CN108282466B - Method, system for providing digital certificate functionality in a TEE - Google Patents

Publication number
CN108282466B
Authority
CN
China
Prior art keywords
server
tee
tam
digital certificate
certificate
Legal status
Active
Application number
CN201711484484.1A
Other languages
Chinese (zh)
Other versions
CN108282466A (en)
Inventor
成秋良
Current Assignee
Beijing Watchdata Co ltd
Beijing WatchSmart Technologies Co Ltd
Original Assignee
Beijing Watchdata Co ltd
Beijing WatchSmart Technologies Co Ltd
Application filed by Beijing Watchdata Co ltd, Beijing WatchSmart Technologies Co Ltd
Priority to CN201711484484.1A
Publication of CN108282466A
Application granted
Publication of CN108282466B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H04L63/18 Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a method and a system for providing a digital certificate function in a TEE, wherein the method comprises the following steps: sending a TA installation request message to a TAM server, and installing the TA, through the TAM server, in a TEE configured in the mobile terminal; sending a digital certificate personalization request to a TSM server, and receiving a digital certificate issued by the TSM server; after personalization is completed, the TA performs corresponding processing on received data to be processed based on the digital certificate, and provides the corresponding services. The method and the system place low requirements on hardware: the device does not need to be configured with an SE chip module or the like, data storage and algorithm operations are carried out in the TEE, and interaction with the user takes place through the TUI. The security required by the service is thereby ensured, the convenience and ease of deployment of the digital certificate function are markedly improved, and popularization of the digital certificate scheme in mobile terminals is made considerably easier.

Description

Method, system for providing digital certificate functionality in a TEE
Technical Field
The invention relates to the technical field of information security, in particular to a method and a system for providing a digital certificate function in a TEE.
Background
As the mobile and consumer markets for interconnected devices become increasingly mature and robust, security becomes an increasing concern. Digital certificate technology is used in the mobile terminal to provide digital certificate services for businesses such as bank transaction signature and content encryption. Two approaches are currently commonly used.
1. TUI + SE mode: sensitive data, including a private key, a digital certificate, a serial number and the like, are stored in a Secure Element (SE) hardware module. A Trusted Application (TA) in the TEE mainly provides the TUI function and a channel to the SE, and received transaction messages and the like are sent to the SE for signature, encryption, decryption and other processing. The TEE is system software based on the TrustZone mechanism of ARM chips, and provides an optimal path for realizing security goals and meeting the requirements of important stakeholders. However, this approach to providing digital certificate functionality is hardware intensive, requiring the device to be configured with an SE chip module.
2. Pure REE mode: the digital certificate function is provided purely in the rich operating system (REE), and processing such as signature, encryption and decryption of transaction messages and the like is carried out in the REE. Certain security risks exist in the REE, so the security of this approach is low.
Disclosure of Invention
In view of the above, an object of the present invention is to provide a method and system for providing digital certificate function in TEE.
According to one aspect of the present invention, there is provided a method for providing digital certificate functionality in a TEE, comprising: configuring a Trusted Execution Environment (TEE) in the mobile terminal; sending a trusted application (TA) installation request message to a TAM server, and installing a TA in the TEE through the TAM server; the TA sends a digital certificate personalization request to a TSM server, receives the digital certificate issued by the TSM server and stores the digital certificate in the TA; and the TA performs corresponding processing on received data to be processed based on the digital certificate.
Optionally, if it is determined that the TEE supports creating a security domain (SD), a security domain SD creation request is sent to the TAM server when the TA installation request message is sent to the TAM server, and the SD is created in the TEE and the TA is installed through the TAM server.
Optionally, configuring a rich execution environment REE in the mobile terminal; setting system permission capable of accessing the TEE for the APP running in the REE; and the APP uses a TEE client API to perform data interaction with the TA.
Optionally, management of the TA by the TAM server through the APP includes: installing, updating and deleting the TA; and the TA sends a digital certificate personalization request to the TSM server through the APP, and receives the digital certificate issued by the TSM server through the APP.
Optionally, when the TAM server is deployed, a TAM public and private key pair is generated and a TAM public key certificate is self-signed; the TAM server signs and issues an OEM public key certificate using the private key of the TAM public and private key pair; the OEM server signs and issues a device public key certificate using the private key of an OEM public and private key pair; and the OEM server issues the device public key certificate corresponding to the TEE, the OEM public key certificate and the TAM public key certificate to the mobile terminal.
Optionally, the issuing, by the OEM server, the device public key certificate corresponding to the TEE and the OEM public key certificate and the TAM public key certificate to the mobile terminal includes: if the TEE adopts an OTA deployment mode, a first secure channel is established between the TAM server and the mobile terminal or a second secure channel provided by a third party is used, wherein the establishment mode of the first secure channel comprises the following steps: establishing a secure channel by adopting a white box encryption mode; the mobile terminal generates a public and private key pair corresponding to the TEE, and sends a public key in the public and private key pair to the TAM server through the first secure channel or the second secure channel so as to generate a device public key certificate corresponding to the TEE; and the TAM server issues an equipment public key certificate corresponding to the TEE, an OTA public key certificate and the TAM public key certificate to the mobile terminal through the first secure channel or the second secure channel.
Optionally, the TSM server sends a certificate application to a visa server, and obtains from the visa server the digital certificate corresponding to the digital certificate personalization request, where the digital certificate includes: a signing certificate, and an encryption and decryption public and private key pair together with its public key certificate; the TA receives the digital certificate sent by the TSM server, and performs corresponding service processing on the data to be processed based on the digital certificate, including: signature processing and encryption and decryption processing.
Optionally, the TSM server obtains an initial key corresponding to the TA; when the digital certificate personalization processing is carried out, the TSM changes the initial key into a device key, and a third secure channel is established between the TSM server and the mobile terminal based on the device key; the TSM server sends a serial number and an initial PIN code corresponding to service processing to the TA through the third secure channel; and the TSM server acquires the digital certificate from the visa server and sends the digital certificate to the TA through the third secure channel.
Optionally, the TA receives the data to be processed, and generates service confirmation information and prompt information for prompting to input authentication information based on the data to be processed; the TA sends the service confirmation information and the prompt information to a trusted user interface TUI for displaying; and the TA acquires the authentication information input by the user through the TUI after determining that the user confirms the service confirmation information, and performs corresponding service processing on the data to be processed based on the digital certificate after successfully verifying the authentication information.
According to another aspect of the present invention, there is provided a system for providing digital certificate functionality in a TEE, comprising: a mobile terminal, a TAM server and a TSM server; the mobile terminal is used to configure a Trusted Execution Environment (TEE), send a Trusted Application (TA) installation request message to the TAM server, and install a TA in the TEE through the TAM server; the TA sends a digital certificate personalization request to the TSM server, receives the digital certificate issued by the TSM server and stores the digital certificate in the TA; and the TA performs corresponding processing on received data to be processed based on the digital certificate.
Optionally, the mobile terminal is configured to, if it is determined that the TEE supports creation of a security domain SD, send a security domain SD creation request to the TAM server when sending the TA install request message to the TAM server, create a SD in the TEE through the TAM server, and install the TA.
Optionally, the mobile terminal is configured to configure a rich execution environment REE, set a system permission that can access the TEE for an APP application running in the REE, and perform data interaction with the TA through the APP application using a TEE client API.
Optionally, management of the TA by the TAM server through the APP includes: installing, updating and deleting the TA; and the TA sends a digital certificate personalization request to the TSM server through the APP, and receives the digital certificate issued by the TSM server through the APP.
Optionally, the TAM server is configured to generate a TAM public and private key pair and sign a TAM public key certificate by itself when the TAM server is deployed, and issue an OEM public key certificate using a private key of the TAM public and private key pair; wherein the OEM server issues a device public key certificate using a private key of an OEM public-private key pair; and the OEM server is used for issuing the equipment public key certificate corresponding to the TEE, the OEM public key certificate and the TAM public key certificate to the mobile terminal.
Optionally, the TAM server is configured to, if the TEE adopts an OTA deployment mode, establish a first secure channel with the mobile terminal or use a second secure channel provided by a third party, where the first secure channel is established by means including white box encryption; the mobile terminal is used to generate a public and private key pair corresponding to the TEE and to send the public key of that pair to the TAM server through the first secure channel or the second secure channel, so that a device public key certificate corresponding to the TEE is generated; the TAM server is further used to issue the device public key certificate corresponding to the TEE, an OTA public key certificate and the TAM public key certificate to the mobile terminal through the first secure channel or the second secure channel.
Optionally, the TSM server is configured to send a certificate application to a visa server, and obtain from the visa server the digital certificate corresponding to the digital certificate personalization request, where the digital certificate includes: a signing certificate, and an encryption and decryption public and private key pair together with its public key certificate; the TA receives the digital certificate sent by the TSM server, and performs corresponding service processing on the data to be processed based on the digital certificate, including: signature processing and encryption and decryption processing.
Optionally, the TSM server is configured to obtain an initial key of the TA; when the digital certificate personalization processing is carried out, replacing the initial secret key with a device secret key, and establishing a third secure channel between the TSM server and the mobile terminal based on the device secret key; sending a serial number and an initial PIN code corresponding to service processing to the TA through the third secure channel; and acquiring the digital certificate from the visa server and sending the digital certificate to the TA through the third secure channel.
Optionally, the TA receives the data to be processed, and generates service confirmation information and prompt information for prompting to input authentication information based on the data to be processed; the TA sends the service confirmation information and the prompt information to a trusted user interface TUI for displaying; and the TA acquires the authentication information input by the user through the TUI after determining that the user confirms the service confirmation information, and performs corresponding service processing on the data to be processed based on the digital certificate after successfully verifying the authentication information.
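A small Go model of the TA-side flow in the paragraph above, added here as an illustration and not taken from the patent: the confirmation text is derived from the bytes to be signed, and the private key is used only after TUI confirmation and PIN verification. The message format, the type names, the ECDSA P-256 key, the SHA-256 PIN reference and the three-attempt limit are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

var (
	ErrFormat   = errors.New("transaction cannot be rendered for confirmation")
	ErrDeclined = errors.New("user declined on the TUI")
	ErrBadPIN   = errors.New("PIN verification failed")
	ErrLocked   = errors.New("PIN locked")
)

const maxTries = 3 // assumption: the patent does not specify a retry limit

type TUI interface { // stands in for the trusted user interface inside the TEE
	Confirm(summary string) bool
	ReadPIN(prompt string) string
}

type TA struct { // models the trusted application; key and PIN reference stay inside
	key     *ecdsa.PrivateKey
	pinHash [32]byte
	tries   int
}

func NewTA(initialPIN string) *TA {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &TA{key: key, pinHash: sha256.Sum256([]byte(initialPIN)), tries: maxTries}
}

// summarize derives the confirmation text from the bytes that will be signed, so
// the REE cannot display one thing and have another signed. Constructed format.
func summarize(data string) (string, error) {
	fields := map[string]string{}
	for _, part := range strings.Split(data, ";") {
		kv := strings.SplitN(part, "=", 2)
		if _, dup := fields[kv[0]]; dup || len(kv) != 2 {
			return "", ErrFormat
		}
		fields[kv[0]] = kv[1]
	}
	if len(fields) != 2 || fields["payee"] == "" || fields["amount"] == "" {
		return "", ErrFormat
	}
	return fmt.Sprintf("Pay %s to %s?", fields["amount"], fields["payee"]), nil
}

// Sign follows the order in the text: confirm, verify the PIN, then use the key.
func (ta *TA) Sign(ui TUI, data string) ([]byte, error) {
	if ta.tries == 0 {
		return nil, ErrLocked
	}
	summary, err := summarize(data)
	if err != nil {
		return nil, err // refuse to sign what cannot be displayed
	}
	if !ui.Confirm(summary) {
		return nil, ErrDeclined
	}
	entered := sha256.Sum256([]byte(ui.ReadPIN("Enter PIN to sign")))
	if subtle.ConstantTimeCompare(entered[:], ta.pinHash[:]) != 1 {
		ta.tries--
		return nil, ErrBadPIN
	}
	ta.tries = maxTries
	digest := sha256.Sum256([]byte(data))
	return ecdsa.SignASN1(rand.Reader, ta.key, digest[:])
}

func (ta *TA) Verify(data string, sig []byte) bool {
	digest := sha256.Sum256([]byte(data))
	return ecdsa.VerifyASN1(&ta.key.PublicKey, digest[:], sig)
}

type scriptedTUI struct { // constructed test double that records what was displayed
	approve bool
	pin     string
	shown   []string
}

func (s *scriptedTUI) Confirm(m string) bool { s.shown = append(s.shown, m); return s.approve }
func (s *scriptedTUI) ReadPIN(m string) string { s.shown = append(s.shown, m); return s.pin }

func main() {
	ta, ui := NewTA("135790"), &scriptedTUI{approve: true, pin: "135790"} // constructed PIN
	sig, err := ta.Sign(ui, "payee=ACME Ltd;amount=100.00")
	fmt.Println(ui.shown, err, len(sig) > 0)
}
```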
The invention provides a method and a system for providing a digital certificate function in a TEE. A TA installation request message is sent to a TAM server, and the TA is installed, through the TAM server, in the TEE configured in a mobile terminal; a digital certificate personalization request is sent to a TSM server, and a digital certificate issued by the TSM server is received; after personalization is completed, the TA performs corresponding processing on received data to be processed based on the digital certificate, and provides the corresponding services. The digital certificate function provided in the TEE places low requirements on hardware: the device does not need to be configured with an SE chip module or the like, data storage and algorithm operations are carried out in the TEE, and interaction with the user takes place through the TUI. The security required by the service is thereby ensured, the convenience and ease of deployment of digital signature applications on the mobile terminal are markedly improved, and popularization of the digital certificate scheme in mobile terminals is made considerably easier.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a flow diagram illustrating one embodiment of a method for providing digital certificate functionality in a TEE in accordance with the present invention;
FIG. 2 is a component topology diagram in one embodiment of a method for providing digital certificate functionality in a TEE in accordance with the present invention;
FIG. 3 is a schematic diagram of a TAM server architecture in one embodiment of a method for providing digital certificate functionality in a TEE in accordance with the present invention;
FIG. 4 is a schematic diagram of a TSM server architecture in one embodiment of a method for providing digital certificate functionality in a TEE in accordance with the present invention;
FIG. 5 is a block diagram of an embodiment of a digital signature system based on a mobile terminal according to the present invention.
Detailed Description
Various exemplary embodiments of the present invention will now be described in detail with reference to the accompanying drawings. It should be noted that: the relative arrangement of the components and steps, the numerical expressions and numerical values set forth in these embodiments do not limit the scope of the present invention unless specifically stated otherwise.
Meanwhile, it should be understood that the sizes of the respective portions shown in the drawings are not drawn in an actual proportional relationship for the convenience of description.
The following description of at least one exemplary embodiment is merely illustrative in nature and is in no way intended to limit the invention, its application, or uses.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, further discussion thereof is not required in subsequent figures.
Embodiments of the invention are operational with numerous other general purpose or special purpose computing system environments or configurations. Examples of well known computing systems, environments, and/or configurations that may be suitable for use with the computer system/server include, but are not limited to: smart phones, personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, microprocessor-based systems, set-top boxes, programmable consumer electronics, network pcs, minicomputers, mainframe computer systems, distributed cloud computing environments that include any of the above systems, and the like.
The computer system/server may be described in the general context of computer system-executable instructions, such as program modules, being executed by a computer system. Generally, program modules may include routines, programs, objects, components, logic, data structures, etc. that perform particular tasks or implement particular abstract data types. The computer system/server may be practiced in distributed cloud computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed cloud computing environment, program modules may be located in both local and remote computer system storage media including memory storage devices.
The terms "first", "second", and the like are used hereinafter only for descriptive distinction and not for other specific meanings.
Fig. 1 is a flow diagram of one embodiment of a method for providing digital certificate functionality in a TEE in accordance with the present invention, as shown in fig. 1:
Step 101, configuring a trusted execution environment TEE in the mobile terminal.
The mobile terminal can be any of various mobile devices such as a smart phone or a tablet computer. The TEE (Trusted Execution Environment) is an isolated execution environment that runs in parallel with the Rich operating system (REE), provides security services for the rich environment, and can isolate and protect software and hardware security resources and application programs from access by the rich environment. The TEE is composed of Trusted Applications (TA) and a Trusted Operating System (Trusted OS).
Step 102, the mobile terminal sends a Trusted Application TA installation request message to a TAM (Trusted Application Management) server, and installs the TA in the TEE through the TAM server.
Step 103, the TA sends a digital certificate personalization request to a TSM (Trusted Service Manager), receives a digital certificate sent by the TSM server, and stores the digital certificate in the TA.
Step 104, the TA correspondingly processes the received data to be processed based on the digital certificate.
If the TEE is determined to support creation of a security domain SD (Security domain), when a TA installation request message is sent to the TAM server, a security domain SD creation request is sent to the TAM server, and the SD is created in the TEE and the TA is installed through the TAM server.
The mobile terminal is configured with a TEE environment and applies to the TAM server to create an SD and install a TA. After the TA is installed, the mobile terminal can apply to the TSM server for digital certificate personalization, whereupon a signature certificate and an encryption certificate are issued; after personalization is completed, the mobile terminal can provide a signature service and/or an encryption and decryption service.
In one embodiment, the TA may be installed directly if the TEE does not support creating the SD. If the mobile terminal does not have a TAM server matched with the mobile terminal, the TA can be deployed in a mode of presetting the TA or a mode equivalent to the TA. In the personalization process, only one certificate can be issued to the TA, so that only one service is provided, or more than two certificates can be issued to the TA, a certain certificate is selected through the certificate identification, and a corresponding signature service or decryption service and the like are provided.
As shown in fig. 2, the TAs installed in the TEE include Native TAs and Java TAs. In the TEE environment, Java TEE is implemented on top of Native TEE; Native TAs run on Native TEE, and Java TAs run on Java TEE.
Native TA can be collocated with Java TEE, independent of each other. Native TAs may also be embedded inside Java TEE, existing as Java TEE's default TAs. The Java TEE has TA management functions for managing Java TAs running thereon or Native TAs embedded in the Java TEE. Since the Java TEE is configured with a Java virtual machine and a Java API, the Java TA running on the Java TEE has good compatibility, and the compiled Java TA can run on any equipment configured with the Java TEE.
In one embodiment, in the REE environment, the underlying TEE Client driver is responsible for communicating with the TEE, and a system service handles the permission issues. The APP is implemented on top of an SDK, and the SDK encapsulates the TEE operation flow interfaces and the operation flow interfaces of the servers, including a TEE service interface, a TAM service interface, a TSM service interface and the like. The permission issues handled by the system service include: SELinux permissions in Android, read/write permissions on the driver file, access control of the APP to the TEE, and the like. The required SELinux permissions are configured for the system service, so that functions do not fail for lack of the relevant SELinux permissions when the APP accesses the TEE.
The TEE Client driver can take the form of a driver file. Read and write operations on the driver file are generally not open to other users, and the APP can access the driver file through the system service (system user). Meanwhile, to effectively control the APP's access to the TEE, the system service can cooperate with the TEE to implement TEE access control. The mobile terminal may also adopt other middleware equivalent to Java TEE to make the TA cross-platform.
If the mobile device does not deploy Java TEE or other equivalent middleware, the TA in the TEE environment is a Native TA. If the mobile device does not deploy the related system service, the relevant SELinux permissions and the read/write permissions on the driver file need to be opened to the APP, or the APP's privileges need to be elevated by some means (for example, the APP is assigned the system user role through a manufacturer signature). If the APP passes the required audit (e.g., it does not illegally access other TAs) and is vendor signed, the system service may omit TEE access control.
An REE is configured in the mobile terminal, and the APP running in the REE is given the system permission needed to access the TEE. The APP exchanges data with the TA using the TEE client API, and applies for the corresponding services from each server through a wide area network. For example, the TAM server manages the TA through the APP, including installing, updating and deleting the TA. The TA sends a digital certificate personalization request to the TSM server through the APP, and receives the digital certificate issued by the TSM server through the APP.
In one embodiment, as shown in fig. 3, the TAM server is responsible for the management of TAs; it can issue OEM public key certificates and SP public key certificates, and can manage an SP's SD and TA in place of the SP. When the TAM server is deployed, a TAM public and private key pair is generated and a TAM public key certificate is self-signed to serve as the root certificate. The TAM server issues the OEM public key certificate and the SP public key certificate using the TAM private key.
For the OEM production line server deployment mode: the OEM production line server generates a public and private key pair, and the TAM server signs and issues the public key certificate for the OEM production line and provides the TAM public key certificate. The mobile terminal generates a public and private key pair and exports the public key; the OEM production line server issues a public key certificate for the mobile terminal and delivers the OEM public key certificate and the TAM public key certificate. In this way the device public key certificate corresponding to the TEE, the OEM public key certificate and the TAM public key certificate can be issued to the mobile terminal through the OEM server.
The mobile terminal adopts a three-level Certificate chain (Certificate Path) authentication mode, the TAM public key Certificate is a root Certificate, the OEM public key Certificate or the OTA Certificate is a second-level Certificate, and the equipment Certificate is a last-level Certificate. If the SP entrusts the TAM server to manage the SD and TA, the TAM server generates a SP public and private key pair and signs the TA image instead of the SP. If the SP manages the SP private key by itself, the TAM server does not deploy the SP private key any more, but only stores the SP public key certificate.
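The three-level path described above, built and checked with Go's standard crypto/x509 as an added example (not code from the patent or its assignee). Key types, certificate names and validity periods are constructed, and rejecting any path that is not exactly three levels deep is an assumption of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed serial numbers for the demo certificates

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs a certificate for pub with the issuer's key. A nil issuer
// produces a self-signed certificate (how the TAM root is created).
func issue(cn string, isCA bool, pub *ecdsa.PublicKey,
	issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	if issuer == nil {
		issuer = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// verifyDeviceChain accepts a device certificate only if it chains
// device -> second level (OEM or OTA) -> pinned TAM root: exactly 3 levels.
func verifyDeviceChain(device, second, tamRoot *x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(tamRoot)
	inter.AddCert(second)
	chains, err := device.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return err
	}
	for _, c := range chains {
		if len(c) == 3 {
			return nil
		}
	}
	return errors.New("device certificate does not use the three-level path")
}

// runScenarios returns the verification result for a genuine device, a device
// issued by a look-alike OEM CA the TAM never certified, and a device
// certificate signed directly by the root (skipping the second level).
func runScenarios() (genuine, rogue, direct error) {
	tamKey, oemKey, rogueKey := newKey(), newKey(), newKey()
	tamRoot := issue("TAM Root (demo)", true, &tamKey.PublicKey, nil, tamKey)
	oem := issue("OEM CA (demo)", true, &oemKey.PublicKey, tamRoot, tamKey)
	rogueOEM := issue("OEM CA (demo)", true, &rogueKey.PublicKey, nil, rogueKey)

	devKey := newKey() // in the patent this pair is generated on the mobile terminal
	dev := issue("TEE device 0001", false, &devKey.PublicKey, oem, oemKey)
	devRogue := issue("TEE device 0001", false, &devKey.PublicKey, rogueOEM, rogueKey)
	devDirect := issue("TEE device 0001", false, &devKey.PublicKey, tamRoot, tamKey)

	return verifyDeviceChain(dev, oem, tamRoot),
		verifyDeviceChain(devRogue, rogueOEM, tamRoot),
		verifyDeviceChain(devDirect, oem, tamRoot)
}

func main() {
	g, r, d := runScenarios()
	fmt.Println("genuine:", g, "| rogue OEM:", r, "| signed directly by root:", d)
}
```

The same check applies unchanged when the second-level certificate is the OTA public key certificate instead of the OEM one.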
If the mobile equipment needs to be deployed in a mode of supporting OTA, the TAM server also needs to generate an OTA public and private key pair and issue an OTA public key certificate. Establishing a first secure channel between the TAM server and the mobile terminal or using a second secure channel provided by a third party, wherein the establishing mode of the first secure channel comprises the following steps: and establishing a secure channel by adopting a white box encryption mode. For example, white-box encryption libraries which are matched with each other are respectively deployed on the TAM server and the mobile terminal, and a first secure channel is established. The second secure channel may be a personal account management channel of a bank, a personal account channel of a telecommunications carrier, a personal account channel of a mobile device vendor, and so on.
The TAM server generates an OTA white-box encryption library, generates an OTA public and private key pair, and issues an OTA public key certificate. The TEE version publisher applies for the OTA white-box encryption library from the TAM server in a secure manner. A first secure channel is established between the mobile terminal and the TAM server based on the OTA white-box encryption library. The mobile terminal generates a public and private key pair corresponding to the TEE and sends the public key of that pair to the TAM server through the first secure channel or the second secure channel, so that a device public key certificate corresponding to the TEE can be generated. The TAM server issues the device public key certificate for the mobile terminal and delivers the OTA public key certificate and the TAM public key certificate through the first secure channel or the second secure channel.
If the TEE in the mobile terminal does not support creation of SD, the TA may be installed under SD of the TEE issuer. If the TEE platform does not support pre-personalization of the TA, the initial key for the TA may be implemented with a white-box encryption library. If the TEE platform does not support creation of the SD nor the issuer SD, the TA may be deployed in a preset manner, and the initial key of the TA may be implemented by a white-box encryption library.
In one embodiment, as shown in FIG. 4, the TSM server is primarily used to process the personalization flow and the transaction flow. When the TSM server is deployed, operations such as organizing personalization data, entering a device root key and entering a device initial key are performed. The device decryption private key of the mobile terminal is kept as a backup and can be used for recovering the ciphertext data on the mobile terminal. The initial key of the mobile terminal is used only as a transmission key; in the personalization process, the initial key is replaced by a formal device key that is unique to each device (one key per device). The device key is used to establish a third secure channel between the TSM server and the mobile terminal.
The TSM server obtains an initial key corresponding to the TA. When digital certificate personalization processing is carried out, the TSM server replaces the initial key with a device key, a third secure channel is established between the TSM server and the mobile terminal based on the device key, and the TSM server sends a serial number and an initial PIN code corresponding to business processing to the TA through the third secure channel. In the personalization process, a public and private key pair is generated, a PKCS10 certificate application message is organized and signed, a PKCS7 certificate is issued, the public and private key pair and its public key certificate are encrypted and decrypted, and a TUI customized picture is issued. If the TA is deployed in a preset manner, or the TAM server does not support the TA pre-personalization function, a white-box encryption library matching the white-box encryption library version of the TA can be entered on the TSM server to take over the function of the device initial key, so that a secure channel between the TSM server and the TA is established.
The visa server is responsible for signing and issuing a signature certificate, issuing an encryption and decryption public and private key pair and its public key certificate, and periodically reporting a certificate revocation list to the TSM server. If the service only supports the signature certificate, the encryption and decryption public and private keys and the public key certificate of the mobile terminal are not stored on the TSM server, and the encryption and decryption public and private key pair and its public key certificate do not need to be issued. If the TUI customized picture is not issued, the TUI interface on the mobile terminal uses a default picture. To realize PIN-based access control over the private key, for example by encrypting and storing the private key based on the PIN code, the PIN code (default value) needs to be issued to the mobile terminal before the relevant sensitive data; if the PIN code does not affect the storage of sensitive data such as the private key, issuing the PIN code may be delayed. Personalization data such as serial numbers and private keys are typically stored in a persistent object of the TEE, and if the TEE provides an RPMB API interface, such personalization data may also be stored in the RPMB partition.
In one embodiment, the TSM server sends a certificate application to the visa server, and obtains a digital certificate corresponding to the digital certificate personalization request from the visa server, the digital certificate comprising: signature certificate, public and private key pair for encryption and decryption, public key certificate thereof and the like. The TA receives the digital certificate sent by the TSM server, and performs corresponding business processing on data to be processed based on the digital certificate, wherein the business processing comprises the following steps: signature processing and encryption and decryption processing.
The TA receives the data to be processed and, based on that data, generates service confirmation information and prompt information for prompting the user to input authentication information. The TA sends the service confirmation information and the prompt information to the trusted user interface TUI for display. After determining that the user has confirmed the service confirmation information, the TA acquires the authentication information input by the user through the TUI, and after successfully verifying the authentication information it performs the corresponding service processing on the data to be processed based on the digital certificate.
In one embodiment, as shown in FIG. 5, the present invention provides a system for providing digital certificate functionality in a TEE, comprising: a mobile terminal 51, a TAM server 52, a TSM server 53, and a visa server 54. The mobile terminal 51 configures a trusted execution environment TEE, sends a trusted application TA installation request message to the TAM server 52, and installs the TA 511 in the TEE through the TAM server. TA 511 sends a digital certificate personalization request to TSM server 53, receives a digital certificate issued by TSM server 53, and stores the digital certificate. TA 511 processes the received data to be processed accordingly based on the digital certificate.
If the mobile terminal 51 determines that the TEE supports creating the security domain SD, it sends a security domain SD creation request to the TAM server 52, creates an SD in the TEE through the TAM server 52 and installs the TA 511, while sending a TA install request message to the TAM server 52.
The TA 511 installed in the TEE includes: Native TA and Java TA. The Java TEE is implemented on top of the Native TEE; a Native TA runs on the Native TEE, and a Java TA runs on the Java TEE. A Native TA can be embedded into the Java TEE as a preset TA of the Java TEE; the Java TA and the preset TA running on the Java TEE are managed through the Java TEE.
The mobile terminal 51 configures a rich execution environment REE, sets a system permission capable of accessing the TEE for the APP application 512 running in the REE, and performs data interaction with the TA 511 by using a TEE client API through the APP application 512. The TAM server 52 manages the TA 511 through the APP application 512, including installing, updating and deleting TAs. TA 511 sends a digital certificate personalization request to TSM server 53 through APP application 512, and receives a digital certificate issued by TSM server 53 through APP application 512.
When the TAM server 52 is deployed, it generates a TAM public and private key pair and self-signs a TAM public key certificate, signs an OEM public key certificate using the private key of the TAM public and private key pair, and then issues the device public key certificate corresponding to the TEE, the OEM public key certificate, and the TAM public key certificate to the mobile terminal 51.
If OTA deployment is used for the TEE, the TAM server 52 establishes a first secure channel between itself and the mobile terminal 51 or uses a second secure channel provided by a third party. The first secure channel may be established, among other ways, by white-box encryption. The mobile terminal 51 generates a public and private key pair corresponding to the TEE, and sends the public key of that pair to the TAM server 52 through the first secure channel or the second secure channel, so as to generate a device public key certificate corresponding to the TEE. The TAM server 52 issues the device public key certificate corresponding to the TEE, the OTA public key certificate and the TAM public key certificate to the mobile terminal 51 through the first secure channel or the second secure channel.
TSM server 53 sends a certificate request to visa server 54, and obtains a digital certificate corresponding to the digital certificate personalization request from visa server 54, where the digital certificate includes: signature certificate, public and private key pair for encryption and decryption, public key certificate thereof and the like. The TA 511 receives the digital certificate sent by the TSM server 53, and performs corresponding service processing on the data to be processed based on the digital certificate, including: signature processing, encryption and decryption processing and the like.
The TSM server 53 obtains the initial key of the mobile terminal 51, changes the initial key to the device key when performing digital certificate personalization processing, establishes a third secure channel between the TSM server 53 and the mobile terminal 51 based on the device key, and sends the serial number and the initial PIN code corresponding to the service processing to the TA 511 through the third secure channel. TSM server 53 obtains the digital certificate from visa server 54 and sends it to TA 511 via a third secure channel.
TA 511 receives the data to be processed, and generates service confirmation information and prompt information for prompting to input authentication information based on the data to be processed. TA 511 sends the service confirmation information and the prompt information to the trusted user interface TUI for display. After determining that the user confirms the service confirmation information, the TA 511 acquires the authentication information input by the user through the TUI, and performs corresponding service processing on the data to be processed based on the digital certificate after successfully verifying the authentication information.
In the method and system for providing the digital certificate function in the TEE in the above embodiments, a TA installation request message is sent to the TAM server, and the TA is installed in the TEE configured in the mobile terminal through the TAM server; sending a digital certificate personalization request to a TSM server, and receiving a digital certificate issued by the TSM server; after personalization is completed, the TA carries out corresponding processing on the received data to be processed based on the digital certificate, and provides corresponding services; the digital certificate function provided in the TEE has low requirements on hardware, equipment is not required to be configured with an SE chip module and the like, data storage and algorithm operation are realized in the TEE, and the TUI interacts with a user, so that the safety required by a service can be ensured, the convenience and easiness in deployment of digital signature application of the mobile terminal can be obviously improved, the cost for the user to purchase additional hardware is saved, and great convenience is provided for popularization of a digital certificate scheme in the mobile terminal.
The method and system of the present invention may be implemented in a number of ways. For example, the methods and systems of the present invention may be implemented in software, hardware, firmware, or any combination of software, hardware, and firmware. The above-described order for the steps of the method is for illustrative purposes only, and the steps of the method of the present invention are not limited to the order specifically described above unless specifically indicated otherwise. Furthermore, in some embodiments, the present invention may also be embodied as a program recorded in a recording medium, the program including machine-readable instructions for implementing a method according to the present invention. Thus, the present invention also covers a recording medium storing a program for executing the method according to the present invention.
The description of the present invention has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the invention in the form disclosed. Many modifications and variations will be apparent to practitioners skilled in this art. The embodiment was chosen and described in order to best explain the principles of the invention and the practical application, and to enable others of ordinary skill in the art to understand the invention for various embodiments with various modifications as are suited to the particular use contemplated.

Claims (10)

1. A method for providing digital certificate functionality in a TEE, comprising:
configuring a Trusted Execution Environment (TEE) in the mobile terminal;
sending a trusted application TA installation request message to a TAM server, and installing a TA in the TEE through the TAM server;
the TA sends a digital certificate personalization request to a TSM server, receives a digital certificate issued by the TSM server and stores the digital certificate in the TA;
the TA carries out corresponding processing on the received data to be processed based on the digital certificate;
if the TEE is determined to support creation of a security domain SD, sending a security domain SD creation request to the TAM server when the TA installation request message is sent to the TAM server, creating a SD in the TEE through the TAM server and installing the TA;
configuring a rich execution environment REE in a mobile terminal, setting a system permission capable of accessing the TEE for an APP running in the REE, and performing data interaction between the APP and the TA by using a TEE client API;
the TAM server manages the TA through the APP, and comprises the following steps: installing, updating and deleting the TA;
the TA sends a digital certificate personalization request to the TSM through the APP, and receives a digital certificate issued by the TSM through the APP;
when the TAM server is deployed, generating a TAM public and private key pair and signing a TAM public key certificate by itself;
the TAM server signs an OEM public key certificate by using a private key of the TAM public and private key pair;
wherein, the OEM server uses a private key of an OEM public and private key pair to sign and issue a device public key certificate;
and the OEM server issues a device public key certificate corresponding to the TEE, the OEM public key certificate and the TAM public key certificate to the mobile terminal.
2. The method of claim 1, further comprising:
if the TEE adopts an OTA deployment mode, a first secure channel is established between the TAM server and the mobile terminal or a second secure channel provided by a third party is used, wherein the establishment mode of the first secure channel comprises the following steps: establishing a secure channel by adopting a white box encryption mode;
the mobile terminal generates a public and private key pair corresponding to the TEE, and sends a public key in the public and private key pair to the TAM server through the first secure channel or the second secure channel so as to generate a device public key certificate corresponding to the TEE;
and the TAM server issues an equipment public key certificate corresponding to the TEE, an OTA public key certificate and the TAM public key certificate to the mobile terminal through the first secure channel or the second secure channel.
3. The method of claim 1, further comprising:
the TSM server sends a certificate application to a visa server, and a digital certificate corresponding to the digital certificate personalization request is acquired from the visa server, wherein the digital certificate comprises: signing a certificate, encrypting and decrypting a public and private key pair and a public key certificate thereof;
the TA receives the digital certificate sent by the TSM server, and performs corresponding service processing on the data to be processed based on the digital certificate, including: signature processing and encryption and decryption processing.
4. The method of claim 3, further comprising:
the TSM server acquires an initial key corresponding to the TA;
when the digital certificate personalization processing is carried out, the TSM server changes the initial key into a device key, and a third secure channel is established between the TSM server and the mobile terminal based on the device key;
the TSM sends a serial number and an initial PIN code corresponding to service processing to the TA through the third secure channel;
and the TSM server acquires the digital certificate from the visa server and sends the digital certificate to the TA through the third secure channel.
5. The method of claim 3, further comprising:
the TA receives the data to be processed, and generates service confirmation information and prompt information for prompting to input authentication information based on the data to be processed;
the TA sends the service confirmation information and the prompt information to a trusted user interface TUI for displaying;
and the TA acquires the authentication information input by the user through the TUI after determining that the user confirms the service confirmation information, and performs corresponding service processing on the data to be processed based on the digital certificate after successfully verifying the authentication information.
6. A system for providing digital certificate functionality in a TEE, comprising: the system comprises a mobile terminal, a TAM server and a TSM server;
the mobile terminal is used for configuring a Trusted Execution Environment (TEE), sending a Trusted Application (TA) installation request message to a TAM server, and installing a TA in the TEE through the TAM server; the TA sends a digital certificate personalization request to a TSM server, receives a digital certificate issued by the TSM server and stores the digital certificate in the TA; the TA carries out corresponding processing on the received data to be processed based on the digital certificate;
the mobile terminal is configured to send a security domain SD creation request to the TAM server when sending the TA installation request message to the TAM server if it is determined that the TEE supports creating a security domain SD, create an SD in the TEE through the TAM server, and install the TA;
the mobile terminal is used for configuring a rich execution environment REE, setting a system permission capable of accessing the TEE for an APP running in the REE, and performing data interaction with the TA by using a TEE client API through the APP;
the TAM server manages the TA through the APP, and comprises the following steps: installing, updating and deleting the TA; the TA sends a digital certificate personalization request to the TSM through the APP, and receives a digital certificate issued by the TSM through the APP;
the TAM server is used for generating a TAM public and private key pair and signing a TAM public key certificate by itself when the TAM server is deployed, and signing and issuing an OEM public key certificate by using a private key of the TAM public and private key pair;
wherein, the OEM server uses a private key of an OEM public and private key pair to sign and issue a device public key certificate;
and the OEM server is used for issuing the equipment public key certificate corresponding to the TEE, the OEM public key certificate and the TAM public key certificate to the mobile terminal.
7. The system of claim 6,
the TAM server is configured to establish a first secure channel between the TEE and the mobile terminal or use a second secure channel provided by a third party if an OTA deployment method is adopted for the TEE, where the establishment method of the first secure channel includes: establishing a secure channel by adopting a white box encryption mode;
the mobile terminal is used for generating a public and private key pair corresponding to the TEE and sending a public key in the public and private key pair to the TAM server through the first secure channel or the second secure channel so as to generate a device public key certificate corresponding to the TEE;
the TAM server is further used for issuing an equipment public key certificate corresponding to the TEE, an OTA public key certificate and the TAM public key certificate to the mobile terminal through the first secure channel or the second secure channel.
8. The system of claim 6,
the TSM server is configured to send a certificate application to a visa server, and obtain a digital certificate corresponding to the digital certificate personalization request from the visa server, where the digital certificate includes: signing a certificate, encrypting and decrypting a public and private key pair and a public key certificate thereof;
the TA receives the digital certificate sent by the TSM server, and performs corresponding service processing on the data to be processed based on the digital certificate, including: signature processing and encryption and decryption processing.
9. The system of claim 8,
the TSM server is used for acquiring an initial key of the TA; when the digital certificate personalization processing is carried out, replacing the initial secret key with a device secret key, and establishing a third secure channel between the TSM server and the mobile terminal based on the device secret key; sending a serial number and an initial PIN code corresponding to service processing to the TA through the third secure channel; and acquiring the digital certificate from the visa server and sending the digital certificate to the TA through the third secure channel.
10. The system of claim 8,
the TA receives the data to be processed, and generates service confirmation information and prompt information for prompting to input authentication information based on the data to be processed; the TA sends the service confirmation information and the prompt information to a trusted user interface TUI for displaying; and the TA acquires the authentication information input by the user through the TUI after determining that the user confirms the service confirmation information, and performs corresponding service processing on the data to be processed based on the digital certificate after successfully verifying the authentication information.
CN201711484484.1A 2017-12-29 2017-12-29 Method, system for providing digital certificate functionality in a TEE Active CN108282466B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711484484.1A CN108282466B (en) 2017-12-29 2017-12-29 Method, system for providing digital certificate functionality in a TEE

Publications (2)

Publication Number Publication Date
CN108282466A CN108282466A (en) 2018-07-13
CN108282466B true CN108282466B (en) 2021-02-02

Family

ID=62802835

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711484484.1A Active CN108282466B (en) 2017-12-29 2017-12-29 Method, system for providing digital certificate functionality in a TEE

Country Status (1)

Country Link
CN (1) CN108282466B (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109040088B (en) * 2018-08-16 2022-02-25 腾讯科技(深圳)有限公司 Authentication information transmission method, key management client and computer equipment
CN109492371B (en) * 2018-10-26 2021-01-26 中国联合网络通信集团有限公司 Digital certificate null sending method and device
CN109766152B (en) * 2018-11-01 2022-07-12 华为终端有限公司 Interaction method and device
CN111245620B (en) * 2018-11-29 2023-10-27 北京中金国信科技有限公司 Mobile security application architecture in terminal and construction method thereof
KR20200104043A (en) * 2019-02-26 2020-09-03 삼성전자주식회사 Electronic device for storing user identification information and method thereof
CN110399714B (en) * 2019-04-10 2023-08-08 中国银联股份有限公司 Method for verifying authenticity of trusted user interface of terminal and system thereof
US11038699B2 (en) 2019-08-29 2021-06-15 Advanced New Technologies Co., Ltd. Method and apparatus for performing multi-party secure computing based-on issuing certificate
CN110535628B (en) * 2019-08-29 2020-07-17 阿里巴巴集团控股有限公司 Method and device for performing multi-party security calculation through certificate signing and issuing
CN114762290B (en) * 2019-12-06 2024-04-19 三星电子株式会社 Method and electronic device for managing digital key
CN112866235B (en) * 2020-08-28 2023-03-24 支付宝(杭州)信息技术有限公司 Data processing method, device and equipment
CN114969711A (en) * 2022-05-13 2022-08-30 北京百度网讯科技有限公司 Security authentication method, electronic device and storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103856485A (en) * 2014-02-14 2014-06-11 武汉天喻信息产业股份有限公司 System and method for initializing safety indicator of credible user interface
CN105260663A (en) * 2015-09-15 2016-01-20 中国科学院信息工程研究所 Secure storage service system and method based on TrustZone technology
CN105429760A (en) * 2015-12-01 2016-03-23 神州融安科技(北京)有限公司 Method and system for identity verification of digital certificate based on TEE (Trusted Execution Environment)
CN105590051A (en) * 2015-11-18 2016-05-18 中国银联股份有限公司 Trusted application generation and installation method used for trusted execution environment
CN105790938A (en) * 2016-05-23 2016-07-20 中国银联股份有限公司 System and method for generating safety unit key based on reliable execution environment
CN106102054A (en) * 2016-05-27 2016-11-09 深圳市雪球科技有限公司 A kind of method and communication system that safe unit is carried out safety management
CN106658350A (en) * 2015-10-30 2017-05-10 中国移动通信集团公司 Method for collaborative management and device thereof
WO2017208064A1 (en) * 2016-05-30 2017-12-07 Silverleap Technology Limited System and method for ensuring system integrity against, and detection of, rollback attacks for stored value data in mobile devices

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9331988B2 (en) * 2014-03-20 2016-05-03 Oracle International Corporation System and method for provisioning secrets to an application (TA) on a device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant