CN107682159A - The trusted application management method and trusted application management system of a kind of intelligent terminal - Google Patents


Info

Publication number
CN107682159A
Authority
CN
China
Prior art keywords: management, trusted application, tee, message, management modules
Legal status: Granted
Application number
CN201710946837.9A
Other languages
Chinese (zh)
Other versions
CN107682159B (en)
Inventor
高雁
成秋良
Current Assignee
Beijing Watchdata Ltd By Share Ltd
Beijing WatchData System Co Ltd
Beijing WatchSmart Technologies Co Ltd
Original Assignee
Beijing Watchdata Ltd By Share Ltd
Beijing WatchSmart Technologies Co Ltd
Events
Application filed by Beijing Watchdata Ltd By Share Ltd and Beijing WatchSmart Technologies Co Ltd
Priority to CN201710946837.9A
Publication of CN107682159A
Application granted
Publication of CN107682159B
Legal status: Active

Classifications

    • H04L9/3265 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate chains, trees or paths; Hierarchical trust model
    • G06F21/57 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems; Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload, wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L67/06 Network arrangements or protocols for supporting network services or applications; Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L67/34 Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The invention discloses a trusted application management method for an intelligent terminal. The mobile intelligent terminal 1 has a TA management module 4 and a TEE management module 5, the TEE management module 5 being arranged in the trusted execution environment (TEE). Through the TA management module 4, the TEE management module 5 establishes with the TA management server 2 a secure channel 100 for transmitting information and instructions; information and instructions in the secure channel 100 are transmitted in ciphertext form. Trusted applications for download are provided on the TA management server 2. The TA management module 4 sends a request to download a trusted application, and the TA management server 2 delivers the trusted application 21 over the secure channel 100 to the TEE management module 5 for installation or updating.

Description

The trusted application management method and trusted application management system of a kind of intelligent terminal
Technical field
The present invention relates to mobile communication technology, and in particular to a trusted application management method and a trusted application management system for an intelligent terminal.
Background technology
The development of mobile communication technology has driven the rapid development of mobile terminal technology, and the mobile intelligent terminal has become the development trend of mobile terminals. The mobile intelligent terminal is no longer a simple voice-call instrument; while its popularization has brought people great convenience, it has also brought significant potential safety hazards.
TEE (Trusted Execution Environment) is a technical scheme proposed to address the security risks of current mobile intelligent terminals. A TEE constructs a secure operating environment isolated from the operating system of the mobile intelligent terminal (such as the Android system). The TEE provides a secure execution environment for authorized security software (trusted applications).
In existing technical schemes based on a trusted execution environment, trusted applications are preset in the image of the mobile intelligent terminal, or preset in the third-party application that calls the trusted application.
If a trusted application is preset in the image of the mobile intelligent terminal, then whenever a trusted application changes, a complete image of the mobile intelligent terminal must be reissued. For the intelligent terminal manufacturer, the workload of issuing a terminal image is enormous and the risk is considerable, so updating a built-in trusted application is costly. For the end user of the mobile intelligent terminal, updating a single trusted application requires downloading a complete terminal image, which takes a long time.
If a trusted application is preset in a third-party application, then because a trusted application is usually an application program encoded in a format specific to a single hardware platform (such as the ARM platform or the Intel platform), the third-party application must package the trusted application per platform, and downloading the trusted application becomes more complicated. After the third-party application is downloaded, the trusted application must still be installed before it can be used normally, and its installation is a complicated process.
The object of the invention is to provide a trusted application management method and system that can download and update trusted applications without relying on the intelligent terminal image or on third-party applications.
Summary of the invention
The first technical scheme of the invention is a trusted application management system for an intelligent terminal, characterised in that it comprises a terminal (1) and a TA management server (2),
the terminal (1) having a TA management module (4) and a TEE management module (5) that are preset or installed by download, the TEE management module (5) being arranged in the trusted execution environment, and the TA management module (4) being used for managing the download, update and deletion of trusted applications,
trusted applications for download being stored on the TA management server (2), each trusted application comprising at least a trusted application image,
the TA management module (4) sending a request to download a trusted application, or sending a request to download a trusted application in response to a download/update request from a third-party application,
the TA management server (2) sending the corresponding trusted application (21) to the terminal (1) according to the download request of the TA management module (4),
and the TEE management module (5) performing the installation or update of the trusted application (21).
The second technical scheme is based on the first technical scheme, characterised in that
a secure channel (100) is established between the TEE management module (5) and the TA management server (2) through the TA management module (4),
and the information and instructions related to downloading, updating and deleting the trusted application (21) are transmitted through the secure channel (100).
The third technical scheme is based on the second technical scheme, characterised in that the TEE management module (5) sends messages to the TA management server (2) over the secure channel (100) in encrypted form, decrypts the feedback messages sent by the TA management server (2), and performs the corresponding operation according to the content of the feedback message,
and the TA management server (2) decrypts the messages sent by the TEE management module (5), generates a feedback message according to the message content, and sends the feedback message to the TEE management module (5) over the secure channel (100) in encrypted form.
The fourth technical scheme is based on the third technical scheme, characterised in that the encryption uses a three-level digital certificate architecture: the TA management server (2) holds the root certificate, the manufacturer of the terminal (1) holds the second-level certificate, and the terminal (1) holds the third-level certificate. The TEE management module (5) encrypts the message with the root certificate to generate an encrypted message, which is sent together with the certificate chain to the TA management server (2) over the secure channel (100); the TA management server (2) encrypts the feedback message with the third-level certificate of the terminal (1) to generate an encrypted feedback message, which is sent to the TEE management module (5) over the secure channel (100).
The fifth technical scheme is based on the third technical scheme, characterised in that the encryption uses a three-level digital certificate architecture: the TA management server (2) holds the root certificate, the manufacturer of the terminal (1) holds the second-level certificate, and the terminal (1) holds the third-level certificate. The TEE management module (5) encrypts the message with a random-number key to generate an encrypted message, then encrypts the random number with the root certificate; the random-number encryption result is sent together with the encrypted message and the certificate chain to the TA management server (2) over the secure channel (100). The TA management server (2) encrypts the feedback message with a random-number key and encrypts the random number with the third-level certificate of the terminal (1); the random-number encryption result and the encrypted feedback message are sent to the TEE management module (5) over the secure channel (100).
The sixth technical scheme is based on the fourth or fifth technical scheme, characterised in that
after completing encryption, the TEE management module (5) signs the encrypted message and the certificate chain, or the random-number encryption result together with the encrypted message and the certificate chain, and then sends them to the TA management server (2) over the secure channel (100); and the TA management server (2) signs the feedback message, or the random-number encryption result together with the encrypted feedback message, and then sends them to the TEE management module (5) over the secure channel (100).
The seventh technical scheme is based on the sixth technical scheme, characterised in that the TEE management module (5) stores the downloaded trusted application in the trusted execution environment, or stores it encrypted in the REE environment.
The eighth technical scheme is based on the seventh technical scheme, characterised in that the instructions sent by the TA management module (4) or the TA management server (2) include an instruction to delete a trusted application,
and the TEE management module (5) deletes the trusted application installed in the trusted execution environment according to the instruction to delete the trusted application.
The ninth technical scheme is a trusted application management method for an intelligent terminal, characterised in that it comprises the following steps:
Step 1: trusted applications (21) for download are set up on the TA management server (2);
Step 2: a TEE management module (5) is set up in the trusted execution environment of the terminal (1);
Step 3: a TA management module (4) is preset in the terminal (1) or installed by download;
Step 4: the TA management module (4) initiates a request to download a trusted application, or sends a request to download a trusted application in response to a download/update request from a third-party application;
Step 5: the TA management server (2) sends the corresponding trusted application (21) to the terminal (1) according to the request to download the trusted application;
Step 6: the TEE management module (5) performs the installation or update of the trusted application (21).
The tenth technical scheme is based on the ninth technical scheme, characterised in that in step 4 and step 5 a secure channel (100) is established between the TEE management module (5) and the TA management server (2) through the TA management module (4), and the instructions and information related to downloading, updating and deleting the trusted application (21) are transmitted through the secure channel (100).
The eleventh technical scheme is based on the tenth technical scheme, characterised in that
step 4 comprises the following steps:
Step 41: the TEE management module (5) encrypts the generated message to produce an encrypted message, which contains the encrypted request to download a trusted application, or the encrypted status information of the current state of the terminal (1), or the response result of an install, update or delete operation on a trusted application;
Step 42: the TEE management module (5) sends the encrypted message to the TA management server (2) over the secure channel (100);
step 5 comprises the following steps:
Step 51: the TA management server (2) decrypts the encrypted message and generates a feedback message according to its content, the feedback message containing a request for the current state of the terminal (1), the corresponding trusted application (21), or result information;
Step 52: the TA management server (2) encrypts the feedback message;
Step 53: the TA management server (2) sends the encrypted feedback message to the TEE management module (5) over the secure channel (100);
and step 6 comprises the following step:
Step 61: the TEE management module (5) decrypts the feedback message of the TA management server (2) and performs the corresponding operation according to the content of the feedback message.
The twelfth technical scheme is based on the eleventh technical scheme, characterised in that
in step 41, the TEE management module (5) encrypts the message with the root certificate of the TA management server (2);
in step 42, the TEE management module (5) sends the encrypted message together with the certificate chain to the TA management server (2) over the secure channel (100);
in step 51, the TA management server (2) decrypts the encrypted message with the corresponding private key;
in step 52, the TA management server (2) encrypts the feedback message with the third-level certificate held by the terminal (1);
in step 53, the TA management server (2) sends the encrypted feedback message to the TEE management module (5) over the secure channel (100);
in step 61, the TEE management module (5) decrypts the feedback message of the TA management server (2) with the corresponding private key.
The thirteenth technical scheme is based on the eleventh technical scheme, characterised in that
in step 41, the TEE management module (5) encrypts the message with a random-number key and encrypts the random number with the root certificate of the TA management server (2);
in step 42, the TEE management module (5) sends the encrypted message, the random-number encryption result and the certificate chain together to the TA management server (2) over the secure channel (100);
in step 51, the TA management server (2) decrypts the random number with the corresponding private key and decrypts the encrypted message with the random-number key;
in step 52, the TA management server (2) encrypts the feedback message with a random-number key and encrypts the random number with the third-level certificate held by the terminal (1), the random number being either the random number contained in the encrypted message sent by the terminal or a random number generated by the TA management server (2) itself;
in step 53, the TA management server (2) sends the encrypted feedback message to the TEE management module (5) over the secure channel (100);
in step 61, the TEE management module (5) decrypts the random number with the corresponding private key and decrypts the feedback message with the random-number key.
The fourteenth technical scheme is based on the twelfth or thirteenth technical scheme, characterised in that
in step 42, the TEE management module (5) signs the encrypted message and the certificate chain, or the encrypted message, the random-number encryption result and the certificate chain, before sending them to the TA management server (2);
in step 53, the TA management server (2) signs the encrypted feedback message, or the encrypted random number and the encrypted feedback message, before sending them to the TEE management module (5).
The fifteenth technical scheme is based on any one of the ninth to thirteenth technical schemes, characterised in that
in step 6, the TEE management module (5) installs the downloaded trusted application (21) in the trusted execution environment, or stores it encrypted in the REE environment.
The sixteenth technical scheme is based on the fifteenth technical scheme, characterised in that
in step 6, the TEE management module (5) deletes an installed trusted application according to an instruction to delete the trusted application sent by the TA management module (4) or the TA management server (2).
The seventeenth technical scheme is based on the eleventh technical scheme, characterised in that
in step 41, the status information of the current state includes the terminal model, information on all trusted applications, and security domain information; in step 51, the request for the current state includes a request for the terminal model and for information on all trusted applications.
Effects of the invention:
Since trusted applications need not be preset in the terminal image or in third-party applications, when a trusted application changes the terminal (1) can download that trusted application on its own and install or update it. Because neither the whole terminal image needs to be downloaded nor the trusted application packaged per hardware platform of the terminal, downloading and installing trusted applications becomes very convenient.
Throughout the download process a secure channel can be established, so that the trusted application and the instructions and information of the download process are transmitted in encrypted form, ensuring the security of the trusted application.
Brief description of the drawings
Fig. 1 is a structural schematic of the trusted application management system;
Fig. 2 is a flow chart of a mobile intelligent terminal downloading a trusted application;
Fig. 3 is a sequence diagram of a mobile intelligent terminal downloading a trusted application.
Embodiment
Embodiments of the invention are described in detail below with reference to the drawings.
Fig. 1 is a structural schematic of the trusted application management system. As shown in Fig. 1, the system comprises a mobile intelligent terminal (terminal) 1 and a TA management server (trusted application management server) 2. The terminal 1 has a TA management module 4 and a TEE management module 5, which are preset or installed by download; the TEE management module 5 is arranged in the trusted execution environment, while the TA management module 4 runs in the REE environment and manages the download, update and deletion of trusted applications in the mobile intelligent terminal 1. Trusted applications for download are stored on the TA management server 2; each trusted application comprises at least a trusted application image.
The TA management module 4 detects a trusted-application download request raised on the mobile intelligent terminal 1 and, according to it, sends a request to download the trusted application; the TA management server 2 sends the corresponding trusted application 21 to the terminal 1 according to the request, and the TEE management module 5 performs the installation or update, or stores the trusted application 21 encrypted in the REE environment.
The download request raised on the mobile intelligent terminal 1 may be an instruction entered by the user through the human-machine interface, or a request initiated by a third-party application 3.
The embodiments are illustrated below taking a third-party application as the example.
In this embodiment, a third-party application 3 is an untrusted application program, other than the TA management module 4, that runs in the rich execution environment (REE). The third-party application 3 may be user software such as a bank client (APP) issued by a banking system; the trusted application 21 is associated with the user software and provides security protection for sensitive user information such as a mobile wallet. The third-party application 3 may be software preset in the mobile intelligent terminal 1, or may be installed on the mobile intelligent terminal 1 by download.
In the invention, the trusted application associated with the third-party application 3 is neither preset in the image of the mobile intelligent terminal 1 nor preset in the third-party application 3. Initially, therefore, only the third-party application 3 exists, and there is no trusted application associated with it in the mobile intelligent terminal 1; the trusted application must be installed on the mobile intelligent terminal 1 by download. The TA management module 4 periodically checks, or receives from the TA management server 2, trusted application version information, compares it with the installed trusted application, and downloads the trusted application to update it. When a request to delete a trusted application is raised on the mobile intelligent terminal 1, the TA management module 4 deletes the corresponding trusted application. The TA management module 4 thus manages the whole life cycle of a trusted application.
After the trusted application has been downloaded to the mobile intelligent terminal 1, its installation and update are performed by the TEE management module 5. Under the management of the TA management module 4, the TEE management module 5 also performs the deletion of trusted applications.
The TA management server 2 provides the trusted application download service. It stores at least the trusted application image 21 associated with the third-party application 3; on receiving the trusted application download request initiated by the third-party application 3, the TA management server 2 sends the trusted application image 21 corresponding to the third-party application 3 to the mobile intelligent terminal 1 over the secure channel 100.
In the invention, the secure channel 100 is established by encrypting the information and instructions. Establishing the secure channel is not essential to the invention: the trusted application can equally be downloaded and installed without a secure channel.
When the third-party application 3 sends a download request, the TA management module 4 processes the request and obtains the package name of the third-party application and device status information such as the mobile intelligent terminal model and the security domain. The download request information and characteristic information such as the package name of the third-party application and the terminal model are encapsulated by the TEE management module 5 and then sent to the TA management server 2 by the TA management module 4.
Because the encapsulated request information and device status information carry the content related to the secure channel 100, only the TA management server 2 can parse the request message and the device status information, which ensures the security of the information.
The TA management server 2 parses the encapsulated information, processes it according to the request data, and obtains feedback information. The feedback information contains a request for the current state of the device, or the complete image of the trusted application to be installed, or a request to delete a trusted application image, or other information.
The TA management server 2 encapsulates the feedback information, again with content related to the secure channel 100. Therefore only the mobile intelligent terminal 1 that sent the request can parse this encapsulated information, which ensures the security of the information.
The TA management module 4 relays the information encapsulated by the TA management server 2 to the TEE management module 5, and the information encapsulated by the TEE management module 5 to the TA management server 2, until the information that one party feeds back to the TA management module 4 is the final operation result.
As the implementation of the secure channel 100, this embodiment uses a three-level digital certificate architecture: the TA management server 2 holds the root certificate, the manufacturer of the mobile intelligent terminal 1 holds the second-level certificate, and the mobile intelligent terminal 1 holds the third-level certificate. At least the third-level certificate and the root certificate are stored in the mobile intelligent terminal 1, and the root certificate is stored in the TA management server 2.
When the TEE management module 5 sends information to the TA management server 2, it first generates a group of random numbers, encrypts the message with this random-number key, then encrypts the random numbers with the stored root certificate of the TA management server 2, and sends the encrypted message, the random-number encryption result and the certificate chain together to the TA management server 2 over the secure channel 100.
The TA management server 2 first decrypts the random numbers with the corresponding private key, then decrypts the message with the random-number key to obtain the original plaintext.
When the TA management server 2 generates a feedback message, it likewise first generates a group of random numbers, encrypts the message with this random-number key, then encrypts the random numbers with the certificate of the mobile intelligent terminal 1, and feeds the encrypted message and the random-number encryption result back together to the TA management module 4 over the secure channel 100.
The TA management server 2 need not generate the random-number key it encrypts with by itself; it may instead encrypt with the random-number key contained in the encrypted message sent by the mobile intelligent terminal.
Because what is transmitted between the TA management server 2 and the TEE management module is ciphertext, the channel 100 that carries the information and instructions is a secure channel.
When sending a message, the TEE management module 5 may also sign the encrypted message and the certificate chain, or the encrypted message, the random-number encryption result and the certificate chain, before sending them to the TA management server 2. Likewise, the TA management server 2 may sign the encrypted feedback message, or the encrypted random numbers and the encrypted feedback message, before sending them to the TEE management module 5. Signing further improves the security of the information. The embodiment of downloading and installing a trusted application image on the mobile intelligent terminal is described below.
Fig. 2 is a flow chart of downloading and installing a trusted application image, and Fig. 3 is a sequence diagram of downloading and installing a trusted application image.
As shown in Fig. 2 and Fig. 3:
S1: The third-party application 3 sends a request to install a trusted application.
The download request may be initiated, for example, when the mobile intelligent terminal 1 starts up: the third-party application 3 checks whether the associated trusted application is installed and, if not, initiates a download request. It may also be initiated when the third-party application 3 is about to use the trusted application and no usable trusted application is available. There is no restriction on how the download request is made.
S2: The TA management module 4 processes the install-trusted-application request and obtains characteristic information such as the package name of the third-party application and the model of the mobile intelligent terminal. It sends the original request message together with information such as the package name of the third-party application and the mobile intelligent terminal model to the TEE management module 5. Although the information transmitted at this point is plaintext, the TEE management module 5 runs in the TEE trusted execution environment, so the security of the information is guaranteed.
S3: The TEE management module 5 encapsulates the request information, so that the encapsulated request carries the content related to the secure channel 100. That is, during encapsulation it first generates a random number, encrypts the message with this random number as the key, then encrypts the random number with the stored root certificate of the TA management server 2, and sends the encrypted message, the random number encryption result and the certificate chain together to the TA management server 2. The certificate chain includes at least the third-tier certificate held by the mobile intelligent terminal 1.
S4: The TEE management module 5 sends the encapsulated information, i.e. the ciphertext install-trusted-application request including the certificate chain, to the TA management server 2 via the TA management module 4.
S5: The TA management server 2 parses the encapsulated information with the corresponding private key and saves the third-tier certificate held by the mobile intelligent terminal 1 in a storage module; based on the install-trusted-application request in the encapsulated information, the TA management server 2 produces feedback information requesting the current device state; the TA management server 2 encapsulates the feedback information, i.e. it first generates a random number, encrypts the message with this random number as the key, then encrypts the random number with the third-tier certificate of the mobile intelligent terminal 1, so that the feedback information carries the content related to the secure channel.
The feedback information requesting the current device state covers the mobile intelligent terminal model, the information on all trusted applications, and so on.
S6: The TA management server 2 feeds the encrypted message and the random number encryption result back together to the TEE management module 5 via the TA management module 4.
S7: The TEE management module 5 obtains the feedback information, i.e. it obtains the current state information of the mobile intelligent terminal 1 according to the current-state request information, and encapsulates the current state information. The encapsulation method is the same as in S3.
S8: The TEE management module 5 sends the ciphertext encapsulated state information (the status request result) to the TA management server 2 via the TA management module 4.
S9: The TA management server 2 parses the encapsulated state information and obtains the plaintext status request result; according to the status request result, it looks up the trusted application image matching the mobile intelligent terminal model and the current state; the TA management server 2 encapsulates the trusted application image by the same method as in S6.
S10: The TA management server 2 sends the ciphertext trusted application image message to the TEE management module 5 via the TA management module 4.
S11: The TEE management module 5 parses the encapsulated information, obtains the trusted application image, and installs the trusted application image.
The trusted application may be installed in the trusted execution environment, or stored encrypted in the REE environment.
S12: After the TEE management module 5 sends the installation result to the third-party application via the TA management module 4, the download and installation of the trusted application image is complete.
Variations of the present invention are described below.
As a variation, the feedback information in step S5 may, in addition to requesting the state information, also include installation, update and response result information.
The request for the current device state in step S5 may also request security domain (SD) information. The TA management server 2 judges, from the trusted application information sent by the mobile intelligent terminal 1, whether the mobile intelligent terminal 1 can install the trusted application; if it cannot, the server sends an instruction to install a security domain. The TEE management module 5 then installs the security domain according to the instruction and afterwards downloads the trusted application image again.
For the present invention, the step of requesting the current device state is not essential; the current state need not be requested, and the feedback information for installation or deletion may be fed back directly.
The steps described in Fig. 2 and Fig. 3 are only one embodiment, and the download-related steps may vary in many ways, as long as the information passes through the secure channel 100 and is mutually authenticated by the TA management server 2 and the mobile intelligent terminal 1.
Effects of the present invention:
The mobile intelligent terminal 1 only needs network access to download the trusted application image directly. Since the whole mobile intelligent terminal image need not be downloaded, and the packaged trusted application need not be tied to the hardware platform of the mobile intelligent terminal, downloading and installing trusted applications becomes very convenient and the process of releasing trusted application images is simplified. Third parties can release trusted applications safely and simply. When a trusted application changes, the trusted application image for download can be provided separately. Throughout the download process, the information and instructions between the TEE management module 5 and the TA management server 2 are all transmitted over the secure channel 100 as ciphertext, so the security of the trusted application image is also guaranteed.

Claims (17)

  1. A trusted application management system of an intelligent terminal, characterized in that it includes a terminal (1) and a TA management server (2),
    the terminal (1) has a TA management module (4) and a TEE management module (5), preset or installed by download, the TEE management module (5) being arranged in a trusted execution environment and the TA management module (4) being used to manage the download, update and deletion of trusted applications,
    the TA management server (2) stores trusted applications for download, a trusted application including at least a trusted application image,
    the TA management module (4) sends a request to download a trusted application, or sends the request to download a trusted application in response to a download/update request of a third-party application,
    the TA management server (2), according to the download-trusted-application request of the TA management module (4), sends the corresponding trusted application (21) to the terminal (1),
    the TEE management module (5) performs the installation or update of the trusted application (21).
  2. The trusted application management system of an intelligent terminal according to claim 1, characterized in that
    a secure channel (100) is established between the TEE management module (5) and the TA management server (2) via the TA management module (4),
    and the information and instructions related to the download, update and deletion of the trusted application (21) are transmitted over the secure channel (100).
  3. The trusted application management system of an intelligent terminal according to claim 2, characterized in that the TEE management module (5) sends messages in encrypted form to the TA management server (2) over the secure channel (100), decrypts the feedback message sent by the TA management server (2), and performs the corresponding operation according to the content of the feedback message,
    the TA management server (2) decrypts the message sent by the TEE management module (5), generates a feedback message according to the message content, and sends the feedback message in encrypted form to the TEE management module (5) over the secure channel (100).
  4. The trusted application management system of an intelligent terminal according to claim 3, characterized in that the encryption uses a three-tier digital certificate architecture in which the TA management server (2) holds a root certificate, the manufacturer of the terminal (1) holds a second-tier certificate and the terminal (1) holds a third-tier certificate; the TEE management module (5) encrypts the message with the root certificate to generate an encrypted message, the encrypted message is sent together with the certificate chain to the TA management server (2) over the secure channel (100), the TA management server (2) encrypts the feedback message with the third-tier certificate of the terminal (1) to generate an encrypted feedback message, and the encrypted feedback message is sent to the TEE management module (5) over the secure channel (100).
  5. The trusted application management system of an intelligent terminal according to claim 3, characterized in that the encryption uses a three-tier digital certificate architecture in which the TA management server (2) holds a root certificate, the manufacturer of the terminal (1) holds a second-tier certificate and the terminal (1) holds a third-tier certificate; the TEE management module (5) encrypts the message with a random number key to generate an encrypted message, then encrypts the random number with the root certificate, and the random number encryption result, the encrypted message and the certificate chain are sent together to the TA management server (2) over the secure channel (100); the TA management server (2) encrypts the feedback message with a random number key and encrypts the random number with the third-tier certificate of the terminal (1), and the random number encryption result and the encrypted feedback message are sent to the TEE management module (5) over the secure channel (100).
  6. The trusted application management system of an intelligent terminal according to claim 4 or 5, characterized in that
    the TEE management module (5), after completing encryption, signs the encrypted message and the certificate chain, or the random number encryption result together with the encrypted message and the certificate chain, and then sends them to the TA management server (2) over the secure channel (100), and the TA management server (2) signs the feedback message, or the random number encryption result together with the encrypted feedback message, and then sends them to the TEE management module (5) over the secure channel (100).
  7. The trusted application management system of an intelligent terminal according to claim 6, characterized in that the TEE management module (5) stores the downloaded trusted application encrypted in the trusted execution environment or in the REE environment.
  8. The trusted application management system of an intelligent terminal according to claim 7, characterized in that the instructions sent by the TA management module (4) or the TA management server (2) include an instruction to delete a trusted application,
    and the TEE management module (5) deletes the trusted application installed in the trusted execution environment according to the delete-trusted-application instruction.
  9. A trusted application management method of an intelligent terminal, characterized in that it comprises the following steps:
    step 1, setting the trusted application (21) for download in a TA management server (2),
    step 2, setting a TEE management module (5) in the trusted execution environment of the terminal (1),
    step 3, presetting, or installing by download, a TA management module (4) in the terminal (1),
    step 4, the TA management module (4) initiates a request to download a trusted application, or sends the request to download a trusted application in response to a download/update request of a third-party application,
    step 5, the TA management server (2), according to the download-trusted-application request, sends the corresponding trusted application (21) to the terminal (1),
    step 6, the TEE management module (5) performs the installation or update of the trusted application (21).
  10. The trusted application management method of an intelligent terminal according to claim 9, characterized in that
    in step 4 and step 5, a secure channel (100) is established between the TEE management module (5) and the TA management server (2) via the TA management module (4), and the instructions and information related to the download, update and deletion of the trusted application (21) are transmitted over the secure channel (100).
  11. The trusted application management method of an intelligent terminal according to claim 10, characterized in that
    step 4 comprises the following steps:
    step 41, the TEE management module (5) encrypts the generated message to produce an encrypted message, the encrypted message containing the encrypted request to download a trusted application, the encrypted state information of the current state of the terminal (1), or the response result information of the install, update or delete trusted application operation;
    step 42, the TEE management module (5) sends the encrypted message to the TA management server (2) over the secure channel (100),
    step 5 comprises the following steps:
    step 51, the TA management server (2) decrypts the encrypted message and generates a feedback message according to the message content, the feedback message containing a request to obtain the current state of the terminal (1), the corresponding trusted application (21), or result information,
    step 52, the TA management server (2) encrypts the feedback message,
    step 53, the TA management server (2) sends the encrypted feedback message to the TEE management module (5) over the secure channel (100),
    step 6 comprises the following step:
    step 61, the TEE management module (5) decrypts the feedback message of the TA management server (2) and performs the corresponding operation according to the content of the feedback message.
  12. The trusted application management method of an intelligent terminal according to claim 11, characterized in that
    in step 41, the TEE management module (5) encrypts the message with the root certificate of the TA management server (2),
    in step 42, the TEE management module (5) sends the encrypted message together with the certificate chain to the TA management server (2) over the secure channel (100),
    in step 51, the TA management server (2) decrypts the encrypted message with the corresponding private key,
    in step 52, the TA management server (2) encrypts the feedback message with the third-tier certificate held by the terminal (1),
    in step 53, the TA management server (2) sends the encrypted feedback message to the TEE management module (5) over the secure channel (100),
    in step 61, the TEE management module (5) decrypts the feedback message of the TA management server (2) with the corresponding private key.
  13. The trusted application management method of an intelligent terminal according to claim 11, characterized in that
    in step 41, the TEE management module (5) encrypts the message with a random number key and encrypts the random number with the root certificate of the TA management server (2),
    in step 42, the TEE management module (5) sends the encrypted message, the random number encryption result and the certificate chain together to the TA management server (2) over the secure channel (100),
    in step 51, the TA management server (2) decrypts the random number with the corresponding private key and decrypts the encrypted message with the random number key,
    in step 52, the TA management server (2) encrypts the feedback message with a random number key and encrypts the random number with the third-tier certificate held by the terminal (1), the random number being either the random number in the encrypted message sent by the terminal or a random number generated by the TA management server (2) itself,
    in step 53, the TA management server (2) sends the encrypted feedback message to the TEE management module (5) over the secure channel (100),
    in step 61, the TEE management module (5) decrypts the random number with the corresponding private key and decrypts the feedback message with the random number key.
  14. The trusted application management method of an intelligent terminal according to claim 12 or 13, characterized in that
    in step 42, the TEE management module (5) signs the encrypted message and the certificate chain, or the encrypted message, the random number encryption result and the certificate chain, and then sends them to the TA management server (2),
    in step 53, the TA management server (2) signs the encrypted feedback message, or the encrypted random number and the encrypted feedback message, and then sends them to the TEE management module (5).
  15. The trusted application management method of an intelligent terminal according to any one of claims 9 to 13, characterized in that
    in step 6, the TEE management module (5) installs the downloaded trusted application (21) in the trusted execution environment or stores it encrypted in the REE environment.
  16. The trusted application management method of an intelligent terminal according to claim 15, characterized in that
    in step 6, the TEE management module (5) deletes an installed trusted application according to a delete-trusted-application instruction sent by the TA management module (4) or the TA management server (2).
  17. The trusted application management method of an intelligent terminal according to claim 11, characterized in that
    in step 41, the state information of the current state includes the terminal model, the information on all trusted applications and the security domain information; in step 51, the request for the current state includes a request to obtain the terminal model and the information on all trusted applications.
CN201710946837.9A 2017-10-12 2017-10-12 Trusted application management method and trusted application management system of intelligent terminal Active CN107682159B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710946837.9A CN107682159B (en) 2017-10-12 2017-10-12 Trusted application management method and trusted application management system of intelligent terminal


Publications (2)

Publication Number Publication Date
CN107682159A true CN107682159A (en) 2018-02-09
CN107682159B CN107682159B (en) 2021-02-02

Family

ID=61140570

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710946837.9A Active CN107682159B (en) 2017-10-12 2017-10-12 Trusted application management method and trusted application management system of intelligent terminal

Country Status (1)

Country Link
CN (1) CN107682159B (en)

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108614711A (en) * 2018-04-20 2018-10-02 北京握奇智能科技有限公司 TA mirrored storages method, apparatus and terminal
CN108768973A (en) * 2018-05-16 2018-11-06 北京握奇智能科技有限公司 Trusted application operation requests checking method and trusted application management server
CN109922056A (en) * 2019-02-26 2019-06-21 阿里巴巴集团控股有限公司 Data safety processing method and its terminal, server
CN110717149A (en) * 2019-10-09 2020-01-21 湖南国科微电子股份有限公司 Security architecture, operation method and device thereof, and readable storage medium
CN110830279A (en) * 2018-08-09 2020-02-21 华为技术有限公司 Management method and device for management service
CN110855426A (en) * 2019-11-08 2020-02-28 北京握奇智能科技有限公司 Method for software use authorization
CN111382445A (en) * 2020-03-03 2020-07-07 首都师范大学 Method for providing trusted service by using trusted execution environment system
CN111428281A (en) * 2020-03-25 2020-07-17 支付宝(杭州)信息技术有限公司 Operation method and device of trusted program in TEE
CN111740824A (en) * 2020-07-17 2020-10-02 支付宝(杭州)信息技术有限公司 Trusted application management method and device
WO2020231418A1 (en) * 2019-05-15 2020-11-19 Hewlett-Packard Development Company, L.P. Update signals
CN112241284A (en) * 2020-12-16 2021-01-19 支付宝(杭州)信息技术有限公司 Program data updating method, system, device and equipment based on privacy protection
CN113192237A (en) * 2020-01-10 2021-07-30 阿里巴巴集团控股有限公司 Internet of things equipment supporting TEE and REE and method for realizing communication between TEE and REE
WO2022206811A1 (en) * 2021-03-31 2022-10-06 华为云计算技术有限公司 Cloud service system and cloud service-based data processing method
US11496287B2 (en) 2020-08-18 2022-11-08 Seagate Technology Llc Privacy preserving fully homomorphic encryption with circuit verification
US11575501B2 (en) 2020-09-24 2023-02-07 Seagate Technology Llc Preserving aggregation using homomorphic encryption and trusted execution environment, secure against malicious aggregator
WO2023041037A1 (en) * 2021-09-18 2023-03-23 华为云计算技术有限公司 Cloud-technology-based computing node and cloud-technology-based instance management method
CN116382740A (en) * 2023-04-10 2023-07-04 广州锦高信息科技有限公司 Automatic upgrade release system and method for application software

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090318171A1 (en) * 2008-06-18 2009-12-24 Ari Backholm Application Discovery on Mobile Devices
CN103856485A (en) * 2014-02-14 2014-06-11 武汉天喻信息产业股份有限公司 System and method for initializing safety indicator of credible user interface
CN105095696A (en) * 2015-06-25 2015-11-25 三星电子(中国)研发中心 Method, system and apparatus for carrying out safety authentication on application programs
CN105592091A (en) * 2015-12-30 2016-05-18 中国银联股份有限公司 Security application downloading method
CN105591791A (en) * 2015-04-10 2016-05-18 中国银联股份有限公司 Equipment for exchanging security information
CN106102054A (en) * 2016-05-27 2016-11-09 深圳市雪球科技有限公司 A kind of method and communication system that safe unit is carried out safety management

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant