CN108718238A - A method and system for universal personalization - Google Patents


Info

Publication number
CN108718238A
Authority
CN
China
Prior art keywords
instruction stream
interface
tsm
provider tsm
service provider
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201810447082.2A
Other languages
Chinese (zh)
Other versions
CN108718238B (en)
Inventor
贾建明
刘丽
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing WatchSmart Technologies Co Ltd
Original Assignee
Beijing WatchSmart Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing WatchSmart Technologies Co Ltd
Priority to CN201810447082.2A
Publication of CN108718238A
Application granted
Publication of CN108718238B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L 9/0897 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/50 Network services
    • H04L 67/51 Discovery or management thereof, e.g. service location protocol [SLP] or web services
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L 9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L 9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L 9/083 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P 90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P 90/30 Computing systems specially adapted for manufacturing

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to a method and system for universal personalization, realized by batched, block-wise delivery of instruction streams. In personalization processing, a pre-processing step is added before each personalization service and an extension-processing step after it, so that the differing parts of different service providers' applications are accommodated and the personalization flow is handled uniformly. With the method and system of the invention, the upper-layer service only needs to call the personalization interfaces in sequence; when support for a new application provider's personalization flow is added in a later upgrade, neither the calling interfaces nor the calling sequence need to change.

Description

A method and system for universal personalization
Technical field
The invention belongs to the field of over-the-air (OTA) smart card issuance, and in particular relates to a personalization method and system for over-the-air card issuance.
Background technology
A Trusted Service Manager (TSM) platform is built on multi-application smart card technology. It performs space management of the Secure Element (SE), application access and over-the-air issuance, integrating IC card technology, big-data processing technology and cryptographic principles.
TSMs fall into two classes: the security module provider TSM (SEI-TSM) and the service provider TSM (SP-TSM). The SEI-TSM provides the security module provider with secure chip life-cycle and security domain management services; the SP-TSM provides the service provider with application life-cycle services.
Because the SEI-TSM can apply different authorization modes to the auxiliary security domain, the SP-TSM's operating permissions over the auxiliary security domain and the applications inside it also differ. In the SEI-TSM's delegated mode or general mode, every APDU command the SP-TSM issues to the security module must be authorized by the SEI-TSM, and the APDU response must be verified by it; the authorization code depends on the previous APDU's response, so in this mode the server can send and receive only one APDU command and its response per exchange with the client. When a transaction needs several commands to complete, the number of network interactions between client and server grows, and the network time overhead severely slows transaction processing and degrades the user experience.
During issuance the SP-TSM handles application download, installation and personalization. Because each vendor's application implementation differs, the personalization command scripts differ too, and the extra operations needed before and after each part of the flow also differ. Adding an external authentication at points that touch sensitive data improves security, but each vendor's applet has its own internal application-protection mechanism, and the position and number of external authentications differ, so the personalization flow ends up with many additional processing steps and uncertainties. When the TSM server has to support a new application during later maintenance, a new personalization flow is usually added, and the business layer changes accordingly, so the personalization flow as a whole cannot be handled uniformly. Such maintenance upgrades also cause associated changes and raise maintenance costs.
Invention content
In view of these deficiencies in the prior art, the object of the present invention is to provide a method and system for universal personalization.
The invention optimizes the personalization flow issued from the backend so as to reduce the number of network round trips for command interaction between backend and card and improve time performance, and at the same time encapsulates and unifies the backend personalization interfaces, so that the backend service program can later be upgraded to support different vendors' personalization implementations without changing the flow of personalization interface calls.
To achieve the above objectives, the technical solution adopted by the present invention is:
A method for universal personalization comprises the following steps:
S1: abstract each personalization service and manage it through an independent interface; the personalization services comprise, in order: creating the file structure, initializing data, generating the key pair, computing the P10 signature, writing the certificate, and updating the personalization life-cycle state; each personalization service corresponds to an instruction stream;
S2: add a pre-processing interface before each personalization service interface to carry out pre-processing, and an extension-processing interface after each personalization service interface to carry out extension processing; each pre-processing and extension-processing operation corresponds to an instruction stream;
S3: encapsulate the interfaces in personalization service order;
S4: call each interface in turn, obtain the instruction streams and carry out personalization.
Preferably, before calling each interface in turn to obtain the instruction stream, the instruction stream is divided into blocks, each block containing several commands.
Preferably, the block split points for dividing the instruction stream are set where the computation of the next command needs the result of the previous command's response to take part in the operation.
Preferably, the specific steps of dividing the instruction stream into blocks are:
S11: the security module provider TSM uses authorized mode for the auxiliary security domain and assigns the auxiliary security domain an initial key;
S12: the service provider TSM supports authorized mode and applies to the security module provider TSM for the right to use the auxiliary security domain; after authenticating the service provider TSM successfully, the security module provider TSM shares the initial key or the key generation rule with the service provider TSM, monitors the use channel of the auxiliary security domain and the application, and determines whether an authorized service provider TSM is accessing the application;
S13: the service provider TSM divides the instruction stream into blocks at the block split points and encapsulates each block of the instruction stream.
A system for universal personalization comprises the following devices: a security module, a host computer, a write-in terminal, a security module provider TSM and a service provider TSM, wherein the service provider TSM further comprises:
a personalization service unit, which abstracts each personalization service and manages it through an independent interface, each personalization service corresponding to an instruction stream;
a pre-processing unit, which adds a pre-processing interface before each personalization service interface, each pre-processing unit corresponding to an instruction stream;
an extension-processing unit, which adds an extension-processing interface after each personalization service interface, each extension-processing unit corresponding to an instruction stream;
the host computer calls the pre-processing unit, personalization service unit and extension-processing unit of the service provider TSM in turn, obtains the instruction streams and issues them to the write-in terminal, and the write-in terminal personalizes the security module according to the instruction streams.
Preferably, the personalization services comprise, in order: creating the file structure, initializing data, generating the key pair, computing the P10 signature, writing the certificate, and updating the personalization life-cycle state.
Preferably, the service provider TSM further comprises an instruction cutting unit, which divides the instruction stream into blocks, each block containing several commands.
Preferably, the block split points for dividing the instruction stream are set where the computation of the next command needs the result of the previous command's response to take part in the operation.
Preferably, the security module provider TSM further comprises:
a key assignment unit: the security module provider TSM uses authorized mode for the auxiliary security domain and assigns the auxiliary security domain an initial key;
an authorized access unit: the service provider TSM supports authorized mode and applies to the security module provider TSM for the right to use the auxiliary security domain; after authenticating the service provider TSM successfully, the security module provider TSM shares the initial key or the key generation rule with the service provider TSM, monitors the use channel of the auxiliary security domain and the application in the write-in terminal, and determines whether an authorized service provider TSM is accessing the application in the write-in terminal;
when the instruction cutting unit divides the instruction stream into blocks, it splits the stream at the block split points and encapsulates each block; the host computer obtains each block of the instruction stream and issues each block to the write-in terminal in a single transmission.
The effects of the invention are as follows. Using the method and system of the invention:
1) the personalization interface call flow is unified, subsequent upgrades and maintenance need not change the flow, and upgrade and maintenance costs are reduced;
2) the instruction stream is issued in batched blocks, unnecessary network interactions are reduced, time performance is optimized, transaction execution efficiency is improved, and the risk of transaction failure due to network problems is reduced.
Description of the drawings
Fig. 1 is a flow chart of the method of the invention;
Fig. 2 is a structural diagram of adding the pre-processing interface and extension-processing interface in the invention;
Fig. 3 is a schematic diagram of calling each personalization service interface in sequence in the invention;
Fig. 4 is a structural diagram of the system of the invention.
Specific implementation mode
The invention is further described below with reference to the accompanying drawings and specific embodiments.
As shown in Fig. 1, the invention provides a method for universal personalization comprising the following steps:
S1: abstract each personalization service and manage each one through an independent interface. Although each vendor's application implementation differs and the personalization command scripts differ, the personalization flow as a whole consists, in order, of several parts: creating the file structure, initializing data, generating the key pair, computing the P10 (PKCS#10 request) signature, writing the certificate, and updating the personalization life-cycle state. Each personalization service corresponds to an instruction stream.
S2: add a pre-processing interface before each personalization service interface to carry out pre-processing, and an extension-processing interface after each personalization service interface to carry out extension processing; these handle the parts that differ between vendors. Each pre-processing and extension-processing operation corresponds to its own instruction stream;
S3: encapsulate the interfaces in personalization service order;
Specifically, the personalization service sequence comprises the personalization service parts listed above, with a pre-processing part added before each personalization service and an extension-processing part added after it: create-file-structure pre-processing, create-file-structure processing, create-file-structure extension processing, and so on for each personalization service in turn. The exact order is shown in Fig. 2 and Fig. 3.
S4: call each interface in turn, obtain the instruction streams, and carry out personalization.
Specifically, after the interfaces have been encapsulated, the service provider TSM manages them centrally. The host computer calls each interface, the instruction stream for each service is assembled, and the instruction stream is passed to the host computer through the interface encapsulation that faces the host computer.
As shown in Fig. 2, an optimized personalization service adds a pre-processing interface before each personalization service is executed and an extension-processing interface after it; that is, each personalization service is executed in the order personalization service pre-processing, personalization service processing, personalization service extension processing.
In this embodiment, the pre-processing interface and extension-processing interface are responsible for handling the parts that differ between vendors; differentiated processing is added in pre-processing and extension processing as needed. The pre-processing and extension-processing interfaces are injected into the system by dynamic injection, so later optimizations and upgrades only need to add implementations in the pre-processing and extension-processing interfaces. The personalization flow of every application provider integrated in the system is handled in this pattern: the system calls a unified set of personalization interfaces, and the interface definitions, callers and call flow need not be modified. This hides the vendor-specific differences, makes the issuance flows of the various card application providers compatible, and also provides the host computer with a unified calling interface.
Fig. 3 is a schematic diagram of calling each personalization service interface in sequence to obtain the instruction streams and process each personalization service. First an application is selected and a secure channel is established; then the calls are made. The personalization service interfaces are called in the order create file structure, initialize data, generate key pair, compute P10 signature, write certificate, update personalization life-cycle state; within each personalization service flow the calls follow the order personalization service pre-processing, personalization service processing, personalization service extension processing.
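The fixed call sequence described above (pre-processing, service, extension processing, repeated for each of the six services) with vendor-specific differences injected as hooks, shown as an added example. This is not code from the patent or from Beijing WatchSmart; the hook registry, the vendor names, the context fields and every APDU byte string are constructed for illustration, and the caller `run_personalization` is the part that stays unchanged when a vendor is added.

```python
# Added example (not code from the patent or its assignee): a fixed
# pre-processing -> service -> extension-processing call sequence into which
# vendor-specific hooks are injected. All names, APDU bytes and vendors below
# are constructed for illustration.
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# The six personalization services, in the order the patent lists them.
SERVICE_ORDER = [
    "create_file_structure", "initialize_data", "generate_key_pair",
    "compute_p10_signature", "write_certificate", "update_lifecycle_state",
]

# A hook takes the personalization context and returns its instruction stream
# (a list of APDU command byte strings).
Hook = Callable[[dict], List[bytes]]


@dataclass
class PersonalizationInterfaces:
    services: Dict[str, Hook]                           # one interface per service
    pre: Dict[str, Hook] = field(default_factory=dict)  # injected pre-processing
    ext: Dict[str, Hook] = field(default_factory=dict)  # injected extension processing


def run_personalization(interfaces: PersonalizationInterfaces, ctx: dict) -> List[bytes]:
    """Upper-layer caller. It never changes when a vendor is added: for every
    service in SERVICE_ORDER it calls pre-processing (if injected), the service
    interface, then extension processing (if injected), and concatenates the
    resulting instruction streams."""
    stream: List[bytes] = []
    for name in SERVICE_ORDER:
        for hook in (interfaces.pre.get(name), interfaces.services[name], interfaces.ext.get(name)):
            if hook is not None:
                stream.extend(hook(ctx))
    return stream


# --- Generic service interfaces (constructed placeholder APDUs) ---------------
def _apdu(cla: int, ins: int, p1: int, p2: int, data: bytes = b"") -> bytes:
    return bytes([cla, ins, p1, p2, len(data)]) + data


GENERIC_SERVICES: Dict[str, Hook] = {
    "create_file_structure":  lambda c: [_apdu(0x80, 0xE0, 0x00, 0x00, c["file_id"])],
    "initialize_data":        lambda c: [_apdu(0x80, 0xD6, 0x00, 0x00, c["init_data"])],
    "generate_key_pair":      lambda c: [_apdu(0x80, 0x46, 0x00, 0x00)],
    "compute_p10_signature":  lambda c: [_apdu(0x80, 0x2A, 0x9E, 0x9A, c["p10_tbs"])],
    "write_certificate":      lambda c: [_apdu(0x80, 0xD6, 0x01, 0x00, c["certificate"])],
    "update_lifecycle_state": lambda c: [_apdu(0x80, 0xF0, 0x0F, 0x00)],
}

# --- Vendor-specific differences, injected as pre/extension hooks -------------
EXTERNAL_AUTHENTICATE = _apdu(0x00, 0x82, 0x00, 0x00, bytes(8))  # placeholder cryptogram


def build_vendor_interfaces(vendor: str) -> PersonalizationInterfaces:
    """Registry of injected hooks per vendor (constructed). Supporting a new
    vendor means adding an entry here; the caller above is untouched."""
    pre: Dict[str, Hook] = {}
    ext: Dict[str, Hook] = {}
    if vendor == "vendor_a":
        # Vendor A's applet demands external authentication before the certificate write.
        pre["write_certificate"] = lambda c: [EXTERNAL_AUTHENTICATE]
    elif vendor == "vendor_b":
        # Vendor B needs its own commit command after the life-cycle update.
        ext["update_lifecycle_state"] = lambda c: [_apdu(0x80, 0xF1, 0x00, 0x00)]
    return PersonalizationInterfaces(GENERIC_SERVICES, pre, ext)


# Constructed sample context for one card.
SAMPLE_CTX = {
    "file_id": b"\x3F\x01",
    "init_data": b"\x01\x02\x03",
    "p10_tbs": b"\xAA" * 4,
    "certificate": b"\x30\x82\x00\x00",
}


def stream_for(vendor: str) -> List[bytes]:
    """Instruction stream the host computer would obtain for the given vendor."""
    return run_personalization(build_vendor_interfaces(vendor), SAMPLE_CTX)


if __name__ == "__main__":
    for v in ("generic", "vendor_a", "vendor_b"):
        print(v, [a.hex() for a in stream_for(v)])
```

The point to check in a review of such a design is that the vendor hooks are the only place where the flow can diverge: the caller's loop, the service order and the service interfaces stay identical across vendors, so a new vendor's external-authentication requirement lands in `pre` rather than in a forked flow.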
In this embodiment, before calling the interfaces in turn to obtain the instruction streams, the instruction stream is divided into blocks in order to issue the commands and carry out personalization; each block of the instruction stream contains several APDU commands.
In this embodiment, the minimum requirement for a block split point is that it lies where the operation of the next APDU command needs the response result of the previous APDU command. Partitioning in this way reduces the number of command issuances, reduces the number of network interactions between server and client for a transaction, reduces time overhead, optimizes time performance and improves issuance efficiency, while reducing the risk of transaction failure caused by network problems and improving the user experience. The minimum requirement is set this way because when the next APDU command is associated with the previous one, the response result of the previous APDU command is needed to compute the next one; if the previous and the next APDU command were placed in the same block and issued together, the next APDU command could not be correctly computed and executed.
In this embodiment, block split points can also be set by a maximum number of commands per block, but it is required that the last command of the previous block and the first command of the next block are not related, i.e. the operation of the first command of the next block does not need the response result of the last command of the previous block; that is, the minimum-requirement split-point condition remains the prerequisite.
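The two split-point rules described above (a mandatory boundary wherever the next command is computed from the previous response, and an optional per-block command cap that only adds boundaries at points with no such dependency), followed by block-by-block issuance against a simulated card, as an added example. This is not code from the patent or from Beijing WatchSmart; the command list, the demo key, the fixed challenge and the in-memory terminal are all constructed for illustration, and the card logic models only enough of GET CHALLENGE / EXTERNAL AUTHENTICATE to show why the cryptogram command cannot travel in the same block as the challenge request.

```python
# Added example (not code from the patent or its assignee): splitting an APDU
# instruction stream into blocks under the patent's split-point rules and issuing
# it one block per round trip. Key, challenge, APDUs and terminal are constructed.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Command:
    name: str
    apdu: Optional[bytes] = None                                 # fixed APDU bytes, or
    build_from_prev: Optional[Callable[[bytes], bytes]] = None   # built from the previous response

    @property
    def needs_prev_response(self) -> bool:
        return self.build_from_prev is not None


def split_into_blocks(stream: List[Command], max_per_block: Optional[int] = None) -> List[List[Command]]:
    """Minimum rule (mandatory): open a new block before every command whose
    computation needs the previous command's response, so the two never travel
    together. Optional rule: cap the number of commands per block; a cap boundary
    is placed only where no dependency exists, since dependency points are
    already boundaries."""
    blocks: List[List[Command]] = []
    current: List[Command] = []
    for cmd in stream:
        if current and cmd.needs_prev_response:
            blocks.append(current)
            current = []
        elif max_per_block is not None and len(current) >= max_per_block:
            blocks.append(current)
            current = []
        current.append(cmd)
    if current:
        blocks.append(current)
    return blocks


def issue_stream(stream: List[Command], terminal, max_per_block: Optional[int] = None) -> Tuple[List[bytes], int]:
    """Server side: each block is one network round trip. The first command of a
    block may be built from the last response of the previous block, which the
    server already holds. Returns (all responses, number of round trips)."""
    responses: List[bytes] = []
    blocks = split_into_blocks(stream, max_per_block)
    for block in blocks:
        wire: List[bytes] = []
        for cmd in block:
            if cmd.needs_prev_response:
                if not responses:
                    raise ValueError(f"{cmd.name} needs a previous response but none exists")
                wire.append(cmd.build_from_prev(responses[-1]))
            else:
                wire.append(cmd.apdu)
        responses.extend(terminal(wire))   # one round trip per block
    return responses, len(blocks)


# --- Simulated write-in terminal and card (constructed) -----------------------
DEMO_KEY = b"constructed-demo-key-not-real"
CHALLENGE = bytes(range(8))
SW_OK, SW_SECURITY = b"\x90\x00", b"\x69\x82"


def _cryptogram(challenge: bytes) -> bytes:
    return hmac.new(DEMO_KEY, challenge, hashlib.sha256).digest()[:8]


def card_execute(apdu: bytes) -> bytes:
    ins = apdu[1]
    if ins == 0x84:                                   # GET CHALLENGE
        return CHALLENGE + SW_OK
    if ins == 0x82:                                   # EXTERNAL AUTHENTICATE
        return SW_OK if apdu[5:13] == _cryptogram(CHALLENGE) else SW_SECURITY
    return SW_OK


def terminal(block: List[bytes]) -> List[bytes]:
    """Executes a whole block on the card and returns one response per command."""
    return [card_execute(a) for a in block]


def external_authenticate(prev_response: bytes) -> bytes:
    challenge = prev_response[:-2]                    # strip the status word
    return bytes([0x00, 0x82, 0x00, 0x00, 0x08]) + _cryptogram(challenge)


STREAM = [
    Command("SELECT",                bytes([0x00, 0xA4, 0x04, 0x00, 0x00])),
    Command("CREATE FILE",           bytes([0x80, 0xE0, 0x00, 0x00, 0x00])),
    Command("GET CHALLENGE",         bytes([0x00, 0x84, 0x00, 0x00, 0x08])),
    Command("EXTERNAL AUTHENTICATE", build_from_prev=external_authenticate),
    Command("WRITE DATA 1",          bytes([0x80, 0xD6, 0x00, 0x00, 0x00])),
    Command("WRITE DATA 2",          bytes([0x80, 0xD6, 0x00, 0x01, 0x00])),
]


def block_sizes(max_per_block: Optional[int] = None) -> List[int]:
    return [len(b) for b in split_into_blocks(STREAM, max_per_block)]


def demo() -> Tuple[int, bool]:
    """Round trips needed and whether every command succeeded (no cap)."""
    responses, trips = issue_stream(STREAM, terminal)
    return trips, all(r.endswith(SW_OK) for r in responses)


if __name__ == "__main__":
    print("blocks:", block_sizes(), "capped at 2:", block_sizes(2))
    print("round trips, all ok:", demo(), "vs", len(STREAM), "one-per-round-trip")
```

Six commands go down in two round trips instead of six, because only the EXTERNAL AUTHENTICATE command depends on an earlier response. Adding a cap of two commands per block produces four blocks; note that the cap never creates a block whose second or later command depends on its predecessor, which is the invariant to assert in a test of any such splitter.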
In this embodiment, the security module provider TSM (SEI-TSM) uses authorized mode for the auxiliary security domain. In authorized mode, the service provider TSM (SP-TSM) does not need to ask the security module provider TSM to authorize and verify the APDU commands that operate on the auxiliary security domain, so several commands can be issued at once to operate on the application in the terminal.
Specifically, in the invention, the steps of dividing the instruction stream into blocks are:
S11: the security module provider TSM uses authorized mode for the auxiliary security domain of the terminal and assigns the auxiliary security domain an initial key;
S12: the service provider TSM supports authorized mode and applies to the security module provider TSM for the right to use the auxiliary security domain of the terminal; after authenticating the service provider TSM successfully, the security module provider TSM shares the initial key or the key generation rule with the service provider TSM, monitors the use channel of the auxiliary security domain and the application in the terminal, and determines whether an authorized service provider TSM is accessing the application in the terminal;
S13: the service provider TSM divides the instruction stream into blocks at the block split points and encapsulates each block of the instruction stream.
As shown in Fig. 4, the invention provides a system for universal personalization comprising a security module, a host computer, a write-in terminal, a security module provider TSM and a service provider TSM.
In this embodiment, the host computer is connected to the write-in terminal and to the service provider TSM; the security module provider TSM is connected to the service provider TSM; the write-in terminal has a security module interface and is connected to both the security module provider TSM and the service provider TSM; the security module is inserted into the write-in terminal.
The service provider TSM further comprises:
a personalization service unit, which abstracts each personalization service and manages each one through an independent interface; the personalization services generally comprise, in order, creating the file structure, initializing data, generating the key pair, computing the P10 signature, writing the certificate and updating the personalization life-cycle state; each personalization service corresponds to an instruction stream;
the personalization services are those of each service provider TSM (SP-TSM) integrated in the system;
a pre-processing unit, which adds a pre-processing interface before each personalization service interface; each pre-processing operation corresponds to an instruction stream and handles the parts that differ between vendors;
an extension-processing unit, which adds an extension-processing interface after each personalization service interface; each extension-processing operation corresponds to an instruction stream and handles the parts that differ between vendors.
In this embodiment, the pre-processing and extension-processing interfaces are injected into the system by dynamic injection; subsequent personalization optimizations and upgrades only need to add implementations in the pre-processing and extension-processing interfaces.
The host computer calls the pre-processing unit, personalization service unit and extension-processing unit of the service provider TSM in turn, i.e. it calls the unit interfaces, obtains the instruction streams and issues them to the write-in terminal, and the write-in terminal personalizes the security module according to the instruction streams.
Specifically, the host computer calls the pre-processing unit of the service provider TSM to carry out the create-file-structure personalization service pre-processing, then the personalization service unit of the service provider TSM to carry out the create-file-structure personalization service processing, then the extension-processing unit of the service provider TSM to carry out the create-file-structure personalization service extension processing; it then calls the pre-processing unit of the service provider TSM again for the next personalization service, and repeats the pattern. The exact order is shown in Fig. 2 and Fig. 3.
In this embodiment, the service provider TSM further comprises an instruction cutting unit, which divides the instruction stream into blocks, each block containing several commands.
In this embodiment, the block split points for issuing the instruction stream in blocks are set where the computation of the next command needs the result of the previous command's response to take part in the operation.
In this embodiment, the security module provider TSM of the system further comprises:
a key assignment unit: the security module provider TSM uses authorized mode for the auxiliary security domain in the write-in terminal and assigns the auxiliary security domain an initial key;
an authorized access unit: the service provider TSM supports authorized mode and applies to the security module provider TSM for the right to use the auxiliary security domain in the write-in terminal; after authenticating the service provider TSM successfully, the security module provider TSM shares the initial key or the key generation rule with the service provider TSM, monitors the use channel of the auxiliary security domain and the application in the write-in terminal, and determines whether an authorized service provider TSM is accessing the application in the write-in terminal;
when the instruction cutting unit divides the service provider TSM's instruction stream into blocks, it splits the stream at the block split points and encapsulates each block, each block containing several commands; the host computer obtains each block of the instruction stream and issues each block to the write-in terminal in a single transmission, and the write-in terminal personalizes the security module according to the instruction stream.
The instruction stream of the service provider TSM comprises the instruction streams of the pre-processing operations, of the personalization services and of the extension-processing operations.
Those skilled in the art will understand that the method and system of the invention are not limited to the embodiments described in the detailed description; the description above is intended only to explain the purpose of the invention and not to limit it. Those skilled in the art can derive other embodiments from the technical solution of the invention, and these also fall within the scope of the invention's technical innovation; the protection scope of the invention is defined by the claims and their equivalents.

Claims (9)

1. A universal personalization method, characterized in that it comprises the following steps:
S1, each personalization service is abstracted and managed through an independent interface; the personalization services comprise, in order: creating the file structure, initializing data, generating a key pair, computing the P10 signature, writing the certificate, and updating the personalization life-cycle state; each personalization service corresponds to a corresponding instruction stream;
S2, a pre-processing interface is added before each personalization service interface, and an extension-processing interface is added after each personalization service interface; each pre-processing service and each extension-processing service corresponds to a corresponding instruction stream;
S3, the interfaces are encapsulated in the order of the personalization services;
S4, each interface is called in turn, and the obtained instruction stream is used to carry out personalization processing.
2. The universal personalization method according to claim 1, characterized in that: before each interface is called in turn and the instruction stream is obtained, the instruction stream is divided into blocks, each block containing a plurality of instructions.
3. The universal personalization method according to claim 2, characterized in that: in said dividing of the instruction stream into blocks, a block cut-point is set at the position where the computation of the next instruction requires the result of the previous instruction's response to participate in the operation.
4. The universal personalization method according to claim 3, characterized in that the specific steps of said dividing of the instruction stream into blocks are:
S11, the security module provider TSM uses an authorization mode for the supplementary security domain and allocates an initial key for the supplementary security domain;
S12, the service provider TSM supports the authorization mode and applies to the security module provider TSM for the right to use the supplementary security domain; after successfully authenticating the service provider TSM, the security module provider TSM shares the initial key or the key generation rule with the service provider TSM; the security module provider TSM monitors the usage channel of the supplementary security domain and the application, and determines whether it is an authorized service provider TSM that accesses and uses the application;
S13, the service provider TSM divides the instruction stream into blocks according to said block cut-points and encapsulates each block of the instruction stream.
5. A universal personalization system, comprising the following devices: a security module, a host computer, a write-in terminal, a security module provider TSM and a service provider TSM, characterized in that the service provider TSM further comprises:
a personalization service unit, which abstracts and manages each personalization service through an independent interface, each personalization service corresponding to a corresponding instruction stream;
a pre-processing unit, which adds a pre-processing interface before each personalization service interface, each pre-processing unit corresponding to a corresponding instruction stream;
an extension-processing unit, which adds an extension-processing interface after each personalization service interface, each extension-processing unit corresponding to a corresponding instruction stream;
the host computer calls, in order, the pre-processing unit, the personalization service unit and the extension-processing unit of the service provider TSM, and issues the obtained instruction stream to the write-in terminal; the write-in terminal performs personalization processing on the security module according to the instruction stream.
6. The universal personalization system according to claim 5, characterized in that: the personalization services comprise, in order: creating the file structure, initializing data, generating a key pair, computing the P10 signature, writing the certificate, and updating the personalization life-cycle state.
7. The universal personalization system according to claim 6, characterized in that: the service provider TSM further comprises an instruction cutting unit, which divides the instruction stream into blocks, each block containing a plurality of instructions.
8. The universal personalization system according to claim 7, characterized in that: in said dividing of the instruction stream into blocks, a block cut-point is set at the position where the computation of the next instruction requires the result of the previous instruction's response to participate in the operation.
9. The universal personalization system according to claim 8, characterized in that
the security module provider TSM further comprises:
a key allocation unit, by which the security module provider TSM uses an authorization mode for the supplementary security domain and allocates an initial key for the supplementary security domain;
an authorized access unit, by which the service provider TSM supports the authorization mode and applies to the security module provider TSM for the right to use the supplementary security domain in the write-in terminal; after successfully authenticating the service provider TSM, the security module provider TSM shares the initial key or the key generation rule with the service provider TSM; the security module provider TSM monitors the usage channel of the supplementary security domain and the application in the write-in terminal, and determines whether it is an authorized service provider TSM that accesses and uses the application in the write-in terminal;
when said instruction cutting unit performs block processing of the instruction stream, it divides the instruction stream into blocks according to the block cut-points and encapsulates each block of the instruction stream; the host computer is used to obtain each block of the instruction stream and issue each block of the instruction stream to the write-in terminal in a single transmission.
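The interface ordering of claims 1 and 2 (pre-processing, service, extension) and the block-cutting rule of claims 3 and 4 (S13), as an added Python example that is not part of the patent or of any product of the assignee. The service names, instruction labels and the two dependency flags (the P10 signature needs the public key returned by the card; the certificate write needs the P10 response) are constructed for illustration and are not real APDUs.

```python
# Added illustration of claims 1-4 (not the patent's own code). Labels are constructed.
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Instruction:
    name: str
    # True when this instruction's data must be computed from an earlier response.
    needs_prev_result: bool = False

# Personalization services in the order of claim 1, S1 (dict keeps insertion order).
SERVICES: Dict[str, List[Instruction]] = {
    "create_file_structure": [Instruction("CREATE_DF"), Instruction("CREATE_EF")],
    "init_data": [Instruction("UPDATE_BINARY")],
    "generate_key_pair": [Instruction("GENERATE_KEY_PAIR")],
    "compute_p10": [Instruction("SIGN_P10", needs_prev_result=True)],
    "write_certificate": [Instruction("WRITE_CERT", needs_prev_result=True)],
    "update_lifecycle": [Instruction("SET_LIFECYCLE")],
}

def build_stream(services: Dict[str, List[Instruction]]) -> List[Instruction]:
    """S2/S3: wrap each service interface with a pre-processing interface before it
    and an extension-processing interface after it, in service order."""
    stream: List[Instruction] = []
    for name, body in services.items():
        stream.append(Instruction(f"PRE_{name}"))
        stream.extend(body)
        stream.append(Instruction(f"EXT_{name}"))
    return stream

def cut_points(stream: List[Instruction]) -> List[int]:
    """Claim 3: a block boundary sits just before any instruction whose computation
    needs the response of an instruction already issued."""
    return [i for i, ins in enumerate(stream) if i > 0 and ins.needs_prev_result]

def split_blocks(stream: List[Instruction]) -> List[List[Instruction]]:
    """S13: divide the stream at the cut points; each block is issued to the
    write-in terminal in one round trip, so its responses are available before
    the next block is built."""
    blocks, start = [], 0
    for cp in cut_points(stream):
        blocks.append(stream[start:cp])
        start = cp
    blocks.append(stream[start:])
    return blocks

if __name__ == "__main__":
    for n, block in enumerate(split_blocks(build_stream(SERVICES)), 1):
        print(f"block {n}: {[ins.name for ins in block]}")
```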
CN201810447082.2A 2018-05-11 2018-05-11 Universal personalization method and system Active CN108718238B (en)


Publications (2)

Publication Number Publication Date
CN108718238A true CN108718238A (en) 2018-10-30
CN108718238B CN108718238B (en) 2023-04-18

Family

ID=63899799


Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001078020A1 (en) * 2000-04-11 2001-10-18 Visa International Service Association Integrated production of smart cards
CN1407477A (en) * 2001-09-07 2003-04-02 肖志明 Universal high speed IC card issuing apparatus and method
CN103714295A (en) * 2013-12-27 2014-04-09 北京大唐智能卡技术有限公司 Financial integrated circuit card personalized data detecting method and system
CN105592033A (en) * 2014-12-30 2016-05-18 中国银联股份有限公司 Trusted service management system and method
CN206270963U (en) * 2016-08-23 2017-06-20 广东岭南通股份有限公司 A kind of contact intelligent card personalization system and write-in terminal


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant