CN108200052A - Digital signature method, device and mobile terminal based on mobile terminal - Google Patents


Publication number
CN108200052A
Authority
CN
China
Prior art keywords
digital signature
signature
service
service application
signed
Legal status
Granted
Application number
CN201711484493.0A
Other languages
Chinese (zh)
Other versions
CN108200052B (en)
Inventor
秦立仓
李勃
Current Assignee
Beijing Watchdata Ltd By Share Ltd
Beijing WatchData System Co Ltd
Beijing WatchSmart Technologies Co Ltd
Original Assignee
Beijing Watchdata Ltd By Share Ltd
Beijing WatchSmart Technologies Co Ltd
Application filed by Beijing Watchdata Ltd By Share Ltd, Beijing WatchSmart Technologies Co Ltd
Priority to CN201711484493.0A
Publication of CN108200052A
Application granted
Publication of CN108200052B
Legal status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823: Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving digital signatures
    • H04L9/3263: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31: User authentication
    • G06F21/33: User authentication using certificates

Abstract

The invention discloses a digital signature method, device and mobile terminal based on a mobile terminal. The method includes: receiving, through a digital signature service application, business data to be signed that is sent by a service application or an external device; determining, according to the mobile terminal device environment, the deployment mode of the digital signature certificate corresponding to the business data to be signed; and obtaining the digital signature certificate according to the deployment mode and performing the corresponding signature processing on the business data to be signed with it. The method, device and mobile terminal of the invention combine the digital signature certificate with the mobile terminal environment, store the digital signature certificate securely using software and hardware protection methods, and apply digital signature certificate deployment schemes of different security levels, so as to provide a one-stop mobile intelligent terminal digital signature product that is as secure as possible with no difference in user experience. This improves the security, convenience and deployability of digital signature applications and saves the user the cost of buying an additional hardware U-shield (USB key).

Description

Digital signature method, device and mobile terminal based on mobile terminal
Technical field
The present invention relates to the field of information security technology, and more particularly to a digital signature method, device and mobile terminal based on a mobile terminal.
Background technology
As mobile internet devices and the consumer market mature and grow, security has become a problem of increasing concern. From 2015 to 2016 the share of online banking transfers dropped from 35% to 19%, but overall the annual online banking transaction volume in 2016 was nearly 2,000 trillion, with a transaction scale far exceeding mobile banking; large-value transfers, complex transactions and special authorization business still rely on personal online banking. Therefore, in view of the insecurity of mobile banking and the inconvenience of carrying and holding the online banking USB key, the migration of the PC-side U-shield to a mobile phone shield was proposed as early as 2014. At present, shield functionality on mobile phones is mainly implemented with Bluetooth keys, audio keys and the like. Such hardware-based approaches require the user to buy the relevant hardware and require the mobile banking application to modify its interfaces to communicate with that hardware, which causes a certain development difficulty and increases the user's cost.
Invention content
In view of this, one technical problem the invention solves is to provide a digital signature method, device and mobile terminal based on a mobile terminal.
According to one aspect of the invention, a digital signature method based on a mobile terminal is provided, including: receiving business data to be signed that a service application or an external device sends through a digital signature service application, where the digital signature service application provides a unified digital certificate signature interface; determining, according to the mobile terminal device environment, the deployment mode of the digital signature certificate corresponding to the business data to be signed, where the deployment modes of the digital signature certificate include: the digital signature certificate stored in a distributed manner in the digital signature service application and a certificate management system; the digital signature certificate stored in a trusted application (TA) of the TEE system; and the digital signature certificate stored in an Applet of the eSE; obtaining the digital signature certificate according to the deployment mode and performing the corresponding signature processing on the business data to be signed using the digital signature certificate; and the service application or external device receiving the signature result through the digital signature service application.
Optionally, obtaining the digital signature certificate according to the deployment mode and performing the corresponding signature processing on the business data to be signed using the digital signature certificate includes: the digital certificate is stored in a distributed manner in the digital signature service application and the certificate management system; when the digital signature service is performed, signature operations are performed separately on the business data to be signed in a distributed computation manner, and the signature result is returned to the service application or external device by the digital signature service application.
Optionally, the digital signature service application stores a first part of the digital certificate internally and the certificate management system stores a second part of the digital certificate; the first part of the digital signature certificate includes a first part of the private key, and the second part of the digital signature certificate includes a second part of the private key.
Optionally, obtaining the digital signature certificate according to the deployment mode and performing the corresponding signature processing on the business data to be signed using the digital signature certificate includes: if the digital signature certificate is stored in a digital signature TA, the service application or external device sends the business data to be signed to the digital signature TA through the digital signature service application; the digital signature TA obtains the digital signature certificate stored internally and performs signature processing on the business data to be signed based on it; and the service application or external device receives the signature result through the digital signature service application.
Optionally, the digital signature service application provides the corresponding functions for the deployment mode in which the digital signature certificate is stored in a trusted application TA of the TEE system; the certificate management system manages the digital signature certificate stored in the digital signature TA through the digital signature service application, including installing, updating and deleting the digital signature certificate; and the TAM system manages the digital signature TA through the digital signature service application, including installing, updating and deleting the digital signature TA.
Optionally, obtaining the digital signature certificate according to the deployment mode and performing the corresponding signature processing on the business data to be signed using the digital signature certificate includes: if the digital signature certificate is stored in the Applet, the digital signature service application provides the corresponding functions for the deployment mode in which the digital signature certificate is stored in the Applet; the service application or external device sends the business data to be signed to the digital signature TA through the digital signature service application; the digital signature TA sends the business data to be signed to the Applet; and the Applet obtains the digital signature certificate stored internally, performs signature processing on the business data to be signed based on it, and returns the signature result to the digital signature TA.
Optionally, if the digital signature certificate is stored in the Applet, a service application on the REE side communicates with the Applet to perform digital signature processing; the Applet obtains the digital signature certificate stored internally, performs signature processing on the business data to be signed sent by the REE-side service application based on it, and returns the signature result to the REE-side service application.
Optionally, the certificate management system manages the digital signature certificate stored in the Applet through the digital signature service application and the digital signature TA, including installing, updating and deleting the digital signature certificate; and the TSM system manages the Applet through the digital signature service application and the digital signature TA, including personalizing, installing, updating and uninstalling the Applet.
According to another aspect of the invention, a digital signature device based on a mobile terminal is provided, including: a data receiving module for receiving business data to be signed that a service application or an external device sends through a digital signature service application, where the digital signature service application provides a unified digital certificate signature interface; a deployment mode selection module that determines, according to the mobile terminal device environment, the deployment mode of the digital signature certificate corresponding to the business data to be signed, where the deployment modes of the digital signature certificate include: the digital signature certificate stored in a distributed manner in the digital signature service application and a certificate management system, stored in a trusted application TA of the TEE system, or stored in an Applet of the eSE; and the digital signature service application, for obtaining the digital signature certificate according to the deployment mode and performing the corresponding signature processing on the business data to be signed using the digital signature certificate; where the service application or external device receives the signature result through the digital signature service application.
Optionally, the digital certificate is stored in a distributed manner in the digital signature service application and the certificate management system; when the digital signature service is performed, signature operations are performed separately on the business data to be signed in a distributed computation manner, and the signature result is returned to the service application or external device by the digital signature service application.
Optionally, the digital signature service application stores a first part of the digital certificate internally and the certificate management system stores a second part of the digital certificate; the first part of the digital signature certificate includes a first part of the private key, and the second part of the digital signature certificate includes a second part of the private key.
Optionally, the device further includes a digital signature TA; the digital signature service application is used to send the business data to be signed to the digital signature TA if the digital signature certificate is stored in the digital signature TA; the digital signature TA is used to obtain the digital signature certificate stored internally and to perform signature processing on the business data to be signed based on it; where the service application or external device sends the business data to be signed to the digital signature service application and receives the signature result through the digital signature service application.
Optionally, the digital signature service application provides the corresponding functions for the deployment mode in which the digital signature certificate is stored in a trusted application TA of the TEE system; the certificate management system manages the digital signature certificate stored in the digital signature TA through the digital signature service application, including installing, updating and deleting the digital signature certificate; and the TAM system manages the digital signature TA through the digital signature service application, including installing, updating and deleting the digital signature TA.
Optionally, the device further includes an Applet running in the eSE; if the digital signature certificate is stored in the Applet, the digital signature service application provides the corresponding functions for the deployment mode in which the digital signature certificate is stored in the Applet; the service application or external device sends the business data to be signed to the digital signature TA through the digital signature service application; the digital signature TA is used to send the business data to be signed to the Applet; and the Applet is used to obtain the digital signature certificate stored internally, perform signature processing on the business data to be signed based on it, and return the signature result to the digital signature TA.
Optionally, if the digital signature certificate is stored in the Applet, a service application on the REE side communicates with the Applet to perform digital signature processing; the Applet is used to obtain the digital signature certificate stored internally, perform signature processing on the business data to be signed sent by the REE-side service application based on it, and return the signature result to the REE-side service application.
Optionally, the certificate management system manages the digital signature certificate stored in the Applet through the digital signature service application and the digital signature TA, including installing, updating and deleting the digital signature certificate; and the TSM system manages the Applet through the digital signature service application and the digital signature TA, including personalizing, installing, updating and uninstalling the Applet.
According to yet another aspect of the invention, a mobile terminal is provided, including the digital signature device based on the trusted execution environment of a mobile terminal as described above.
According to a further aspect of the invention, a digital signature device based on the trusted execution environment of a mobile terminal is provided, including: a memory; and a processor coupled to the memory, the processor being configured to perform, based on instructions stored in the memory, the digital signature method based on the trusted execution environment of a mobile terminal according to any of the above.
The digital signature method, device and mobile terminal based on a mobile terminal of the invention determine the deployment mode of the digital signature certificate corresponding to the business data to be signed, obtain the digital signature certificate according to the deployment mode, and perform the corresponding signature processing on the business data to be signed using the digital signature certificate. The digital signature certificate is combined with the mobile terminal; the software and hardware protection methods in the mobile terminal are used to store the digital signature certificate securely; and, according to the system environment of the user's mobile intelligent terminal, mobile intelligent terminal digital signature deployment schemes of different security levels are applied, providing the user with a one-stop mobile intelligent terminal digital signature product that is as secure as possible with no difference in user experience. This can significantly improve the security, convenience and deployability of mobile intelligent terminal digital signature applications while saving the user the cost of buying an additional hardware U-shield.
Description of the drawings
In order to explain the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly described below. Obviously, the drawings in the following description are only some embodiments of the invention; for those of ordinary skill in the art, other drawings can be obtained from these drawings without creative effort.
Fig. 1 is a flow diagram of one embodiment of the digital signature method based on a mobile terminal according to the invention;
Fig. 2, Fig. 3, Fig. 3A and Fig. 4 are schematic diagrams of the digital signature certificate deployment modes of the pure software shield, the TEE shield, the APPLET and the TEE+SE shield, respectively;
Fig. 5 is a module diagram of one embodiment of the digital signature device based on a mobile terminal according to the invention;
Fig. 6 is a module diagram of another embodiment of the digital signature device based on a mobile terminal according to the invention.
Specific embodiment
Various exemplary embodiments of the invention will now be described in detail with reference to the drawings. It should be noted that, unless otherwise specified, the relative arrangement of components and steps, the numerical expressions and the numerical values set forth in these embodiments do not limit the scope of the invention.
Meanwhile, it should be understood that, for ease of description, the dimensions of the various parts shown in the drawings are not drawn according to their actual proportional relationships.
The following description of at least one exemplary embodiment is merely illustrative and is in no way intended as any limitation on the invention or its application or use.
Techniques, methods and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail, but where appropriate such techniques, methods and apparatus should be considered part of the specification.
It should be noted that similar reference numerals and letters denote similar items in the following drawings; therefore, once an item is defined in one drawing, it need not be discussed further in subsequent drawings.
Embodiments of the invention may be applied to a computer system/server, which can operate together with numerous other general-purpose or special-purpose computing system environments or configurations. Examples of well-known computing systems, environments and/or configurations suitable for use with the computer system/server include, but are not limited to: smart phones, personal computer systems, server computer systems, thin clients, thick clients, handheld or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, and distributed cloud computing environments including any of the above systems, and so on.
The computer system/server may be described in the general context of computer-system-executable instructions (such as program modules) executed by a computer system. In general, program modules may include routines, programs, object programs, components, logic, data structures and the like, which perform particular tasks or implement particular abstract data types. The computer system/server may be implemented in a distributed cloud computing environment, in which tasks are performed by remote processing devices linked through a communication network. In a distributed cloud computing environment, program modules may be located in local or remote computing system storage media including storage devices.
Hereinafter, "first", "second" and the like are used only for distinction in the description and have no other special meaning.
Fig. 1 is a flow diagram of one embodiment of the digital signature method based on a mobile terminal according to the invention. As shown in Fig. 1:
Step 101: receive business data to be signed that a service application or an external device sends through the digital signature service application; the digital signature service application provides a unified digital certificate signature interface.
The service application may be a service application in the mobile terminal, such as a shopping or online banking application; the external device may be an e-commerce server, an online banking server or the like. The business data to be signed may be transaction data to be signed, etc.
Step 102: determine the deployment mode of the digital signature certificate corresponding to the business data to be signed.
The digital signature certificate may have many deployment modes. For example, the digital signature certificate may be stored in a distributed manner in the mobile terminal locally and in the certificate management system; it may be stored in a trusted application TA of the TEE system; or it may be stored in an Applet of the eSE. Digital signature certificates used to sign different business data may have different deployment modes.
A TEE (Trusted Execution Environment) is an isolated execution environment. The TEE runs in parallel with the rich operating system (REE, Rich Execution Environment) and provides security services to the rich environment; it can isolate and protect software and hardware security resources and application programs from the rich environment.
A secure element (SE) may be a security module combining software, hardware and related protocols, and may be embedded in smart-card-grade applications such as a UICC, an embedded SE or a pluggable card. An Applet is a program running in the SE. A digital signature certificate is a file containing the public key owner's information and the public key, digitally signed by a certificate authority. For example, the simplest digital certificate contains a public key, a name and the digital signature of the certificate authority.
In one embodiment, the digital signature certificate deployment scheme can place the certificate in the most secure environment possible according to the current system environment. Pure software shield deployment mode: the digital signature certificate is stored in a distributed manner in the mobile terminal application and the certificate management system, and the two jointly produce the digital signature of the user's business data. TEE shield deployment mode: the digital signature certificate is stored in a TA of the mobile terminal's TEE system; the mobile intelligent application calls the TA, and the digital signature of the user's business data is completed inside the TA. TEE+SE shield deployment mode: the digital signature certificate is stored in an Applet of the mobile terminal's SE; the mobile terminal application calls the TA, the TA calls the Applet, and the digital signature of the user's business data is completed inside the Applet. The deployment schemes selected for different mobile intelligent terminal system environments are shown in Table 1 below:
Table 1: Deployment schemes of digital signature certificates
Step 103: obtain the digital signature certificate according to the deployment mode, and perform the corresponding signature processing on the business data to be signed using the digital signature certificate.
Step 104: the service application or external device receives the signature result through the digital signature service application.
The digital signature method based on a mobile terminal in the above embodiment adds no external hardware. According to the system environment of the user's mobile intelligent terminal, different solutions are used to realize digital signature applications of different security levels on the mobile intelligent terminal; by applying mobile intelligent terminal digital signature deployment schemes of different security levels, the user is provided with a one-stop mobile intelligent terminal digital signature product that is as secure as possible with no difference in user experience.
In one embodiment, the digital certificate is stored in a distributed manner in the digital signature service application and the certificate management system. When the digital signature service is performed, signature operations are performed separately on the business data to be signed in a distributed computation manner, and the signature result is returned to the service application or external device.
When it is determined that the digital signature certificate is stored in a distributed manner in the digital signature service application and the certificate management system, the digital signature service application stores a first part of the digital signature certificate internally and the certificate management system stores a second part. The first part of the digital signature certificate may include a first part of the private key, and the second part of the digital signature certificate may include a second part of the private key.
The digital signature service application performs signature processing on the business data to be signed based on the first and second parts of the digital signature certificate and returns the signature result to the service application or external device. Existing signature processing methods may be used for signing based on the first and second parts of the certificate. For example, at signing time the digital signature service application first verifies the password and performs a first signature on the transaction information with the first part of the private key; the digital signature service application then sends that signature result to the certificate management system, which performs a second signature with the second part of the private key; and the digital signature service application returns the final signature result. The digital signature service application may run in the REE.
For the pure software shield deployment mode, as shown in Fig. 2, the digital signature service application mainly provides the digital signature interface. Since the mobile terminal is insecure, the private key is stored in a distributed manner: one part is stored at the certificate management system and the other part in the digital signature service application, and a complete signature can only be formed by the joint operation of the two.
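The two-step signing flow of the pure software shield (first signature with the phone-side key part, second signature over that result with the server-side key part) is worked through below as an added example; it is not code from the patent or from Watchdata. The page does not state how the private key is divided, so this example assumes a multiplicative split of the RSA private exponent (d = d1 * d2 mod lambda(n)), which is what makes "sign, then sign the result again" equal to an ordinary RSA signature, and assumes RSASSA-PKCS1-v1_5 with SHA-256 so that the output can be checked by any standard verifier holding the certificate's public key. The class and function names, the user identifier and the business data are constructed for the example; the demo key is 1024 bits only to keep pure-Python key generation quick.

```python
"""Two-party RSA signing for the pure software shield: the phone-side
digital signature service application holds d1, the certificate management
system holds d2, and a valid PKCS#1 v1.5 signature needs both steps.
Added example; multiplicative key split and SHA-256 padding are assumptions,
names are hypothetical, and the 1024-bit demo key is for speed only
(use at least 2048 bits in production)."""
import hashlib
import math
import secrets

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
_SMALL_PRIMES = [p for p in range(3, 2000, 2)
                 if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with a trial-division pre-filter."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    while True:  # force top bit (exact size) and low bit (odd)
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_rsa(bits: int = 1024, e: int = 65537):
    """Return (n, e, d, lam) with d = e^-1 mod lam, lam = lcm(p-1, q-1)."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        n = p * q
        lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
        if p != q and n.bit_length() == bits and math.gcd(e, lam) == 1:
            return n, e, pow(e, -1, lam), lam


def split_private_key(d: int, lam: int):
    """d1 is a random unit mod lam, d2 = d * d1^-1 mod lam. Neither share
    alone reveals d, and neither alone yields a verifiable signature."""
    while True:
        d1 = secrets.randbelow(lam - 2) + 2
        if math.gcd(d1, lam) == 1:
            return d1, d * pow(d1, -1, lam) % lam


def emsa_pkcs1_v15(message: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) into k bytes, as an int."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")


class SignatureServiceApp:
    """Phone-side (REE) share holder: performs the first signature."""
    def __init__(self, n: int, d1: int):
        self.n, self.d1 = n, d1

    def partial_sign(self, message: bytes) -> int:
        k = (self.n.bit_length() + 7) // 8
        return pow(emsa_pkcs1_v15(message, k), self.d1, self.n)


class CertManagementSystem:
    """Server-side share holder: signs the phone's partial result again with
    d2. It never learns d1 and cannot sign without the phone's first step."""
    def __init__(self):
        self.shares = {}  # user_id -> (n, d2)

    def enroll(self, user_id: str, n: int, d2: int) -> None:
        self.shares[user_id] = (n, d2)

    def complete_signature(self, user_id: str, s1: int) -> int:
        n, d2 = self.shares[user_id]
        return pow(s1, d2, n)  # em^(d1*d2) == em^d mod n


def two_party_sign(app, server, user_id: str, message: bytes) -> bytes:
    s = server.complete_signature(user_id, app.partial_sign(message))
    return s.to_bytes((app.n.bit_length() + 7) // 8, "big")


def verify(n: int, e: int, message: bytes, signature: bytes) -> bool:
    """Plain RSASSA-PKCS1-v1_5 verification against the public key (n, e)."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    return pow(int.from_bytes(signature, "big"), e, n) == emsa_pkcs1_v15(message, k)


def demo() -> dict:
    """Enrolment plus one signing round; returns the properties worth checking."""
    n, e, d, lam = generate_rsa()
    d1, d2 = split_private_key(d, lam)
    app, server = SignatureServiceApp(n, d1), CertManagementSystem()
    server.enroll("user-1", n, d2)                    # constructed user id
    msg = b"transfer 100.00 to account 0001"          # constructed business data
    sig = two_party_sign(app, server, "user-1", msg)
    partial_only = app.partial_sign(msg).to_bytes(len(sig), "big")
    return {
        "shares_recombine": d1 * d2 % lam == d % lam,
        "full_valid": verify(n, e, msg, sig),
        "tamper_rejected": not verify(n, e, msg + b"0", sig),
        "partial_rejected": not verify(n, e, msg, partial_only),
    }


if __name__ == "__main__":
    print(demo())
```

The phone share lives in the REE, which the page itself describes as insecure, so what the scheme's security rests on is the certificate management system's decision to complete a given partial signature at all (authenticating the caller, as the page's password check suggests, and confirming the transaction) rather than anything in the arithmetic; that authorization policy is outside this example.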
In one embodiment, if the digital signature certificate is stored in the digital signature TA, the digital signature service application sends the business data to be signed to the digital signature TA. The digital signature TA obtains the certificate stored inside it, signs the business data with it, and returns the signature result to the digital signature service application.
The certificate management system manages the digital signature certificate stored in the digital signature TA through the digital signature service application, including installing, updating and deleting the certificate. The TAM (Trusted Application Management) system manages the digital signature TA itself through the digital signature service application, including installing, updating and deleting the TA.
For the TEE-shield deployment mode, shown in Fig. 3, on a mobile intelligent terminal that supports a TEE the digital signature certificate is placed in a TA of the TEE. Management of the TA (installation, update, deletion) is done by the TAM system; management of the certificate inside the TA (installation, update, deletion) is done by the certificate management system. If the mobile terminal has a TEE but no SE, the TA is the unit that stores and processes the certificate; if it has an SE, the SE stores and processes the certificate and the TA serves only as the communication and TUI display unit.
In one embodiment, shown in Fig. 3A, if the digital signature certificate is stored in the Applet, the digital signature service application sends the business data to be signed to the digital signature TA, and the digital signature TA forwards it to the Applet. The Applet obtains the certificate stored inside it, signs the business data with it, and returns the signature result to the digital signature TA, which returns it to the digital signature service application. The digital signature service can be provided either as a standalone module or as an interface jar; its main purpose is to expose a single unified interface.
If the digital signature certificate is stored in the Applet, a service application on the REE side can also communicate with the Applet directly, bypassing the digital signature TA, to have data signed. The Applet obtains the certificate stored inside it, signs the business data sent by the REE-side service application, and returns the signature result to that service application.
The certificate management system manages the digital signature certificate stored in the Applet through the digital signature service application and the digital signature TA, including installing, updating and deleting the certificate. The TSM (Trusted Service Manager) system manages the Applet through the digital signature service application and the digital signature TA, including personalizing, installing, updating and uninstalling the Applet. If the mobile terminal has an SE, the Applet is built into the SE; this unit sits in the most secure layer and is used to store and process the digital signature certificate.
For the TEE+SE-shield deployment mode, shown in Fig. 4, on a mobile terminal that supports an SE the digital signature certificate is placed in an Applet in the SE. The TSM system manages the Applets in the SE, including personalization, installation, update and uninstallation. The certificate in the Applet (installation, update, deletion) is managed by the certificate management system. Once deployment of the TA and the Applet is complete, the certificate management system performs certificate personalization and related management such as update and revocation.
In one embodiment, the digital signature service application offers many functions to upper-layer service applications, for example certificate management (installation, update, deletion), transaction signing, digital signature password management, and retrieval of the certificate list and certificate information. For the pure-soft-shield deployment mode, one part of the digital signature certificate is kept in the APK of the digital signature service application and the other part in the certificate management system; a transaction signature requires the APK and the certificate management system to each sign before the complete signature can be computed.
For terminals with a TEE or SE, the digital signature service application mainly communicates with the TA and the Applet and provides the corresponding service interfaces to the upper layer. However the underlying layer implements the digital signature functions, the interface offered to upper-layer service applications stays the same. The TSM system, the TAM system and the certificate management system may be deployed together or separately.
The present invention provides a complete solution for digital signature certificates on mobile intelligent terminals, covering deployment configurations such as the pure soft shield, the TEE shield and the TEE+SE shield. It offers a one-stop integrated interface and an undifferentiated user experience, and gives mobile intelligent terminals with different hardware and software configurations the protection of the security level best suited to them.
In one embodiment, shown in Fig. 5, the present invention provides a digital signature device 50 based on a mobile terminal, including a data receiving module 51, a deployment mode selection module 52, a digital signature service application 53, a digital signature TA 54, and an Applet 55 running in an SE.
The data receiving module 51 receives the business data to be signed that a service application or external device sends through the digital signature service application 53. The digital signature service application 53 provides a unified digital certificate signing interface. The deployment mode selection module 52 selects, according to the device environment of the mobile terminal, the deployment mode of the digital signature certificate corresponding to the business data to be signed. The deployment modes of the digital signature certificate include: the certificate stored in a distributed way in the digital signature service application and the certificate management system; the certificate stored in a trusted application TA of the TEE system; and the certificate stored in an Applet of the eSE. The digital signature service application 53 obtains the certificate according to the deployment mode and uses it to perform the corresponding signature processing on the business data to be signed; the service application or external device receives the signature result through the digital signature service application 53.
In one embodiment, the digital signature service application 53 stores the digital certificate in a distributed way in the digital signature service application and the certificate management system. When providing the signature service, the digital signature service application 53 performs the signature operations on the business data to be signed in a distributed way, each party signing separately, and returns the signature result to the service application or external device. The digital signature service application 53 stores the first part of the digital certificate inside itself, and the certificate management system stores the second part; the first part of the digital signature certificate contains the first part of the private key, and the second part contains the second part of the private key.
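The two-party signing of the pure soft shield, described at the start of this section and restated for the device embodiment just above, together with the deployment selection by device environment from the preceding paragraph, as an added worked example. It is not code from the patent or from Watchdata. It assumes RSA with the private exponent split multiplicatively (d1 * d2 = d mod lambda(n)), which fits the text's "first signature in the app, second signature over that result in the certificate management system" sequence; the patent does not name a signature algorithm or splitting method, so this is one possible realization. The class and function names, the 1024-bit demo key, the seeded RNG, the password check and the sample transaction string are all assumptions or constructed for the example; the TEE and SE paths are represented only by the selection function, since those backends cannot run outside real hardware.

```python
import hashlib
import hmac
import random
from math import gcd

def _is_probable_prime(n: int, rng: random.Random, rounds: int = 20) -> bool:
    """Miller-Rabin primality test (n is assumed to be large)."""
    if any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # full-size and odd
        if _is_probable_prime(cand, rng):
            return cand

def rsa_keygen(bits: int, rng: random.Random):
    """Textbook RSA key: returns (n, e, d, lam) with lam = lcm(p-1, q-1)."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
        if p != q and gcd(e, lam) == 1:
            return p * q, e, pow(e, -1, lam), lam

def split_exponent(d: int, lam: int, rng: random.Random):
    """Return (d1, d2) with d1 * d2 == d (mod lam); d1 is a random unit mod lam."""
    while True:
        d1 = rng.randrange(2, lam)
        if gcd(d1, lam) == 1:
            return d1, (d * pow(d1, -1, lam)) % lam

def digest_int(data: bytes) -> int:
    """Integer to sign: SHA-256 of the data (a real scheme adds PKCS#1 padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

class SoftShieldClient:
    """Digital signature service app (REE, in the APK): holds private-key part d1
    and checks the signing password before producing the first signature."""
    def __init__(self, n: int, d1: int, password: str, rng: random.Random):
        self.n, self.d1 = n, d1
        self._salt = rng.getrandbits(128).to_bytes(16, "big")
        self._pw = self._kdf(password)

    def _kdf(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 10_000)

    def first_signature(self, data: bytes, password: str) -> int:
        if not hmac.compare_digest(self._kdf(password), self._pw):
            raise PermissionError("signing password rejected")
        return pow(digest_int(data), self.d1, self.n)

class CertManagementSystem:
    """Server-side certificate management system: holds d2, applies the second signature."""
    def __init__(self, n: int, d2: int):
        self.n, self.d2 = n, d2

    def second_signature(self, partial: int) -> int:
        return pow(partial, self.d2, self.n)

def verify(n: int, e: int, data: bytes, sig: int) -> bool:
    return pow(sig, e, n) == digest_int(data)

def select_deployment(has_tee: bool, has_se: bool) -> str:
    """Patent's choice: SE Applet if an SE exists (TA only relays and shows the TUI),
    TA if only a TEE exists, otherwise the split-key pure soft shield."""
    if has_se:
        return "TEE+SE shield"
    return "TEE shield" if has_tee else "pure soft shield"

def demo(seed: int = 7) -> dict:
    rng = random.Random(seed)  # seeded only so the example is reproducible
    n, e, d, lam = rsa_keygen(1024, rng)
    d1, d2 = split_exponent(d, lam, rng)
    client = SoftShieldClient(n, d1, "135790", rng)
    server = CertManagementSystem(n, d2)
    tx = b"pay 100.00 CNY to merchant 0001, order 20171229-42"  # constructed sample
    partial = client.first_signature(tx, "135790")  # first signature, in the app
    sig = server.second_signature(partial)          # second signature, server side
    return {
        "split_consistent": (d1 * d2) % lam == d,
        "full_ok": verify(n, e, tx, sig),
        "partial_ok": verify(n, e, tx, partial),  # one half alone never verifies
        "tampered_ok": verify(n, e, tx + b"0", sig),
    }
```

Running `demo()` shows the property the split is meant to give: the complete signature verifies against the public key, the app's partial result on its own does not, and any change to the transaction invalidates the signature. Since the app half lives in the REE, a compromised APK can leak d1; the server-side half therefore still has to authenticate the caller and enforce its own policy before applying the second signature, and a production scheme would sign a padded digest rather than the raw hash.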
In one embodiment, if the digital signature certificate is stored in the digital signature TA 54, the digital signature service application 53 sends the business data to be signed to the digital signature TA 54. The digital signature TA 54 obtains the certificate stored inside it and signs the business data with it. The service application or external device sends the business data to the digital signature TA 54 through the digital signature service application 53, and receives the signature result through the digital signature service application 53.
The digital signature service application 53 provides the corresponding functions for the deployment mode in which the certificate is stored in a trusted application TA of the TEE system. The certificate management system manages the digital signature certificate stored in the digital signature TA 54 through the digital signature service application 53, including installing, updating and deleting the certificate. The TAM system manages the digital signature TA 54 through the digital signature service application, including installing, updating and deleting the TA.
In one embodiment, if the digital signature certificate is stored in the Applet 55, the digital signature service application 53 provides the corresponding functions for the deployment mode in which the certificate is stored in the Applet. The service application or external device sends the business data to be signed to the digital signature TA 54 through the digital signature service application 53, and the digital signature TA 54 forwards the business data to the Applet 55.
The Applet 55 obtains the digital signature certificate stored inside it, signs the business data with it, and returns the signature result to the digital signature TA 54. If the certificate is stored in the Applet 55, a service application on the REE side can also communicate with the Applet 55 directly for signing: the Applet 55 obtains the certificate stored inside it, signs the business data sent by the REE-side service application, and returns the signature result to the REE-side service application.
The certificate management system manages the digital signature certificate stored in the Applet 55 through the digital signature service application 53 and the digital signature TA 54, including installing, updating and deleting the certificate. The TSM system manages the Applet 55 through the digital signature service application and the digital signature TA 54, including personalizing, installing, updating and uninstalling the Applet.
In one embodiment, the present invention provides a mobile terminal including the digital signature device based on a mobile terminal of any of the above embodiments. Mobile terminals include smartphones, tablets (PADs) and the like.
Fig. 6 is a block diagram of another embodiment of the digital signature device based on a mobile terminal. As shown in Fig. 6, the device may include a memory 61, a processor 62 and a communication interface 63. The memory 61 stores instructions; the processor 62 is coupled to the memory 61 and is configured to execute, based on the instructions stored in the memory 61, the digital signature method based on a mobile terminal described above. The memory 61 may be a high-speed RAM, a non-volatile memory, or the like, or a memory array. The processor 62 may be a central processing unit (CPU) or the like.
The digital signature method, device and mobile terminal of the above embodiments determine the deployment mode of the digital signature certificate corresponding to the business data to be signed, obtain the certificate according to that deployment mode, and use it to perform the corresponding signature processing on the business data. By combining the digital signature certificate with the mobile terminal, the certificate is stored securely using the software and hardware protection of the mobile terminal, and transaction data is signed with the certificate in a secure environment, so that the customer service back end can verify the authenticity of the transaction and of the user's identity. According to the system environment of the user's mobile intelligent terminal, certificate deployment schemes of different security levels are applied, giving the user a one-stop digital signature product with no difference in user experience and the highest security the device allows. This markedly improves the security, convenience and deployability of mobile digital signature applications, and saves the user the cost of buying an additional hardware USB key (U-shield).
The method and system of the present invention may be implemented in many ways, for example by software, hardware, firmware or any combination of them. The order of the method steps given above is for illustration only; unless otherwise specified, the steps of the method are not limited to that order. In addition, in some embodiments the present invention may be embodied as programs recorded in a recording medium, which include machine-readable instructions for implementing the method according to the present invention. The present invention therefore also covers a recording medium storing a program for executing the method according to the present invention.
The description of the invention is provided by way of example and is neither exhaustive nor intended to limit the invention to the disclosed form. Many modifications and variations will be obvious to those of ordinary skill in the art. The embodiments were selected and described to better illustrate the principles and practical application of the invention, and to enable those of ordinary skill in the art to understand the invention and design various embodiments with various modifications suited to particular uses.

Claims (18)

1. A digital signature method based on a mobile terminal, characterized by comprising:
receiving business data to be signed that a service application or external device sends through a digital signature service application, wherein the digital signature service application provides a unified digital certificate signing interface;
determining, according to the device environment of the mobile terminal, the deployment mode of the digital signature certificate corresponding to the business data to be signed;
wherein the deployment modes of the digital signature certificate include: the digital signature certificate is stored in a distributed way in the digital signature service application and a certificate management system; the digital signature certificate is stored in a trusted application TA of a TEE system; the digital signature certificate is stored in an Applet of an eSE;
obtaining the digital signature certificate according to the deployment mode, and performing the corresponding signature processing on the business data to be signed using the digital signature certificate;
the service application or external device receiving the signature processing result through the digital signature service application.
2. The method of claim 1, characterized in that obtaining the digital signature certificate according to the deployment mode and performing the corresponding signature processing on the business data to be signed using the digital signature certificate comprises:
storing the digital certificate in a distributed way in the digital signature service application and the certificate management system; when providing the signature service, performing signature operations on the business data to be signed separately, in a distributed way, and returning the signature result to the service application or external device through the digital signature service application.
3. The method of claim 2, characterized in that the digital signature service application stores the first part of the digital certificate inside itself, and the certificate management system stores the second part of the digital certificate;
the first part of the digital signature certificate includes the first part of the private key, and the second part of the digital signature certificate includes the second part of the private key.
4. The method of claim 1, characterized in that obtaining the digital signature certificate according to the deployment mode and performing the corresponding signature processing on the business data to be signed using the digital signature certificate comprises:
if the digital signature certificate is stored in a digital signature TA, the service application or external device sending the business data to be signed to the digital signature TA through the digital signature service application;
the digital signature TA obtaining the digital signature certificate stored inside it and signing the business data to be signed with the digital signature certificate, and the service application or external device receiving the signature result through the digital signature service application.
5. The method of claim 4, characterized by further comprising:
the digital signature service application providing the corresponding functions for the deployment mode in which the digital signature certificate is stored in the trusted application TA of the TEE system; a certificate management system managing the digital signature certificate stored in the digital signature TA through the digital signature service application, including installing, updating and deleting the digital signature certificate;
a TAM system managing the digital signature TA through the digital signature service application, including installing, updating and deleting the digital signature TA.
6. The method of claim 1, characterized in that obtaining the digital signature certificate according to the deployment mode and performing the corresponding signature processing on the business data to be signed using the digital signature certificate comprises:
if the digital signature certificate is stored in the Applet, the digital signature service application providing the corresponding functions for the deployment mode in which the digital signature certificate is stored in the Applet; the service application or external device sending the business data to be signed to the digital signature TA through the digital signature service application; the digital signature TA sending the business data to be signed to the Applet;
the Applet obtaining the digital signature certificate stored inside it, signing the business data to be signed with the digital signature certificate, and returning the signature result to the digital signature TA.
7. The method of claim 1, characterized by further comprising:
if the digital signature certificate is stored in the Applet, a service application on the REE side communicating with the Applet to perform the digital signature processing; wherein the Applet obtains the digital signature certificate stored inside it, signs the business data to be signed sent by the REE-side service application with the digital signature certificate, and returns the signature result to the REE-side service application.
8. The method of claim 6, characterized by further comprising:
a certificate management system managing the digital signature certificate stored in the Applet through the digital signature service application and the digital signature TA, including installing, updating and deleting the digital signature certificate;
a TSM system managing the Applet through the digital signature service application and the digital signature TA, including personalizing, installing, updating and uninstalling the Applet.
9. A digital signature device based on a mobile terminal, characterized by comprising:
a data receiving module for receiving business data to be signed that a service application or external device sends through a digital signature service application; wherein the digital signature service application provides a unified digital certificate signing interface;
a deployment mode selection module for selecting, according to the device environment of the mobile terminal, the deployment mode of the digital signature certificate corresponding to the business data to be signed; wherein the deployment modes of the digital signature certificate include: the digital signature certificate is stored in a distributed way in the digital signature service application and a certificate management system; the digital signature certificate is stored in a trusted application TA of a TEE system; the digital signature certificate is stored in an Applet of an eSE;
the digital signature service application, for obtaining the digital signature certificate according to the deployment mode and performing the corresponding signature processing on the business data to be signed using the digital signature certificate; wherein the service application or external device receives the signature processing result through the digital signature service application.
10. The device of claim 9, characterized in that
the digital signature service application is configured to store the digital certificate in a distributed way in the digital signature service application and the certificate management system; when providing the signature service, to perform signature operations on the business data to be signed separately, in a distributed way; and to return the signature result to the service application or external device through the digital signature service application.
11. The device of claim 10, characterized in that
the digital signature service application stores the first part of the digital certificate inside itself, and the certificate management system stores the second part of the digital certificate; the first part of the digital signature certificate includes the first part of the private key, and the second part of the digital signature certificate includes the second part of the private key.
12. The device of claim 9, characterized by further comprising a digital signature TA;
the digital signature service application being configured, if the digital signature certificate is stored in the digital signature TA, to send the business data to be signed to the digital signature TA;
the digital signature TA being configured to obtain the digital signature certificate stored inside it and to sign the business data to be signed with the digital signature certificate;
wherein the service application or external device sends the business data to be signed to the digital signature service application and receives the signature result through the digital signature service application.
13. The device of claim 12, characterized in that
the digital signature service application provides the corresponding functions for the deployment mode in which the digital signature certificate is stored in the trusted application TA of the TEE system; a certificate management system manages the digital signature certificate stored in the digital signature TA through the digital signature service application, including installing, updating and deleting the digital signature certificate;
a TAM system manages the digital signature TA through the digital signature service application, including installing, updating and deleting the digital signature TA.
14. The device of claim 9, characterized by further comprising an Applet running in an eSE;
the digital signature service application being configured, if the digital signature certificate is stored in the Applet, to provide the corresponding functions for the deployment mode in which the digital signature certificate is stored in the Applet; the service application or external device sending the business data to be signed to the digital signature TA through the digital signature service application;
the digital signature TA being configured to send the business data to be signed to the Applet;
the Applet being configured to obtain the digital signature certificate stored inside it, to sign the business data to be signed with the digital signature certificate, and to return the signature result to the digital signature TA.
15. The device of claim 9, characterized by further comprising:
if the digital signature certificate is stored in the Applet, a service application on the REE side communicating with the Applet to perform the digital signature processing;
the Applet being configured to obtain the digital signature certificate stored inside it, to sign the business data to be signed sent by the REE-side service application with the digital signature certificate, and to return the signature result to the REE-side service application.
16. The device of claim 14, characterized in that
a certificate management system manages the digital signature certificate stored in the Applet through the digital signature service application and the digital signature TA, including installing, updating and deleting the digital signature certificate;
a TSM system manages the Applet through the digital signature service application and the digital signature TA, including personalizing, installing, updating and uninstalling the Applet.
17. A mobile terminal, characterized by
comprising the digital signature device based on a mobile terminal of any one of claims 9 to 16.
18. A digital signature device based on a mobile terminal, characterized by comprising:
a memory; and a processor coupled to the memory, the processor being configured to execute, based on instructions stored in the memory, the digital signature method based on a mobile terminal of any one of claims 1 to 8.
CN201711484493.0A 2017-12-29 2017-12-29 Digital signature method and device based on mobile terminal and mobile terminal Active CN108200052B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711484493.0A CN108200052B (en) 2017-12-29 2017-12-29 Digital signature method and device based on mobile terminal and mobile terminal


Publications (2)

Publication Number Publication Date
CN108200052A true CN108200052A (en) 2018-06-22
CN108200052B CN108200052B (en) 2021-02-02

Family

ID=62586742


Country Status (1)

Country Link
CN (1) CN108200052B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109409137A (en) * 2018-11-21 2019-03-01 北京握奇智能科技有限公司 A kind of method and system loading external resource in TEE environment
WO2019200765A1 (en) * 2018-04-16 2019-10-24 上海分赋信息科技有限公司 System and corresponding method for realizing mapping of digital asset on mapping chain based on distributed technique

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090307486A1 (en) * 2008-06-09 2009-12-10 Garret Grajek System and method for secured network access utilizing a client .net software component
CN102231729A (en) * 2011-05-18 2011-11-02 浪潮集团山东通用软件有限公司 Method for supporting various CA (Certification Authority) identity authentications
CN103034789A (en) * 2012-12-10 2013-04-10 山东中创软件商用中间件股份有限公司 Bundle deployment methodnd device and security framework
CN103237235A (en) * 2013-03-18 2013-08-07 中国科学院信息工程研究所 Method and system for realizing identity authentication on Cloud TV terminals
CN105871840A (en) * 2016-03-30 2016-08-17 恒宝股份有限公司 Certificate management method and system



Also Published As

Publication number Publication date
CN108200052B (en) 2021-02-02


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant