CN111177701B - Method and equipment for realizing cryptographic function service based on trusted execution environment and security chip

Info

Publication number: CN111177701B
Authority: CN (China)
Prior art keywords: application, security, trusted, signature, cryptographic
Legal status: Active
Application number: CN201911268846.2A
Other languages: Chinese (zh)
Other versions: CN111177701A (en)
Inventor: 刘亚雷
Current assignee: Beijing WatchSmart Technologies Co Ltd
Original assignee: Beijing WatchSmart Technologies Co Ltd
Events: application filed by Beijing WatchSmart Technologies Co Ltd; priority to CN201911268846.2A; publication of CN111177701A; application granted; publication of CN111177701B

Classifications

    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity, in the following subgroups:
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals › G06F21/45 Structures or tools for the administration of authentication › G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems › G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/60 Protecting data › G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules › G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer › G06F21/78 Protecting specific internal or peripheral components to assure secure storage of data › G06F21/79 Protecting specific internal or peripheral components to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories

Abstract

The application relates to a method and equipment for implementing a cryptographic function service based on a trusted execution environment and a security chip. The method comprises the following steps: in response to a cryptographic function service request sent by a client application, the trusted application executes the corresponding cryptographic function service request to obtain an execution result; the execution result is sent to a security application, so that the security application operates according to the execution result and feeds back an operation result; the trusted application obtains a response from the operation result fed back by the security application and sends the response to the client application. The trusted application is installed in a trusted execution environment, the client application is installed in a rich operating system, and the security application is installed in a security chip. A smart cryptographic key product meeting the relevant specifications can thus be realized on a mobile intelligent terminal, and the security and user experience of the cryptographic module can be markedly improved.

Description

Method and equipment for realizing cryptographic function service based on trusted execution environment and security chip
Technical Field
The present application relates to the field of mobile security technologies, and in particular, to a method and an apparatus for implementing a cryptographic function service based on a trusted execution environment and a security chip.
Background
With the gradual maturity of wireless broadband technology and the overall advance of informatization, it has become mainstream to improve work efficiency by accessing the mobile internet and various information systems from a mobile intelligent terminal. However, the internet faces attacks such as viruses, trojans, rogue software, eavesdropping and tampering; while the mobile intelligent terminal offers more convenient and flexible cryptographic function services, its security risks are gradually being exposed. The authenticity of network identities, access control of information resources and the confidentiality of transmitted information are major issues that urgently need to be solved. PKI technology and various cryptographic-module products have emerged to address these problems.
According to the division of the cryptographic boundary, cryptographic modules can be classified into software cryptographic modules, hardware cryptographic modules, hybrid cryptographic modules and so on. At present, the traditional hardware-based security schemes for mobile intelligent terminals include the cryptographic SD card, the cryptographic SIM card, and external cryptographic modules connected over Bluetooth or the audio jack.
In other prior art, a user obtains an authorization code and a registration code from a service provider and gains the right to use software after entering them into it. The protection offered by this measure is poor: when the software runs in an untrusted execution environment, the computation of the authorization code can be cracked, and the authorization protection mechanism can be bypassed by tampering with the authorization state.
At present, the cryptographic algorithms and the storage of cryptographic information in SIM-card- and SD-card-based cryptographic modules are implemented in hardware, so the security threats faced by pure software are avoided and the security is high. However, on one hand the user must purchase the SIM card or SD card, and on the other hand the existing SIM card or secure SD card occupies a card slot of the terminal, and encryption performance, power consumption and compatibility all have serious problems; the user therefore faces high cost, low performance and poor usability.
For the external cryptographic modules connected over Bluetooth or the audio jack, the cryptographic algorithms and the storage of cryptographic information are likewise implemented in hardware, so the security threats faced by pure software are avoided and the security is high. Nevertheless, on one hand the user must purchase and carry an additional security device, and on the other hand such Bluetooth and audio-jack modules have compatibility and performance problems with the mobile terminal; the cost of use is high, convenience and ease of use are low, and the user experience is relatively poor.
Disclosure of Invention
Based on this, it is necessary to provide a cryptographic function service implementation method based on a trusted execution environment and a security chip, in which the cryptographic function service is constructed from a Trusted Execution Environment (TEE) and an embedded security chip (eSE) on an intelligent terminal.
Another object of the present invention is to provide a file system in which the trusted application and the secure application cooperate, under the constraint that eSE resources are limited and on the premise that module security is not reduced.
A cryptographic function service implementation method based on a trusted execution environment and a security chip is used to provide a cryptographic function service for an intelligent terminal, and is characterized in that the intelligent terminal comprises a rich operating system 1, a trusted execution environment 2 and a security chip 3;
the client application 11 runs in the rich operating system 1, and the trusted application TA21 runs in the trusted execution environment 2; the secure chip 3 runs a secure application 31;
the trusted application TA21 cooperates with the secure application 31 to perform cryptographic functions.
The cryptographic function service implementation method based on the trusted execution environment 2 and the security chip 3 comprises the following steps:
the trusted application TA21 responds to the cryptographic function service request sent by the client application 11, and executes the corresponding cryptographic function service request to obtain an execution result;
the trusted application TA21 sends the execution result to the secure application 31, so that the secure application 31 operates according to the execution result and feeds back the operation result;
the trusted application TA21 receives the operation result fed back by the secure application 31, processes the operation result, obtains a response, and sends the response to the client application 11.
Further, the cryptographic function service includes a secure storage service;
the secure application 31 implements the file system and sensitive data storage by calling its own interface;
the trusted application TA21 implements the non-sensitive data storage by calling the TEE Internal API of the trusted execution environment 2.
Further, the cryptographic function service includes a cryptographic algorithm service;
the security application 31 implements a cryptographic algorithm service by calling its internal interface.
Further, the trusted application TA21, in response to the cryptographic function service request sent by the client application 11, executes the corresponding cryptographic function service request to obtain an execution result, including:
in response to the cryptographic function service request sent by the client application 11, converting the cryptographic function service request in APDU command format into the private instruction of the security application 31 by calling a preset cryptographic function service interface.
Further, the trusted application TA21 receives and processes the operation result fed back by the secure application 31, obtains a response, and sends the response to the client application 11, including:
receiving the operation result fed back by the security application 31, processing it and converting the processed result into APDU command format; the response in APDU command format is then sent to the client application 11.
Furthermore, the file system is composed of applications, containers and files, in a tree-shaped storage structure of 'device-application-container-key';
in the file system, the security application 31 stores a directory structure, attributes of files, and manages access control rights of all files.
Further, the file content of the non-sensitive data file is stored in TA21 in the form of a secure storage object, the ID of the secure storage object is assigned by the secure application 31, and the secure application 31 maintains the correspondence of the file name, the attribute, and the object ID.
A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor realizes the steps of the above method when executing the computer program.
A computer-readable storage medium, on which a computer program is stored, characterized in that the computer program realizes the steps of the above-mentioned method when being executed by a processor.
According to the method and the device for realizing the cryptographic function service based on the trusted execution environment and the security chip, the trusted application executes the corresponding cryptographic function service in response to the cryptographic function service request sent by the client application and obtains an execution result; the execution result is sent to the security application so that the security application operates according to the execution result, obtains an operation result and feeds it back; the trusted application receives the operation result fed back by the security application, processes it to obtain a response, and sends the response to the client application. The trusted application is installed in a trusted execution environment, the client application is installed in a rich operating system, and the security application is installed in a security chip. The method can be realized on an intelligent terminal, yielding a smart cryptographic key product meeting the relevant specifications, and the user experience and the security of the authorization mechanism can be markedly improved.
Drawings
FIG. 1 is a diagram of a TEE + eSE based cryptographic module software framework;
FIG. 2 is a flow chart illustrating a method for implementing a cryptographic function based on a TEE + eSE cryptographic module;
FIG. 3 is a schematic diagram of an overall framework for implementing cryptographic functionality services based on TEE + eSE;
FIG. 4 is a schematic diagram of an overall file system composition structure in a method for implementing a cryptographic function based on a TEE + eSE cryptographic module;
FIG. 5 is a file system layout diagram of a TEE + eSE based cryptographic module;
FIG. 6 is a diagram illustrating an internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more clearly understood, the present application is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of and not restrictive on the broad application.
The application provides a cryptographic function service based on a security service and a security storage characteristic which are constructed by a Trusted Execution Environment (TEE) and an embedded security chip (eSE) on an intelligent terminal. Under the constraint condition that eSE resources are limited, the file system for the cooperation of the trusted application and the security application can be provided on the premise of not reducing the security of the module.
FIG. 1 is a diagram of a TEE + eSE based cryptographic module software framework.
The cryptographic function service implementation method based on the trusted execution environment and the security chip can be applied to the application environment shown in FIG. 1, which is composed of REE1, TEE2 and eSE3. TEE2 (trusted execution environment) is a secure area residing on the main processor of the mobile device; it provides a runtime environment that coexists with the Rich OS (rich operating system, i.e., REE1) on the mobile device, and eSE3 is an embedded security chip on the mobile terminal. The client application 11 runs in REE1, the trusted application TA21 runs in TEE2, and the secure application 31 runs in eSE3. TEE2 provides REE1 with security services such as secure storage of sensitive data, approved cryptographic algorithms and a trusted user interface. TEE2 provides both data confidentiality and data integrity protection, controls the access rights with which TA21 (the trusted application) accesses resources and data, and isolates the operating environments and sensitive data of multiple TAs from one another. eSE3 provides a secure execution environment for the secure application 31; it can store data and code logic securely and provides security services, such as algorithms and key protection, to the secure application 31.
The trusted application TA21 running in the trusted execution environment TEE2 and the secure application 31 running in the embedded secure chip eSE3 form a cryptographic module of TEE + eSE, and the TA21 cooperates with the secure application 31 to complete approved cryptographic functions.
Fig. 2 is a schematic flowchart illustrating a method for implementing a cryptographic function based on a TEE + eSE cryptographic module, which is described by taking the mobile device in fig. 1 as an example, and includes the following steps:
step 202, TA21 responds to the cryptographic function service request sent by client application 11, and executes the corresponding cryptographic function service to obtain the execution result;
step 204, sending the execution result to the security application 31, so that the security application 31 performs an operation according to the execution result and feeds back an operation result;
step 206, receiving the operation result fed back by the security application 31, processing the operation result to obtain a response, and sending the response to the client application 11;
wherein the trusted application TA21 is installed in TEE2, the client application 11 is installed in REE1, and the secure application 31 is installed in the security chip eSE3.
According to the method and the device for realizing the cryptographic function service based on the trusted execution environment and the security chip, the trusted application executes the corresponding cryptographic function service in response to the cryptographic function service request sent by the client application and obtains an execution result; the execution result is sent to the security application so that the security application operates according to the execution result and feeds back the operation result; the trusted application receives and processes the operation result fed back by the security application to obtain a response and sends the response to the client application. The trusted application is installed in a trusted execution environment, the client application is installed in the REE, and the security application is installed in the security chip. A smart cryptographic key product meeting the relevant specifications can be realized on the mobile intelligent terminal, and the security of the cryptographic product can be markedly improved.
In one embodiment, TA21 responding to the cryptographic function service request sent by the client application 11 and executing the corresponding cryptographic function service request to obtain a response includes: in response to the cryptographic function service request sent by the client application 11, executing the corresponding cryptographic function service and obtaining a response; wherein the cryptographic function service comprises a cryptographic algorithm service and a secure storage service.
TA21 accomplishes the distribution of instructions, the storage of file contents, the communication with the security application 31 and so on by calling the TEE Internal API of TEE2, and the security application 31 (an Applet) realizes the cryptographic functions, namely the storage and management of each element in the cryptographic module file system, the storage of critical security parameters, the cryptographic algorithm service and so on, by calling the JavaCard interface.
As an example, the method comprises:
1) the client application 11 sends an APDU command meeting a preset specification to TA21 by calling the TEE Client API of TEE2;
2) TA21 receives the APDU from the client application 11, processes it according to the function design of the cryptographic module, translates it into a command supported by the security application, and sends it to the security application 31;
3) the security application 31 receives the command from TA21, performs the corresponding processing, and returns a response to TA21;
4) TA21 receives the response from the security application 31, performs the corresponding processing, and returns a response APDU to the client application 11.
FIG. 3 shows the overall framework of the cryptographic function service implemented on the basis of TEE + eSE.
The cryptographic module implements the corresponding cryptographic functions according to the GMT0017-2012 smart cryptographic key cryptographic application interface data format specification, and mainly comprises the following parts: device management, access control, application management, file management, container management, cryptographic service and so on, each module implementing the flow of the corresponding cryptographic function.
As shown in FIG. 3, the overall framework of the cryptographic module implementation is illustrated in both the vertical and horizontal dimensions. The vertical dimension is divided according to the hierarchy of the cryptographic function processing and calling process, and the horizontal dimension is divided according to the functional modules at each vertical level. The vertical dimension mainly comprises four layers: the instruction distribution layer, the instruction processing interface layer, the packaging library interface layer and the platform-related interface layer. Services are provided from the bottom layer up to the top.
The instruction distribution layer is responsible for receiving, from the client application 11, APDU instructions that conform to the GMT0017-2012 smart cryptographic key cryptographic application interface data format specification, checking the instruction format against the specification, and then distributing the checked instructions to the instruction processing interface layer for processing according to the cryptographic function of the instruction;
the packaging library interface layer provides the instruction processing interface layer with packaged TEE2 file system element operations, TEE2 cryptographic service operations and eSE3 communication interfaces; the platform-related interface layer encapsulates, according to the requirements of the cryptographic module, the storage object operation interface provided by the TEE2 platform and the cryptographic operation interface provided by the eSE platform, and provides platform support for implementing the cryptographic functions of the cryptographic module;
after the client application 11 loads the cryptographic module, it sends a standard APDU command conforming to the "GMT0017-2012 smart cryptographic key cryptographic application interface data format specification" to TA21 in the cryptographic module; after TA21 receives the APDU command:
firstly, the instruction distribution layer checks whether the instruction meets the specification; if so, the instruction processing interface of the corresponding function is called according to the cryptographic function defined by the specification; if not, the cryptographic service is refused;
secondly, the instruction processing interface calls the services provided by the packaging library interface layer to realize the cryptographic function, according to the division of labour between TA21 and the security application 31 within the cryptographic module and the flow for realizing the cryptographic service;
Taking the signature instruction processing flow as an example of a cryptographic function service, the cryptographic function implementation flow is described below.
Step 1, the client application 11 issues an RSA signature instruction;
step 2, TA21 receives the signature command sent by the client, checks the command format, and directly refuses to provide the signature service if the format is wrong; if the format is correct, the instruction is distributed to the cryptographic service module of the corresponding instruction processing interface layer;
step 3, in the instruction processing interface layer, TA21 judges from the instruction parameters whether the data to be signed is the original text or its digest; if it is the original text, step 4 is executed, and if it is the digest, the flow jumps directly to step 5;
step 4, if the data to be signed is the original text, TA21 is responsible for computing the digest of the original text;
step 5, TA21 organizes the signature command supported by the security application 31, and calls the eSE3 communication command of the packaging library interface layer to issue the signature command to the security application 31 for processing;
step 6, the security application 31 receives the instruction and checks whether the current state of the corresponding application and the user authority satisfy the signing conditions; if not, it refuses to sign; if so, it looks up the signature key pair under the corresponding application container, performs the signature, and then sends the signature result to TA21;
step 7, TA21 receives the signature result sent by the security application 31, organizes the response according to the defined APDU response format, and returns the response to the client application 11, completing the signature operation;
Because the security application 31 is installed in eSE3, the storage of the security parameters of the cryptographic module, the cryptographic operations and so on are all within the security application 31, and the cryptographic module supports hardware random number generation, hardware key generation and hardware cryptographic computation, thereby avoiding attacks from non-secure environments and ensuring the security of the cryptographic function service and the correctness of the cryptographic operations.
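The signature flow above, together with the instruction distribution layer's format check and dispatch, as an added Python example that is not part of the patent or WatchSmart's code: the client builds a command APDU, the trusted application checks the format, hashes the original text when needed and forwards a private command, and the secure application checks application state and user authority before signing. Instruction codes, status words, the selected application/container context passed to the TA, and the HMAC stand-in for the eSE's RSA signature are all assumptions of the example.

```python
"""Added example (not the patent's code): a simulation of the TEE + eSE
signature flow.  The client builds a command APDU; the trusted application
(TA) checks the format, hashes the original text when given one, and
forwards a private command to the secure application, which checks
application state and user authority before signing.  HMAC-SHA256 with a
key that never leaves SecureApplication stands in for RSA inside the eSE."""
import hashlib
import hmac
import secrets

# Constructed instruction codes and status words for this demo; the real
# values are defined by the GMT0017-2012 data format specification.
CLA_SMART_KEY = 0x80
INS_SIGN = 0x2A
P1_ORIGINAL_TEXT = 0x00   # data field carries the text to be signed
P1_DIGEST = 0x01          # data field already carries the SHA-256 digest
SW_OK = 0x9000
SW_WRONG_FORMAT = 0x6A80
SW_SECURITY_STATUS = 0x6982
SW_INS_NOT_SUPPORTED = 0x6D00


def build_apdu(cla, ins, p1, p2, data):
    """Short-form command APDU: CLA INS P1 P2 Lc DATA (data < 256 bytes)."""
    return bytes([cla, ins, p1, p2, len(data)]) + data


class SecureApplication:
    """eSE side: holds keys, application state and the PIN-verified
    authority flag.  Keys are generated here and never returned."""

    def __init__(self):
        self._keys = {}             # (app_id, container_id) -> signing key
        self._pin_verified = set()  # app_ids whose user PIN was verified

    def create_sign_key(self, app_id, container_id):
        self._keys[(app_id, container_id)] = secrets.token_bytes(32)

    def verify_pin(self, app_id, pin_ok):
        if pin_ok:
            self._pin_verified.add(app_id)

    def sign(self, app_id, container_id, digest):
        """Private eSE command (step 6): check state/authority, then sign."""
        if app_id not in self._pin_verified:
            return SW_SECURITY_STATUS, b""
        key = self._keys.get((app_id, container_id))
        if key is None:
            return SW_SECURITY_STATUS, b""
        return SW_OK, hmac.new(key, digest, hashlib.sha256).digest()


class TrustedApplication:
    """TEE side: instruction distribution layer plus the cryptographic
    service handler for the sign instruction.  The selected application
    and container are passed as context (an assumption of the demo)."""

    def __init__(self, se):
        self.se = se

    def process(self, apdu, app_id, container_id):
        # Instruction distribution layer (step 2): format check, then
        # dispatch by INS; a malformed command is refused outright.
        if len(apdu) < 5 or apdu[0] != CLA_SMART_KEY:
            return self._resp(SW_WRONG_FORMAT, b"")
        ins, p1, lc, data = apdu[1], apdu[2], apdu[4], apdu[5:]
        if len(data) != lc:
            return self._resp(SW_WRONG_FORMAT, b"")
        if ins == INS_SIGN:
            return self._handle_sign(p1, data, app_id, container_id)
        return self._resp(SW_INS_NOT_SUPPORTED, b"")

    def _handle_sign(self, p1, data, app_id, container_id):
        if p1 == P1_ORIGINAL_TEXT:                  # steps 3-4: TA hashes
            digest = hashlib.sha256(data).digest()
        elif p1 == P1_DIGEST and len(data) == 32:   # step 3: skip to 5
            digest = data
        else:
            return self._resp(SW_WRONG_FORMAT, b"")
        sw, sig = self.se.sign(app_id, container_id, digest)  # steps 5-6
        return self._resp(sw, sig)                             # step 7

    @staticmethod
    def _resp(sw, data):
        """Response APDU: DATA SW1 SW2."""
        return data + sw.to_bytes(2, "big")


def demo():
    # Refused before PIN verification, then signed from the original text
    # and from its precomputed digest; the two signatures must match.
    se = SecureApplication()
    ta = TrustedApplication(se)
    se.create_sign_key(app_id=1, container_id=1)
    msg = b"constructed message to sign"
    text_apdu = build_apdu(CLA_SMART_KEY, INS_SIGN, P1_ORIGINAL_TEXT, 0, msg)
    digest_apdu = build_apdu(CLA_SMART_KEY, INS_SIGN, P1_DIGEST, 0,
                             hashlib.sha256(msg).digest())
    refused = ta.process(text_apdu, 1, 1)   # user authority not yet granted
    se.verify_pin(1, True)
    signed = ta.process(text_apdu, 1, 1)
    via_digest = ta.process(digest_apdu, 1, 1)
    return refused, signed, via_digest
```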
Fig. 4 shows a schematic diagram of an overall file system storage structure in a method for realizing a cryptographic function based on a TEE + eSE cryptographic module.
As shown in FIG. 4, the file system of the smart key is composed of applications, containers and files. The file types include the device information file, the PIN file, the certificate file, the key file and so on, stored according to the hierarchical structure 'device-application-container-key': several applications can exist under one device, several containers under one application, and several key files and certificate files under one container, so the cryptographic module file system is a tree structure.
In other implementations, because the storage resources of eSE3 devices are limited, the storage space allocated to each security application is typically only a few tens of KB and cannot support complex, larger-scale file system storage. The secure storage space of TEE2, on the other hand, is relatively open and allows a larger storage capacity. The invention therefore combines the hardware security feature of eSE3 with the secure storage function of TEE2 to realize a collaborative file system that balances security and expandability.
FIG. 5 shows a file system layout of a TEE + eSE based cryptographic module.
As shown in FIG. 5, the collaborative division strategy of the file system design in the present invention is:
1) the security application 31 stores the directory structure;
2) the security application 31 stores the attributes of all files;
3) the security application 31 stores the file content of sensitive data files (e.g., PINs, keys, etc.);
4) TA21 stores the file content of non-sensitive data files (e.g., certificates, device information, etc.);
5) the security application 31 generates, manages and maintains the IDs of the storage objects in TA21 that hold non-sensitive data files;
6) the security application 31 manages the access control rights of all files.
In one embodiment, the security application 31 stores the directory structure, the attributes of files and the file contents of sensitive data files, and manages the access control rights of all files; TA21 stores the file content of non-sensitive data files (e.g., certificates, device information, etc.).
In one implementation, within the security application 31 each type of file system element (application, container, file, key file and so on) is implemented by an independent Java class, and the applications, containers, files, keys and so on created in the cryptographic module are all objects of the corresponding class. Application attributes such as the application name and application ID are members of the field variable array in the application class, and the PIN object and the container objects under an application are likewise members of that array; container attributes such as the container name, container type and container ID are members of the field variables in the container class, the key objects under a container are members of the field variable array in the container class, and so on.
When the user creates a file system element, the security application 31 first checks whether the eSE3 space is full; if so it reports an error, otherwise it instantiates the corresponding element object and registers it for use by the user. When the user deletes a file system element, the security application 31 first clears all data in the object and then frees the object's storage space for subsequent use.
The structure of the file system in the cryptographic module, the attributes of its elements and the operating permissions on those elements are stored, managed and controlled by the security application 31. The keys and the user PIN, together with their attributes and contents within the cryptographic module, are all stored in eSE3; for certificate files and other binary files, the name and attributes are stored in eSE3 while the file content is stored in TEE2 in the form of a secure storage object, whose ID is assigned by the secure application 31 to ensure uniqueness, and the secure application 31 maintains the correspondence of file name, attributes and object ID.
The operating permissions of all elements in the file system are uniformly managed by the security application 31 in eSE3, and when a file system object is created, deleted, read or written, the security application 31 checks whether the requester has the corresponding operating permission for that object. For certificate files and binary files, after checking that the corresponding permission exists, the security application 31 sends the secure storage object ID of the file to TA21, and TA21 then performs the corresponding operation on the file.
Taking the certificate writing instruction as an example of a cryptographic function service, the processing flow is as follows.
Step 1, the client application 11 issues a certificate writing instruction;
Step 2, TA21 receives the certificate writing instruction sent by the client application 11 and checks the instruction format; if the format is wrong, the certificate writing is refused directly; if the format is correct, the instruction is dispatched to the container management module of the instruction processing interface layer;
Step 3, TA21 assembles a private instruction supported by the security application 31 and sends it to the security application 31 to obtain the file storage ID; the instruction carries the application ID, the container ID and the certificate type;
Step 4, according to the application ID, the security application 31 checks whether the state and authority of the current application of the cryptographic module meet the certificate writing condition; if not, the certificate writing is refused; if so, step 5 is performed;
Step 5, the security application 31 generates a secure storage ID from the application ID, the container ID and the certificate type, and returns it to TA21;
Step 6, TA21 creates a secure storage object using the ID generated by the security application 31 and stores the certificate information in it; after the certificate has been written successfully, TA21 assembles an instruction supported by the security application 31 and notifies the security application that the certificate was written successfully;
Step 7, the security application 31 writes the ID into the certificate object under the corresponding application and container, maintains the mapping among application, container, certificate type and secure storage ID, and returns to TA21;
Step 8, TA21 returns the result to the client application 11.
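The split file system described above (elements as objects in the security application, the eSE space check on creation, clear-then-free on deletion, file content held in the TEE under an eSE-assigned object ID) and the eight-step certificate writing flow, modelled together as an added example. This is not code from the patent or from the applicant, and it is written in Python rather than as the Java classes and TEE Internal API calls the text mentions. The class names SecurityApplication and TrustedApplication, the status strings, the MAX_ELEMENTS capacity and the 0x1000 ID sequence are constructed assumptions.

```python
import itertools


class SecurityApplication:
    """Stands in for security application 31 inside eSE3.

    It owns the directory structure (application -> container -> file), the
    element attributes, the PIN state and every access-control decision, and it
    assigns the IDs of the secure storage objects that hold non-sensitive file
    content on the TEE side. Only the metadata of such files lives here."""

    MAX_ELEMENTS = 6   # constructed stand-in for the limited eSE space

    def __init__(self):
        self.apps = {}                        # app_id -> application object
        self.pending = {}                     # object_id -> (app, container, cert_type)
        self._ids = itertools.count(0x1000)   # constructed unique-ID sequence
        self._elements = 0

    def _allocate(self):
        """Space check made before any file-system element is instantiated."""
        if self._elements >= self.MAX_ELEMENTS:
            raise MemoryError("eSE space full")
        self._elements += 1

    def create_application(self, app_id, name, pin):
        self._allocate()
        self.apps[app_id] = {"name": name, "pin": pin, "verified": False, "containers": {}}

    def create_container(self, app_id, container_id, name):
        self._allocate()
        self.apps[app_id]["containers"][container_id] = {"name": name, "certs": {}}

    def verify_pin(self, app_id, pin):
        app = self.apps[app_id]
        app["verified"] = pin == app["pin"]
        return app["verified"]

    def delete_container(self, app_id, container_id):
        """Clear the object's data first, then free its slot for reuse."""
        cont = self.apps[app_id]["containers"].pop(container_id)
        self._elements -= 1 + len(cont["certs"])
        cont.clear()

    # Private instruction from TA21 (steps 4 and 5 of the certificate write).
    def get_storage_id(self, app_id, container_id, cert_type):
        app = self.apps.get(app_id)
        if app is None or container_id not in app["containers"]:
            return "ERR_NOT_FOUND", None
        if not app["verified"]:
            return "ERR_AUTH", None               # state/authority check failed
        if self._elements >= self.MAX_ELEMENTS:
            return "ERR_FULL", None
        obj_id = next(self._ids)
        self.pending[obj_id] = (app_id, container_id, cert_type)
        return "OK", obj_id

    # Private instruction from TA21 after the content is stored (step 7).
    def confirm_written(self, obj_id, attributes):
        app_id, container_id, cert_type = self.pending.pop(obj_id)
        self._allocate()
        cont = self.apps[app_id]["containers"][container_id]
        cont["certs"][cert_type] = {"attributes": attributes, "object_id": obj_id}
        return "OK"

    def lookup_storage_id(self, app_id, container_id, cert_type):
        """Read path: authority check first, only then is the ID handed to TA21."""
        app = self.apps.get(app_id)
        if app is None or not app["verified"]:
            return "ERR_AUTH", None
        cert = app["containers"].get(container_id, {}).get("certs", {}).get(cert_type)
        return ("OK", cert["object_id"]) if cert else ("ERR_NOT_FOUND", None)


class TrustedApplication:
    """Stands in for TA21 inside TEE2: keeps certificate content as secure
    storage objects keyed by the ID that the security application assigned."""

    def __init__(self, se):
        self.se = se
        self.objects = {}   # object_id -> bytes; real TA21 would use TEE secure storage

    def write_certificate(self, cmd):
        # Step 2: format check before anything reaches the eSE
        if any(k not in cmd for k in ("app_id", "container_id", "cert_type", "data")) \
                or not isinstance(cmd["data"], bytes) or not cmd["data"]:
            return {"status": "ERR_FORMAT"}
        # Steps 3 to 5: obtain the storage ID (the eSE decides whether it may be written)
        status, obj_id = self.se.get_storage_id(cmd["app_id"], cmd["container_id"], cmd["cert_type"])
        if status != "OK":
            return {"status": status}
        # Step 6: persist the content under that ID, then tell the eSE it succeeded
        self.objects[obj_id] = cmd["data"]
        status = self.se.confirm_written(obj_id, {"length": len(cmd["data"])})
        return {"status": status, "object_id": obj_id}       # step 8

    def read_certificate(self, app_id, container_id, cert_type):
        status, obj_id = self.se.lookup_storage_id(app_id, container_id, cert_type)
        return {"status": status, "data": self.objects.get(obj_id)}


def run_flow():
    """Runs the flow end to end on constructed data and returns the outcomes."""
    se, cert = SecurityApplication(), b"-----constructed certificate bytes-----"
    ta = TrustedApplication(se)
    se.create_application("app1", "demo app", pin="123456")
    se.create_container("app1", "c1", "demo container")
    req = {"app_id": "app1", "container_id": "c1", "cert_type": "sign", "data": cert}
    denied = ta.write_certificate(req)                 # PIN not verified yet
    malformed = ta.write_certificate({"app_id": "app1", "data": cert})
    se.verify_pin("app1", "123456")
    written = ta.write_certificate(req)
    read_back = ta.read_certificate("app1", "c1", "sign")
    return denied, malformed, written, read_back
```

Two details of the model are worth noting. The TA refuses a malformed instruction before anything reaches the eSE, so a bad request never consumes an object ID; and the storage ID is recorded under the certificate object only after the TA confirms the write, which keeps the security application's name-to-ID mapping consistent with what is actually stored in TEE2.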
In the invention, both the storage structure of the file system and the operational management of the file system are the responsibility of the security application 31: higher-security content such as keys and PINs is stored in the security application 31, while lower-security file content is stored in TA21. The security chip and the TEE thus cooperate to implement the file system of the cryptographic module. On the basis of guaranteeing the confidentiality and integrity of critical security parameters such as the cryptographic module's keys and the user PIN, the file system is highly extensible, and the limitation of eSE3 resources is alleviated to a certain extent.
The cryptographic function interface is provided to the client in the form of an SDK whose interface definition fully conforms to the GM/T 0016 national cryptographic specification. The interface translates each cryptographic function into an APDU instruction conforming to the GM/T 0017 national cryptographic specification and sends it to TA21 running in the trusted execution environment; TA21 and the security application 31 cooperate to perform the corresponding cryptographic function.
In this implementation of the present invention, TA21 cooperates with the security application 31 to provide cryptographic services conforming to the GM/T 0017 specification. When the client uses the cryptographic services provided by the cryptographic module, it must be ensured that the security application 31 has been downloaded and installed. The security application 31 may be preset on the production line of the mobile intelligent terminal, or it may be installed after the client application 11 has been installed. If the security application 31 is preset on the production line, then, provided a client SDK meeting the GM/T 0016 specification and a trusted application meeting the GM/T 0017 specification are supplied before deployment, a user only needs to carry out configuration and development in the same way as for a conventional mobile intelligent terminal application program in order to produce application software that provides the corresponding cryptographic services. If the security application 31 is installed afterwards, then before deployment a client application 11 or service for downloading and installing the security application 31, a client SDK conforming to the GM/T 0016 specification, and a trusted application TA21 conforming to the GM/T 0017 specification should be supplied; the user completes the download and installation of the security application 31 through the client application 11 and carries out configuration and development as for a conventional mobile intelligent terminal application program, so that application software providing the corresponding cryptographic services can be produced. The deployment process requires no purchase or shipment of additional hardware and is convenient and fast.
Those skilled in the art will appreciate that the architecture shown in fig. 6 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as a particular computing device may include more or fewer components than those shown, may combine certain components, or may have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having a computer program stored therein, the processor implementing the following steps when executing the computer program:
TA21 responds to the cryptographic function service request sent by client application 11, and executes the corresponding cryptographic function service request to obtain an execution result; TA21 sends the execution result to secure application 31, so that secure application 31 operates according to the execution result and feeds back the operation result; TA21 receives the operation result fed back by security application 31, processes the operation result to obtain a response, and sends the response to client application 11; wherein the TA21 is installed in TEE2, the client application 11 is installed in REE1, and the security application 31 is installed in eSE 3.
In one embodiment, a computer-readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, performs the steps of:
TA21 responds to the cryptographic function service request sent by client application 11, and executes the corresponding cryptographic function service request to obtain an execution result; TA21 sends the execution result to secure application 31, so that secure application 31 operates according to the execution result and feeds back the operation result; TA21 processes the operation result fed back by security application 31 to obtain a response, and sends the response to client application 11; wherein the TA21 is installed in TEE2, the client application 11 is installed in REE1, and the security application 31 is installed in eSE3.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware; the program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, a database or another medium used in the embodiments provided herein can include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), Direct Rambus Dynamic RAM (DRDRAM), and Rambus Dynamic RAM (RDRAM).
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (7)

1. A cryptographic function service implementation method based on a trusted execution environment and a security chip is used for providing cryptographic function service for an intelligent terminal, and is characterized in that the intelligent terminal comprises a rich operating system (1), a trusted execution environment (2) and a security chip (3);
a client application (11) runs in the rich operating system (1), a trusted application TA (21) runs in the trusted execution environment (2), and a security application (31) runs in the security chip (3);
the trusted application TA (21) and the security application (31) cooperate to complete a cryptographic function;
the method for realizing the cryptographic function service based on the trusted execution environment (2) and the security chip (3) comprises the following steps:
step S202, the trusted application TA (21) responds to the cryptographic function service request sent by the client application (11) and executes the corresponding cryptographic function service request to obtain an execution result;
step S204, the trusted application TA (21) sends the execution result to the secure application (31) so that the secure application (31) operates according to the execution result and feeds back the operation result;
step S206, the trusted application TA (21) receives the operation result fed back by the secure application (31), processes the operation result to make a response, and sends the response to the client application (11);
the cryptographic function service comprises a secure storage service and a cryptographic algorithm service;
the security application (31) realizes file system and sensitive data storage by calling its own interface;
the trusted application TA (21) realizes non-sensitive data storage by calling a TEE Internal API of the trusted execution environment (2);
the file system consists of an application, a container and a file and is in a tree-shaped storage structure of 'device-application-container-key';
in the file system, the security application (31) stores a directory structure and file attributes, and manages access control rights of all files;
the trusted application TA (21) stores file content of non-sensitive data files, including certificates;
the security application (31) stores the file content of the sensitive data file, including a user PIN, a key;
the security application (31) generates, manages and maintains the ID of the storage object that stores the non-sensitive data file in the trusted application TA (21);
the step S202 includes:
the method comprises the following steps that a trusted application TA (21) receives a signature command sent by a client, checks the command format, and directly refuses to provide signature service if the format is wrong; if the format is correct, the instruction is distributed to a password service module of a corresponding instruction processing interface layer;
secondly, the trusted application TA (21) judges whether the signature data to be signed is a signature original text or corresponding summary information according to the instruction parameters; if the signature is a signature original text, the trusted application TA (21) calculates a digest of the signature original text,
thirdly, the trusted application TA (21) organizes the signature instruction supported by the security application (31) and issues the signature instruction to the security application (31) for processing;
step S204 includes:
in a fourth step, the security application (31) receives the instruction and checks whether the user authority meets the signature condition; if not, the signature is refused; if so, the key pair under the corresponding application container is looked up and used for signing, and the signature result is then sent back to the trusted application TA (21);
the step S206 includes:
in a fifth step, the trusted application TA (21) receives the signature result sent by the security application (31), assembles a response and returns it to the client application (11), completing the signature operation.
2. The method of claim 1,
the secure application (31) implements cryptographic algorithm services by invoking its internal interface.
3. The method according to claim 1, wherein the trusted application TA (21), in response to the cryptographic function service request sent by the client application (11), executes the corresponding cryptographic function service request, resulting in an execution result, comprising:
responding to a cryptographic function service request sent by a client application (11), and converting an APDU command format of the cryptographic function service request into an instruction supported by a security application (31) by calling a preset cryptographic function service interface.
4. The method according to claim 1, wherein the trusted application TA (21) receives the operation result fed back by the secure application (31), processes the operation result according to the cryptographic module functional design to obtain a response, and sends the response to the client application (11), and comprises:
receiving an operation result fed back by the security application (31), and processing according to the functional design of the cryptographic module to obtain a processing result;
converting the format of the processing result into an APDU command format; and sending a response in the APDU command format to the client application (11).
5. The method of claim 1,
the file content of the non-sensitive data file is stored in a trusted application TA (21) in the form of a secure storage object, the ID of which is assigned and managed by the secure application (31), the secure application (31) maintaining a correspondence of file names, attributes and object IDs.
6. A computer device comprising a memory and a processor, the memory storing a computer program, wherein the processor implements the steps of the method of any one of claims 1 to 5 when executing the computer program.
7. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 5.
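The SDK-to-APDU translation described in the specification and in claims 3 and 4, together with the five-step signature flow of claim 1, as an added example that is not code from the patent or from the applicant. It is written in Python. The ISO 7816-4 APDU framing (CLA INS P1 P2 Lc data) and the status words are standard, but the instruction byte INS_SIGN, the use of P1 to mark original text versus digest, the data-field layout, SHA-256 standing in for SM3, and an HMAC standing in for the SM2 signature the eSE would compute are all assumptions, not the GM/T 0017 encodings.

```python
import hashlib
import hmac

# Assumed constants; the real GM/T 0017 instruction encodings are not reproduced here.
CLA_PRIVATE = 0x80
INS_SIGN = 0x2A
P1_ORIGINAL = 0x00   # data field carries the original text; TA21 must hash it
P1_DIGEST = 0x01     # data field already carries the digest
SW_OK = b"\x90\x00"               # ISO 7816-4 status words
SW_WRONG_DATA = b"\x6a\x80"       # incorrect parameters in the data field
SW_SECURITY = b"\x69\x82"         # security status not satisfied
SW_NOT_FOUND = b"\x6a\x88"        # referenced data not found
SW_INS_UNSUPPORTED = b"\x6d\x00"


def digest(data: bytes) -> bytes:
    """SHA-256 stands in for SM3, which the Python stdlib does not portably expose."""
    return hashlib.sha256(data).digest()


class SecurityApplication:
    """Stands in for security application 31: PIN state and the key pairs stored
    under application/container. The private key never leaves this object."""

    def __init__(self):
        self.apps = {}   # app_id -> {"pin": str, "verified": bool, "keys": {container_id: bytes}}

    def install_key(self, app_id, container_id, pin, key):
        app = self.apps.setdefault(app_id, {"pin": pin, "verified": False, "keys": {}})
        app["keys"][container_id] = key

    def verify_pin(self, app_id, pin):
        app = self.apps[app_id]
        app["verified"] = hmac.compare_digest(pin, app["pin"])
        return app["verified"]

    def sign(self, app_id, container_id, dgst):
        """Fourth step: authority check, key lookup, then the signature itself."""
        app = self.apps.get(app_id)
        if app is None or not app["verified"]:
            return SW_SECURITY, b""
        key = app["keys"].get(container_id)
        if key is None:
            return SW_NOT_FOUND, b""
        # HMAC over the digest stands in for the SM2 signature the eSE would compute
        return SW_OK, hmac.new(key, dgst, hashlib.sha256).digest()


def build_sign_apdu(app_id: int, container_id: int, data: bytes, is_digest: bool) -> bytes:
    """Client-SDK side (GM/T 0016 call -> APDU). Assumed data-field layout:
    app_id || container_id || data, all inside the Lc-counted field."""
    body = bytes([app_id, container_id]) + data
    if len(body) > 255:
        raise ValueError("short APDU data field is limited to 255 bytes")
    p1 = P1_DIGEST if is_digest else P1_ORIGINAL
    return bytes([CLA_PRIVATE, INS_SIGN, p1, 0x00, len(body)]) + body


def parse_apdu(apdu: bytes):
    """First step, format check: header present, Lc consistent with the bytes sent,
    and enough data for app_id, container_id and at least one payload byte."""
    if len(apdu) < 5:
        return None
    cla, ins, p1, p2, lc = apdu[:5]
    data = apdu[5:]
    if lc < 3 or len(data) != lc or p1 not in (P1_ORIGINAL, P1_DIGEST):
        return None
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "data": data}


class TrustedApplication:
    """Stands in for TA21: parses the APDU, hashes when needed, forwards the
    signature instruction to the eSE and wraps the reply as response || SW."""

    def __init__(self, se: SecurityApplication):
        self.se = se

    def handle(self, apdu: bytes) -> bytes:
        cmd = parse_apdu(apdu)
        if cmd is None:
            return SW_WRONG_DATA              # malformed: refused before the eSE is touched
        if cmd["ins"] != INS_SIGN:
            return SW_INS_UNSUPPORTED
        app_id, container_id, payload = cmd["data"][0], cmd["data"][1], cmd["data"][2:]
        # Second step: original text is hashed in the TEE; a digest is passed through
        dgst = digest(payload) if cmd["p1"] == P1_ORIGINAL else payload
        if len(dgst) != 32:
            return SW_WRONG_DATA
        # Third to fifth steps: the eSE signs, TA21 returns signature || status word
        sw, sig = self.se.sign(app_id, container_id, dgst)
        return sig + sw


def split_response(resp: bytes):
    """Client side: separate the response data from the trailing status word."""
    return resp[:-2], resp[-2:]


def run_flow():
    """Exercises the flow on constructed data and returns (data, SW) pairs."""
    se = SecurityApplication()
    ta = TrustedApplication(se)
    se.install_key(app_id=1, container_id=2, pin="123456", key=b"constructed-private-key")
    msg = b"constructed message to sign"
    denied = split_response(ta.handle(build_sign_apdu(1, 2, msg, is_digest=False)))
    se.verify_pin(1, "123456")
    from_text = split_response(ta.handle(build_sign_apdu(1, 2, msg, is_digest=False)))
    from_digest = split_response(ta.handle(build_sign_apdu(1, 2, digest(msg), is_digest=True)))
    bad_lc = split_response(ta.handle(bytes([CLA_PRIVATE, INS_SIGN, 0, 0, 9]) + b"\x01\x02"))
    return denied, from_text, from_digest, bad_lc
```

Signing the same message once as original text and once as a pre-computed digest yields the same signature, which is what the second step of claim 1 requires, and the format check in parse_apdu runs before the eSE is involved, matching the first step. Before the PIN is verified the eSE answers 6982 with no signature data, so the authority decision stays in the security chip rather than in the TEE.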
CN201911268846.2A 2019-12-11 2019-12-11 Method and equipment for realizing cryptographic function service based on trusted execution environment and security chip Active CN111177701B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911268846.2A CN111177701B (en) 2019-12-11 2019-12-11 Method and equipment for realizing cryptographic function service based on trusted execution environment and security chip

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201911268846.2A CN111177701B (en) 2019-12-11 2019-12-11 Method and equipment for realizing cryptographic function service based on trusted execution environment and security chip

Publications (2)

Publication Number Publication Date
CN111177701A CN111177701A (en) 2020-05-19
CN111177701B true CN111177701B (en) 2022-09-13

Family

ID=70655461

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201911268846.2A Active CN111177701B (en) 2019-12-11 2019-12-11 Method and equipment for realizing cryptographic function service based on trusted execution environment and security chip

Country Status (1)

Country Link
CN (1) CN111177701B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112101949B (en) * 2020-09-18 2022-12-16 支付宝(杭州)信息技术有限公司 Safe service request processing method and device
CN115618328B (en) * 2022-12-16 2023-06-13 飞腾信息技术有限公司 Security architecture system, security management method, computing device, and readable storage medium
CN115618327B (en) * 2022-12-16 2023-06-13 飞腾信息技术有限公司 Security architecture system, security management method, computing device, and readable storage medium
CN117353921B (en) * 2023-12-06 2024-02-13 飞腾信息技术有限公司 Key management method, device, computing equipment and computer readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103793815A (en) * 2014-01-23 2014-05-14 武汉天喻信息产业股份有限公司 Mobile intelligent terminal acquirer system and method suitable for bank cards and business cards
CN104318182A (en) * 2014-10-29 2015-01-28 中国科学院信息工程研究所 Intelligent terminal isolation system and intelligent terminal isolation method both based on processor safety extension
CN105574440A (en) * 2014-10-31 2016-05-11 惠普发展公司,有限责任合伙企业 Hardware-protective data processing systems and methods using an application executing in a secure domain
CN107426174A (en) * 2017-06-09 2017-12-01 武汉果核科技有限公司 A kind of access control system and method for credible performing environment

Family Cites Families (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103002027B (en) * 2012-11-26 2015-09-02 中国科学院高能物理研究所 Data-storage system and the method for tree directory structure is realized based on key-value pair system
US8935746B2 (en) * 2013-04-22 2015-01-13 Oracle International Corporation System with a trusted execution environment component executed on a secure element
CN104077533B (en) * 2014-07-17 2017-09-15 北京握奇智能科技有限公司 A kind of method and apparatus for operating sensitive data
CN105812332A (en) * 2014-12-31 2016-07-27 北京握奇智能科技有限公司 Data protection method
US10846696B2 (en) * 2015-08-24 2020-11-24 Samsung Electronics Co., Ltd. Apparatus and method for trusted execution environment based secure payment transactions
CN106127074B (en) * 2016-06-24 2018-12-21 江西金格科技股份有限公司 A kind of storage of storage equipment and its data and read method based on intelligent key
CN106650461A (en) * 2016-11-23 2017-05-10 北京握奇智能科技有限公司 Mobile terminal and access method of embedded type security module based on same
KR102604046B1 (en) * 2016-11-28 2023-11-23 삼성전자주식회사 Method for Managing Program and Electronic Device supporting the same
CN107027115B (en) * 2017-04-18 2020-06-16 深圳融卡智能科技有限公司 Equipment and method for safely realizing soft SIM card
CN107392055A (en) * 2017-07-20 2017-11-24 深圳市金立通信设备有限公司 A kind of dual system safety chip control method, terminal, computer-readable recording medium and the dual system framework based on safety chip
WO2019071650A1 (en) * 2017-10-09 2019-04-18 华为技术有限公司 Method for upgrading application in security element and related device
CN109872148B (en) * 2017-12-01 2021-06-29 北京握奇智能科技有限公司 Trusted data processing method and device based on TUI and mobile terminal
CN108229956A (en) * 2017-12-13 2018-06-29 北京握奇智能科技有限公司 Network bank business method, apparatus, system and mobile terminal
CN108234509A (en) * 2018-01-16 2018-06-29 国民认证科技(北京)有限公司 FIDO authenticators, Verification System and method based on TEE and PKI certificates
US11126699B2 (en) * 2018-02-07 2021-09-21 Nec Corporation Replica trusted execution environment: enabling seamless replication of trusted execution environment (TEE)-based enclaves in the cloud
CN108595982B (en) * 2018-03-19 2021-09-10 中国电子科技集团公司第三十研究所 Secure computing architecture method and device based on multi-container separation processing
CN108616352B (en) * 2018-04-13 2022-01-18 北京握奇智能科技有限公司 Dynamic password generation method and system based on secure element
CN110401538B (en) * 2018-04-24 2022-04-22 北京握奇智能科技有限公司 Data encryption method, system and terminal
CN108733455B (en) * 2018-05-31 2020-08-18 上海交通大学 Container isolation enhancing system based on ARM TrustZone
CN109040147B (en) * 2018-10-30 2023-08-15 北京握奇智能科技有限公司 Encryption and decryption method and system based on TEE+SE


Also Published As

Publication number Publication date
CN111177701A (en) 2020-05-19


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant