CN115175179A - Access authorization method, device, terminal and storage medium - Google Patents

Info

Publication number: CN115175179A
Authority: CN (China)
Prior art keywords: sim card, information, tee, application, request
Legal status: Pending
Application number: CN202110298419.XA
Other languages: Chinese (zh)
Inventor: 霍薇靖
Current assignee: China Mobile Communications Group Co Ltd; China Mobile Communications Ltd Research Institute
Original assignee: China Mobile Communications Group Co Ltd; China Mobile Communications Ltd Research Institute

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12 Details relating to cryptographic hardware or logic circuitry
    • H04L2209/127 Trusted platform modules [TPM]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Telephone Function (AREA)

Abstract

The application discloses an authorized access method, an authorized access device, a terminal and a storage medium, wherein the method comprises the following steps: under the condition that a terminal application initiates a first request, carrying out encryption operation on received first information in a TEE based on a first set TA to obtain second information; wherein the first request is for requesting access to a SIM card application; the first information represents the identity of a user; decrypting the second information in the SIM card based on a second set TA to obtain the first information; and verifying the first information through the SIM card application so as to determine whether to carry out access authorization on the SIM card application for the terminal application according to a verification result.

Description

Access authorization method, device, terminal and storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to an access authorization method, an access authorization device, a terminal, and a storage medium.
Background
A Subscriber Identity Module (SIM) card is an important physical identifier of a subscriber's mobile identity. The SIM card serves as a security carrier whose storage space is open to third parties: it can host various card applications and provides services to the subscriber through terminal applications. Because the terminal environment contains various security risks, there are information security hazards when access to the SIM card is authorized.
Disclosure of Invention
In order to solve the related technical problem, embodiments of the present application provide an access authorization method, an apparatus, a terminal, and a storage medium.
The technical scheme of the embodiment of the application is realized as follows:
the embodiment of the application provides an access authorization method, which comprises the following steps:
under the condition that the terminal Application initiates a first request, encrypting the received first information based on a first set Trusted Application (TA) in a Trusted Execution Environment (TEE) to obtain second information; wherein the first request is for requesting access to a Subscriber Identity Module (SIM) card application; the first information represents a user identity;
decrypting the second information in the SIM card based on a second set TA to obtain the first information;
and verifying the first information through the SIM card application so as to determine whether to perform access authorization on the SIM card application on the terminal application according to a verification result.
In one embodiment, a first public key and a second public key for encryption and decryption are preset in both the TEE and the SIM card; the first public key is generated by a first Trusted Service Management platform (TSM) corresponding to the TEE; the second public key is generated by a second TSM corresponding to the SIM card;
before the terminal application initiates the first request, the method further comprises:
and loading a first private key corresponding to the first public key to the first set TA through a first TSM in the TEE, and loading a second private key corresponding to the second public key to the second set TA through a second TSM in the SIM card.
In an embodiment, before the encrypting the received first information based on the first set TA in the TEE, the method further comprises:
receiving the first information based on a third set TA in the TEE; wherein
the third set TA is used for receiving the first information input by the user in the TEE.
In an embodiment, before receiving the first information based on a third set TA in a TEE, the method further comprises:
after the terminal application initiates the first request, sending a second request to a SIM card access agent in a Rich Execution Environment (REE) through the terminal application; the second request is used for requesting a user to input the first information;
and sending the second request to the TEE through the SIM card access agent.
In an embodiment, the method further comprises:
and sending the second information generated by the first set TA to an SIM card through an SIM card access agent in the REE.
In an embodiment, the method further comprises:
sending the verification result to a SIM card access agent in the REE;
and sending the verification result to the terminal application through the SIM card access agent.
An embodiment of the present application further provides an access authorization apparatus, including:
the TEE module is used for carrying out encryption operation on the received first information based on a first set TA in the TEE under the condition that the terminal application initiates a first request to obtain second information; wherein the first request is for requesting access to a SIM card application; the first information represents the identity of a user;
the SIM card module is used for decrypting the second information in the SIM card based on a second set TA to obtain the first information; and verifying the first information through the SIM card application so as to determine whether to perform access authorization on the SIM card application on the terminal application according to a verification result.
An embodiment of the present application further provides a terminal, including: a first processor and a first communication interface; wherein
the first processor is used for carrying out an encryption operation on the received first information based on a first set TA in the TEE under the condition that the terminal application initiates a first request, to obtain second information; decrypting the second information in the SIM card based on a second set TA to obtain the first information; and verifying the first information through the SIM card application, so that whether the terminal application is authorized to access the SIM card application is determined according to a verification result; wherein
the first request is for requesting access to a SIM card application; the first information characterizes a user identity.
An embodiment of the present application further provides a terminal, including: a first processor and a first memory for storing a computer program capable of running on the processor,
wherein the first processor is configured to execute the steps of the method according to any of the above embodiments when the computer program is executed.
The present application further provides a storage medium having a computer program stored thereon, where the computer program is executed by a processor to implement the steps of the method according to any one of the above embodiments.
According to the authorized access method, the authorized access device, the terminal and the storage medium, when a terminal application initiates a first request for requesting access to an SIM card application, encryption operation is performed on received first information representing user identity based on a first set TA in a TEE to obtain second information, then the second information is decrypted in the SIM card based on the second set TA to obtain the first information, the first information is verified through the SIM card application, and whether access authorization related to the SIM card application is performed on the terminal application is determined according to a verification result. In the access authorization process, the first information representing the user identity is encrypted and transmitted between the TEE and the SIM card, so that the information leakage risk when the information is transmitted between the TEE and the SIM card is reduced, and the information safety hidden danger is avoided.
Drawings
Fig. 1 is a schematic diagram of a related art terminal architecture;
FIG. 2 is a schematic diagram illustrating a flow chart of an authorized access method according to an embodiment of the present application;
fig. 3 is a schematic diagram of a terminal architecture according to an embodiment of the present application;
FIG. 4 is a schematic diagram illustrating a flow chart of an authorized access method according to an embodiment of the present application;
FIG. 5 is a schematic diagram of an authorized access device according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of a terminal according to an embodiment of the present application.
Detailed Description
The SIM card and the Universal Subscriber Identity Module (USIM) card are important physical identifiers of the user's mobile identity. The SIM card serves as a security carrier whose storage space is open to third parties: it can host various SIM card applications developed jointly by an operator and third-party application developers, and on that basis provides services to the user through terminal applications. At present, various security risks exist in the terminal environment, including privacy disclosure, authentication risks, transaction networks, malicious software, phishing websites and the like; when a terminal application accesses the SIM card, the terminal cannot provide a secure environment, and information security risks exist. For example, when a banking application performs a transfer transaction based on a bank certificate stored in the SIM card, a password needs to be input to the SIM card. Referring to fig. 1, in the related art the password is input in the TEE, but since there is no communication interface between the TEE and the SIM card, the password input in the TEE still has to reach the SIM card through the REE, and it may be tampered with or stolen on the way.
Based on this, in the embodiment of the present application, when a terminal application initiates a first request for requesting access to an SIM card application, an encryption operation is performed on received first information representing a user identity based on a first set TA in a TEE to obtain second information, then, the second information is decrypted in the SIM card based on a second set TA to obtain the first information, and the first information is verified by the SIM card application to determine whether to perform access authorization on the terminal application with respect to the SIM card application according to a verification result.
The terms used in the examples of the present application are defined as follows:
TEE: an application management standard based on secure chip technology, provided by the GlobalPlatform organization (GP). The purpose of the TEE is to isolate highly security-sensitive applications from the general software environment and to provide secure access to hardware resources, including secure storage, secure display and user interface capabilities.
REE: the traditional terminal application running environment, such as the iOS and Android mobile operating systems.
The TEE is used to install, store and protect trusted applications, and the REE is used to install and store applications other than trusted applications. The TEE has its own operating system, isolated from the operating system in the REE. Applications in the REE have no direct access to TEE resources; they must go through the SIM card access agent to communicate with the TEE.
SIM card access agent: located in the REE, it provides the interface through which the terminal application accesses the SIM card and the access interface between the REE and the TEE. On one hand, the access agent can receive an instruction sent by the terminal application to the SIM card and forward it to the TEE; on the other hand, it can receive an instruction returned by the TEE and forward it to the SIM card. In addition, the access agent can receive the result returned by the SIM card and return it to the terminal application.
SIM card authorized access management TA: comprises a SIM card authorized access management TA located in the TEE and a SIM card authorized access management TA located in the SIM card. The SIM card authorized access management TA in the TEE receives information input by the user through other TAs in the TEE, such as a password input TA, a fingerprint input TA or another biometric input TA, and encrypts the user's input with a cryptographic algorithm such as RSA, Elliptic Curve Cryptography (ECC), the Advanced Encryption Standard (AES), the Triple Data Encryption Standard (3DES) or the Chinese national cryptographic (SM) algorithms. The SIM card authorized access management TA in the SIM card receives the instruction from the SIM card application in the SIM card, decrypts and verifies it, and then sends the verification result and the decrypted instruction to the corresponding SIM card application.
SIM card application: an in-card security application of the SIM card with its own service logic and the related authorized access capability. After receiving an instruction sent by the SIM card access agent in the REE, it sends the instruction to the authorized access management TA in the SIM card for verification; after receiving the verification result and the decrypted instruction from that TA, it executes the corresponding instruction and, on completion, returns the execution result to the SIM card access agent in the REE.
The present application will be described in further detail with reference to the following drawings and examples.
Fig. 2 is a schematic diagram illustrating an implementation of an authorized access method according to an embodiment of the present application, and referring to fig. 2, the method includes:
step 201: and under the condition that the terminal application initiates the first request, encrypting the received first information in the TEE based on the first set TA to obtain second information.
Wherein the first request is for requesting access to a SIM card application; the first information characterizes a user identity.
In actual application, the terminal application runs in the REE and requests access to the SIM card application. For example, a banking application running in the REE makes a transfer transaction request to access a banking certificate application in the SIM card. Before the terminal application accesses the SIM card application, the SIM card application needs to verify the user identity of the terminal application, and the terminal application is opened for authorized access after the verification is passed. Here, for the first information characterizing the user identity, an encryption operation is performed in the TEE based on the first setting TA.
In the embodiment of the present application, a SIM card authorized access management TA, i.e. a first set TA, is deployed in the TEE, and another SIM card authorized access management TA, i.e. a second set TA, is deployed in the SIM card. The first and second set TAs mainly perform the encryption operation and the decryption operation on the first information, respectively. In one embodiment, a first public key and a second public key for encryption and decryption are preset in both the TEE and the SIM card; the first public key is generated by a first TSM corresponding to the TEE; the second public key is generated by a second TSM corresponding to the SIM card;
before the terminal application initiates the first request, the method further comprises:
and loading a first private key corresponding to the first public key to the first set TA through a first TSM in the TEE, and loading a second private key corresponding to the second public key to the second set TA through a second TSM in the SIM card.
And the public and private key pair generated by the first TSM and the public and private key pair generated by the second TSM use the same cryptographic algorithm.
Illustratively, an operator and a terminal manufacturer agree to use the SM2 algorithm. The TSM of the terminal manufacturer generates SM2 public-private key pair 1, retains private key 1 on the TSM, and synchronizes public key 1 to the TSM of the operator. Likewise, the TSM of the operator generates SM2 public-private key pair 2, retains private key 2 on the TSM, and synchronizes public key 2 to the TSM of the terminal manufacturer. Before the terminal leaves the factory, public key 1 and public key 2 are obtained from the TSM of the terminal manufacturer and pre-stored in the terminal; before the SIM card leaves the factory, public key 1 and public key 2 are obtained from the TSM of the operator and pre-stored in the SIM card. When the terminal is in operation, the TEE downloads private key 1 into the first set TA from the TSM of the terminal manufacturer by over-the-air loading, and the SIM card downloads private key 2 into the second set TA from the TSM of the operator in the same way.
Through the acquisition mode of the public and private key pair, a safe private key transmission channel can be established between the TEE and the corresponding TSM and between the SIM card and the corresponding TSM, so that the information safety of the private key in the transmission process is effectively ensured.
In an embodiment, before encrypting the received first information based on the first set TA in the TEE, the method further includes:
receiving the first information based on a third set TA in the TEE; wherein
the third set TA is used for receiving the first information input by the user in the TEE.
Here, in case the terminal application initiates the first request, the first information input by the user is received in the TEE based on the third setting TA. The third setting TA is operated in the TEE, and the received first information includes, but is not limited to, fingerprint, voiceprint, password, iris image and other characteristic information capable of representing the identity of the user. By receiving the first information based on the third setting TA in the TEE, the information representing the user identity can be ensured to be input in a trusted environment, and information leakage is avoided.
In an embodiment, before receiving the first information based on a third set TA in a TEE, the method further comprises:
after the terminal application initiates the first request, sending a second request to a SIM card access agent in the REE through the terminal application; the second request is used for requesting a user to input the first information;
and sending the second request to the TEE through the SIM card access agent.
Here, the SIM card access agent provided in the REE serves as a communication interface between the REE and the TEE, and transmits the second request to the TEE, thereby receiving the first information input by the user in the TEE based on the third setting TA.
Step 202: and decrypting the second information in the SIM card based on a second set TA to obtain the first information.
Here, the second information obtained by encrypting the first information based on the first setting TA in the TEE is transmitted to the SIM card, and the second information is decrypted based on the second setting TA in the SIM card, thereby restoring the first information. In actual application, when a direct access interface does not exist between the TEE and the SIM card, the TEE and the SIM card communicate through the REE. Based on this, in an embodiment, the method further comprises:
and sending the second information generated by the first set TA to an SIM card through an SIM card access agent in the REE.
Here, the SIM card access agent provided in the REE serves as a communication interface between the TEE and the SIM card, and transmits the second information encrypted in the TEE to the SIM card, so that the SIM card decrypts the second information based on the second setting TA, and restores the first information.
Step 203: and verifying the first information through the SIM card application so as to determine whether to perform access authorization on the SIM card application on the terminal application according to a verification result.
In an embodiment, the method further comprises:
sending the verification result to a SIM card access agent in the REE;
and sending the verification result to the terminal application through the SIM card access agent.
Here, the SIM card access agent disposed in the REE serves as a communication interface between the REE and the SIM card, and sends a verification result of the SIM application in the SIM card on the first information to the terminal application in the REE, so that the terminal application can access the SIM card application when the verification result indicates that the terminal application is authorized by the SIM card application, and the terminal application cannot access the SIM card application when the verification result indicates that the terminal application is not authorized by the SIM card application.
According to the authorized access method, under the condition that a terminal application initiates a first request for requesting access to an SIM card application, encryption operation is carried out on received first information representing user identity in a TEE based on a first set TA to obtain second information, then the second information is decrypted in the SIM card based on the second set TA to obtain the first information, the first information is verified through the SIM card application, and whether access authorization related to the SIM card application is carried out on the terminal application or not is determined according to a verification result. In the access authorization process, the first information representing the user identity is encrypted and transmitted between the TEE and the SIM card, so that the information leakage risk when the information is transmitted between the TEE and the SIM card is reduced, and the information safety hidden danger is avoided.
Fig. 3 shows a schematic diagram of the terminal architecture of the embodiment of the present application. Compared with fig. 1, a SIM card authorized access management TA is added in both the TEE and the SIM card, so that the first information representing the user identity is encrypted in the SIM card authorized access management TA of the TEE and, after transmission to the SIM card, decrypted in the SIM card authorized access management TA of the SIM card, thereby implementing encrypted transmission of the first information between the TEE and the SIM card.
The present application will be described in further detail with reference to the following application examples.
Fig. 4 shows a mobile phone payment method provided in an application embodiment of the present application, specifically, a user starts a bank application on a mobile phone to perform mobile phone payment, and when the bank application needs to access an SIM card application on an SIM card for storing a bank certificate in a mobile phone payment process, the method includes the following steps:
Step 1: the bank application sends a second request to the SIM card access agent in the REE, i.e. a request for the user to enter the first information characterizing the user identity.
Step 2: the SIM card access agent sends the second request to the TEE.
Step 3: the TEE sends the second request to the third set TA.
Here, the TEE forwards the second request to the third set TA that corresponds to the type of information the second request asks the user to input. For example, if the second request asks for the user's fingerprint information, the third set TA is a TA running in the TEE that captures and analyzes the fingerprint image input by the user.
Step 4: the third set TA receives the first information input by the user.
Step 5: the third set TA sends the first information to the SIM card authorized access management TA in the TEE.
Step 6: the SIM card authorized access management TA in the TEE encrypts the first information to obtain second information.
Step 7: the SIM card authorized access management TA in the TEE returns the second information to the third set TA.
Step 8: the third set TA returns the second information to the TEE.
Step 9: the TEE returns the second information to the SIM card access agent in the REE.
Step 10: the SIM card access agent in the REE sends the second information to the SIM card.
Step 11: the SIM card sends the second information to the SIM card application.
Step 12: the SIM card application sends the second information to the SIM card authorized access management TA in the SIM card.
Step 13: the SIM card authorized access management TA in the SIM card decrypts the second information and restores the first information.
Step 14: the SIM card authorized access management TA in the SIM card returns the first information to the SIM card application.
Step 15: the SIM card application verifies the first information to obtain a verification result.
Step 16: the verification result is returned to the bank application.
Thus, the bank application can access the SIM card application under the condition that the verification result indicates that the bank application obtains the authorization of the SIM card application, the payment is completed based on the bank certificate stored in the SIM card application, and the bank application cannot access the SIM card application and the payment fails under the condition that the verification result indicates that the bank application does not obtain the authorization of the SIM card application.
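The TSM key provisioning described above and the Fig. 4 exchange, as an added Go example that is not part of the patent: it instantiates the unspecified cryptographic algorithm with static ECDH over P-256 plus AES-256-GCM (an assumption; the patent lists RSA, ECC, AES, 3DES and SM algorithms without fixing one), models the first and second set TAs, the SIM card application and the REE relay, and shows that a change made to the second information while it crosses the REE is rejected by the SIM card. All type and function names and the reference PIN are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// SetTA models the SIM card authorized access management TA: the TEE copy (first set TA)
// and the SIM card copy (second set TA) each hold the symmetric key derived for this pairing.
type SetTA struct{ aead cipher.AEAD }

// SimCardApplication verifies the first information against a stored reference hash.
type SimCardApplication struct{ refHash [32]byte }

// newSetTA derives the TA key from a static ECDH agreement (an assumption of this example): the TEE
// uses (private key 1, public key 2), the SIM uses (private key 2, public key 1); the REE never holds a key.
func newSetTA(own *ecdh.PrivateKey, peer *ecdh.PublicKey) (*SetTA, error) {
	shared, err := own.ECDH(peer)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write([]byte("sim-card-access-authorization")) // constructed domain-separation label
	h.Write(shared)
	block, err := aes.NewCipher(h.Sum(nil))
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SetTA{aead: aead}, nil
}

// Encrypt (step 6, in the TEE) seals the first information into the second information;
// the GCM tag lets the SIM card detect any change made while the bytes cross the REE.
func (t *SetTA) Encrypt(firstInfo []byte) ([]byte, error) {
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return t.aead.Seal(nonce, nonce, firstInfo, nil), nil
}

// Decrypt (step 13, in the SIM card) restores the first information or rejects tampering.
func (t *SetTA) Decrypt(secondInfo []byte) ([]byte, error) {
	n := t.aead.NonceSize()
	if len(secondInfo) < n {
		return nil, errors.New("second information too short")
	}
	return t.aead.Open(nil, secondInfo[:n], secondInfo[n:], nil)
}

// Verify (step 15) compares in constant time against the reference hash.
func (a *SimCardApplication) Verify(firstInfo []byte) bool {
	h := sha256.Sum256(firstInfo)
	return subtle.ConstantTimeCompare(h[:], a.refHash[:]) == 1
}

// Provision models the TSM key set-up: TSM 1 (terminal vendor) and TSM 2 (operator) each generate
// a pair and exchange public keys; private key 1 is loaded into the first set TA, private key 2 into
// the second set TA. referencePIN is the constructed secret the SIM card application accepts.
func Provision(referencePIN []byte) (*SetTA, *SetTA, *SimCardApplication, error) {
	priv1, err1 := ecdh.P256().GenerateKey(rand.Reader) // key pair 1, generated by TSM 1
	priv2, err2 := ecdh.P256().GenerateKey(rand.Reader) // key pair 2, generated by TSM 2
	if err := errors.Join(err1, err2); err != nil {
		return nil, nil, nil, err
	}
	tee, err1 := newSetTA(priv1, priv2.PublicKey()) // TEE: private key 1 + public key 2
	sim, err2 := newSetTA(priv2, priv1.PublicKey()) // SIM: private key 2 + public key 1
	if err := errors.Join(err1, err2); err != nil {
		return nil, nil, nil, err
	}
	return tee, sim, &SimCardApplication{refHash: sha256.Sum256(referencePIN)}, nil
}

// AuthorizeAccess runs steps 6 to 15 of the Fig. 4 flow. The SIM card access agent in the
// REE only relays opaque second information; tamper models an REE that flips one byte.
func AuthorizeAccess(tee, sim *SetTA, app *SimCardApplication, userInput []byte, tamper bool) (bool, error) {
	secondInfo, err := tee.Encrypt(userInput)
	if err != nil {
		return false, err
	}
	if tamper { // steps 7 to 12: the ciphertext crosses the REE and could be modified there
		secondInfo[len(secondInfo)-1] ^= 0x01
	}
	firstInfo, err := sim.Decrypt(secondInfo)
	if err != nil {
		return false, fmt.Errorf("SIM card rejected second information: %w", err)
	}
	return app.Verify(firstInfo), nil // step 16 returns this result to the bank application
}
```

Because the REE only ever sees authenticated ciphertext, a compromised SIM card access agent can at most cause the authorization to fail, not learn or substitute the user's secret.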
In order to implement the method of the embodiment of the present application, an embodiment of the present application further provides an authorized access device, which is disposed on a terminal, and as shown in fig. 5, the device includes:
a TEE module 501, configured to perform an encryption operation on received first information based on a first set TA in a TEE to obtain second information when a terminal application initiates a first request; wherein the first request is for requesting access to a SIM card application; the first information represents the identity of a user;
a SIM card module 502, configured to decrypt the second information in the SIM card based on a second set TA to obtain the first information, and to verify the first information through the SIM card application so as to determine, according to a verification result, whether to authorize the terminal application to access the SIM card application.
In one embodiment, a first public key and a second public key for encryption and decryption are preset in both the TEE and the SIM card; the first public key is generated by a first TSM corresponding to the TEE; the second public key is generated by a second TSM corresponding to the SIM card;
the TEE module 501 is further configured to load a first private key corresponding to the first public key to the first set TA through a first TSM in a TEE before the terminal application initiates a first request;
the SIM card module 502 is further configured to load, in an SIM card, a second private key corresponding to the second public key to the second set TA through a second TSM before the terminal application initiates the first request.
In an embodiment, the TEE module 501 is further configured to receive the first information based on a third set TA in the TEE before the received first information is encrypted based on the first set TA in the TEE; wherein
the third set TA is used for receiving the first information input by the user in the TEE.
In one embodiment, the apparatus further comprises:
the REE module is used for, after the terminal application initiates the first request and before the first information is received in the TEE based on the third set TA, sending a second request to a SIM card access agent in the REE through the terminal application, and sending the second request to the TEE through the SIM card access agent; the second request is used for requesting the user to input the first information.
In an embodiment, the REE module is further configured to send the second information generated by the first TA to a SIM card through a SIM card access agent in the REE.
In an embodiment, the SIM card module 502 is further configured to send the verification result to a SIM card access agent in the REE;
the REE module is also used for sending the verification result to the terminal application through the SIM card access agent.
In practice, the TEE module 501, SIM card module 502 and REE module may be implemented by a processor in an authorized access device.
It should be noted that: when the authorized access device provided in the foregoing embodiment performs the authorized access method, the division of the terminal software architecture shown in fig. 3 is used only as an example; in practical applications, the above processing may be distributed among different program modules as needed, that is, the internal structure of the device may be divided into different program modules so as to complete all or part of the processing described above. In addition, the authorized access device and the authorized access method provided by the above embodiments belong to the same concept; their specific implementation processes are described in the method embodiments and are not repeated here.
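The exchange described above, modelled in Go with the standard library as an added example (this is not code from the patent): the two TSMs provision key pairs, the TEE TA turns the user identity into the second information, the REE agent only relays opaque bytes, and the SIM card application returns the verification result. The patent does not name a cipher or say what the first (TEE) key pair is used for; RSA-OAEP for the encryption, a PSS signature by the TEE's private key as an origin check on the SIM side, the function names and the enrolled PIN value are all assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Provision plays the two TSMs: each generates a key pair whose private half
// is loaded into its own TA (first key: TEE, second key: SIM card) while both
// public halves are preset on both sides. Here each TA simply keeps its key.
func Provision() (teeKey, simKey *rsa.PrivateKey, err error) {
	if teeKey, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
		return nil, nil, err
	}
	simKey, err = rsa.GenerateKey(rand.Reader, 2048)
	return teeKey, simKey, err
}

// TeeProtect is the first set TA: it turns the first information (the user
// identity entered through the TEE's trusted UI) into the second information,
// RSA-OAEP under the SIM's public key plus a PSS signature by the TEE's
// private key (assumed). The REE SIM card access agent relays only these blobs.
func TeeProtect(teeKey *rsa.PrivateKey, simPub *rsa.PublicKey, firstInfo []byte) (ct, sig []byte, err error) {
	if ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, simPub, firstInfo, nil); err != nil {
		return nil, nil, err
	}
	d := sha256.Sum256(ct)
	sig, err = rsa.SignPSS(rand.Reader, teeKey, crypto.SHA256, d[:], nil)
	return ct, sig, err
}

// SimVerify is the second set TA plus the SIM card application: reject a blob
// not signed by the TEE TA (an REE relay that altered it fails here), recover
// the first information, and compare it with the enrolled identity in
// constant time. The bool is the verification result sent back to the app.
func SimVerify(simKey *rsa.PrivateKey, teePub *rsa.PublicKey, enrolled, ct, sig []byte) (bool, error) {
	d := sha256.Sum256(ct)
	if rsa.VerifyPSS(teePub, crypto.SHA256, d[:], sig, nil) != nil {
		return false, errors.New("second information was not produced by the TEE TA")
	}
	firstInfo, err := rsa.DecryptOAEP(sha256.New(), nil, simKey, ct, nil)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(firstInfo, enrolled) == 1, nil
}

func main() {
	teeKey, simKey, err := Provision()
	if err != nil {
		panic(err)
	}
	enrolled := []byte("123456") // constructed PIN held by the SIM card application
	ct, sig, _ := TeeProtect(teeKey, &simKey.PublicKey, []byte("123456"))
	fmt.Println(SimVerify(simKey, &teeKey.PublicKey, enrolled, ct, sig)) // true <nil>
}
```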
Based on the hardware implementation of the program module, and in order to implement the authorized access method according to the embodiment of the present application, an embodiment of the present application further provides a terminal, as shown in fig. 6, where the terminal 600 includes:
a first communication interface 601, which is capable of performing information interaction with other network nodes;
the first processor 602 is connected to the first communication interface 601 to implement information interaction with other network nodes, and is configured to execute the method provided by one or more of the above technical solutions when running a computer program, the computer program being stored on the first memory 603.
Specifically, the first processor 602 is configured to, when a terminal application initiates a first request, perform an encryption operation on received first information based on a first TA in a TEE to obtain second information; wherein the first request is for requesting access to a SIM card application; the first information represents the identity of a user; decrypting the second information in the SIM card based on a second set TA to obtain the first information; and verifying the first information through the SIM card application so as to determine whether to perform access authorization on the SIM card application on the terminal application according to a verification result.
In one embodiment, a first public key and a second public key for encryption and decryption are preset in both the TEE and the SIM card; the first public key is generated by a first TSM corresponding to the TEE; the second public key is generated by a second TSM corresponding to the SIM card;
the first processor 602 is further configured to: before the terminal application initiates a first request, a first private key corresponding to the first public key is loaded to the first set TA through a first TSM in a TEE, and a second private key corresponding to the second public key is loaded to the second set TA through a second TSM in an SIM card.
In an embodiment, the first processor 602 is further configured to: receive the first information based on a third set TA in the TEE before the received first information is encrypted based on the first set TA in the TEE; wherein
the third set TA is used to receive the first information input by the user in the TEE.
In an embodiment, the first processor 602 is further configured to: before receiving the first information based on a third set TA in the TEE, after the terminal application initiates the first request, sending a second request to a SIM card access agent in the REE through the terminal application; and sending the second request to a TEE through the SIM card access agent; the second request is for requesting a user to input the first information.
In an embodiment, the first processor 602 is further configured to:
and sending the second information to the SIM card through the SIM card access agent in the REE.
In an embodiment, the first processor 602 is further configured to:
sending the verification result to a SIM card access agent in the REE;
and sending the verification result to the terminal application through the SIM card access agent.
It should be noted that: the specific processing of the first processor 602 may be understood with reference to the above-described method.
Of course, in practice, the various components in the terminal 600 are coupled together by a bus system 604. It is understood that the bus system 604 is used to enable communications among the components. The bus system 604 includes a power bus, a control bus, and a status signal bus in addition to a data bus. For clarity of illustration, however, the various buses are labeled as bus system 604 in fig. 6.
The first memory 603 in the embodiment of the present application is used to store various types of data to support the operation of the terminal 600. Examples of such data include: any computer program for operating on the terminal 600.
The method disclosed in the embodiment of the present application may be applied to the first processor 602, or implemented by the first processor 602. The first processor 602 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be implemented by integrated logic circuits of hardware or by instructions in the form of software in the first processor 602. The first processor 602 may be a general purpose processor, a Digital Signal Processor (DSP), or another programmable logic device, discrete gate or transistor logic device, discrete hardware component, etc. The first processor 602 may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium located in the first memory 603, and the first processor 602 reads the information in the first memory 603 and, in conjunction with its hardware, performs the steps of the foregoing method.
In an exemplary embodiment, the terminal 600 may be implemented by one or more Application Specific Integrated Circuits (ASICs), DSPs, Programmable Logic Devices (PLDs), Complex Programmable Logic Devices (CPLDs), Field-Programmable Gate Arrays (FPGAs), general purpose processors, controllers, Micro Controller Units (MCUs), microprocessors, or other electronic components for performing the aforementioned methods.
It is to be understood that the first memory 603 of the embodiments of the present application may be a volatile memory or a non-volatile memory, and may also include both volatile and non-volatile memories. The non-volatile memory may be a Read Only Memory (ROM), a Programmable Read Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), a ferroelectric random access memory (FRAM), a Flash Memory, a magnetic surface memory, an optical disc, or a Compact Disc Read-Only Memory (CD-ROM); the magnetic surface memory may be disk storage or tape storage. The volatile memory may be a Random Access Memory (RAM), which acts as an external cache. By way of illustration and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Synchronous Static Random Access Memory (SSRAM), Dynamic Random Access Memory (DRAM), Synchronous Dynamic Random Access Memory (SDRAM), Double Data Rate Synchronous Dynamic Random Access Memory (DDRSDRAM), Enhanced Synchronous Dynamic Random Access Memory (ESDRAM), SyncLink Dynamic Random Access Memory (SLDRAM), and Direct Rambus Random Access Memory (DRRAM). The memories described in the embodiments of the present application are intended to comprise, without being limited to, these and any other suitable types of memory.
In an exemplary embodiment, the present application further provides a storage medium, specifically a computer storage medium, for example, a first memory 603 storing a computer program, which is executable by the first processor 602 of the terminal 600 to perform the steps of the foregoing authorized access method. The computer readable storage medium may be a memory such as FRAM, ROM, PROM, EPROM, EEPROM, Flash Memory, magnetic surface memory, optical disc, or CD-ROM.
It should be noted that: "first," "second," and the like are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
The technical means described in the embodiments of the present application may be arbitrarily combined without conflict.
The above description is only a preferred embodiment of the present application, and is not intended to limit the scope of the present application.

Claims (10)

1. An access authorization method, comprising:
under the condition that a terminal application initiates a first request, encrypting the received first information based on a first set trusted application (TA) in a trusted execution environment (TEE) to obtain second information; the first request is used for requesting to access a Subscriber Identity Module (SIM) card application; the first information represents a user identity;
decrypting the second information in the SIM card based on a second set TA to obtain the first information;
and verifying the first information through the SIM card application so as to determine whether to carry out access authorization on the SIM card application for the terminal application according to a verification result.
2. The method according to claim 1, wherein a first public key and a second public key for encryption and decryption are preset in both the TEE and the SIM card; the first public key is generated by a first trusted service platform (TSM) corresponding to the TEE; the second public key is generated by a second TSM corresponding to the SIM card;
before the terminal application initiates the first request, the method further comprises:
and loading a first private key corresponding to the first public key to the first set TA through a first TSM in the TEE, and loading a second private key corresponding to the second public key to the second set TA through a second TSM in the SIM card.
3. The method according to claim 1, wherein prior to said performing an encryption operation on the received first information based on the first configured TA in the TEE, the method further comprises:
receiving the first information based on a third set TA in the TEE; wherein
the third set TA is used for receiving the first information input by the user in the TEE.
4. The method of claim 3, wherein prior to receiving the first information based on a third set TA in a TEE, the method further comprises:
after the terminal application initiates the first request, sending a second request to a SIM card access agent in a Rich Execution Environment (REE) through the terminal application; the second request is used for requesting a user to input the first information;
sending the second request to the TEE through the SIM card access agent.
5. The method of claim 1, further comprising:
and sending the second information generated by the first set TA to the SIM card through a SIM card access agent in the REE.
6. The method of claim 1, further comprising:
sending the verification result to a SIM card access agent in the REE;
and sending the verification result to the terminal application through the SIM card access agent.
7. An access authorization apparatus, comprising:
the TEE module is used for carrying out encryption operation on the received first information based on a first set TA in the TEE under the condition that the terminal application initiates a first request to obtain second information; wherein the first request is for requesting access to a SIM card application; the first information represents a user identity;
the SIM card module is used for decrypting the second information in the SIM card based on a second set TA to obtain the first information; and verifying the first information through the SIM card application so as to determine whether to perform access authorization on the SIM card application on the terminal application according to a verification result.
8. A terminal, comprising: a first processor and a first communication interface; wherein
the first processor is configured to, when a terminal application initiates a first request, perform an encryption operation on received first information based on a first set TA in the TEE to obtain second information; decrypt the second information in the SIM card based on a second set TA to obtain the first information; and verify the first information through the SIM card application to determine, according to a verification result, whether access authorization related to the SIM card application is performed for the terminal application; wherein
the first request is for requesting access to a SIM card application; the first information characterizes a user identity.
9. A terminal, comprising: a first processor and a first memory for storing a computer program capable of running on the processor,
wherein the first processor is adapted to perform the steps of the method of any one of claims 1 to 6 when running the computer program.
10. A storage medium having a computer program stored thereon, the computer program, when being executed by a processor, implementing the steps of the method of any one of claims 1 to 6.
CN202110298419.XA 2021-03-19 2021-03-19 Access authorization method, device, terminal and storage medium Pending CN115175179A (en)


Publications (1)

Publication Number Publication Date
CN115175179A true CN115175179A (en) 2022-10-11

Family

ID=83475743



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination