CN109040147A - Method and system for encryption and decryption based on TEE+SE - Google Patents


Info

Publication number
CN109040147A
Authority
CN
China
Prior art keywords
security module
data
channel
instruction
connection
Prior art date
Legal status
Granted
Application number
CN201811280683.5A
Other languages
Chinese (zh)
Other versions
CN109040147B (en)
Inventor
李勃
Current Assignee
Beijing Watchdata Ltd By Share Ltd
Beijing WatchSmart Technologies Co Ltd
Original Assignee
Beijing Watchdata Ltd By Share Ltd
Beijing WatchSmart Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Watchdata Ltd By Share Ltd, Beijing WatchSmart Technologies Co Ltd
Priority to CN201811280683.5A
Publication of CN109040147A
Application granted
Publication of CN109040147B
Legal status: Active
Anticipated expiration

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12Details relating to cryptographic hardware or logic circuitry
    • H04L2209/127Trusted platform modules [TPM]

Abstract

The present invention provides a method and system for encryption and decryption based on TEE+SE. The method comprises the following steps: S1, an SE security module receives instructions and data from a first channel or a second channel and labels their channel source, wherein the first channel is connected between a TEE secure unit and the SE security module, and the second channel is connected between a rich OS unit and the SE security module; S2, the SE security module obtains the label and thereby obtains the source information; S3, the SE security module processes the instructions and data from the different sources and distinguishes their permissions. The technical solution of the invention can significantly reduce the latency of the symmetric encryption and decryption calculation flow, increase data throughput, and improve processing speed and performance without reducing the overall security of the cryptographic system.

Description

Method and system for encryption and decryption based on TEE+SE
Technical field
The present invention relates to the field of information security, and in particular to encryption and decryption based on TEE+SE.
Background technique
An SE (secure element) is a security module with its own independent hardware logic circuit and a well-defined physical security boundary. An SE can encrypt and store sensitive security parameters such as keys and passwords, and execute approved cryptographic algorithms.
In practice, besides the security of the SE itself as the cryptographic module, the security of the environment in which the SE operates is also an important part of the overall security of the cryptographic system. In a mobile smart terminal cryptographic security solution based on TEE+SE, the TEE provides a restricted external operating environment and trusted input/output channels for sensitive security parameters, which effectively strengthens the overall security of the cryptographic application system.
Figure 1 shows a typical operating environment of a mobile smart terminal based on TEE+SE. As shown in Figure 1, the rich OS is connected to the TEE, and the TEE is connected to the SE. Looking only at the data flow, when an application in the rich OS (for example Android) needs a cryptographic service, it first sends the cryptographic service request command to a TA (trusted application) running in the TEE; the TA in turn sends the request command to the security application (Applet) running in the SE; the Applet returns the result to the TA, and the TA returns the result to the application.
Figure 2 shows a typical data encryption and decryption flow. As shown in Figure 2, the APP sends the session key ciphertext to the TA in the TEE; the Applet in the SE receives the session key ciphertext from the TA, decrypts the session key with its private key, and returns the execution result to the TA, which returns it to the APP; this completes one session key import. The APP then sends plaintext data to the TA, which forwards it to the SE; the SE encrypts the data with the session key and returns the encrypted result to the TA, which returns it to the APP; this completes one data encryption. The decryption flow is symmetric to the encryption flow.
However, in application scenarios that demand high throughput, low latency and large data volumes for symmetric encryption and decryption, such as audio and video calls, live streaming, broadcasting and the transfer of large files, the calculation flow above suffers from high latency, slow processing speed and low throughput.
Chinese patent application No. 201610603214.7, entitled "A kind of interaction method of TA and SE, TA, SE and TSM platform", describes an interaction method between a TA and an SE, together with a TA, an SE and a TSM platform, in the field of communication technology, for improving the security of processing a full-terminal SIM shield. The interaction method includes: the TA compiles sensitive data stored in the TEE into a first APDU instruction; the SE parses the received first APDU instruction; the SE processes the parsed sensitive data; the SE encrypts the processed sensitive data; the SE compiles the encrypted sensitive data into a second APDU instruction; the TA parses the received second APDU instruction; and the TSM platform parses the received encrypted sensitive data.
That scheme discloses the interaction between the TEE and the SE, but does not disclose any interaction between the rich OS and the SE.
Summary of the invention
The object of the present invention is to overcome the defects of high latency and slow processing in symmetric encryption and decryption in prior-art TEE+SE environments, by providing a method and system for encryption and decryption based on TEE+SE.
According to a first aspect of the invention, a method for encryption and decryption based on TEE+SE is provided, comprising the following steps: S1, the SE security module receives instructions and data from a first channel or a second channel and labels their channel source, wherein the first channel is connected between the TEE secure unit and the SE security module, and the second channel is connected between the rich OS unit and the SE security module; S2, the SE security module obtains the label and thereby obtains the source information; S3, the SE security module processes the instructions and data from the different sources and distinguishes their permissions.
Optionally, step S1 includes: the first channel delivers instructions and data to the SE security module through a first connection; the second channel delivers instructions and data to the SE security module through a second connection; and the first connection and the second connection are different physical connections or different logical connections.
Optionally, the SE security module labels the first connection and the second connection in order to distinguish the first channel from the second channel.
Optionally, step S3 includes: for instructions and data from the first channel, the SE security module provides all cryptographic service functions; for instructions and data from the second channel, the SE security module provides only the cryptographic service functions of symmetric encryption and symmetric decryption.
Optionally, step S3 further includes checking the source information of the instructions and data before the SE security module processes the instructions and data from the different sources.
According to a second aspect of the invention, a system for encryption and decryption based on TEE+SE is provided, comprising an application processor and an SE security module, wherein the application processor includes a rich OS unit and a TEE secure unit; the TEE secure unit is connected to the rich OS unit, and is connected to the SE security module through a first channel; the rich OS unit is connected to the SE security module through a second channel; and the SE security module is configured to receive instructions and data from the first channel or the second channel and label their channel source, to obtain the label and thereby the source information, and to process the instructions and data from the different sources while distinguishing their permissions.
Optionally, the SE security module includes an SE platform and a security application (Applet). The SE platform is configured to receive instructions and data from the first channel or the second channel and to label their channel source; the security application Applet is configured to obtain the label from the SE platform and thereby the source information; and the security application Applet is further configured to process the instructions and data from the different sources and distinguish their permissions.
Optionally, the first channel delivers instructions and data to the SE security module through a first connection; the second channel delivers instructions and data to the SE security module through a second connection; and the first connection and the second connection are different physical connections or different logical connections.
Optionally, the SE security module is configured to label the first connection and the second connection in order to distinguish the first channel from the second channel.
Optionally, the SE security module is configured such that processing the instructions and data from the different sources and distinguishing their permissions includes: for instructions and data from the first channel, providing all cryptographic service functions to the TEE secure unit; for instructions and data from the second channel, providing only the cryptographic service functions of symmetric encryption and symmetric decryption to the rich OS unit.
Optionally, the SE security module is further configured to check the source information of the instructions and data before processing the instructions and data from the different sources.
The advantages of the technical solution of the present invention are as follows:
1) By adding the second channel between the rich OS unit and the SE security module, the technical solution enables encryption and decryption data to be exchanged directly between the rich OS unit and the SE security module, removing the extra delay introduced by relaying through the TEE, and so significantly reduces the latency of the calculation flow, increases data throughput, and improves its processing speed and performance;
2) The second channel of the technical solution provides only symmetric encryption and decryption functions and is not allowed to provide any other cryptographic service function; the security of the TEE as the trusted channel of the SE's external operating environment is not reduced, and therefore the overall security of the whole cryptographic system is not reduced either.
Detailed description of the invention
Fig. 1 shows a schematic diagram of the TEE+SE encryption and decryption system of the background art.
Fig. 2 shows the data flow chart of the TEE+SE encryption and decryption system of the background art.
Fig. 3 shows a schematic diagram of a TEE+SE-based encryption and decryption system according to the present invention.
Fig. 4 shows a schematic diagram of an embodiment of the SE security module according to the present invention.
Fig. 5 shows the calculation flow chart of the TEE+SE-based encryption and decryption system according to the present invention.
Fig. 6 shows a schematic diagram of a TEE+SE-based encryption and decryption method according to the present invention.
Specific embodiment
Preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings; the reference labels refer to components and techniques of the invention so that, where appropriate, its advantages and features can be understood more easily. The following description is a concrete embodiment of the claims of the invention, and other specific implementations related to the claims that are not expressly described also fall within the scope of the claims. It should also be understood that, for ease of description, the sizes of the parts shown in the drawings are not drawn to their actual proportions. The following description of at least one exemplary embodiment is merely illustrative and in no way limits the invention or its application or use.
Techniques, methods and apparatus known to a person of ordinary skill in the relevant art may not be discussed in detail, but where appropriate they should be regarded as part of the specification.
The technical solution of the present invention is described in detail below with reference to the drawings.
Fig. 3 shows a schematic diagram of a TEE+SE-based encryption and decryption system according to the present invention.
As shown in Fig. 3, a system for encryption and decryption based on TEE+SE is provided, comprising an application processor 310 and an SE security module 320, wherein the application processor 310 includes a rich OS unit 311 and a TEE secure unit 312; the TEE secure unit 312 is connected to the rich OS unit 311, and is connected to the SE security module 320 through a first channel; the rich OS unit 311 is connected to the SE security module 320 through a second channel; and the SE security module 320 is configured to receive instructions and data from the first channel or the second channel and label their channel source, to obtain the label and thereby the source information, and to process the instructions and data from the different sources while distinguishing their permissions.
The SE security module 320 is a security module with its own independent hardware logic circuit and a well-defined physical security boundary. The SE can encrypt and store sensitive security parameters such as keys and passwords, and execute approved cryptographic algorithms. The rich OS unit 311 can be an operating system such as Android. The TEE secure unit 312 is a secure area residing on the application processor of the mobile smart terminal; it provides an execution environment that coexists with the rich OS unit 311 on the device, and provides security services to the rich OS unit 311 such as secure storage of sensitive data, approved cryptographic algorithms, and a trusted user interface.
The first channel is a trusted channel connected between the TEE secure unit 312 and the SE security module 320; the second channel is an untrusted channel connected between the rich OS unit 311 and the SE security module 320. For example, when an application in the rich OS needs a cryptographic service, it can send the cryptographic service request command to the TA in the TEE; the TA sends the request command into the SE through the first channel; the SE returns the result to the TA, and the TA returns it to the application in the rich OS. Alternatively, when an application in the rich OS needs a cryptographic service, it can send the request command directly through the second channel to the Applet running in the SE, and the Applet returns the result directly to the rich OS. The second channel of the technical solution of the invention thus enables direct exchange of encryption and decryption data between the rich OS unit 311 and the SE security module 320, removing the delay added by relaying through the TEE secure unit 312, and so significantly reduces the latency of the calculation flow, increases data throughput, and improves its processing speed and performance.
The label serves to distinguish the two sources, the first channel and the second channel, so there can be two labels: the first channel and the second channel each carry a label different from the other's, which makes them easy to tell apart. That is, each label represents one source, and as many labels are needed as there are sources.
By obtaining the label, the SE security module 320 obtains the source information corresponding to the label; in other words, it identifies the first channel or the second channel by obtaining the label.
By identifying the label, the SE security module 320 can determine whether the instructions and data come from the first channel or the second channel, and can therefore process instructions and data from the different sources differently, providing different cryptographic service functions.
The SE security module 320 may have various structures. For example, the whole SE security module 320 may be a single application, or it may contain different functional areas according to the functions it implements.
Optionally, the SE security module 320 may include an SE platform and a security application Applet. The SE platform is configured to receive instructions and data from the first channel or the second channel and to label their channel source; the security application Applet is configured to obtain the label from the SE platform and thereby the source information; and the security application Applet is further configured to process the instructions and data from the different sources and distinguish their permissions.
The SE may also have other structures and is not limited to the SE platform + Applet pattern. According to one embodiment of the invention, the SE platform receives the instructions and data from the first channel or the second channel, labels the channel source, and can also identify the source of the instructions and data. The security application Applet can obtain the label from the SE platform and thereby the channel source information corresponding to the label. When the security application Applet receives the instructions and data from the SE platform, it first checks and identifies their source label, determines which channel the instructions and data came from, and then processes the commands and data accordingly.
Optionally, the first channel delivers instructions and data to the SE security module 320 through a first connection; the second channel delivers instructions and data to the SE security module 320 through a second connection; and the first connection and the second connection are different physical connections or different logical connections.
The first connection and the second connection can be two different physical connections, two different logical connections, or two different logical connections over the same physical connection. The above only illustrates how the first connection and the second connection can be different physical connections or different logical connections; they are not limited to these cases.
The physical connection includes, but is not limited to, connection modes such as a data/address bus, chip pins, a peripheral interface, or a contactless antenna.
The logical connection includes, but is not limited to, communication modes such as a connection mechanism following a specific communication protocol, or a data stream protected by encryption.
Optionally, the SE security module 320 is configured to label the first connection and the second connection in order to distinguish the first channel from the second channel.
The SE security module 320 distinguishes the first connection from the second connection and labels the first connection and the second connection. The label can consist of two different labels, i.e. one label represents one source.
Optionally, the SE security module 320 is configured such that processing the instructions and data from the different sources and distinguishing their permissions includes: for instructions and data from the first channel, providing all cryptographic service functions to the TEE secure unit 312; for instructions and data from the second channel, providing only the cryptographic service functions of symmetric encryption and symmetric decryption to the rich OS unit 311.
Since the first channel is a trusted channel, the SE security module 320 can provide all cryptographic service functions for instructions and data from the first channel. Since the second channel is an untrusted channel, the SE security module 320 allows only limited cryptographic service functions for instructions and data from the second channel, namely symmetric encryption and symmetric decryption, and does not allow any other cryptographic service function to be executed.
Configured in this way, the SE security module 320 can provide differentiated and strictly limited cryptographic service functions for commands and data of different sources. The security of the TEE secure unit 312 as the trusted channel of the external operating environment of the SE security module 320 is thus not reduced, and therefore the overall security of the whole cryptographic system is not reduced.
With this arrangement, the technical solution of the invention reduces latency, increases data throughput and improves processing speed for symmetric encryption and decryption without reducing the security of the whole cryptographic system.
Optionally, the SE security module 320 is further configured to check the source information of the instructions and data before processing the instructions and data from the different sources.
When the SE security module 320 receives the instructions and data, it first checks and identifies their source label, determines which channel the instructions and data came from, and then processes the commands and data accordingly.
Fig. 4 shows a schematic diagram of an embodiment of the SE security module according to the present invention.
An embodiment of the technical solution of the invention is described in detail below with reference to Fig. 4. This is only one way of implementing the technical solution of the invention, which can include but is not limited to this way.
As shown in Fig. 4, the SE security module may include an SE platform and a security application Applet, where the SE platform includes a HAL layer, an SE platform environment and an SE platform API. The SE platform + Applet structure is one kind of SE; the invention is not limited to a specific SE structure, and this structure is used only as one implementation to illustrate the technical solution of the invention.
The HAL layer receives the instructions and data from the first channel or the second channel and can label their channel source, each label representing one source; it can also identify the source of the instructions and data. After the SE platform environment receives the label from the HAL layer, it can pass the label to the SE platform API, which provides a general-purpose API function; the security application Applet obtains the label from that API function and thereby obtains the channel source information corresponding to the label. When the security application Applet receives the instructions and data from the SE platform, it first checks and identifies their source label, determines which channel the instructions and data came from, and then processes the commands and data accordingly. Processing accordingly means providing differentiated and strictly limited cryptographic service functions for commands and data of different sources. For example, for instructions and data from the first channel, all cryptographic service functions are provided to the TEE secure unit; for instructions and data from the second channel, only the cryptographic service functions of symmetric encryption and symmetric decryption are provided to the rich OS.
Fig. 5 shows the calculation flow chart of the TEE+SE-based encryption and decryption system according to the present invention.
According to an embodiment of the invention, as shown in Fig. 5, the SDK is a software development kit in the rich OS unit; the SDK is used as the example below without limiting the technical solution of the invention, and the caller could equally be an application in the rich OS such as an APP. The session key import flow is as follows: the SDK sends the session key ciphertext to the TA in the TEE secure unit; the security application Applet of the SE security module imports the session key, decrypts the session key with its private key, and sends the execution result to the cryptographic application TA in the TEE, which returns the execution result to the SDK. In the symmetric encryption and decryption computing environment, the SDK sends plaintext data directly to the Applet in the SE, and the Applet returns the data ciphertext directly to the SDK. The decryption process is symmetric to the encryption process. This realizes the direct exchange of encryption and decryption data between the rich OS and the SE, removing the delay added by relaying through the TEE and improving the processing speed and performance of the calculation flow.
Fig. 6 shows a schematic diagram of a TEE+SE-based encryption and decryption method according to the present invention.
As shown in Fig. 6, a method for encryption and decryption based on TEE+SE is provided, comprising the following steps:
S1, the SE security module receives instructions and data from a first channel or a second channel and labels their channel source, wherein the first channel is connected between the TEE secure unit and the SE security module, and the second channel is connected between the rich OS unit and the SE security module; S2, the SE security module obtains the label and thereby obtains the source information; S3, the SE security module processes the instructions and data from the different sources and distinguishes their permissions.
Optionally, step S1 includes: the first channel delivers instructions and data to the SE security module through a first connection; the second channel delivers instructions and data to the SE security module through a second connection; and the first connection and the second connection are different physical connections or different logical connections.
Optionally, the SE security module labels the first connection and the second connection in order to distinguish the first channel from the second channel.
Optionally, step S3 includes: for instructions and data from the first channel, the SE security module provides all cryptographic service functions; for instructions and data from the second channel, the SE security module provides only the cryptographic service functions of symmetric encryption and symmetric decryption.
Optionally, step S3 further includes checking the source information of the instructions and data before the SE security module processes the instructions and data from the different sources.
The method of the invention has been described and explained in detail above in conjunction with the system, and is not repeated here.
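The session key import of Fig. 5 and the labelling and permission steps S1 to S3 above, as an added worked model in Go (not code from the patent or from any Watchdata implementation): the SE platform labels each command with its channel, and the Applet refuses anything outside the per-channel policy before it dispatches, so the rich OS can drive symmetric encryption directly but cannot import a session key. The channel and instruction names, the RSA-OAEP key wrap and AES-GCM are assumptions, since the patent fixes neither the APDU encoding nor the algorithms.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Channel is the label the SE platform attaches to each command it receives (step S1).
type Channel int

const (
	ChannelTEE    Channel = iota + 1 // first channel: trusted, from the TA in the TEE
	ChannelRichOS                    // second channel: untrusted, direct from the rich OS
)

type Command struct {
	Source Channel
	Ins    string // instruction name; the APDU encoding is omitted in this model
	Data   []byte
}

// Applet models the security application inside the SE.
type Applet struct {
	priv *rsa.PrivateKey // long-term private key, never leaves the SE
	gcm  cipher.AEAD     // AES-GCM under the session key imported via the TEE
}

// policy is the per-channel permission table (step S3); an unlabelled command matches nothing.
var policy = map[Channel]map[string]bool{
	ChannelTEE:    {"IMPORT_SESSION_KEY": true, "ENCRYPT": true, "DECRYPT": true},
	ChannelRichOS: {"ENCRYPT": true, "DECRYPT": true},
}

var ErrNotPermitted = errors.New("se: instruction not permitted on this channel")
var ErrNoSessionKey = errors.New("se: no session key has been imported")

// NewApplet creates an SE holding a freshly generated RSA key (assumed setup).
func NewApplet() (*Applet, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	return &Applet{priv: priv}, err
}
func (a *Applet) PublicKey() *rsa.PublicKey { return &a.priv.PublicKey }

// WrapSessionKey is the SDK side of the import: the key travels only as RSA-OAEP ciphertext.
func WrapSessionKey(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
}

// Process reads the label (step S2) and enforces the policy before any dispatch (step S3).
func (a *Applet) Process(c Command) ([]byte, error) {
	if !policy[c.Source][c.Ins] {
		return nil, ErrNotPermitted
	}
	switch c.Ins {
	case "IMPORT_SESSION_KEY":
		key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, a.priv, c.Data, nil)
		if err != nil {
			return nil, err
		}
		block, err := aes.NewCipher(key)
		if err != nil {
			return nil, err
		}
		a.gcm, err = cipher.NewGCM(block)
		return []byte{0x90, 0x00}, err // ISO 7816 style success status word
	case "ENCRYPT", "DECRYPT":
		if a.gcm == nil {
			return nil, ErrNoSessionKey
		}
		n := a.gcm.NonceSize()
		if c.Ins == "ENCRYPT" { // output is nonce || ciphertext || tag
			nonce := make([]byte, n)
			if _, err := rand.Read(nonce); err != nil {
				return nil, err
			}
			return a.gcm.Seal(nonce, nonce, c.Data, nil), nil
		}
		if len(c.Data) < n {
			return nil, errors.New("se: ciphertext too short")
		}
		return a.gcm.Open(nil, c.Data[:n], c.Data[n:], nil) // fails on tampering
	}
	return nil, errors.New("se: unknown instruction")
}

func main() {
	se, _ := NewApplet()
	wrapped, _ := WrapSessionKey(se.PublicKey(), []byte("0123456789abcdef")) // constructed key
	_, errRich := se.Process(Command{Source: ChannelRichOS, Ins: "IMPORT_SESSION_KEY", Data: wrapped})
	_, errTEE := se.Process(Command{Source: ChannelTEE, Ins: "IMPORT_SESSION_KEY", Data: wrapped})
	ct, _ := se.Process(Command{Source: ChannelRichOS, Ins: "ENCRYPT", Data: []byte("hello")})
	pt, _ := se.Process(Command{Source: ChannelRichOS, Ins: "DECRYPT", Data: ct})
	fmt.Println("rich-OS import:", errRich, "| TEE import:", errTEE, "| round trip:", string(pt))
}
```

The policy check runs before the instruction switch, so a command with no label (the zero Channel value) or an instruction absent from a channel's table is refused without touching any key material.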
The advantages of the technical solution of the present invention are as follows:
1) By adding the second channel between the rich OS unit and the SE security module, the technical solution enables encryption and decryption data to be exchanged directly between the rich OS unit and the SE security module, removing the extra delay introduced by relaying through the TEE, and so significantly reduces the latency of the calculation flow, increases data throughput, and improves its processing speed and performance;
2) The second channel of the technical solution provides only symmetric encryption and decryption functions and is not allowed to provide any other cryptographic service function; the security of the TEE as the trusted channel of the SE's external operating environment is not reduced, and therefore the overall security of the whole cryptographic system is not reduced either.
In addition, although the operations of the method of the invention are described in the drawings in a particular order, this does not require or imply that these operations must be executed in that particular order, or that all of the operations shown must be executed to achieve the desired result. Additionally or alternatively, certain steps may be omitted, several steps may be combined into one step, and/or one step may be decomposed into several steps.
It should be noted that the above-described embodiments illustrate rather than limit the invention, and those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign between parentheses shall not be construed as limiting the claim.

Claims (11)

1. A method of encryption and decryption based on TEE+SE, comprising the following steps:
an SE security module receives instructions and data from a first channel or a second channel and labels the channel source (S1), wherein
the first channel is connected between a TEE secure unit and the SE security module,
the second channel is connected between a rich OS unit and the SE security module;
the SE security module reads the label to obtain source information (S2);
the SE security module processes the instructions and data from the different sources and differentiates permissions (S3).
2. The method according to claim 1, wherein step (S1) includes:
transmitting instructions and data to the SE security module through a first connection of the first channel;
transmitting instructions and data to the SE security module through a second connection of the second channel;
the first connection and the second connection being different physical connections or different logical connections.
3. The method according to claim 2, further including:
the SE security module labelling the first connection and the second connection in order to distinguish the first channel from the second channel.
4. The method according to claim 1, wherein step (S3) includes:
for instructions and data from the first channel, the SE security module providing all cryptographic service functions;
for instructions and data from the second channel, the SE security module providing only the symmetric encryption and symmetric decryption cryptographic service functions.
5. The method according to claim 1, wherein step (S3) further includes:
before the SE security module processes the instructions and data from the different sources, checking the source information of the instructions and data.
6. A system of encryption and decryption based on TEE+SE, including an application processor and an SE security module, wherein the application processor includes a rich OS unit and a TEE secure unit,
the TEE secure unit is connected with the rich OS unit and is connected with the SE security module through a first channel;
the rich OS unit is connected with the SE security module through a second channel;
the SE security module is configured to:
receive instructions and data from the first channel or the second channel and label the channel source;
read the label to obtain source information;
process the instructions and data from the different sources and differentiate permissions.
7. The system according to claim 6, wherein the SE security module includes an SE platform and a security application (Applet),
the SE platform is configured to receive instructions and data from the first channel or the second channel and to label the channel source;
the security application Applet is configured to read the label from the SE platform to obtain source information;
the security application Applet is further configured to process the instructions and data from the different sources and to differentiate permissions.
8. The system according to claim 6, including:
instructions and data being transmitted to the SE security module through a first connection of the first channel;
instructions and data being transmitted to the SE security module through a second connection of the second channel;
the first connection and the second connection being different physical connections or different logical connections.
9. The system according to claim 8, including:
the SE security module being configured to label the first connection and the second connection in order to distinguish the first channel from the second channel.
10. The system according to claim 6, wherein
the SE security module is configured to process the instructions and data from the different sources and to differentiate permissions, including:
for instructions and data from the first channel, providing all cryptographic service functions to the TEE secure unit;
for instructions and data from the second channel, providing only the symmetric encryption and symmetric decryption cryptographic service functions to the rich OS unit.
11. The system according to claim 6, wherein
the SE security module is further configured to check the source information of the instructions and data before processing the instructions and data from the different sources.
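As an added illustration of steps S1 to S3 (claim 1, and the optional steps of the description above) together with the permission split of claims 4 and 10, the following Python model is not the patent's or the applicant's code: the connection names, the service names, and the HMAC-based keystream standing in for the SE's cipher engine are assumptions. The point it makes is that the source label is derived by the SE platform from the connection a command arrived on, so the rich OS cannot obtain the first channel's privileges by anything it puts in a payload, and refused requests are recorded for auditing.

```python
# Added model of the patent's two-channel SE access control (claim 1 steps S1-S3,
# permission split of claims 4/10). Not the applicant's code; connection names,
# service names and the keyed stand-in for the SE cipher engine are assumptions.
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class Channel(Enum):
    TEE = 1  # first channel: TEE secure unit <-> SE over the first connection
    REE = 2  # second channel: rich OS unit <-> SE over the second connection


# Constructed service set: the patent only distinguishes "all cryptographic
# services" (first channel) from symmetric encrypt/decrypt only (second channel).
SYMMETRIC_ONLY = frozenset({"SYM_ENCRYPT", "SYM_DECRYPT"})
ALL_SERVICES = SYMMETRIC_ONLY | {"SIGN"}
POLICY = {Channel.TEE: ALL_SERVICES, Channel.REE: SYMMETRIC_ONLY}


@dataclass(frozen=True)
class Command:
    source: Channel  # label attached by the SE platform in step S1
    service: str
    data: bytes


class SecurityApplet:
    # Reads the label (S2), checks it, and differentiates permissions (S3).
    def __init__(self, master_key: bytes):
        self._key = master_key  # stays inside the SE
        self.denied = []        # audit trail of refused commands

    def process(self, cmd: Command) -> bytes:
        # Source check before any processing (claims 5 and 11).
        if not isinstance(cmd.source, Channel):
            raise PermissionError("command without a valid source label")
        if cmd.service not in POLICY[cmd.source]:
            self.denied.append((cmd.source.name, cmd.service))
            raise PermissionError(f"{cmd.service} not offered on {cmd.source.name} channel")
        return self._execute(cmd.service, cmd.data)

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        # HMAC-SHA256 in counter mode as a stand-in for the SE's AES engine.
        blocks = []
        for counter in range((length + 31) // 32):
            blocks.append(hmac.new(self._key, nonce + counter.to_bytes(4, "big"),
                                   hashlib.sha256).digest())
        return b"".join(blocks)[:length]

    def _execute(self, service: str, data: bytes) -> bytes:
        if service in SYMMETRIC_ONLY:
            nonce, body = data[:16], data[16:]  # caller supplies a 16-byte nonce
            return bytes(a ^ b for a, b in zip(body, self._keystream(nonce, len(body))))
        if service == "SIGN":
            # Stand-in for the private-key signature that only the TEE may request.
            return hmac.new(self._key, data, hashlib.sha256).digest()
        raise ValueError(f"unknown service {service}")


class SEPlatform:
    # Terminates both connections and labels each command with its channel (S1).
    CONNECTION_TO_CHANNEL = {"spi0": Channel.TEE, "i2c1": Channel.REE}  # assumed

    def __init__(self, applet: SecurityApplet):
        self.applet = applet

    def receive(self, connection: str, service: str, data: bytes) -> bytes:
        # The label is derived from the connection, never from the payload, so a
        # rich-OS caller cannot claim to be the TEE by what it sends.
        return self.applet.process(Command(self.CONNECTION_TO_CHANNEL[connection],
                                           service, data))


def demo() -> dict:
    # Constructed traffic on both channels; returns the observable outcomes.
    se = SEPlatform(SecurityApplet(b"constructed-se-master-key"))
    nonce, plaintext = bytes(range(16)), b"payment record 0042"
    ct = se.receive("i2c1", "SYM_ENCRYPT", nonce + plaintext)  # rich OS, direct
    pt = se.receive("i2c1", "SYM_DECRYPT", nonce + ct)
    tee_sig = se.receive("spi0", "SIGN", plaintext)            # TEE: allowed
    try:
        se.receive("i2c1", "SIGN", plaintext)                  # rich OS: refused
        ree_sign_blocked = False
    except PermissionError:
        ree_sign_blocked = True
    return {"roundtrip_ok": pt == plaintext, "ct_differs": ct != plaintext,
            "tee_sig_len": len(tee_sig), "ree_sign_blocked": ree_sign_blocked,
            "denied": se.applet.denied}


if __name__ == "__main__":
    print(demo())
```

Running the module shows the rich OS completing an encrypt/decrypt round trip over the second channel without the TEE in the path, while its signing request is refused and logged; the same request over the first channel succeeds. In a real deployment the mapping from connection to channel would be fixed by the SE firmware, and the audit entries would feed whatever tamper or misuse monitoring the SE supports.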
CN201811280683.5A 2018-10-30 2018-10-30 Encryption and decryption method and system based on TEE+SE Active CN109040147B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811280683.5A CN109040147B (en) 2018-10-30 2018-10-30 Encryption and decryption method and system based on TEE+SE

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811280683.5A CN109040147B (en) 2018-10-30 2018-10-30 Encryption and decryption method and system based on TEE+SE

Publications (2)

Publication Number Publication Date
CN109040147A true CN109040147A (en) 2018-12-18
CN109040147B CN109040147B (en) 2023-08-15

Family

ID=64614551

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811280683.5A Active CN109040147B (en) 2018-10-30 2018-10-30 Encryption and decryption method and system based on TEE+SE

Country Status (1)

Country Link
CN (1) CN109040147B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104899506A (en) * 2015-05-08 2015-09-09 深圳市雪球科技有限公司 Security system implementation method based on virtual security element in trusted execution environment
CN106547633A (en) * 2016-10-19 2017-03-29 沈阳微可信科技有限公司 Multi-channel communication systems and electronic equipment
CN106650461A (en) * 2016-11-23 2017-05-10 北京握奇智能科技有限公司 Mobile terminal and access method of embedded type security module based on same

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3879783A4 (en) * 2019-02-26 2021-12-22 Advanced New Technologies Co., Ltd. Data security processing method and terminal thereof, and server
US11251976B2 (en) 2019-02-26 2022-02-15 Advanced New Technologies Co., Ltd. Data security processing method and terminal thereof, and server
CN111177701A (en) * 2019-12-11 2020-05-19 北京握奇智能科技有限公司 Method and equipment for realizing cryptographic function service based on trusted execution environment and security chip

Also Published As

Publication number Publication date
CN109040147B (en) 2023-08-15

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant