CN111177701A - Method and equipment for realizing cryptographic function service based on trusted execution environment and security chip - Google Patents


Publication number: CN111177701A (granted as CN111177701B)
Application number: CN201911268846.2A
Authority: CN (China)
Inventor: 刘亚雷
Assignee (current and original): Beijing WatchSmart Technologies Co Ltd
Original language: Chinese (zh)
Legal status: granted, active
Prior art keywords: application, security, trusted, cryptographic, function service

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data
    • G06F21/79 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories

Abstract

The application relates to a method and equipment for realizing a cryptographic function service based on a trusted execution environment and a security chip. The method comprises the following steps: in response to a cryptographic function service request sent by a client application, the trusted application executes the corresponding cryptographic function service request to obtain an execution result; the execution result is sent to a secure application so that the secure application operates according to it and feeds back an operation result; the trusted application derives a response from the operation result fed back by the secure application and sends the response to the client application; the trusted application is installed in a trusted execution environment, the client application in a rich operating system, and the secure application in a security chip. A smart cryptographic key product meeting the relevant specifications can thus be realized on a mobile smart terminal, and the security and user experience of the cryptographic module are markedly improved.

Description

Method and equipment for realizing cryptographic function service based on trusted execution environment and security chip
Technical Field
The present application relates to the field of mobile security technologies, and in particular, to a method and an apparatus for implementing a cryptographic function service based on a trusted execution environment and a security chip.
Background
With the gradual maturing of wireless broadband technology and the broad push for informatization, using the mobile internet and information systems from a mobile smart terminal to improve work efficiency has become mainstream. However, the internet is subject to attacks such as viruses, trojans, rogue software, eavesdropping and tampering, and while the mobile smart terminal offers more convenient and flexible cryptographic function services, its security risks are becoming apparent; the authenticity of network identity, access control of information resources and confidentiality of transmitted information are pressing problems. PKI technology and cryptographic-module products have emerged to address them.
By cryptographic boundary, cryptographic modules can be divided into software cryptographic modules, hardware cryptographic modules, hybrid cryptographic modules and so on. The traditional hardware-based security schemes for mobile smart terminals currently include cryptographic SD cards, cryptographic SIM cards, and external Bluetooth or audio-jack cryptographic modules.
In other prior art, a user obtains an authorization code and a registration code from a service provider and gains the right to use software after entering them. This method also has weak protection: when the software runs in an untrusted execution environment, the computation of the authorization code can be cracked, and the authorization protection mechanism can be bypassed by tampering with the authorization state.
At present, SIM-card and SD-card based cryptographic modules implement the cryptographic algorithms and key storage in hardware, which avoids the threats faced by pure software and gives high security. However, the user has to purchase the SIM or SD card, the card occupies a card slot of the terminal, and the cards have serious problems with cryptographic performance, power consumption and compatibility; the result is high cost, low performance and poor usability.
External Bluetooth and audio-jack cryptographic modules likewise implement the algorithms and key storage in hardware and avoid the threats faced by pure software, but the user must purchase and carry an extra device, and such modules have compatibility and performance problems with mobile terminals, so the cost is high, convenience and ease of use are low, and the user experience is poor.
Disclosure of Invention
Therefore, it is necessary to provide a cryptographic function service implementation method based on a trusted execution environment and a security chip, in order to solve the above technical problem, where a cryptographic function service is constructed by a Trusted Execution Environment (TEE) and an embedded security chip (eSE) on an intelligent terminal.
Another object of the present invention is to provide a file system for cooperating trusted applications and secure applications under the constraint condition that eSE resources are limited and on the premise that module security is not reduced.
A cryptographic function service implementation method based on a trusted execution environment and a security chip provides cryptographic function services to a smart terminal, where the smart terminal comprises a rich operating system 1, a trusted execution environment 2 and a security chip 3;
a client application 11 runs in the rich operating system 1, a trusted application TA21 runs in the trusted execution environment 2, and a secure application 31 runs in the security chip 3;
the trusted application TA21 performs cryptographic functions in cooperation with the secure application 31.
The cryptographic function service implementation method based on the trusted execution environment 2 and the security chip 3 comprises the following steps:
the trusted application TA21 responds to the cryptographic function service request sent by the client application 11, and executes the corresponding cryptographic function service request to obtain an execution result;
the trusted application TA21 sends the execution result to the secure application 31, so that the secure application 31 operates according to the execution result and feeds back the operation result;
the trusted application TA21 receives the operation result fed back by the secure application 31, processes the operation result, obtains a response, and sends the response to the client application 11.
Further, the cryptographic function service includes a secure storage service;
the secure application 31 calls its interface to implement file system and sensitive data storage;
the trusted application TA21 implements the non-sensitive data storage by calling the TEE Internal API of the trusted execution environment 2.
Further, the cryptographic function service includes a cryptographic algorithm service;
the security application 31 implements a cryptographic algorithm service by calling its internal interface.
Further, in response to the cryptographic function service request sent by the client application 11, the trusted application TA21 executes the corresponding cryptographic function service request, and obtains an execution result, including:
in response to the cryptographic function service request sent by the client application 11, the APDU command format of the cryptographic function service request is converted into the private instruction of the security application 31 by calling a preset cryptographic function service interface.
Further, the trusted application TA21 receives and processes the operation result fed back by the secure application 31, obtains a response, and sends the response to the client application 11, including:
receiving an operation result fed back by the security application 31, processing the operation result and converting the format of the processing result into an APDU command format; the response reply in APDU command format is sent to the client application 11.
Furthermore, the file system is composed of applications, containers and files and is in a tree-shaped storage structure of 'device-application-container-key';
in the file system, the security application 31 stores a directory structure, attributes of files, and manages access control rights of all files.
Further, the file content of the non-sensitive data file is stored in TA21 in the form of a secure storage object, the ID of the secure storage object is assigned by the secure application 31, and the secure application 31 maintains the correspondence of the file name, the attribute, and the object ID.
A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor realizes the steps of the above method when executing the computer program.
A computer-readable storage medium, on which a computer program is stored, characterized in that the computer program realizes the steps of the above-mentioned method when being executed by a processor.
According to the method and the device for realizing the cryptographic function service based on the trusted execution environment and the security chip, the trusted application executes the corresponding cryptographic function service in response to the request sent by the client application and obtains an execution result; sends the execution result to the secure application so that the secure application operates according to it and feeds back the operation result; and receives and processes the operation result fed back by the secure application to obtain a response, which it sends to the client application; the trusted application is installed in the trusted execution environment, the client application in the rich operating system, and the secure application in the security chip. The method can be implemented on a smart terminal as a smart cryptographic key product that conforms to the relevant standard, and it markedly improves both the user experience and the security of the authorization mechanism.
Drawings
FIG. 1 is a diagram of a TEE + eSE based cryptographic module software framework;
FIG. 2 is a flow chart illustrating a method for implementing a cryptographic function based on a TEE + eSE cryptographic module;
FIG. 3 is a schematic diagram of an overall framework for implementing cryptographic functionality services based on TEE + eSE;
FIG. 4 is a schematic diagram of an overall file system composition structure in a method for implementing a cryptographic function based on a TEE + eSE cryptographic module;
FIG. 5 is a file system layout diagram of a TEE + eSE based cryptographic module;
FIG. 6 is a diagram illustrating an internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The application provides a cryptographic function service based on a security service and a security storage characteristic which are constructed by a Trusted Execution Environment (TEE) and an embedded security chip (eSE) on an intelligent terminal. Under the constraint condition that eSE resources are limited, the file system for the cooperation of the trusted application and the security application can be provided on the premise of not reducing the security of the module.
FIG. 1 is a diagram of a TEE + eSE based cryptographic module software framework.
The cryptographic function service implementation method based on the trusted execution environment and the security chip can be applied in the environment shown in fig. 1, which consists of REE1, TEE2 and eSE3. TEE2 (trusted execution environment) is a secure area residing on the main processor of the mobile device and provides a runtime environment that coexists with the Rich OS (rich operating system, i.e. REE1); eSE3 is an embedded secure chip on the mobile terminal. The client application 11 runs in REE1, the trusted application TA21 runs in TEE2, and the secure application 31 runs in eSE3. TEE2 provides REE1 with security services such as secure storage of sensitive data, approved cryptographic algorithms and a trusted user interface. TEE2 provides both confidentiality and integrity protection for data, controls the access rights of TAs (trusted applications such as TA21) to resources and data, and isolates the operating environments and sensitive data of different TAs from one another. eSE3 provides a secure execution environment for the secure application 31; it can securely store data and code logic, and provides security services such as algorithm and key protection to the secure application 31.
The trusted application TA21 running in the trusted execution environment TEE2 and the secure application 31 running in the embedded secure chip eSE3 form a cryptographic module of TEE + eSE, and the TA21 cooperates with the secure application 31 to complete approved cryptographic functions.
Fig. 2 is a schematic flowchart illustrating a method for implementing a cryptographic function based on a TEE + eSE cryptographic module, which is described by taking the mobile device in fig. 1 as an example, and includes the following steps:
step 202, TA21 responds to the cryptographic function service request sent by client application 11, and executes the corresponding cryptographic function service to obtain the execution result;
step 204, sending the execution result to the security application 31, so that the security application 31 performs an operation according to the execution result and feeds back an operation result;
step 206, receiving the operation result fed back by the security application 31, processing the operation result to obtain a response, and sending the response to the client application 11;
wherein, the trusted application 21 is installed in the TEE2, the client application 11 is installed in the REE1, and the secure application 31 is installed in the secure chip 3.
According to the method and the device for realizing the cryptographic function service based on the trusted execution environment and the security chip, the trusted application executes the corresponding cryptographic function service in response to the request sent by the client application and obtains an execution result; sends the execution result to the secure application so that the secure application operates according to it and feeds back the operation result; and receives and processes the operation result fed back by the secure application to obtain a response, which it sends to the client application; the trusted application is installed in the trusted execution environment, the client application in the REE, and the secure application in the security chip. A smart cryptographic key product meeting the relevant specifications can thus be realized on the mobile smart terminal, and the security of the cryptographic product is markedly improved.
In one embodiment, TA21, in response to a cryptographic function service request sent by client application 11, executes the corresponding cryptographic function service request to obtain a response, including: responding to the cryptographic function service request sent by the client application 11, executing the corresponding cryptographic function service, and obtaining a response; wherein the cryptographic function service comprises a cryptographic algorithm service and a secure storage service.
TA21 accomplishes the distribution of instructions, the storage of file contents, the communication with the security application 31 and the like by calling a TEE Internal API of TEE2, and the security application 31(Applet) realizes the cryptographic functions of storage and management of each element in the cryptographic module file system, the storage of key security parameters, cryptographic algorithm service and the like by calling a JavaCard interface.
As an example, the method comprises:
1) the Client application 11 sends an APDU command meeting a preset specification to TA21 by calling a TEE Client API of TEE 2;
2) TA21 receives the APDU from client application 11, processes it according to the function design of the cryptographic module, interprets it as a command supported by the security application, and sends it to security application 31;
3) the secure application 31 receives the command from TA21, performs corresponding processing, and returns a response to TA 21;
4) TA21 receives the response reply from secure application 31, performs corresponding processing, and returns a response APDU to client application 11.
Fig. 3 shows an overall framework diagram of a TEE + eSE based implementation cryptographic function service.
The cryptographic module implements the corresponding cryptographic functions according to GM/T 0017-2012 (smart token cryptography application interface data format specification) and mainly consists of device management, access control, application management, file management, container management and cryptographic service; each module implements the flow of the corresponding cryptographic function.
As shown in fig. 3, the overall framework of the cryptographic module is described in two dimensions. The vertical dimension divides the processing and calling of cryptographic functions into layers; the horizontal dimension divides each layer into functional modules. Vertically there are four layers: the instruction distribution layer, the instruction processing interface layer, the encapsulation library interface layer and the platform-related interface layer. Services are provided from the bottom layer up.
The instruction distribution layer receives APDU instructions conforming to GM/T 0017-2012 from the client application 11, checks their format against the specification, and dispatches the checked instructions to the instruction processing interface layer according to the cryptographic function they request;
the encapsulation library interface layer provides the instruction processing interface layer with encapsulated TEE2 file-system element operations, TEE2 cryptographic service operations and the eSE3 communication interface; the platform-related interface layer encapsulates the storage object operation interface of the TEE2 platform and the cryptographic operation interface of the eSE platform according to the requirements of the cryptographic module, and provides platform support for the module's cryptographic functions;
after the client application 11 loads the cryptographic module, it sends standard APDU instructions conforming to GM/T 0017-2012 to TA21 in the cryptographic module. On receiving an APDU instruction:
first, the instruction distribution layer checks whether the instruction conforms to the specification; if it does, the instruction processing interface for the corresponding function is called according to the cryptographic function defined by the specification; if it does not, the cryptographic service is refused;
second, the instruction processing interface calls the services provided by the encapsulation library interface layer to implement the cryptographic function, according to the division of labour between TA21 and the secure application 31 and the flow for implementing the cryptographic service;
as the cryptographic function service, the following describes a cryptographic function implementation flow by taking a signature instruction processing flow as an example.
Step 1, a client application 11 issues an RSA signature instruction;
step 2, TA21 receives a signature command sent by a client, checks the command format, and directly refuses to provide signature service if the format is wrong; if the format is correct, the instruction is distributed to a password service module of a corresponding instruction processing interface layer;
step 3, the instruction processing interface layer TA21 judges whether the signature data to be signed is a signature original or corresponding summary information according to the instruction parameters; if the signature is a signature original text, executing the step 4, and if the abstract is important, directly jumping to the step 5;
step 4, if the data to be signed is a signature original text, TA21 is responsible for calculating the abstract of the signature original text;
step 5, TA21 organizes the signature command supported by the security application 31, and calls an eSE3 communication command of an interface layer of a packaging library to issue the signature command to the security application 31 for processing;
step 6, the security application 31 receives the instruction, checks whether the current state of the corresponding application and the user authority meet the signature conditions, refuses the signature if the current state of the corresponding application and the user authority do not meet the signature conditions, searches for a signature key pair under the corresponding application container to carry out signature if the current state of the corresponding application and the user authority meet the signature conditions, and then sends a signature result to the TA 21;
step 7, TA21 receives the signature result sent by the security application 31, organizes the response according to the defined APDU response format and returns the response to the client application 11 to complete the signature operation;
because the security application 31 is installed in the eSE3, the storage of the security parameters of the cryptographic module, the cryptographic operation and the like are all in the security application 31, and the cryptographic module supports hardware to generate random numbers, hardware to generate keys and hardware cryptographic calculation, thereby avoiding attacks from non-secure environments and ensuring the security of cryptographic function services and the correctness of the cryptographic operation.
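The four-step APDU exchange described under fig. 2 and the seven-step signature flow above can be modelled end to end. The following Python is an added example, not code from the patent or from Beijing WatchSmart: the TA checks the APDU framing, dispatches on INS, digests the original text when needed, converts the request into a private instruction for the secure application and wraps the result in a response APDU, while a mock secure application performs the state check, the key lookup under the (application, container) pair and the private-key operation. The INS value, the P1 and P2 encodings, the status words other than 9000, the PIN and the toy RSA key are assumptions made for the illustration; a real TA is C code on a GlobalPlatform TEE and the secure application is a JavaCard applet.

```python
"""Added example (not from the patent): TA / secure-application split for one signature
command. APDU layout, INS, P1/P2 encoding, PIN and the toy RSA key are assumptions."""
import hashlib

INS_SIGN = 0xA1            # assumed INS for the signature command
P1_ORIGINAL_TEXT = 0x00    # assumed: data field is the original text, TA must digest it
P1_DIGEST = 0x01           # assumed: data field already holds the digest
SW_OK = b"\x90\x00"
SW_WRONG_LENGTH = b"\x67\x00"
SW_SECURITY_STATUS = b"\x69\x82"
SW_INS_NOT_SUPPORTED = b"\x6D\x00"


def digest_of(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def parse_apdu(apdu: bytes):
    """Instruction distribution layer: check short-APDU framing before dispatching.
    Returns (cla, ins, p1, p2, data); raises ValueError on a malformed command."""
    if len(apdu) < 5:
        raise ValueError("header too short")
    cla, ins, p1, p2, lc = apdu[:5]
    data = apdu[5:5 + lc]
    if len(data) != lc or len(apdu) > 6 + lc:      # one optional trailing Le byte allowed
        raise ValueError("Lc does not match data length")
    return cla, ins, p1, p2, data


class SecureApplication:
    """Mock eSE applet: holds the key pair and PIN state; the private key never leaves."""

    def __init__(self):
        self.n, self.e, self.d = 3233, 17, 2753      # textbook toy RSA (p=61, q=53), not secure
        self.containers = {(0x1, 0x1): "sign_key"}   # (app id, container id) -> key slot
        self.pin_verified = False

    def verify_pin(self, pin: bytes) -> bool:
        self.pin_verified = pin == b"123456"         # constructed PIN for the example
        return self.pin_verified

    def handle(self, cmd: dict) -> dict:
        """Private instruction from the TA, already converted from APDU form (step 6)."""
        if cmd["op"] != "sign":
            return {"sw": SW_INS_NOT_SUPPORTED}
        if not self.pin_verified or (cmd["app"], cmd["container"]) not in self.containers:
            return {"sw": SW_SECURITY_STATUS}      # state / permission check failed
        m = int.from_bytes(cmd["digest"], "big") % self.n
        return {"sw": SW_OK, "sig": pow(m, self.d, self.n)}


class TrustedApplication:
    """Mock TA21: format check, dispatch, digest, eSE round trip, response APDU."""

    def __init__(self, se: SecureApplication):
        self.se = se

    def process(self, apdu: bytes) -> bytes:
        try:
            _cla, ins, p1, p2, data = parse_apdu(apdu)                   # step 2
        except ValueError:
            return SW_WRONG_LENGTH
        if ins != INS_SIGN:
            return SW_INS_NOT_SUPPORTED
        digest = digest_of(data) if p1 == P1_ORIGINAL_TEXT else data     # steps 3 and 4
        # assumed P2 packing: high nibble = application id, low nibble = container id
        cmd = {"op": "sign", "app": p2 >> 4, "container": p2 & 0x0F, "digest": digest}
        resp = self.se.handle(cmd)                                       # steps 5 and 6
        if resp["sw"] != SW_OK:
            return resp["sw"]
        return resp["sig"].to_bytes(2, "big") + SW_OK                    # step 7


def verify(se: SecureApplication, digest: bytes, sig: int) -> bool:
    """Public-key check a caller can use to confirm the round trip."""
    return pow(sig, se.e, se.n) == int.from_bytes(digest, "big") % se.n
```

Because the private key and the PIN state exist only inside SecureApplication, the TA cannot produce a signature by itself: a malformed APDU is rejected by the TA before anything reaches the eSE, and a well-formed one is rejected by the eSE until the PIN has been verified, which is the property the patent relies on when it places the security parameters and cryptographic operations in the secure application.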
Fig. 4 is a schematic diagram illustrating an overall file system storage structure in a method for implementing a cryptographic function based on a TEE + eSE cryptographic module.
As shown in fig. 4, the file system of the smart key is composed of an application, a container, and a file. The types of the files can be divided into: the device information file, the PIN file, the certificate file, the key file and the like are stored according to a hierarchical structure of 'device-application-container-key', a plurality of applications can be supported under one device, a plurality of containers can be supported under one application, a plurality of key files and certificate files can be stored under one container, and the cryptographic module file system is in a tree structure.
In other implementations, because the storage resources of eSE3 devices are limited, the storage space allocated to each secure application is typically only a few tens of KB and cannot support a complex, larger file system. The secure storage space of TEE2, on the other hand, is comparatively generous and allows a larger storage capacity. The invention therefore combines the hardware security of eSE3 with the secure storage function of TEE2 to realize a cooperative file system that achieves both security and scalability.
FIG. 5 shows a file system layout of a TEE + eSE based cryptographic module.
As shown in fig. 5, the collaborative division strategy of the file system design in the present invention is:
1) the security application 31 stores a directory structure;
2) the security application 31 stores the attributes of all files;
3) the security application 31 stores the file content of sensitive data files (e.g., PINs, keys, etc.);
4) TA21 stores the file content of non-sensitive data files (e.g., certificates, device information, etc.);
5) the security application 31 generates, manages and maintains the IDs of the storage objects in TA21 that hold non-sensitive data files;
6) The security application 31 manages access control rights for all files.
In one embodiment, the security application 31 is used to store directory structures, attributes of files, file contents of sensitive data files, and access control rights to manage all files; TA21 is used to store the file content of non-sensitive data files (e.g., certificates, device information, etc.).
In one implementation, in the security application 31, each type of application, container, file, key file, and the like in the file system is implemented by an independent Java class, and the application, container, file, key, and the like generated in the cryptographic module are all objects of the corresponding class. The application attribute information such as the application name, the application ID and the like are members of domain variables in the application class, and the PIN object and the container object under application are members of a domain variable array in the application class; container attributes such as container name, container type, container ID, etc. are members of the domain variables in the container class, the key object under the container is a member of the array of domain variables in the container class, and so on.
If the user creates a file system element, the security application 31 first checks if the eSE3 space is full, reports an error if full, and instantiates a corresponding element object and registers for the user to use if not full. When the user deletes a file system element, the security application 31 first clears all data in the object and then frees the object storage space for subsequent use.
The structure of the file system in the cryptographic module, the attributes of the elements and the operating permissions of the elements of the cryptographic module are stored, managed and controlled by the security application 31. The key, the attributes of the user PIN and the content involved in the cryptographic module are all stored in the eSE3, the name and attributes of the certificate file and other binary files are stored in the eSE3, the file content is stored in the TEE2 in the form of a secure storage object, the ID of which is assigned by the secure application 31, ensuring uniqueness, and the secure application 31 maintains correspondence of the file name, attributes and object ID.
The operation authority of all elements in the file system is managed uniformly by the security application 31 in the eSE3: when a file system object is created, deleted, read or written, the security application 31 checks that the corresponding operation authority is held. For certificate files and binary files, once this check passes, the security application 31 sends the secure storage object ID of the file to TA21, and TA21 performs the corresponding operation on the file.
As an example of the cryptographic function service, the following describes the implementation flow of a cryptographic function using the processing of a certificate writing instruction.
Step 1: the client application 11 issues a certificate writing instruction.
Step 2: TA21 receives the certificate writing instruction sent by the client application 11 and checks the instruction format; if the format is wrong, certificate writing is refused directly; if the format is correct, the instruction is dispatched to the container management module of the instruction processing interface layer.
Step 3: TA21 assembles a private instruction supported by the security application 31 and sends it to the security application 31 to obtain the file storage ID; the instruction carries the application ID, the container ID and the certificate type.
Step 4: according to the application ID, the security application 31 checks whether the state and authority of the current application of the cryptographic module satisfy the certificate writing condition; if not, certificate writing is refused; if so, step 5 is performed.
Step 5: the security application 31 generates a secure storage ID from the application ID, the container ID and the certificate type, and returns it to TA21.
Step 6: TA21 creates a secure storage object with the ID generated by the security application 31 and stores the certificate information in it; after the certificate is written successfully, TA21 assembles an instruction supported by the security application 31 to notify it that the certificate has been written.
Step 7: the security application 31 writes the ID into the certificate object under the corresponding application and container, maintains the mapping between application, container, certificate type and secure storage ID, and returns to TA21.
Step 8: TA21 returns the result to the client application 11.
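The eight-step certificate writing flow, and the permission and space checks described for the file system above, modelled as an added Python example (not code from the patent or its assignee): the REE client packs the request, the TA checks the format and keeps the file content, and the eSE applet alone decides authority and assigns the storage ID. The APDU layout, status words, PIN model and slot capacity are assumptions for this model, not the GM/T 0017 encoding.

```python
import hashlib
import struct

# Status words (constructed for this model, not the GM/T 0017 encoding).
SW_OK, SW_BAD_FORMAT, SW_NO_AUTH, SW_NO_SPACE = 0x9000, 0x6A80, 0x6982, 0x6A84


class SecurityApplication:
    """eSE applet: owns structure, PIN state and access control; never sees certificate bytes."""

    def __init__(self, capacity=4):
        self.capacity = capacity   # certificate slots the applet can track (assumed)
        self.apps = {}             # app_id -> {"pin", "pin_ok", "containers": {cid: {ctype: sid}}}

    def create_application(self, app_id, pin, container_ids=()):
        self.apps[app_id] = {"pin": pin, "pin_ok": False,
                             "containers": {cid: {} for cid in container_ids}}

    def verify_pin(self, app_id, pin):
        self.apps[app_id]["pin_ok"] = self.apps[app_id]["pin"] == pin
        return self.apps[app_id]["pin_ok"]

    def _slots_used(self):
        return sum(len(c) for a in self.apps.values() for c in a["containers"].values())

    def get_cert_storage_id(self, app_id, container_id, cert_type):
        """Steps 4 and 5: check state and authority, then derive the storage ID."""
        app = self.apps.get(app_id)
        if app is None or container_id not in app["containers"]:
            return SW_BAD_FORMAT, None
        if not app["pin_ok"]:                     # user PIN not verified for this application
            return SW_NO_AUTH, None
        if self._slots_used() >= self.capacity:   # eSE bookkeeping space exhausted
            return SW_NO_SPACE, None
        sid = hashlib.sha256(bytes([app_id, container_id, cert_type])).hexdigest()[:16]
        return SW_OK, sid

    def confirm_cert_written(self, app_id, container_id, cert_type, sid):
        """Step 7: bind the ID to the certificate object under application/container."""
        self.apps[app_id]["containers"][container_id][cert_type] = sid
        return SW_OK


class TrustedApplication:
    """TEE TA: checks APDUs, keeps file content in secure storage (a dict stands in for
    TEE Internal API persistent objects) and defers every authority decision to the eSE."""

    def __init__(self, se):
        self.se = se
        self.secure_storage = {}   # storage ID -> certificate bytes

    def write_certificate(self, apdu):
        # Step 2: format check. Assumed layout: CLA INS P1 P2 Lc | app cid type | cert
        if len(apdu) < 5 or apdu[1] != 0xD4:
            return struct.pack(">H", SW_BAD_FORMAT)
        lc, data = apdu[4], apdu[5:5 + apdu[4]]
        if len(data) != lc or lc < 4:
            return struct.pack(">H", SW_BAD_FORMAT)
        app_id, container_id, cert_type, cert = data[0], data[1], data[2], bytes(data[3:])
        # Steps 3 to 5: ask the eSE for a storage ID; it enforces state and authority.
        sw, sid = self.se.get_cert_storage_id(app_id, container_id, cert_type)
        if sw != SW_OK:
            return struct.pack(">H", sw)
        # Step 6: persist the content in TEE secure storage, then confirm to the eSE.
        self.secure_storage[sid] = cert
        sw = self.se.confirm_cert_written(app_id, container_id, cert_type, sid)
        # Step 8: response = storage ID followed by the status word.
        return sid.encode() + struct.pack(">H", sw)


def build_write_cert_apdu(app_id, container_id, cert_type, cert):
    """Step 1: the REE client SDK packs the request as a short-Lc APDU (constructed layout)."""
    data = bytes([app_id, container_id, cert_type]) + cert
    return bytes([0x80, 0xD4, 0x00, 0x00, len(data)]) + data


def demo():
    """Run the flow once before PIN verification (refused) and once after it."""
    se = SecurityApplication()
    ta = TrustedApplication(se)
    se.create_application(1, "123456", container_ids=[1])
    cert = b"-----BEGIN CERTIFICATE-----constructed-----END CERTIFICATE-----"
    apdu = build_write_cert_apdu(1, 1, 1, cert)
    refused = ta.write_certificate(apdu)    # 6982: security status not satisfied
    se.verify_pin(1, "123456")
    accepted = ta.write_certificate(apdu)   # storage ID + 9000
    return refused, accepted, se, ta
```

The same request is refused until the PIN under the target application has been verified in the eSE, and the certificate bytes never leave the TEE; only the 16-character ID is recorded in the applet.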
In the invention, both the storage structure of the file system and its operational management are the responsibility of the security application 31. Content with higher security requirements, namely keys and PINs, is stored in the security application 31, while file content with lower security requirements is stored in TA21; the security chip and the TEE cooperate to realize the file system of the cryptographic module. The file system is thus highly extensible while the confidentiality and integrity of key security parameters such as the cryptographic module's keys and the user PIN are guaranteed, and the problem of limited eSE3 resources is solved to a certain extent.
The cryptographic function interface is provided to the client in the form of an SDK whose interface definition fully conforms to the GM/T 0016 national cryptographic specification; the interface translates each cryptographic function into an APDU instruction conforming to the GM/T 0017 national cryptographic specification and sends it to TA21 running in the trusted execution environment, and TA21 and the security application 31 cooperate to realize the corresponding cryptographic function.
In this implementation, TA21 cooperates with the security application 31 to provide cryptographic services conforming to the GM/T 0017 specification. When a client uses the cryptographic service provided by the cryptographic module, it must be ensured that the security application 31 has been downloaded and installed. The security application 31 may be preinstalled on the production line of the mobile intelligent terminal, or installed afterwards once the client application 11 is in place. If the security application 31 is preinstalled, and a client SDK meeting the GM/T 0016 specification and a trusted application meeting the GM/T 0017 specification are provided before deployment, the user only needs to carry out configuration and development as for a conventional mobile intelligent terminal application in order to produce application software that provides the corresponding cryptographic service. If the security application 31 is post-installed, then before deployment a client application 11 or service for downloading and installing the security application 31, a client SDK conforming to GM/T 0016 and a trusted application TA21 conforming to GM/T 0017 should be provided; the user completes the download and installation of the security application 31 through the client application 11 and then carries out configuration and development as for a conventional mobile intelligent terminal application, again producing application software that provides the corresponding cryptographic services. The deployment process requires no extra hardware to be purchased or shipped, and is convenient and fast.
Those skilled in the art will appreciate that the architecture shown in fig. 6 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply; a particular computing device may include more or fewer components than those shown, may combine certain components, or may have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having a computer program stored therein, the processor implementing the following steps when executing the computer program:
TA21 responds to the cryptographic function service request sent by client application 11, and executes the corresponding cryptographic function service request to obtain an execution result; TA21 sends the execution result to secure application 31, so that secure application 31 operates according to the execution result and feeds back the operation result; TA21 receives the operation result fed back by security application 31, processes the operation result to obtain a response, and sends the response to client application 11; wherein the TA21 is installed in TEE2, the client application 11 is installed in REE1, and the security application 31 is installed in eSE 3.
In one embodiment, a computer-readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, performs the steps of:
TA21 responds to the cryptographic function service request sent by client application 11, and executes the corresponding cryptographic function service request to obtain an execution result; TA21 sends the execution result to secure application 31, so that secure application 31 operates according to the execution result and feeds back the operation result; TA21 processes the operation result fed back by security application 31 to obtain a response, and sends the response to client application 11; wherein the TA21 is installed in TEE2, the client application 11 is installed in REE1, and the security application 31 is installed in eSE3.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware; the program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory, among others. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), Direct Rambus Dynamic RAM (DRDRAM), and Rambus Dynamic RAM (RDRAM).
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments express only several embodiments of the present application, and although their description is specific and detailed, it is not to be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (9)

1. A cryptographic function service implementation method based on a trusted execution environment and a security chip, used for providing a cryptographic function service to an intelligent terminal, characterized in that the intelligent terminal comprises a rich operating system (1), a trusted execution environment (2) and a security chip (3);
a client application (11) runs in the rich operating system (1), a trusted application TA (21) runs in the trusted execution environment (2), and a security application (31) runs in the security chip (3);
the trusted application TA (21) and the security application (31) cooperate to complete a cryptographic function;
the method for realizing the cryptographic function service based on the trusted execution environment (2) and the security chip (3) comprises the following steps:
step S202, the trusted application TA (21) responds to the cryptographic function service request sent by the client application (11) and executes the corresponding cryptographic function service request to obtain an execution result;
step S204, the trusted application TA (21) sends the execution result to the security application (31) so that the security application (31) operates according to the execution result and feeds back the operation result;
step S206, the trusted application TA (21) receives the operation result fed back by the security application (31), processes the operation result to form a response, and sends the response to the client application (11).
2. The method of claim 1, wherein the cryptographic function service comprises a secure storage service;
wherein the security application (31) implements a file system and sensitive data storage by calling its internal interface;
the trusted application TA (21) implements non-sensitive data storage by calling the TEE Internal API of the trusted execution environment (2).
3. The method of claim 1, wherein the cryptographic function service comprises a cryptographic algorithm service;
the secure application (31) implements cryptographic algorithm services by invoking its internal interface.
4. The method according to claim 1, wherein the trusted application TA (21), in response to the cryptographic function service request sent by the client application (11), executes the corresponding cryptographic function service request, resulting in an execution result, comprising:
responding to a cryptographic function service request sent by a client application (11), and converting an APDU command format of the cryptographic function service request into an instruction supported by a security application (31) by calling a preset cryptographic function service interface.
5. The method according to claim 1, wherein the trusted application TA (21) receiving the operation result fed back by the security application (31), processing the operation result according to the functional design of the cryptographic module to obtain a response, and sending the response to the client application (11) comprises:
receiving the operation result fed back by the security application (31), and processing it according to the functional design of the cryptographic module to obtain a processing result;
converting the format of the processing result into the APDU command format; and sending a response reply in the APDU command format to the client application (11).
6. The method of claim 2,
the file system consists of an application, a container and a file and is in a tree-shaped storage structure of 'device-application-container-key';
in the file system, the security application (31) stores a directory structure, attributes of files, and manages access control rights of all files.
7. The method of claim 2,
the file content of the non-sensitive data file is stored in a trusted application TA (21) in the form of a secure storage object, the ID of which is assigned and managed by the secure application (31), the secure application (31) maintaining a correspondence of file names, attributes and object IDs.
8. A computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor implements the steps of the method of any one of claims 1 to 7 when executing the computer program.
9. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 7.
CN201911268846.2A, priority date 2019-12-11, filing date 2019-12-11: Method and equipment for realizing cryptographic function service based on trusted execution environment and security chip (granted as CN111177701B, active)

Publications (2)

Publication Number Publication Date
CN111177701A true CN111177701A (en) 2020-05-19
CN111177701B CN111177701B (en) 2022-09-13
