless fidelity (WiFi) technology, and a radio frequency RF technology.
In addition, in the embodiment of the invention, the user identification card and the terminal device can communicate in various modes, such as Bluetooth, NFC, and RF technology, each of which has its own advantages. This increases the flexibility and practicability of the scheme.
Optionally, on the basis of the embodiment corresponding to fig. 5 or fig. 6, please refer to fig. 7, in another embodiment of the user identification card 20 provided in the embodiment of the present invention, the user identification card further includes a sending module 205;
the sending module 205 is configured to send a peripheral control releasing instruction to the trusted driver through the trusted application after the authentication module 203 sends the authentication result to the terminal device, so that the trusted driver stops controlling the external device of the terminal device according to the peripheral control releasing instruction;
or, alternatively,
the determining module 204 is configured to determine that the trusted driver automatically stops controlling the external device of the terminal device when receiving the authentication confirmation information sent by the trusted driver.
Furthermore, in the embodiment of the present invention, after the authentication operation between the user identification card and the terminal device is completed, the user identification card may release control of the external device, so that the terminal device returns to the REE operating system. In this way, the terminal device regains control of its own peripherals, and the user identification card changes from the master device back to the slave device, which improves the operability and practicability of the scheme.
Having described the user identification card in the present invention, the following describes the terminal device in the present invention in detail, please refer to fig. 8, fig. 8 is a schematic diagram of an embodiment of the terminal device in the embodiment of the present invention, the terminal device is applied to a security authentication system, the security authentication system further includes the user identification card, wherein the user identification card is internally provided with a TEE, and the terminal device 30 includes:
a sending module 301, configured to send a security authentication request to the user identity card, where the security authentication request is sent to the terminal device by a server;
the sending module 301 is further configured to send data to be authenticated to a trusted application program in the user identity card when the security authentication request passes, where the trusted application program runs in the TEE built in the user identity card;
a control module 302, configured to control an external device of the terminal device through a trusted driver, where the trusted driver is called by the user identity card, the trusted driver is located at a bottom layer of an operating system of the terminal device, and the trusted driver and the TEE have a unique calling relationship;
a receiving module 303, configured to receive an authentication result sent by the user identity card, where the authentication result is obtained after the user identity card performs an authentication operation on the data to be authenticated, which is sent by the sending module.
In this embodiment, the terminal device is applied to a security authentication system that further includes a user identification card, and the user identification card has a built-in TEE. The sending module 301 sends a security authentication request to the user identification card, the request having been sent to the terminal device by a server. When the security authentication request passes, the sending module 301 sends the data to be authenticated to a trusted application program in the user identification card, where the trusted application program runs in the TEE built into the card. The control module 302 controls an external device of the terminal device through a trusted driver that is called by the user identification card; the trusted driver is located at the bottom layer of the terminal device's operating system and has a unique calling relationship with the TEE. The receiving module 303 receives the authentication result sent by the user identification card, which is obtained after the card performs the authentication operation on the data sent by the sending module.
In the embodiment of the invention, a terminal device is provided; a TEE with a higher security level can be built into the user identification card, and the user identification card controls the terminal device to switch from the rich execution environment operating system to the TEE operating system, so that the terminal device can also complete the authentication process under the TEE operating system.
Optionally, on the basis of the embodiment corresponding to fig. 8, please refer to fig. 9, in another embodiment of the terminal device 30 provided in the embodiment of the present invention, the terminal device 30 further includes an authentication module 304 and a determination module 305;
the authentication module 304 is configured to authenticate the trusted application program through a trusted driver before the control module 302 controls an external device of the terminal device through the trusted driver;
the determining module 305 is configured to determine that the trusted driver and the TEE have a unique calling relationship if the authenticating module 304 determines that the authentication passes.
Secondly, in the embodiment of the invention, before the user identification card calls the trusted driver in the terminal device and uses it to control the external device of the terminal device, authentication can be performed between the TA and the TD, and if it passes, the user identification card and the terminal device both determine that the TD and the TEE have the unique calling relationship. In this way, it is established that the TD can be called only by the TEE of the user identification card, so the TD can call the external device of the terminal device and the operation result of the external device is transmitted back to the user identification card through the TD, which ensures the security and reliability of information input.
Optionally, on the basis of the embodiment corresponding to fig. 8, please refer to fig. 10, in another embodiment of the terminal device 30 provided in the embodiment of the present invention, the terminal device 30 further includes a display module 306;
the display module 306 is configured to display a first target interface under a TEE after the control module 302 controls the external device of the terminal device through a trusted driver, where the first target interface is configured to receive verification information input by a user, and the verification information includes a personal identification number PIN and/or user fingerprint information.
Secondly, in the embodiment of the present invention, after the user identification card controls the external device through the TD of the terminal device, the terminal device displays the first target interface under the TEE, and the user enters the corresponding verification information on that interface, where the verification information includes a PIN code or user fingerprint information. In this way, the user enters verification information related to their own security information under the more secure TEE, which improves the security and reliability of the scheme.
Optionally, on the basis of the embodiment corresponding to fig. 10, in another embodiment of the terminal device 30 provided in the embodiment of the present invention,
the sending module 301 is further configured to send the verification information to the user identity card through the trusted driver after the displaying module 306 displays the first target interface under the TEE;
the display module 306 is further configured to display a second target interface under the TEE if the verification information sent by the sending module 301 meets a preset condition, where the second target interface is used to display the information to be confirmed by the user and to receive authentication confirmation information input by the user.
In the embodiment of the present invention, after the user identification card controls the external device to display the first target interface under the TEE, the user identification card may receive the verification information sent by the TD. If the verification information meets the preset condition, the user identification card controls the external device of the terminal device to display a second target interface under the TEE, which is used to display the information to be confirmed by the user and to receive the authentication confirmation information entered by the user. In this way, the user can further enter the authentication confirmation information, that is, the complete authentication process adds a factor of human confirmation, which enhances the reliability and security of the scheme.
Optionally, on the basis of the embodiment corresponding to fig. 10, in another embodiment of the terminal device 30 provided in the embodiment of the present invention,
the sending module 301 is further configured to send authentication confirmation information to the user identity identification card through the trusted driver after the displaying module 306 displays a second target interface under the TEE, so that the user identity identification card performs an authentication operation on the data to be authenticated according to the authentication confirmation information.
Further, in the embodiment of the present invention, the user identification card first receives the authentication confirmation information sent by the terminal device through the trusted driver, and then performs the authentication operation on the data to be authenticated according to that confirmation information. In this way, the user identification card authenticates the data to be authenticated in combination with the confirmation entered by the user, which provides an authentication environment with a high security level; because the secure environment resides in the user identification card, it remains available even if the terminal device is replaced.
Optionally, on the basis of the embodiment corresponding to fig. 8, in another embodiment of the terminal device 30 provided in the embodiment of the present invention,
the receiving module 303 is specifically configured to receive the authentication result sent by the user identity card by using a preset communication mode, so that the terminal device sends the authentication result to the server, where the preset communication mode includes at least one of bluetooth, a near field communication NFC technology, WiFi and RF technology.
In addition, in the embodiment of the invention, the user identification card and the terminal device can communicate in various modes, such as Bluetooth, NFC, and RF technology, each of which has its own advantages. This increases the flexibility and practicability of the scheme.
Optionally, on the basis of the embodiment corresponding to fig. 8 or fig. 9, please refer to fig. 11, in another embodiment of the terminal device 30 provided in the embodiment of the present invention, the terminal device 30 further includes a stopping module 307;
the stopping module 307 is configured to receive, by the trusted driver, a peripheral control release instruction sent by the trusted application after the receiving module 303 receives the authentication result sent by the user identity identification card, where the peripheral control release instruction is used to instruct the trusted driver to stop controlling the external device of the terminal device;
or, alternatively,
the stopping module 307 is configured to stop controlling the external device of the terminal device automatically once the authentication confirmation information has been sent through the trusted driver.
Furthermore, in the embodiment of the present invention, after the authentication operation between the user identification card and the terminal device is completed, the user identification card may release control of the external device, so that the terminal device returns to the REE operating system. In this way, the terminal device regains control of its own peripherals, and the user identification card changes from the master device back to the slave device, which improves the operability and practicability of the scheme.
Fig. 12 is a schematic structural diagram of the user identification card 40 according to the embodiment of the present invention. The user identification card 40 may include an input module 410, an output module 420, a processor 430, and a memory 440.
The input module 410 and the output module 420 have a communication function; the communication mode includes at least one of Bluetooth, NFC, WiFi, and RF technology. The input module 410 is used for receiving information or data, and the output module 420 is used for transmitting information or data.
Memory 440 may include both read-only memory and random-access memory, and provides instructions and data to processor 430. A portion of memory 440 may also include non-volatile random access memory (NVRAM).
Memory 440 stores the following elements, executable modules or data structures, or a subset thereof, or an expanded set thereof:
Operating instructions: including various operational instructions for performing various operations.
Operating system: including various system programs for implementing various basic services and for handling hardware-based tasks.
In the embodiment of the present invention, the processor 430 is configured to:
control the input module 410 to receive a security authentication request initiated by the terminal device, where the security authentication request is sent to the terminal device by a server;
when the security authentication request passes, control the input module 410 to receive the data to be authenticated sent by the terminal device through a trusted application program, where the trusted application program runs in the TEE built into the user identification card;
call a trusted driver in the terminal device, and control an external device of the terminal device by using the trusted driver, where the trusted driver is located at the bottom layer of the operating system of the terminal device, and the trusted driver and the TEE have a unique calling relationship;
and authenticate the data to be authenticated by using the external device of the terminal device to obtain an authentication result, and control the output module 420 to send the authentication result to the terminal device.
Optionally, the processor 430 is further configured to perform the following steps:
authenticating with the trusted driver through the trusted application;
and if the authentication is passed, determining that the trusted driver and the TEE have a unique calling relationship.
Optionally, the processor 430 is further configured to perform the following steps:
and controlling an external device of the terminal device to display a first target interface under the TEE, wherein the first target interface is used for receiving verification information input by a user, and the verification information comprises a Personal Identification Number (PIN) and/or user fingerprint information.
Optionally, the processor 430 is further configured to perform the following steps:
control the input module 410 to receive the verification information sent by the trusted driver;
and if the verification information meets the preset condition, controlling external equipment of the terminal equipment to display a second target interface under the TEE, wherein the second target interface is used for displaying the information to be confirmed of the user and receiving the authentication confirmation information input by the user.
Optionally, the processor 430 is specifically configured to perform the following steps:
control the input module 410 to receive the authentication confirmation information sent by the trusted driver;
and carrying out authentication operation on the data to be authenticated according to the authentication confirmation information.
Optionally, the processor 430 is further configured to perform the following steps:
control the output module 420 to send the authentication result to the terminal device in a preset communication mode, so that the terminal device sends the authentication result to the server, where the preset communication mode includes at least one of Bluetooth, Near Field Communication (NFC) technology, wireless fidelity (WiFi) and Radio Frequency (RF) technology.
Optionally, the processor 430 is further configured to perform the following steps:
control the output module 420 to send a peripheral control release instruction to the trusted driver through the trusted application program, so that the trusted driver stops controlling the external device of the terminal device according to the instruction;
or, alternatively,
when receiving the authentication confirmation information sent by the trusted driver, determine that the trusted driver automatically stops controlling the external device of the terminal device.
The processor 430 controls the operation of the user identification card 40, and the processor 430 may also be referred to as a CPU. Memory 440 may include both read-only memory and random-access memory, and provides instructions and data to processor 430. A portion of memory 440 may also include NVRAM. In a specific application, the various components of the user identification card 40 are coupled together by a bus system 450, wherein the bus system 450 may include a power bus, a control bus and a status signal bus in addition to a data bus. For clarity of illustration, however, the various buses are designated in the figure as the bus system 450.
The method disclosed in the above embodiments of the present invention may be applied to the processor 430, or implemented by the processor 430. The processor 430 may be an integrated circuit chip with signal processing capability. In implementation, the steps of the above method may be completed by integrated logic circuits of hardware in the processor 430 or by instructions in the form of software. The processor 430 may be a general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present invention. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in connection with the embodiments of the present invention may be performed directly by a hardware decoding processor, or by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM or EPROM, or a register. The storage medium is located in the memory 440; the processor 430 reads the information in the memory 440 and completes the steps of the above method in combination with its hardware.
The related description of fig. 12 can be understood with reference to the related description and effects of the method portion of fig. 2, and will not be described in detail herein.
As shown in fig. 13, for convenience of description only the parts related to the embodiment of the present invention are shown; for specific technical details that are not shown, refer to the method part of the embodiment of the present invention. The terminal may be any terminal device, including a mobile phone, a tablet computer, a Personal Digital Assistant (PDA), a point of sale (POS) terminal, a vehicle-mounted computer, and the like. The following takes a mobile phone as the example of the terminal device:
fig. 13 is a block diagram showing a partial structure of a cellular phone related to a terminal device provided in an embodiment of the present invention. Referring to fig. 13, the handset includes: radio Frequency (RF) circuitry 510, memory 520, input unit 530, display unit 540, sensor 550, audio circuitry 560, wireless fidelity (WiFi) module 570, processor 580, and power supply 590. Those skilled in the art will appreciate that the handset configuration shown in fig. 13 is not intended to be limiting and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.
The following describes each component of the mobile phone in detail with reference to fig. 13:
RF circuit 510 may be used for receiving and transmitting signals during information transmission and reception or during a call; in particular, it passes downlink information from a base station to processor 580 for processing after receiving it, and sends uplink data to the base station. In general, RF circuitry 510 includes, but is not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a Low Noise Amplifier (LNA), a duplexer, and the like. In addition, RF circuit 510 may also communicate with networks and other devices via wireless communication. The wireless communication may use any communication standard or protocol, including but not limited to Global System for Mobile Communications (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), e-mail, Short Message Service (SMS), etc.
The memory 520 may be used to store software programs and modules, and the processor 580 executes the various functional applications and data processing of the mobile phone by running the software programs and modules stored in the memory 520. The memory 520 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required by at least one function (such as a sound playing function or an image playing function), and the like; the data storage area may store data created during use of the mobile phone (such as audio data or a phonebook), and the like. Further, the memory 520 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device.
The input unit 530 may be used to receive input numeric or character information and to generate key signal inputs related to user settings and function control of the mobile phone. Specifically, the input unit 530 may include a touch panel 531 and other input devices 532. The touch panel 531, also called a touch screen, can collect touch operations of a user on or near it (for example, operations performed by the user on or near the touch panel 531 with a finger, a stylus, or any other suitable object or accessory) and drive the corresponding connection device according to a preset program. Optionally, the touch panel 531 may include two parts, a touch detection device and a touch controller. The touch detection device detects the position of the user's touch, detects the signal produced by the touch operation and transmits the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts it into touch point coordinates, sends the coordinates to the processor 580, and can receive and execute commands sent by the processor 580. In addition, the touch panel 531 may be implemented in various types, such as resistive, capacitive, infrared and surface acoustic wave. Besides the touch panel 531, the input unit 530 may include other input devices 532. In particular, the other input devices 532 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys and a power key), a trackball, a mouse, a joystick, and the like.
The display unit 540 may be used to display information input by the user, information provided to the user, and the various menus of the mobile phone. The display unit 540 may include a display panel 541, and optionally the display panel 541 may be configured in the form of a Liquid Crystal Display (LCD), an Organic Light-Emitting Diode (OLED) display, or the like. Further, the touch panel 531 may cover the display panel 541; when the touch panel 531 detects a touch operation on or near it, the touch operation is passed to the processor 580 to determine the type of the touch event, and the processor 580 then provides a corresponding visual output on the display panel 541 according to the type of the touch event. Although the touch panel 531 and the display panel 541 are shown in fig. 13 as two separate components implementing the input and output functions of the mobile phone, in some embodiments the touch panel 531 and the display panel 541 may be integrated to implement the input and output functions of the mobile phone.
The handset may also include at least one sensor 550, such as a light sensor, motion sensor, and other sensors. Specifically, the light sensor may include an ambient light sensor and a proximity sensor, wherein the ambient light sensor may adjust the brightness of the display panel 541 according to the brightness of ambient light, and the proximity sensor may turn off the display panel 541 and/or the backlight when the mobile phone is moved to the ear. As one of the motion sensors, the accelerometer sensor can detect the magnitude of acceleration in each direction (generally, three axes), can detect the magnitude and direction of gravity when stationary, and can be used for applications of recognizing the posture of a mobile phone (such as horizontal and vertical screen switching, related games, magnetometer posture calibration), vibration recognition related functions (such as pedometer and tapping), and the like; as for other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer, and an infrared sensor, which can be configured on the mobile phone, further description is omitted here.
Audio circuitry 560, speaker 561, and microphone 562 may provide an audio interface between the user and the mobile phone. The audio circuit 560 may convert received audio data into an electrical signal and transmit it to the speaker 561, which converts it into a sound signal for output; conversely, the microphone 562 converts the collected sound signal into an electrical signal, which the audio circuit 560 receives and converts into audio data; the audio data is then output to the processor 580 for processing and sent via the RF circuit 510 to, for example, another mobile phone, or output to the memory 520 for further processing.
WiFi is a short-range wireless transmission technology; through the WiFi module 570 the mobile phone can help the user send and receive e-mail, browse web pages, access streaming media and so on, providing the user with wireless broadband Internet access. Although fig. 13 shows the WiFi module 570, it is understood that it is not an essential component of the mobile phone and may be omitted entirely as needed, within the scope that does not change the essence of the invention.
The processor 580 is a control center of the mobile phone, connects various parts of the entire mobile phone by using various interfaces and lines, and performs various functions of the mobile phone and processes data by operating or executing software programs and/or modules stored in the memory 520 and calling data stored in the memory 520, thereby performing overall monitoring of the mobile phone. Alternatively, processor 580 may include one or more processing units; optionally, processor 580 may integrate an application processor, which handles primarily the operating system, user interface, applications, etc., and a modem processor, which handles primarily the wireless communications. It will be appreciated that the modem processor described above may not be integrated into processor 580.
The handset also includes a power supply 590 (e.g., a battery) for powering the various components, which may optionally be logically connected to the processor 580 via a power management system, such that the power management system may be used to manage charging, discharging, and power consumption.
Although not shown, the mobile phone may further include a camera, a bluetooth module, etc., which are not described herein.
In this embodiment of the present invention, the processor 580 included in the terminal device further has the following functions:
sending a security authentication request to the user identity identification card, wherein the security authentication request is sent to the terminal equipment by a server;
when the security authentication request passes, sending data to be authenticated to a trusted application program in the user identity identification card, wherein the trusted application program runs in the TEE built in the user identity identification card;
controlling external equipment of the terminal equipment through a trusted driver, wherein the trusted driver is called by the user identity identification card, the trusted driver is positioned at the bottom layer of an operating system of the terminal equipment, and the trusted driver and the TEE have a unique calling relationship;
and receiving an authentication result sent by the user identity identification card, wherein the authentication result is obtained after the user identity identification card performs authentication operation on the data to be authenticated.
Optionally, the processor 580 is further configured to perform the following steps:
authenticating with the trusted application through the trusted driver;
and if the authentication is passed, determining that the trusted driver and the TEE have a unique calling relationship.
Optionally, the processor 580 is further configured to perform the following steps:
displaying a first target interface under the TEE, wherein the first target interface is used for receiving authentication information input by a user, and the authentication information comprises a personal identification number PIN and/or user fingerprint information.
Optionally, the processor 580 is further configured to perform the following steps:
sending the verification information to the user identity identification card through the trusted driver;
and if the verification information meets the preset condition, displaying a second target interface under the TEE, wherein the second target interface is used for displaying the information to be confirmed of the user and receiving the authentication confirmation information input by the user.
Optionally, the processor 580 is further configured to perform the following steps:
and sending authentication confirmation information to the user identity identification card through the trusted driver so that the user identity identification card carries out authentication operation on the data to be authenticated according to the authentication confirmation information.
Optionally, the processor 580 is specifically configured to perform the following steps:
and receiving the authentication result sent by the user identity identification card by adopting a preset communication mode so that the terminal equipment sends the authentication result to the server, wherein the preset communication mode comprises at least one of Bluetooth, Near Field Communication (NFC) technology, wireless fidelity (WiFi) and Radio Frequency (RF) technology.
Optionally, the processor 580 is further configured to perform the following steps:
receiving, by the trusted driver, a release control peripheral instruction sent by the trusted application program, where the release control peripheral instruction is used to instruct the trusted driver to stop controlling an external device of the terminal device;
or
and when the authentication confirmation information has been sent through the trusted driver, automatically stopping controlling the external equipment of the terminal equipment.
In the above embodiments, the implementation may be realized wholly or partially by software, hardware, firmware, or any combination thereof. When implemented in software, it may be realized in whole or in part in the form of a computer program product.
Referring to fig. 14, fig. 14 is a schematic diagram of an embodiment of a security authentication system according to an embodiment of the present invention, where the security authentication system includes a terminal device 602 and a user identification card 601, where the user identification card 601 has a built-in trusted execution environment TEE, and the system includes:
the terminal device 602 receives a security authentication request sent by a server;
the terminal device 602 sends a security authentication request to the user identification card 601;
when the security authentication request passes, the user identification card 601 receives, through a trusted application program, the data to be authenticated sent by the terminal device 602, wherein the trusted application program runs in the TEE built in the user identification card;
the user identity identification card 601 calls a trusted driver in the terminal equipment 602, and controls external equipment of the terminal equipment 602 by using the trusted driver, wherein the trusted driver is positioned at the bottom layer of an operating system of the terminal equipment 602, and the trusted driver and the TEE have a unique calling relationship;
the user identification card 601 performs an authentication operation on the data to be authenticated by using the external device of the terminal device 602 to obtain an authentication result, and sends the authentication result to the terminal device 602.
The embodiment of the invention provides a security authentication system comprising a terminal device and a user identification card, wherein the user identification card has a built-in trusted execution environment TEE. The user identification card receives a security authentication request initiated by the terminal device, the security authentication request having been sent to the terminal device by a server. When the security authentication request passes, the user identification card receives, through a trusted application program running in the TEE built into the card, the data to be authenticated sent by the terminal device. The user identification card then calls a trusted driver in the terminal device and controls an external device of the terminal device through the trusted driver, where the trusted driver is located at the bottom layer of the operating system of the terminal device and has a unique calling relationship with the TEE. Finally, the user identification card performs the authentication operation on the data to be authenticated using the external device of the terminal device to obtain an authentication result, and sends the authentication result to the terminal device. In this way, the TEE, which offers higher security, is placed in the user identification card, and the card switches the terminal device from the rich execution environment operating system into the TEE operating system, so that the terminal device can complete the authentication flow under the TEE. The user therefore only needs a user identification card, which is replaced far less often than the terminal itself, for the terminal device to achieve security authentication under a TEE, which improves the practicality and security of the scheme.
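The exchange described for the card side (first and second target interfaces, release of the peripherals), the terminal side (processor 580 functions) and the system embodiment above, as an added example that is not part of the patent or the applicant's code. Each party is modelled as a Python class. The patent does not specify the cryptography, so the following are assumptions: the shared keys, the HMAC-SHA256 used both as the "authentication operation" and for the mutual authentication that establishes the unique calling relationship between the trusted driver and the trusted application, the challenge-response shape of that authentication, the session token the driver uses to reject every other caller, and the PIN value. The data to be authenticated and the user inputs are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed demo keys and PIN (assumption: provisioned into the card TA, the
# trusted driver and the server at personalisation time; not from the patent).
SERVER_CARD_KEY = b"demo-server-card-key"
DRIVER_TA_PAIR_KEY = b"demo-driver-ta-pairing-key"
CARD_PIN = b"1234"


def mac(key, *parts):
    # HMAC-SHA256 stands in for the unspecified "authentication operation".
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class TrustedDriver:
    """Bottom-layer driver in the terminal OS. It hands the peripherals to a caller
    only after a proof of the pairing key: this is the unique calling relationship."""

    def __init__(self):
        self.nonce, self.session, self.controlled = None, None, False

    def challenge(self):
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def bind(self, ta_proof):
        if self.nonce is None or not hmac.compare_digest(
                ta_proof, mac(DRIVER_TA_PAIR_KEY, b"ta", self.nonce)):
            raise PermissionError("caller is not the TEE trusted application")
        self.session, self.controlled = secrets.token_bytes(16), True
        return self.session, mac(DRIVER_TA_PAIR_KEY, b"drv", self.nonce)

    def _check(self, token):
        if not self.controlled or not hmac.compare_digest(token, self.session):
            raise PermissionError("peripherals are not under this caller's control")

    def first_target_interface(self, token, user_input):
        self._check(token)          # PIN entry rendered under the TEE
        return user_input["pin"]

    def second_target_interface(self, token, info_to_confirm, user_input):
        self._check(token)          # show the data; hand it back only if confirmed
        return info_to_confirm if user_input["confirm"] else None

    def release(self, token):
        self._check(token)          # release-control-peripheral instruction
        self.session, self.controlled = None, False


class TrustedApplication:
    """Trusted application running in the TEE built into the identification card."""

    def accept_request(self, request):
        # The security authentication request is checked before anything else.
        return hmac.compare_digest(request["mac"], mac(SERVER_CARD_KEY, b"req", request["nonce"]))

    def authenticate(self, driver, request, data, user_input):
        if not self.accept_request(request):
            return None
        # Mutual authentication with the trusted driver, then take the peripherals.
        nonce = driver.challenge()
        token, drv_proof = driver.bind(mac(DRIVER_TA_PAIR_KEY, b"ta", nonce))
        try:
            if not hmac.compare_digest(drv_proof, mac(DRIVER_TA_PAIR_KEY, b"drv", nonce)):
                raise PermissionError("trusted driver failed to authenticate")
            pin = driver.first_target_interface(token, user_input)
            if not hmac.compare_digest(pin, CARD_PIN):
                return None                      # preset condition not met
            confirmed = driver.second_target_interface(token, data, user_input)
            if confirmed is None:
                return None                      # user declined on the second interface
            # Authentication operation over exactly what the user saw and confirmed.
            return mac(SERVER_CARD_KEY, b"result", request["nonce"], confirmed)
        finally:
            driver.release(token)                # peripherals always go back to the REE


class Server:
    def new_request(self, data):
        nonce = secrets.token_bytes(16)
        return {"nonce": nonce, "data": data, "mac": mac(SERVER_CARD_KEY, b"req", nonce)}

    def verify(self, request, result):
        expected = mac(SERVER_CARD_KEY, b"result", request["nonce"], request["data"])
        return result is not None and hmac.compare_digest(result, expected)


def run_flow(user_input, data=b"transfer 100 to account 42"):
    """Terminal-side orchestration; returns (server accepted?, peripherals still held?)."""
    server, driver, ta = Server(), TrustedDriver(), TrustedApplication()
    request = server.new_request(data)
    result = ta.authenticate(driver, request, request["data"], user_input)
    return server.verify(request, result), driver.controlled


def rogue_caller_is_rejected():
    """An REE process without the pairing key cannot take the peripherals."""
    driver = TrustedDriver()
    driver.challenge()
    try:
        driver.bind(secrets.token_bytes(32))
    except PermissionError:
        return not driver.controlled
    return False
```

Two details carry the security argument. The driver's `_check` is what turns the "unique calling relationship" into an enforced property: a caller in the rich execution environment that cannot answer the challenge never obtains a session token, so it can neither read the PIN from the first target interface nor substitute the data shown on the second. The `finally` clause models the release-control-peripheral step, so the display and input return to the REE even when the PIN is wrong or the user declines; and the result is computed over the bytes that were actually confirmed, not over whatever the terminal first submitted, which is the point of showing the information to be confirmed under the TEE.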
The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the invention occur in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example, from one website, computer, server or data center to another website, computer, server or data center by wire (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wirelessly (e.g., infrared, radio, microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device, such as a server or data center, that integrates one or more available media. The available media may be magnetic media (e.g., floppy disks, hard disks, tapes), optical media (e.g., digital versatile discs (DVD)), or semiconductor media (e.g., a Solid State Disk (SSD)).
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (15)

1. A method for security authentication is applied to a security authentication system, and the security authentication system comprises a terminal device and a user identity identification card, wherein the user identity identification card is internally provided with a Trusted Execution Environment (TEE), and the method comprises the following steps:
the user identity identification card receives a security authentication request initiated by the terminal equipment, wherein the security authentication request is sent to the terminal equipment by a server;
when the security authentication request passes, the user identity identification card receives data to be authenticated, which is sent by the terminal equipment, through a trusted application program, wherein the trusted application program runs in the TEE built in the user identity identification card;
the user identity identification card calls a trusted driver in the terminal equipment and controls external equipment of the terminal equipment by using the trusted driver, wherein the trusted driver is positioned at the bottom layer of an operating system of the terminal equipment, and the trusted driver and the TEE have a unique calling relationship;
and the user identity identification card carries out authentication operation on the data to be authenticated by using external equipment of the terminal equipment so as to obtain an authentication result, and sends the authentication result to the terminal equipment.
2. The method of claim 1, wherein before invoking the trusted driver in the terminal device and controlling the external device of the terminal device with the trusted driver, the method further comprises:
authenticating with the trusted driver through the trusted application;
and if the authentication is passed, determining that the trusted driver and the TEE have a unique calling relationship.
3. The method of claim 1, wherein after invoking the trusted driver in the terminal device and controlling the external device of the terminal device using the trusted driver, the method further comprises:
and controlling an external device of the terminal device to display a first target interface under the TEE, wherein the first target interface is used for receiving verification information input by a user, and the verification information comprises a Personal Identification Number (PIN) and/or user fingerprint information.
4. The method of claim 3, wherein after the external device controlling the terminal device presents the first target interface under the TEE, the method further comprises:
receiving the verification information sent by the trusted driver;
and if the verification information meets the preset condition, controlling external equipment of the terminal equipment to display a second target interface under the TEE, wherein the second target interface is used for displaying the information to be confirmed of the user and receiving the authentication confirmation information input by the user.
5. The method according to claim 4, wherein the performing the authentication operation on the data to be authenticated by using an external device of the terminal device comprises:
receiving the authentication confirmation information sent by the trusted driver;
and carrying out authentication operation on the data to be authenticated according to the authentication confirmation information.
6. The method of claim 1, wherein the sending the authentication result to the terminal device comprises:
and sending the authentication result to the terminal equipment by adopting a preset communication mode so that the terminal equipment sends the authentication result to the server, wherein the preset communication mode comprises at least one of Bluetooth, Near Field Communication (NFC) technology, wireless fidelity (WiFi) and Radio Frequency (RF) technology.
7. The method according to any one of claims 1 to 6, wherein after sending the authentication result to the terminal device, the method further comprises:
sending a peripheral control releasing instruction to the trusted driver through the trusted application program, so that the trusted driver stops controlling the external equipment of the terminal equipment according to the peripheral control releasing instruction;
or
and when receiving the authentication confirmation information sent by the trusted driver, determining that the trusted driver automatically stops controlling the external equipment of the terminal equipment.
8. A method for security authentication is applied to a security authentication system, and the security authentication system comprises a terminal device and a user identity identification card, wherein the user identity identification card is internally provided with a Trusted Execution Environment (TEE), and the method comprises the following steps:
the terminal equipment sends a security authentication request to the user identity identification card, wherein the security authentication request is sent to the terminal equipment by a server;
when the security authentication request passes, the terminal equipment sends data to be authenticated to a trusted application program in the user identity identification card, wherein the trusted application program runs in the TEE built in the user identity identification card;
the terminal equipment controls external equipment of the terminal equipment through a trusted driver, wherein the trusted driver is called by the user identity identification card, the trusted driver is positioned at the bottom layer of an operating system of the terminal equipment, and the trusted driver and the TEE have a unique calling relationship;
and the terminal equipment receives an authentication result sent by the user identity identification card, wherein the authentication result is obtained after the user identity identification card carries out authentication operation on the data to be authenticated.
9. The method of claim 8, wherein prior to controlling the external device of the terminal device via the trusted driver, the method further comprises:
authenticating with the trusted application through the trusted driver;
and if the authentication is passed, determining that the trusted driver and the TEE have a unique calling relationship.
10. The method of claim 8, wherein after controlling the external device of the terminal device through the trusted driver, the method further comprises:
displaying a first target interface under the TEE, wherein the first target interface is used for receiving authentication information input by a user, and the authentication information comprises a personal identification number PIN and/or user fingerprint information.
11. The method of claim 10, wherein after presenting the first target interface under the TEE, the method further comprises:
sending the verification information to the user identity identification card through the trusted driver;
and if the verification information meets the preset condition, displaying a second target interface under the TEE, wherein the second target interface is used for displaying the information to be confirmed of the user and receiving the authentication confirmation information input by the user.
12. The method of claim 11, wherein after presenting the second target interface under the TEE, the method further comprises:
and sending authentication confirmation information to the user identity identification card through the trusted driver so that the user identity identification card carries out authentication operation on the data to be authenticated according to the authentication confirmation information.
13. A user identity identification card for use in a security authentication system, the security authentication system further comprising a terminal device, wherein a Trusted Execution Environment (TEE) is built into the user identity identification card, and the user identity identification card comprises:
a receiving module, configured to receive a security authentication request initiated by the terminal device, where the security authentication request is sent to the terminal device by a server;
the receiving module being further configured to receive, by means of a trusted application program and when the security authentication request passes, the data to be authenticated sent by the terminal device, where the trusted application program runs in the TEE built into the user identity identification card;
a control module, configured to call a trusted driver in the terminal device and to control external equipment of the terminal device by using the trusted driver, wherein the trusted driver is located at the bottom layer of an operating system of the terminal device, and the trusted driver and the TEE have a unique calling relationship;
and an authentication module, configured to perform the authentication operation on the data to be authenticated received by the receiving module, by using the external equipment of the terminal device controlled by the control module, so as to obtain an authentication result, and to send the authentication result to the terminal device.
14. A terminal device for use in a security authentication system, the security authentication system further comprising a user identity identification card, wherein a Trusted Execution Environment (TEE) is built into the user identity identification card, and the terminal device comprises:
a sending module, configured to send a security authentication request to the user identity identification card, wherein the security authentication request is sent to the terminal device by a server;
the sending module being further configured to send the data to be authenticated to a trusted application program in the user identity identification card when the security authentication request passes, where the trusted application program runs in the TEE built into the user identity identification card;
a control module, configured to control external equipment of the terminal device through a trusted driver, wherein the trusted driver is called by the user identity identification card, the trusted driver is located at the bottom layer of an operating system of the terminal device, and the trusted driver and the TEE have a unique calling relationship;
and a receiving module, configured to receive an authentication result sent by the user identity identification card, wherein the authentication result is obtained after the user identity identification card performs the authentication operation on the data to be authenticated sent by the sending module.
15. A computer-readable storage medium storing instructions that, when executed on a computer, cause the computer to perform the method of any one of claims 1-12.
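The exchange the claims describe (a server-issued security authentication request relayed by the terminal, a trusted application in the card's TEE that drives the display through a trusted driver only the TEE may call, PIN entry on a first interface, confirmation of the data on a second, then the authentication operation and the result returned to the terminal) is walked through below as an added, constructed Python example. It is not code from the patent or its assignee. Everything concrete in it is an assumption made for the demo: the capability token that stands in for the "unique calling relationship" between driver and TEE, the HMAC keys K_REQ and K_AUTH, the PIN "1234", the scripted keypad input and the message layout. A real card would hold an asymmetric key, and the driver binding would be enforced by the OS or hardware, not by a token compared in Python.

```python
import hashlib
import hmac
import os

# Constructed keys (assumption, not from the patent): K_REQ protects the
# server's security authentication request; K_AUTH is the card-held key used
# for the authentication operation on the data to be authenticated.
K_REQ = b"constructed-request-protection-key"
K_AUTH = b"constructed-card-authentication-key"


def _mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


class TrustedDriver:
    """OS bottom-layer trusted driver. Its exclusive relationship with the
    TEE is modelled as a capability token minted for the TEE only
    (assumption); any other caller is refused before the display or keypad
    (the 'external equipment') is touched."""

    def __init__(self, tee_token):
        self._tee_token = tee_token
        self.screen = []   # lines shown on the trusted display
        self.keypad = []   # scripted user input, constructed for the demo

    def _check(self, caller_token):
        if not hmac.compare_digest(caller_token, self._tee_token):
            raise PermissionError("trusted driver: caller is not the TEE")

    def show(self, caller_token, text):
        self._check(caller_token)
        self.screen.append(text)

    def read_input(self, caller_token):
        self._check(caller_token)
        return self.keypad.pop(0)


class TrustedApp:
    """Trusted application running inside the identity card's TEE."""

    def __init__(self, driver, tee_token, pin):
        self.driver, self.token, self.pin = driver, tee_token, pin

    def request_passes(self, req):
        # The request 'passes' if its MAC under K_REQ checks out (assumption).
        return hmac.compare_digest(_mac(K_REQ, req["nonce"]), req["mac"])

    def authenticate(self, req, data):
        if not self.request_passes(req):
            return {"status": "request_rejected"}
        # First target interface: PIN entry drawn by the TEE, not the rich OS.
        self.driver.show(self.token, "Enter PIN")
        entered = self.driver.read_input(self.token).encode()
        if not hmac.compare_digest(entered, self.pin.encode()):
            return {"status": "verification_failed"}
        # Second target interface: show exactly what will be authenticated.
        self.driver.show(self.token, "Confirm: " + data.decode())
        if self.driver.read_input(self.token) != "OK":
            return {"status": "declined"}
        # Authentication operation: bind the result to the nonce and the data.
        return {"status": "ok", "result": _mac(K_AUTH, req["nonce"] + data)}


class Server:
    def new_request(self):
        nonce = os.urandom(16)
        return {"nonce": nonce, "mac": _mac(K_REQ, nonce)}

    def verify(self, req, data, result):
        return hmac.compare_digest(_mac(K_AUTH, req["nonce"] + data), result)


def run_flow(pin_entered, confirm, tamper_request=False,
             data=b"pay 100.00 to ACME"):
    """Terminal-side relay: forward the server's request, hand over the data
    to be authenticated, collect the result and let the server check it."""
    tee_token = os.urandom(16)
    driver = TrustedDriver(tee_token)
    card = TrustedApp(driver, tee_token, pin="1234")   # constructed PIN
    server = Server()
    req = server.new_request()
    if tamper_request:                     # request forged or altered in transit
        req = {"nonce": req["nonce"], "mac": bytes(32)}
    driver.keypad = [pin_entered, confirm]  # constructed user input
    outcome = card.authenticate(req, data)
    outcome["server_accepts"] = (outcome["status"] == "ok"
                                 and server.verify(req, data, outcome["result"]))
    outcome["screen"] = list(driver.screen)
    return outcome


def rich_os_app_tries_display():
    """A rich-OS application without the TEE token cannot paint a fake
    PIN prompt on the trusted display; returns True if it was refused."""
    driver = TrustedDriver(os.urandom(16))
    try:
        driver.show(b"\x00" * 16, "Enter PIN")
    except PermissionError:
        return True
    return False
```

The property the claims turn on is what `rich_os_app_tries_display` checks: because the driver refuses every caller except the TEE, nothing outside the TEE can repaint the PIN prompt or the confirmation text. On the other side, the server accepts only a result bound to its own nonce and to the exact data the user confirmed, so a wrong PIN, a declined confirmation or a forged request all stop the flow before any result exists.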
CN201710731168.3A 2017-08-23 2017-08-23 Security authentication method, related device and system Active CN107483213B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710731168.3A CN107483213B (en) 2017-08-23 2017-08-23 Security authentication method, related device and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710731168.3A CN107483213B (en) 2017-08-23 2017-08-23 Security authentication method, related device and system

Publications (2)

Publication Number Publication Date
CN107483213A CN107483213A (en) 2017-12-15
CN107483213B true CN107483213B (en) 2020-02-21

Family

ID=60602261

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710731168.3A Active CN107483213B (en) 2017-08-23 2017-08-23 Security authentication method, related device and system

Country Status (1)

Country Link
CN (1) CN107483213B (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108021823A (en) * 2017-12-04 2018-05-11 北京元心科技有限公司 Method, device and terminal for seamlessly running application program based on trusted execution environment
CN108449322B (en) * 2018-02-13 2020-09-04 环球鑫彩(北京)彩票投资管理有限公司 Identity registration and authentication method, system and related equipment
CN108596620A (en) * 2018-04-27 2018-09-28 北京华大智宝电子系统有限公司 Endorsement method and device
CN108965315A (en) * 2018-08-01 2018-12-07 深圳市中信网安认证有限公司 Trusted authentication method and apparatus for a terminal device, and terminal device
CN109413086B (en) * 2018-11-16 2020-11-24 创新先进技术有限公司 Method and device for checking identity information on line
CN109508562B (en) * 2018-11-30 2022-03-25 四川长虹电器股份有限公司 TEE-based trusted remote verification method
WO2020191547A1 (en) * 2019-03-22 2020-10-01 华为技术有限公司 Biometric recognition method and apparatus
CN110086609B (en) 2019-03-27 2020-10-09 华为技术有限公司 Method for safely backing up and safely recovering data and electronic equipment
CN114915555B (en) * 2022-04-27 2024-03-12 广州河东科技有限公司 Gateway drive communication method, device, equipment and storage medium
CN115474193B (en) * 2022-09-13 2024-05-24 中国联合网络通信集团有限公司 Supervision method, device, system, equipment and readable medium based on Internet of Vehicles

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016075622A1 (en) * 2014-11-11 2016-05-19 Simless, Inc. Communication with plurality of cellular networks using cellular modem and virtual subscriber identity modules stored in software-based embedded universal integrated circuit card (euicc)
CN105656890A (en) * 2015-12-30 2016-06-08 深圳数字电视国家工程实验室股份有限公司 FIDO (Fast Identity Online) authenticator, system and method based on TEE (Trusted Execution Environment) and wireless confirmation
CN107027115A (en) * 2017-04-18 2017-08-08 深圳融卡智能科技有限公司 A kind of device and method of the soft SIM card of application solutions

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016075622A1 (en) * 2014-11-11 2016-05-19 Simless, Inc. Communication with plurality of cellular networks using cellular modem and virtual subscriber identity modules stored in software-based embedded universal integrated circuit card (euicc)
CN105656890A (en) * 2015-12-30 2016-06-08 深圳数字电视国家工程实验室股份有限公司 FIDO (Fast Identity Online) authenticator, system and method based on TEE (Trusted Execution Environment) and wireless confirmation
CN107027115A (en) * 2017-04-18 2017-08-08 深圳融卡智能科技有限公司 A kind of device and method of the soft SIM card of application solutions

Also Published As

Publication number Publication date
CN107483213A (en) 2017-12-15

Similar Documents

Publication Publication Date Title
CN107483213B (en) Security authentication method, related device and system
CN109472166B (en) Electronic signature method, device, equipment and medium
CN109600223B (en) Verification method, activation method, device, equipment and storage medium
US20220330029A1 (en) Method for mutual recognition or mutual trust between bluetooth devices
EP4007321A1 (en) Information sharing method, terminal apparatus, storage medium, and computer program product
CN105515768B (en) Method, device and system for updating a key
US11488234B2 (en) Method, apparatus, and system for processing order information
EP3605989A1 (en) Information sending method, information receiving method, apparatus, and system
CN104579668B (en) User identity verification method, password protection apparatus and verification system
WO2015101273A1 (en) Security verification method, and related device and system
CN109768977B (en) Streaming media data processing method and device, related equipment and medium
CN108901020B (en) Network access method, mobile terminal and server
CN106845177A (en) Cipher management method and system
CN106550361B (en) Data transmission method, equipment and computer readable storage medium
CN105468952A (en) Authentication method and apparatus
CN110474864B (en) Method for registering and logging in mobile application program and electronic equipment
CN106255102B (en) Terminal equipment identification method and related equipment
CN111181909B (en) Identity information acquisition method and related device
CN111757320B (en) Method for starting vehicle and related equipment
CN110941821A (en) Data processing method, device and storage medium
CN105325021B (en) Method and apparatus for remote portable wireless device authentication
US20130073840A1 (en) Apparatus and method for generating and managing an encryption key
CN106713319B (en) Remote control method, device and system between terminals and mobile terminal
CN106447325B (en) NFC communication-based processing method and device and mobile terminal
WO2017166976A1 (en) Method, device, and system for distributing and verifying application service

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
EE01 Entry into force of recordation of patent licensing contract

Application publication date: 20171215

Assignee: HENGBAO Corp.

Assignor: BEIJING HUADA ZHIBAO ELECTRONIC SYSTEM Co.,Ltd.

Contract record no.: X2020990000515

Denomination of invention: A security authentication method, related device and system

Granted publication date: 20200221

License type: Common License

Record date: 20200923