CN109040147A - Method and system for encryption and decryption based on TEE+SE - Google Patents
- Publication number: CN109040147A (application number CN201811280683.5A)
- Authority: CN (China)
- Prior art keywords: security module, data, channel, instruction, connection
- Legal status: Granted
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
          - H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
            - H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
          - G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        - H04L9/06—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
          - H04L9/0618—Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
        - H04L2209/12—Details relating to cryptographic hardware or logic circuitry
          - H04L2209/127—Trusted platform modules [TPM]
Abstract
The present invention provides a method and system for encryption and decryption based on TEE+SE. The method comprises the following steps: the SE security module receives instructions and data from a first channel or a second channel and labels the channel source (S1), where the first channel is connected between the TEE secure unit and the SE security module and the second channel is connected between the rich OS unit and the SE security module; the SE security module obtains the label, thereby obtaining source information (S2); and the SE security module processes the instructions and data from the different sources with differentiated permissions (S3). The technical solution of the present invention can significantly reduce the latency of symmetric encryption and decryption, increase data throughput, and improve processing speed and performance without reducing the overall security of the cryptographic system.
Description
Technical field
The present invention relates to the field of information security, and more particularly to encryption and decryption based on TEE+SE.
Background technique
An SE (secure element) is a security module with its own independent hardware logic circuit and a defined physical security boundary. An SE can store cryptographic sensitive security parameters in encrypted form and execute approved cryptographic algorithms, among other functions.
In practical applications, besides the security of the SE itself as a cryptographic module, the security of the SE's external operating environment is also an important part of the overall security of the cryptographic system. In mobile intelligent terminal cryptographic security solutions based on TEE+SE, the TEE provides a restricted external operating environment and a trusted channel for the input and output of sensitive security parameters, which effectively strengthens the overall security of the cryptographic application system.
A typical operating environment of a TEE+SE-based mobile intelligent terminal is shown in Figure 1. As shown in Figure 1, the rich OS is connected to the TEE, and the TEE is connected to the SE. From the perspective of data flow alone, when an application in the rich OS (for example Android) needs to access a cryptographic service, it first sends a cryptographic service request command to the TA (trusted application) running in the TEE; the TA then sends the cryptographic service request command to the security application Applet running in the SE; the Applet returns the request result to the TA, and the TA returns the request result to the application.
A typical data encryption and decryption flow is shown in Figure 2. As shown in Figure 2, the APP sends the session key ciphertext to the TA in the TEE; the Applet in the SE receives the session key ciphertext from the TA, decrypts the session key with the private key, and returns the execution result to the TA, which in turn returns it to the APP, completing one session key import. The APP then sends plaintext data to the TA, the TA forwards it to the SE, the SE encrypts the data with the session key and returns the encrypted result to the TA, and the TA returns the encrypted result to the APP, completing one data encryption. The decryption flow mirrors the encryption flow.
However, in symmetric encryption and decryption scenarios that demand high throughput, low latency and large data volumes, such as audio and video calls, live streaming, broadcasting and large file transfers, the above flow suffers from high latency, slow processing and low throughput.
Chinese patent application No. 201610603214.7, entitled "A kind of interaction method between TA and SE, TA, SE and TSM platform", describes an interaction method between a TA and an SE, together with the TA, the SE and a TSM platform. It relates to the field of communication technology and is intended to improve security when processing a full-terminal SIM shield. The interaction method comprises: the TA compiles sensitive data stored in the TEE into a first APDU instruction; the SE parses the received first APDU instruction; the SE processes the parsed sensitive data; the SE encrypts the processed sensitive data; the SE compiles the encrypted sensitive data into a second APDU instruction; the TA parses the received second APDU instruction; and the TSM platform parses the received encrypted sensitive data.
That scheme discloses the interaction between the TEE and the SE, but does not disclose any interaction between the rich OS and the SE.
Summary of the invention
The object of the present invention is to overcome the defects of high latency and slow processing that TEE+SE exhibits in symmetric encryption and decryption application environments in the prior art, by providing a method and system for encryption and decryption based on TEE+SE.
According to a first aspect of the invention, a method for encryption and decryption based on TEE+SE is provided, comprising the following steps: the SE security module receives instructions and data from a first channel or a second channel and labels the channel source (S1), where the first channel is connected between the TEE secure unit and the SE security module and the second channel is connected between the rich OS unit and the SE security module; the SE security module obtains the label, thereby obtaining source information (S2); and the SE security module processes the instructions and data from the different sources with differentiated permissions (S3).
Optionally, step S1 includes: the first channel transmits instructions and data to the SE security module over a first connection; the second channel transmits instructions and data to the SE security module over a second connection; the first connection and the second connection are different physical connections or different logical connections.
Optionally, the SE security module labels the first connection and the second connection in order to distinguish the first channel from the second channel.
Optionally, step S3 includes: for instructions and data from the first channel, the SE security module provides all cryptographic service functions; for instructions and data from the second channel, the SE security module provides only the symmetric encryption and symmetric decryption cryptographic service functions.
Optionally, step S3 further includes checking the source information of the instructions and data before the SE security module processes the instructions and data from the different sources.
According to a second aspect of the invention, a system for encryption and decryption based on TEE+SE is provided, comprising an application processor and an SE security module, where the application processor comprises a rich OS unit and a TEE secure unit; the TEE secure unit is connected to the rich OS unit and is connected to the SE security module through a first channel; the rich OS unit is connected to the SE security module through a second channel; and the SE security module is configured to: receive instructions and data from the first channel or the second channel and label the channel source; obtain the label, thereby obtaining source information; and process the instructions and data from the different sources with differentiated permissions.
Optionally, the SE security module comprises an SE platform and a security application Applet. The SE platform is configured to receive instructions and data from the first channel or the second channel and to label the channel source; the security application Applet is configured to obtain the label from the SE platform, thereby obtaining source information, and is further configured to process the instructions and data from the different sources with differentiated permissions.
Optionally, the first channel transmits instructions and data to the SE security module over a first connection, and the second channel transmits instructions and data to the SE security module over a second connection; the first connection and the second connection are different physical connections or different logical connections.
Optionally, the SE security module is configured to label the first connection and the second connection in order to distinguish the first channel from the second channel.
Optionally, the SE security module is configured such that processing the instructions and data from the different sources with differentiated permissions comprises: for instructions and data from the first channel, providing all cryptographic service functions to the TEE secure unit; for instructions and data from the second channel, providing only the symmetric encryption and symmetric decryption cryptographic service functions to the rich OS unit.
Optionally, the SE security module is further configured to check the source information of the instructions and data before processing the instructions and data from the different sources.
The advantages of the technical solution of the present invention are as follows:
1) By adding a second channel between the rich OS unit and the SE security module, the technical solution of the present invention enables encryption and decryption data to be exchanged directly between the rich OS unit and the SE security module, removing the latency added by relaying through the TEE; this significantly reduces the latency of the computation, increases data throughput, and improves processing speed and performance;
2) The second channel of the technical solution of the present invention provides only symmetric encryption and decryption functions and is not allowed to provide any other cryptographic service function; the security of the TEE as the trusted channel of the SE's external operating environment is not reduced, so the overall security of the whole cryptographic system is not reduced either.
Detailed description of the invention
Fig. 1 shows a schematic diagram of the TEE+SE encryption and decryption system of the background art.
Fig. 2 shows the data flow chart of the TEE+SE encryption and decryption system of the background art.
Fig. 3 shows a schematic diagram of a system for encryption and decryption based on TEE+SE according to the present invention.
Fig. 4 shows a schematic diagram of one embodiment of an SE security module according to the present invention.
Fig. 5 shows the flow chart of the computation of the encryption and decryption system based on TEE+SE according to the present invention.
Fig. 6 shows a schematic diagram of a method for encryption and decryption based on TEE+SE according to the present invention.
Specific embodiments
Preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings, in which reference numerals refer to the components and techniques of the present invention, so that the advantages and features of the invention can be more easily understood when it is practised in appropriate circumstances. The following description is a concrete embodiment of the claims of the present invention, and other specific implementations related to the claims that are not explicitly stated also fall within the scope of the claims. It should also be understood that, for ease of description, the sizes of the various parts shown in the drawings are not drawn according to their actual proportions. The following description of at least one exemplary embodiment is merely illustrative and in no way limits the present invention or its application or use.
Techniques, methods and apparatus known to persons of ordinary skill in the relevant art may not be discussed in detail, but where appropriate such techniques, methods and apparatus should be regarded as part of the specification.
The technical solution of the present invention is described in detail below with reference to the accompanying drawings.
Fig. 3 shows a schematic diagram of a system for encryption and decryption based on TEE+SE according to the present invention.
As shown in Figure 3, a system for encryption and decryption based on TEE+SE is provided, comprising an application processor 310 and an SE security module 320, where the application processor 310 comprises a rich OS unit 311 and a TEE secure unit 312; the TEE secure unit 312 is connected to the rich OS unit 311 and is connected to the SE security module 320 through a first channel; the rich OS unit 311 is connected to the SE security module 320 through a second channel; and the SE security module 320 is configured to: receive instructions and data from the first channel or the second channel and label the channel source; obtain the label, thereby obtaining source information; and process the instructions and data from the different sources with differentiated permissions.
The SE security module 320 is a security module with its own independent hardware logic circuit and a defined physical security boundary. The SE can store cryptographic sensitive security parameters in encrypted form, execute approved cryptographic algorithms, and so on. The rich OS unit 311 may be an operating system such as Android. The TEE secure unit 312 is a secure area residing on the application processor of the mobile intelligent terminal; it provides an operating environment that coexists with the rich OS unit 311 on the device and offers the rich OS unit 311 security services such as secure storage of sensitive data, approved cryptographic algorithms and a trusted user interface.
The first channel is a trusted channel connected between the TEE secure unit 312 and the SE security module 320; the second channel is an untrusted channel connected between the rich OS unit 311 and the SE security module 320. For example, when an application in the rich OS needs to access a cryptographic service, it may send a cryptographic service request command to the TA in the TEE; the TA then sends the cryptographic service request command to the SE over the first channel, the SE returns the request result to the TA, and the TA returns the request result to the application in the rich OS. Alternatively, when an application in the rich OS needs to access a cryptographic service, it may send the cryptographic service request command directly over the second channel to the Applet running in the SE, and the Applet returns the request result directly to the rich OS. The second channel of the technical solution of the present invention thus enables encryption and decryption data to be exchanged directly between the rich OS unit 311 and the SE security module 320, removing the latency added by relaying through the TEE secure unit 312, which significantly reduces the latency of the computation, increases data throughput, and improves processing speed and performance.
The label is used to distinguish the two sources, the first channel and the second channel, so there may be two labels: the first channel and the second channel each carry a label different from the other's, which makes them easy to tell apart. That is, each label represents one source, and there are as many labels as there are sources.
By obtaining the label, the SE security module 320 obtains the source information corresponding to that label; that is, it identifies the first channel or the second channel by obtaining the label.
By recognising the label, the SE security module 320 can identify whether the instructions and data come from the first channel or the second channel, and can therefore process instructions and data from different sources differently, providing differentiated cryptographic service functions.
The SE security module 320 may take various structures; for example, the whole SE security module 320 may be exactly one application, or it may contain different functional areas according to the different functions it implements.
Optionally, the SE security module 320 may comprise an SE platform and a security application Applet. The SE platform is configured to receive instructions and data from the first channel or the second channel and to label the channel source; the security application Applet is configured to obtain the label from the SE platform, thereby obtaining source information, and is further configured to process the instructions and data from the different sources with differentiated permissions.
The SE may also have other structures and is not limited to the SE platform + Applet pattern. According to one embodiment of the present invention, the SE platform receives the instructions and data from the first channel or the second channel, can label the channel source, and can at the same time mark the instructions and data with their source. The security application Applet can obtain the label from the SE platform, thereby obtaining the channel source information corresponding to the label. When the security application Applet receives the instructions and data from the SE platform, it first checks and recognises their source label, determines which channel the instructions and data came from, and then processes the command and data accordingly.
Optionally, the first channel transmits instructions and data to the SE security module 320 over a first connection, and the second channel transmits instructions and data to the SE security module 320 over a second connection; the first connection and the second connection are different physical connections or different logical connections.
The first connection and the second connection may be two different physical connections, two different logical connections, or two different logical connections over the same physical connection. The above illustrates what is meant by the first connection and the second connection being different physical connections or different logical connections; the possibilities are not limited to these cases.
The physical connection includes, but is not limited to, connection modes such as a data bus, chip pins, a peripheral interface or a contactless antenna.
The logical connection includes, but is not limited to, communication modes such as a connection mechanism that follows a particular communication protocol or a data stream protected by encryption.
Optionally, the SE security module 320 is configured to label the first connection and the second connection in order to distinguish the first channel from the second channel.
The SE security module 320 distinguishes the first connection from the second connection and labels the first connection and the second connection. The labels may comprise two different labels, one label representing one source.
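The connection-to-label mapping described above, as an added example in C that is not part of the patent: a small model of an SE HAL layer that stamps each incoming command with a source label (step S1) according to the connection it arrived on. It covers both wirings the text allows, two distinct physical connections and two logical channels multiplexed on one physical connection, and treats any connection that was not provisioned as unknown so that it can be granted nothing later. The structure names, connection identifiers, label values and table size are assumptions made for the example.

```c
/* Added example (illustrative, not the patent's own code): an SE HAL layer
 * performing step S1, stamping each incoming command with a source label
 * derived from the connection it arrived on. Structure names, connection
 * identifiers, label values and the table size are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One label per source; as the text says, as many labels as sources. */
enum source_label {
    SOURCE_UNKNOWN = 0,   /* unprovisioned connection: nothing is granted */
    SOURCE_TEE     = 1,   /* first channel: TEE secure unit -> SE */
    SOURCE_RICH_OS = 2    /* second channel: rich OS unit -> SE */
};

/* The connection a command arrived on: a physical interface (bus, pins,
 * peripheral interface, antenna) plus a logical channel multiplexed on it. */
struct connection { uint8_t physical; uint8_t logical; };

/* Provisioned routing table: which connection is which channel. */
struct route { struct connection conn; enum source_label label; };
#define MAX_ROUTES 4
struct hal_config { struct route routes[MAX_ROUTES]; size_t count; };

static int same_conn(struct connection a, struct connection b)
{
    return a.physical == b.physical && a.logical == b.logical;
}

/* Register a connection -> label mapping. A connection carries exactly one
 * label, so registering the same connection twice is refused. */
static int hal_register(struct hal_config *cfg, struct connection conn,
                        enum source_label label)
{
    if (cfg->count >= MAX_ROUTES || label == SOURCE_UNKNOWN) return -1;
    for (size_t i = 0; i < cfg->count; i++)
        if (same_conn(cfg->routes[i].conn, conn)) return -1;
    cfg->routes[cfg->count].conn = conn;
    cfg->routes[cfg->count].label = label;
    cfg->count++;
    return 0;
}

/* Step S1: derive the label of an incoming command from its connection.
 * Anything not provisioned stays SOURCE_UNKNOWN, so the Applet's later
 * source check (S2/S3) grants it nothing. */
static enum source_label hal_label(const struct hal_config *cfg,
                                   struct connection conn)
{
    for (size_t i = 0; i < cfg->count; i++)
        if (same_conn(cfg->routes[i].conn, conn)) return cfg->routes[i].label;
    return SOURCE_UNKNOWN;
}

/* Wiring option 1: two different physical connections. */
static struct hal_config config_two_physical(void)
{
    struct hal_config cfg = { .count = 0 };
    hal_register(&cfg, (struct connection){ 0, 0 }, SOURCE_TEE);
    hal_register(&cfg, (struct connection){ 1, 0 }, SOURCE_RICH_OS);
    return cfg;
}

/* Wiring option 2: one physical connection carrying two logical channels. */
static struct hal_config config_shared_physical(void)
{
    struct hal_config cfg = { .count = 0 };
    hal_register(&cfg, (struct connection){ 0, 1 }, SOURCE_TEE);
    hal_register(&cfg, (struct connection){ 0, 2 }, SOURCE_RICH_OS);
    return cfg;
}

/* Look up the label a command would get under either wiring. */
static enum source_label label_on(int shared, uint8_t physical, uint8_t logical)
{
    struct hal_config cfg = shared ? config_shared_physical() : config_two_physical();
    return hal_label(&cfg, (struct connection){ physical, logical });
}

/* Re-registering a provisioned connection under another label is refused. */
static int duplicate_registration_refused(void)
{
    struct hal_config cfg = config_shared_physical();
    return hal_register(&cfg, (struct connection){ 0, 1 }, SOURCE_RICH_OS) == -1;
}

int main(void)
{
    printf("shared bus, logical 1 -> %d (TEE)\n", label_on(1, 0, 1));
    printf("shared bus, logical 2 -> %d (rich OS)\n", label_on(1, 0, 2));
    printf("shared bus, logical 0 -> %d (unknown)\n", label_on(1, 0, 0));
    printf("duplicate refused: %d\n", duplicate_registration_refused());
    return 0;
}
```

The design point is that the label is a property of the provisioned connection, not of anything the sender puts in the command, so a command arriving on the rich OS connection cannot claim to come from the TEE.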
Optionally, the SE security module 320 is configured such that processing the instructions and data from the different sources with differentiated permissions comprises: for instructions and data from the first channel, providing all cryptographic service functions to the TEE secure unit 312; for instructions and data from the second channel, providing only the symmetric encryption and symmetric decryption cryptographic service functions to the rich OS unit 311.
Since the first channel is a trusted channel, the SE security module 320 may provide the full set of cryptographic service functions for instructions and data from the first channel. Since the second channel is an untrusted channel, the SE security module 320 allows only a limited set of cryptographic service functions for instructions and data from the second channel, namely symmetric encryption and symmetric decryption, and does not allow any other cryptographic service function to be executed.
Configured in this way, the SE security module 320 provides differentiated and strictly limited cryptographic service functions for commands and data from different sources. The security of the TEE secure unit 312 as the trusted channel of the external operating environment of the SE security module 320 is thus not reduced, and the overall security of the whole cryptographic system is not reduced either. This arrangement of the technical solution of the present invention reduces latency, increases data throughput and improves processing speed in symmetric encryption and decryption without reducing the security of the whole cryptographic system.
Optionally, the SE security module 320 is further configured to check the source information of the instructions and data before processing the instructions and data from the different sources.
When the SE security module 320 receives the instructions and data, it first checks and recognises their source label, determines which channel the instructions and data came from, and then processes the command and data accordingly.
Fig. 4 shows a schematic diagram of one embodiment of an SE security module according to the present invention.
One embodiment of the technical solution of the present invention is described in detail below with reference to Fig. 4. This is only one way of realising the technical solution of the present invention, which may include but is not limited to this way.
As shown in Figure 4, the SE security module may comprise an SE platform and a security application Applet, where the SE platform comprises a HAL layer, an SE platform environment and an SE platform API. The SE platform + Applet structure is one kind of SE; the present invention is not limited to a specific SE structure, and this structure is used only as one embodiment to illustrate the technical solution of the present invention.
The HAL layer receives the instructions and data from the first channel or the second channel and can label the channel source, with each label representing one source, while also marking the instructions and data with their source. After receiving the label from the HAL layer, the SE platform environment can pass it to the SE platform API, which provides a general-purpose API function; the security application Applet obtains the label through the API function of the SE platform API, thereby obtaining the channel source information corresponding to the label. When the security application Applet receives the instructions and data from the SE platform, it first checks and recognises their source label, determines which channel the instructions and data came from, and then processes the command and data accordingly. Processing accordingly means providing differentiated and strictly limited cryptographic service functions for commands and data from different sources. For example, for instructions and data from the first channel, all cryptographic service functions are provided to the TEE secure unit; for instructions and data from the second channel, only the symmetric encryption and symmetric decryption cryptographic service functions are provided to the rich OS.
Fig. 5 shows the flow chart of the computation of the encryption and decryption system based on TEE+SE according to the present invention.
According to an embodiment of the present invention, as shown in Figure 5, the SDK is a software development kit running in the rich OS unit; the SDK is used below as an example and not as a limitation of the technical solution of the present invention, and it could equally be another application in the rich OS, such as an APP. The session key import flow is as follows: the SDK sends the session key ciphertext to the TA in the TEE secure unit; the security application Applet of the SE security module imports the session key, decrypts the session key with the private key, and then sends the execution result to the cryptographic application TA in the TEE, which in turn returns the execution result to the SDK. In a symmetric encryption and decryption computing environment, the SDK then sends plaintext data directly to the Applet in the SE, and the Applet returns the data ciphertext directly to the SDK. The decryption flow mirrors the encryption flow. This realises direct exchange of encryption and decryption data between the rich OS and the SE, removes the latency added by relaying through the TEE, and improves the processing speed and performance of the computation.
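The source check and permission split of the Fig. 4 embodiment, driven through the Fig. 5 flow (session key import over the first channel via the TA, then bulk data directly over the second channel), as an added example in C that is not the patent's own code. The Applet model checks the source label before executing anything, lets the TEE source invoke every service, restricts the rich OS source to symmetric encryption and decryption, and refuses symmetric operations until a session key has been imported. The instruction codes, the byte-XOR stand-ins for the private-key unwrap and the session-key cipher, and the sample keys are assumptions made for the example; the status words are the ISO 7816-4 conventional values.

```c
/* Added example (illustrative, not the patent's own code): a model of the
 * SE security application (Applet) carrying out steps S2 and S3 of the
 * Fig. 4 embodiment, exercised through the Fig. 5 flow. Instruction codes
 * and the byte-XOR stand-ins for the private-key unwrap and the session-key
 * cipher are assumptions; a real SE uses its approved algorithms. Status
 * words follow ISO 7816-4 conventions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum source_label { SOURCE_UNKNOWN = 0, SOURCE_TEE = 1, SOURCE_RICH_OS = 2 };
enum { INS_IMPORT_SESSION_KEY = 0x10,                    /* private-key op */
       INS_SYM_ENCRYPT = 0x30, INS_SYM_DECRYPT = 0x31 }; /* symmetric ops */

#define SW_OK                       0x9000
#define SW_WRONG_LENGTH             0x6700
#define SW_SECURITY_NOT_SATISFIED   0x6982   /* source not permitted */
#define SW_CONDITIONS_NOT_SATISFIED 0x6985   /* no session key loaded */
#define SW_INS_NOT_SUPPORTED        0x6D00
#define KEY_LEN 16

struct applet {
    uint8_t private_key[KEY_LEN];        /* never leaves the SE boundary */
    uint8_t session_key[KEY_LEN];
    int session_key_loaded;
};

/* Permission table: the trusted first channel (TEE) may invoke every
 * service; the untrusted second channel (rich OS) only symmetric
 * encryption and decryption; an unknown source gets nothing. */
static uint16_t check_permission(enum source_label src, uint8_t ins)
{
    switch (ins) {
    case INS_IMPORT_SESSION_KEY:
        return src == SOURCE_TEE ? SW_OK : SW_SECURITY_NOT_SATISFIED;
    case INS_SYM_ENCRYPT: case INS_SYM_DECRYPT:
        return (src == SOURCE_TEE || src == SOURCE_RICH_OS)
               ? SW_OK : SW_SECURITY_NOT_SATISFIED;
    default:
        return SW_INS_NOT_SUPPORTED;
    }
}

/* Stand-in keyed transform (byte XOR with a repeating key): a placeholder
 * for the SE's real cipher so that the dispatch logic can be exercised. */
static void xor_with_key(const uint8_t *key, const uint8_t *in, size_t len,
                         uint8_t *out)
{
    for (size_t i = 0; i < len; i++) out[i] = in[i] ^ key[i % KEY_LEN];
}

/* S2 + S3: the source label is checked before anything is processed.
 * 'out' must have room for len bytes. */
static uint16_t applet_process(struct applet *ap, enum source_label src,
                               uint8_t ins, const uint8_t *in, size_t len,
                               uint8_t *out, size_t *out_len)
{
    uint16_t sw = check_permission(src, ins);
    *out_len = 0;
    if (sw != SW_OK) return sw;
    if (ins == INS_IMPORT_SESSION_KEY) {   /* unwrap with the private key */
        if (len != KEY_LEN) return SW_WRONG_LENGTH;
        xor_with_key(ap->private_key, in, KEY_LEN, ap->session_key);
        ap->session_key_loaded = 1;
        return SW_OK;
    }
    if (!ap->session_key_loaded) return SW_CONDITIONS_NOT_SATISFIED;
    xor_with_key(ap->session_key, in, len, out);   /* encrypt == decrypt here */
    *out_len = len;
    return SW_OK;
}

/* The Fig. 5 flow with constructed sample keys and data. Returns 1 when
 * every step behaves as the text describes, 0 at the first deviation. */
static int run_fig5_flow(void)
{
    struct applet ap = { .session_key_loaded = 0 };
    uint8_t session_key[KEY_LEN], wrapped[KEY_LEN], ct[5], pt[5];
    const uint8_t plain[5] = { 'h', 'e', 'l', 'l', 'o' };
    size_t n;
    memset(ap.private_key, 0xA5, KEY_LEN);                       /* constructed */
    for (int i = 0; i < KEY_LEN; i++) session_key[i] = (uint8_t)(i + 1);
    xor_with_key(ap.private_key, session_key, KEY_LEN, wrapped);  /* "ciphertext" */

    /* Rich OS -> SE directly: no session key yet, and import is TEE-only */
    if (applet_process(&ap, SOURCE_RICH_OS, INS_SYM_ENCRYPT, plain, 5, ct, &n)
            != SW_CONDITIONS_NOT_SATISFIED) return 0;
    if (applet_process(&ap, SOURCE_RICH_OS, INS_IMPORT_SESSION_KEY, wrapped,
                       KEY_LEN, ct, &n) != SW_SECURITY_NOT_SATISFIED) return 0;
    /* SDK -> TA -> SE over the first channel: session key import */
    if (applet_process(&ap, SOURCE_TEE, INS_IMPORT_SESSION_KEY, wrapped,
                       KEY_LEN, ct, &n) != SW_OK) return 0;
    /* Bulk data now goes SDK -> SE directly over the second channel */
    if (applet_process(&ap, SOURCE_RICH_OS, INS_SYM_ENCRYPT, plain, 5, ct, &n) != SW_OK ||
        applet_process(&ap, SOURCE_RICH_OS, INS_SYM_DECRYPT, ct, 5, pt, &n) != SW_OK)
        return 0;
    return memcmp(pt, plain, 5) == 0;
}

int main(void)
{
    printf("Fig. 5 flow %s\n", run_fig5_flow() ? "behaved as described" : "FAILED");
    return 0;
}
```

The ordering inside applet_process is the property the text insists on: the permission check runs on the label alone, before any key material is touched, so a command from the second channel that asks for a private-key operation is rejected without the Applet ever starting that operation.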
Fig. 6 shows a schematic diagram of a method for encryption and decryption based on TEE+SE according to the present invention.
As shown in Figure 6, a method for encryption and decryption based on TEE+SE is provided, comprising the following steps: the SE security module receives instructions and data from a first channel or a second channel and labels the channel source (S1), where the first channel is connected between the TEE secure unit and the SE security module and the second channel is connected between the rich OS unit and the SE security module; the SE security module obtains the label, thereby obtaining source information (S2); and the SE security module processes the instructions and data from the different sources with differentiated permissions (S3).
Optionally, step S1 includes: the first channel transmits instructions and data to the SE security module over a first connection; the second channel transmits instructions and data to the SE security module over a second connection; the first connection and the second connection are different physical connections or different logical connections.
Optionally, the SE security module labels the first connection and the second connection in order to distinguish the first channel from the second channel.
Optionally, step S3 includes: for instructions and data from the first channel, the SE security module provides all cryptographic service functions; for instructions and data from the second channel, the SE security module provides only the symmetric encryption and symmetric decryption cryptographic service functions.
Optionally, step S3 further includes checking the source information of the instructions and data before the SE security module processes the instructions and data from the different sources.
The method of the invention has been described and explained in detail above in combination with the system, and will not be repeated here.
In addition, although the operations of the method of the present invention are shown in the drawings in a particular order, this does not require or imply that these operations must be performed in that particular order, or that all of the operations shown must be performed to achieve the desired result. Additionally or alternatively, certain steps may be omitted, several steps may be merged into one step, and/or one step may be split into several steps.
It should be noted that the above embodiments illustrate rather than limit the invention, and those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference symbols placed between parentheses shall not be construed as limiting the claims.
Claims (11)
1. A method of encryption and decryption based on TEE+SE, comprising the following steps:
an SE security module receives instruction and data from a first channel or a second channel, and labels the channel source (S1), wherein
the first channel is connected between a TEE safe unit and the SE security module, and
the second channel is connected between a rich OS unit and the SE security module;
the SE security module obtains the label to obtain source information (S2);
the SE security module processes the instruction and data from different sources and distinguishes permissions (S3).
2. The method according to claim 1, wherein step (S1) includes:
the instruction and data are transmitted to the SE security module through the first channel by a first connection;
the instruction and data are transmitted to the SE security module through the second channel by a second connection;
the first connection and the second connection are different physical connections or different logical connections.
3. The method according to claim 2, further including:
the SE security module labels the first connection and the second connection to distinguish the first channel from the second channel.
4. The method according to claim 1, wherein step (S3) includes:
for the instruction and data from the first channel, the SE security module provides all cryptographic service functions;
for the instruction and data from the second channel, the SE security module provides only the symmetric encryption and symmetric decryption cryptographic service functions.
5. The method according to claim 1, wherein step (S3) further includes:
before the SE security module processes the instruction and data from different sources, checking the source information of the instruction and data.
6. A system of encryption and decryption based on TEE+SE, including an application processor and an SE security module, wherein the application processor includes a rich OS unit and a TEE safe unit;
the TEE safe unit is connected with the rich OS unit, and is connected with the SE security module through a first channel;
the rich OS unit is connected with the SE security module through a second channel;
the SE security module is configured to:
receive instruction and data from the first channel or the second channel, and label the channel source;
obtain the label to obtain source information;
process the instruction and data from different sources and distinguish permissions.
7. The system according to claim 6, wherein the SE security module includes an SE platform and a security application Applet;
the SE platform is configured to receive the instruction and data from the first channel or the second channel, and to label the channel source;
the security application Applet is configured to obtain the label from the SE platform to obtain source information;
the security application Applet is further configured to process the instruction and data from different sources and distinguish permissions.
8. The system according to claim 6, including:
the instruction and data are transmitted to the SE security module through the first channel by a first connection;
the instruction and data are transmitted to the SE security module through the second channel by a second connection;
the first connection and the second connection are different physical connections or different logical connections.
9. The system according to claim 8, including:
the SE security module is configured to label the first connection and the second connection to distinguish the first channel from the second channel.
10. The system according to claim 6, wherein
the SE security module is configured to process the instruction and data from different sources and distinguish permissions, including:
for the instruction and data from the first channel, providing all cryptographic service functions to the TEE safe unit;
for the instruction and data from the second channel, providing only the symmetric encryption and symmetric decryption cryptographic service functions to the rich OS unit.
11. The system according to claim 6, wherein
the SE security module is further configured to check the source information of the instruction and data before processing the instruction and data from different sources.
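The channel labelling and per-source permission split of claims 1 to 5 (and of advantage 2 above, where the second channel is limited to symmetric services), as an added Python simulation that is not part of the patent: the SE platform labels each command by the connection it arrived on, and the Applet refuses any instruction outside the set permitted for that source. The connection ids, label names, service names and the SHA-256 counter-stream stand-in for the SE's symmetric algorithm are all assumptions, since the patent does not specify them.

```python
import hashlib
import hmac
from dataclasses import dataclass

CHANNEL_TEE, CHANNEL_RICH_OS = "first_channel", "second_channel"  # assumed label names (S1)
# Permissions per source (S3, claims 4 and 10): TEE gets every service, rich OS only symmetric ones.
ALLOWED = {CHANNEL_TEE: {"sym_encrypt", "sym_decrypt", "hmac_sign"},
           CHANNEL_RICH_OS: {"sym_encrypt", "sym_decrypt"}}

@dataclass
class Command:
    instruction: str
    data: bytes
    label: str = ""  # set by the SE platform, never trusted from the caller

class SEPlatform:
    """Maps each (physical or logical) connection to a channel and labels the command (S1)."""
    connection_to_channel = {1: CHANNEL_TEE, 2: CHANNEL_RICH_OS}  # assumed connection ids
    def receive(self, connection_id: int, cmd: Command) -> Command:
        cmd.label = self.connection_to_channel.get(connection_id)  # overwrites any caller-set label
        return cmd

class SecurityApplet:
    """Obtains the label (S2), checks the source (claim 5) and applies the permission table (S3)."""
    def __init__(self, key: bytes):
        self._key = key
    def _keystream(self, n: int) -> bytes:
        # Constructed toy cipher (SHA-256 counter stream) standing in for the SE's symmetric algorithm.
        return b"".join(hashlib.sha256(self._key + i.to_bytes(4, "big")).digest()
                        for i in range(n // 32 + 1))[:n]
    def handle(self, cmd: Command) -> tuple[str, bytes]:
        if cmd.label not in ALLOWED:                    # source check: unmapped connection is refused
            return ("rejected", b"")
        if cmd.instruction not in ALLOWED[cmd.label]:   # permission split between the two channels
            return ("denied", b"")
        if cmd.instruction == "hmac_sign":
            return ("ok", hmac.new(self._key, cmd.data, hashlib.sha256).digest())
        ks = self._keystream(len(cmd.data))             # sym_encrypt / sym_decrypt
        return ("ok", bytes(a ^ b for a, b in zip(cmd.data, ks)))

def run_scenario() -> dict:
    platform, applet = SEPlatform(), SecurityApplet(b"constructed-example-key")
    msg = b"constructed payload"
    enc = applet.handle(platform.receive(2, Command("sym_encrypt", msg)))         # rich OS, allowed
    dec = applet.handle(platform.receive(2, Command("sym_decrypt", enc[1])))      # rich OS, allowed
    denied = applet.handle(platform.receive(2, Command("hmac_sign", msg)))        # rich OS, refused
    signed = applet.handle(platform.receive(1, Command("hmac_sign", msg)))        # TEE, allowed
    forged = applet.handle(platform.receive(2, Command("hmac_sign", msg, CHANNEL_TEE)))  # forged label, still refused
    unknown = applet.handle(platform.receive(9, Command("sym_encrypt", msg)))     # unmapped connection
    return {"roundtrip": dec[1] == msg, "denied": denied[0], "signed": signed[0],
            "forged": forged[0], "unknown": unknown[0]}
```

The forged case is the point a reviewer would check: the source label comes from the connection the SE platform observed, so a rich OS caller cannot promote itself to the first channel by claiming a label in the command.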
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811280683.5A CN109040147B (en) | 2018-10-30 | 2018-10-30 | Encryption and decryption method and system based on TEE+SE |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109040147A (en) | 2018-12-18 |
CN109040147B CN109040147B (en) | 2023-08-15 |
Family
ID=64614551
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811280683.5A Active CN109040147B (en) | 2018-10-30 | 2018-10-30 | Encryption and decryption method and system based on TEE+SE |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109040147B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104899506A (en) * | 2015-05-08 | 2015-09-09 | 深圳市雪球科技有限公司 | Security system implementation method based on virtual security element in trusted execution environment |
CN106547633A (en) * | 2016-10-19 | 2017-03-29 | 沈阳微可信科技有限公司 | Multi-channel communication systems and electronic equipment |
CN106650461A (en) * | 2016-11-23 | 2017-05-10 | 北京握奇智能科技有限公司 | Mobile terminal and access method of embedded type security module based on same |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3879783A4 (en) * | 2019-02-26 | 2021-12-22 | Advanced New Technologies Co., Ltd. | Data security processing method and terminal thereof, and server |
US11251976B2 (en) | 2019-02-26 | 2022-02-15 | Advanced New Technologies Co., Ltd. | Data security processing method and terminal thereof, and server |
CN111177701A (en) * | 2019-12-11 | 2020-05-19 | 北京握奇智能科技有限公司 | Method and equipment for realizing cryptographic function service based on trusted execution environment and security chip |
Also Published As
Publication number | Publication date |
---|---|
CN109040147B (en) | 2023-08-15 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |