CN108282466A - Method, system for providing digital certificate functionality in TEE - Google Patents
Method, system for providing digital certificate functionality in TEE Download PDFInfo
- Publication number
- CN108282466A CN108282466A CN201711484484.1A CN201711484484A CN108282466A CN 108282466 A CN108282466 A CN 108282466A CN 201711484484 A CN201711484484 A CN 201711484484A CN 108282466 A CN108282466 A CN 108282466A
- Authority
- CN
- China
- Prior art keywords
- servers
- tam
- tee
- certificate
- digital certificate
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/18—Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
Abstract
The invention discloses a kind of method, system for providing digital certificate functionality in TEE, method therein includes:TA mount request message is sent to TAM servers, TA is installed in the TEE configured in the terminal by TAM servers;The individualized request of digital certificate is sent to TSM servers, receives the digital certificate that TSM servers issue;It completes after individualizing, TA is correspondingly handled the pending data received based on digital certificate, provides corresponding service.Method, the system of the present invention, it is relatively low to hardware requirement, not needing device configuration has SE chip modules etc., data store and algorithm operation is all realized in TEE, and it is interacted with user by TUI, it can ensure the safety needed for business, convenience, the easy deployment property that can be obviously improved digital certificate functionality provide a great convenience for the popularization of digital certificate scheme in the terminal.
Description
Technical field
The present invention relates to field of information security technology more particularly to a kind of for providing digital certificate functionality in TEE
Method, system.
Background technology
As the movement of InterWorking Equipment and consumption market are increasingly mature, go from strength to strength, safety, which becomes, increasingly causes people
The problem of paying close attention to.Digital certificate technique for bank transaction sign, can be used for content-encrypt, in the terminal for
The business such as bank transaction signature, content-encrypt provide digital certificate service.Generally use two ways at present.1, the side TUI+SE
Formula:Sensitive data is all stored in safety element SE (Secure Element) hardware module, sensitive data includes private key, number
Certificate, sequence number etc., the trusted application TA in TEE mainly provide TUI functions and the channel function of SE, the transaction report that will be received
Text etc. be sent to SE signed, the processing such as encryption and decryption.TEE is
It realizes security target and meet important shareholder simultaneously needs to provide best path.But such offer number
The mode of certificate function is higher to hardware requirement, and device configuration is needed to have SE chip modules.2, it is carried in pure rich operating system REE
For digital certificate functionality, signed to transaction message etc. in REE, the processing such as encryption and decryption, but there are certain safety by REE
Risk, safety are relatively low.
Invention content
In view of this, the invention solves a technical problem be to provide it is a kind of for providing digital certificate in TEE
Method, the system of function.
According to an aspect of the present invention, a kind of system for providing digital certificate functionality in TEE is provided, including:
Credible performing environment TEE is configured in the terminal;Trusted application TA mount request message is sent to TAM servers, passes through institute
It states TAM servers and TA is installed in the TEE;The TA is asked to TSM servers transmission digital certificate is individualized, described in reception
Digital certificate that TSM servers issue simultaneously is stored in the TA;The TA waits locating based on the digital certificate to what is received
Reason data are correspondingly handled.
Alternatively, if it is determined that the TEE supports to create security domain SD, then the TA is being sent to the TAM servers
When mount request message, security domain SD requests to create are sent to the TAM servers, by the TAM servers in the TEE
Middle establishment SD simultaneously installs the TA.
Optionally, rich performing environment REE is configured in the terminal;To operating in the application setting energy of the APP in the REE
Enough system permissions to access to the TEE;The APP carries out data friendship using the TEE client end APs I and TA
Mutually.
Optionally, the TAM servers are applied by the APP and are managed to the TA, including:It installs, update, delete
Except TA;The TA is applied to the TSM servers by the APP and is sent the individualized request of digital certificate, is answered by the APP
The digital certificate issued with the TSM servers are received.
Optionally, in the TAM server dispositions, TAM public private key pairs is generated and sign TAM public key certificate certainly;The TAM
Server signs and issues OEM public key certificate using the private key of the TAM public private key pairs;Wherein, OEM servers use OEM public private key pairs
Private key sign and issue equipment public key certificate;The OEM servers issue equipment public affairs corresponding with the TEE to the mobile terminal
Key certificate and the OEM public key certificate and the TAM public key certificate.
Optionally, the OEM servers to the mobile terminal issue equipment public key certificate corresponding with the TEE with
And the OEM public key certificate and the TAM public key certificate include:If OTA deployment way is used for the TEE, described
The second escape way established the first escape way between TAM servers and the mobile terminal or provided using third party,
In, the mode of establishing of first escape way includes:Escape way is established using whitepack cipher mode;The mobile terminal life
Pass through first escape way or at public private key pair corresponding with the TEE, and by the public key in the public private key pair
Two escape ways are sent to the TAM servers, to generate equipment public key certificate corresponding with the TEE;The TAM clothes
Business device issues equipment corresponding with the TEE by first escape way or the second escape way to the mobile terminal
Public key certificate and OTA public key certificate and the TAM public key certificate.
Optionally, the TSM servers send certificate request to visa service device, from visa service device acquisition and institute
State the individualized corresponding digital certificate of request of digital certificate, wherein the digital certificate includes:Signing certificate, encryption and decryption are public
Private key pair and its public key certificate;The TA receives the digital certificate that the TSM servers are sent, and is based on the digital certificate
Corresponding business processing is carried out to the pending data, including:Signature processing, encryption and decryption processing.
Optionally, the TSM servers obtain initial key corresponding with the TA;It is individualized carrying out digital certificate
When processing, the initial key is changed to device keys by the TSM, and based on the device keys in the TSM servers
Third escape way is established between the mobile terminal;The TSM servers are by the third escape way to the TA
Send sequence number corresponding with business processing and initial p IN codes;The TSM servers are from described in visa service device acquisition
Digital certificate is simultaneously sent by the third escape way to the TA.
Optionally, the TA receives the pending data, and business confirmation message is generated based on the pending data
And the prompt message for prompting input authentication information;The business confirmation message and prompt message are sent to by the TA can
Credit household's interface TUI is shown;It is logical to obtain user after determining that user confirms the business confirmation message by the TA
The authentication information for crossing the TUI inputs waits locating based on the digital certificate after being proved to be successful the authentication information to described
It manages data and carries out corresponding business processing.
According to another aspect of the present invention, a kind of system for providing digital certificate functionality in TEE is provided, including:
Mobile terminal, TAM servers and TSM servers;The mobile terminal is serviced for configuring credible performing environment TEE to TAM
Device sends trusted application TA mount request message, and TA is installed in the TEE by the TAM servers;The TA takes to TSM
Being engaged in, device transmission digital certificate is individualized to ask, and receives the digital certificate that the TSM servers issue and is stored in the TA;Institute
TA is stated correspondingly to handle the pending data received based on the digital certificate.
Optionally, the mobile terminal is used for if it is determined that the TEE supports to create security domain SD, then to the TAM
When server sends the TA mount requests message, security domain SD requests to create are sent to the TAM servers, by described
TAM servers create SD in the TEE and install the TA.
Optionally, the mobile terminal, for configuring rich performing environment REE, to operating in the applications of the APP in the REE
The system permission that can be accessed to the TEE is set, by the APP using TEE client end APs I and the TA into
Row data interaction.
Optionally, the TAM servers are applied by the APP and are managed to the TA, including:It installs, update, delete
Except TA;The TA is applied to the TSM servers by the APP and is sent the individualized request of digital certificate, is answered by the APP
The digital certificate issued with the TSM servers are received.
Optionally, the TAM servers, for when it is disposed, generating TAM public private key pairs and signing TAM public keys certainly
Certificate signs and issues OEM public key certificate using the private key of the TAM public private key pairs;Wherein, the OEM servers use the public and private keys of OEM
To private key sign and issue equipment public key certificate;The OEM servers, it is corresponding with the TEE for being issued to the mobile terminal
Equipment public key certificate and the OEM public key certificate and the TAM public key certificate.
Optionally, the TAM servers, if for using OTA deployment way for the TEE, in itself and the shifting
The second escape way established the first escape way between dynamic terminal or provided using third party, wherein first safety is logical
The mode of establishing in road includes:Escape way is established using whitepack cipher mode;The mobile terminal, for generating and the TEE
Corresponding public private key pair, and the public key in the public private key pair is sent out by first escape way or the second escape way
The TAM servers are given, to generate equipment public key certificate corresponding with the TEE;The TAM servers are additionally operable to lead to
It crosses first escape way or the second escape way and issues equipment public key card corresponding with the TEE to the mobile terminal
Book and OTA public key certificate and the TAM public key certificate.
Optionally, the TSM servers are obtained for sending certificate request to visa service device from the visa service device
It takes and individualizes the corresponding digital certificate of request with the digital certificate, wherein the digital certificate includes:Signing certificate adds
Decrypt public private key pair and its public key certificate;The TA receives the digital certificate that the TSM servers are sent, and is based on the number
Word certificate carries out corresponding business processing to the pending data, including:Signature processing, encryption and decryption processing.
Optionally, the TSM servers, the initial key for obtaining the TA;Carrying out the individualized place of digital certificate
When reason, the initial key is changed to device keys, and based on the device keys in the TSM servers and the movement
Third escape way is established between terminal;By the third escape way sequence corresponding with business processing is sent to the TA
Row number and initial p IN codes;The digital certificate is obtained from the visa service device and by the third escape way to described
TA is sent.
Optionally, the TA receives the pending data, and business confirmation message is generated based on the pending data
And the prompt message for prompting input authentication information;The business confirmation message and prompt message are sent to by the TA can
Credit household's interface TUI is shown;It is logical to obtain user after determining that user confirms the business confirmation message by the TA
The authentication information for crossing the TUI inputs waits locating based on the digital certificate after being proved to be successful the authentication information to described
It manages data and carries out corresponding business processing.
Method, the system for providing digital certificate functionality in TEE of the present invention sends TA installations to TAM servers
Request message installs TA in the TEE configured in the terminal by TAM servers;Digital certificate is sent to TSM servers
Peopleization is asked, and the digital certificate that TSM servers issue is received;It completes after individualizing, TA is waited for based on digital certificate what is received
Processing data are correspondingly handled, and corresponding service is provided;The digital certificate functionality provided in TEE to hardware requirement compared with
Low, not needing device configuration has SE chip modules etc., and data storage and algorithm operation are all realized in TEE, and by TUI with
User interact, it is ensured that the safety needed for business, can be obviously improved mobile terminal digital signature applications convenience,
Easily deployment property provides a great convenience for the popularization of digital certificate scheme in the terminal.
Description of the drawings
In order to more clearly explain the embodiment of the invention or the technical proposal in the existing technology, to embodiment or will show below
There is attached drawing needed in technology description to be briefly described, it should be apparent that, the accompanying drawings in the following description is only this
Some embodiments of invention for those of ordinary skill in the art without creative efforts, can be with
Obtain other attached drawings according to these attached drawings.
Fig. 1 is the flow according to one embodiment of the method for providing digital certificate functionality in TEE of the present invention
Schematic diagram;
Fig. 2 is the portion in one embodiment according to the method for providing digital certificate functionality in TEE of the present invention
Part topology schematic diagram;
Fig. 3 is the TAM in one embodiment according to the method for providing digital certificate functionality in TEE of the present invention
Server architecture schematic diagram;
Fig. 4 is the TSM in one embodiment according to the method for providing digital certificate functionality in TEE of the present invention
Server architecture schematic diagram;
Fig. 5 is the module diagram according to one embodiment of the digital signature system based on mobile terminal of the present invention.
Specific implementation mode
Carry out the various exemplary embodiments of detailed description of the present invention now with reference to attached drawing.It should be noted that:Unless in addition having
Body illustrates that the unlimited system of component and the positioned opposite of step, numerical expression and the numerical value otherwise illustrated in these embodiments is originally
The range of invention.
Simultaneously, it should be appreciated that for ease of description, the size of attached various pieces shown in the drawings is not according to reality
Proportionate relationship draw.
It is illustrative to the description only actually of at least one exemplary embodiment below, is never used as to the present invention
And its application or any restrictions that use.
Technology, method and apparatus known to person of ordinary skill in the relevant may be not discussed in detail, but suitable
In the case of, the technology, method and apparatus should be considered as part of specification.
It should be noted that:Similar label and letter indicate similar terms in following attached drawing, therefore, once a certain Xiang Yi
It is defined, then it need not be further discussed in subsequent attached drawing in a attached drawing.
The embodiment of the present invention can be applied to computer system/server, can be with numerous other general or specialized calculating
System environments or configuration operate together.Suitable for be used together with computer system/server well-known computing system, ring
The example of border and/or configuration includes but not limited to:Smart mobile phone, personal computer system, server computer system, Thin clients
Machine, thick client computer, hand-held or laptop devices, microprocessor-based system, set-top box, programmable consumer electronics, network
PC, little types Ji calculate machine Xi Tong ﹑ large computer systems and the distributed cloud computing technology ring including any of the above described system
Border, etc..
Computer system/server can be in computer system executable instruction (such as journey executed by computer system
Sequence module) general context under describe.In general, program module may include routine, program, target program, component, logic, number
According to structure etc., they execute specific task or realize specific abstract data type.Computer system/server can be with
Implement in distributed cloud computing environment, in distributed cloud computing environment, task is long-range by what is be linked through a communication network
Manage what equipment executed.In distributed cloud computing environment, program module can be positioned at the Local or Remote meter for including storage device
It calculates in system storage medium.
" first " hereinafter, " second " etc. are only used for distinguishing in description, and there is no other special meanings.
Fig. 1 is the flow according to one embodiment of the method for providing digital certificate functionality in TEE of the present invention
Schematic diagram, as shown in Figure 1:
Step 101, credible performing environment TEE is configured in the terminal.
Mobile terminal can be a variety of mobile devices such as smart mobile phone, tablet computer.TEE(Trusted Execution
Environment, credible performing environment) it is a kind of performing environment of isolation, TEE and rich operating system (REE, Rich
Execution Environment) operation parallel, and security service is provided for rich environment, it can be to the software and hardware under rich environment
Secure resources and application program realize that isolation is accessed and protected.TEE by trusted application TA (Trusted Application) with
And trusted operating system Trusted OS (Trusted Operating System) compositions.
Step 102, mobile terminal takes to TAM (Trusted Application Management, trusted application management)
Business device sends trusted application TA mount request message, and TA is installed in TEE by TAM servers.
Step 103, TA sends number card to TSM (Trusted Service Manager, trusted service management) server
The individualized request of book, receives the digital certificate that TSM servers issue and is stored in TA.
Step 104, TA is correspondingly handled the pending data received based on digital certificate.
If it is determined that TEE supports to create security domain SD (Security Domain), then TA peaces are being sent to TAM servers
When filling request message, security domain SD requests to create are sent to TAM servers, SD is created in TEE by TAM servers and is installed
TA。
Mobile terminal configuration has TEE environment, and SD and installation TA are created to TAM server applications.It is mobile whole after TA installations
End can be individualized to TSM server application digital certificates, issues signing certificate and encrypted certificate, completes after individualizing, mobile
Terminal can provide Digital signature service and/or encryption and decryption service.
In one embodiment, if TEE does not support to create SD, TA can be mounted directly.If mobile terminal not with
Its mating TAM server, the mode or mode equivalent therewith that preset TA may be used dispose TA.In personalization process
In, can a certificate only be issued to TA, to only provide a kind of service, more than two certificates can also be issued to TA, led to
It crosses certificates identified and chooses some certificate, corresponding Digital signature service or decryption service etc. are provided.
As shown in Fig. 2, the TA installed in TEE includes:Native TA and Java TA.Java TEE are based on Native
TEE realizes that Native TA are run on Native TEE, and Java TA are run on Java TEE.In TEE environment, Java
TEE is based on Native TEE and realizes, it is two classes of Native TA and Java TA that TA, which is divided to, and Native TA are on Native TEE
Operation, Java TA are run on Java TEE.
Native TA can be arranged side by side with Java TEE, is not associated with mutually.Native TA can also be embedded into Java TEE
Inside exists as the preset TA of Java TEE.Java TEE have TA management functions, are run above for managing
Native TA in Java TA, or embedded Java TEE.Since Java TEE are configured with Java Virtual Machine and Java API,
The Java TA run thereon have compatibility well, and the Java TA after compiling can be in any setting configured with Java TEE
Standby upper operation.
In one embodiment, in REE environment, the TEE Client drivings of bottom are responsible for communicating with TEE, system service
Processing authority problem.APP realizes that SDK encapsulates the operating process of TEE operating processes interface and each server based on SDK
Interface, including TEE service interfaces, TAM service interfaces, TSM service interfaces etc..System service processing rights concerns include:
SELinux permissions in Android, the access limit for driving file, APP are to the access control etc. of TEE.It is configured for system service
There is dysfunction when accessing TEE to avoid APP because lacking relevant SELinux permissions in required SELinux permissions.
TEE Client drivings can be driving document form, drive the read-write operation of file generally will not be to other users
Open, by system service (system user), APP can access driving file.Meanwhile in order to effectively control visits of the APP to TEE
It asks, system service can coordinate with TEE to realize TEE access controls.Mobile terminal can also use equivalent with Java TEE
Other middlewares, to realize the professional platform independence of TA.
If mobile device does not dispose Java TEE or equivalent other middlewares, the TA in TEE environment is
Native TA.If mobile device does not dispose relevant system service, the open relevant SELinux permissions of APP and drive are needed
Dynamic file read-write permission, or by certain means promoted APP permission (such as:It is signed by manufacturer, for APP distribution system
System user role).If APP has passed through required audit (such as will not the other TA of unauthorized access), and has carried out manufacturer's signature,
Then system service can not do TEE access controls.
REE is configured in the terminal, it can be to system that TEE accesses to operating in the applications of the APP in REE setting
Permission, APP carry out data interaction using TEE client end APs I and TA, and can be by wide area network to each server application phase
The service answered.TA is managed for example, TAM servers are applied by APP, including:Installation, update, deletion TA etc..TA passes through
APP is applied to TSM servers and is sent the individualized request of digital certificate, and receiving the number that TSM servers issue by APP applications demonstrate,proves
Book etc..
In one embodiment, it as shown in figure 3, TAM servers are responsible for the management of TA, is provided simultaneously with and signs and issues OEM public keys card
The ability of book and SP public key certificate, and have the ability to manage its SD and TA for SP.When TAM servers are disposed, the public and private keys of TAM are generated
Pair and from sign TAM public key certificate, in this, as root certificate.TAM servers sign and issue OEM public key certificate and SP public keys with TAM private keys
Certificate.
For OEM producing line server disposition modes:OEM producing line servers generate public private key pair, and TAM servers produce for OEM
Line signs and issues public key certificate and provides TAM public key certificate.Mobile terminal generates public private key pair and exports public key, OEM producing line servers
Public key certificate is signed and issued for mobile terminal, and issues OEM public key certificate and TAM public key certificate, it can be by OEM servers to movement
Terminal issues equipment public key certificate corresponding with TEE and OEM public key certificate and TAM public key certificate.
It is root card that mobile terminal, which uses the authentication mode of three-level certificate chain (Certificate Path), TAM public key certificate,
Book, OEM public key certificate or OTA certificates are two level certificates, and device certificate is final stage certificate.If SP entrusts TAM server admins
Its SD and TA, then TAM servers generate SP public private key pairs, and sign for TA mirror images for SP.If SP voluntarily manages SP private keys,
Then TAM servers no longer dispose SP private keys, and only have SP public key certificate.
If necessary to support OTA modes to dispose mobile device, TAM servers also need to generate OTA public private key pairs, and sign and issue
OTA public key certificate.The second peace established the first escape way between TAM servers and mobile terminal or provided using third party
The mode of establishing of full tunnel, the first escape way includes:Escape way is established using whitepack cipher mode.For example, being serviced in TAM
The whitepack encryption library mutually to match is disposed on device and mobile terminal respectively, it is established that the first escape way.Second escape way can
Think that the personal account management passage of bank, the personal account channel of telecom operators, the personal account of mobile device manufacturer are logical
Road etc..
TAM servers generate OTA whitepack encryption libraries, and TAM servers generate OTA public private key pairs and sign and issue OTA public key certificate.
TEE version publishers are by way of safety to TAM server application OTA whitepack encryption libraries.Based on OTA whitepack encryption libraries,
The first escape way is set up between mobile terminal and TAM servers.Mobile terminal generates public private key pair corresponding with TEE,
And the public key in public private key pair is sent to TAM servers by the first escape way or the second escape way, to generate with
The corresponding equipment public key certificate of TEE.TAM servers are that mobile terminal signs and issues equipment public key certificate and by the first escape way
Or second escape way issue OTA public key certificate and TAM public key certificate.
If the TEE in mobile terminal does not support the establishment of SD, TA can be installed under the SD of TEE publishers.Such as
Fruit TEE platforms are not supported to carry out TA pre- individualized, then the initial key of TA can use whitepack encryption library to realize.If TEE is flat
Platform neither supports the establishment of SD, does not also support publisher SD, then TA can be disposed by preset mode, the initial key of TA can
To be realized with whitepack encryption library.
In one embodiment, as shown in figure 4, TSM servers are mainly for the treatment of individualized flow and transaction flow.
TSM servers carry out tissue personal data, recording device root key, the operations such as recording device initial key in deployment.It moves
The equipment decrypted private key of dynamic terminal is used as backup, can be used for restoring the ciphertext data on mobile terminal.Mobile terminal it is initial
Key is used merely as transmission key, and in individualized flow, it is close that initial key can be replaced by the close equipment of a formal machine one
Key.Device keys are used to establish the third escape way between TSM servers and mobile terminal.
TSM servers obtain initial key corresponding with TA, and in the individualized processing of progress digital certificate, TSM will be first
Beginning key is changed to device keys, and third escape way is established between TSM servers and mobile terminal based on device keys,
TSM sends sequence number corresponding with business processing and initial p IN codes by third escape way to TA.In individualized flow
In, public private key pair is generated, PKCS10 certificate requests message is organized and signs, issue PKCS7 certificates, and provide the public and private key of encryption and decryption
Pair and its public key certificate, and issue TUI customization picture.If do not supported using preset mode deployment TA TAM servers
The pre- personalization functions of TA, then can on TSM servers typing whitepack encryption library corresponding with the whitepack encryption library version of TA, with
The effect of alternate device initial key, to set up the escape way between TSM and TA accordingly.
Visa service device is responsible for signing and issuing signing certificate, and provides encryption and decryption public private key pair and its public key certificate, and periodically
Inventory is abrogated to TSM servers notification certificate.If business only supports signing certificate, do not preserved on TSM servers mobile whole
The public and private key of encryption and decryption and public key certificate at end, and without providing encryption and decryption public private key pair and its public key certificate.If not issuing TUI
Picture is customized, then the interfaces TUI on mobile terminal will use acquiescence picture.In order to realize access control of the PIN code to private key, example
It is such as based on PIN code and storage processing is encrypted to private key, PIN code (default value) needs are issued to prior to relevant sensitization data
Mobile terminal, if PIN code does not influence the storage of the sensitive datas such as private key, issuing for PIN code can be delayed.Sequence number, private
The personal datas such as key are generally stored in the permanent objects of TEE, such a if TEE provides RPMB api interfaces
Peopleization data can also store RPMB subregions.
In one embodiment, TSM servers send certificate request to visa service device, obtain and count from visa service device
The individualized corresponding digital certificate of request of word certificate, digital certificate include:Signing certificate, encryption and decryption public private key pair and its public key
Certificate etc..TA receives the digital certificate that TSM servers are sent, and is carried out at corresponding business to pending data based on digital certificate
Reason, including:Signature processing, encryption and decryption processing.
TA receives pending data, generates business confirmation message based on pending data and for prompting input authentication
The prompt message of information.Business confirmation message and prompt message are sent to trusted users interface TUI and shown by TA.TA is true
Determine after user confirms business confirmation message, to obtain the authentication information that user is inputted by TUI, verify to authentication information
After success, corresponding business processing is carried out to pending data based on digital certificate.
In one embodiment, as shown in figure 5, the present invention provide it is a kind of for providing digital certificate functionality in TEE
System, including:Mobile terminal 51, TAM servers 52, TSM servers 54 and visa service device 54.The configuration of mobile terminal 51 can
Believe performing environment TEE, sends trusted application TA mount request message to TAM servers 52, pacified in TEE by TAM servers
Fill TA 511.TA 511 sends the individualized request of digital certificate to TSM servers 53, receives the number that TSM servers 53 issue
Certificate simultaneously stores.TA 511 is correspondingly handled the pending data received based on digital certificate.
Mobile terminal 51 is then sending TA mount requests if it is determined that TEE support establishment security domain SD to TAM servers 52
When message, security domain SD requests to create are sent to TAM servers 52, SD is created in TEE by TAM servers 52 and TA is installed
511。
The TA 511 installed in TEE includes:Native TA and Java TA.It is real that Java TEE are based on Native TEE
Existing, Native TA are run on Native TEE, and Java TA are run on Java TEE.Native TA can be embedded in
In Java TEE, the preset TA as Java TEE;The Java TA run on it and preset TA are carried out by Java TEE
Management.
Mobile terminal 51 configures rich performing environment REE, to operate in the APP in REE using 512 setting can to TEE into
The system permission that row accesses carries out data interaction using 512 by APP using TEE client end APs I and TA 511.TAM servers
52 are managed by APP using 512 couples of TA 511, including:Installation, update, deletion TA etc..TA 511 applies 512 by APP
The individualized request of digital certificate is sent to TSM servers 53, is demonstrate,proved using the number that 511 reception TSM servers 53 issue by APP
Book.
TAM servers 52 generate TAM public private key pairs and from TAM public key certificate is signed, use TAM public affairs when it is disposed
The private key of private key pair signs and issues OEM public key certificate, then issues set corresponding with TEE from OEM servers to mobile terminal 51 again
Standby public key certificate and OEM public key certificate and TAM public key certificate.
If using OTA deployment way, TAM servers 52 to establish the first peace between mobile terminal 51 at it TEE
Full tunnel or the second escape way provided using third party.The mode of establishing of first escape way includes:It is encrypted using whitepack
Mode establishes escape way etc..Mobile terminal 51 generates public private key pair corresponding with TEE, and the public key in public private key pair is led to
It crosses the first escape way or the second escape way is sent to TAM servers 52, to generate equipment public key card corresponding with TEE
Book.TAM servers 52 issue equipment corresponding with TEE by the first escape way or the second escape way to mobile terminal 51
Public key certificate and OTA public key certificate and TAM public key certificate.
TSM servers 53 send certificate request to visa service device 54, are obtained and digital certificate from visa service device 54
The corresponding digital certificate of peopleization request, digital certificate include:Signing certificate, encryption and decryption public private key pair and its public key certificate etc..
TA 511 receives the digital certificate that TSM servers 53 are sent, and is carried out at corresponding business to pending data based on digital certificate
Reason, including:Signature processing, encryption and decryption processing etc..
TSM servers 53 obtain the initial key of mobile terminal 51, will be initial in the individualized processing of progress digital certificate
Key is changed to device keys, and establishes third between TSM servers 53 and mobile terminal 51 based on device keys and lead to safely
Road sends sequence number corresponding with business processing and initial p IN codes by third escape way to TA 511.TSM servers
53 obtain digital certificate from visa service device 54 and are sent to TA 511 by third escape way.
TA 511 receives pending data, generates business confirmation message based on pending data and for prompting input
The prompt message of authentication information.Business confirmation message and prompt message are sent to trusted users interface TUI and shown by TA 511
Show.TA 511 obtains the authentication information that user is inputted by TUI after determining that user confirms business confirmation message,
After being proved to be successful to authentication information, corresponding business processing is carried out to pending data based on digital certificate.
Method, the system for providing digital certificate functionality in TEE in above-described embodiment, sends to TAM servers
TA mount request message installs TA in the TEE configured in the terminal by TAM servers;Number is sent to TSM servers
The individualized request of certificate, receives the digital certificate that TSM servers issue;It completes after individualizing, TA is based on digital certificate to receiving
To pending data correspondingly handled, corresponding service is provided;The digital certificate functionality provided in TEE wants hardware
Ask relatively low, not needing device configuration there are SE chip modules etc., and data storage and algorithm operation are all realized in TEE, and are passed through
TUI is interacted with user, it is ensured that the safety needed for business can be obviously improved mobile terminal digital signature applications just
Victory, easily deployment property, while the cost that user buys additional hardware is saved, it is the popularization of digital certificate scheme in the terminal
It provides a great convenience.
The method and system of the present invention may be achieved in many ways.For example, can by software, hardware, firmware or
Software, hardware, firmware any combinations come realize the present invention method and system.The said sequence of the step of for method is only
In order to illustrate, the step of method of the invention, is not limited to sequence described in detail above, especially says unless otherwise
It is bright.In addition, in some embodiments, also the present invention can be embodied as to record program in the recording medium, these programs include
For realizing machine readable instructions according to the method for the present invention.Thus, the present invention also covers storage for executing according to this hair
The recording medium of the program of bright method.
Description of the invention provides for the sake of example and description, and is not exhaustively or will be of the invention
It is limited to disclosed form.Many modifications and variations are obvious for the ordinary skill in the art.It selects and retouches
It states embodiment and is to more preferably illustrate the principle of the present invention and practical application, and those skilled in the art is enable to manage
Various embodiments with various modifications of the solution present invention to design suitable for special-purpose.
Claims (18)
1. a kind of method for providing digital certificate functionality in TEE, which is characterized in that including:
Credible performing environment TEE is configured in the terminal;
Trusted application TA mount request message is sent to TAM servers, TA is installed in the TEE by the TAM servers;
The TA sends the individualized request of digital certificate to TSM servers, receives digital certificate that the TSM servers issue simultaneously
It stores it in the TA;
The TA is correspondingly handled the pending data received based on the digital certificate.
2. the method as described in claim 1, which is characterized in that further include:
If it is determined that the TEE supports to create security domain SD, then the TA mount requests message is being sent to the TAM servers
When, security domain SD requests to create are sent to the TAM servers, SD is created in the TEE by the TAM servers and is pacified
Fill the TA.
3. method as claimed in claim 2, which is characterized in that further include:
Rich performing environment REE is configured in the terminal;
The system permission that can be accessed to the TEE using setting to operating in the APP in the REE;
The APP carries out data interaction using the TEE client end APs I and TA.
4. method as claimed in claim 3, which is characterized in that further include:
The TAM servers are applied by the APP and are managed to the TA, including:Installation, deletes TA at update;
The TA is applied to the TSM servers by the APP and is sent the individualized request of digital certificate, is answered by the APP
The digital certificate issued with the TSM servers are received.
5. method as claimed in claim 4, which is characterized in that further include:
In the TAM server dispositions, generates TAM public private key pairs and sign TAM public key certificate certainly;
The TAM servers sign and issue OEM public key certificate using the private key of the TAM public private key pairs;
Wherein, OEM servers sign and issue equipment public key certificate using the private key of OEM public private key pairs;
The OEM servers issue equipment public key certificate corresponding with the TEE to the mobile terminal and the OEM is public
Key certificate and the TAM public key certificate.
6. method as claimed in claim 5, which is characterized in that further include:
If using OTA deployment way for the TEE, first is established between the TAM servers and the mobile terminal
Escape way or the second escape way provided using third party, wherein the mode of establishing of first escape way includes:It adopts
Escape way is established with whitepack cipher mode;
The mobile terminal generates public private key pair corresponding with the TEE, and the public key in the public private key pair is passed through institute
It states the first escape way or the second escape way is sent to the TAM servers, to generate equipment corresponding with the TEE
Public key certificate;
The TAM servers by first escape way or the second escape way to the mobile terminal issue with it is described
The corresponding equipment public key certificate of TEE and OTA public key certificate and the TAM public key certificate.
7. method as claimed in claim 2, which is characterized in that further include:
The TSM servers send certificate request to visa service device, are obtained and the digital certificate from the visa service device
The individualized corresponding digital certificate of request, wherein the digital certificate includes:Signing certificate, encryption and decryption public private key pair and its
Public key certificate;
The TA receives the digital certificate that the TSM servers are sent, based on the digital certificate to the pending number
According to the corresponding business processing of progress, including:Signature processing, encryption and decryption processing.
8. the method for claim 7, which is characterized in that further include:
The TSM servers obtain initial key corresponding with the TA;
In the individualized processing of progress digital certificate, the initial key is changed to device keys, and base by the TSM servers
In the device keys third escape way is established between the TSM servers and the mobile terminal;
The TSM sends sequence number corresponding with business processing and initial p IN by the third escape way to the TA
Code;
The TSM servers obtain the digital certificate and by the third escape way to described from the visa service device
TA is sent.
9. the method for claim 7, which is characterized in that further include:
The TA receives the pending data, generates business confirmation message based on the pending data and for prompting
The prompt message of input authentication information;
The business confirmation message and prompt message are sent to trusted users interface TUI and shown by the TA;
The TA obtains user and is recognized by what the TUI was inputted after determining that user confirms the business confirmation message
Information is demonstrate,proved, after being proved to be successful to the authentication information, the pending data is carried out based on the digital certificate corresponding
Business processing.
10. a kind of system for providing digital certificate functionality in TEE, which is characterized in that including:Mobile terminal, TAM services
Device and TSM servers;
The mobile terminal sends trusted application TA mount requests to TAM servers and disappears for configuring credible performing environment TEE
Breath, TA is installed by the TAM servers in the TEE;The TA is asked to TSM servers transmission digital certificate is individualized
It asks, receive the digital certificate that the TSM servers issue and stores it in the TA;The TA is based on the digital certificate
The pending data received is correspondingly handled.
11. system as claimed in claim 10, which is characterized in that
The mobile terminal is used for if it is determined that TEE support establishment security domain SD, then send to the TAM servers
When the TA mount requests message, security domain SD requests to create are sent to the TAM servers, are existed by the TAM servers
SD is created in the TEE and the TA is installed.
12. system as claimed in claim 11, which is characterized in that
The mobile terminal can be to institute to operating in the application settings of the APP in the REE for configuring rich performing environment REE
The system permission that TEE accesses is stated, data interaction is carried out using the TEE client end APs I and TA by the APP.
13. system as claimed in claim 12, which is characterized in that
The TAM servers are applied by the APP and are managed to the TA, including:Installation, deletes TA at update;The TA
The individualized request of digital certificate is sent using to the TSM servers by the APP, described in APP application receptions
The digital certificate that TSM servers issue.
14. system as claimed in claim 13, which is characterized in that
The TAM servers, for when it is disposed, generating TAM public private key pairs and from TAM public key certificate is signed, using institute
The private key for stating TAM public private key pairs signs and issues OEM public key certificate;
Wherein, OEM servers sign and issue equipment public key certificate using the private key of OEM public private key pairs;
The OEM servers, for issuing equipment public key certificate corresponding with the TEE and described to the mobile terminal
OEM public key certificate and the TAM public key certificate.
15. system as claimed in claim 14, which is characterized in that
If the TAM servers are built at it between the mobile terminal for using OTA deployment way for the TEE
Vertical first escape way or the second escape way provided using third party, wherein first escape way establishes mode
Including:Escape way is established using whitepack cipher mode;
The mobile terminal for generating public private key pair corresponding with the TEE, and the public key in the public private key pair is led to
It crosses first escape way or the second escape way is sent to the TAM servers, it is corresponding with the TEE to generate
Equipment public key certificate;
The TAM servers be additionally operable to by first escape way or the second escape way to the mobile terminal issue with
The corresponding equipment public key certificate of the TEE and OTA public key certificate and the TAM public key certificate.
16. system as claimed in claim 11, which is characterized in that
The TSM servers obtain and the number for sending certificate request to visa service device from the visa service device
The individualized corresponding digital certificate of request of certificate, wherein the digital certificate includes:Signing certificate, encryption and decryption public private key pair
And its public key certificate;
The TA receives the digital certificate that the TSM servers are sent, based on the digital certificate to the pending number
According to the corresponding business processing of progress, including:Signature processing, encryption and decryption processing.
17. system as claimed in claim 16, which is characterized in that
The TSM servers, the initial key for obtaining the TA;It, will be described in the individualized processing of progress digital certificate
Initial key is changed to device keys, and is built between the TSM servers and the mobile terminal based on the device keys
Vertical third escape way;By the third escape way to TA transmissions sequence number corresponding with business processing and initially
PIN code;The digital certificate is obtained from the visa service device and is sent to the TA by the third escape way.
18. system as claimed in claim 16, which is characterized in that
The TA receives the pending data, generates business confirmation message based on the pending data and for prompting
The prompt message of input authentication information;The business confirmation message and prompt message are sent to trusted users interface by the TA
TUI is shown;The TA obtains user and passes through the TUI after determining that user confirms the business confirmation message
The authentication information of input, after being proved to be successful to the authentication information, based on the digital certificate to the pending data into
The corresponding business processing of row.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711484484.1A CN108282466B (en) | 2017-12-29 | 2017-12-29 | Method, system for providing digital certificate functionality in a TEE |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711484484.1A CN108282466B (en) | 2017-12-29 | 2017-12-29 | Method, system for providing digital certificate functionality in a TEE |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108282466A true CN108282466A (en) | 2018-07-13 |
CN108282466B CN108282466B (en) | 2021-02-02 |
Family
ID=62802835
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711484484.1A Active CN108282466B (en) | 2017-12-29 | 2017-12-29 | Method, system for providing digital certificate functionality in a TEE |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108282466B (en) |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109492371A (en) * | 2018-10-26 | 2019-03-19 | 中国联合网络通信集团有限公司 | A kind of digital certificate sky forwarding method and device |
CN109766152A (en) * | 2018-11-01 | 2019-05-17 | 华为终端有限公司 | A kind of exchange method and device |
CN110399714A (en) * | 2019-04-10 | 2019-11-01 | 中国银联股份有限公司 | For verifying the method and its system of the trusted user interface authenticity of terminal |
CN110535628A (en) * | 2019-08-29 | 2019-12-03 | 阿里巴巴集团控股有限公司 | The method and device of Secure calculating is carried out by certificate issuance |
WO2020034907A1 (en) * | 2018-08-16 | 2020-02-20 | 腾讯科技(深圳)有限公司 | Authentication information transmission method, key management client and computer device |
CN111245620A (en) * | 2018-11-29 | 2020-06-05 | 北京中金国信科技有限公司 | Mobile security application architecture in terminal and construction method thereof |
US20200275274A1 (en) * | 2019-02-26 | 2020-08-27 | Samsung Electronics Co., Ltd. | Electronic device and method for storing user identification information |
CN112866235A (en) * | 2020-08-28 | 2021-05-28 | 支付宝(杭州)信息技术有限公司 | Data processing method, device and equipment |
US11038699B2 (en) | 2019-08-29 | 2021-06-15 | Advanced New Technologies Co., Ltd. | Method and apparatus for performing multi-party secure computing based-on issuing certificate |
CN114762290A (en) * | 2019-12-06 | 2022-07-15 | 三星电子株式会社 | Method and electronic device for managing digital key |
CN114762290B (en) * | 2019-12-06 | 2024-04-19 | 三星电子株式会社 | Method and electronic device for managing digital key |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103856485A (en) * | 2014-02-14 | 2014-06-11 | 武汉天喻信息产业股份有限公司 | System and method for initializing safety indicator of credible user interface |
US20150271160A1 (en) * | 2014-03-20 | 2015-09-24 | Oracle International Corporation | System and method for provisioning secrets to an application (ta) on a device |
CN105260663A (en) * | 2015-09-15 | 2016-01-20 | 中国科学院信息工程研究所 | Secure storage service system and method based on TrustZone technology |
CN105429760A (en) * | 2015-12-01 | 2016-03-23 | 神州融安科技(北京)有限公司 | Method and system for identity verification of digital certificate based on TEE (Trusted Execution Environment) |
CN105590051A (en) * | 2015-11-18 | 2016-05-18 | 中国银联股份有限公司 | Trusted application generation and installation method used for trusted execution environment |
CN105790938A (en) * | 2016-05-23 | 2016-07-20 | 中国银联股份有限公司 | System and method for generating safety unit key based on reliable execution environment |
CN106102054A (en) * | 2016-05-27 | 2016-11-09 | 深圳市雪球科技有限公司 | A kind of method and communication system that safe unit is carried out safety management |
CN106658350A (en) * | 2015-10-30 | 2017-05-10 | 中国移动通信集团公司 | Method for collaborative management and device thereof |
WO2017208064A1 (en) * | 2016-05-30 | 2017-12-07 | Silverleap Technology Limited | System and method for ensuring system integrity against, and detection of, rollback attacks for stored value data in mobile devices |
-
2017
- 2017-12-29 CN CN201711484484.1A patent/CN108282466B/en active Active
Patent Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103856485A (en) * | 2014-02-14 | 2014-06-11 | 武汉天喻信息产业股份有限公司 | System and method for initializing safety indicator of credible user interface |
US20150271160A1 (en) * | 2014-03-20 | 2015-09-24 | Oracle International Corporation | System and method for provisioning secrets to an application (ta) on a device |
CN105260663A (en) * | 2015-09-15 | 2016-01-20 | 中国科学院信息工程研究所 | Secure storage service system and method based on TrustZone technology |
CN106658350A (en) * | 2015-10-30 | 2017-05-10 | 中国移动通信集团公司 | Method for collaborative management and device thereof |
CN105590051A (en) * | 2015-11-18 | 2016-05-18 | 中国银联股份有限公司 | Trusted application generation and installation method used for trusted execution environment |
CN105429760A (en) * | 2015-12-01 | 2016-03-23 | 神州融安科技(北京)有限公司 | Method and system for identity verification of digital certificate based on TEE (Trusted Execution Environment) |
CN105790938A (en) * | 2016-05-23 | 2016-07-20 | 中国银联股份有限公司 | System and method for generating safety unit key based on reliable execution environment |
CN106102054A (en) * | 2016-05-27 | 2016-11-09 | 深圳市雪球科技有限公司 | A kind of method and communication system that safe unit is carried out safety management |
WO2017208064A1 (en) * | 2016-05-30 | 2017-12-07 | Silverleap Technology Limited | System and method for ensuring system integrity against, and detection of, rollback attacks for stored value data in mobile devices |
Cited By (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2020034907A1 (en) * | 2018-08-16 | 2020-02-20 | 腾讯科技(深圳)有限公司 | Authentication information transmission method, key management client and computer device |
CN109492371B (en) * | 2018-10-26 | 2021-01-26 | 中国联合网络通信集团有限公司 | Digital certificate null sending method and device |
CN109492371A (en) * | 2018-10-26 | 2019-03-19 | 中国联合网络通信集团有限公司 | A kind of digital certificate sky forwarding method and device |
CN109766152B (en) * | 2018-11-01 | 2022-07-12 | 华为终端有限公司 | Interaction method and device |
CN109766152A (en) * | 2018-11-01 | 2019-05-17 | 华为终端有限公司 | A kind of exchange method and device |
US11709929B2 (en) | 2018-11-01 | 2023-07-25 | Huawei Technologies Co., Ltd. | Interaction method and apparatus |
CN111245620B (en) * | 2018-11-29 | 2023-10-27 | 北京中金国信科技有限公司 | Mobile security application architecture in terminal and construction method thereof |
CN111245620A (en) * | 2018-11-29 | 2020-06-05 | 北京中金国信科技有限公司 | Mobile security application architecture in terminal and construction method thereof |
US20200275274A1 (en) * | 2019-02-26 | 2020-08-27 | Samsung Electronics Co., Ltd. | Electronic device and method for storing user identification information |
US11496900B2 (en) * | 2019-02-26 | 2022-11-08 | Samsung Electronics Co., Ltd. | Electronic device and method for storing user identification information |
CN110399714A (en) * | 2019-04-10 | 2019-11-01 | 中国银联股份有限公司 | For verifying the method and its system of the trusted user interface authenticity of terminal |
CN110399714B (en) * | 2019-04-10 | 2023-08-08 | 中国银联股份有限公司 | Method for verifying authenticity of trusted user interface of terminal and system thereof |
US11038699B2 (en) | 2019-08-29 | 2021-06-15 | Advanced New Technologies Co., Ltd. | Method and apparatus for performing multi-party secure computing based-on issuing certificate |
US11228450B2 (en) | 2019-08-29 | 2022-01-18 | Advanced New Technologies Co., Ltd. | Method and apparatus for performing multi-party secure computing based-on issuing certificate |
CN110535628B (en) * | 2019-08-29 | 2020-07-17 | 阿里巴巴集团控股有限公司 | Method and device for performing multi-party security calculation through certificate signing and issuing |
CN110535628A (en) * | 2019-08-29 | 2019-12-03 | 阿里巴巴集团控股有限公司 | The method and device of Secure calculating is carried out by certificate issuance |
CN114762290A (en) * | 2019-12-06 | 2022-07-15 | 三星电子株式会社 | Method and electronic device for managing digital key |
CN114762290B (en) * | 2019-12-06 | 2024-04-19 | 三星电子株式会社 | Method and electronic device for managing digital key |
CN112866235B (en) * | 2020-08-28 | 2023-03-24 | 支付宝(杭州)信息技术有限公司 | Data processing method, device and equipment |
CN112866235A (en) * | 2020-08-28 | 2021-05-28 | 支付宝(杭州)信息技术有限公司 | Data processing method, device and equipment |
Also Published As
Publication number | Publication date |
---|---|
CN108282466B (en) | 2021-02-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108282466A (en) | Method, system for providing digital certificate functionality in TEE | |
US20220417230A1 (en) | Managing credentials of multiple users on an electronic device | |
CA2961916C (en) | Secure processing of data | |
CN105391840B (en) | Automatically create destination application | |
US9210133B2 (en) | Method and system of providing authentication of user access to a computer resource via a mobile device using multiple separate security factors | |
CN104717198B (en) | Oftware updating method and equipment on safety element | |
US11178124B2 (en) | Secure pairing of a processor and a secure element of an electronic device | |
US20060078109A1 (en) | Information processing apparatus, information processing method, and program | |
US10929843B2 (en) | Storage of credential service provider data in a security domain of a secure element | |
EP3430829B1 (en) | Managing program credentials on electronic devices | |
US20150095238A1 (en) | Online payments using a secure element of an electronic device | |
CN108282467B (en) | Application method and system of digital certificate | |
CA3126471A1 (en) | Virtualization and secure processing of data | |
TW202105284A (en) | Provisioning to a digital payment device | |
CN104380652A (en) | Multi-issuer secure element partition architecture for NFC enabled devices | |
CA2568990C (en) | Smart card data transaction system and methods for providing storage and transmission security | |
US20150326545A1 (en) | Secure key rotation for an issuer security domain of an electronic device | |
US20150310432A1 (en) | Secure element architectural services | |
CN103873241B (en) | safety shield, digital certificate management system and method | |
Ahmad et al. | Enhancing the security of mobile applications by using TEE and (U) SIM | |
CN102118745B (en) | Method and device for secure encryption for mobile payment data, and mobile phone | |
KR101795849B1 (en) | Authentication apparatus and method for connectivity of fintech services, and computer program for the same | |
TWI487400B (en) | System and method for over the air provisioning of multi near field communication membership card | |
CN105208031A (en) | Method for authenticating terminal | |
WO2015177574A1 (en) | Provisioning of secure host card emulation |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |