CN108200052B - Digital signature method and device based on mobile terminal and mobile terminal - Google Patents

Publication number
CN108200052B
Authority
CN
China
Prior art keywords
digital signature
certificate
service application
signed
applet
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201711484493.0A
Other languages
Chinese (zh)
Other versions
CN108200052A (en)
Inventor
秦立仓
李勃
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Watchdata Co ltd
Beijing WatchSmart Technologies Co Ltd
Original Assignee
Beijing Watchdata Co ltd
Beijing WatchSmart Technologies Co Ltd
Application filed by Beijing Watchdata Co ltd, Beijing WatchSmart Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/33 User authentication using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Stored Programmes (AREA)

Abstract

The invention discloses a digital signature method and device based on a mobile terminal, and a mobile terminal. The method comprises: receiving, through a digital signature service application, service data to be signed sent by a service application or an external device; determining, according to the environment of the mobile terminal device, the deployment mode of the digital signature certificate corresponding to the service data to be signed; and acquiring a digital signature certificate interface according to the deployment mode and signing the service data to be signed with the digital signature certificate. The method, the device and the mobile terminal combine the digital signature certificate application with the mobile terminal environment, store the digital signature certificate securely using software and hardware protection, and adopt digital signature deployment schemes of different security levels. This provides a one-stop digital signature product for mobile intelligent terminals that is as secure as possible with no difference in user experience, improves the security, convenience and ease of deployment of the digital signature application, and saves the user the cost of purchasing an additional hardware U shield.

Description

Digital signature method and device based on mobile terminal and mobile terminal
Technical Field
The invention relates to the technical field of information security, in particular to a digital signature method and device based on a mobile terminal and the mobile terminal.
Background
As the mobile and consumer markets for interconnected devices mature, security is an increasing concern. From 2015 to 2016 the share of transfers made through online banking fell from 35% to 19%, but the online banking transaction amount in 2016 was still nearly 2000 trillion, a transaction scale far larger than that of mobile banking, and large transfers, complex transactions, special authorization services and the like remain concentrated in personal online banking. Therefore, in view of the insecurity of mobile banking and the inconvenience of carrying an online banking U shield, it was proposed in 2014 to migrate the PC-side U shield to a mobile phone shield. At present, the shield function is implemented on mobile phones mainly by means of a Bluetooth Key, an audio Key and the like. With these hardware-based implementations, the user needs to purchase the related hardware and the bank providing mobile banking needs to modify the related interface to communicate with that hardware, which causes a certain development difficulty and increases the user's cost.
Disclosure of Invention
In view of the above, an object of the present invention is to provide a digital signature method and apparatus based on a mobile terminal, and a mobile terminal.
According to an aspect of the present invention, there is provided a mobile terminal based digital signature method, including: receiving service data to be signed sent by a service application or an external device through a digital signature service application, wherein the digital signature service application is used for providing a uniform digital certificate signature interface; determining a deployment mode of a digital signature certificate corresponding to the service data to be signed according to the environment of the mobile terminal equipment; wherein, the deployment mode of the digital signature certificate comprises: the digital signature certificate is stored in a digital signature service application and certificate management system based on a distributed storage mode, the digital signature certificate is stored in a trusted application TA of a TEE system, and the digital signature certificate is stored in an Applet of an eSE; acquiring the digital signature certificate according to the deployment mode, and correspondingly signing the service data to be signed by using the digital signature certificate; and the service application or the external equipment receives a signature processing result through the digital signature service application.
Optionally, the acquiring a digital signature certificate interface according to the deployment mode, and performing corresponding signature processing on the service data to be signed by using the digital signature certificate include: storing the digital certificate in a digital signature service application and a certificate management system based on a distributed storage mode; and when signature service is carried out, signature operation is respectively carried out on the service data to be signed based on a distributed operation mode, and a signature result is returned to the service application or external equipment through the digital signature service application.
Optionally, the digital signature service application internally stores a first portion of the digital certificate, the certificate management system storing a second portion of the digital certificate; the first portion of the digitally signed certificate comprises: a first portion of a private key; the second portion of the digitally signed certificate comprises: a second portion of the private key.
Optionally, the acquiring a digital signature certificate interface according to the deployment mode, and performing corresponding signature processing on the service data to be signed by using the digital signature certificate include: if the digital signature certificate is stored in the digital signature TA, the service application or the external equipment sends the service data to be signed to the digital signature TA through a digital signature service application; the digital signature TA acquires the digital signature certificate stored in the TA and carries out signature processing on the service data to be signed based on the digital signature certificate, and the service application or the external equipment receives a signature result through the digital signature service application.
Optionally, the digital signature service application provides corresponding functions for the deployment mode in which the digital signature certificate is stored in a trusted application TA of the TEE system; the certificate management system manages the digital signature certificate stored in the digital signature TA through the digital signature service application, which includes installing, updating and deleting the digital signature certificate; the TAM system manages the digital signature TA through the digital signature service application, which includes installing, updating and deleting the digital signature TA.
Optionally, the acquiring a digital signature certificate interface according to the deployment mode, and correspondingly signing the service data to be signed by using the digital signature certificate includes: if the digital signature certificate is stored in the Applet, the digital signature service application provides corresponding functions for the deployment mode of the digital signature certificate stored in the Applet; the service application or the external equipment sends the service data to be signed to the digital signature TA through a digital signature service application; the digital signature TA sends the service data to be signed to the Applet; and the Applet acquires the digital signature certificate stored in the Applet, signs the service data to be signed based on the digital signature certificate, and returns a signature result to the digital signature TA.
Optionally, if the digital signature certificate is stored in the Applet, the business application at the REE side communicates with the Applet to perform digital signature processing; the Applet acquires the digital signature certificate stored in the Applet, signs the service data to be signed sent by the service application at the REE side based on the digital signature certificate, and returns a signature result to the service application at the REE side.
Optionally, the certificate management system manages the digital signature certificate stored in the Applet through the digital signature service application and the digital signature TA, which includes installing, updating and deleting the digital signature certificate; the TSM system manages the Applet through the digital signature service application and the digital signature TA, which includes personalizing, installing, updating and uninstalling the Applet.
According to another aspect of the present invention, there is provided a mobile terminal-based digital signature apparatus, including: the data receiving module is used for receiving service data to be signed sent by a service application or an external device through a digital signature service application; the digital signature service application is used for providing a uniform digital certificate signature interface; the deployment mode selection module is used for determining the deployment mode of the digital signature certificate corresponding to the service data to be signed according to the environment of the mobile terminal equipment; wherein, the deployment mode of the digital signature certificate comprises: the digital signature certificate is stored in a digital signature service application and certificate management system based on a distributed storage mode, the digital signature certificate is stored in a trusted application TA of a TEE system, and the digital signature certificate is stored in an Applet of an eSE; the digital signature service application is used for acquiring the digital signature certificate according to the deployment mode and correspondingly signing the service data to be signed by using the digital signature certificate; and the service application or the external equipment receives a signature processing result through the digital signature service application.
Optionally, storing the digital certificate in a digital signature service application and a certificate management system based on a distributed storage manner; when signature service is carried out, signature operation is respectively carried out on the service data to be signed based on a distributed operation mode; and returning the signature result to the business application or the external equipment through the digital signature service application.
Optionally, the digital signature service application internally stores a first portion of the digital certificate, the certificate management system storing a second portion of the digital certificate; the first portion of the digitally signed certificate comprises: a first portion of a private key; the second portion of the digitally signed certificate comprises: a second portion of the private key.
Optionally, the method further comprises: a digital signature TA; the digital signature service application is configured to send the service data to be signed to the digital signature TA if the digital signature certificate is stored in the digital signature TA; the digital signature TA is configured to obtain the digital signature certificate stored in the TA and perform signature processing on the service data to be signed based on the TA, where the service application or the external device sends the service data to be signed to the digital signature service application, and receives a signature result through the TA.
Optionally, the digital signature service application provides a corresponding function for the deployment mode in which the digital signature certificate is stored in a trusted application TA of the TEE system; managing, through the digital signature service application, the digital signature certificate stored in the digital signature TA includes installing, updating and deleting the digital signature certificate; the TAM system manages the digital signature TA through the digital signature service application, which includes installing, updating and deleting the digital signature TA.
Optionally, the method further comprises: an Applet running in the eSE; the digital signature service application is used for providing corresponding functions for a deployment mode of the digital signature certificate stored in the Applet if the digital signature certificate is stored in the Applet; the service application or the external equipment sends the service data to be signed to the digital signature TA through a digital signature service application; the digital signature TA is used for sending the service data to be signed to the Applet; and the Applet is used for acquiring the digital signature certificate stored in the Applet, signing the service data to be signed based on the digital signature certificate, and returning a signature result to the digital signature TA.
Optionally, if the digital signature certificate is stored in the Applet, the business application at the REE side communicates with the Applet to perform digital signature processing; and the Applet is used for acquiring the digital signature certificate stored in the Applet, signing the service data to be signed sent by the service application at the REE side based on the digital signature certificate, and returning a signing result to the service application at the REE side.
Optionally, the certificate management system manages the digital signature certificate stored in the Applet through the digital signature service application and the digital signature TA, which includes installing, updating and deleting the digital signature; the TSM system manages the Applet through the digital signature service application and the digital signature TA, which includes personalizing, installing, updating and uninstalling the Applet.
According to still another aspect of the present invention, there is provided a mobile terminal including the trusted execution environment mobile terminal-based digital signature apparatus as described above.
According to still another aspect of the present invention, there is provided a mobile terminal-based digital signature apparatus for a trusted execution environment, including: a memory; and a processor coupled to the memory, the processor configured to execute the trusted execution environment mobile terminal-based digital signature method of any of the above, based on instructions stored in the memory.
The mobile terminal based digital signature method and device and the mobile terminal determine the deployment mode of the digital signature certificate corresponding to the service data to be signed, acquire the digital signature certificate according to the deployment mode, and sign the service data to be signed with it. The digital signature certificate application is combined with the mobile terminal, the digital signature certificate is stored securely using software and hardware protection in the mobile terminal, and digital signature deployment schemes of different security levels are adopted according to the system environment of the user's mobile intelligent terminal, providing the user with a one-stop mobile intelligent terminal digital signature product that is as secure as possible with no difference in user experience. The security, convenience and ease of deployment of the digital signature application on the mobile intelligent terminal can be significantly improved, and the user is saved the cost of purchasing an additional hardware U shield.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a flowchart illustrating an embodiment of a digital signature method based on a mobile terminal according to the present invention;
Fig. 2, Fig. 3, Fig. 3A and Fig. 4 are schematic diagrams of digital signature certificate deployment for the pure soft shield, the TEE shield, the Applet and the TEE + SE shield, respectively;
Fig. 5 is a block diagram illustrating an embodiment of a digital signature device based on a mobile terminal according to the present invention;
Fig. 6 is a block diagram illustrating another embodiment of a digital signature device based on a mobile terminal according to the present invention.
Detailed Description
Various exemplary embodiments of the present invention will now be described in detail with reference to the accompanying drawings. It should be noted that: the relative arrangement of the components and steps, the numerical expressions and numerical values set forth in these embodiments do not limit the scope of the present invention unless specifically stated otherwise.
Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.
The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the invention, its application, or uses.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
Embodiments of the invention are operational with numerous other general purpose or special purpose computing system environments or configurations. Examples of well known computing systems, environments, and/or configurations that may be suitable for use with the computer system/server include, but are not limited to: smart phones, personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, network pcs, minicomputers, mainframe computer systems, distributed cloud computing environments that include any of the above systems, and the like.
The computer system/server may be described in the general context of computer system-executable instructions, such as program modules, being executed by a computer system. Generally, program modules may include routines, programs, objects, components, logic, data structures, etc. that perform particular tasks or implement particular abstract data types. The computer system/server may be practiced in distributed cloud computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed cloud computing environment, program modules may be located in both local and remote computer system storage media including memory storage devices.
The terms "first", "second", and the like are used hereinafter only for descriptive distinction and not for other specific meanings.
Fig. 1 is a flowchart illustrating an embodiment of a digital signature method based on a mobile terminal according to the present invention, as shown in fig. 1:
Step 101, receiving service data to be signed sent by a service application or an external device through a digital signature service application, wherein the digital signature service application is used for providing a uniform digital certificate signature interface.
The service application may be a service application in the mobile terminal, such as a service application for shopping, internet banking and the like, and the external device may be a provider server, an internet banking server and the like. The business data to be signed can be transaction data to be signed and the like.
Step 102, determining a deployment mode of a digital signature certificate corresponding to service data to be signed.
The digital signature certificate may be deployed in a variety of ways. For example, the digital signature certificate is stored in distributed form locally on the mobile terminal and in the certificate management system, the digital signature certificate is stored in the trusted application TA of the TEE system, the digital signature certificate is stored in the Applet of the eSE, and the like. Digital signature certificates that sign different business data may be deployed in different ways.
The TEE (Trusted Execution Environment) is an isolated execution environment that runs in parallel with the rich operating system environment (REE, Rich Execution Environment) and provides security services to it, isolating and protecting software and hardware security resources and application programs from the rich environment.
The secure element SE may be a secure module combining software, hardware, and related protocols, and may be embedded with a smart card-level application, such as a UICC, an embedded SE, a pluggable memory card, and the like. An Applet is a program that runs in a SE. A digitally signed certificate is a document containing public key owner information and a public key that is digitally signed by a certificate authority. For example, the simplest digitally signed certificate contains a public key, a name, and a digital signature of a certificate authority.
In one embodiment, the digital signature deployment may be placed in as secure an environment as possible, depending on the current system environment.
Pure soft shield deployment: the digital signature certificate is stored in distributed form in the mobile terminal application and the certificate management system, which together produce the digital signature of the user service data.
TEE shield deployment: the digital signature certificate is stored in a TA of the TEE system of the mobile terminal; the mobile intelligent application calls the TA, and the digital signature of the user service data is completed inside the TA.
TEE + SE shield deployment: the digital signature certificate is stored in an Applet of the mobile terminal SE; the mobile terminal application calls the TA, the TA calls the Applet, and the digital signature of the user service data is completed inside the Applet.
Table 1 below shows the deployment schemes selected for different mobile intelligent terminal system environments:
[Table 1: deployment scenario table for digitally signed certificates (table image not reproduced)]
Step 103, acquiring the digital signature certificate according to the deployment mode, and correspondingly signing the service data to be signed by using the digital signature certificate.
Step 104, the service application or the external equipment receives a signature processing result through the digital signature service application.
In the digital signature method based on the mobile terminal in the embodiment, no external hardware is added, and digital signature certificate applications with different security levels are realized in the mobile intelligent terminal by adopting different solutions according to the mobile intelligent terminal system environment of the user; the mobile intelligent terminal digital signature deployment schemes with different security levels are adopted, and a one-stop mobile intelligent terminal digital signature product which is as safe as possible and has no difference in user experience is provided for users.
In one embodiment, the digital certificate is stored in the digital signature service application and certificate management system based on a distributed storage manner; when signature service is carried out, signature operation is carried out on the service data to be signed based on a distributed operation mode, and a signature result is returned to the service application or the external equipment.
When the digital signature certificate is determined to be stored in the digital signature service application and the certificate management system in distributed form, the digital signature service application stores a first part of the digital signature certificate internally and the certificate management system stores a second part. The first part of the digital signature certificate may include a first part of the private key, and the second part of the digital signature certificate may include a second part of the private key.
The digital signature service application signs the service data to be signed based on the first part and the second part of the digital signature certificate and returns the signature processing result to the service application or the external device. For example, during signing, a password is first verified in the digital signature service application and the first part of the private key is used to sign the transaction information a first time; the digital signature service application then sends this signature result to the certificate management system, where it is signed a second time with the second part of the private key; and the digital signature service application returns the final signature result. The digital signature service application may run in the REE.
For the pure soft shield deployment mode, as shown in Fig. 2, the digital signature service mainly provides the digital signature certificate signing interface. Because the mobile terminal is not secure, the private key is stored in distributed form: one part is stored at the certificate management system end and the other part is stored in the digital signature service application, and the two parts must operate together to form a complete signature.
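The two-step signing described above, as an added example that is not part of the patent. It assumes RSA with the private exponent split multiplicatively (d1 * d2 congruent to d modulo phi(n)), which the patent does not specify, and uses a constructed demo key, unpadded textbook signing and hypothetical class names.

```python
# Added example (not from the patent): split-key signing between the device-side
# digital signature service application and the certificate management system.
# Assumptions: textbook RSA over a SHA-256 digest and a multiplicative split
# d1 * d2 = d (mod phi); the patent names neither the algorithm nor the split.
import hashlib
import hmac
import secrets
from math import gcd

# Constructed demo key built from two Mersenne primes so the block runs offline.
P, Q = 2**521 - 1, 2**607 - 1
N, PHI, E = P * Q, (P - 1) * (Q - 1), 65537
D = pow(E, -1, PHI)  # full private exponent; needed only while splitting


def digest_as_int(data):
    """SHA-256 digest as an integer (no padding: demo simplification)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def split_private_exponent(d, phi):
    """Return (d1, d2) with d1 * d2 congruent to d modulo phi."""
    while True:
        d1 = secrets.randbelow(phi - 2) + 2
        if gcd(d1, phi) == 1:  # d1 must be invertible modulo phi
            return d1, (d * pow(d1, -1, phi)) % phi


class SignatureServiceApp:
    """Device side (REE): holds the first key part and checks the password."""

    def __init__(self, d1, password):
        self._d1 = d1
        self._salt = secrets.token_bytes(16)
        self._pw = self._kdf(password)

    def _kdf(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def first_sign(self, data, password):
        """First signing pass; refuses to use the key part on a bad password."""
        if not hmac.compare_digest(self._kdf(password), self._pw):
            raise PermissionError("password check failed")
        return pow(digest_as_int(data), self._d1, N)


class CertificateManagementSystem:
    """Server side: holds the second key part and never sees the first."""

    def __init__(self, d2):
        self._d2 = d2

    def second_sign(self, partial):
        """Second signing pass over the device's partial result."""
        return pow(partial, self._d2, N)


def verify(data, signature):
    """Ordinary public-key verification; the verifier sees no split."""
    return pow(signature, E, N) == digest_as_int(data)


def sign_split(app, cms, data, password):
    """Device signs first, server signs second, device checks the result."""
    partial = app.first_sign(data, password)
    signature = cms.second_sign(partial)
    if not verify(data, signature):
        raise ValueError("combined signature does not verify")
    return signature


if __name__ == "__main__":
    d1, d2 = split_private_exponent(D, PHI)
    app = SignatureServiceApp(d1, "demo-PIN-2468")
    cms = CertificateManagementSystem(d2)
    msg = b"constructed transaction: pay 100.00 to account 0001"
    sig = sign_split(app, cms, msg, "demo-PIN-2468")
    partial = app.first_sign(msg, "demo-PIN-2468")
    print("combined signature verifies:", verify(msg, sig))
    print("device part alone verifies:", verify(msg, partial))
```

Neither stored part yields a valid signature by itself, so reading the device-side storage alone does not give a usable signing key.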
In one embodiment, if the digital signature certificate is stored in the digital signature TA, the digital signature service application sends the service data to be signed to the digital signature TA. The digital signature TA acquires the digital signature certificate stored in the TA, signs the service data to be signed based on the digital signature certificate, and returns the signature result to the digital signature service application.
The certificate management system manages the digital signature certificate stored in the digital signature TA through the digital signature service application, including installing, updating and deleting the digital signature certificate. The TAM (Trusted Application Management) system manages the digital signature TA through the digital signature service application, including installing, updating and deleting the digital signature TA.
For the TEE-shield deployment mode, as shown in fig. 3, on a mobile intelligent terminal that supports a TEE the digital signature certificate is placed in a TA of the TEE, and management of the TA, including installation, update and deletion, can be completed through the TAM system. Management of the digital signature certificate in the TA, including installation, update and deletion, can be completed through the certificate management system. If the mobile terminal has a TEE but no SE, the TA is used as the unit for storing and processing the digital signature certificate; if the mobile terminal has an SE, the SE is used as the unit for storing and processing the digital signature certificate, and the TA serves only as a communication and TUI display unit.
In one embodiment, as shown in fig. 3A, if the digital signature certificate is stored in the Applet, the digital signature service application sends the service data to be signed to the digital signature TA, and the digital signature TA sends the service data to be signed to the Applet. The Applet acquires the digital signature certificate stored in the Applet, signs the service data to be signed based on the digital signature certificate, and returns the signature result to the digital signature TA. The digital signature TA returns the signature result to the digital signature service application. The digital signature service can be provided as a separate module or as an interface JAR; its main purpose is to provide a unified interface to the outside.
If the digital signature certificate is stored in the Applet, the business application at the REE side can also communicate with the Applet to perform digital signature processing. And the Applet acquires the digital signature certificate stored in the Applet, signs the service data to be signed sent by the service application at the REE side based on the digital signature certificate, and returns the signature result to the service application at the REE side.
The certificate management system manages the digital signature certificate stored in the Applet through the digital signature service application and the digital signature TA, including installing, updating and deleting the digital signature certificate. The TSM (Trusted Service Manager) system manages the Applet through the digital signature service application and the digital signature TA, including personalization, installation, updating and uninstallation of the Applet. If an SE exists in the mobile terminal, an Applet is built into the SE; this unit sits in the most secure layer and is used for storing and processing the digital signature certificate.
For the TEE + SE shield deployment, as shown in fig. 4, on a mobile terminal that supports an SE the digital signature certificate is stored in an Applet in the SE. The TSM system is used to manage the Applet in the SE, including personalization, installation, update and uninstallation. Management of the digital signature certificate in the Applet, including installation, update and deletion, may be completed through the certificate management system. After the certificate management system completes the deployment of the TA and the Applet, the digital signature certificate undergoes management such as personalization-related updating and revocation.
In one embodiment, the digital signature service application may provide a variety of functions for the upper-layer business application, such as certificate management (installation, update, deletion), transaction signing, digital signature certificate password management, and retrieval of certificate lists and certificate information. For the pure soft-shield deployment mode, one part of the digital signature certificate is stored in the APK of the digital signature service application and the other part is in the certificate management system; a complete signature can be calculated only after the APK and the certificate management system have each performed their signature operation on the transaction.
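The two-step signing flow of the pure soft-shield mode (first signature in the service application, second signature in the certificate management system) can be illustrated as follows. This is an added example, not code from the patent: it assumes RSA with a multiplicative key split (d1·d2 ≡ d mod φ(n)) and PKCS#1 v1.5 encoding, neither of which the patent specifies, and all class, function and parameter names are hypothetical.

```python
import hashlib
import hmac
import math
import secrets

# Constructed toy parameters (assumption): two Mersenne primes give a fixed
# modulus so the example runs offline. Such a modulus is NOT safe in practice.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
PHI = (P - 1) * (Q - 1)
K = (N.bit_length() + 7) // 8  # modulus length in bytes
# DER DigestInfo prefix for SHA-256 from PKCS#1 v1.5 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def encode(message: bytes) -> int:
    """Deterministic EMSA-PKCS1-v1_5 encoding of SHA-256(message)."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")


def verify(message: bytes, signature: int) -> bool:
    """Ordinary RSA verification with the public key (N, E)."""
    return 0 < signature < N and pow(signature, E, N) == encode(message)


def split_private_key():
    """Return (d1, d2) with d1 * d2 == d (mod PHI); d itself is not kept."""
    d = pow(E, -1, PHI)
    while True:
        d1 = secrets.randbelow(PHI - 2) + 2
        if math.gcd(d1, PHI) == 1:
            return d1, (d * pow(d1, -1, PHI)) % PHI


class SignatureServiceApp:
    """Terminal side (REE): holds only the first part of the private key."""

    def __init__(self, d1: int, password: str):
        self._d1 = d1
        self._salt = secrets.token_bytes(16)
        self._pw = self._kdf(password)

    def _kdf(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def first_signature(self, password: str, message: bytes) -> int:
        # The password is verified before the key share is used.
        if not hmac.compare_digest(self._pw, self._kdf(password)):
            raise PermissionError("password verification failed")
        return pow(encode(message), self._d1, N)


class CertificateManagementSystem:
    """Server side: holds only the second part of the private key."""

    def __init__(self, d2: int):
        self._d2 = d2

    def second_signature(self, message: bytes, partial: int) -> int:
        if not 0 < partial < N:
            raise ValueError("partial signature out of range")
        final = pow(partial, self._d2, N)
        # Release the result only if it verifies for the message shown to the
        # server (sending the message along is an assumption of this example).
        if not verify(message, final):
            raise ValueError("partial signature does not match the message")
        return final


def sign_transaction(app, cms, password: str, message: bytes) -> int:
    partial = app.first_signature(password, message)   # first signature
    final = cms.second_signature(message, partial)     # second signature
    if not verify(message, final):                     # check before returning
        raise ValueError("final signature failed verification")
    return final


if __name__ == "__main__":
    d1, d2 = split_private_key()
    app = SignatureServiceApp(d1, "constructed-password")
    cms = CertificateManagementSystem(d2)
    tx = b"constructed transaction: pay 100 to account 42"
    sig = sign_transaction(app, cms, "constructed-password", tx)
    print("valid:", verify(tx, sig))
    print("share alone valid:", verify(tx, pow(encode(tx), d1, N)))
```

The final signature verifies under the ordinary public key, while the output of either share on its own does not, so a key share recovered from the APK cannot sign without the certificate management system taking part.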
For a terminal with a TEE or SE, the digital signature service application mainly communicates with the TA and the Applet to provide the relevant service interface to the upper layer; the interface provided to the upper-layer service application stays unchanged regardless of how the bottom layer provides the digital signature certificate functions. The TSM system, the TAM system, the certificate management system and the like may be deployed together or separately.
The invention can provide an overall solution of the digital signature of the mobile intelligent terminal, comprises a plurality of deployment configurations such as a pure soft shield, a TEE + SE shield and the like, can provide a one-stop integrated interface and undifferentiated user experience, and provides the most applicable security level protection for the mobile intelligent terminals with different software and hardware configurations.
In one embodiment, as shown in fig. 5, the present invention provides a digital signature device 50 based on a mobile terminal, comprising: a data receiving module 51, a deployment mode selection module 52, a digital signature service application 53, a digital signature TA 54, and an Applet 55 running in the SE.
The data receiving module 51 receives service data to be signed sent by a service application or an external device through the digital signature service application 53. The digital signature service application 53 is used to provide a unified digital certificate signing interface. The deployment mode selection module 52 selects the deployment mode of the digital signature certificate corresponding to the service data to be signed according to the environment of the mobile terminal device. The deployment modes of the digital signature certificate include: the digital signature certificate is stored in the digital signature service application and the certificate management system in a distributed storage mode; the digital signature certificate is stored in a trusted application TA of the TEE system; the digital signature certificate is stored in an Applet of an eSE; and the like. The digital signature service application 53 is configured to obtain the digital signature certificate according to the deployment mode and to perform the corresponding signature processing on the service data to be signed by using the digital signature certificate; the business application or the external device receives the signature processing result through the digital signature service application 53.
In one embodiment, the digital signature service application 53 stores the digital certificate in the digital signature service application and the certificate management system in a distributed storage mode. When performing the signature service, the digital signature service application 53 performs the signature operation on the service data to be signed in a distributed operation mode. The signature result is returned to the business application or the external device through the digital signature service application 53. The digital signature service application 53 stores a first part of the digital certificate internally, and the certificate management system stores a second part of the digital certificate; the first part of the digital signature certificate comprises a first part of the private key, and the second part of the digital signature certificate comprises a second part of the private key.
In one embodiment, the digital signature service application 53 sends the service data to be signed to the digital signature TA 54 if the digital signature certificate is stored in the digital signature TA 54. The digital signature TA 54 acquires the digital signature certificate stored therein and performs signature processing on the service data to be signed based on the digital signature certificate. The service application or the external device sends the service data to be signed to the digital signature TA 54 through the digital signature service application 53, and receives the signature result through the digital signature service application 53.
The digital signature service application 53 provides the corresponding functions for the deployment mode in which the digital signature certificate is stored in the trusted application TA of the TEE system. The certificate management system manages the digital signature certificate stored in the digital signature TA 54 through the digital signature service application 53, including installing, updating and deleting the digital signature certificate. The TAM system manages the digital signature TA 54 through the digital signature service application, including installing, updating and deleting the digital signature TA.
In one embodiment, if the digital signature certificate is stored in the Applet 55, the digital signature service application 53 provides the corresponding functions for the deployment mode in which the digital signature certificate is stored in the Applet. The service application or external device sends the service data to be signed to the digital signature TA 54 through the digital signature service application 53. The digital signature TA 54 sends the service data to be signed to the Applet 55.
The Applet 55 obtains the digital signature certificate stored therein, signs the service data to be signed based on the digital signature certificate, and returns the signature result to the digital signature TA 54. If the digital signature certificate is stored in the Applet 55, the business application on the REE side communicates with the Applet 55 to perform digital signature processing. The Applet 55 obtains the digital signature certificate stored therein, performs signature processing on the service data to be signed sent by the service application at the REE side based on the digital signature certificate, and returns a signature result to the service application at the REE side.
The certificate management system manages the digital signature certificate stored in the Applet 55 through the digital signature service application 53 and the digital signature TA 54, including installation, update and deletion. The TSM system manages the Applet 55 through the digital signature service application and the digital signature TA 54, including personalization, installation, updating and uninstallation of the Applet.
In one embodiment, the present invention provides a mobile terminal comprising the mobile terminal-based digital signature apparatus as in any of the above embodiments. The mobile terminal comprises a smart phone, a PAD and the like.
Fig. 6 is a block diagram illustrating another embodiment of a digital signature method and apparatus based on a mobile terminal according to the present invention. As shown in fig. 6, the apparatus may include a memory 61, a processor 62, and a communication interface 63. The memory 61 is used for storing instructions, the processor 62 is coupled to the memory 61, and the processor 62 is configured to execute the mobile terminal-based digital signature method described above based on the instructions stored in the memory 61. The memory 61 may be a high-speed RAM memory, a non-volatile memory, or the like, and the memory 61 may be a memory array. The processor 62 may be a central processing unit (CPU) or the like.
In the digital signature method, the digital signature device and the mobile terminal based on the mobile terminal in the embodiment, the deployment mode of the digital signature certificate corresponding to the service data to be signed is determined, the digital signature certificate is obtained according to the deployment mode, and the corresponding signature processing is performed on the service data to be signed by using the digital signature certificate; combining the digital signature certificate application with the mobile terminal, storing the digital signature certificate safely by using a software and hardware protection method in the mobile terminal, and digitally signing transaction data by using the digital signature certificate in a safe environment so as to identify the authenticity of the transaction and the identity of a user by a user service background; according to the system environment of the user mobile intelligent terminal, mobile intelligent terminal digital signature deployment schemes with different security levels are adopted, and a one-stop mobile intelligent terminal digital signature product which is indistinguishable in user experience and as safe as possible is provided for a user; the safety, convenience and easiness in deployment of the digital signature application of the mobile intelligent terminal can be obviously improved, and meanwhile, the cost for a user to purchase an additional hardware U shield is saved.
The method and system of the present invention may be implemented in a number of ways. For example, the methods and systems of the present invention may be implemented in software, hardware, firmware, or any combination of software, hardware, and firmware. The above-described order for the steps of the method is for illustrative purposes only, and the steps of the method of the present invention are not limited to the order specifically described above unless specifically indicated otherwise. Furthermore, in some embodiments, the present invention may also be embodied as a program recorded in a recording medium, the program including machine-readable instructions for implementing a method according to the present invention. Thus, the present invention also covers a recording medium storing a program for executing the method according to the present invention.
The description of the present invention has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to practitioners skilled in this art. The embodiment was chosen and described in order to best explain the principles of the invention and the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.

Claims (16)

1. A digital signature method based on a mobile terminal is characterized by comprising the following steps:
receiving service data to be signed sent by a service application or an external device through a digital signature service application, wherein the digital signature service application is used for providing a uniform digital certificate signature interface;
determining a deployment mode of a digital signature certificate corresponding to the service data to be signed according to the environment of the mobile terminal equipment;
wherein, the deployment mode of the digital signature certificate comprises: the digital signature certificate is stored in a digital signature service application and certificate management system based on a distributed storage mode, the digital signature certificate is stored in a trusted application TA of a TEE system, and the digital signature certificate is stored in an Applet of an eSE;
the digital signature certificate is obtained according to the deployment mode, the digital signature certificate is used for correspondingly signing the service data to be signed, when the digital certificate is stored in a digital signature service application and a certificate management system based on a distributed storage mode, signature operation is respectively carried out on the service data to be signed based on a distributed operation mode during signature service, and a signature result is returned to the service application or external equipment through the digital signature service application;
and the service application or the external equipment receives a signature processing result through the digital signature service application.
2. The method of claim 1, wherein the digital signature service application internally stores a first portion of the digital certificate, and wherein the certificate management system stores a second portion of the digital certificate;
the first portion of the digitally signed certificate comprises: a first portion of a private key; the second portion of the digitally signed certificate comprises: a second portion of the private key.
3. The method according to claim 1, wherein the acquiring a digital signature certificate interface according to the deployment manner, and the correspondingly signing the service data to be signed by using the digital signature certificate includes:
if the digital signature certificate is stored in the digital signature TA, the service application or the external equipment sends the service data to be signed to the digital signature TA through a digital signature service application;
the digital signature TA acquires the digital signature certificate stored in the TA and carries out signature processing on the service data to be signed based on the digital signature certificate, and the service application or the external equipment receives a signature result through the digital signature service application.
4. The method of claim 3, further comprising:
the digital signature service application provides corresponding functions for the deployment mode of the digital signature certificate stored in the trusted application TA of the TEE system; the certificate management system manages the digital signature certificate stored in the digital signature TA through the digital signature service application, including: installing, updating and deleting the digital signature certificate;
the TAM system manages the digital signature TA through the digital signature service application, including: installing, updating and deleting the digital signature TA.
5. The method according to claim 1, wherein the acquiring a digital signature certificate interface according to the deployment manner, and the correspondingly signing the service data to be signed by using the digital signature certificate includes:
if the digital signature certificate is stored in the Applet, the digital signature service application provides corresponding functions for the deployment mode of the digital signature certificate stored in the Applet; the service application or the external equipment sends the service data to be signed to the digital signature TA through a digital signature service application; the digital signature TA sends the service data to be signed to the Applet;
and the Applet acquires the digital signature certificate stored in the Applet, signs the service data to be signed based on the digital signature certificate, and returns a signature result to the digital signature TA.
6. The method of claim 1, further comprising:
if the digital signature certificate is stored in the Applet, the business application at the REE side communicates with the Applet to perform digital signature processing; the Applet acquires the digital signature certificate stored in the Applet, signs the service data to be signed sent by the service application at the REE side based on the digital signature certificate, and returns a signature result to the service application at the REE side.
7. The method of claim 5, further comprising:
the certificate management system manages the digital signature certificate stored in the Applet through the digital signature service application and the digital signature TA, including: installing, updating and deleting the digital signature certificate;
the TSM system manages the Applet through the digital signature service application and the digital signature TA, including: personalizing, installing, updating and uninstalling the Applet.
8. A digital signature device based on a mobile terminal is characterized by comprising:
the data receiving module is used for receiving service data to be signed sent by a service application or an external device through a digital signature service application; the digital signature service application is used for providing a uniform digital certificate signature interface;
the deployment mode selection module is used for selecting the deployment mode of the digital signature certificate corresponding to the service data to be signed according to the environment of the mobile terminal equipment; wherein, the deployment mode of the digital signature certificate comprises: the digital signature certificate is stored in a digital signature service application and certificate management system based on a distributed storage mode, the digital signature certificate is stored in a trusted application TA of a TEE system, and the digital signature certificate is stored in an Applet of an eSE;
the digital signature service application is used for acquiring the digital signature certificate according to the deployment mode, correspondingly signing the service data to be signed by using the digital signature certificate, and respectively carrying out signature operation on the service data to be signed based on a distributed operation mode when carrying out signature service if the digital certificate is stored in the digital signature service application and the certificate management system based on a distributed storage mode; returning the signature result to the business application or the external equipment through the digital signature service application; and the service application or the external equipment receives a signature processing result through the digital signature service application.
9. The apparatus of claim 8,
the digital signature service application internally storing a first portion of the digital certificate, the certificate management system storing a second portion of the digital certificate; the first portion of the digitally signed certificate comprises: a first portion of a private key; the second portion of the digitally signed certificate comprises: a second portion of the private key.
10. The apparatus of claim 8, further comprising: a digital signature TA;
the digital signature service application is configured to send the service data to be signed to the digital signature TA if the digital signature certificate is stored in the digital signature TA;
the digital signature TA is used for acquiring the digital signature certificate stored in the TA and carrying out signature processing on the service data to be signed based on the digital signature certificate;
and the service application or the external equipment sends the service data to be signed to the digital signature service application and receives a signature result through the digital signature service application.
11. The apparatus of claim 10,
the digital signature service application provides corresponding functions for the deployment mode of the digital signature certificate stored in the trusted application TA of the TEE system; the certificate management system manages the digital signature certificate stored in the digital signature TA through the digital signature service application, including: installing, updating and deleting the digital signature certificate;
the TAM system manages the digital signature TA through the digital signature service application, including: installing, updating and deleting the digital signature TA.
12. The apparatus of claim 8, further comprising: an Applet running in the eSE;
the digital signature service application is used for providing corresponding functions for a deployment mode of the digital signature certificate stored in the Applet if the digital signature certificate is stored in the Applet; the service application or the external equipment sends the service data to be signed to the digital signature TA through a digital signature service application;
the digital signature TA is used for sending the service data to be signed to the Applet;
and the Applet is used for acquiring the digital signature certificate stored in the Applet, signing the service data to be signed based on the digital signature certificate, and returning a signature result to the digital signature TA.
13. The apparatus of claim 8, further comprising:
if the digital signature certificate is stored in the Applet, the business application at the REE side communicates with the Applet to perform digital signature processing;
and the Applet is used for acquiring the digital signature certificate stored in the Applet, signing the service data to be signed sent by the service application at the REE side based on the digital signature certificate, and returning a signing result to the service application at the REE side.
14. The apparatus of claim 12,
the certificate management system manages the digital signature certificate stored in the Applet through the digital signature service application and the digital signature TA, including: installing, updating and deleting the digital signature;
the TSM system manages the Applet through the digital signature service application and the digital signature TA, including: personalizing, installing, updating and uninstalling the Applet.
15. A mobile terminal, characterized by:
comprising a mobile terminal based digital signature device according to any of the claims 8 to 14.
16. A digital signature device based on a mobile terminal is characterized by comprising:
a memory; and a processor coupled to the memory, the processor configured to execute the mobile terminal-based digital signature method of any one of claims 1 to 7 based on instructions stored in the memory.
CN201711484493.0A 2017-12-29 2017-12-29 Digital signature method and device based on mobile terminal and mobile terminal Active CN108200052B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711484493.0A CN108200052B (en) 2017-12-29 2017-12-29 Digital signature method and device based on mobile terminal and mobile terminal

Publications (2)

Publication Number Publication Date
CN108200052A CN108200052A (en) 2018-06-22
CN108200052B true CN108200052B (en) 2021-02-02

Family

ID=62586742

Country Status (1)

Country Link
CN (1) CN108200052B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant