CN113536285A - Special password encryption method and device for terminal equipment - Google Patents
Special password encryption method and device for terminal equipment Download PDFInfo
- Publication number
- CN113536285A CN113536285A CN202010283410.7A CN202010283410A CN113536285A CN 113536285 A CN113536285 A CN 113536285A CN 202010283410 A CN202010283410 A CN 202010283410A CN 113536285 A CN113536285 A CN 113536285A
- Authority
- CN
- China
- Prior art keywords
- password
- operation instruction
- tee
- special
- password operation
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The application discloses a special password encryption method and a special password encryption device for terminal equipment, and the method comprises the following steps: when the terminal equipment detects a password operation instruction of an application layer, the password operation instruction is sent to a TEE client side of a safe execution environment; the TEE client sends the password operation instruction to a trusted application TA used for processing the password operation instruction in the TEE system; and the TA analyzes the password operation instruction, executes the password operation instruction by calling a corresponding algorithm in a special password algorithm library in the TEE system according to the analysis result, and feeds back the execution result to the application layer through the TEE client. By applying the technical scheme disclosed by the application, the security of calling the special password algorithm is ensured by utilizing the TEE system, the realization cost is reduced, the power consumption is reduced, and the overall performance of the terminal equipment is improved on the premise of ensuring the security intensity by utilizing the special password.
Description
Technical Field
The present application relates to the field of information security technologies, and in particular, to a method and an apparatus for encrypting a password dedicated to a terminal device.
Background
At present, in order to meet the requirements of some clients with higher information security requirements, a plurality of terminal devices adopt an encryption method of a special password, and the encryption method is approved by a third party authority so as to ensure the information security strength of the terminal.
In order to ensure the security of the encryption method, the existing encryption method of the special password is usually realized by adding a hardware module. Specifically, the encryption method of the special password is preset in a special password hardware module (such as a TF password card, a sim key, a film card and the like), the password hardware module provides an operation processing interface of the special password to an application layer through an adaptive terminal drive and password service provided by an integrated password card provider, and the application layer of the terminal equipment realizes a corresponding encryption and decryption processing function based on the special password by calling the interfaces. In practical applications, some manufacturers place the hardware cryptographic module outside the terminal device, and some manufacturers place the hardware cryptographic module inside the terminal device.
The inventor discovers that in the process of implementing the invention: the existing encryption method for the special password has the problems of high hardware cost, large power consumption and reduction of the overall service performance of the terminal. Through careful research and analysis on the above prior art, the inventors found that the main reasons for the above problems are as follows:
1. the existing scheme depends on the realization of a password hardware module, so that the hardware cost can be greatly increased due to the addition of the hardware of the terminal equipment. The password cards in the industry are usually hundreds of yuan, and the increased cost ratio is very high relative to most mobile phone terminals.
2. The introduction of the cipher hardware module requires the terminal device to supply power to the cipher hardware module, so that the power consumption of the terminal can be greatly increased, and the cipher hardware module is especially external. Since the terminal devices using the cryptographic hardware module are generally used in mobile offices of industrial customers, the demands of the customers on the sustainable use time of the terminal devices are high, and the increase of the power consumption can cause the sustainable use time of the terminal to be obviously reduced, so that the demands of the long sustainable use time cannot be met.
3. The existing cryptographic hardware module, no matter what kind of form is adopted for implementation, has low chip computing power and small running memory, so that the limited computing power can cause the processing efficiency of the cryptographic hardware module to be low, thereby often becoming the performance bottleneck of the whole service and being incapable of meeting some services with high performance requirements, such as video services and the like.
Disclosure of Invention
In view of the above, the main objective of the present invention is to provide a method and an apparatus for encrypting a private password of a terminal device, which can reduce implementation cost, reduce power consumption, and improve overall performance of the terminal device on the premise of ensuring security strength by using the private password.
A special password encryption method for a terminal device comprises the following steps:
when the terminal equipment detects a password operation instruction of an application layer, the password operation instruction is sent to a TEE client side of a safe execution environment;
the TEE client sends the password operation instruction to a trusted application TA used for processing the password operation instruction in the TEE system;
and the TA analyzes the password operation instruction, executes the password operation instruction by calling a corresponding algorithm in a special password algorithm library in the TEE system according to the analysis result, and feeds back the execution result to the application layer through the TEE client.
Preferably, the sending the cryptographic operation instruction to the secure execution environment TEE client includes:
and the terminal equipment sends the password operation instruction to a TEE client side of a safe execution environment through a preset standard interface of a special password.
A special password encryption apparatus for a terminal device, comprising:
the application layer module is used for sending the password operation instruction to the TEE client side when the password operation instruction of the application layer is detected;
the TEE client is used for sending the password operation instruction to a trusted application TA (trusted application TA) used for processing the password operation instruction in the TEE system;
and the TEE system module is used for analyzing the password operation instruction by the TA, executing the password operation instruction by calling a corresponding algorithm in a special password algorithm library in the TEE system according to the analysis result, and feeding back the execution result to the application layer through the TEE client.
Preferably, the application layer operation module is configured to send the password operation instruction to a safe execution environment TEE client through a preset standard interface of a dedicated password.
The application also discloses a terminal device, which is characterized by comprising a processor and a memory;
the memory stores an application program executable by the processor for causing the processor to execute the terminal device specific cryptographic encryption method as described above.
The application also discloses a computer readable storage medium, which is characterized in that computer readable instructions are stored, and the computer readable instructions are used for executing the special password encryption method of the terminal equipment.
According to the technical scheme, the special password encryption method and device for the terminal equipment, provided by the application, utilize the security of the TEE system, place the special password algorithm library in the TEE system, and configure the corresponding trusted application TA for processing the password operation instruction in the TEE system, so that the application in the terminal operation system can call the TA in the TEE system through the TEE client to complete the operations of encryption and decryption of the special password of the corresponding information and the like. Therefore, the security of operations such as encryption and decryption of the special password of the security execution environment guarantee provided by the TEE system can be fully utilized, the security of the terminal equipment is enhanced, and a plurality of problems caused by additionally increasing the password hardware module are avoided, so that the purposes of reducing the implementation cost, reducing the power consumption and improving the overall performance of the terminal equipment can be achieved on the premise of guaranteeing the security strength by utilizing the special password.
Drawings
FIG. 1 is a schematic flow chart of a method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a terminal system architecture according to an embodiment of the present invention;
fig. 3 is a structural diagram of a private cryptographic apparatus of a terminal device according to the present invention.
Fig. 4 is a structural diagram of a terminal device according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the accompanying drawings and specific embodiments.
In the present application, it will be considered to ensure the security of the private password encryption by using the secure execution environment in the terminal device.
The secure execution environment (TEE) is essentially a secure Operating System (OS), which is a simplified real-time operating system, and its main purpose is to create a Trusted execution environment under an Android platform to store confidential data of a user.
The secure OS is implemented based on ARM's TrustZone technology. The TrustZone technology can protect peripherals such as a secure memory, an encryption block, a keyboard, a screen and the like on hardware, thereby ensuring that the peripherals are prevented from being attacked by software. TrustZone technology is an extension of the ARM processor core, so that a single processor can safely and effectively switch between the secure world and the non-secure world in a time slice manner. Based on the characteristics, the Android runs in a non-secure world, the secure OS runs in a secure world, and the two systems are isolated from each other on hardware, so that the security of the execution environment of the secure OS can be ensured.
In the embodiment of the invention, by utilizing the security of the TEE system, a special password operation instruction execution algorithm (comprising a special password interface, a special password service, a special password algorithm library and the like) is placed in the TEE system in advance, and a corresponding trusted application TA for processing the password operation instruction is configured in the TEE system, so that the application in the android system can call the TA in the TEE system through the TEE client, and the execution of the password operation instruction is independently completed in the TEE system, thus the following technical effects can be obtained:
1. the security intensity of the use of the special password can be ensured by fully utilizing the TEE system, and the security requirement of the relevant authority mechanism of the special password can be ensured to be met.
2. Because the TEE system is a module of the terminal device and no additional new hardware is added, the cost is not increased, and the power consumption is not additionally increased.
3. The operation of the TEE system is essentially that the terminal processor operates in a time-sharing mode, that is, the dedicated cryptographic operation of the present application is also performed by the processor of the terminal, so that the overall performance of the terminal device can be improved because the processing capability of the processor of the terminal is much stronger than that of the processor of the cryptographic module in the industry, and the overall performance reduction of the terminal device caused by the limitation of the processing capability of the cryptographic hardware module is avoided.
Fig. 1 is a schematic flowchart of a method according to an embodiment of the present invention, and as shown in fig. 1, a method for encrypting a private password of a terminal device implemented in the embodiment mainly includes:
In this step, when the terminal device detects a password operation instruction of the application layer, that is, when a certain APP sends an operation instruction to the terminal device operating system, and the terminal device finds that the instruction belongs to the password operation instruction through the parsing instruction, the operating system sends the password operation instruction to the TEE client, and the TEE client transfers the password operation instruction to the corresponding APP in the TEE system, so that the password operation instruction is executed in the TEE system.
Preferably, a standard interface of a special password is arranged between the application of the terminal equipment operating system and the TEE client, the standard interface is used for providing a group of standard special password operating interfaces for the application layer, and meanwhile, a password instruction sent by the application is converted into a special password operating instruction which can be identified by the TEE client and the trusted application in the TEE system, so that the safety of special password operation can be improved, the low-level operating instruction of the special password is shielded, and the convenience of calling a special password encryption algorithm in the TEE system by the application layer is improved. Based on this, in one embodiment, the following steps may be adopted in step 101 to send the cryptographic operation instruction to the secure execution environment TEE client:
and the terminal equipment sends the password operation instruction to a TEE client side of a safe execution environment through a preset standard interface of a special password.
Preferably, the standard interface may be defined in advance according to an interface standard required by an authority issuing the private password.
And 102, the TEE client sends the password operation instruction to a trusted application TA (trusted application TA) used for processing the password operation instruction in the TEE system.
In this step, after receiving the password operation instruction, the TEE client transfers the password operation instruction to a Trusted Application (TA) for processing the password operation instruction in the TEE system, so as to trigger execution of corresponding processing operation in the TEE system. It should be noted that, in order to implement that the corresponding dedicated cryptographic processing method is called in the TEE system to execute the cryptographic operation instruction, a trusted application needs to be configured in the TEE system, and the TA runs in the secure OS.
And 103, the TA analyzes the password operation instruction, executes the password operation instruction by calling a corresponding algorithm in a special password algorithm library in the TEE system according to the analysis result, and feeds back the execution result to the application layer through the TEE client.
In this step, the specific implementation of analyzing the password operation instruction and executing the password operation instruction by calling a corresponding algorithm in a special password algorithm library in the TEE system according to the analysis result is known by those skilled in the art, and is not described herein again.
Fig. 2 is a schematic diagram of a terminal system according to a preferred embodiment of the present invention. As shown in fig. 2, the trusted zone (TrustZone) is a physically separate zone on the terminal hardware platform, and the secure OS runs on top of the TrustZone, which constitute the TEE system. As described above, the security of the TEE and the physical isolation of the TEE from the terminal hardware and software may ensure the security strength of the dedicated cryptographic operations performed therein. The special cryptographic operation instruction execution algorithm in fig. 2 is used to execute a specific cryptographic operation, where the special cryptographic internal interface and the special cryptographic service module are used to enable a Trusted Application (TA) in the TEE system to call an algorithm in a special cryptographic algorithm library, and specific implementation methods of these interfaces and services are known by those skilled in the art and are not described herein again. The TEE client (TEECA) runs on an android system and communicates with the TA through a standard interface, and since the communication between the TEECA and the TA needs to be verified in various ways, the TEECA client can ensure that only authorized applications can use the channel to call a special cryptographic algorithm. A layer of special password operation interface is also packaged on the TEECA, and the interface is used for common applications in the android system and can be defined according to an interface standard required by an authority issuing the special password.
Fig. 3 is a structural diagram of a private password encryption apparatus of a terminal device implemented according to the present invention, as shown in fig. 3, the apparatus includes:
the application layer module 301 is configured to send a password operation instruction to a security execution environment TEE client when the password operation instruction of the application layer is detected;
the TEE client 302 is configured to send the password operation instruction to a trusted application TA in the TEE system, where the trusted application TA is used for processing the password operation instruction;
the TEE system module 303 is configured to analyze the password operation instruction by the TA, execute the password operation instruction by calling a corresponding algorithm in a special password algorithm library in the TEE system according to the analysis result, and feed back the execution result to the application layer through the TEE client.
In an embodiment, the application layer operation module 301 is configured to send the password operation instruction to a secure execution environment TEE client through a standard interface of a preset special password.
Fig. 4 is a block diagram of a private network cluster terminal according to the present invention.
As shown in fig. 4, the private network cluster terminal includes: a processor 401 and a memory 402; in which a memory 402 stores an application executable by the processor 401 for causing the processor 401 to perform a method for cryptographic private use of a terminal device as described in any one of the above.
The memory 402 may be embodied as various storage media such as an Electrically Erasable Programmable Read Only Memory (EEPROM), a Flash memory (Flash memory), and a Programmable Read Only Memory (PROM). Processor 401 may be implemented to include one or more central processors or one or more field programmable gate arrays that integrate one or more central processor cores. In particular, the central processor or central processor core may be implemented as a CPU or MCU.
It should be noted that not all steps and modules in the above flows and structures are necessary, and some steps or modules may be omitted according to actual needs. The execution order of the steps is not fixed and can be adjusted as required. The division of each module is only for convenience of describing adopted functional division, and in actual implementation, one module may be divided into multiple modules, and the functions of multiple modules may also be implemented by the same module, and these modules may be located in the same device or in different devices.
The hardware modules in the various embodiments may be implemented mechanically or electronically. For example, a hardware module may include a specially designed permanent circuit or logic device (e.g., a special purpose processor such as an FPGA or ASIC) for performing specific operations. A hardware module may also include programmable logic devices or circuits (e.g., including a general-purpose processor or other programmable processor) that are temporarily configured by software to perform certain operations. The implementation of the hardware module in a mechanical manner, or in a dedicated permanent circuit, or in a temporarily configured circuit (e.g., configured by software), may be determined based on cost and time considerations.
The present invention also provides a machine-readable storage medium storing instructions for causing a machine to perform a method as described herein. Specifically, a system or an apparatus equipped with a storage medium on which a software program code that realizes the functions of any of the embodiments described above is stored may be provided, and a computer (or a CPU or MPU) of the system or the apparatus is caused to read out and execute the program code stored in the storage medium. Further, part or all of the actual operations may be performed by an operating system or the like operating on the computer by instructions based on the program code. The functions of any of the above-described embodiments may also be implemented by writing the program code read out from the storage medium to a memory provided in an expansion board inserted into the computer or to a memory provided in an expansion unit connected to the computer, and then causing a CPU or the like mounted on the expansion board or the expansion unit to perform part or all of the actual operations based on the instructions of the program code.
Examples of the storage medium for supplying the program code include floppy disks, hard disks, magneto-optical disks, optical disks (e.g., CD-ROMs, CD-R, CD-RWs, DVD-ROMs, DVD-RAMs, DVD-RWs, DVD + RWs), magnetic tapes, nonvolatile memory cards, and ROMs. Alternatively, the program code may be downloaded from a server computer or the cloud by a communication network.
"exemplary" means "serving as an example, instance, or illustration" herein, and any illustration, embodiment, or steps described as "exemplary" herein should not be construed as a preferred or advantageous alternative. For the sake of simplicity, the drawings are only schematic representations of the parts relevant to the invention, and do not represent the actual structure of the product. In addition, in order to make the drawings concise and understandable, components having the same structure or function in some of the drawings are only schematically illustrated or only labeled. In this document, "a" does not mean that the number of the relevant portions of the present invention is limited to "only one", and "a" does not mean that the number of the relevant portions of the present invention "more than one" is excluded. In this document, "upper", "lower", "front", "rear", "left", "right", "inner", "outer", and the like are used only to indicate relative positional relationships between relevant portions, and do not limit absolute positions of the relevant portions.
The above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (6)
1. A special password encryption method for a terminal device is characterized by comprising the following steps:
when the terminal equipment detects a password operation instruction of an application layer, the password operation instruction is sent to a TEE client side of a safe execution environment;
the TEE client sends the password operation instruction to a trusted application TA used for processing the password operation instruction in the TEE system;
and the TA analyzes the password operation instruction, executes the password operation instruction by calling a corresponding algorithm in a special password algorithm library in the TEE system according to the analysis result, and feeds back the execution result to the application layer through the TEE client.
2. The method of claim 1, wherein: sending the cryptographic operation instruction to a secure execution environment (TEE) client comprises:
and the terminal equipment sends the password operation instruction to a TEE client side of a safe execution environment through a preset standard interface of a special password.
3. A special password encryption device for a terminal device, comprising:
the application layer module is used for sending the password operation instruction to the TEE client side when the password operation instruction of the application layer is detected;
the TEE client is used for sending the password operation instruction to a trusted application TA (trusted application TA) used for processing the password operation instruction in the TEE system;
and the TEE system module is used for analyzing the password operation instruction by the TA, executing the password operation instruction by calling a corresponding algorithm in a special password algorithm library in the TEE system according to the analysis result, and feeding back the execution result to the application layer through the TEE client.
4. The private cryptographic apparatus of claim 3,
and the application layer operation module is used for sending the password operation instruction to the TEE client side through a preset standard interface of a special password.
5. A terminal device comprising a processor and a memory;
the memory stores an application program executable by the processor for causing the processor to execute the private cryptographic method of the terminal device according to any one of claims 1 to 2.
6. A computer-readable storage medium having stored therein computer-readable instructions for executing the terminal device specific cryptographic encryption method according to any one of claims 1 to 2.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010283410.7A CN113536285A (en) | 2020-04-13 | 2020-04-13 | Special password encryption method and device for terminal equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010283410.7A CN113536285A (en) | 2020-04-13 | 2020-04-13 | Special password encryption method and device for terminal equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113536285A true CN113536285A (en) | 2021-10-22 |
Family
ID=78087798
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010283410.7A Pending CN113536285A (en) | 2020-04-13 | 2020-04-13 | Special password encryption method and device for terminal equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113536285A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116484438A (en) * | 2022-01-17 | 2023-07-25 | 荣耀终端有限公司 | Information processing method and device |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105812332A (en) * | 2014-12-31 | 2016-07-27 | 北京握奇智能科技有限公司 | Data protection method |
| CN109658545A (en) * | 2018-04-02 | 2019-04-19 | 深圳中泰智丰物联网科技有限公司 | A kind of cipher set-up method and network access system of network lock |
| CN110401538A (en) * | 2018-04-24 | 2019-11-01 | 北京握奇智能科技有限公司 | Data ciphering method, system and terminal |
| CN110868416A (en) * | 2019-11-15 | 2020-03-06 | 北京握奇智能科技有限公司 | Method and equipment for realizing cryptographic function service based on trusted execution environment |
-
2020
- 2020-04-13 CN CN202010283410.7A patent/CN113536285A/en active Pending
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105812332A (en) * | 2014-12-31 | 2016-07-27 | 北京握奇智能科技有限公司 | Data protection method |
| CN109658545A (en) * | 2018-04-02 | 2019-04-19 | 深圳中泰智丰物联网科技有限公司 | A kind of cipher set-up method and network access system of network lock |
| CN110401538A (en) * | 2018-04-24 | 2019-11-01 | 北京握奇智能科技有限公司 | Data ciphering method, system and terminal |
| CN110868416A (en) * | 2019-11-15 | 2020-03-06 | 北京握奇智能科技有限公司 | Method and equipment for realizing cryptographic function service based on trusted execution environment |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116484438A (en) * | 2022-01-17 | 2023-07-25 | 荣耀终端有限公司 | Information processing method and device |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP3484125B1 (en) | Method and device for scheduling interface of hybrid cloud | |
| US11076295B2 (en) | Remote management method, and device | |
| CN106899571B (en) | Information interaction method and device | |
| US11025415B2 (en) | Cryptographic operation method, method for creating working key, cryptographic service platform, and cryptographic service device | |
| WO2019134361A1 (en) | Method and device for calling an interface and responding to an interface call, electronic device, and medium | |
| CN104871484A (en) | System and method for an endpoint hardware assisted network firewall in a security environment | |
| CN105975867B (en) | A kind of data processing method | |
| CN109769010B (en) | Method, device, equipment and storage medium for accessing CloudStack server based on SDK | |
| CN106127059A (en) | The realization of credible password module and method of servicing on a kind of ARM platform | |
| CN115225269A (en) | Key management method, device and system for distributed password card | |
| CN104281272A (en) | Password input processing method and device | |
| CN112987942A (en) | Method, device and system for inputting information by keyboard, electronic equipment and storage medium | |
| CN106375996B (en) | Virtual user identity identification card protection method, application processor and terminal | |
| CN101807237B (en) | Signature method and device | |
| CN111008384A (en) | Artificial intelligence platform configuration file encryption method, system, terminal and storage medium | |
| CN113536285A (en) | Special password encryption method and device for terminal equipment | |
| CN116418522A (en) | Cloud server crypto-engine system based on virtualization technology | |
| CN103873245B (en) | Dummy machine system data ciphering method and equipment | |
| CN111984991A (en) | Data encryption storage method, system, terminal and storage medium | |
| CN108848094B (en) | Data security verification method, device, system, computer equipment and storage medium | |
| CN109327864A (en) | Flow processing method, device, equipment and storage medium | |
| CN115883078A (en) | File encryption method, file decryption method, file encryption device, file decryption equipment and storage medium | |
| US20160014115A1 (en) | Apparatus used for security information interaction | |
| CN113037760B (en) | Message sending method and device | |
| CN115333753A (en) | Internet protocol address generation method and device, storage medium and electronic equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |