CN117708792A - REE application credibility authentication method and system in TEE environment - Google Patents


Publication number
CN117708792A
Authority
CN
China
Legal status
Pending
Application number
CN202311624390.5A
Other languages
Chinese (zh)
Inventor
雷灵光
叶钰莹
王跃武
王平建
马文涛
Current Assignee
Institute of Information Engineering of CAS
Original Assignee
Institute of Information Engineering of CAS

Abstract

The invention discloses a trusted authentication method and system for REE applications in a TEE environment. The method comprises the following steps: when an REE application requests a TEE service, feature information of the REE application is collected; in the REE environment, authenticity and integrity protection is applied to the REE application feature information, which is then transmitted to the TEE environment; in the TEE environment, the protected REE application feature information is verified, and the verified feature information is then analyzed with an application authentication model to determine the identity of the REE application. The invention supports trusted identity authentication of REE applications under offline conditions.

Description

REE application credibility authentication method and system in TEE environment
Technical Field
The invention relates to the technical field of information transmission, and in particular to a trusted authentication method and system for REE applications in a TEE environment.
Background
Terminals host a large number of sensitive services, such as mobile payment, biometric identification and mobile banking. To better protect the data and operations on the terminal system, terminal manufacturers provide a hardware isolation technology, the Trusted Execution Environment (TEE), to isolate and protect sensitive data. However, a trusted execution environment alone is not enough to ensure system security: if any application can access the TEE, there is a significant security risk. Thus, only applications that are authenticated and user-authorized can access sensitive data and run sensitive operations. Application authentication in the TEE environment mainly relies on matching the application's uid information against the uid information in the TEE. Because the Rich Execution Environment (REE) is not secure, the uid information in the REE is easy to tamper with once an attacker has permission to modify system files. In addition, there is a semantic gap between the REE and the TEE: the operating system kernel in the TEE cannot authenticate the application, so once the REE's application authentication mechanism is bypassed by an attacker, the TEE's authentication of the application is bypassed as well. One existing solution binds the uid information and a public key together in the TEE, and the TEE sends a random number as a challenge when the REE initiates a request. Because the REE is not secure, it cannot store the private key; the private key is instead stored on the back end of the remote server corresponding to the application, and the application's back end produces a digital signature with the private key for identity authentication by the TEE. This scheme can only be used when the device is networked. How to perform trusted identity authentication of REE applications in an offline environment is a problem to be solved urgently, and the present invention was developed on this basis.
Disclosure of Invention
To address this technical problem, the invention provides a trusted authentication method and system for REE applications in a TEE environment, in which an application authentication model is built from the execution feature information observed when an REE application requests a TEE service, supporting trusted identity authentication of REE applications under offline conditions.
The technical solution of the invention comprises the following:
A method for trusted authentication of an REE application in a TEE environment, comprising:
when an REE application requests a TEE service, collecting REE application feature information;
in the REE environment, applying authenticity and integrity protection to the REE application feature information and then transmitting it to the TEE environment;
in the TEE environment, verifying the REE application feature information that has undergone authenticity and integrity protection, and then analyzing the verified REE application feature information with an application authentication model to determine the identity of the REE application; wherein the application authentication model is obtained using a machine learning model.
Further, the REE application feature information includes: the system call list and call time of the REE application's execution process, and the REE application's uid and Appip.
Further, the machine learning model includes: a random forest model or TextCNN.
Further, applying authenticity and integrity protection to the REE application feature information includes:
encrypting the REE application feature information with a white-box encryption technique to obtain the REE application feature information with authenticity and integrity protection.
A trusted authentication system for REE applications in a TEE environment, comprising:
a data acquisition module, configured to collect REE application feature information when an REE application requests a TEE service;
a white-box protection module, configured to apply authenticity and integrity protection to the REE application feature information in the REE environment and then transmit it to the TEE environment;
a white-box verification module, configured to verify, in the TEE environment, the REE application feature information that has undergone authenticity and integrity protection;
a real-time application authentication module, configured to analyze, in the TEE environment, the verified REE application feature information with the application authentication model to determine the identity of the REE application; wherein the application authentication model is obtained using a machine learning model.
Further, the REE application feature information includes: the system call list and call time of the REE application's execution process, and the REE application's uid and App.
Further, the system includes an application authentication model training module, configured to train on the training data set with the machine learning model to obtain the application authentication model; wherein the machine learning model includes: a random forest model or TextCNN.
Further, the white-box protection module is further configured to:
encrypt the REE application feature information with a white-box encryption technique to obtain the REE application feature information with authenticity and integrity protection.
A computer device, comprising: a processor and a memory storing computer program instructions; the processor, when executing the computer program instructions, implements the method for trusted authentication of an REE application in a TEE environment described in any one of the above.
A computer-readable storage medium on which computer program instructions are stored, wherein the computer program instructions, when executed by a processor, implement the method for trusted authentication of an REE application in a TEE environment described in any one of the above.
Compared with the prior art, the invention builds a trusted authentication model from the execution feature information of REE applications and a machine learning model. When an REE application requests a TEE service, the classification label output by the trusted authentication model decides whether the TEE service is provided, so that an attacked REE application can be effectively identified. Even if some information of the REE application, such as the uid information, is tampered with, the application's other execution features when requesting the TEE service are unchanged, so the trusted authentication model does not output the label corresponding to the tampered uid, which effectively prevents illegal access to keys. In addition, with the trusted authentication model inside the TEE, the invention allows trusted identity authentication under offline conditions, which suits applications that need trusted identity authentication offline without the assistance of an online back end. Finally, the invention uses the white-box protection module to protect the execution feature information of the REE application in the REE and the white-box verification module to verify it in the TEE, ensuring the authenticity and integrity of the feature information.
Drawings
FIG. 1 is a flow chart of the application authentication model training phase of the invention.
FIG. 2 is a flow chart of the real-time application authentication phase of the invention.
FIG. 3 is a block diagram of the REE application trusted authentication system in the TEE environment of the invention.
Detailed Description
In order that those skilled in the art can understand and practice the present invention, the present invention will be further described with reference to the accompanying drawings.
The trusted authentication method for REE applications in a TEE environment comprises two phases: an application authentication model training phase and a real-time application authentication phase. In the training phase, a machine learning model is trained on the execution feature information observed when REE applications request a TEE service, yielding an application authentication model that is stored in the TEE. In the real-time application authentication phase, when a user requests a TEE service, the feature information of the application's execution process is extracted in the REE and transmitted to the TEE, and the application authentication model in the TEE authenticates the application's identity based on that feature information.
The flow chart of the application authentication model training phase is shown in FIG. 1, and its specific steps are as follows:
(1-1) in the REE, monitoring the REE application as it requests the TEE service and collecting the application's execution feature information;
(1-2) after the feature information is extracted, training on it with a machine learning model to obtain a multi-class application authentication model, which is stored in the TEE.
The flow chart of the real-time application authentication phase is shown in FIG. 2, and its specific steps are as follows:
(2-1) collecting the execution feature information when the REE application requests the TEE service;
(2-2) in the REE, applying authenticity and integrity protection to the collected REE application feature information with the white-box protection module;
(2-3) transmitting the feature information processed by the white-box protection module from the REE to the TEE;
(2-4) verifying the authenticity and integrity of the feature information with the white-box verification module in the TEE;
(2-5) in the TEE, determining the identity of the REE application by analyzing the white-box-verified feature information with the application authentication model. If the application authentication model outputs the correct classification label, the service is provided; otherwise, the service is refused.
The feature information of the application's execution process in step (1-1) of the above trusted authentication method includes, but is not limited to, the system call list and call time of the application's execution process, the application uid, app ip, and so on.
The machine learning model in step (1-2) of the above trusted authentication method includes, but is not limited to, a random forest model, TextCNN, and the like. The input of the machine learning model is the feature information obtained by the white-box verification module in step (2-2), and its output is a classification label; each REE application corresponds to one label.
In step (2-2) of the trusted authentication method, the white-box protection module uses a white-box encryption technique to protect the REE application feature information. In step (2-4), the white-box verification module decrypts the encrypted REE application feature information.
The input of the application authentication model in step (2-5) of the above trusted authentication method is the feature information verified by the white-box verification module in step (2-4), and its output is the classification label.
The application authentication model in step (2-5) of the above trusted authentication method is stored in the TEE, and any TEE service that requires identity authentication can train a corresponding application authentication model using step (1).
In step (2-5) of the trusted authentication method, the identity of the REE application is determined by using the trusted authentication model stored in the TEE to perform trusted identity authentication on the REE application, with the feature information verified by the white-box verification module as the model input. If the REE application's information has not been tampered with, the model outputs the correct classification label and identity authentication succeeds. If some information of the REE application has been tampered with, for example if the uid of the attacker application is exchanged with the uid of the target application so that it masquerades as the target application, then because the attacker application's other information does not match, the model does not output the label corresponding to the target application but outputs a wrong label, and identity authentication fails.
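The gate in steps (2-2) to (2-5) and the uid-swap case above, as an added example (not code from the patent): an HMAC tag stands in for the white-box protection and verification modules, a nearest-centroid classifier over syscall frequencies stands in for the random forest or TextCNN, and only the syscall list and uid are modelled. The key, traces, uids, labels, similarity floor and the rule that the predicted label must equal the label bound to the claimed uid are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import math
from collections import Counter

# Assumption: a plain HMAC key stands in for the white-box modules. The page
# uses white-box encryption so that no raw key sits in the untrusted REE.
DEMO_KEY = b"constructed-demo-key"
MIN_SCORE = 0.5  # assumed similarity floor below which no label is returned

# Constructed training traces (steps (1-1), (1-2)): label -> syscall lists
# recorded while each app requests the TEE service.
TRAINING = {
    "pay_app": [["openat", "read", "ioctl", "ioctl", "write", "close"],
                ["openat", "read", "ioctl", "ioctl", "ioctl", "close"]],
    "bank_app": [["socket", "connect", "sendto", "recvfrom", "ioctl", "close"],
                 ["socket", "connect", "sendto", "sendto", "recvfrom", "ioctl"]],
}
# Constructed uid -> label binding kept inside the TEE.
UID_TO_LABEL = {10101: "pay_app", 10202: "bank_app"}


def vectorize(syscalls):
    """Turn a syscall list into a unit-length frequency vector."""
    counts = Counter(syscalls)
    norm = math.sqrt(sum(c * c for c in counts.values())) or 1.0
    return {name: c / norm for name, c in counts.items()}


def train(training):
    """Nearest-centroid stand-in for the random forest / TextCNN model."""
    model = {}
    for label, traces in training.items():
        centroid = Counter()
        for trace in traces:
            for name, value in vectorize(trace).items():
                centroid[name] += value / len(traces)
        model[label] = dict(centroid)
    return model


def classify(model, syscalls):
    """Return the best-matching label, or None if nothing is close enough."""
    vec = vectorize(syscalls)
    scores = {label: sum(vec.get(k, 0.0) * v for k, v in centroid.items())
              for label, centroid in model.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] >= MIN_SCORE else None


def ree_protect(features):
    """REE side, step (2-2): serialize the features and attach a tag."""
    body = json.dumps(features, sort_keys=True)
    tag = hmac.new(DEMO_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def tee_authenticate(model, envelope):
    """TEE side, steps (2-4), (2-5): verify first, then classify and decide."""
    expected = hmac.new(DEMO_KEY, envelope["body"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        return "deny: verification failed"
    features = json.loads(envelope["body"])
    predicted = classify(model, features["syscalls"])
    # Assumption: the "correct" label is the one bound to the claimed uid.
    if predicted is None or predicted != UID_TO_LABEL.get(features["uid"]):
        return "deny: label mismatch"
    return "allow: " + predicted


if __name__ == "__main__":
    model = train(TRAINING)
    genuine = {"uid": 10101,
               "syscalls": ["openat", "read", "ioctl", "write", "close"]}
    # Attacker app presents the target's uid but keeps its own behaviour.
    spoofed = {"uid": 10101,
               "syscalls": ["socket", "connect", "sendto", "recvfrom", "ioctl"]}
    print(tee_authenticate(model, ree_protect(genuine)))
    print(tee_authenticate(model, ree_protect(spoofed)))
```

The spoofed request carries a valid tag and the target's uid, yet it is denied because its syscall profile classifies as a different application.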
The block diagram of the REE application trusted authentication system in a TEE environment provided by the invention is shown in FIG. 3:
(1) The data acquisition module monitors the execution process of an REE application requesting a TEE service and collects the feature information of the application's execution.
(2) The application authentication model training module trains a machine learning model on the feature information extracted by the data acquisition module to obtain an application authentication model that can be used for multi-class classification, and stores the model in the TEE.
(3) The white-box protection module, when a user requests a TEE service in the REE, applies white-box processing to the feature information extracted by the data acquisition module to protect the authenticity and integrity of the application feature information, and transmits the processed data to the white-box verification module.
(4) The white-box verification module verifies, in the TEE, the feature information processed by the white-box protection module to ensure the authenticity and integrity of the application feature information, and transmits the verified information to the real-time application authentication module.
(5) The real-time application authentication module determines the identity of the REE application based on the application authentication model and the feature information verified by the white-box verification module, and returns the result to the REE application that requested the TEE service.
In module (2) of the above trusted authentication system, the model training in the application authentication model training module can be performed in the REE or the TEE, and the trained model is stored in the TEE.
In the above trusted authentication system, the application authentication model training phase involves modules (1) and (2), and the real-time application authentication phase involves modules (1), (3), (4) and (5).
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure. This disclosure is intended to cover any variations, uses, or adaptations of the disclosure that follow its general principles and include such departures from the present disclosure as come within known or customary practice in the art to which the disclosure pertains. The specification and embodiments are to be regarded as exemplary only, and the disclosure is not limited to the exact construction illustrated and described above; various modifications and changes may be made without departing from its scope.

Claims (10)

1. A method for trusted authentication of an REE application in a TEE environment, the method comprising:
when an REE application requests a TEE service, collecting REE application feature information;
in the REE environment, applying authenticity and integrity protection to the REE application feature information and then transmitting it to the TEE environment;
in the TEE environment, verifying the REE application feature information that has undergone authenticity and integrity protection, and then analyzing the verified REE application feature information with an application authentication model to determine the identity of the REE application; wherein the application authentication model is obtained using a machine learning model.
2. The method of claim 1, wherein the REE application feature information comprises: the system call list and call time of the REE application's execution process, and the REE application's uid and Appip.
3. The method of claim 1, wherein the machine learning model comprises: a random forest model or TextCNN.
4. The method of claim 1, wherein applying authenticity and integrity protection to the REE application feature information comprises:
encrypting the REE application feature information with a white-box encryption technique to obtain the REE application feature information with authenticity and integrity protection.
5. A trusted authentication system for REE applications in a TEE environment, the system comprising:
a data acquisition module, configured to collect REE application feature information when an REE application requests a TEE service;
a white-box protection module, configured to apply authenticity and integrity protection to the REE application feature information in the REE environment and then transmit it to the TEE environment;
a white-box verification module, configured to verify, in the TEE environment, the REE application feature information that has undergone authenticity and integrity protection;
a real-time application authentication module, configured to analyze, in the TEE environment, the verified REE application feature information with the application authentication model to determine the identity of the REE application; wherein the application authentication model is obtained using a machine learning model.
6. The system of claim 5, wherein the REE application feature information comprises: the system call list and call time of the REE application's execution process, and the REE application's uid and App.
7. The system of claim 5, wherein the system further comprises:
an application authentication model training module, configured to train on the training data set with the machine learning model to obtain the application authentication model; wherein the machine learning model comprises: a random forest model or TextCNN.
8. The system of claim 5, wherein the white-box protection module is further configured to:
encrypt the REE application feature information with a white-box encryption technique to obtain the REE application feature information with authenticity and integrity protection.
9. A computer device, the computer device comprising: a processor and a memory storing computer program instructions; the processor, when executing the computer program instructions, implements the method for trusted authentication of an REE application in a TEE environment according to any one of claims 1 to 4.
10. A computer-readable storage medium, characterized in that it has stored thereon computer program instructions which, when executed by a processor, implement the method for trusted authentication of an REE application in a TEE environment according to any one of claims 1 to 4.
CN202311624390.5A 2023-11-30 2023-11-30 REE application credibility authentication method and system in TEE environment Pending CN117708792A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311624390.5A CN117708792A (en) 2023-11-30 2023-11-30 REE application credibility authentication method and system in TEE environment

Publications (1)

Publication Number Publication Date
CN117708792A (en) 2024-03-15

Family

ID=90147037

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination