CN114465726A - Digital wallet security framework system based on security unit and trusted execution environment - Google Patents


Info

Publication number: CN114465726A
Authority: CN (China)
Application number: CN202210381523.XA
Other languages: Chinese (zh)
Other versions: CN114465726B (en)
Prior art keywords: key, execution environment, trusted, security, digital
Inventors: 佟冬, 杨波, 张彦超
Current and original assignee: Beijing Unionpay Card Technology Co ltd
Legal status: Granted; Active

Classifications

    • H04L 9/50: Cryptographic mechanisms or arrangements for secret or secure communications; network security protocols using hash chains, e.g. blockchains or hash trees
    • H04L 9/0897: Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage, involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
    • G06Q 20/367: Payment architectures, schemes or protocols using electronic wallets or electronic money safes, involving electronic purses or money safes
    • G06Q 20/3829: Payment protocols insuring higher security of transaction, involving key management
    • G09C 1/00: Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system
    • H04L 9/0869: Generation of secret information including derivation or calculation of cryptographic keys or passwords, involving random numbers or seeds
    • H04L 2209/12: Details relating to cryptographic hardware or logic circuitry
    • H04L 2209/56: Financial cryptography, e.g. electronic payment or e-cash
    • H04L 9/3242: Means for verifying the identity or authority of a user of the system or for message authentication, using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC


Abstract

The invention provides a digital wallet security framework system based on a security unit (SE) and a trusted execution environment (TEE). Its hardware comprises a security unit and a mobile-terminal central processing unit supporting ARM TrustZone technology. Within the digital currency wallet security framework system, the digital currency wallet base service relies on the cryptographic algorithm library, the trusted UI, the logic engine and the key manager to provide identity authentication, secure storage, key operations, dual offline transactions and other services to a plurality of digital currency wallet trusted applications. In this scheme the security unit protects the core keys, while the trusted execution environment protects the execution of security-sensitive programs and the sensitive information they handle, so that the security unit and the trusted execution environment jointly protect the digital assets in the digital currency wallet and the respective technical advantages of the SE and the TEE are both exploited.

Description

Digital wallet security framework system based on security unit and trusted execution environment
Technical Field
The invention relates to the field of digital currency offline transactions, in particular to a digital wallet security framework system based on a security unit and a trusted execution environment.
Background
Worldwide, the development of cryptocurrencies, and of global stablecoins in particular, is moving the financial field from the information age into the digital age, and the international community is paying close attention to the development of central bank digital currency. For governments, digital currency, as the lifeblood of the digital economy, has become necessary financial infrastructure for building a digital economy suited to the times. As the central banks of various countries deepen their research on digital currency, its target positioning, applicable scenarios, technical architecture and the positive changes it brings to the financial system become clearer.
Given the use scenarios of retail central bank digital currency and the current state of domestic mobile payment, the mobile terminal device is the most suitable medium for the public to use this type of digital currency. Mobile payment technology brings a convenient consumption experience to end users, but it also introduces complex problems of personal privacy data leakage.
In addition, dual offline payment, one of the cash-like functions of central bank digital currency, is not compatible with existing mobile payment technology, and this can conceal potential security hazards. If such a digital currency wallet is implemented on the existing mobile payment technology infrastructure, data protection may be insufficient, creating a risk of data leakage; problems such as data leakage pose security risks that can spread throughout the financial system. How to provide a transaction environment in which mobile dual offline payments can be performed safely is therefore an urgent problem to be solved.
Disclosure of Invention
The invention provides a digital currency wallet security framework system based on a security unit and a trusted execution environment, which is used to solve the problem that the mobile-terminal dual offline payment environment of the prior art carries security risks.
To achieve the above object, the present invention provides a digital currency wallet security framework system based on a security unit and a trusted execution environment. The system includes a rich execution environment, a hardware platform and a trusted execution environment. The rich execution environment holds a digital currency wallet application and a rich execution environment operating system; the trusted execution environment holds a plurality of digital currency wallet trusted applications and a trusted execution environment operating system; the hardware platform comprises a security unit that can only be accessed by the trusted execution environment, and resources in the hardware platform cannot be occupied by the rich execution environment and the trusted execution environment at the same time. A rich execution environment message agent in the rich execution environment operating system receives trusted service requests from the digital currency wallet application in the rich execution environment and forwards them to a trusted application in the trusted execution environment. The digital currency wallet trusted applications in the trusted execution environment execute the corresponding security-sensitive programs after receiving the instruction and parameters forwarded by the logic engine. A digital currency wallet base service in the trusted execution environment provides a unified service interface for the digital currency wallet trusted applications. The security unit generates a terminal master key when the terminal is powered on for the first time, derives a storage root key from the terminal master key, derives a storage key from the storage root key when needed and transmits it to the trusted execution environment, and the storage key is cleared immediately after use. The digital currency wallet application provides basic functions to the user, while the digital currency wallet trusted application ensures that the security-sensitive programs execute correctly and that sensitive information is not leaked to unauthorized parties. The security-sensitive programs include digital currency dual offline transactions and/or digital currency cashing and/or digital certificate import, and the sensitive information includes digital certificates and/or secret keys and/or private keys and/or payment passwords and/or transaction records and/or user personal privacy information.
Preferably, the trusted execution environment operating system further includes a trusted execution environment message agent, configured to process the trusted service request command packet forwarded by the rich execution environment message agent: it parses the data in the command packet, verifies the validity of that data, then repackages the instruction packet and sends it to a logic engine in the trusted execution environment operating system.
Preferably, the trusted execution environment operating system includes a cryptographic algorithm library and a key manager. The cryptographic algorithm library includes at least a symmetric cryptographic algorithm, an asymmetric cryptographic algorithm and multiple hash algorithms. The key manager is the only module in the trusted execution environment that has access rights to the security unit; it periodically monitors all keys involved in the digital currency transaction process and ensures their confidentiality and integrity.
Preferably, the trusted execution environment operating system includes a trusted UI. When the trusted UI is invoked, control of the display screen and the touch screen is taken over from the rich execution environment, so that the authenticity and integrity of the relevant data during human-computer interaction are ensured.
Preferably, the trusted execution environment operating system includes a logic engine, which manages the available software and hardware resources, performs the trusted boot of trusted applications, and/or routes trusted service requests through a trusted device driver in the trusted execution environment operating system.
Preferably, when the terminal is powered on for the first time, the security unit generates a terminal master key and derives the storage root key from it as follows: the true random number generator inside the security unit outputs a random number of fixed length, which is used as the terminal master key tmk; the security element of the terminal holds a key derivation function (formula image not reproduced) that maps the key seed space to the derived key space; this key derivation function and tmk are used to generate the storage root key srk (formula image not reproduced), which is used only for deriving other keys.
Preferably, the digital currency wallet trusted application protects sensitive information from unauthorized disclosure as follows: a storage key derived from the storage root key srk (formula image not reproduced) encapsulates the data of the sensitive information held by the digital currency wallet trusted application in the terminal, namely the digital certificate and/or key and/or private key and/or payment password and/or transaction record and/or user personal privacy information. After derivation the storage key is transmitted from the security unit SE to the trusted execution environment TEE, the encapsulation of the sensitive information is carried out in the trusted execution environment, and the data block obtained after encapsulation is stored outside both the security unit and the trusted execution environment.
Preferably, encapsulating sensitive information in the digital currency wallet trusted application in the terminal with a storage key derived from the storage root key srk comprises the following steps (the derivation and encapsulation formulas are images not reproduced here): the key derivation function and the storage root key srk are used to generate a key that protects the integrity of the sensitive data; the derivation label consists of a string identifying the derived key as a storage key for secure storage, a string indicating that the derived key is used to calculate a message authentication code, and a string corresponding to the item of sensitive information currently being protected. After this key has been securely transmitted to the trusted execution environment, it is used with the encapsulation function to compute the security-hardened data block. In the notation of the formulas, applying the MAC function with a key to plaintext data yields its message authentication code, and the hardened block is obtained by computing the message authentication code over the protected data with the MAC function and the derived integrity key.
Preferably, as another form of the above technical solution, encapsulating sensitive information in the digital currency wallet trusted application in the terminal with a storage key derived from the storage root key srk comprises the following steps (the formulas are images not reproduced here): the key derivation function and the storage root key srk are used to generate keys that protect both the confidentiality and the integrity of the sensitive data; the derivation label consists of a string identifying the derived keys as storage keys for secure storage, a string indicating that the first derived key is used to encrypt the data and the second derived key is used to calculate a message authentication code, and a string corresponding to the item of sensitive information currently being protected. After these keys have been securely transmitted to the trusted execution environment, they are used with the encapsulation function to compute the security-hardened data block. In the notation of the formulas, applying the encryption function with a key to plaintext data yields its ciphertext, and the hardened block is obtained by encrypting the protected data with the encryption function and the derived key.
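The key hierarchy and the two encapsulation variants described above (tmk from the true random number generator, srk derived from tmk and used only for further derivation, labelled per-item storage keys handed to the TEE and cleared after use, integrity-only and encrypt-plus-MAC data blocks) as a runnable Python model. This is an added example, not code from the patent or its assignee; the HMAC-based key derivation function, the HMAC counter-mode stream cipher standing in for SM4, SHA-256 standing in for SM3, the label layout and all sample data are assumptions.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256  # stand-in for the SM3 hash named on the page (assumption)


def kdf(seed: bytes, label: bytes, length: int = 32) -> bytes:
    """Counter-mode KDF over HMAC (SP 800-108 style); constructed stand-in for
    the page's key derivation function. The label gives domain separation."""
    out = b""
    counter = 1
    while len(out) < length:
        out += hmac.new(seed, counter.to_bytes(4, "big") + label, HASH).digest()
        counter += 1
    return out[:length]


class SecureElementSim:
    """Simulated security unit: tmk and srk never leave this object; only
    per-purpose storage keys are handed to the (simulated) TEE."""

    def __init__(self) -> None:
        self._tmk = secrets.token_bytes(32)          # TRNG output of fixed length
        self._srk = kdf(self._tmk, b"storage-root")  # used only to derive other keys

    def storage_key(self, purpose: bytes, data_id: bytes, length: int = 32) -> bytes:
        # Label = storage marker || purpose (MAC, or ENC+MAC) || identifier of the
        # data item being protected, so every item gets its own key.
        return kdf(self._srk, b"STORAGE|" + purpose + b"|" + data_id, length)


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC in counter mode used as a stream cipher: constructed stand-in for SM4."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), HASH).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class TeeSealer:
    """Simulated TEE side: fetch a storage key, seal or open one block, clear the key."""

    TAG = HASH().digest_size
    NONCE = 16

    def __init__(self, se: SecureElementSim) -> None:
        self._se = se

    def _use_key(self, purpose: bytes, data_id: bytes, length: int, fn):
        key = bytearray(self._se.storage_key(purpose, data_id, length))
        try:
            return fn(bytes(key))
        finally:
            key[:] = b"\0" * len(key)   # cleared right after use (best effort in Python)

    def seal_integrity(self, data_id: bytes, plaintext: bytes) -> bytes:
        # Integrity-only block: plaintext || MAC(k_mac, plaintext)
        tag = self._use_key(b"MAC", data_id, 32,
                            lambda k: hmac.new(k, plaintext, HASH).digest())
        return plaintext + tag

    def open_integrity(self, data_id: bytes, block: bytes):
        plaintext, tag = block[:-self.TAG], block[-self.TAG:]
        expected = self._use_key(b"MAC", data_id, 32,
                                 lambda k: hmac.new(k, plaintext, HASH).digest())
        return plaintext if hmac.compare_digest(expected, tag) else None

    def seal_confidential(self, data_id: bytes, plaintext: bytes) -> bytes:
        # Confidentiality+integrity block: nonce || Enc(k_enc, plaintext) || MAC(k_mac, ...)
        nonce = secrets.token_bytes(self.NONCE)

        def seal(k: bytes):
            ciphertext = _keystream_xor(k[:32], nonce, plaintext)
            return ciphertext, hmac.new(k[32:], data_id + nonce + ciphertext, HASH).digest()

        ciphertext, tag = self._use_key(b"ENC+MAC", data_id, 64, seal)
        return nonce + ciphertext + tag

    def open_confidential(self, data_id: bytes, block: bytes):
        nonce, ciphertext = block[:self.NONCE], block[self.NONCE:-self.TAG]
        tag = block[-self.TAG:]

        def unseal(k: bytes):
            expected = hmac.new(k[32:], data_id + nonce + ciphertext, HASH).digest()
            if not hmac.compare_digest(expected, tag):   # verify before decrypting
                return None
            return _keystream_xor(k[:32], nonce, ciphertext)

        return self._use_key(b"ENC+MAC", data_id, 64, unseal)


def demo() -> dict:
    """Round-trip both block types and show that a modified block is rejected."""
    se = SecureElementSim()
    tee = TeeSealer(se)
    record = b'{"txn": "dual-offline-pay", "amount": "12.50"}'   # constructed sample
    sealed_i = tee.seal_integrity(b"txn-record-1", record)
    sealed_c = tee.seal_confidential(b"payment-password", b"1234")
    tampered = bytes([sealed_c[0] ^ 0x01]) + sealed_c[1:]       # flip one nonce bit
    return {
        "integrity_ok": tee.open_integrity(b"txn-record-1", sealed_i) == record,
        "confidential_ok": tee.open_confidential(b"payment-password", sealed_c) == b"1234",
        "tamper_rejected": tee.open_confidential(b"payment-password", tampered) is None,
        "keys_differ": se.storage_key(b"MAC", b"a") != se.storage_key(b"MAC", b"b"),
    }
```

Because the data identifier is part of the derivation label and of the MAC input, a block sealed for one item cannot be opened as another, and a block sealed on one device cannot be opened on a device with a different tmk.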
The technical scheme of the invention provides a digital currency wallet security framework system based on a security unit and a trusted execution environment, comprising a rich execution environment, a hardware platform and a trusted execution environment. The rich execution environment holds a digital currency wallet application and a rich execution environment operating system; the trusted execution environment holds a plurality of digital currency wallet trusted applications and a trusted execution environment operating system; the hardware platform comprises a security unit that can only be accessed by the trusted execution environment, and resources in the hardware platform cannot be occupied by the rich execution environment and the trusted execution environment at the same time. A rich execution environment message agent in the rich execution environment operating system communicates directly with the digital currency wallet application in the rich execution environment and sends trusted service requests to a trusted application in the trusted execution environment. The digital currency wallet trusted applications in the trusted execution environment execute the corresponding security-sensitive programs after receiving the instruction and parameters forwarded by the logic engine. The security unit generates a terminal master key when the terminal is powered on for the first time, derives a storage root key from the terminal master key, derives a storage key from the storage root key when needed and transmits it to the trusted execution environment, and the storage key is cleared immediately after use. The digital currency wallet application provides basic functions to the user, while the digital currency wallet trusted application ensures that the security-sensitive programs execute correctly and that sensitive information is not leaked to unauthorized parties. The security-sensitive programs include digital currency dual offline transactions, digital currency cashing and returning, digital certificate import and the like, and the sensitive information includes digital certificates, secret keys, private keys, payment passwords, transaction records, user personal privacy information and the like.
The invention provides a safe processing and storage environment for sensitive information such as digital certificates, private keys, secret keys, payment passwords and the like related to the digital currency wallet, comprehensively reinforces the execution processes of security sensitive programs such as double off-line transactions, digital currency cashing and returning, certificate importing and the like of the digital currency wallet, and provides comprehensive protection for digital assets of digital currency users.
Drawings
To illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings required for the embodiments or the prior-art solutions are briefly described below. The drawings described below show some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of a digital currency wallet security framework system based on a security unit and a trusted execution environment provided by the invention.
Fig. 2 is a schematic diagram of the key system of the security unit digital currency wallet related in the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some embodiments of the present invention, but not all embodiments. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
Fig. 1 is a schematic structural diagram provided by an embodiment of the present invention. As shown in Fig. 1, the digital currency wallet security framework system based on a security unit and a trusted execution environment includes a rich execution environment, a hardware platform and a trusted execution environment. The rich execution environment comprises a number of mobile-terminal applications (APPs), the digital currency wallet application and a rich execution environment operating system containing a rich execution environment message agent. The hardware platform comprises a mobile-terminal central processor supporting ARM TrustZone technology and a security unit. The trusted execution environment comprises a number of trusted applications, the digital currency wallet trusted application and a trusted execution environment operating system. The trusted execution environment operating system includes a digital currency wallet base service, a cryptographic algorithm library, a trusted UI, a logic engine, a key manager, a trusted execution environment message agent, a trusted device driver and the like.
Specifically, the rich execution environment message agent is a daemon in the kernel of the REE (rich execution environment) operating system, and an application in the rich execution environment can request a service of the trusted execution environment only through this message agent. The application in the rich execution environment sends the trusted service request command packet to the rich execution environment message agent, which forwards the request to the trusted application in the TEE (trusted execution environment). When passing a trusted service request, the agent assembles, according to the request type, the command packet that invokes the trusted service in the TEE. It is also responsible for receiving the response data packet of the trusted service request and returning it to the request initiator.
The trusted execution environment message agent is used for processing the trusted service request command packet forwarded by the rich execution environment message agent, analyzing the instruction and parameter data in the command packet, verifying the validity of the instruction and the parameter, and then re-encapsulating the instruction packet and routing to the logic engine.
The digital currency wallet base service depends on the cryptographic algorithm library, the key manager, the trusted UI and the like, and provides uniform, standard service interfaces for secure storage, identity authentication, key operations, dual offline transactions and so on to each digital currency wallet trusted application; it is also responsible for allocating mutually isolated software and hardware resources to the digital currency wallet trusted applications.
Cryptographic algorithm library: provides cryptographic algorithm support for the digital currency wallet base service, the key manager, the logic engine and other trusted applications, including symmetric and asymmetric cryptographic algorithms and a variety of hash algorithms, such as the SM2, SM3 and SM4 algorithms.
Key manager: manages all keys used in the trusted execution environment, relying on the financial-grade security characteristics of the SE (secure element), and performs full life-cycle management and control of keys covering generation, derivation, import, use, storage, destruction and so on. It is also responsible for protecting the confidentiality and integrity of keys and is the only module in the TEE with SE access rights. It provides a key binding function that ensures each digital currency wallet trusted application can only access and use the keys bound to it.
The digital currency wallet application that takes advantage of the TEE security features is implemented in two parts: a digital currency wallet application in the rich execution environment and a digital currency wallet trusted application in the trusted execution environment. The digital currency wallet application provides basic (non-security-sensitive) functionality to the user, including the graphical user interface (GUI), data processing, remote access and so on. The digital currency wallet trusted application executes the security-sensitive programs and processes the sensitive information.
Resources in the hardware platform cannot be simultaneously occupied by the rich execution environment and the trusted execution environment. The central processor of the mobile terminal supports and is protected by the ARM TrustZone extension technology, and the SE component in hardware can only be accessed by the TEE. The SE can resist laboratory level attack technology and protect the equipment master key from being accessed by the outside without authorization.
When the trusted man-machine interaction (trusted UI) is used, the display screen and the touch screen of the terminal are taken over from the REE, authenticity and integrity of relevant data during man-machine interaction are guaranteed, and when the display screen and/or the touch screen display transaction amount, input transaction amount or payment password, the trusted UI prevents relevant sensitive information from being stolen or tampered by an adversary.
The logic engine is the core of the TEE operating system, and is driven and managed by a trusted device in the trusted execution environment operating system to use available software and hardware resources, execute trusted start of the trusted application, and route the trusted service request to the corresponding trusted application. And when the trusted start is executed, each started trusted application is endowed with a fixed unique identity, so that the digital money wallet basic service can control software and hardware resources which can be accessed by each digital money wallet trusted application according to the identity.
The safety unit is used for generating a terminal master key when the terminal is powered on for the first time, deriving a storage root key by using the terminal master key, deriving a storage key based on the storage root key when needed, transmitting the storage key to a trusted execution environment, and immediately clearing the storage key after the storage key is used; wherein the digital currency wallet application provides basic functions to a user, and the digital currency wallet trusted application is used for ensuring that the security sensitive program execution flow is correct and sensitive information is not leaked by unauthorized; the security sensitive program comprises programs such as digital currency double-off-line transaction, digital currency cashing and returning, digital certificate importing and the like, and the sensitive information comprises a digital certificate, a secret key, a private key, a payment password, transaction records, user personal privacy information and the like.
The generation of the key is illustrated with reference to fig. 2:
The security unit generates a terminal master key and a derived storage root key when the terminal is powered on for the first time, and stores both securely inside the security unit. The true random number generator inside the secure element outputs a random number of fixed length, which is taken as the terminal master key tmk. After obtaining tmk, the security element performs key derivation; the security element of the terminal has a key derivation function [formula image], where [formula image] is the key seed space and [formula image] is the derived key space. Using the key derivation function [formula image] and tmk, a storage root key that is used only to derive other keys is generated: [formula image].
Before transmitting keys to the trusted execution environment TEE, the secure element SE establishes a secure transmission channel: the key manager in the TEE negotiates a session key for key transport with the SE using the SM2 key exchange protocol implemented in the cryptographic algorithm library according to the national cryptographic standard. Under this session key, the SE and the TEE can transmit keys securely.
The TrustZone-based trusted execution environment is used for sensitive information management, as follows: a storage key derived from the storage root key srk [formula image] encapsulates at least the digital certificates, cryptographic keys and payment password related to the digital currency wallet in the terminal. The storage key is transmitted securely from the SE to the TEE after derivation, the encapsulation of the sensitive information is performed inside the trusted execution environment, and the data block obtained after encapsulation is stored outside the security unit and the trusted execution environment.
The following illustrates, by way of example and not limitation, how sensitive information is protected from unauthorized disclosure.
The character string [formula image] corresponds to the item of sensitive information currently being protected. For example, if the type of sensitive information currently being protected is a key, and the keys comprise key 1 (data) and key 2 (data), then key 1 and key 2 correspond to two different strings [formula image].
The protection of the digital certificate [formula image] and the private key [formula image] in the sensitive information is now taken as an example. The key [formula image] and the key [formula image] obtained in the following flow protect the data in the current sensitive information. Further, when digital certificates and/or keys and/or payment passwords and/or transaction records and/or user privacy information are protected in the following manner, the specific values of the key [formula image] and the key [formula image] obtained below change with the type of sensitive information currently being protected, and the remaining steps are the same.
The details are as follows:
1. The storage key derived from the storage root key srk [formula image] encapsulates the digital certificate related to the digital currency wallet in the terminal and protects the integrity of the digital certificate [formula image]. In this case the string [formula image] corresponds to the digital certificate [formula image]; for ease of understanding, in this embodiment [formula image] is replaced directly by the character string [formula image].
Using the key derivation function [formula image] and the storage root key [formula image], generate the key [formula image] that protects the integrity of the digital certificate [formula image]:
[formula image]
where the character string [formula image] identifies the derived key as being for secure storage, and the character string [formula image] indicates that the derived key is used to calculate a message authentication code.
After the key [formula image] has been transmitted securely to the TEE, the Data_Seal function [formula image] is used to compute the security-hardened data block [formula image]:
[formula image]
The above formula is calculated as follows:
[formula image]
where [formula image] denotes calculating a message authentication code over the plaintext data [formula image] using the function [formula image] and the key [formula image], and [formula image] denotes calculating a message authentication code over the data [formula image] using the function [formula image] and the key [formula image].
The digital currency wallet trusted application that owns the data can use the Data_Unseal function [formula image] to verify and recover the digital certificate [formula image] from [formula image]: it first obtains the key [formula image] from the SE, then executes [formula image] and recovers the data after verification:
[formula image]
This is calculated as follows: the data block [formula image] is divided into a data area and a message authentication code area. The data area stores the data [formula image], which can be denoted [formula image]; the message authentication code area stores [formula image], which can be denoted [formula image]. To verify data integrity, [formula image] is computed and compared with [formula image]; if they are the same, the plaintext data [formula image] is returned, and if they differ, an exception is returned.
2. Protecting the confidentiality and integrity of the private key [formula image]. In this case the string [formula image] corresponds to the private key [formula image]; for ease of understanding, in this embodiment [formula image] is replaced directly by the character string [formula image].
Using [formula image] and srk, generate the key [formula image] that protects the confidentiality and integrity of the private key data [formula image]:
[formula image]
where the character string [formula image] identifies the derived keys as being for secure storage, and the character string [formula image] indicates that the first derived key is used to encrypt data and the second derived key is used to calculate a message authentication code.
After the key [formula image] has been transmitted securely to the TEE, the Data_Seal function [formula image] is used to compute the security-hardened data block [formula image]:
[formula image]
The above formula is calculated as follows:
[formula image]
where [formula image] denotes encrypting the plaintext data [formula image] using the function [formula image] and the key [formula image]. The digital currency wallet trusted application that owns the data can use the Data_Unseal function [formula image] to verify and recover the private key data [formula image] from [formula image]: it first obtains the key [formula image] from the SE, then executes [formula image] and recovers the data after verification:
[formula image]
This is calculated as follows: the data block [formula image] is divided into a data area and a message authentication code area. The data area stores the ciphertext data [formula image], which can be denoted [formula image]; the message authentication code area stores [formula image], which can be denoted [formula image]. To verify data integrity, [formula image] is computed and compared with [formula image]; if they are the same, the plaintext is recovered from the ciphertext data: [formula image], where [formula image] denotes decrypting the data [formula image] using the function [formula image] and the key [formula image]. If verification fails, an exception is returned.
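The two protection modes above (integrity only for the certificate; encryption plus message authentication code for the private key), as an added example that is not part of the patent or its implementation. The Python standard library has no SM3/SM4, so HMAC-SHA256 stands in for the KDF and the MAC and an HMAC counter-mode keystream stands in for the SM4 cipher; the label strings, the data identifiers, the sample srk and the per-seal nonce are assumptions. The MAC area is always verified, in constant time, before the data area is returned or decrypted, and a key derived for a different data identifier fails verification, which is the key-binding property the description relies on.

```python
"""Data_Seal / Data_Unseal model (added example, not the patent's code).

The standard library has no SM3/SM4, so HMAC-SHA256 stands in for the KDF and the
MAC, and an HMAC-SHA256 counter-mode keystream stands in for the SM4 cipher.
Label strings and data identifiers are assumed names.
"""
import hashlib
import hmac
import secrets

MAC_LEN = 32
NONCE_LEN = 16
MODE_INTEGRITY = "integrity"            # e.g. the digital certificate
MODE_CONF_INTEGRITY = "conf+integrity"  # e.g. the private key


class IntegrityError(Exception):
    """Raised by data_unseal when the message authentication code does not verify."""


def kdf(seed: bytes, label: bytes, length: int) -> bytes:
    """Derive `length` bytes from `seed` and `label` (counter-mode PRF expansion)."""
    out = b""
    counter = 1
    while len(out) < length:
        out += hmac.new(seed, counter.to_bytes(4, "big") + label, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def derive_storage_key(srk: bytes, data_id: bytes, mode: str) -> bytes:
    """SE side: the storage key bound to one item of sensitive information.
    Integrity mode: one 32-byte MAC key. Confidentiality mode: 64 bytes, the first
    key for encryption and the second for the MAC, as in the patent's description."""
    if mode == MODE_INTEGRITY:
        return kdf(srk, b"SecureStorage|MAC|" + data_id, 32)
    return kdf(srk, b"SecureStorage|ENC+MAC|" + data_id, 64)


def _ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR data with HMAC(key, nonce || block counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def data_seal(storage_key: bytes, data: bytes, mode: str) -> bytes:
    """TEE side: build the security-hardened block = data area || MAC area."""
    if mode == MODE_INTEGRITY:
        body, k_mac = data, storage_key
    else:
        k_enc, k_mac = storage_key[:32], storage_key[32:]
        nonce = secrets.token_bytes(NONCE_LEN)  # assumption: per-seal nonce, not shown in the patent
        body = nonce + _ctr_xor(k_enc, nonce, data)
    return body + hmac.new(k_mac, body, hashlib.sha256).digest()


def data_unseal(storage_key: bytes, block: bytes, mode: str) -> bytes:
    """TEE side: verify the MAC area first, and only then return (and decrypt) the data area."""
    if len(block) < MAC_LEN:
        raise IntegrityError("block too short")
    body, tag = block[:-MAC_LEN], block[-MAC_LEN:]
    k_mac = storage_key if mode == MODE_INTEGRITY else storage_key[32:]
    expected = hmac.new(k_mac, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise IntegrityError("message authentication code mismatch")
    if mode == MODE_INTEGRITY:
        return body
    nonce, ciphertext = body[:NONCE_LEN], body[NONCE_LEN:]
    return _ctr_xor(storage_key[:32], nonce, ciphertext)


def try_unseal(storage_key: bytes, block: bytes, mode: str):
    """Recovered data, or None when verification fails."""
    try:
        return data_unseal(storage_key, block, mode)
    except IntegrityError:
        return None


def demo() -> dict:
    """Both protection modes on constructed sample data."""
    srk = hashlib.sha256(b"constructed srk for the example").digest()  # never a real key
    cert = b"-----BEGIN CERTIFICATE-----constructed-----END CERTIFICATE-----"
    priv = b"constructed private key bytes 0123456789"

    # 1. Digital certificate: integrity only.
    k_cert = derive_storage_key(srk, b"wallet.cert", MODE_INTEGRITY)
    blk_cert = data_seal(k_cert, cert, MODE_INTEGRITY)
    tampered = bytearray(blk_cert)
    tampered[5] ^= 0x01  # flip one bit in the data area

    # 2. Private key: confidentiality and integrity.
    k_priv = derive_storage_key(srk, b"wallet.privkey", MODE_CONF_INTEGRITY)
    blk_priv = data_seal(k_priv, priv, MODE_CONF_INTEGRITY)
    k_other = derive_storage_key(srk, b"wallet.other", MODE_CONF_INTEGRITY)  # bound to another item

    return {
        "cert_recovered": data_unseal(k_cert, blk_cert, MODE_INTEGRITY) == cert,
        "cert_tamper_detected": try_unseal(k_cert, bytes(tampered), MODE_INTEGRITY) is None,
        "priv_hidden": priv not in blk_priv,
        "priv_recovered": data_unseal(k_priv, blk_priv, MODE_CONF_INTEGRITY) == priv,
        "wrong_key_rejected": try_unseal(k_other, blk_priv, MODE_CONF_INTEGRITY) is None,
    }
```

`demo()` returns a dictionary of five checks, all of which hold: the certificate round-trips and a single flipped bit is rejected; the private key is absent from its sealed block, round-trips, and cannot be unsealed with a key derived for a different data identifier. The patent's formula for the confidentiality mode shows no nonce; the one added here is what makes repeated sealing of the same item produce distinct blocks under a stream-cipher stand-in.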
The technical solution of the present invention is described by a specific embodiment:
When a dual offline transaction is initiated: the payer and payee operate the digital currency wallet application in the rich execution environment of the mobile terminal, which triggers a dual offline transaction instruction. A trusted service request is sent through the rich execution environment message agent and the hardware platform to the trusted application in the trusted execution environment TEE; the digital currency wallet trusted application executes the dual offline transaction function and selects and runs different sub-functions according to the payer or payee role. During sending, the trusted execution environment message agent checks the validity of the command and parameters and then forwards the trusted service request command packet to the logic engine in the TEE.
After receiving the trusted service request command packet, the logic engine in the TEE parses the target digital wallet trusted application from the command packet, loads the code of the target digital wallet from the storage area into secure memory controlled by the TEE, verifies the authenticity and integrity of the code, and only then runs the target digital wallet program and passes the trusted service request command packet to it; if the authenticity and integrity verification fails, the loading process is terminated and an exception is returned.
Once running, the target digital currency wallet trusted application processes the received trusted service request command packet, parses the instructions and parameters, and executes different programs according to the instructions, such as a dual offline transaction program, a digital currency redemption program, a certificate update program or another custom program. The digital wallet trusted application uses the TEE's trusted computing resources, trusted storage resources and so on through the standardized digital currency wallet basic service.
The digital currency wallet basic service is implemented with the Data_Seal and Data_Unseal functions. It allocates a data secure storage space to each digital wallet trusted application and, through the key manager, a key secure storage space to each digital wallet trusted application, so that the sensitive information stored by each digital wallet trusted application is isolated from that of the others. Based on the trusted UI, the digital currency wallet basic service customizes a uniform information input and output interface for each wallet trusted application, which improves the interoperability of digital currency wallets. Combining the cryptographic algorithm library with a defined security policy, the digital currency wallet basic service selects a sufficiently secure encryption algorithm and encryption mode for each wallet trusted application. By combining secure storage, the trusted UI, cryptographic keys and cryptographic algorithm capabilities, the digital currency wallet basic service provides standardized dual offline transaction, digital currency redemption, certificate update or other custom functions for the individual wallet trusted applications. For example, when the dual offline transaction function is invoked, the digital currency wallet basic service obtains the storage key of the relevant sensitive information from the SE through the key manager, and then invokes the Data_Unseal function to verify and recover the relevant transaction key and certificate.
Different sub-processes are executed according to the payer and payee roles. The payee terminal, after obtaining the key, waits for the transaction to continue. On the payer terminal, the user enters the payment password at the prompt of the uniform, customized information input and output interface; the TEE computes a hash-based message authentication code (HMAC) over the user's payment password and compares it with the HMAC of the payment password stored securely in the TEE. If the comparison fails, the transaction is stopped and an exception is returned; if it succeeds, the user is prompted through the information input and output interface to perform the next operation and the transaction waits to continue. The payee and payer terminals then exchange transaction data using near field communication and jointly complete the transaction flow. When the transaction is finished, the digital currency wallet basic service informs the user of the result through the uniform, customized information input and output interface.
When signature computation or verification is required in the process, the digital currency wallet basic service uses the SM2 and SM3 algorithms in the cryptographic algorithm library; when wallet data is updated or transaction record data is stored, the digital currency wallet basic service calls the Data_Seal function to encapsulate the data, protecting its confidentiality and integrity. Wallet data is the set of long-term stored, updatable data belonging to the user, including digital currency, the identity digital certificate and other information; transaction record data is the information generated after a transaction that proves the authenticity of the transaction and the transfer of funds, including the transaction amount, time, payer certificate, payee certificate, payer signature and the like.
When TEE software and hardware resources are used in the process, the logic engine, the digital currency wallet basic service, the key manager and other components use them through the trusted device drivers, which include a display driver, a touch screen driver, a security unit driver, a near field communication module driver and the like.
When the process requires obtaining the storage key for the relevant data from the SE, the digital currency wallet basic service sends an instruction and parameters to the SE through the key extraction interface of the key manager. On receiving the instruction, the SE calls the key derivation function
[formula image]
with the parameters and the storage root key to derive the corresponding storage key; the storage key is encrypted with the session key and returned to the key manager of the TEE, which decrypts it with the session key and returns the plaintext storage key to the digital currency wallet basic service. The storage key is cleared immediately after the encryption or decryption operation has been performed.
The technical solution makes full use of the respective strengths of the SE and TrustZone: the SE protects the device's multi-level key hierarchy and assigns a different storage key to the sensitive information used by each digital wallet trusted application, which improves the security of key and data storage; the TEE guarantees the execution security of the key flows of the digital currency wallet, and the digital currency wallet basic service integrates SE and TEE software and hardware resources to provide a uniform, standard functional interface to each digital currency wallet trusted application in the upper layer. The cash-like dual offline transaction built on the digital currency wallet basic service ensures that every digital currency wallet can execute a secure, uniform dual offline transaction, and that different wallets can transact and interoperate with each other.
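The SE-side key hierarchy introduced with reference to fig. 2 (tmk from the true random number generator, srk derived from tmk and used only to derive further keys) and the storage-key retrieval flow just described (derive in the SE, return under the session key, clear after use), as one added example that is not the patent's code. HMAC-SHA256 stands in for the KDF and the MAC, a constructed pre-shared session key stands in for the result of the SM2 key exchange, and secrets.token_bytes stands in for the SE's true random number generator; the label strings, the TA identities and the wrapping format are assumptions. The key manager binds each request to the requesting trusted application's fixed identity, as the description of the key binding function requires, so two trusted applications asking for "the certificate key" receive different keys.

```python
"""Added example: SE key hierarchy and session-key-protected storage-key transport.

Stand-ins (not the patent's algorithms): HMAC-SHA256 as KDF and MAC; a constructed
pre-shared session key in place of the SM2 key exchange; secrets.token_bytes in
place of the SE's true random number generator. Label strings are assumed names.
"""
import hashlib
import hmac
import secrets

KEY_LEN = 32
NONCE_LEN = 16


class IntegrityError(Exception):
    """A wrapped key failed its message authentication code check."""


def prf(key: bytes, label: bytes) -> bytes:
    """Single-step KDF stand-in: one 32-byte derived key per (key, label)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def zeroize(buf: bytearray) -> None:
    """Overwrite key material in place once it has been used."""
    for i in range(len(buf)):
        buf[i] = 0


class SecureElement:
    """Holds tmk and srk; neither ever leaves the SE. Only derived storage keys are exported."""

    def __init__(self):
        self._tmk = None
        self._srk = None
        self._session_key = None

    def first_power_on(self) -> None:
        if self._tmk is not None:
            raise RuntimeError("terminal master key already provisioned")
        self._tmk = secrets.token_bytes(KEY_LEN)          # TRNG stand-in
        self._srk = prf(self._tmk, b"SecureStorage|SRK")  # used only to derive other keys

    def set_session_key(self, session_key: bytes) -> None:
        self._session_key = session_key  # result of the (here simulated) key exchange with the TEE

    def export_storage_key(self, label: bytes) -> bytes:
        """Derive the storage key for `label`, return it wrapped under the session key, clear it."""
        if self._session_key is None:
            raise RuntimeError("no secure channel to the TEE established")
        storage_key = bytearray(prf(self._srk, b"SecureStorage|" + label))
        nonce = secrets.token_bytes(NONCE_LEN)
        pad = prf(self._session_key, b"wrap|" + nonce)
        wrapped = bytes(a ^ b for a, b in zip(storage_key, pad))
        tag = hmac.new(self._session_key, nonce + wrapped, hashlib.sha256).digest()
        zeroize(storage_key)  # plaintext copy cleared immediately after use
        return nonce + wrapped + tag


class KeyManager:
    """TEE component with the only SE access; binds each key to the requesting TA's identity."""

    def __init__(self, se: SecureElement, session_key: bytes):
        self._se = se
        self._session_key = session_key

    def unwrap(self, blob: bytes) -> bytearray:
        nonce = blob[:NONCE_LEN]
        wrapped = blob[NONCE_LEN:NONCE_LEN + KEY_LEN]
        tag = blob[NONCE_LEN + KEY_LEN:]
        expected = hmac.new(self._session_key, nonce + wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise IntegrityError("wrapped storage key failed verification")
        pad = prf(self._session_key, b"wrap|" + nonce)
        return bytearray(a ^ b for a, b in zip(wrapped, pad))

    def fetch_storage_key(self, ta_id: bytes, data_id: bytes) -> bytearray:
        # Key binding: the TA's fixed identity is part of the derivation label, so one TA
        # cannot obtain a key derived for another TA's data.
        return self.unwrap(self._se.export_storage_key(ta_id + b"|" + data_id))


def demo() -> dict:
    session_key = secrets.token_bytes(KEY_LEN)  # constructed stand-in for the SM2-negotiated key
    se = SecureElement()
    se.first_power_on()
    se.set_session_key(session_key)
    km = KeyManager(se, session_key)

    k_a = km.fetch_storage_key(b"TA-wallet-A", b"cert")
    k_a_again = km.fetch_storage_key(b"TA-wallet-A", b"cert")
    k_b = km.fetch_storage_key(b"TA-wallet-B", b"cert")

    blob = se.export_storage_key(b"TA-wallet-A|cert")
    corrupted = bytearray(blob)
    corrupted[NONCE_LEN + 3] ^= 0x80  # flip a bit in the wrapped key
    try:
        km.unwrap(bytes(corrupted))
        tamper_rejected = False
    except IntegrityError:
        tamper_rejected = True

    same = bytes(k_a) == bytes(k_a_again)
    isolated = bytes(k_a) != bytes(k_b)
    not_in_transit = bytes(k_a) not in blob
    zeroize(k_a_again)  # the basic service clears the key once the seal/unseal call is done
    return {
        "same_label_same_key": same,
        "ta_isolation": isolated,
        "key_not_in_transit_plaintext": not_in_transit,
        "tamper_rejected": tamper_rejected,
        "key_zeroized": bytes(k_a_again) == bytes(KEY_LEN),
    }
```

Because derivation is deterministic, the SE never has to store individual storage keys; it recomputes them on demand from srk and the label, and the only material that crosses the SE boundary is the wrapped, authenticated copy. The tmk and srk fields have no accessor, which is the property the patent attributes to the secure element.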
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (9)

1. A digital wallet security framework system based on a security unit and a trusted execution environment is characterized by comprising a rich execution environment, a hardware platform and the trusted execution environment,
the rich execution environment has a digital currency wallet application and a rich execution environment operating system;
the trusted execution environment is provided with a plurality of digital currency wallet trusted applications and a trusted execution environment operating system;
the hardware platform comprises a security unit which can only be accessed by the trusted execution environment, and resources in the hardware platform cannot be simultaneously occupied by the rich execution environment and the trusted execution environment;
a rich execution environment message broker in the rich execution environment operating system to receive a trusted service request for a digital currency wallet application in a rich execution environment and forward the trusted service request to a trusted application in a trusted execution environment;
a plurality of digital currency wallet trusted applications in the trusted execution environment execute corresponding security sensitive programs after receiving instructions and parameters through the trusted execution environment operating system; a digital currency wallet base service in the trusted execution environment provides a unified service interface for the plurality of digital currency wallet trusted applications;
the safety unit is used for generating a terminal master key when the terminal is powered on for the first time, deriving a storage root key by using the terminal master key, deriving a storage key based on the storage root key when needed, transmitting the storage key to the trusted execution environment, and immediately clearing the storage key after the storage key is used;
wherein the digital currency wallet application provides basic functions for users, and the digital currency wallet trusted application is used for protecting correct security sensitive program execution flow and sensitive information from unauthorized disclosure; wherein the security sensitive program comprises a digital currency dual offline transaction and/or a digital currency redemption and/or a digital certificate import program, and the sensitive information comprises data of a digital certificate and/or a secret key and/or a private key and/or a payment password and/or a transaction record and/or user personal privacy information.
2. The digital wallet security framework system of claim 1, wherein the trusted execution environment operating system further comprises a trusted execution environment message agent configured to process a trusted service request command packet forwarded by the rich execution environment message agent, parse data in the command packet, verify the validity of the data, and then repackage the instruction packet and send the repackaged instruction packet to a logic engine in the trusted execution environment operating system.
3. The digital wallet security framework system of claim 1, wherein the trusted execution environment operating system comprises a cryptographic algorithm library, a key manager, the cryptographic algorithm library comprising at least symmetric and asymmetric cryptographic algorithms and a hash algorithm; the key manager is a module which is only provided with the access authority of the security unit in the trusted execution environment, and is used for periodically monitoring all keys involved in the digital currency transaction process and ensuring the confidentiality and the integrity of the keys.
4. The digital wallet security framework system of claim 1, wherein the trusted execution environment operating system comprises a trusted UI that when invoked takes over display screen and touch screen permissions from the rich execution environment to ensure authenticity and integrity of human interaction data.
5. The digital wallet security framework system of claim 1, wherein the trusted execution environment operating system comprises a logic engine to execute trusted launch of trusted applications and/or to route trusted service requests through a trusted device driver in the trusted execution environment operating system.
6. The digital wallet security framework system of claim 1, wherein the security unit is configured to generate a terminal master key when the terminal is first powered up, and to derive the storage root key using the terminal master key, comprising:
the secure element internal true random number generator reads a random number of a fixed length as a terminal master key tmk;
in the security element of the terminal there is a key derivation function [formula image], where [formula image] is the key seed space and [formula image] is the derived key space; using the key derivation function [formula image] and the terminal master key tmk, a storage root key that is used only to derive other keys is generated: [formula image], where the character string [formula image] identifies the derived key as the storage root key for secure storage.
7. The digital wallet security framework system of claim 6, wherein the digital currency wallet trusted application is to protect sensitive information from unauthorized disclosure, comprising:
using a storage key derived from the storage root key [formula image] to encapsulate the data of the digital certificate and/or key and/or private key and/or payment password and/or transaction record and/or user personal privacy information in the sensitive information of the digital currency wallet trusted application in the terminal, wherein the storage key is transmitted from the security unit to the trusted execution environment after derivation, so that the encapsulation of the sensitive information is performed in the trusted execution environment, and the data block obtained after encapsulation is stored outside the security unit and the trusted execution environment.
8. The digital wallet security framework system of claim 7, wherein using the storage key derived from the storage root key [formula image] to encapsulate the sensitive information in the digital currency wallet trusted application in the terminal comprises:
using the key derivation function [formula image] and the storage root key srk to generate the key [formula image] that protects the integrity of the data of the sensitive information: [formula image], wherein the character string [formula image] identifies the derived key as a storage key for secure storage, the character string [formula image] indicates that the derived key is used to calculate a message authentication code, and the character string [formula image] corresponds to the data in the sensitive information currently to be protected;
after the key [formula image] has been transmitted securely to the trusted execution environment, using the function [formula image] to compute the security-hardened data block [formula image]: [formula image], calculated as follows: [formula image], where [formula image] denotes calculating a message authentication code over the plaintext data [formula image] using the function [formula image] and the key [formula image], and [formula image] denotes calculating a message authentication code over the data [formula image] using the function [formula image] and the key [formula image].
9. The digital wallet security framework system of claim 7, wherein using the storage key derived from the storage root key [formula image] to encapsulate the sensitive information in the digital currency wallet trusted application in the terminal comprises:
using the key derivation function [formula image] and the storage root key srk to generate the key [formula image] that protects the confidentiality and integrity of the data of the sensitive information: [formula image], wherein the character string [formula image] identifies the derived key as a storage key for secure storage, the character string [formula image] indicates that the first derived key is used to encrypt data and the second derived key is used to calculate a message authentication code, and the character string [formula image] corresponds to the data in the sensitive information currently to be protected;
after the key [formula image] has been transmitted securely to the trusted execution environment, using the function [formula image] to compute the security-hardened data block [formula image]: [formula image], calculated as follows: [formula image], where [formula image] denotes encrypting the plaintext data [formula image] using the function [formula image] and the key [formula image], and [formula image] denotes encrypting the data [formula image] using the function [formula image] and the key [formula image].
CN202210381523.XA 2022-04-13 2022-04-13 Digital wallet security framework system based on security unit and trusted execution environment Active CN114465726B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210381523.XA CN114465726B (en) 2022-04-13 2022-04-13 Digital wallet security framework system based on security unit and trusted execution environment

Publications (2)

Publication Number Publication Date
CN114465726A true CN114465726A (en) 2022-05-10
CN114465726B CN114465726B (en) 2022-06-28

EP2634703B1 (en) Removable storage device, and data processing system and method based on the device
CN111654367B (en) Method for cryptographic operation and creation of working key, cryptographic service platform and device
EP2095288B1 (en) Method for the secure storing of program state data in an electronic device
US20150310427A1 (en) Method, apparatus, and system for generating transaction-signing one-time password
WO2015065249A1 (en) Method and system for protecting information against unauthorized use (variants)
US20240305442A1 (en) Data management and encryption in a distributed computing system
KR100939725B1 (en) Certification method for a mobile phone
US20230327863A1 (en) Data management and encryption in a distributed computing system
CN116151827B (en) Digital wallet security system and double off-line transaction method based on security system
EP3961546A1 (en) Information sharing methods, apparatuses, and devices
CN111181960A (en) Safety credit granting and signature system based on terminal equipment block chain application
CN116886356A (en) Chip-level transparent file encryption storage system, method and equipment
Yang et al. AEP-M: Practical anonymous E-payment for mobile devices using ARM trustzone and divisible E-cash
US20180240111A1 (en) Security architecture for device applications
WO2008113302A2 (en) Method for generation of the authorized electronic signature of the authorized person and the device to perform the method
KR101604459B1 (en) Method, apparatus and system for generating transaction related otp
KR20130082845A (en) Automatic teller machine for generating a master key and method employing the same
EP4307611A1 (en) Data communication and cryptographic operations for secure wireless interactions
US20240144232A1 (en) Systems and methods for terminal device attestation for contactless payments
US20240020694A1 (en) Rapid secure wireless transaction
WO2024191507A1 (en) Credential management in a decentralized heterogeneous transaction system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant