CN115801270A - Information authentication method and device, electronic equipment and storage medium - Google Patents


Publication number
CN115801270A
Authority
CN
China
Prior art keywords
certificate
execution environment
trusted execution
private key
service request
Legal status
Pending
Application number
CN202211358241.4A
Other languages
Chinese (zh)
Inventor
李磊
安睿
Current Assignee
Agricultural Bank of China
Original Assignee
Agricultural Bank of China
Application filed by Agricultural Bank of China
Priority to CN202211358241.4A
Publication of CN115801270A

Abstract

The invention discloses an information authentication system and method. The system comprises a terminal device on which a client application, a trusted execution environment and a secure element are deployed. The client application is used for generating a service request and sending the service request to the trusted execution environment, wherein the service request carries a user identifier of a service request user. The trusted execution environment is configured to receive the service request, create a security domain in the secure element based on an initial private key, write the initial key into the security domain, obtain an element identifier of the secure element, update the initial key stored in the secure element based on the user identifier and the element identifier to obtain a private key, and access the security domain based on the private key. The embodiment of the invention realizes the establishment of a trusted security domain in the secure element and improves the security level of the terminal equipment.

Description

Information authentication method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of information security technologies, and in particular, to an information authentication method and apparatus, an electronic device, and a storage medium.
Background
With the development of information technology, mobile information transmission is widely applied in daily life. As terminal equipment becomes widespread, however, information leakage caused by attacks on terminal equipment information, theft of personal information and virus intrusion are increasingly common. When a user uses a terminal equipment application, especially a banking or financial application, the property of the user is at serious security risk if a safe and reliable environment cannot be established, so that the requirement of users on the security of mobile information is higher and higher.
In the prior art, a digital certificate is generally used in a software environment of a terminal device for security authentication, so that the security is not high, the terminal device is easy to attack and crack, and a high-security-level and trusted environment cannot be provided.
Disclosure of Invention
The invention provides an information authentication system and method, which solve the technical problem that the prior art cannot provide a high-security-level and trusted environment.
According to an aspect of the present invention, there is provided an information authentication system including:
the terminal equipment is provided with a client application, a trusted execution environment and a secure element; wherein,
the client application is used for generating a service request and sending the service request to a trusted execution environment, wherein the service request carries a user identifier of a service request user;
the trusted execution environment is configured to receive the service request, create a security domain in the secure element based on an initial private key, write the initial key into the security domain, obtain an element identifier of the secure element, update the initial key stored in the secure element based on the user identifier and the element identifier to obtain a private key, and access the security domain based on the private key.
According to another aspect of the present invention, there is provided an information authentication method including:
the method is applied to an information authentication system, the information authentication system comprises terminal equipment, and the terminal equipment is provided with a client application, a trusted execution environment and a secure element; the information authentication method comprises the following steps:
generating a service request through the client application, and sending the service request to a trusted execution environment, wherein the service request carries a user identifier of a service request user;
receiving, by the trusted execution environment, the service request, creating a security domain in the secure element based on an initial private key, writing the initial key into the security domain, obtaining an element identifier of the secure element, and updating the initial key stored in the secure element based on the user identifier and the element identifier to obtain a private key, so as to access the security domain based on the private key.
According to the technical scheme of the embodiment of the invention, a client application, a trusted execution environment and a secure element are deployed on the terminal equipment. The client application is used for generating a service request and sending the service request to the trusted execution environment, wherein the service request carries a user identifier of a service request user. The mobile terminal client application and the trusted execution environment are independent of each other, and when a service is requested, the mobile terminal client application sends a request to the trusted execution environment, so that the safety of the trusted execution environment is improved. The trusted execution environment is used for receiving the service request, creating a security domain in the secure element based on an initial private key, writing the initial key into the security domain, acquiring an element identifier of the secure element, updating the initial key stored in the secure element based on the user identifier and the element identifier to obtain a private key, and accessing the security domain based on the private key. A security domain is thus created in the secure element according to the request, security protection is performed at the hardware level by introducing the secure element, applications in the secure element are further isolated through the security domain, and the security level of the terminal equipment is improved through a security domain private to the user, which solves the technical problem that the prior art cannot provide a high-security-level and trusted environment. The embodiment of the invention realizes the establishment of a trusted security domain in the secure element and improves the security level of the terminal equipment.
It should be understood that the statements in this section do not necessarily identify key or critical features of the embodiments of the present invention, nor do they necessarily limit the scope of the invention. Other features of the present invention will become apparent from the following description.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a structural diagram of an information authentication system according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of the information authentication system of FIG. 1 according to an embodiment of the present invention;
FIG. 3 is a block diagram of another information authentication system according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of the information authentication system of FIG. 3 according to an embodiment of the present invention;
FIG. 5 is a flowchart of an information authentication method according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first", "second", and the like in the description and the claims of the present invention and the drawings are used for distinguishing similar objects and not necessarily for describing a particular order or sequence. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
FIG. 1 is a structural diagram of an information authentication system according to an embodiment of the present invention, and FIG. 2 is a schematic diagram of the operation of the information authentication system in FIG. 1. The embodiment is applicable to situations in which the terminal device has a low security level and lacks security protection, and the system can be executed by an information authentication device which can be implemented in the form of hardware and/or software and can be configured in the electronic device. As shown in FIG. 1 and FIG. 2, the system includes a terminal device on which a client application 110, a trusted execution environment 120, and a secure element 130 are deployed, wherein:
the client application is used for generating a service request and sending the service request to the trusted execution environment, wherein the service request carries a user identifier of a service request user; the trusted execution environment is configured to receive the service request, create a security domain in the secure element based on an initial private key, write the initial key into the security domain, obtain an element identifier of the secure element, update the initial key stored in the secure element based on the user identifier and the element identifier to obtain a private key, and access the security domain based on the private key.
The client application may be an application installed in the client. The service request may be a service request generated by a client application for a security service. The user identifier may be a user identifier for identifying a user sending the service request, and the user identifier may be used to uniquely identify the user. Illustratively, the user identification may be represented by a user DN (Distinguished Name).
Wherein the trusted execution environment may be a pre-built secure trusted execution environment. For example, the Trusted Execution Environment may be a separate area TEE (Trusted Execution Environment) provided at a chip level.
The secure element may be a chip-type element which provides security protection, prevents external malicious analysis attacks and protects data security; the secure element comprises a microprocessor, storage, encryption and decryption hardware and the like, has logical processing capacity and can realize an isolated operating environment at the hardware level. The security domain may be a secure space created in the secure element. The element identifier may be an identifier issued by the manufacturer when the secure element leaves the factory. Illustratively, the secure element may be provided in a SIM (Subscriber Identity Module) card of the handset.
The initial private key may be a secret key issued by a manufacturer of the secure element.
Specifically, when a user uses the client application to perform a security service, the client application obtains the user identifier of the user, generates a service request carrying the user identifier, and sends the service request to the trusted execution environment of the terminal device. After receiving the service request, the trusted execution environment obtains the initial private key issued by the secure element manufacturer, creates a security domain in the secure element by using the initial private key, and writes the initial private key into the security domain. The trusted execution environment then parses the service request to acquire the user identifier, acquires the element identifier of the secure element, and updates the initial key stored in the secure element according to the user identifier and the element identifier to obtain a private key associated with the security domain and the user; the security domain can then be accessed based on the private key.
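One way the key update described above could work, as an added example that is not code from the patent: the patent does not specify the update function, so HKDF-SHA256 (RFC 5869) is assumed here, the "private key" is treated as a symmetric key held by the trusted execution environment, and `SecurityDomain`, `provision`, the salt label and all sample values are hypothetical.

```python
import hashlib
import hmac
import struct

_HASH = hashlib.sha256
_HASH_LEN = 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: condense input key material into a fixed-size key."""
    return hmac.new(salt or b"\x00" * _HASH_LEN, ikm, _HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: derive `length` bytes bound to the context `info`."""
    if not 0 < length <= 255 * _HASH_LEN:
        raise ValueError("invalid output length for HKDF-SHA256")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), _HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def encode_context(user_id: str, element_id: str) -> bytes:
    """Length-prefix each identifier so ("ab", "c") and ("a", "bc") cannot collide."""
    parts = [user_id.encode("utf-8"), element_id.encode("utf-8")]
    return b"".join(struct.pack(">H", len(p)) + p for p in parts)


def derive_domain_key(initial_key: bytes, user_id: str, element_id: str) -> bytes:
    """Derive the per-user, per-element key from the manufacturer's initial key."""
    if len(initial_key) < 16:
        raise ValueError("initial key too short")
    if not user_id or not element_id:
        raise ValueError("user and element identifiers are required")
    # The salt is a fixed domain-separation label (an assumption of this example).
    prk = hkdf_extract(b"security-domain-key/v1", initial_key)
    return hkdf_expand(prk, encode_context(user_id, element_id), 32)


class SecurityDomain:
    """In-memory stand-in for a security domain inside the secure element."""

    def __init__(self, initial_key: bytes):
        self._key = initial_key

    def unlock(self, key: bytes) -> bool:
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(key, self._key)

    def update_key(self, current_key: bytes, new_key: bytes) -> None:
        if not self.unlock(current_key):
            raise PermissionError("current key rejected")
        self._key = new_key


def provision(initial_key: bytes, user_id: str, element_id: str):
    """Create the domain with the initial key, then replace it with the derived key."""
    domain = SecurityDomain(initial_key)
    domain_key = derive_domain_key(initial_key, user_id, element_id)
    domain.update_key(initial_key, domain_key)
    return domain, domain_key


if __name__ == "__main__":
    # Constructed sample values, not taken from the patent.
    initial = bytes(range(16))
    domain, key = provision(initial, "CN=Test User,O=Example Bank", "SE-0001")
    print("derived key opens domain:", domain.unlock(key))
    print("initial key still opens domain:", domain.unlock(initial))
```

After provisioning, the manufacturer-issued initial key no longer opens the domain, and the same initial key yields a different domain key for any other user or secure element.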
Optionally, in another optional embodiment of the present invention, the trusted execution environment is configured to, after creating a security domain by using the private key, download an application program running on the secure element, install the application program into the secure element by using the private key, and initialize the application program so that the application program runs on the secure element.
Wherein the application may be software running on the secure element for interacting with the secure element. For example, the application may be run in the secure element in the form of an Applet.
Specifically, the trusted execution environment downloads the application program running on the secure element after creating the security domain by using the private key, installs the application program into the secure element by using the private key after completing the downloading of the application program, and initializes the application program so as to run the application program on the secure element.
Optionally, in another optional embodiment of the present invention, the trusted execution environment is further configured to generate a visual interface, and display the visual interface based on the trusted security interface, where the visual interface includes service association information corresponding to the service request.
Wherein the trusted secure interface may be an interface trusted by the trusted execution environment. It should be noted that, in the trusted execution environment, only the interface trusted by the trusted execution environment can perform information interaction, and other interfaces that are not trusted by the trusted execution environment cannot access the trusted execution environment.
Specifically, the trusted execution environment may further generate a visual interface, the visual interface is displayed through a trusted security interface of the trusted execution environment, and service association information corresponding to the service request is displayed through the visual interface.
Optionally, in another optional embodiment of the present invention, the trusted execution environment is further configured to store a personal identification password in the secure domain based on the private key, and receive the personal identification password input by the service request user based on the visual interface, and obtain the personal identification password stored in the secure domain based on the private key, so as to verify the input personal identification password and the personal identification password stored in the secure domain.
The personal identification password can be an identification password for confirming the identity of the user; the personal identification password may be an identification password set by the user.
Specifically, the trusted execution environment stores a personal identification password set by the user in the security domain based on the private key. After the user sends a service request through the client application, the trusted execution environment receives the service request and displays an input region for the personal identification password on the visual interface. When the user inputs the personal identification password through the visual interface, the trusted execution environment acquires the personal identification password stored in the security domain based on the private key, acquires the personal identification password input through the visual interface, and verifies the input personal identification password against the personal identification password stored in the security domain.
Optionally, fig. 3 is a block diagram of another information authentication system according to an embodiment of the present invention. Fig. 4 is a schematic diagram of the operation of the information authentication system in fig. 3. As shown in fig. 3 and 4, the information authentication system further includes a certificate authority 140; the client application is further configured to generate a certificate downloading request, and send the certificate downloading request to the trusted execution environment; the trusted execution environment is used for receiving a certificate downloading request, generating an application certificate corresponding to the certificate downloading request and sending the application certificate to the client application; the client application is further configured to receive the application certificate sent by the trusted execution environment, and send the application certificate to a certificate authority; the certificate authority is used for verifying the application certificate, generating a digital certificate under the condition that the application certificate passes the verification, and feeding the digital certificate back to the client application; the client application is further configured to receive the digital certificate and transmit the digital certificate to the trusted execution environment; the trusted execution environment is further configured to receive the digital certificate transmitted by the client application, verify the digital certificate, and write the digital certificate into the security domain through the private key when the digital certificate is verified.
The certificate authority may be a trusted digital certificate authority that may be used to verify, issue and manage digital certificates. The certificate download request may be a request by which the client application applies to the trusted execution environment for a certificate. The application certificate may be a certificate used to apply to a certificate authority for a digital certificate.
Specifically, when the client application needs to acquire a digital certificate from the certificate authority, the client application generates a certificate download request and sends it to the trusted execution environment. The trusted execution environment receives the certificate download request, generates an application certificate corresponding to the certificate download request, and sends the application certificate to the client application that sent the certificate download request. After receiving the application certificate, the client application sends it to the certificate authority. The certificate authority receives the application certificate and verifies it; if the application certificate passes verification, the certificate authority generates a digital certificate corresponding to the application certificate by using the private key of the certificate authority and feeds the digital certificate back to the client application. The client application receives the digital certificate and transmits it to the trusted execution environment. After receiving the digital certificate transmitted by the client application, the trusted execution environment verifies the digital certificate by using a public key issued by the certificate authority, and writes the digital certificate into the security domain through the private key if the digital certificate passes verification.
Optionally, in another optional embodiment of the present invention, the trusted execution environment is specifically configured to obtain a device public key corresponding to the certificate download request, and to generate an application certificate corresponding to the certificate download request based on the device public key, the user identifier, and the element identifier.
The device public key may be a public key used by the trusted execution environment to generate the application certificate.
Specifically, the trusted execution environment receives the certificate download request and obtains the device public key, the user identifier, and the element identifier, and the trusted execution environment generates an application certificate corresponding to the certificate download request according to the device public key, the user identifier, and the element identifier.
Optionally, in another optional embodiment of the present invention, the client application is specifically configured to perform download environment detection on the mobile device, determine whether the mobile device has a download condition, and if so, generate a certificate download request.
The download environment detection may be environment detection performed on the mobile device, and is used to determine whether the mobile device has a download condition.
Specifically, the client application performs download environment detection on the mobile device, determines whether the mobile device has a download condition, and if the mobile device has the download condition, the client application generates a certificate download request and sends the certificate download request to the trusted execution environment.
Optionally, in another optional embodiment of the present invention, the trusted execution environment specifically accesses the secure domain based on the private key to obtain a device public key, the user identifier, and the secure identifier stored in the secure domain, verifies the device public key in the digital certificate based on the device public key stored in the secure domain, verifies an application user in the digital certificate based on the user identifier stored in the secure domain, verifies a certificate authority corresponding to the digital certificate based on a preset trusted certificate authority, and verifies a device identity identifier in the digital certificate based on the secure identifier.
Specifically, the trusted execution environment receives the digital certificate, determines the user and the user identifier corresponding to the certificate download request, and accesses the security domain based on the private key corresponding to the user identifier to obtain the device public key, the user identifier and the security identifier stored in the security domain. It then verifies the device public key in the digital certificate based on the device public key stored in the security domain, verifies the application user in the digital certificate based on the user identifier stored in the security domain, verifies the certificate authority corresponding to the digital certificate based on a preset trusted certificate authority, and verifies the device identity identifier in the digital certificate based on the security identifier.
Optionally, in another optional embodiment of the present invention, the trusted execution environment is further configured to store the user identifier, the element identifier, and the device public key in the secure domain based on the private key.
Specifically, the trusted execution environment obtains a user identifier, an element identifier, and a device public key, and stores the user identifier, the element identifier, and the device public key in the secure domain via a private key.
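The issuance round trip and the trusted execution environment's acceptance checks described above, as an added example that is not code from the patent. Assumptions: certificates are modelled as JSON field sets rather than X.509, a Lamport one-time hash signature stands in for the certificate authority's signature algorithm so the code runs with the standard library only, the stored element identifier is used for the device identity check, and every function name and sample value is constructed.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass
from typing import Dict, List


def _digest_bits(message: bytes) -> List[int]:
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return [(digest >> i) & 1 for i in range(256)]


def ca_keygen():
    """Lamport one-time key pair: 2 x 256 random secrets and their SHA-256 hashes."""
    secret = [[os.urandom(32) for _ in range(256)] for _ in (0, 1)]
    public = [[hashlib.sha256(s).digest() for s in row] for row in secret]
    return secret, public


def ca_sign(secret, message: bytes) -> List[bytes]:
    # Reveal one secret per digest bit; a key pair must sign only one message.
    return [secret[bit][i] for i, bit in enumerate(_digest_bits(message))]


def ca_verify(public, message: bytes, signature) -> bool:
    if len(signature) != 256:
        return False
    ok = True
    for i, bit in enumerate(_digest_bits(message)):
        ok &= hmac.compare_digest(hashlib.sha256(signature[i]).digest(), public[bit][i])
    return ok


def encode_fields(fields: Dict[str, str]) -> bytes:
    """Canonical bytes that get signed: sorted keys, no insignificant whitespace."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tee_build_application(device_public_key: bytes, user_id: str, element_id: str) -> Dict[str, str]:
    """TEE side: application certificate built from the three bound values."""
    return {"device_public_key": device_public_key.hex(),
            "user_id": user_id, "element_id": element_id}


def ca_issue(ca_name: str, ca_secret, application: Dict[str, str]) -> dict:
    """CA side: check the application is complete, then sign the certificate body."""
    for field in ("device_public_key", "user_id", "element_id"):
        if not application.get(field):
            raise ValueError("application certificate is missing " + field)
    body = dict(application, issuer=ca_name)
    return {"body": body, "signature": ca_sign(ca_secret, encode_fields(body))}


@dataclass(frozen=True)
class StoredBinding:
    """Values the TEE keeps in the security domain."""
    device_public_key: bytes
    user_id: str
    element_id: str


def _equal(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def tee_check_certificate(cert: dict, stored: StoredBinding, trusted_cas: dict) -> List[str]:
    """Return the names of failed checks; an empty list means the certificate may be stored."""
    body, failures = cert["body"], []
    ca_public = trusted_cas.get(body.get("issuer", ""))
    if ca_public is None or not ca_verify(ca_public, encode_fields(body), cert["signature"]):
        failures.append("certificate_authority")
    if not _equal(body.get("device_public_key", ""), stored.device_public_key.hex()):
        failures.append("device_public_key")
    if not _equal(body.get("user_id", ""), stored.user_id):
        failures.append("user_id")
    if not _equal(body.get("element_id", ""), stored.element_id):
        failures.append("device_identity")
    return failures


def demo() -> Dict[str, List[str]]:
    """Run the exchange on constructed values and collect the check results."""
    ca_secret, ca_public = ca_keygen()
    trusted = {"Example Root CA": ca_public}
    stored = StoredBinding(bytes(range(32)), "CN=Test User,O=Example Bank", "SE-0001")
    app = tee_build_application(stored.device_public_key, stored.user_id, stored.element_id)
    cert = ca_issue("Example Root CA", ca_secret, app)
    altered = {"body": dict(cert["body"], device_public_key="00" * 32),
               "signature": cert["signature"]}
    other_device = StoredBinding(b"\x01" * 32, stored.user_id, "SE-0002")
    unknown_secret, _ = ca_keygen()  # key pair the TEE does not trust
    unknown_signer = ca_issue("Example Root CA", unknown_secret, app)
    return {
        "genuine": tee_check_certificate(cert, stored, trusted),
        "altered_key": tee_check_certificate(altered, stored, trusted),
        "wrong_device": tee_check_certificate(cert, other_device, trusted),
        "unknown_signer": tee_check_certificate(unknown_signer, stored, trusted),
    }


if __name__ == "__main__":
    for case, failed in demo().items():
        print(case, "->", failed or "accepted")
```

The `wrong_device` case is the reason for the binding checks: that certificate carries a valid signature from the trusted authority, yet it must not be written into a security domain whose stored device public key and element identifier differ.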
Fig. 5 is a flowchart of an information authentication method according to an embodiment of the present invention, where the method is applicable to a situation where a terminal device has a low security level and lacks security protection, and the method may be executed by an information authentication system, where the information authentication system may be implemented in a form of hardware and/or software, the information authentication system includes a terminal device, and a client application, a trusted execution environment, and a secure element are deployed on the terminal device, where as shown in fig. 5, the information authentication method includes:
S210, generating a service request through the client application, and sending the service request to a trusted execution environment, wherein the service request carries a user identifier of a service request user.
S220, receiving, by the trusted execution environment, the service request, creating a security domain in the secure element based on an initial private key, writing the initial key into the security domain, obtaining an element identifier of the secure element, updating the initial key stored in the secure element based on the user identifier and the element identifier, and obtaining a private key, so as to access the security domain based on the private key.
Optionally, the method further includes:
the information authentication system further comprises a certificate authority; wherein,
the client application is further configured to generate a certificate downloading request, and send the certificate downloading request to the trusted execution environment;
the trusted execution environment is used for receiving a certificate downloading request, generating an application certificate corresponding to the certificate downloading request and sending the application certificate to the client application;
the client application is further configured to receive the application certificate sent by the trusted execution environment, and send the application certificate to a certificate authority;
the certificate authority is used for verifying the application certificate, generating a digital certificate under the condition that the application certificate passes the verification, and feeding the digital certificate back to the client application;
the client application is further configured to receive the digital certificate and transmit the digital certificate to the trusted execution environment;
the trusted execution environment is further configured to receive the digital certificate transmitted by the client application, verify the digital certificate, and write the digital certificate into the security domain through the private key when the digital certificate is verified.
Optionally, the method further includes:
the trusted execution environment is specifically configured to generate the application certificate corresponding to the certificate download request based on the device public key corresponding to the certificate download request, the user identifier, and the element identifier.
Optionally, the method further includes:
the client application is specifically used for detecting a downloading environment of the mobile terminal, determining whether the mobile terminal has a downloading condition, and if so, generating a certificate downloading request.
Optionally, the method further includes:
the trusted execution environment specifically accesses the security domain based on the private key to obtain an equipment public key stored in the security domain, the user identifier and the security identifier, verifies the equipment public key in the digital certificate based on the equipment public key stored in the security domain, verifies an application user in the digital certificate based on the user identifier stored in the security domain, verifies a certificate authority corresponding to the digital certificate based on a preset trusted root certificate authority, and verifies an equipment identity identifier in the digital certificate based on the security identifier.
Optionally, the method further includes:
the trusted execution environment is further configured to store the user identification, the element identification, and the device public key in the secure domain based on the private key.
Optionally, the method further includes:
the trusted execution environment is used for downloading the application program running on the secure element after a security domain is created through the secure channel, installing the application program into the secure element through the secure channel, and initializing the application program to enable the application program to run on the secure element.
Optionally, the method further includes:
the trusted execution environment is further used for generating a visual interface and displaying the visual interface based on the trusted security interface, wherein the visual interface comprises service association information corresponding to the service request.
Optionally, the method further includes:
the trusted execution environment is further configured to store a personal identification password in the security domain based on the private key, receive a personal identification password input by a service request user based on the visual interface, and obtain the personal identification password stored in the security domain based on the private key, so as to verify the input personal identification password against the personal identification password stored in the security domain.
According to the technical scheme of the embodiment of the invention, the client application, the trusted execution environment and the secure element are deployed on the terminal equipment. The client application is used for generating a service request and sending the service request to the trusted execution environment, wherein the service request carries a user identifier of a service request user. The mobile terminal client application and the trusted execution environment are independent of each other, and when a service is requested the mobile terminal client application sends the request to the trusted execution environment, which improves the security of the trusted execution environment. The trusted execution environment is used for receiving the service request, creating a security domain in the secure element based on an initial private key, writing the initial key into the security domain, acquiring an element identifier of the secure element, updating the initial key stored in the secure element based on the user identifier and the element identifier to obtain a private key, and accessing the security domain based on the private key. A security domain is thus created in the secure element in response to the request: introducing the secure element provides security protection at the hardware level, the security domain further isolates the applications in the secure element, and the private key of the security domain improves the security level of the terminal equipment, which solves the technical problem that a high-security-level and trusted environment cannot be provided in the prior art. The embodiment of the invention realizes the establishment of a trusted security domain in the security element and improves the security level of the terminal equipment.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present invention may be executed in parallel, sequentially, or in different orders, and are not limited herein as long as the desired results of the technical solution of the present invention can be achieved.
The above-described embodiments should not be construed as limiting the scope of the invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations, and substitutions are possible in light of design conditions and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. An information authentication system, comprising: the terminal equipment is provided with a client application, a trusted execution environment and a secure element; wherein,
the client application is used for generating a service request and sending the service request to a trusted execution environment, wherein the service request carries a user identifier of a service request user;
the trusted execution environment is configured to receive the service request, create a security domain in the secure element based on an initial private key, write the initial key into the security domain, obtain an element identifier of the secure element, update the initial key stored in the secure element based on the user identifier and the element identifier, and obtain a private key, so as to access the security domain based on the private key.
2. The information authentication system of claim 1, further comprising a certificate authority; wherein,
the client application is further configured to generate a certificate downloading request, and send the certificate downloading request to the trusted execution environment;
the trusted execution environment is used for receiving a certificate downloading request, generating an application certificate corresponding to the certificate downloading request and sending the application certificate to the client application;
the client application is further configured to receive the application certificate sent by the trusted execution environment, and send the application certificate to a certificate authority;
the certificate authority is used for verifying the application certificate, generating a digital certificate under the condition that the application certificate passes the verification, and feeding the digital certificate back to the client application;
the client application is further configured to receive the digital certificate and transmit the digital certificate to the trusted execution environment;
the trusted execution environment is further configured to receive the digital certificate transmitted by the client application, verify the digital certificate, and write the digital certificate into the security domain through the private key when the digital certificate is verified.
3. The information authentication system according to claim 2, wherein the trusted execution environment is specifically configured to generate, based on a device public key corresponding to the certificate download request, an application certificate corresponding to the certificate download request based on the device public key, the user identifier, and the component identifier.
4. The information authentication system of claim 2, wherein the client application is specifically configured to perform download environment detection on the terminal device, determine whether the terminal device has a download condition, and if so, generate a certificate download request.
5. The method according to claim 2, wherein the trusted execution environment accesses the secure domain, in particular based on the private key, to obtain the device public key, the user identifier and the secure identifier stored in the secure domain, verifies the device public key in the digital certificate based on the device public key stored in the secure domain, verifies an application user in the digital certificate based on the user identifier stored in the secure domain, verifies a certificate authority corresponding to the digital certificate based on a pre-established trusted certificate authority, and verifies a device identity in the digital certificate based on the secure identifier.
6. The method of claim 5, wherein the trusted execution environment is further configured to store the user identification, the element identification, and the device public key in the secure domain based on the private key.
7. The method of claim 1, wherein the trusted execution environment is configured to download an application running on the secure element after creating a secure domain with the private key, install the application into the secure element with the private key, and initialize the application to run on the secure element.
8. The method of claim 1, wherein the trusted execution environment is further configured to generate a visual interface, and to display the visual interface based on a trusted security interface, wherein the visual interface includes service association information corresponding to the service request.
9. The method of claim 8, wherein the trusted execution environment is further configured to store a personal identification number in the secure domain based on the private key, and receive the personal identification number input by the service requesting user based on the visual interface, and obtain the personal identification number stored in the secure domain based on the private key to verify the input personal identification number with the personal identification number stored in the secure domain.
10. An information authentication method, comprising: the method is applied to an information authentication system, the information authentication system comprises terminal equipment, and the terminal equipment is provided with a client application, a trusted execution environment and a secure element; the information authentication method comprises the following steps:
generating a service request through the client application, and sending the service request to a trusted execution environment, wherein the service request carries a user identifier of a service request user;
receiving, by the trusted execution environment, the service request, creating a security domain in the secure element based on an initial private key, writing the initial key into the security domain, and obtaining an element identifier of the secure element, updating the initial key stored in the secure element based on the user identifier and the element identifier, and obtaining a private key to access the security domain based on the private key.
CN202211358241.4A 2022-11-01 2022-11-01 Information authentication method and device, electronic equipment and storage medium Pending CN115801270A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211358241.4A CN115801270A (en) 2022-11-01 2022-11-01 Information authentication method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115801270A true CN115801270A (en) 2023-03-14

Family

ID=85434870

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211358241.4A Pending CN115801270A (en) 2022-11-01 2022-11-01 Information authentication method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115801270A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117332442A (en) * 2023-09-28 2024-01-02 浙江大学 Safe and reliable fingerprint authentication method for three-party equipment
CN117332442B (en) * 2023-09-28 2024-05-17 浙江大学 Safe and reliable fingerprint authentication method for three-party equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination