Content of the invention
In view of this, one or more embodiments of this specification provide an identity authentication method and device based on a secure element (SE), with the aim of reducing the impact of authentication on the service.
Specifically, one or more embodiments of this specification are achieved by the following technical solution:
In a first aspect, there is provided an identity authentication method based on a secure element (SE), the method comprising:
receiving an SE initialization request sent by a client, the initialization request being used to request that a security environment in the SE be allocated to the service on the client side;
requesting, according to the initialization request, that the SE provider's trusted service management platform (SEI TSM) allocate a supplementary security domain (SSD) in the SE to the service as the security environment;
receiving the initialization directive returned by the SEI TSM and returning the initialization directive to the client, so that the client creates the SSD in the SE according to the initialization directive;
receiving a key update request for the successfully created SSD, and requesting a key from the SEI TSM;
encrypting the security applet of the service with the key distributed by the SEI TSM, and issuing the security applet to the client, so that the client installs the security applet into the SSD.
In a second aspect, there is provided an identity authentication method based on a secure element (SE), the method being executed by a client, the client comprising a calling interface module, an authentication client module and a secure element SE, the authentication client module and the SE being located in a trusted execution environment (TEE) of the client, the method comprising:
the calling interface module, upon detecting that the service requests allocation of a security environment in the SE, sending an SE initialization request to the server, the initialization request being used to trigger the server to request the SEI TSM to allocate a supplementary security domain (SSD) in the SE to the service;
the calling interface module receiving the initialization directive returned by the server, the initialization directive having been returned to the server by the SEI TSM, and sending the initialization directive to the SE through the OMA channel by which the SE is accessed from the untrusted environment, so that the SE creates the SSD for the service according to the initialization directive;
the calling interface module sending a key update request for the successfully created SSD to the server, so that the server requests a key from the SEI TSM;
the calling interface module receiving the security applet of the service, encrypted with the key distributed by the SEI TSM and sent by the server, and issuing the security applet into the SSD through the OMA channel for installation.
In a third aspect, there is provided an identity authentication device based on a secure element (SE), the device comprising:
a request receiving unit, configured to receive an SE initialization request sent by a client, the initialization request being used to request that a security environment in the SE be allocated to the service on the client side;
an initialization request unit, configured to request, according to the initialization request, that the SEI TSM allocate a supplementary security domain (SSD) in the SE to the service as the security environment;
an instruction feedback unit, configured to receive the initialization directive returned by the SEI TSM and return the initialization directive to the client, so that the client creates the SSD in the SE according to the initialization directive;
a key update unit, configured to receive a key update request for the successfully created SSD and to request a key from the SEI TSM;
an applet issuing unit, configured to encrypt the security applet of the service with the key distributed by the SEI TSM and to issue the security applet to the client, so that the client installs the security applet into the SSD.
In a fourth aspect, there is provided an identity authentication device based on a secure element (SE), the device comprising a calling interface module, an authentication client module and a secure element SE, the authentication client module and the SE being located in a TEE; the calling interface module comprising an initialization request unit, an instruction forwarding unit, a key request unit and an applet receiving unit;
the initialization request unit being configured to send an SE initialization request to the server upon detecting that the service requests allocation of a security environment in the SE, the initialization request being used to trigger the server to request the SEI TSM to allocate a supplementary security domain (SSD) in the SE to the service;
the instruction forwarding unit being configured to receive the initialization directive returned by the server, the initialization directive having been returned to the server by the SEI TSM, and to send the initialization directive to the SE through the OMA channel by which the SE is accessed from the untrusted environment, so that the SE creates the SSD for the service according to the initialization directive;
the key request unit being configured to send a key update request for the successfully created SSD to the server, so that the server requests a key from the SEI TSM;
the applet receiving unit being configured to receive the security applet of the service, encrypted with the key distributed by the SEI TSM and sent by the server, and to issue the security applet into the SSD through the OMA channel for installation.
In a fifth aspect, there is provided an identity authentication device, the device comprising a memory, a processor, and computer instructions stored in the memory and executable on the processor, the processor implementing the following steps when executing the instructions:
receiving an SE initialization request sent by a client, the initialization request being used to request that a security environment in the SE be allocated to the service on the client side;
requesting, according to the initialization request, that the SE provider's trusted service management platform (SEI TSM) allocate a supplementary security domain (SSD) in the SE to the service as the security environment;
receiving the initialization directive returned by the SEI TSM and returning the initialization directive to the client, so that the client creates the SSD in the SE according to the initialization directive;
receiving a key update request for the successfully created SSD, and requesting a key from the SEI TSM;
encrypting the security applet of the service with the key distributed by the SEI TSM, and issuing the security applet to the client, so that the client installs the security applet into the SSD.
In a sixth aspect, there is provided an identity authentication device, the device comprising a memory, a processor, and computer instructions stored in the memory and executable on the processor, the processor implementing the following steps when executing the instructions:
upon detecting that the service requests allocation of a security environment in the SE, sending an SE initialization request to the server, the initialization request being used to trigger the server to request the SEI TSM to allocate a supplementary security domain (SSD) in the SE to the service;
receiving the initialization directive returned by the server, the initialization directive having been returned to the server by the SEI TSM, and sending the initialization directive to the SE through the OMA channel by which the SE is accessed from the untrusted environment, so that the SE creates the SSD for the service according to the initialization directive;
sending a key update request for the successfully created SSD to the server, so that the server requests a key from the SEI TSM;
receiving the security applet of the service, encrypted with the key distributed by the SEI TSM and sent by the server, and issuing the security applet into the SSD through the OMA channel for installation.
In the SE-based identity authentication method and device of one or more embodiments of this specification, the server that authenticates the service requests the SEI TSM to perform SE initialization according to the client's initialization request, so that the whole SE initialization flow is carried out through forwarding by the server. This helps the third-party service control its traffic conveniently and avoids initialization failures caused by a large number of requests placing heavy load on the SEI TSM side, so that initialization of the SE security environment can be completed smoothly, the impact of authentication on the service is reduced, and the execution of subsequent services is prepared for.
Embodiments
In order that those skilled in the art may better understand the technical solutions in one or more embodiments of this specification, the technical solutions in one or more embodiments of this specification are described clearly and completely below with reference to the accompanying drawings of those embodiments. Evidently, the described embodiments are only some of the embodiments, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of one or more embodiments of this specification without creative effort shall fall within the scope of protection of this application.
For services executed on mobile terminals, a digital certificate can be used for signing in order to ensure the security of data transmission during service operation. Currently, many mobile terminals are equipped with a secure element (SE). The SE is generally provided in the form of a chip and, to prevent external malicious parsing attacks and protect data security, the chip usually contains encryption/decryption logic circuits. The above digital certificate can be stored in the SE.
Take a service running on a mobile terminal as an example; such a service may be called a third-party service. For example, the third-party service may be a payment application running on the client, and a security applet of the payment application can be stored in the SE. The security applet can be responsible for securing the transmission of service data while the payment application runs, for instance by encrypting it with the digital certificate. In one example, when the user interacts with the payment application, the application may be triggered to transmit service data with a high security requirement on the transmission. The security applet in the SE can then encrypt the service data according to the digital certificate before it is transmitted.
To issue a digital certificate to the SE, the SE usually allocates an SSD corresponding to the above third-party service, and the client can download the security applet and install it in the SSD. After the user has downloaded the security applet, a digital certificate must be applied for and installed before the applet can be used. The digital certificate can be applied for from a CA (Certificate Authority) by the security applet and is used for the encrypted transmission of the service data of the third-party service.
Fig. 1 is the architecture diagram of an application system for the SE-based identity authentication method of this disclosure. The system can be applied to issuing a digital certificate to the SE and to using the certificate, and it is described here with the IFAA (Internet Finance Authentication Alliance) participating in the processes of issuing and using the digital certificate as an example. As shown in Fig. 1, the system can include a server (service end) 11, a client 12 and an SEI TSM (Trusted Service Manager) 13. The server 11 corresponds to the server side for applying for the digital certificate; the client 12 can run the third-party service, for example a payment application running on a smartphone, and serves as the client side for applying for the digital certificate; and the SEI TSM 13 can be the trusted service management platform of the provider of the SE in the client 12, responsible for distributing and managing the SE.
Continuing with Fig. 1, the server 11 can include a CA 111, an IFAA TSM 112 and an authentication server module 113 (IFAA Authenticator Server). The certificate authority CA 111 can be an e-commerce certification center, the authoritative institution responsible for issuing and managing digital certificates. The IFAA TSM 112 can be the provider of the security applet of the third-party service on the client and can be responsible for the applet's life cycle. The authentication server module 113 corresponds to the authentication client module 124 (IFAA Authenticator Client) on the client 12 side, and the two cooperate to complete flows such as certificate issuance and use. The authentication server module 113 can communicate with the CA 111 and the IFAA TSM 112 respectively.
The client 12 can include a calling interface module (IFAA SDK, Software Development Kit) 121, an access interface module 122 and a trusted execution environment (TEE) 123. The calling interface module 121 can be called by the third-party service to trigger related flows such as applying for a digital certificate. For example, when the user operates the payment application to a certain step, the calling interface module 121 can be triggered to check whether the digital certificate corresponding to the payment application exists on the client; if so, the digital certificate can be used for the encrypted transmission of service data, otherwise the calling interface module 121 can continue to be called to apply for and use the digital certificate.
The access interface module 122 mainly provides the interfaces for accessing the TEE: the TEE Client within it is the call entry of the trusted environment, and the OMA channel is the channel through which the SE is accessed from the non-trusted environment. The TEE 123 can contain the above authentication client module 124 and the SE 125. The authentication client module 124 can receive the relevant instructions of the authentication server module 113 and process them; for example, if the authentication server module 113 has issued a digital certificate instruction, the authentication client module 124 can, according to the instruction, go to the security applet in the SE to obtain the data required for generating the certificate. The SE 125 can be used to store the security applet.
It can further be seen from Fig. 1 that on the client side there are two paths by which the calling interface module (IFAA SDK) 121 accesses the SE 125: one accesses the SE through the OMA channel, bypassing the TEE; the other accesses the TEE through the TEE Client and reaches the security applet in the SE via the authentication client module 124 in the TEE, for example to instruct the SE to submit the data required for generating the certificate.
On the basis of the above system architecture, the three stages related to the digital certificate are introduced in turn: security environment initialization, the certificate issuing process and the certificate using process. Before these three stages are described, some terms involved in the description are briefly explained to aid understanding.
The term "public/private key pair" can include a pair of associated cryptographic keys generated by an entity. The public key can be used for public functions, such as encrypting a message to be sent to the entity or verifying a digital signature supposedly made by the entity. The private key, on the other hand, can be used for private functions, such as decrypting a received message or applying a digital signature. The public key can usually be authorized by a body referred to as a certificate authority (CA), which stores the public key in a database and distributes it to any other entity that requests it. The private key is typically kept in a secure storage medium and is usually known only to the entity.
A "digital signature" can refer to the result of applying an algorithm based on a public/private key pair, which allows the signer to sign and allows a verifier to check the authenticity and integrity of a file. The signer works by means of the private key and the verifier by means of the public key. This process proves the authenticity and integrity of the signed file and the so-called non-repudiation of the sender, a principle that does not allow the signed content to be denied. A certificate or other data that includes the signer's digital signature is said to be "signed" by the signer.
A "digital certificate" can include an electronic file or data file that uses a digital signature to bind a public key to associated identity data. The certificate can include one or more data fields, such as the legal name of the identity, the serial number of the certificate, the start and end dates of the certificate's validity, and the permissions related to the certificate. The certificate can include a "valid from" date indicating the first day on which the certificate is valid and a "valid to" date indicating the last day on which it is valid. The certificate can also include a hash of the data in its data fields. Unless otherwise indicated, each certificate is signed by a certificate authority.
A certificate authority "CA" can include one or more server computers operably coupled to issue certificates to entities. The CA can prove its identity using a CA certificate, which includes the CA's public key. The CA can maintain a database of all certificates it has issued and can also maintain a list of certificates that have been revoked.
In a typical process, the certificate authority receives an unsigned certificate from an entity whose identity is known to it. The unsigned certificate includes a public key, one or more data fields and a hash of the data in the certificate. The CA signs the certificate with the private key corresponding to the public key included in the CA certificate. The CA can then store the signed certificate in a database and issue the signed certificate to the entity.
The security applet can be a small program attached to the application client of the third-party service; for example, it can be written in HTML, embedded in the web page of the payment application client, and executed under the control of the browser.
Security environment initialization
Before a digital certificate is applied for and used, the SSD can be created on the SE, its key updated and the security applet downloaded. The initialization process is illustrated by the flow shown in Fig. 2 and can include:
In step 200, the third-party service initializes the SE environment through the calling interface module.
For example, in the system shown in Fig. 1, the IFAA client can run on a mobile terminal, such as a smartphone.
The "third-party service" mentioned in this step may be, for example, a third-party application running on the mobile phone, such as a bank's website application or the payment application of a payment institution, which has high security requirements in some of its service processing and needs to use a digital certificate.
In this step, the third-party service can call the IFAA SDK 121 to start the initialization of the security environment in the SE. For example, when the user operates the payment application website and reaches the payment step, the payment application can be triggered to use a digital certificate; the payment application then calls the IFAA SDK 121 to determine whether a digital certificate exists on the mobile terminal. For the IFAA SDK 121, this amounts to detecting the instruction by which the third-party service requests allocation of a security environment in the SE.
In step 202, the calling interface module determines, through the OMA channel provided by the access interface module, whether the SE environment of the current device has been initialized, that is, whether the SE has already allocated a security environment to the third-party service.
In this step, as shown in Fig. 1, the IFAA SDK can call the access interface module 122 (IFAA Client) to access the SE through the OMA channel, in order to determine whether an SSD corresponding to the third-party service exists in the SE.
In step 204, if the SE has not been initialized, the calling interface module sends an SE initialization request to the server according to the result of the determination; the request is used to trigger the server to request the SEI TSM to allocate a supplementary security domain (SSD) in the SE to the third-party service.
In this step, according to the result fed back over the OMA channel, if no security environment has yet been initialized for the third-party service in the SE, the IFAA SDK can send an SE initialization request to the server, requesting that the SE be partitioned into SSDs and that one SSD be allocated to the third-party service of this example. In one example, the request can carry the service identifier of the third-party service, indicating that an SSD is requested for the service corresponding to that identifier. In the system diagram of Fig. 1, the initialization request can be forwarded to the IFAA TSM 112 by the authentication server module 113 on the server.
In step 206, the IFAA TSM requests the SEI TSM to initialize an SSD and receives the initialization directive returned by the SEI TSM.
In this step, the IFAA TSM 112 can, according to the client's initialization request, request the SEI TSM 13 to initialize an SSD, that is, to allocate an SSD in the SE to the third-party service on the client side as the security environment; the request is signed with the server's private key before it is issued. The SEI TSM 13 can check the legitimacy of the request and, after the signature has been verified successfully, generate the initialization directive and return it to the IFAA TSM 112.
In step 208, the IFAA TSM returns the initialization directive to the client, which sends it to the SE through the OMA channel, so that the SE creates an SSD for the third-party service according to the directive.
In this step, in the system architecture of Fig. 1, the IFAA TSM 112 sends the initialization directive returned by the SEI TSM 13 to the client, where it can be passed via the IFAA SDK and the OMA channel to the SE; according to the directive, the SE allocates the SSD corresponding to the third-party service of this example.
In step 210, after the SSD has been created successfully, the calling interface module sends a key update request for the SSD to the server, so that the server requests a key from the SEI TSM.
In this step, after the SSD has been created successfully, a key also needs to be distributed for the SSD in order to establish a secure channel for data transmission with the SSD. The IFAA SDK can request the key from the server; the request can likewise be forwarded by the authentication server module 113 of the server to the IFAA TSM 112. According to the request, the IFAA TSM 112 can request the key from the SEI TSM and obtain the initial key distributed by the SEI TSM (the initial key can also be delivered offline, by mail).
In step 212, the server can send the security applet, encrypted with the key, to the client.
For example, the IFAA TSM 112 of the server can be the platform that provides security applets and can provide the security applet (IFAA Applet) corresponding to the third-party service. The IFAA TSM 112 can encrypt the security applet of the third-party service with the key distributed by the SEI TSM and send the applet to the client. For example, the IFAA Applet can be encrypted with AES256CBC and then issued.
In step 214, the client issues the security applet to the SSD through the OMA channel for installation.
In this step, after the client has received the security applet, the IFAA SDK can write the security applet into the SSD in the SE through the OMA channel. With the creation of the SSD, the distribution of its key and the installation of the applet as described above, the security environment initialization of the third-party service is complete.
In the SE-based identity authentication method of this example, the server that authenticates the service requests the SEI TSM to perform SE initialization according to the client's initialization request, so that the whole SE initialization flow is carried out through forwarding by the server. This helps the third-party service control its traffic conveniently and avoids initialization failures caused by a large number of requests placing heavy load on the SEI TSM side, so that the SE security environment can complete initialization smoothly and is ready for the execution of subsequent services.
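The exchange of steps 204 to 214, as an added example that is not part of this specification or of any IFAA or SEI TSM implementation. It assumes an ECDSA P-256 key pair for the service end, a request carrying only the service identifier, an SSD identifier standing in for the initialization directive, and an HMAC-SHA256 tag over the AES256CBC package, which the page does not describe but which lets the client reject a modified applet before it is written into the SSD.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// InitRequest is the SE initialization request the service end forwards to SEI TSM (step 204); the field name is assumed.
type InitRequest struct {
	ServiceID string
}

// Digest is the value the service end signs and SEI TSM verifies.
func (r InitRequest) Digest() []byte {
	h := sha256.Sum256([]byte("se-init:" + r.ServiceID))
	return h[:]
}

// SEITSMInitialize is the SEI TSM side of step 206: verify the forwarded request under the
// service end's public key, then return the initialization directive (here: the SSD identifier).
func SEITSMInitialize(serviceEndPub *ecdsa.PublicKey, req InitRequest, sig []byte) (string, error) {
	if !ecdsa.VerifyASN1(serviceEndPub, req.Digest(), sig) {
		return "", errors.New("SE init request rejected: bad service end signature")
	}
	return "SSD:" + req.ServiceID, nil
}

// SEITSMIssueKey answers the key update request of step 210 with a fresh 32-byte initial key.
func SEITSMIssueKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func subkeys(key []byte) ([]byte, []byte) { // separate AES and HMAC keys from the SSD key
	e := sha256.Sum256(append([]byte("enc:"), key...))
	m := sha256.Sum256(append([]byte("mac:"), key...))
	return e[:], m[:]
}

// EncryptApplet is step 212: IFAA TSM encrypts the security applet with AES-256-CBC under the
// SSD key, as the page states. The HMAC-SHA256 tag appended here is an addition of this example.
func EncryptApplet(key, applet []byte) ([]byte, error) {
	enc, mac := subkeys(key)
	block, _ := aes.NewCipher(enc) // enc is always 32 bytes, so this cannot fail
	pad := aes.BlockSize - len(applet)%aes.BlockSize // PKCS#7 padding
	padded := append(append([]byte{}, applet...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded)) // IV || ciphertext
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	h := hmac.New(sha256.New, mac)
	h.Write(out)
	return h.Sum(out), nil // IV || ciphertext || tag
}

// InstallApplet is step 214 on the client: the package received over the OMA channel is checked
// and decrypted, and the applet bytes to write into the SSD are returned. The tag is verified first.
func InstallApplet(key, pkg []byte) ([]byte, error) {
	enc, mac := subkeys(key)
	if len(pkg) < 2*aes.BlockSize+sha256.Size {
		return nil, errors.New("applet package too short")
	}
	body, tag := pkg[:len(pkg)-sha256.Size], pkg[len(pkg)-sha256.Size:]
	h := hmac.New(sha256.New, mac)
	h.Write(body)
	if !hmac.Equal(h.Sum(nil), tag) {
		return nil, errors.New("applet package rejected: tag mismatch")
	}
	block, _ := aes.NewCipher(enc)
	plain := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(plain, body[aes.BlockSize:])
	pad := int(plain[len(plain)-1])
	if pad == 0 || pad > aes.BlockSize || pad > len(plain) {
		return nil, errors.New("applet package rejected: bad padding")
	}
	return plain[:len(plain)-pad], nil
}

func main() {
	serviceEnd, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // service end key pair
	req := InitRequest{ServiceID: "pay-app"}                         // constructed value
	sig, _ := ecdsa.SignASN1(rand.Reader, serviceEnd, req.Digest())
	ssdID, err := SEITSMInitialize(&serviceEnd.PublicKey, req, sig)
	key, _ := SEITSMIssueKey()
	pkg, _ := EncryptApplet(key, []byte("constructed IFAA applet bytes"))
	applet, installErr := InstallApplet(key, pkg)
	fmt.Println(ssdID, err, string(applet), installErr)
}
```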
Applying for and issuing a digital certificate
After security environment initialization is complete, the security applet can apply for a digital certificate for subsequent use. Fig. 3 shows an example flow for applying for a digital certificate, which can include:
In step 300, the third-party service calls the IFAA SDK to obtain client device information and certificate installation information, and determines whether a digital certificate for the third-party service exists on the current device.
For example, after the third-party service has called the IFAA SDK to initialize the SSD, it can call the IFAA SDK again to obtain client device information and certificate installation information, such as terminal information (for instance the terminal identifier of the mobile terminal on which the client runs) and whether a digital certificate has been installed on the current device for the third-party service. If a certificate already exists, the certificate using process shown in Fig. 4 can be performed; if there is no certificate, the device information collected in this step can be used to continue with the subsequent steps of this example and apply to the server for a digital certificate, continuing with step 302.
In step 302, the client sends a digital certificate instruction request to the server and receives the digital certificate instruction returned by the server.
For example, the third-party service calls the IFAA SDK to send a digital certificate instruction request to the server. The server can generate the digital certificate instruction by calling the CA service; the instruction is used to instruct the IFAA client side to request the IFAA Applet to generate certificate generation data, and the digital certificate instruction can be a CRS (certificate request file) instruction.
On the client side, as shown in the system architecture diagram of Fig. 1, the path of the CRS instruction can be: the IFAA SDK calls the TEE Client, which delivers the instruction to the authentication client module in the TEE.
In step 304, the authentication client module of the client obtains certificate generation data from the security applet in the SSD according to the digital certificate instruction, and returns the certificate generation data to the calling interface module.
For example, after the authentication client module IFAA Authenticator Client in the TEE has received the digital certificate instruction, it can parse it and assemble it into an APDU (Application Protocol Data Unit) instruction, requesting the security applet IFAA Applet in the SE to sign, that is, requesting the IFAA Applet to generate the certificate generation data, the CRS packet. The IFAA Applet can generate a public/private key pair and return the CRS packet signed with the private key; the packet can include the public key and the device information obtained in step 300, which can be, for example, the unique identifier of the mobile phone. The authentication client module can return the certificate generation data to the IFAA SDK.
In step 306, the client sends the certificate generation data to the server, so that the server sends the certificate generation data to the CA for signing to generate the digital certificate.
For example, after receiving the certificate generation data, the server can send it to the certificate authority CA, and the CA generates the digital certificate by signing according to the certificate generation data. The digital certificate signed and generated by the CA can also include information such as the certificate's validity period and issuing organization.
In step 308, the server sends the digital certificate to the client, and the client stores the certificate in the SE.
In this step, after the client has received the certificate, the IFAA SDK can call the TEE Client and, via the authentication client module in the TEE, store the digital certificate in the security applet. The security applet can subsequently use the digital certificate to sign the service data of the third-party service for transmission.
In the SE-based identity authentication method of this example, the digital certificate is issued through the TEE path, namely the TEE Client, then the IFAA Authenticator Client in the TEE, then the SE, so that the certificate issuing process is more secure.
Use of the digital certificate
After the digital certificate has been applied for and installed, it can be used during service execution to encrypt the transmission of service data, ensuring that the data transmission is safe and reliable. Fig. 4 illustrates the process of using the digital certificate; as shown in Fig. 4, it can include:
In step 400, the third-party service calls the IFAA SDK to obtain client device information and certificate installation information, determines whether a digital certificate for the third-party service exists on the current device and, if the result is that it exists, sends a signature instruction request to the server.
For example, if the third-party service calls the IFAA SDK and finds that the certificate has already been installed on the device, the third-party service can directly start using this certificate, which is the certificate using process of this example. In this step, the client can send a signature instruction request to the server, asking the server to generate a signature instruction.
In step 402, the client receives the signature instruction generated by the server and sends the instruction to the authentication client module in the TEE.
In this step, the server can send the signature instruction to the IFAA SDK of the client, and the IFAA SDK again calls the TEE Client to deliver the signature instruction to the authentication client module IFAA Authenticator Client in the TEE.
In step 404, the authentication client module instructs the security applet, according to the signature instruction, to sign the service data, and returns the signed service data to the calling interface module IFAA SDK.
In this step, the authentication client module can first perform local verification of the user (fingerprint verification or PIN code verification) and, after verification succeeds, request the security applet to sign the service data. The security applet IFAA Applet can encrypt and sign the service data of the third-party service with the private key corresponding to the digital certificate. The signed service data is returned to the IFAA SDK.
In step 406, the client sends the signed service data to the server, and the server verifies the signature on the service data.
In this step, the IFAA Applet returns the signed data, which is sent via the IFAA Authenticator Client and the IFAA SDK to the IFAA server. The authentication server module of the IFAA server can decrypt the signature with the public key corresponding to the digital certificate, to verify whether the data was sent by the client device.
In the SE-based identity authentication method of this example, the certificate using process also goes through the TEE path and therefore has higher security. Moreover, because certificate issuance and use go through the TEE path while the security environment initialization process uses the OMA channel, the two use different channels and do not interfere with each other. For example, suppose two third-party applications run on the client's mobile phone and both need to call the IFAA SDK to perform initialization and download a certificate; then one application can be initialized through the OMA channel while the other uses or is issued a certificate through the TEE path, ensuring that the services proceed in an orderly manner.
The execution order of the steps shown in the flow of the above method embodiment is not restricted to the order in the flowchart. In addition, each step described may be implemented in software, hardware, or a combination of the two; for example, a person skilled in the art may implement them as software code, that is, as computer-executable instructions capable of realizing the logic function corresponding to the step. When implemented in software, the executable instructions may be stored in a memory and executed by a processor of the device.
For example, corresponding to the above method, one or more embodiments of this specification also provide an identity authentication device, which may be the server corresponding to the IFAA TSM in Fig. 1. The device may include a processor, a memory, and computer instructions stored in the memory and runnable on the processor; by executing the instructions the processor realizes the following steps: receiving the SE initialization request sent by the client, the initialization request being used to request a security environment in the SE for the business of the client side; according to the initialization request, requesting the SE provider's trusted service management platform SEI TSM to allocate an auxiliary security domain SSD in the SE to the business as the security environment; receiving the initialization directive returned by the SEI TSM and returning the initialization directive to the client, so that the client performs the SSD division in the SE according to the initialization directive; receiving a key update request for the successfully divided SSD and requesting a key from the SEI TSM; encrypting the security application of the business with the key distributed by the SEI TSM and issuing the security application to the client, so that the client installs the security application into the SSD.
For example, corresponding to the above method, one or more embodiments of this specification also provide an identity authentication device, which may be a mobile terminal. The device may include a processor, a memory, and computer instructions stored in the memory and runnable on the processor; by executing the instructions the processor realizes the following steps: upon detecting that a business requests allocation of a security environment in the SE, sending an SE initialization request to the service end, the initialization request being used to trigger the service end to request the SEI TSM to allocate an auxiliary security domain SSD in the SE to the business; receiving the initialization directive returned by the service end, the initialization directive having been returned to the service end by the SEI TSM, and sending the initialization directive to the SE through the OMA channel by which the untrusted environment accesses the SE, so that the SE divides the SSD for the business according to the initialization directive; sending a key update request for the successfully divided SSD to the service end, so that the service end requests a key from the SEI TSM; receiving the security application of the business, encrypted with the key distributed by the SEI TSM, sent by the service end, and issuing the security application into the SSD through the OMA channel for installation.
To realize the above method, the disclosure also provides an SE-based identity authentication apparatus, which may be located at the service end. As shown in Fig. 5, the apparatus may include: a request receiving unit 51, an initialization request unit 52, an instruction feedback unit 53, a key update unit 54 and an application issuance unit 55. These units may all be located in the service end IFAA TSM illustrated in Fig. 1.
The request receiving unit 51 is configured to receive the SE initialization request sent by the client, the initialization request being used to request a security environment in the SE for the business of the client side;
The initialization request unit 52 is configured to request, according to the initialization request, that the SEI TSM allocate an auxiliary security domain SSD in the SE to the business as the security environment;
The instruction feedback unit 53 is configured to receive the initialization directive returned by the SEI TSM and return the initialization directive to the client, so that the client performs the SSD division in the SE according to the initialization directive;
The key update unit 54 is configured to receive a key update request for the successfully divided SSD and request a key from the SEI TSM;
The application issuance unit 55 is configured to encrypt the security application of the business with the key distributed by the SEI TSM and issue the security application to the client, so that the client installs the security application into the SSD.
In one example, as shown in Fig. 6, the SE-based identity authentication apparatus of this example may further include: an instruction request unit 61, an instruction issuance unit 62, a data forwarding unit 63 and a certificate forwarding unit 64. These units may be located in the authentication service end module of the service end.
The instruction request unit 61 is configured to receive the digital certificate instruction request sent by the client;
The instruction issuance unit 62 is configured to generate a digital certificate instruction according to the digital certificate instruction request and send the digital certificate instruction to the client, so that the client, according to the digital certificate instruction, obtains certificate generation data from the security application in the SSD;
The data forwarding unit 63 is configured to receive the certificate generation data sent by the client and send the certificate generation data to the certificate authority CA;
The certificate forwarding unit 64 is configured to send to the client the digital certificate that the CA generated by signing the certificate generation data, so that the client stores the digital certificate in the security application.
To realize the above method, the disclosure also provides an SE-based identity authentication apparatus. The apparatus may be located at the client and may include a calling interface module, an authentication client module and a secure element SE, the authentication client module and the SE being located in the TEE. Moreover, as shown in Fig. 7, the calling interface module of the apparatus may include: an initialization request unit 71, an instruction forwarding unit 72, a key request unit 73 and an application receiving unit 74.
The initialization request unit 71 is configured to send an SE initialization request to the service end upon detecting that a business requests allocation of a security environment in the SE, the initialization request being used to trigger the service end to request the SEI TSM to allocate an auxiliary security domain SSD in the SE to the business;
The instruction forwarding unit 72 is configured to receive the initialization directive returned by the service end, the initialization directive having been returned to the service end by the SEI TSM, and to send the initialization directive to the SE through the OMA channel by which the untrusted environment accesses the SE, so that the SE divides the SSD for the business according to the initialization directive;
The key request unit 73 is configured to send a key update request for the successfully divided SSD to the service end, so that the service end requests a key from the SEI TSM;
The application receiving unit 74 is configured to receive the security application of the business, encrypted with the key distributed by the SEI TSM, sent by the service end, and to issue the security application into the SSD through the OMA channel for installation.
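The SSD provisioning sequence described for the service end (units 51 to 55) and for the client (units 71 to 74) above, simulated end to end. This is an added example and not code from the patent or from any IFAA implementation: the SEI TSM, the SE, the service end and the two OMA hops are stand-ins written for the illustration. The page names no cipher for the initialization directive or for the issued security application, so AES-256-GCM, the issuer key shared between SEI TSM and SE, the content of the directive (the new SSD's key) and the business identifier "pay-app" are all assumptions. The one property the example is built to show is why the untrusted OMA channel is acceptable: the SE accepts a directive or an applet only if it authenticates under a key the channel never sees.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// The page names no cipher; AES-256-GCM is assumed here, and aad binds each blob to its business.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil // nonce || ciphertext || tag
}

func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a nil key (no SSD divided) fails here
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// SEITSM stands in for the SE provider's TSM; issuerKey is shared with the SE at personalisation.
type SEITSM struct {
	issuerKey []byte
	ssdKeys   map[string][]byte // business -> key of the SSD created for it
}

// SSDDirective is the initialization directive (assumed content): a fresh SSD key sealed under the issuer key.
func (t *SEITSM) SSDDirective(business string) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	t.ssdKeys[business] = key
	return seal(t.issuerKey, key, []byte(business))
}

type SE struct { // stands in for the secure element
	issuerKey     []byte
	ssds, applets map[string][]byte // per business: SSD key, installed applet
}

// ApplyDirective divides the SSD only if the directive authenticates under the issuer key.
func (se *SE) ApplyDirective(business string, directive []byte) error {
	key, err := open(se.issuerKey, directive, []byte(business))
	if err == nil {
		se.ssds[business] = key
	}
	return err
}

// InstallApplet decrypts the issued application with the SSD key; no divided SSD, no install.
func (se *SE) InstallApplet(business string, encrypted []byte) error {
	applet, err := open(se.ssds[business], encrypted, []byte(business))
	if err == nil {
		se.applets[business] = applet
	}
	return err
}

// Server stands in for the service end (IFAA TSM), units 51 to 55 above: it relays the
// SEI TSM directive to the client and issues the applet encrypted with the SSD key.
type Server struct{ tsm *SEITSM }

func (s *Server) HandleInitRequest(business string) ([]byte, error) { return s.tsm.SSDDirective(business) }

func (s *Server) HandleKeyUpdate(business string, applet []byte) ([]byte, error) {
	key, ok := s.tsm.ssdKeys[business]
	if !ok {
		return nil, errors.New("no SSD divided for " + business)
	}
	return seal(key, applet, []byte(business))
}

func NewSystem() (*Server, *SE) {
	issuerKey := []byte("constructed-32-byte-issuer-key!!") // constructed, shared by SEI TSM and SE
	tsm := &SEITSM{issuerKey: issuerKey, ssdKeys: map[string][]byte{}}
	return &Server{tsm: tsm}, &SE{issuerKey: issuerKey, ssds: map[string][]byte{}, applets: map[string][]byte{}}
}

func main() {
	srv, se := NewSystem()
	directive, _ := srv.HandleInitRequest("pay-app") // 1. SE initialization request
	fmt.Println("SSD division:", se.ApplyDirective("pay-app", directive)) // 2. directive over OMA
	enc, _ := srv.HandleKeyUpdate("pay-app", []byte("IFAAApplet (constructed)")) // 3. key update
	fmt.Println("applet install:", se.InstallApplet("pay-app", enc)) // 4. install into the SSD
}
```

The client code between the service end and the SE is deliberately absent: everything it forwards over the OMA channel is opaque to it, which is the property the method relies on when it lets the untrusted environment carry the initialization directive and the encrypted security application.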
In one example, as shown in Fig. 8, the calling interface module may further include: an instruction request unit 81, an instruction receiving unit 82, a data transmission unit 83 and a certificate receiving unit 84.
The instruction request unit 81 is configured to send a digital certificate instruction request to the service end;
The instruction receiving unit 82 is configured to receive the digital certificate instruction returned by the service end according to the digital certificate instruction request, and to send the digital certificate instruction to the authentication client module;
The authentication client module is configured to obtain certificate generation data from the security application in the SSD according to the digital certificate instruction, and to return the certificate generation data to the data transmission unit;
The data transmission unit 83 is configured to send the certificate generation data to the service end, so that the service end sends the certificate generation data to the CA for signing to generate a digital certificate;
The certificate receiving unit 84 is configured to receive the digital certificate returned by the service end and to send the digital certificate to the security application through the authentication client module.
In one example, as shown in Fig. 9, the calling interface module may further include: a signature command request unit 91, a signature command receiving unit 92 and a data transmission unit 93.
The signature command request unit 91 is configured to send a signature command request to the service end;
The signature command receiving unit 92 is configured to receive the signature command returned by the service end according to the signature command request, and to send the signature command to the authentication client module;
The authentication client module is configured to request, according to the signature command, that the security application sign the business data according to the digital certificate, and to return the signed business data to the data transmission unit;
The data transmission unit 93 is configured to send the signed business data to the service end, so that the service end performs signature verification on the business data.
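The certificate-use process of steps 402 to 406 above, and the signature command request unit 91, signature command receiving unit 92 and data transmission unit 93 just described, as an added example that is not part of the patent or of any IFAA code. The authenticator client, the applet key, the authentication service end module, the fingerprint/PIN hook and the self-signed certificate that stands in for the CA-issued device certificate are all constructed for this illustration; the page names no signature algorithm, so ECDSA P-256 over SHA-256 is an assumption. The example also adds a per-request challenge that the service end consumes after one verification, which the page does not mention; it is there to show that "verify whether the data was sent by the client device" needs the service end to check the signature against what it itself asked to be signed, not merely against any data the client returns.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignCommand is the signature command the service end generates; Challenge is an assumed nonce.
type SignCommand struct{ Challenge, BusinessData []byte }

// digest is what the applet signs: SHA-256 over challenge and business data.
func (c SignCommand) digest() []byte {
	h := sha256.New()
	h.Write(c.Challenge)
	h.Write(c.BusinessData)
	return h.Sum(nil)
}

// AuthClient stands in for IFAAAuthenticatorClient in the TEE; priv is the IFAAApplet key in the
// SSD, localVerify a hypothetical hook for the fingerprint or PIN check of step 404.
type AuthClient struct {
	priv        *ecdsa.PrivateKey
	localVerify func() bool
}

// Sign is step 404: local user verification first, then the applet signs.
func (a *AuthClient) Sign(cmd SignCommand) ([]byte, error) {
	if !a.localVerify() {
		return nil, errors.New("local user verification failed; nothing signed")
	}
	return ecdsa.SignASN1(rand.Reader, a.priv, cmd.digest())
}

// ProvisionDevice creates the device key pair and a self-signed certificate standing in for the CA-issued one.
func ProvisionDevice(userPresent bool) (*AuthClient, *x509.Certificate, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &AuthClient{priv: priv, localVerify: func() bool { return userPresent }}, cert, err
}

// AuthServer stands in for the authentication service end module: device certificate plus open challenges.
type AuthServer struct {
	cert    *x509.Certificate
	pending map[string]SignCommand
}

// IssueSignCommand answers the signature command request: generate the command and remember what was asked.
func (s *AuthServer) IssueSignCommand(businessData []byte) (SignCommand, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return SignCommand{}, err
	}
	cmd := SignCommand{Challenge: challenge, BusinessData: append([]byte(nil), businessData...)}
	s.pending[hex.EncodeToString(challenge)] = cmd
	return cmd, nil
}

// VerifySignature is step 406: verify with the certificate's public key over the data the server
// itself requested, then consume the challenge so a replayed response is rejected.
func (s *AuthServer) VerifySignature(challenge, sig []byte) error {
	key := hex.EncodeToString(challenge)
	cmd, ok := s.pending[key]
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	pub, ok := s.cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, cmd.digest(), sig) {
		return errors.New("signature does not verify against the device certificate")
	}
	delete(s.pending, key)
	return nil
}

func main() {
	client, cert, _ := ProvisionDevice(true)
	srv := &AuthServer{cert: cert, pending: map[string]SignCommand{}}
	cmd, _ := srv.IssueSignCommand([]byte("order=42;amount=9.99")) // constructed business data
	sig, _ := client.Sign(cmd)
	fmt.Println("first verification:", srv.VerifySignature(cmd.Challenge, sig))
	fmt.Println("replayed response:", srv.VerifySignature(cmd.Challenge, sig))
}
```

The private key never leaves the applet stand-in, the local verification gates every signature as step 404 requires, and the service end holds only the certificate; those three placements are what the method's separation of TEE and service end amounts to in code.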
The apparatus or modules illustrated in the above embodiments may be realized by a computer chip or entity, or by a product having a certain function. A typical realizing device is a computer, whose concrete form may be a personal computer, a laptop computer, a cellular phone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an e-mail transceiver, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above apparatus is described by dividing it into various modules by function. Of course, when implementing one or more embodiments of this specification, the functions of the modules may be realized in the same or in multiple pieces of software and/or hardware.
Those skilled in the art should understand that one or more embodiments of this specification may be provided as a method, a system, or a computer program product. Therefore, one or more embodiments of this specification may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, one or more embodiments of this specification may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical memory, etc.) containing computer-usable program code.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, which implement the function specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the function specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
It should also be noted that the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. In the absence of further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
One or more embodiments of this specification may be described in the general context of computer-executable instructions, such as program modules, executed by a computer. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. One or more embodiments of this specification may also be practiced in distributed computing environments, where tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in local and remote computer storage media, including storage devices.
The embodiments in this specification are described in a progressive manner; identical or similar parts of the embodiments may be referred to each other, and each embodiment focuses on its differences from the other embodiments. In particular, the embodiments of the data collection device or data processing device are described relatively briefly because they are substantially similar to the method embodiments; for the relevant parts, refer to the corresponding explanation of the method embodiments.
The foregoing describes specific embodiments of this specification. Other embodiments fall within the scope of the appended claims. In some cases, the actions or steps recited in the claims may be performed in an order different from that in the embodiments and still achieve the desired result. In addition, the processes depicted in the accompanying drawings do not necessarily require the particular order shown, or a sequential order, to achieve the desired result. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
The foregoing are merely preferred embodiments of one or more embodiments of this specification and are not intended to limit the disclosure. Any modification, equivalent substitution, improvement and the like made within the spirit and principle of the disclosure shall fall within the scope of protection of the disclosure.