TW201939345A - Data processing method, and application method and apparatus of trusted user interface resource data - Google Patents

Data processing method, and application method and apparatus of trusted user interface resource data

Info

Publication number: TW201939345A
Authority: TW (Taiwan)
Prior art keywords: user interface, resource data, trusted user, trusted, encrypted
Application number: TW107134281A
Other languages: Chinese (zh)
Inventor: 尉魯飛
Original Assignee: 香港商阿里巴巴集團服務有限公司
Application filed by: 香港商阿里巴巴集團服務有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/74 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode
    • G06F21/82 Protecting input, output or interconnection devices
    • G06F21/84 Protecting input, output or interconnection devices output devices, e.g. displays or monitors

Abstract

Disclosed are a data processing method, and an application method and apparatus of trusted user interface resource data, comprising: triggering the launch of a trusted user interface on a non-trusted user interface, acquiring encrypted trusted user interface resource data from a rich execution environment, and providing same to a trusted execution environment; in the trusted execution environment, decrypting the encrypted trusted user interface resource data and, on the basis of the decrypted trusted user interface resource data, displaying a trusted user interface. The present application at least ensures the security and integrity of TUI resource data when a terminal device cannot provide a secure storage function.

Description

Data processing method, and application method and device for trusted user interface resource data

The present invention relates to the field of computer technology, and in particular to a data processing method and to a method and device for applying trusted user interface resource data.

In the related art, displaying a Trusted User Interface (TUI) requires TUI resource data. Using these resources, a graphical user interface can be displayed in a Trusted Execution Environment (TEE), giving users a secure and trusted graphical interactive interface that protects user information (such as account information and password information).

In the related art, TUI resource data is generally stored in the trusted memory of the terminal device. However, when a terminal device cannot use relatively expensive trusted memory for cost reasons, or cannot provide trusted memory because of a hardware design defect, the terminal device cannot provide a secure storage function. No effective solution has yet been proposed for how to store TUI resource data in that situation so that its security and integrity are guaranteed.

The present invention aims to solve the above technical problems in the related art.

The present invention provides a data processing method and a method and device for applying trusted user interface resource data, which can at least ensure the security and integrity of resource data when a terminal device cannot provide a secure storage function.

The present invention adopts the following technical solutions.

A method for applying trusted user interface resource data includes: triggering the launch of a trusted user interface on an untrusted user interface, obtaining encrypted trusted user interface resource data from a rich execution environment, and providing it to a trusted execution environment; and, in the trusted execution environment, decrypting the encrypted trusted user interface resource data and displaying the trusted user interface based on the decrypted trusted user interface resource data.

The method further includes: before obtaining the encrypted trusted user interface resource data from the rich execution environment and providing it to the trusted execution environment, generating the encrypted trusted user interface resource data. Generating the encrypted trusted user interface resource data includes one of the following:

1) generating a trusted user interface resource data package, generating a digital signature of the package using a secure hash algorithm and an asymmetric encryption algorithm, and appending the digital signature after the package to obtain the encrypted trusted user interface resource data;

2) encrypting the trusted user interface resource data directly with the Advanced Encryption Standard (AES) encryption algorithm to generate the encrypted trusted user interface resource data.

Decrypting the encrypted trusted user interface resource data in the trusted execution environment includes: decrypting the encrypted trusted user interface resource data using a preset trusted user interface resource key.

Decrypting the encrypted trusted user interface resource data in the trusted execution environment includes one of the following:

1) verifying the digital signature of the encrypted trusted user interface resource data using a public key;

2) decrypting the encrypted trusted user interface resource data using an AES decryption algorithm.

The method further includes: before obtaining the encrypted trusted user interface resource data from the rich execution environment and providing it to the trusted execution environment, storing the encrypted trusted user interface resource data in the rich execution environment.

Storing the encrypted trusted user interface resource data in the rich execution environment includes: storing it in an untrusted storage space in the rich execution environment.

Triggering the launch of the trusted user interface on the untrusted user interface, obtaining the encrypted trusted user interface resource data from the rich execution environment and providing it to the trusted execution environment includes: when a user operation on the untrusted user interface triggers the launch of the trusted user interface, loading the encrypted trusted user interface resource data in the rich execution environment and sending it to shared memory; and, in the trusted execution environment, copying the encrypted trusted user interface resource data from the shared memory to the protected memory of the trusted execution environment.

Obtaining the encrypted trusted user interface resource data from the rich execution environment and providing it to the trusted execution environment includes: sending, by the trusted user interface program, a request for trusted user interface resource data to the rich execution environment; loading, based on the request, the encrypted trusted user interface resource data in the rich execution environment and sending it to shared memory; and copying, by the trusted user interface program, the encrypted trusted user interface resource data from the shared memory to the protected memory of the trusted execution environment.

The request for trusted user interface resource data carries a trusted user interface identifier. In the rich execution environment, the corresponding encrypted trusted user interface resource data is loaded based on the identifier carried in the request and sent to shared memory.

The method further includes: while the trusted user interface program is exiting, or after it has exited, clearing the trusted user interface resource data from the protected memory of the trusted execution environment.

The method further includes: after the trusted user interface program exits, clearing the encrypted trusted user interface resource data from the shared memory.

Displaying the trusted user interface based on the decrypted trusted user interface resource data includes: displaying a graphical trusted user interface based on the decrypted trusted user interface resource data.

A device for applying trusted user interface resource data includes: a providing module, configured to trigger the launch of a trusted user interface on an untrusted user interface, obtain encrypted trusted user interface resource data from a rich execution environment, and provide it to a trusted execution environment; and a trusted user interface module, configured to decrypt the encrypted trusted user interface resource data in the trusted execution environment and display the trusted user interface based on the decrypted trusted user interface resource data.

The device further includes a generating module, configured to generate the encrypted trusted user interface resource data in one of the following ways:

1) generating a trusted user interface resource data package, generating a digital signature of the package using a secure hash algorithm and an asymmetric encryption algorithm, and appending the digital signature after the package to obtain the encrypted trusted user interface resource data;

2) encrypting the trusted user interface resource data directly with the Advanced Encryption Standard (AES) encryption algorithm to generate the encrypted trusted user interface resource data.

The providing module is configured to load the encrypted trusted user interface resource data in the rich execution environment and send it to shared memory when a user operation on the untrusted user interface triggers the launch of the trusted user interface. The trusted user interface module is configured to copy the encrypted trusted user interface resource data from the shared memory to the protected memory of the trusted execution environment.

The device further includes a storage module, located in the rich execution environment, for storing the encrypted trusted user interface resource data.

A device for applying trusted user interface resource data includes: a display; a memory storing a computer program; and a processor configured to read the computer program to perform the operations of the above method for applying trusted user interface resource data.

A computer-readable storage medium stores a computer program which, when executed by a processor, implements the steps of the above method for applying trusted user interface resource data.

A data processing method includes: obtaining encrypted resource data from a rich execution environment and providing it to a trusted execution environment; decrypting the encrypted resource data in the trusted execution environment; and processing the decrypted resource data.

The present invention has the following advantages.

In the present invention, when the TUI needs to be displayed, the encrypted TUI resource data can be obtained from the REE and provided to the TEE, and the TEE decrypts it and uses the TUI resource data to display the TUI. This not only ensures the integrity and confidentiality of the TUI resource data, but also allows the TUI resource data to be stored in untrusted memory. It avoids the restriction that trusted memory must be used to store TUI resource data, solves the problem that some terminal devices cannot store TUI resource data securely because they cannot provide secure memory, and can effectively reduce the hardware cost of using mobile security technology on terminal devices.

Of course, a product implementing the present invention does not necessarily need to achieve all of the above advantages at the same time.

下面將結合圖式及實施例對本發明的技術方案進行更詳細的說明。   需要說明的是,如果不衝突,本發明實施例以及實施例中的各個特徵可以相互結合,均在本發明的保護範圍之內。另外,雖然在流程圖中示出了邏輯順序,但是在某些情況下,可以以不同於此處的循序執行所示出或描述的步驟。   在一個典型的配置中,用戶端或伺服器的計算設備可包括一個或多個處理器(CPU)、輸入/輸出介面、網路介面和記憶體(memory)。   記憶體可能包括電腦可讀介質中的非永久性記憶體,隨機存取記憶體(RAM)和/或非揮發性記憶體等形式,如唯讀記憶體(ROM)或快閃記憶體(flash RAM)。記憶體是電腦可讀介質的示例。記憶體可能包括模組1,模組2,……,模組N(N為大於2的整數)。   電腦可讀介質包括永久性和非永久性、可移動和非卸除式存放裝置介質。儲存介質可以由任何方法或技術來實現資訊儲存。資訊可以是電腦可讀指令、資料結構、程式的模組或其他資料。電腦的儲存介質的例子包括,但不限於相變記憶體(PRAM)、靜態隨機存取記憶體(SRAM)、動態隨機存取記憶體(DRAM)、其他類型的隨機存取記憶體(RAM)、唯讀記憶體(ROM)、電可擦除可程式設計唯讀記憶體(EEPROM),快閃記憶體或其他記憶體技術、唯讀光碟唯讀記憶體(CD-ROM)、數位多功能光碟(DVD)或其他光學儲存、磁盒式磁帶,磁帶磁磁片儲存或其他磁性存放裝置或任何其他非傳輸介質,可用於儲存可以被計算設備存取的資訊。按照本發明中的界定,電腦可讀介質不包括非暫存電腦可讀媒體(transitory media),如調變的資料信號和載波。   本發明中所述的終端設備可以是手機、平板電腦、移動網際網路設備、可穿戴設備或其他可部署CPU的硬體實體或虛擬裝置。   本發明涉及術語解釋如下:   可信執行環境(TEE,Trusted Execution Environment):提供一種相對於REE隔離的執行環境,提供代碼的保護執行及資料的機密性、隱私管理功能。   富執行環境(REE,Rich Execution Environment):提供給富作業系統執行和管理的運行環境,它在可信執行環境之外,在該環境執行的應用被認為是不可信的。   富作業系統(ROS,Rich OS):在REE中執行,相對於TEE內執行的作業系統,富作業系統將提供更多豐富功能,它對於應用的安裝使用相較於可信作業系統更為開放。   可信作業系統(TOS,Trusted OS):在TEE中執行,使用TEE安全特性相關的硬體、軟體或兩者結合的技術來保護執行的代碼和資料,提供對TA的載入、執行和管理等功能。   可信用戶介面(TUI,Trusted User Interface):在TEE中提供可信的用戶介面,以保護比如密碼、身份等敏感的資訊不被TEE之外的程式探知。   可信用戶介面的代理程式(TUI Agent):是在REE側運行的TUI代理程式,負責接收應用程式對TUI的服務請求並轉發給TUI、以及載入TUI資源資料。   安全硬體平臺(Platform Hardware):具備可以運行TEE的硬體和配套軟體的完整系統。比如,ARM CPU通過信任區(TrustZone)技術來支持TEE,並通過配套的可信韌體(ARM trusted firmware)來支持REE與TEE的切換和資訊的傳遞,包含TrustZone、可信韌體的ARM CPU可以為Platform Hardware的一個示例。   共用記憶體:供REE和TEE共同使用的記憶體。   REE側專用記憶體:僅在REE下使用的記憶體。   TEE的受保護記憶體:僅在TEE下使用的記憶體。   安全雜湊演算法(SHA,Secure Hash Algorithm):是美國國家標準技術研究所發佈的國家標準FIPS PUB 180,最新的標準已經於2008年更新到FIPS PUB 180-3。其中規定了SHA-1,SHA-224,SHA-256,SHA-384,和SHA-512這幾種單向散列演算法。SHA-1,SHA-224和SHA-256適用於長度不超過2^64二進位位元的消息。SHA-384和SHA-512適用於長度不超過2^128二進位位元的消息。   高級加密標準(AES,Advanced Encryption Standard):AES是由NIST(美國國家標準與技術研究院)於2001年11月26日發佈於FIPS PUB 197,並在2002年5月26日成為有效的標準。AES演算法是一種對稱式金鑰密碼編譯演算法,AES是一個反覆運算的、對稱金鑰分組的密碼,可以使用128、192和256位金鑰,並且用128位元(16位元組)分組加密和解密資料。IEEE 
802.15.4採用固定的128位金鑰,記為AES-128。不論對於AES加密演算法還是解密演算法,都是使用輪變換的操作。工作模式包括電碼本模式(ECB,Electronic Codebook Book)、密碼分組連結模式(CBC)、密碼回饋模式(CFB)、輸出回饋模式(OFB)、計數器模式(CTR,Counter)。   RSA(RSA algorithm):一種非對稱加密演算法,是目前加解密技術中最優秀的公開金鑰演算法之一。   如圖1所示,為相關技術中支援TEE的系統架構。其中,所述系統包含REE下的ROS、TUI Agent、可信記憶體(Trusted Storage)以及TEE下的TOS、TUI,ROS與TOS共用Platform Hardware,ROS與TOS之間可交互資訊 (Messages),TUI資源資料儲存在可信記憶體中,TEE使用安全儲存的金鑰(Trusted storage key)解密獲得TUI資源資料並將TUI資源資料提供給TUI使用。此方式依賴於可信記憶體的存在,然而可信記憶體需要硬體提供支援,比如嵌入式多媒體儲存卡(eMMC,Embedded Multi Media Card)的RPMB分區或受硬體保護的片內flash等。在終端設備出於成本考慮無法使用相對昂貴的eMMC,或者由於終端設備的硬體設計缺陷而無法提供硬體保護的可信存放裝置、只能使用外部普通的flash時,終端設備將無法提供可信記憶體或不具備該可信記憶體,此時,上述方案將無法使用,TUI資源資料將無法得到有效保護。   為解決上述問題,本發明提出如下技術方案,該技術方案適用於無安全存放裝置時需要使用資源資料的應用場景。   本發明的技術方案包括:一種資料處理方法,該方法可以包括:從REE獲取加密的資源資料並提供給TEE;在TEE中將所述加密的資源資料解密;對所述解密後的資源資料進行處理。這裡,該資源資料包括但不限於TUI資源資料,該TUI資源資料用於呈現TUI,適用於無安全存放裝置時需要使用TUI資源資料的應用場景。對資源資料進行處理包括但不限於TUI在TEE下的呈現。應當理解,本發明的技術方案中,資源資料還可以是其他類型,相應的處理也不限於TUI的呈現。對於資源資料的類型及其處理方式,視具體應用場景而定,本發明不予限制。   下面對本發明技術方案的實現方式進行詳細說明。 實施例一   一種TUI資源資料的應用方法,如圖2所示,可包括:   步驟201,在非TUI上觸發TUI的啟動,從REE獲取加密的可信用戶介面資源資料並提供給TEE;   步驟202,在TEE中將所述加密的TUI資源資料解密,並基於所述解密後的TUI資源資料顯示TUI。   本實施例中,需要顯示TUI時從REE獲取加密的TUI資源資料並提供給TEE,TEE將其解密即可使用該TUI資源資料顯示TUI,這樣,不僅可以保證TUI資源資料的完整性和保密性,而且可以將TUI資源資料儲存在不可信的記憶體上,避開了必須使用可信記憶體存放TUI資源資料的限制,解決了某些終端設備因無法提供安全記憶體而導致TUI資源資料無法被安全儲存的問題,可有效降低終端設備使用移動安全技術的硬體成本。   本實施例中,還可以包括:從富執行環境獲取加密的可信用戶介面資源資料並提供給可信執行環境之前,將加密的TUI資源資料存放在REE中。   由於本實施例採用加密的TUI資源資料,因此存放時可以存放在REE中的任何記憶體中,也就是說,既可以存放在可信記憶體中,也可以存放在不可信的記憶體中,具體使用何種類型的記憶體存放該加密的TUI資源資料,可根據實際應用的需要或終端設備的硬體設定靈活調整。一種實現方式中,可以將所述加密的TUI資源資料存放在REE中不可信的儲存空間中,以降低記憶體的成本。實際應用中,該不可信的儲存空間還可以稱之為非安全儲存區域。這裡,儲存空間可以是一個記憶體,也可以是記憶體中的一個區域。比如,可以將該加密的TUI資源資料儲存到終端設備外接的Flash。   本實施例中,TUI資源資料可以包括字體、字元、圖片等。該TUI資源資料可以是TUI靜態資源資料,也可以是TUI動態資源資料。其中,TUI靜態資源資料可隨應用程式的安裝預存到終端設備上,TUI動態資源資料則需要即時通過網路下發。對於TUI靜態資源資料,可以在應用程式安裝時預先將加密的TUI資源資料存放在REE中。對於TUI動態資源資料,可以由網路側動態下發加密的TUI資源資料到終端設備,終端設備將該加密的TUI資源資料暫存在REE中。本實施例中的方法較佳用於TUI靜態資源資料。   
本實施例中,可以通過非可信用戶介面上的用戶操作觸發可信用戶介面的啟動。也就是說,用戶可以在終端設備顯示非TUI時在該非TUI上進行操作,以觸發TUI的啟動。實際應用中,該操作可以是按鍵操作、語音操作、觸控操作或其他用戶操作。比如,用戶在使用終端設備的某個應用程式時,可以先進入該應用程式的非TUI,在顯示非TUI時用戶可以在該非TUI上進行操作,觸發TUI顯示請求,終端設備在TUI顯示請求的指示下執行REE到TEE的切換,REE可以在此切換的執行過程中向TEE提供加密的TUI資源資料,TEE將其解密後使用該TUI資源資料顯示TUI。   本實施例中,所述方法還可以包括:從富執行環境獲取加密的可信用戶介面資源資料並提供給可信執行環境之前,產生所述加密的TUI資源資料;其中,所述產生所述加密的TUI資源資料的方式可以包括如下之一:1)產生TUI資源資料包,利用安全雜湊演算法和非對稱加密演算法產生所述TUI資源資料包的數位簽章,將所述數位簽章附加在所述TUI資源資料包之後,以得到所述加密的TUI資源資料;2)利用AES加密演算法直接對TUI資源資料進行加密處理,以產生所述加密的TUI資源資料。實際應用中,可基於應用環境的需求選擇合適的加密演算法加密TUI資源資料,以確保TUI資源資料的完整性和保密性。   實際應用中,一個應用程式的所有用戶介面的TUI資源資料可統一加密,這些TUI資源資料全部採用同一加密演算法和同一金鑰。對應不同應用程式的TUI資源資料可採用不同的加密演算法,也可採用相同的加密演算法,但採用相同的加密演算法時需要使用不同的金鑰。   本實施例中,在TEE中將所述加密的TUI資源資料解密,可以包括:使用預先設定的TUI資源金鑰對所述加密的TUI資源資料進行解密。一種實現方式中,在TEE中將所述加密的TUI資源資料解密的方式可以包括如下之一:1)使用公開金鑰對所述加密的TUI資源資料的數位簽章進行驗簽;2)利用AES解密演算法對所述加密的TUI資源資料進行解密。   實際應用中,如果加密TUI資源資料時使用的是數位簽章,那麼TEE使用公開金鑰對所述加密的TUI資源資料進行驗簽,此時,上述預先設定的TUI資源金鑰即是指該公開金鑰。如果加密TUI資源資料時採用AES加密演算法,那麼TEE使用相應的AES解密演算法對所述加密的TUI資源資料進行解密,此時,上述預先設定的TUI資源金鑰即是指該AES解密演算法的金鑰。   具體的,TUI資源資料的加解密演算法可以採用如下方案:   1)先使用SHA-1、SHA-224、SHA-256、SHA-384、SHA-512中之一對所述TUI資源資料包進行數位摘要,然後通過非對稱加密演算法(比如,RSA演算法)對該數位摘要進行加密,產生所述TUI資源資料包的數位簽章,將所述數位簽章附加在所述TUI資源資料包之後,得到所述加密的TUI資源資料。在TEE使用被加密的TUI資源資料時,只需要使用公開金鑰對該數位簽章進行驗證,即可保證該TUI資源是未被篡改的資料。   2)使用ECB、CBC、CFB、OFB、CTR的AES加密演算法對TUI資源資料進行直接加密。在TEE使用被加密的TUI資源時,直接使用相應的AES解密演算法解密即可使用TUI資源資料。   實際操作中,可以由應用程式開發者通過資源產生工具並利用上述加密演算法產生TUI資源資料並進行加密處理。對TUI資源資料進行加密處理時涉及的私密金鑰可以由應用程式開發者自行保護其安全性。   比如,應用程式開發者在開發過程中通過TUI資源產生工具產生TUI資源資料包,並通過SHA256對資源包進行數位摘要,然後通過RSA2048對摘要進行加密,產生TUI資源資料包的數位簽章,將該數位簽章附加所述TUI資源資料包後即可得到加密的TUI資源資料包。當應用程式安裝時,將加密的TUI資源資料包存放在REE的記憶體上。TUI顯示時,TEE使用公開金鑰來驗簽該加密的TUI資源資料包,驗簽通過則將TUI資源資料存放於TEE的受保護記憶體中,顯示TUI時使用。這裡,TUI資源工具是專門用於人工編碼的工具。   再比如,應用程式開發者在開發過程中,通過TUI資源產生工具產生TUI資源資料並利用AES CTR演算法直接對該TUI資源資料進行加密處理,產生加密的TUI資源資料包。當應用程式安裝時,將該加密的TUI資源資料包存放在REE的記憶體上。TUI顯示時,TEE獲取到該加密的TUI資源資料包之後,通過AES CTR演算法的金鑰解密該加密的TUI資源資料包,並存放於TEE的受保護記憶體中,供顯示TUI時使用。   
實際應用中,上述應用程式的安裝依照終端設備的具體情況而定,可以是終端設備在生產階段便預置其中,也可以是用戶通過網路手動下載到終端設備。比如,對於二維條碼支付設備,其應用程式在設備的生產階段便預置其中,相應的,加密的TUI資源資料也可以在生產階段便預先存放在二維條碼支付設備的記憶體中。   本實施例中,在非TUI上觸發TUI的啟動,從REE獲取加密的可信用戶介面資源資料並提供給TEE,可以包括:非TUI上的用戶操作觸發TUI的啟動時,在REE中載入所述加密的TUI資源資料並送到共用記憶體;在TEE中將所述加密的TUI資源資料從所述共用記憶體複製到TEE的受保護記憶體。一種實現方式中,將所述加密的TUI資源資料提供給TEE,可以包括:通過TUI程式向REE發送針對TUI資源資料的請求,基於所述請求在REE中載入所述加密的TUI資源資料並送到共用記憶體;通過所述TUI程式將所述加密的TUI資源資料從所述共用記憶體複製到TEE的受保護記憶體。這裡,所述針對TUI資源資料的請求中可以攜帶TUI標識;在REE中,基於所述請求中攜帶的TUI標識,載入對應的加密的TUI資源資料並送到共用記憶體。實際應用中,該TUI標識可以是通用唯一識別碼(UUID,Universally Unique Identifier)或其他類似的資訊。   實際應用中,應用程式請求打開TUI時,先開啟TUI代理程式(TUI Agent),然後應用程式調用TUI Agent發送TUI啟動命令給TEE,在TEE中根據該TUI啟動命令的要求開啟TUI程式,TUI程式啟動時發送針對TUI資源資料的請求給REE中的TUI Agent,TUI Agent基於請求載入相應的加密TUI資源資料到共用記憶體,TEE中的TUI程式從共用記憶體讀取該加密TUI資源資料,解密後將TUI資源資料存放在TEE側的受保護記憶體中,提供給TUI程式呈現TUI時使用。   本實施例中,可以通過不同命令來區分TUI程式向REE請求的資料。一種實現方式中,上述針對TUI資源資料的請求可以表示為指定的命令。比如,可以預先設定CMD=1 為TUI資源資料的打開命令,那麼,TEE中的TUI程式將該“CMD =1”的命令發送給REE中的TUI Agent,TUI Agent即會在該命令的指示下載入相應的加密TUI資源資料到共用記憶體。   實際應用中,如果終端設備存在多個TUI程式,那麼,相應的TUI資源資料與TUI程式之間可以通過TUI標識(比如,UUID)綁定。這裡,對應某個TUI程式的TUI標識(比如,UUID)包含在加密TUI資源資料中。比如,如果TUI_A程式需要載入TUI_A資源資料,向TUI Agent可以發送了攜帶TUI_A的UUID的針對TUI資源資料的請求,那麼TUI Agent可以根據該針對TUI資源資料的請求中攜帶的UUID查找記憶體中存放的眾多加密TUI資源資料中哪個加密TUI資源資料的UUID符合該TUI_A的UUID,找到與TUI_A的UUID相匹配的加密TUI資源資料之後再載入。   實際應用中,本實施例中的TUI可以是任何類型。一種實現方式中,該TUI較佳為圖像化的TUI,比如,該TUI可以是包含商家支付二維條碼的TUI。也就是說,本實施例的一種實現方式中,可以基於所述解密後的TUI資源資料顯示圖形化的TUI。   本實施例中,上述方法還可以包括:在退出所述TUI程式的過程中或退出所述TUI程式之後,清除所述TEE的受保護記憶體中的所述TUI資源資料。比如,TEE中的TOS接收到來自REE側的針對所述TUI程式的關閉命令後,可以清除所述TEE的受保護記憶體中的所述TUI資源資料,以釋放TEE受保護內中的空間。換言之,本實施例在顯示TUI的過程中會將解密後的TUI資源資料存放在TEE側的受保護記憶體中,持續整個TUI顯示的生命期,直到用戶將TUI關閉。TUI被關閉後,該解密後的TUI資源資料從TEE側的受保護記憶體中清除,以釋放其佔用的記憶體。   本實施例中,上述方法還可以包括:在所述TUI程式退出後,清除所述共用記憶體中所述加密的TUI資源資料。比如,在REE側的TUI Agent發出針對所述TUI程式的關閉命令後,可以將共用記憶體中的加密TUI資源資料刪除,以及時釋放該加密TUI資源資料在共用記憶體中佔用的空間。換言之,本實施例在顯示TUI的過程中,會將加密TUI資源資料存於REE側的共用記憶體以便TEE側即時讀取。在TUI關閉後,可以將該加密TUI資源資料從該共用記憶體中清除,以釋放其佔用的記憶體。   本實施例的上述方法可通過任何能夠提供TEE安全能力的終端設備實現。尤其是,可適用於無法提供安全儲存但能夠提供TEE安全能力的終端設備。比如低成本的線下二維條碼支付設備等。 
  如圖3所示,為本實施例的上述方法應用於無法提供安全儲存但能夠提供TEE安全能力的終端設備時,該終端設備的系統架構示例圖,如圖4所示為該終端設備系統架構的另一示例性圖。   如圖5所示,本實施例的上述方法可以通過如下的示例性流程實現:   步驟501,在TUI資源資料被安裝到終端設備之前,通過加密軟體對TUI資源資料進行加密處理,產生加密TUI資源資料(TUI En-Rsc,TUI encrypted resource);   步驟502,在應用程式安裝時,將該應用程式的加密TUI資源資料儲存到終端設備REE側的記憶體(比如,不可信記憶體)中;   步驟503,需要啟動TUI時,TUI Agent將加密TUI資源資料從REE側的記憶體載入到共用記憶體,以將所載入的加密TUI資源資料(通過Platform中的共用記憶體)提供給TEE側。   步驟504,TEE側,TUI程式從共用記憶體獲取加密TUI資源資料之後,通過預先設定的TUI資源金鑰(TUI resource key)進行解密,得到解密後的TUI資源資料(TUI De-Rsc,TUI decrypted resource),並將解密後的TUI資源資料存放在TEE側的受保護記憶體中;   步驟505,TUI程式使用解密後的TUI資源資料,顯示圖形化的TUI,以便用戶在安全的TEE中進行操作(比如,輸入帳號密碼;比如,輸入身份證資訊等)。   需要說明的是,上述圖3、圖4和圖5為本實施例方法的示例性實現形式,在其他應用場景中本實施例的上述方法還可以通過其他方式來實現。 實施例二   本實施例提供一種TUI資源資料的應用裝置,可以包括:提供模組和處理模組;其中,提供模組,可用於從REE獲取加密的資源資料並提供給TEE;處理模組,可用於在TEE中將所述加密的資源資料解密;對所述解密後的資源資料進行處理。該處理模組包括但不限於下文所述的TUI模組。   具體來講,本實施例中TUI資源資料的應用裝置如圖6所示,可以包括:   提供模組62,用於在非TUI上觸發TUI的啟動,從REE獲取加密的可信用戶介面資源資料並提供給TEE;   TUI模組63,用於在TEE中將所述加密的TUI資源資料解密,並基於所述解密後的TUI資源資料顯示TUI。   本實施例的上述應用裝置,還可以包括:產生模組64,用於通過如下之一產生所述加密的TUI資源資料:1)產生TUI資源資料包,利用安全雜湊演算法和非對稱加密演算法產生所述TUI資源資料包的數位簽章,將所述數位簽章附加在所述TUI資源資料包之後,得到所述加密的TUI資源資料;2)利用高級加密標準AES加密演算法直接對TUI資源資料進行加密處理,產生所述加密的TUI資源資料。   本實施例的上述應用裝置,還可以包括:設置於REE中的儲存模組61,用於存放所述加密的TUI資源資料。一種實現方式中,該儲存模組61可以是REE中不可信的儲存空間。   本實施例中的上述應用裝置中,所述提供模組62,可用於在非TUI上的用戶操作觸發TUI的啟動時,在REE中載入所述加密的TUI資源資料並送到共用記憶體;所述TUI模組,可用於將所述加密的TUI資源資料從所述共用記憶體複製到TEE的受保護記憶體中。   實際應用中,本實施例的上述應用裝置可設置於任何能夠提供TEE安全能力的終端設備中或實現為該終端設備。尤其是,本實施例的上述應用裝置可設置於無法提供安全儲存但能夠提供TEE安全能力的終端設備中或實現為該終端設備。比如,本實施例的上述應用裝置可設置於低成本的線下二維條碼支付設備中。   需要說明的是,本實施例的上述應用裝置中,設置於REE中的儲存模組61、提供模組62、TUI模組63、產生模組64分別可以是軟體、硬體或兩者的結合。一種實現方式中,設置於REE中的儲存模組61可以體現為終端設備的不可信記憶體或不可信儲存區域,提供模組62可以體現為終端設備中REE側的TUI Agent,TUI模組63可以體現為終端設備中TEE側的TUI程式,產生模組64可以體現為終端設備的外接設備,該外接設備可以是支援TUI資源產生工具、加密演算法(比如,AES演算法;比如,數位簽章相關的加密演算法等)的任何類型的設備。 實施例三   一種TUI資源資料的應用裝置,如圖7所示,可以包括:   顯示器71;   儲存有電腦程式的記憶體72;   處理器73,配置為讀取所述電腦程式以執行實施例一所述可信用戶介面資源資料的應用方法的操作。   這裡,處理器73可以配置為讀取所述電腦程式以執行如下操作:從REE獲取加密的資源資料並提供給TEE;在TEE中將所述加密的資源資料解密;對所述解密後的資源資料進行處理。   
具體來講,處理器73,配置為讀取所述電腦程式以執行實施例一中的步驟201~步驟202。   本實施例中TUI資源資料的應用裝置的其他技術細節可參照上文方法部分。   實際應用中,圖7所示的TUI資源資料的應用裝置可以通過任何能夠提供TEE安全能力的終端設備來實現。   需要說明的是,圖7所示的TUI資源資料的應用裝置除包含上述的記憶體和處理器之外,還可包含其他部件。比如,TUI資源資料的應用裝置中還可以包含用於儲存用戶資料的資料記憶體(比如,不可信記憶體等);再比如,TUI資源資料的應用裝置中還可包含用於與外部設備進行通信的通信電路;再比如,TUI資源資料的應用裝置中還可以包含用於將各部分耦合連接的匯流排。又比如,TUI資源資料的應用裝置還可以包括輸出TUI相關音訊的音訊輸出部件(如,喇叭)等。除此之外,該TUI資源資料的應用裝置還可以包含其他部件。 實施例四   本實施例還提供一種電腦可讀儲存介質,所述電腦可讀儲存介質上儲存有電腦程式,所述電腦程式被處理器執行時實現如上述TUI資源資料的應用方法的步驟。   這裡,所述電腦程式被處理器執行時實現的步驟包括:從REE獲取加密的資源資料並提供給TEE;在TEE中將所述加密的資源資料解密;對所述解密後的資源資料進行處理。具體來講,所述電腦程式被處理器執行時可實現如實施例一的步驟201~步驟202。本實施例的其他技術細節可參照實施例一。   下面對上述各實施例的示例性實現方式進行詳細說明。需要說明的是,下文各實例可相互結合。並且,下文實例中各流程、執行過程等也可以根據實際應用的需要進行調整。此外,在實際應用中,上述各實施例還可以有其他的實現方式。 實例1   實際應用中存在低成本的終端設備,比如線下二維條碼支付設備,可以提供支付二維條碼顯示,但其不具備提供安全儲存的能力。因此,此類設備需要提供TUI功能時,便需要使用本實施例的方案以保護TUI資源資料的安全。   本實例中,以低成本的線下二維條碼支付設備為例對本發明各實施例的具體實現方式進行說明。   如圖8所示,為二維條碼支付設備的應用環境及其內部系統架構的示例圖。本實例中,該二維條碼支付設備可以提供商家的支付二維條碼顯示,買家可以通過手機掃描該二維條碼支付設備顯示的二維條碼完成支付。該二維條碼支付設備顯示的二維條碼需要滿足安全性、不可替代性的要求。因此,在其具備提供TEE能力的基礎上,會通過TUI來顯示二維條碼,以此保護二維條碼的安全性。   如圖9所示,二維條碼支付設備通過TUI顯示二維條碼的過程可以包括:   步驟901,商家按電源鍵啟動設備,設備啟動時通過二維條碼支付應用程式調用TUI Agent。   其中,二維條碼支付應用程式主要負責獲取商家的支付二維條碼資訊、交易資訊的上傳、交易狀態資訊的獲取以及調用TUI Agent來完成TUI的顯示和交互。   步驟902,當顯示在非TUI介面時,商家通過按下確認鍵觸發TUI Agent發送TUI開啟命令,該TUI開啟命令通過ROS驅動調用Platform Hardware服務傳遞到TOS。   步驟903,TOS接收到TUI開啟命令後,啟動TUI程式,並向TUI Agent申請被加密的資源資料即向TUI Agent發送針對TUI資源資料的請求;   步驟904,TUI Agent 接收到針對TUI資源資料的請求後,打開REE的不可信記憶體中存放的加密TUI資源資料並載入到共用記憶體。   這裡,TUI Agent還可以從網路端下載加密的TUI資源資料到共用記憶體。   步驟905,TUI程式將共用記憶體中加密的TUI資源資料複製到TEE的受保護記憶體,並利用預存的TUI資源金鑰(TUI resource key)解密該加密的TUI資源資料並將解密後的TUI資源資料存放到TEE的受保護記憶體。   步驟906,TUI程式從TEE的受保護記憶體中讀取解密後的TUI資源資料,使用該TUI資源資料產生包含商家的支付二維條碼的TUI並顯示該TUI。如圖10所示,為二維條碼支付設備顯示該TUI的示例圖。   實際應用中,在買家通過手機掃碼並完成支付之後,商家可按逸出鍵退出該TUI,或者在買家掃碼並完成之後由交易伺服器通過網路向終端設備的二維條碼支付應用程式下發交易成功資訊,二維條碼支付應用程式調用TUI Agent主動發起TUI的退出流程。主動發起TUI關閉命令給TOS。   如圖11所示,本實例中,TUI的退出流程可以包括:   步驟1101,商家在二維條碼支付設備上按下逸出鍵,TUI Agent發送關閉命令給TOS,或者二維條碼支付設備通過網路接收到來自交易伺服器的指示交易成功的交易狀態資訊後,TUI Agent直接發送關閉命令給TOS。   
步驟1102,TOS接收到關閉命令後,將當前使用的TUI資源資料清除,以釋放該TUI資源資料所佔用的記憶體,並關閉TUI程式;   步驟1103,TUI Agent將已載入到共用記憶體的TUI資源資料清除,以釋放該TUI資源資料在共用記憶體中佔用的空間;   步驟1104,TUI Agent持續監控用戶操作(比如,按鍵),以在被觸發時啟動TUI程式,直到二維條碼支付設備的電源關閉。   需要說明的是,上述圖8至圖11僅為示例,並不用於限制本發明。在其他應用場景下,還可以通過其他方式實現。   本領域普通技術人員可以理解上述方法中的全部或部分步驟可通過程式來指令相關硬體完成,所述程式可以儲存於電腦可讀儲存介質中,如唯讀記憶體、磁片或光碟等。可選地,上述實施例的全部或部分步驟也可以使用一個或多個積體電路來實現。相應地,上述實施例中的各模組/單元可以採用硬體的形式實現,也可以採用軟體功能模組的形式實現。本發明不限制於任何特定形式的硬體和軟體的結合。   當然,本發明還可有其他多種實施例,在不背離本發明精神及其實質的情況下,熟悉本領域的技術人員當可根據本發明作出各種相應的改變和變形,但這些相應的改變和變形都應屬於本發明的申請專利範圍的保護範圍。The technical solution of the present invention will be described in more detail below with reference to the drawings and embodiments. It should be noted that if there is no conflict, the embodiments of the present invention and various features in the embodiments can be combined with each other, which are all within the protection scope of the present invention. In addition, although the logical order is shown in the flowchart, in some cases, the steps shown or described may be performed in a different order than here. In a typical configuration, the client or server computing device may include one or more processors (CPUs), input / output interfaces, network interfaces, and memory. Memory may include non-permanent memory, random access memory (RAM), and / or non-volatile memory in computer-readable media, such as read-only memory (ROM) or flash memory (flash) RAM). Memory is an example of a computer-readable medium. The memory may include module 1, module 2, ..., module N (N is an integer greater than 2). Computer-readable media includes permanent and non-permanent, removable and non-removable storage device media. The storage medium can realize information storage by any method or technology. Information can be computer-readable instructions, data structures, modules of programs, or other data. 
Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), and other types of random access memory (RAM) , Read-only memory (ROM), electrically erasable and programmable read-only memory (EEPROM), flash memory or other memory technologies, read-only disc read-only memory (CD-ROM), digital multi-function Optical discs (DVDs) or other optical storage, magnetic tape cartridges, magnetic tape storage or other magnetic storage devices or any other non-transmitting medium may be used to store information that can be accessed by computing devices. According to the definition in the present invention, computer-readable media does not include non-transitory computer-readable media (such as modulated data signals and carrier waves).终端 The terminal device described in the present invention may be a mobile phone, a tablet computer, a mobile Internet device, a wearable device, or other hardware entities or virtual devices that can deploy a CPU.术语 The terms of the present invention are explained as follows: Trusted Execution Environment (TEE, Trusted Execution Environment): Provides an execution environment that is isolated from REE, and provides code execution protection and data confidentiality and privacy management functions. Rich Execution Environment (REE): An operating environment provided to the rich operating system for execution and management. It is outside the trusted execution environment, and applications executed in that environment are considered untrusted. Rich operating system (ROS, Rich OS): Executed in REE. Compared to the operating system executed in TEE, rich operating system will provide more rich functions. It is more open to the installation and use of applications than trusted operating systems. . 
Trusted operating system (TOS, Trusted OS): executes in the TEE, uses hardware, software, or a combination of both, together with the TEE's security features, to protect the executed code and data, and provides functions such as TA loading, execution, and management.

TUI (Trusted User Interface): provides a trusted user interface in the TEE to protect sensitive information such as passwords and identities from being observed by programs outside the TEE.

TUI Agent: the TUI agent running on the REE side. It is responsible for receiving application requests for the TUI and forwarding them to the TUI, and for loading TUI resource data.

Platform Hardware: a complete system, with hardware and supporting software, that can run a TEE. For example, an ARM CPU supports a TEE through TrustZone technology, and supports switching between the REE and the TEE and the transfer of information between them through matching trusted firmware (ARM Trusted Firmware). An ARM CPU that includes TrustZone and trusted firmware can be an example of Platform Hardware.

Shared memory: memory used by both the REE and the TEE.

REE-side dedicated memory: memory used only under the REE.

TEE protected memory: memory used only under the TEE.

Secure Hash Algorithm (SHA): the national standard FIPS PUB 180 issued by the National Institute of Standards and Technology. The latest standard was updated to FIPS PUB 180-3 in 2008. It specifies the one-way hash algorithms SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. SHA-1, SHA-224, and SHA-256 are suitable for messages up to 2^64 bits in length. SHA-384 and SHA-512 are suitable for messages up to 2^128 bits in length.

Advanced Encryption Standard (AES): AES was published by NIST (National Institute of Standards and Technology) as FIPS PUB 197 on November 26, 2001, and became an effective standard on May 26, 2002. The AES algorithm is a symmetric-key cryptographic algorithm.
AES is an iterative, symmetric-key block cipher that can use 128-, 192-, and 256-bit keys, and that encrypts and decrypts data in 128-bit (16-byte) blocks. IEEE 802.15.4 uses a fixed 128-bit key, denoted AES-128. Both the AES encryption algorithm and the AES decryption algorithm operate by round transformations. The working modes include electronic codebook (ECB) mode, cipher block chaining (CBC) mode, cipher feedback (CFB) mode, output feedback (OFB) mode, and counter (CTR) mode.

RSA (RSA algorithm): an asymmetric encryption algorithm, which is one of the best public-key algorithms in encryption and decryption technology.

FIG. 1 shows a system architecture that supports a TEE in the related art. The system includes the ROS, the TUI Agent, and Trusted Storage under the REE, and the TOS and the TUI under the TEE. Platform Hardware is shared by the ROS and the TOS, and messages and information can be exchanged between the ROS and the TOS. The TUI resource data is stored in the trusted memory, and the TEE decrypts it with the secure storage key (Trusted storage key) to obtain the TUI resource data and provide it to the TUI for use. This method depends on the existence of trusted memory. However, trusted memory requires hardware support, such as the RPMB partition of an embedded multimedia card (eMMC, Embedded Multi Media Card) or hardware-protected on-chip flash. When a terminal device cannot use the relatively expensive eMMC for cost reasons, or cannot provide hardware-protected trusted memory because of a defect in its hardware design, and can only use ordinary external flash, the terminal device cannot provide trusted memory, or lacks it.
In that case, the above scheme is unavailable and the TUI resource data cannot be effectively protected.

To solve the above problem, the present invention proposes the following technical solution, which applies to scenarios in which resource data is needed but no secure storage device is available.

The technical solution of the present invention includes a data processing method, which may include: obtaining encrypted resource data from the REE and providing it to the TEE; decrypting the encrypted resource data in the TEE; and processing the decrypted resource data.

Here, the resource data includes, but is not limited to, TUI resource data. The TUI resource data is used for presenting a TUI, and the method suits scenarios in which TUI resource data is needed but no secure storage device is available. Processing the resource data includes, but is not limited to, presenting the TUI under the TEE. It should be understood that, in the technical solution of the present invention, the resource data may also be of other types, and the corresponding processing is not limited to presenting a TUI. The types of resource data and the ways they are processed depend on the specific application scenario and are not limited by the present invention.

The implementation of the technical solution of the present invention is described in detail below.

Embodiment 1

A method for applying TUI resource data, as shown in FIG. 2, may include:

Step 201: when the start of the TUI is triggered on a non-TUI, obtain encrypted trusted user interface resource data from the REE and provide it to the TEE;

Step 202: decrypt the encrypted TUI resource data in the TEE, and display the TUI based on the decrypted TUI resource data.

In this embodiment, when the TUI needs to be displayed, the encrypted TUI resource data is obtained from the REE and provided to the TEE.
The TEE decrypts it and uses the TUI resource data to display the TUI. In this way, the integrity and confidentiality of the TUI resource data can be guaranteed. Moreover, the TUI resource data can be stored in untrusted memory, which removes the restriction that trusted memory must be used to store TUI resource data, solves the problem that TUI resource data cannot be stored securely on certain terminal devices that cannot provide secure memory, and can effectively reduce the hardware cost of mobile devices that use mobile security technology.

In this embodiment, the method may further include: before obtaining the encrypted trusted user interface resource data from the rich execution environment and providing it to the trusted execution environment, storing the encrypted TUI resource data in the REE. Because this embodiment uses encrypted TUI resource data, the data can be stored in any memory in the REE, that is, in either trusted memory or untrusted memory. The specific type of memory used to store the encrypted TUI resource data can be chosen flexibly according to the needs of the actual application or the hardware configuration of the terminal device.

In one implementation, the encrypted TUI resource data may be stored in an untrusted storage space in the REE to reduce the cost of the memory. In practical applications, this untrusted storage space can also be referred to as a non-secure storage area. Here, the storage space may be a memory or an area within a memory. For example, the encrypted TUI resource data may be stored in flash external to the terminal device.

In this embodiment, the TUI resource data may include fonts, characters, pictures, and the like. The TUI resource data may be TUI static resource data or TUI dynamic resource data.
TUI static resource data can be pre-stored on the terminal device when the application is installed, whereas TUI dynamic resource data needs to be delivered over the network in real time. For TUI static resource data, the encrypted TUI resource data can be stored in the REE in advance when the application is installed. For TUI dynamic resource data, the network side can dynamically send the encrypted TUI resource data to the terminal device, and the terminal device temporarily stores the encrypted TUI resource data in the REE. The method in this embodiment is preferably used for TUI static resource data.

In this embodiment, the start of the trusted user interface may be triggered by a user operation on the untrusted user interface. That is, while the terminal device displays a non-TUI, the user can perform an operation on the non-TUI to trigger the start of the TUI. In practical applications, the operation may be a key operation, a voice operation, a touch operation, or another user operation.

For example, when a user uses an application on a terminal device, the user can first enter the non-TUI of the application. While the non-TUI is displayed, the user can operate on it and trigger a TUI display request. The terminal device performs the switch from the REE to the TEE as indicated by the request. During this switch, the REE can provide the TEE with the encrypted TUI resource data. After the TEE decrypts it, the TUI resource data is used to display the TUI.
In this embodiment, the method may further include: generating the encrypted TUI resource data before obtaining the encrypted trusted user interface resource data from the rich execution environment and providing it to the trusted execution environment. Generating the encrypted TUI resource data may use one of the following methods: 1) generating a TUI resource data package, generating a digital signature of the TUI resource data package using a secure hash algorithm and an asymmetric encryption algorithm, and appending the digital signature to the TUI resource data package to obtain the encrypted TUI resource data; 2) using an AES encryption algorithm to encrypt the TUI resource data directly to generate the encrypted TUI resource data. In practical applications, an appropriate encryption algorithm can be selected to encrypt the TUI resource data according to the requirements of the application environment, to ensure the integrity and confidentiality of the TUI resource data.

In practical applications, the TUI resource data of all user interfaces of one application can be encrypted uniformly: all of this TUI resource data uses the same encryption algorithm and the same key. The TUI resource data of different applications can use different encryption algorithms, or the same encryption algorithm, in which case different keys must be used.

In this embodiment, decrypting the encrypted TUI resource data in the TEE may include: using a preset TUI resource key to decrypt the encrypted TUI resource data. In one implementation, decrypting the encrypted TUI resource data in the TEE may use one of the following methods: 1) using a public key to verify the digital signature of the encrypted TUI resource data; 2) using the AES decryption algorithm to decrypt the encrypted TUI resource data.
In practice, if a digital signature is used to encrypt the TUI resource data, the TEE uses a public key to verify the encrypted TUI resource data. In this case, the preset TUI resource key refers to the public key. If the AES encryption algorithm is used to encrypt the TUI resource data, the TEE uses the corresponding AES decryption algorithm to decrypt the encrypted TUI resource data. In this case, the preset TUI resource key refers to the key of the AES decryption algorithm.

Specifically, the encryption and decryption of the TUI resource data may adopt the following schemes:

1) First use one of SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 to compute a digital digest of the TUI resource data package, then encrypt the digital digest with an asymmetric encryption algorithm (such as the RSA algorithm) to generate a digital signature of the TUI resource data package, and append the digital signature to the TUI resource data package to obtain the encrypted TUI resource data. When the TEE uses the encrypted TUI resource data, it only needs to verify the digital signature with the public key to ensure that the TUI resource data has not been tampered with.

2) Use the AES encryption algorithm in ECB, CBC, CFB, OFB, or CTR mode to encrypt the TUI resource data directly. When the TEE uses the encrypted TUI resource data, it can use the TUI resource data after decrypting it directly with the corresponding AES decryption algorithm.

In actual operation, the application developer can use the resource generation tool to generate the TUI resource data and encrypt it with the above encryption algorithms. The private key involved in encrypting the TUI resource data can be protected by the application developers themselves.
For example, during development, the application developer uses the TUI resource generation tool to generate a TUI resource data package, computes a digital digest of the package with SHA256, and then encrypts the digest with RSA2048 to generate a digital signature for the TUI resource data package. After the digital signature is appended to the TUI resource data package, an encrypted TUI resource data package is obtained. When the application is installed, the encrypted TUI resource data package is stored in the memory of the REE. When the TUI is displayed, the TEE uses the public key to verify the signature of the encrypted TUI resource data package. After the verification passes, the TUI resource data is stored in the protected memory of the TEE and used when displaying the TUI. Here, the TUI resource tool is a tool specifically for manual coding.

For another example, during development, the application developer generates TUI resource data with the TUI resource generation tool and uses the AES CTR algorithm to encrypt the TUI resource data directly, generating an encrypted TUI resource data package. When the application is installed, the encrypted TUI resource data package is stored in the memory of the REE. When the TUI is displayed, after the TEE obtains the encrypted TUI resource data package, it decrypts the package with the key of the AES CTR algorithm and stores the result in the protected memory of the TEE for use when displaying the TUI.

In actual application, how the above application is installed depends on the specific terminal device. It can be preset in the terminal device during the production stage, or it can be downloaded to the terminal device manually by the user over the network. For example, for a two-dimensional barcode payment device, the application is preset during the production stage of the device.
Correspondingly, the encrypted TUI resource data can also be stored in the memory of the two-dimensional barcode payment device in advance during the production stage.

In this embodiment, triggering the start of the TUI on the non-TUI, obtaining the encrypted trusted user interface resource data from the REE, and providing it to the TEE may include: when a user operation on the non-TUI triggers the start of the TUI, loading the encrypted TUI resource data in the REE and sending it to a shared memory; and, in the TEE, copying the encrypted TUI resource data from the shared memory to the protected memory of the TEE.

In one implementation, providing the encrypted TUI resource data to the TEE may include: sending a request for the TUI resource data to the REE through the TUI program; loading the encrypted TUI resource data in the REE based on the request and sending it to the shared memory; and copying the encrypted TUI resource data from the shared memory to the protected memory of the TEE through the TUI program. Here, the request for TUI resource data may carry a TUI identifier; in the REE, the corresponding encrypted TUI resource data is loaded, based on the TUI identifier carried in the request, and sent to the shared memory. In practical applications, the TUI identifier may be a universally unique identifier (UUID) or other similar information.

In actual application, when the application requests to open the TUI, the TUI Agent is opened first, and the application then calls the TUI Agent to send a TUI start command to the TEE. In the TEE, the TUI program is started as required by the TUI start command. At startup, the TUI program sends a request for TUI resource data to the TUI Agent in the REE. The TUI Agent loads the corresponding encrypted TUI resource data into the shared memory based on the request. The TUI program in the TEE reads the encrypted TUI resource data from the shared memory.
After decryption, the TUI resource data is stored in the protected memory on the TEE side and provided to the TUI program for use when presenting the TUI.

In this embodiment, different commands can be used to distinguish the data that the TUI program requests from the REE. In one implementation, the above request for TUI resource data may be expressed as a specified command. For example, CMD = 1 can be defined in advance as the TUI resource data open command. The TUI program in the TEE then sends the command "CMD = 1" to the TUI Agent in the REE, and the TUI Agent, as instructed by the command, loads the corresponding encrypted TUI resource data into the shared memory.

In practical applications, if there are multiple TUI programs on the terminal device, the TUI resource data and the corresponding TUI program can be bound by a TUI identifier (for example, a UUID). Here, the TUI identifier (for example, UUID) of the corresponding TUI program is included in the encrypted TUI resource data. For example, if the TUI_A program needs to load the TUI_A resource data, a request for TUI resource data carrying the UUID of TUI_A may be sent to the TUI Agent. The TUI Agent then uses the UUID carried in the request to search the encrypted TUI resource data stored in the memory for the item whose UUID matches the UUID of TUI_A, and loads the matching encrypted TUI resource data.

In practical applications, the TUI in this embodiment may be of any type. In one implementation, the TUI is preferably a graphical TUI. For example, the TUI may be a TUI containing a merchant's payment two-dimensional barcode. That is, in one implementation of this embodiment, a graphical TUI may be displayed based on the decrypted TUI resource data.
In this embodiment, the method may further include: clearing the TUI resource data in the protected memory of the TEE while the TUI program is exiting or after it has exited. For example, after receiving a close command for the TUI program from the REE side, the TOS in the TEE may clear the TUI resource data in the protected memory of the TEE to release space in the TEE's protected memory. In other words, this embodiment keeps the decrypted TUI resource data in the protected memory on the TEE side while the TUI is displayed, for the entire lifetime of the TUI display, until the user closes the TUI. After the TUI is closed, the decrypted TUI resource data is cleared from the protected memory on the TEE side to release the memory it occupied.

In this embodiment, the method may further include: after the TUI program exits, clearing the encrypted TUI resource data in the shared memory. For example, after the TUI Agent on the REE side issues a close command for the TUI program, the encrypted TUI resource data in the shared memory can be deleted, so that the space it occupies in the shared memory is released promptly. In other words, in this embodiment, while the TUI is displayed, the encrypted TUI resource data is kept in the shared memory on the REE side so that the TEE side can read it at any time. After the TUI is closed, the encrypted TUI resource data can be cleared from the shared memory to release the memory it occupied.

The above method of this embodiment can be implemented by any terminal device capable of providing TEE security capabilities. In particular, it is applicable to terminal devices that cannot provide secure storage but can provide TEE security capabilities, such as low-cost offline two-dimensional barcode payment devices. As shown in FIG.
3, an example system structure is given for a terminal device that cannot provide secure storage but can provide TEE security capabilities and to which the above method of this embodiment is applied; FIG. 4 shows another example of the system architecture of such a terminal device.

As shown in FIG. 5, the above method in this embodiment may be implemented by the following exemplary process:

Step 501: before the TUI resource data is installed on the terminal device, encrypt the TUI resource data with encryption software to generate encrypted TUI resource data (TUI En-Rsc, TUI encrypted resource);

Step 502: when the application is installed, store the encrypted TUI resource data of the application in a memory (for example, untrusted memory) on the REE side of the terminal device;

Step 503: when the TUI needs to be started, the TUI Agent loads the encrypted TUI resource data from the memory on the REE side into the shared memory, so as to provide the loaded encrypted TUI resource data to the TEE side (through the shared memory in the Platform);

Step 504: on the TEE side, after the TUI program obtains the encrypted TUI resource data from the shared memory, it decrypts the data with a preset TUI resource key to obtain the decrypted TUI resource data (TUI De-Rsc, TUI decrypted resource) and stores the decrypted TUI resource data in the protected memory on the TEE side;

Step 505: the TUI program uses the decrypted TUI resource data to display a graphical TUI, so that the user can operate within the secure TEE (for example, entering an account password or ID information).

It should be noted that FIG. 3, FIG. 4, and FIG. 5 above are exemplary implementation forms of the method in this embodiment, and the above method may also be implemented in other ways in other application scenarios.
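The signature variant of Embodiment 1 (SHA-256 digest, RSA-2048 signature, UUID binding, loading through shared memory, copying into protected memory, verification, clearing on exit), as an added example that is not code from the patent. The package layout, the function names, and the seeded pure-Python RSA key are assumptions made so the sketch runs offline; a real TEE would use its own vetted crypto library and a public key provisioned by the developer.

```python
import hashlib, hmac, random, struct, uuid

# Assumed layout (not from the patent): magic | 16-byte UUID | payload length | payload | signature
MAGIC, HDR, SIG_LEN, E = b"TUIR", struct.Struct(">4s16sI"), 256, 65537
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _is_prime(n, rng, rounds=24):
    if any(n % p == 0 for p in (3, 5, 7, 11, 13, 17, 19, 23, 29, 31)):  # cheap trial division
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                      # Miller-Rabin
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_demo_key(seed=2018):
    """Constructed RSA-2048 key (n, d) for this demo; seeded, so never use it for real data."""
    rng = random.Random(seed)
    def prime():
        while True:
            c = rng.getrandbits(1024) | (3 << 1022) | 1   # 1024 bits, odd
            if (c - 1) % E and _is_prime(c, rng):         # E is prime, so E stays invertible
                return c
    p, q = prime(), prime()
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def _emsa(message):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), padded to the modulus length."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (SIG_LEN - len(t) - 3) + b"\x00" + t

def sign(message, n, d):
    return pow(int.from_bytes(_emsa(message), "big"), d, n).to_bytes(SIG_LEN, "big")

def verify(message, sig, n):
    s = int.from_bytes(sig, "big")
    if len(sig) != SIG_LEN or s >= n:
        return False
    return hmac.compare_digest(pow(s, E, n).to_bytes(SIG_LEN, "big"), _emsa(message))

def build_package(tui_id, payload, n, d):
    """Developer tool (step 501): sign header + payload so the UUID is bound to the data."""
    body = HDR.pack(MAGIC, tui_id.bytes, len(payload)) + payload
    return body + sign(body, n, d)

def agent_load(store, tui_id):
    """TUI Agent in the REE (step 503): load the package whose UUID matches into shared memory."""
    for pkg in store:
        if pkg[4:20] == tui_id.bytes:
            return bytearray(pkg)            # stands in for the shared-memory buffer
    raise LookupError("no package for this TUI")

def tee_open(shared, tui_id, n):
    """TUI program in the TEE (step 504): copy first, then check only the private copy."""
    private = bytes(shared)                  # "protected memory": the REE cannot alter it now
    if len(private) < HDR.size + SIG_LEN:
        raise ValueError("truncated package")
    body, sig = private[:-SIG_LEN], private[-SIG_LEN:]
    magic, raw_id, length = HDR.unpack_from(body)
    if magic != MAGIC or length != len(body) - HDR.size:
        raise ValueError("malformed header")
    if not verify(body, sig, n):
        raise ValueError("signature check failed")
    if raw_id != tui_id.bytes:               # signed, but issued for a different TUI program
        raise ValueError("package belongs to another TUI")
    return body[HDR.size:]

def outcome(shared, tui_id, n):
    try:
        return tee_open(shared, tui_id, n)
    except ValueError as exc:
        return str(exc)

def demo():
    n, d = make_demo_key()
    tui_a, tui_b = uuid.UUID(int=0xA), uuid.UUID(int=0xB)        # constructed identifiers
    store = [build_package(tui_b, b"layout for TUI_B", n, d),    # REE-side flash contents
             build_package(tui_a, b"font + QR bitmap for TUI_A", n, d)]
    shared = agent_load(store, tui_a)
    result = {"ok": outcome(shared, tui_a, n)}
    flipped = bytearray(shared)
    flipped[HDR.size] ^= 0x01                                    # one payload bit changed
    result["tampered"] = outcome(flipped, tui_a, n)
    result["swapped"] = outcome(bytearray(store[0]), tui_a, n)   # valid signature, TUI_B's data
    shared[:] = bytes(len(shared))                               # exit path: wipe shared memory
    result["wiped"] = not any(shared)
    return result

if __name__ == "__main__":
    print(demo())
```

A signature by itself leaves the resource bytes readable in REE storage; the AES option described in the text addresses that and is not shown here.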
Embodiment 2

This embodiment provides a TUI resource data application device, which may include a providing module and a processing module. The providing module can be used to obtain encrypted resource data from the REE and provide it to the TEE; the processing module can be used to decrypt the encrypted resource data in the TEE and to process the decrypted resource data. The processing module includes, but is not limited to, the TUI module described below.

Specifically, as shown in FIG. 6, the TUI resource data application device in this embodiment may include: a providing module 62, for obtaining the encrypted trusted user interface resource data from the REE and providing it to the TEE when the start of the TUI is triggered on a non-TUI; and a TUI module 63, for decrypting the encrypted TUI resource data in the TEE and displaying the TUI based on the decrypted TUI resource data.

The above application device of this embodiment may further include: a generating module 64 for generating the encrypted TUI resource data in one of the following ways: 1) generating a TUI resource data package, generating a digital signature of the TUI resource data package using a secure hash algorithm and an asymmetric encryption algorithm, and appending the digital signature to the TUI resource data package to obtain the encrypted TUI resource data; 2) using the Advanced Encryption Standard (AES) encryption algorithm to encrypt the TUI resource data directly to generate the encrypted TUI resource data.

The above application device of this embodiment may further include: a storage module 61 provided in the REE, for storing the encrypted TUI resource data. In one implementation, the storage module 61 may be an untrusted storage space in the REE.
In the above application device of this embodiment, the providing module 62 may be used to load the encrypted TUI resource data in the REE and send it to the shared memory when a user operation on the non-TUI triggers the start of the TUI. The TUI module may be used to copy the encrypted TUI resource data from the shared memory into the protected memory of the TEE.

In practical applications, the above application device of this embodiment may be set in, or implemented as, any terminal device capable of providing TEE security capabilities. In particular, it may be provided in, or implemented as, a terminal device that cannot provide secure storage but can provide TEE security capabilities. For example, the above application device of this embodiment may be provided in a low-cost offline two-dimensional barcode payment device.

It should be noted that, in the above application device of this embodiment, the storage module 61 provided in the REE, the providing module 62, the TUI module 63, and the generating module 64 may each be software, hardware, or a combination of the two. In one implementation, the storage module 61 provided in the REE may be embodied as an untrusted memory or an untrusted storage area of the terminal device, the providing module 62 may be embodied as the TUI Agent on the REE side of the terminal device, the TUI module 63 may be embodied as the TUI program on the TEE side of the terminal device, and the generating module 64 may be embodied as a device external to the terminal device. The external device can be any type of device that supports a TUI resource generation tool and encryption algorithms (for example, AES algorithms or digital-signature-related encryption algorithms).

Embodiment 3

An application device for TUI resource data, as shown in FIG.
7, may include: a display 71; a memory 72 storing a computer program; and a processor 73 configured to read the computer program to perform the operations of the method for applying trusted user interface resource data of Embodiment 1.

Here, the processor 73 may be configured to read the computer program to perform the following operations: obtaining the encrypted resource data from the REE and providing it to the TEE; decrypting the encrypted resource data in the TEE; and processing the decrypted resource data. Specifically, the processor 73 is configured to read the computer program to execute steps 201 to 202 of Embodiment 1.

For other technical details of the TUI resource data application device in this embodiment, refer to the method section above.

In practical applications, the TUI resource data application device shown in FIG. 7 can be implemented by any terminal device capable of providing TEE security capabilities.

It should be noted that the TUI resource data application device shown in FIG. 7 may include other components in addition to the above memory and processor. For example, it may also include data memory (for example, untrusted memory) for storing user data; a communication circuit for communicating with external devices; a bus for coupling the various parts; or an audio output component (such as a speaker) that outputs TUI-related audio. In addition, the TUI resource data application device may further include other components.

Embodiment 4

This embodiment also provides a computer-readable storage medium.
The computer-readable storage medium stores a computer program. When the computer program is executed by a processor, the steps of the method for applying the TUI resource data are implemented.

Here, the steps implemented when the computer program is executed by the processor include: obtaining the encrypted resource data from the REE and providing it to the TEE; decrypting the encrypted resource data in the TEE; and processing the decrypted resource data. Specifically, when the computer program is executed by the processor, steps 201 to 202 of Embodiment 1 can be implemented.

For other technical details of this embodiment, refer to Embodiment 1.

Exemplary implementations of the foregoing embodiments are described in detail below. It should be noted that the following examples can be combined with each other. The flows and execution processes in the examples below can also be adjusted according to the needs of actual applications. In addition, in actual applications, the foregoing embodiments may have other implementations.

Example 1

In practical applications there are low-cost terminal devices, such as offline two-dimensional barcode payment devices, that can display a payment two-dimensional barcode but cannot provide secure storage. Therefore, when such a device needs to provide a TUI function, the solution of this embodiment is needed to protect the security of the TUI resource data.

In this example, a low-cost offline two-dimensional barcode payment device is taken as an example to describe specific implementations of the embodiments of the present invention.

FIG. 8 is an example diagram of the application environment of the two-dimensional barcode payment device and its internal system architecture.
In this example, the two-dimensional barcode payment device can display a merchant's payment two-dimensional barcode, and the buyer can scan the two-dimensional barcode displayed by the device with a mobile phone to complete the payment. The two-dimensional barcode displayed by the payment device must be secure and must not be replaceable. Therefore, relying on its ability to provide a TEE, the device displays the two-dimensional barcode through the TUI to protect the security of the two-dimensional barcode.

As shown in FIG. 9, the process by which the two-dimensional barcode payment device displays the two-dimensional barcode through the TUI may include:

Step 901: the merchant presses the power key to start the device, and when the device starts, the two-dimensional barcode payment application calls the TUI Agent. The two-dimensional barcode payment application is mainly responsible for obtaining the merchant's payment two-dimensional barcode information, uploading transaction information, obtaining transaction status information, and calling the TUI Agent to complete TUI display and interaction.

Step 902: while a non-TUI interface is displayed, the merchant presses the confirmation key to trigger the TUI Agent to send a TUI start command, and the TUI start command is delivered to the TOS by the ROS driver calling the Platform Hardware service.

Step 903: after receiving the TUI start command, the TOS starts the TUI program, and a request for the TUI resource data is sent to the TUI Agent to obtain the encrypted resource data.

Step 904: after receiving the request for the TUI resource data, the TUI Agent opens the encrypted TUI resource data stored in the untrusted memory of the REE and loads it into the shared memory. Here, the TUI Agent can also download encrypted TUI resource data from the network into the shared memory.
Step 905, the TUI program copies the encrypted TUI resource data in the shared memory to the protected memory of the TEE, and uses the pre-stored TUI resource key to decrypt the encrypted TUI resource data and decrypt the TUI after decryption. Resources are stored in TEE's protected memory. (Step 906) The TUI program reads the decrypted TUI resource data from the protected memory of the TEE, uses the TUI resource data to generate a TUI containing the payment two-dimensional barcode of the merchant, and displays the TUI. As shown in FIG. 10, an example diagram of displaying the TUI for a two-dimensional barcode payment device. In actual application, after the buyer scans the code through the mobile phone and completes the payment, the merchant can press the escape button to exit the TUI, or after the buyer scans the code and completes, the transaction server uses the network to pay for the two-dimensional barcode application on the terminal device The program issues transaction success information, and the 2D barcode payment application calls the TUI Agent to initiate the TUI exit process. Actively initiate a TUI close command to TOS. As shown in FIG. 11, in this example, the TUI exit process may include: Step 1101, the merchant presses the escape key on the two-dimensional barcode payment device, the TUI Agent sends a shutdown command to the TOS, or the two-dimensional barcode payment device passes the network. After receiving the transaction status information from the transaction server indicating that the transaction was successful, TUI Agent directly sends a close command to TOS. In step 1102, after receiving the shutdown command, the TOS clears the currently used TUI resource data to release the memory occupied by the TUI resource data and closes the TUI program. Step 1103, the TUI Agent loads the data into the shared memory. 
The TUI resource data is cleared to release the space occupied by the TUI resource data in the shared memory; Step 1104, the TUI Agent continuously monitors user operations (such as pressing keys) to start the TUI program when triggered until the two-dimensional barcode payment device Power off. It should be noted that the above FIG. 8 to FIG. 11 are merely examples and are not used to limit the present invention. In other application scenarios, it can also be implemented in other ways.普通 Those of ordinary skill in the art can understand that all or part of the steps in the above method can be completed by a program instructing related hardware, and the program can be stored in a computer-readable storage medium, such as a read-only memory, a magnetic disk, or an optical disc. Optionally, all or part of the steps in the above embodiments may also be implemented using one or more integrated circuits. Correspondingly, each module / unit in the above embodiments may be implemented in the form of hardware, or may be implemented in the form of software functional modules. The invention is not limited to any specific form of combination of hardware and software. Of course, the present invention may have various other embodiments. Without departing from the spirit and essence of the present invention, those skilled in the art can make various corresponding changes and modifications according to the present invention, but these corresponding changes and All the deformations should belong to the protection scope of the patent application scope of the present invention.
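The load, copy, check, display and clear sequence of steps 904 to 906 and 1102 to 1103 is modelled below in Python as an added example; it is not code from the patent. The class and function names, the 256-byte shared buffer and the sample key and payload are assumptions constructed for illustration, and an HMAC-SHA-256 tag appended after the package stands in for the signature verification or AES decryption the patent describes, because the Python standard library provides neither RSA nor AES.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32-byte tag appended after the package
DEMO_KEY = b"constructed-demo-key-not-for-use"  # constructed sample value
DEMO_RESOURCE = b"constructed merchant QR payload"  # constructed sample value


def build_package(resource: bytes, key: bytes) -> bytes:
    """Provisioning side: resource package followed by its authentication tag."""
    return resource + hmac.new(key, resource, hashlib.sha256).digest()


def wipe(buf: bytearray) -> None:
    """Overwrite a buffer in place so no resource bytes remain in it."""
    buf[:] = bytes(len(buf))


class SharedMemory:
    """Buffer visible to both worlds; the REE can rewrite it at any time."""

    def __init__(self, size: int) -> None:
        self.buf, self.used = bytearray(size), 0

    def load(self, blob: bytes) -> None:  # step 904, TUI Agent in the REE
        if len(blob) > len(self.buf):
            raise ValueError("package larger than shared memory")
        self.buf[:len(blob)] = blob
        self.used = len(blob)

    def clear(self) -> None:  # step 1103, TUI Agent in the REE
        wipe(self.buf)
        self.used = 0


class TuiProgram:
    """TEE side: holds the pre-stored resource key and the protected memory."""

    def __init__(self, resource_key: bytes) -> None:
        self.key, self.protected = resource_key, bytearray()

    def start(self, shm: SharedMemory) -> None:  # step 905
        # Copy first: all later reads use this private snapshot, so a rewrite
        # of shared memory after the check cannot change what is displayed.
        snapshot = bytearray(shm.buf[:shm.used])
        body, tag = snapshot[:-TAG_LEN], bytes(snapshot[-TAG_LEN:])
        wipe(snapshot)
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if len(tag) != TAG_LEN or not hmac.compare_digest(expected, tag):
            wipe(body)
            raise ValueError("TUI resource package failed verification")
        self.protected = body

    def render(self) -> bytes:  # step 906
        if not self.protected:
            raise RuntimeError("TUI not started")
        return bytes(self.protected)

    def close(self) -> None:  # step 1102
        wipe(self.protected)
        self.protected = bytearray()


def demo() -> bytes:
    shm = SharedMemory(256)
    shm.load(build_package(DEMO_RESOURCE, DEMO_KEY))
    tui = TuiProgram(DEMO_KEY)
    tui.start(shm)
    shm.buf[0] ^= 0xFF  # REE-side change after the copy has no effect
    shown = tui.render()
    tui.close()
    shm.clear()
    return shown
```

A package altered before the copy fails the check in `start()` and nothing is kept in protected memory; a change made to shared memory after the copy does not reach the displayed data.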

201-202‧‧‧Steps
501-505‧‧‧Steps
61‧‧‧Storage module
62‧‧‧Providing module
63‧‧‧TUI module
64‧‧‧Generating module
71‧‧‧Display
72‧‧‧Memory
73‧‧‧Processor
901-906‧‧‧Steps
1101-1104‧‧‧Steps

FIG. 1 is a schematic diagram of a system architecture in the related art;
FIG. 2 is a schematic flowchart of the TUI resource data application method in Embodiment 1;
FIG. 3 is an example diagram of a system structure to which the TUI resource data application method in Embodiment 1 is applicable;
FIG. 4 is an example diagram of another system structure to which the TUI resource data application method in Embodiment 1 is applicable;
FIG. 5 is an exemplary flowchart of a TUI resource data application method of the embodiment;
FIG. 6 is a schematic structural diagram of the TUI resource data application apparatus in Embodiment 2;
FIG. 7 is a schematic structural diagram of the TUI resource data application apparatus in Embodiment 3;
FIG. 8 is a schematic diagram of the application environment and internal system architecture of the two-dimensional barcode payment device in Example 1;
FIG. 9 is a schematic flowchart of the two-dimensional barcode payment device in Example 1 displaying the two-dimensional barcode through the TUI;
FIG. 10 is an example diagram of the TUI displayed by the two-dimensional barcode payment device in Example 1;
FIG. 11 is a schematic flowchart of the two-dimensional barcode payment device in Example 1 exiting the TUI.

Claims (19)

1. A method for applying trusted user interface resource data, comprising: triggering startup of a trusted user interface on an untrusted user interface, obtaining encrypted trusted user interface resource data from a rich execution environment, and providing it to a trusted execution environment; and decrypting the encrypted trusted user interface resource data in the trusted execution environment, and displaying the trusted user interface based on the decrypted trusted user interface resource data.

2. The application method according to claim 1, further comprising: generating the encrypted trusted user interface resource data before it is obtained from the rich execution environment and provided to the trusted execution environment; wherein generating the encrypted trusted user interface resource data comprises one of the following: generating a trusted user interface resource data package, generating a digital signature of the trusted user interface resource data package using a secure hash algorithm and an asymmetric encryption algorithm, and appending the digital signature after the trusted user interface resource data package to obtain the encrypted trusted user interface resource data; or encrypting the trusted user interface resource data directly using the Advanced Encryption Standard (AES) encryption algorithm to generate the encrypted trusted user interface resource data.

3. The application method according to claim 1, wherein decrypting the encrypted trusted user interface resource data in the trusted execution environment comprises: decrypting the encrypted trusted user interface resource data using a preset trusted user interface resource key.

4. The application method according to claim 3, wherein decrypting the encrypted trusted user interface resource data in the trusted execution environment comprises one of the following: verifying the digital signature of the encrypted trusted user interface resource data using a public key; or decrypting the encrypted trusted user interface resource data using the AES decryption algorithm.

5. The application method according to claim 1, further comprising: storing the encrypted trusted user interface resource data in the rich execution environment before it is obtained from the rich execution environment and provided to the trusted execution environment.

6. The application method according to claim 5, wherein storing the encrypted trusted user interface resource data in the rich execution environment comprises: storing the encrypted trusted user interface resource data in untrusted storage space in the rich execution environment.

7. The application method according to any one of claims 1 to 6, wherein triggering startup of the trusted user interface on the untrusted user interface, obtaining the encrypted trusted user interface resource data from the rich execution environment, and providing it to the trusted execution environment comprises: when a user operation on the untrusted user interface triggers startup of the trusted user interface, loading the encrypted trusted user interface resource data in the rich execution environment and sending it to shared memory; and, in the trusted execution environment, copying the encrypted trusted user interface resource data from the shared memory to protected memory of the trusted execution environment.

8. The application method according to claim 7, wherein obtaining the encrypted trusted user interface resource data from the rich execution environment and providing it to the trusted execution environment comprises: sending, by a trusted user interface program, a request for trusted user interface resource data to the rich execution environment, and, based on the request, loading the encrypted trusted user interface resource data in the rich execution environment and sending it to the shared memory; and copying, by the trusted user interface program, the encrypted trusted user interface resource data from the shared memory to the protected memory of the trusted execution environment.

9. The application method according to claim 8, wherein: the request for trusted user interface resource data carries a trusted user interface identifier; and, in the rich execution environment, the corresponding encrypted trusted user interface resource data is loaded based on the trusted user interface identifier carried in the request and sent to the shared memory.

10. The application method according to claim 7, further comprising: clearing the trusted user interface resource data in the protected memory of the trusted execution environment while the trusted user interface program is exiting or after it has exited.

11. The application method according to claim 7, further comprising: clearing the encrypted trusted user interface resource data in the shared memory after the trusted user interface program exits.

12. The application method according to claim 1, wherein displaying the trusted user interface based on the decrypted trusted user interface resource data comprises: displaying a graphical trusted user interface based on the decrypted trusted user interface resource data.

13. An apparatus for applying trusted user interface resource data, characterized by comprising: a providing module, configured to trigger startup of a trusted user interface on an untrusted user interface, obtain encrypted trusted user interface resource data from a rich execution environment, and provide it to a trusted execution environment; and a trusted user interface module, configured to decrypt the encrypted trusted user interface resource data in the trusted execution environment and display the trusted user interface based on the decrypted trusted user interface resource data.

14. The application apparatus according to claim 13, further comprising: a generating module, configured to generate the encrypted trusted user interface resource data by one of the following: generating a trusted user interface resource data package, generating a digital signature of the trusted user interface resource data package using a secure hash algorithm and an asymmetric encryption algorithm, and appending the digital signature after the trusted user interface resource data package to obtain the encrypted trusted user interface resource data; or encrypting the trusted user interface resource data directly using the Advanced Encryption Standard (AES) encryption algorithm to generate the encrypted trusted user interface resource data.

15. The application apparatus according to claim 13, wherein: the providing module is configured to, when a user operation on the untrusted user interface triggers startup of the trusted user interface, load the encrypted trusted user interface resource data in the rich execution environment and send it to shared memory; and the trusted user interface module is configured to copy the encrypted trusted user interface resource data from the shared memory to protected memory of the trusted execution environment.

16. The application apparatus according to claim 13, further comprising: a storage module arranged in the rich execution environment, configured to store the encrypted trusted user interface resource data.

17. An apparatus for applying trusted user interface resource data, characterized by comprising: a display; a memory storing a computer program; and a processor configured to read the computer program to perform the operations of the method for applying trusted user interface resource data according to any one of claims 1 to 12.

18. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, and the computer program, when executed by a processor, implements the steps of the method for applying trusted user interface resource data according to any one of claims 1 to 12.

19. A data processing method, comprising: obtaining encrypted resource data from a rich execution environment and providing it to a trusted execution environment; decrypting the encrypted resource data in the trusted execution environment; and processing the decrypted resource data.
TW107134281A 2017-11-29 2018-09-28 Data processing method, and application method and apparatus of trusted user interface resource data TW201939345A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201711230388.4A CN109840436A (en) 2017-11-29 2017-11-29 The application method and device of data processing method, trusted user interface resource data

Publications (1)

Publication Number Publication Date
TW201939345A true TW201939345A (en) 2019-10-01

Family

ID=66664700

Family Applications (1)

Application Number Title Priority Date Filing Date
TW107134281A TW201939345A (en) 2017-11-29 2018-09-28 Data processing method, and application method and apparatus of trusted user interface resource data

Country Status (3)

Country Link
CN (1) CN109840436A (en)
TW (1) TW201939345A (en)
WO (1) WO2019105290A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI694701B (en) * 2018-06-19 2020-05-21 大陸商中國銀聯股份有限公司 Separate switching method and system based on TEE and REE

Families Citing this family (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110442463B (en) * 2019-07-16 2020-07-07 阿里巴巴集团控股有限公司 Data transmission method and device in TEE system
CN110399235B (en) 2019-07-16 2020-07-28 阿里巴巴集团控股有限公司 Multithreading data transmission method and device in TEE system
CN110442462B (en) 2019-07-16 2020-07-28 阿里巴巴集团控股有限公司 Multithreading data transmission method and device in TEE system
US10699015B1 (en) 2020-01-10 2020-06-30 Alibaba Group Holding Limited Method and apparatus for data transmission in a tee system
CN112422487A (en) * 2019-08-23 2021-02-26 北京小米移动软件有限公司 Data transmission method, device, system and computer readable storage medium
CN112612849A (en) 2020-07-24 2021-04-06 支付宝(杭州)信息技术有限公司 Data processing method, device, equipment and medium
CN111741036B (en) 2020-08-28 2020-12-18 支付宝(杭州)信息技术有限公司 Trusted data transmission method, device and equipment
CN113657960A (en) 2020-08-28 2021-11-16 支付宝(杭州)信息技术有限公司 Matching method, device and equipment based on trusted asset data
CN111814172A (en) 2020-08-28 2020-10-23 支付宝(杭州)信息技术有限公司 Method, device and equipment for acquiring data authorization information
CN111818094B (en) 2020-08-28 2021-01-05 支付宝(杭州)信息技术有限公司 Identity registration method, device and equipment
CN115033919A (en) 2020-09-04 2022-09-09 支付宝(杭州)信息技术有限公司 Data acquisition method, device and equipment based on trusted equipment
CN111814196B (en) 2020-09-04 2021-01-05 支付宝(杭州)信息技术有限公司 Data processing method, device and equipment
CN113434849A (en) 2020-09-04 2021-09-24 支付宝(杭州)信息技术有限公司 Data management method, device and equipment based on trusted hardware
CN111930846B (en) 2020-09-15 2021-02-23 支付宝(杭州)信息技术有限公司 Data processing method, device and equipment
CN113012008B (en) 2020-09-15 2022-06-03 支付宝(杭州)信息技术有限公司 Identity management method, device and equipment based on trusted hardware
CN113255005A (en) 2020-09-15 2021-08-13 支付宝(杭州)信息技术有限公司 Block chain-based data asset transfer method, device and equipment
CN112286562B (en) * 2020-10-28 2021-09-10 飞腾信息技术有限公司 Debugging updating method and system for trusted operating system
CN112434306B (en) * 2020-12-11 2024-04-16 中国科学院信息工程研究所 Trusted measurement method, device, system, electronic equipment and storage medium
CN117744068A (en) * 2022-07-29 2024-03-22 荣耀终端有限公司 Trusted user interface display method, trusted user interface display equipment and storage medium
CN115174125A (en) * 2022-09-07 2022-10-11 北京笔新互联网科技有限公司 Method and device for acquiring trusted true random number in trusted execution environment
CN116382896B (en) * 2023-02-27 2023-12-19 荣耀终端有限公司 Calling method of image processing algorithm, terminal equipment, medium and product

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8447699B2 (en) * 2009-10-13 2013-05-21 Qualcomm Incorporated Global secure service provider directory
CN103491080A (en) * 2013-09-12 2014-01-01 深圳市文鼎创数据科技有限公司 Information safety protecting method and system
CN105812332A (en) * 2014-12-31 2016-07-27 北京握奇智能科技有限公司 Data protection method
CN104581214B (en) * 2015-01-28 2018-09-11 三星电子(中国)研发中心 Multimedia content guard method based on ARM TrustZone systems and device
US20160234176A1 (en) * 2015-02-06 2016-08-11 Samsung Electronics Co., Ltd. Electronic device and data transmission method thereof
CN106200891B (en) * 2015-05-08 2019-09-06 阿里巴巴集团控股有限公司 Show the method, apparatus and system of user interface
CN106997439B (en) * 2017-04-01 2020-06-19 北京元心科技有限公司 TrustZone-based data encryption and decryption method and device and terminal equipment
CN106990972B (en) * 2017-04-13 2021-04-02 沈阳微可信科技有限公司 Method and device for operating a trusted user interface


Also Published As

Publication number Publication date
WO2019105290A1 (en) 2019-06-06
CN109840436A (en) 2019-06-04
