TWI636373B - Method and device for authorizing between devices - Google Patents

Method and device for authorizing between devices

Publication number: TWI636373B
Authority: TW (Taiwan)
Prior art keywords: authorization information, authorization, encrypted, tee, ree
Application number: TW105137495A
Other languages: Chinese (zh)
Other versions: TW201719476A (en)
Inventors: 李定洲, 周鈺, 郭偉, 陳成錢, 嚴翔翔, 曾望年
Original assignee: 中國銀聯股份有限公司
Application filed by 中國銀聯股份有限公司
Publication of TW201719476A
Application granted
Publication of TWI636373B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40: Network security protocols
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

A method and apparatus for authorizing between devices. The method includes an authorization process comprising: generating and encrypting authorization information on the TEE side of a first device; transmitting the encrypted authorization information to a second device on the REE side of the first device; receiving the encrypted authorization information on the REE side of the second device; decrypting and verifying the encrypted authorization information on the TEE side of the second device; and storing the authorization information on the second device.

Description

Method and device for authorizing between devices

Embodiments of the present invention relate to methods and apparatus for authorizing between devices.

An authorizing device grants authorization to an authorized device, so that the authorized device can act on behalf of the authorizing device to carry out the authorized operations, for example performing functions specified by the authorizing device or obtaining resources specified by the authorizing device.

At present, the authorizing device authorizes the authorized device through a server. Because the authorization process involves the server, the authorizing device must send a request to the server before authorizing, and the server then pushes the authorization information to the authorized device. This lowers authorization efficiency and leads to higher cost. On the other hand, because the authorization process involves the server, the authorization information must travel over the network, which lowers the security of the authorization, and it also requires the authorized device to be online in order to receive the pushed authorization information. In addition, an insecure operating system on the authorizing device also puts the authorization information at risk.

A method of authorizing between devices, the method including an authorization process that comprises: generating and encrypting authorization information on the TEE side of a first device; transmitting the encrypted authorization information to a second device on the REE side of the first device; receiving the encrypted authorization information on the REE side of the second device; decrypting and verifying the encrypted authorization information on the TEE side of the second device; and storing the authorization information on the second device.

An apparatus for authorizing between devices, including an authorization process apparatus, the authorization apparatus comprising: means for generating and encrypting authorization information on the TEE side of a first device; means for transmitting the encrypted authorization information to a second device on the REE side of the first device; means for receiving the encrypted authorization information on the REE side of the second device; means for decrypting and verifying the encrypted authorization information on the TEE side of the second device; and means for storing the authorization information on the second device.

The advantages of the present invention include: authorization between devices is not limited to authentication between a networked device and a server; the security of the transmission and local storage of device authorization information is ensured by incorporating the TEE security solution; and the traditional server authentication mode is still supported.

Other features and advantages of embodiments of the present invention will also be understood when the following description is read in conjunction with the drawings, which illustrate by way of example the principles of embodiments of the invention.

201, 202, 203, 204, 205, 206, 207, 208, 209, 301, 302, 303, 304, 305, 306: steps

Figure 1 is a schematic diagram of authorization between devices according to an embodiment of the present invention.

Figure 2 is a flowchart of authorization between devices according to an embodiment of the present invention.

Figure 3 is a flowchart of authorization between devices according to an embodiment of the present invention.

In the following, the principles of the present invention are described with reference to embodiments. It should be understood that the embodiments are given only so that those skilled in the art can better understand and practice the invention, not to limit its scope. For example, the many specific implementation details contained in this specification should not be construed as limitations on the scope of the invention or of what may be claimed, but rather as descriptions specific to particular embodiments. For example, features described in the context of separate embodiments may be combined and implemented in a single embodiment. Features described in the context of a single embodiment may also be implemented in multiple embodiments.

Figure 1 is a schematic diagram of authorization between devices according to an embodiment of the present invention. Figure 1 shows an authorizing device, an authorized device, and a server. In this embodiment, the server is optional. The authorization process and the execution of authorized operations can be completed solely through interaction between the authorizing device and the authorized device. The authorizing device and the authorized device can each run under a Trusted Execution Environment (TEE) and a Rich Execution Environment (REE). TEE technology provides smart terminals such as mobile communication terminals with an operating system protected by hardware isolation. The TEE is independent of the REE (for example, the Android operating system) and runs security-related applications. Security-sensitive operations on the smart terminal are executed in the TEE, while applications other than security applications are executed in the REE. As shown in the figure, the authorizing device and the authorized device each have a trusted storage unit, an authorization information verification unit, and an authorization information generation unit in the TEE, and a TEE proxy unit in the REE.

In the authorizing device, the authorization information generation unit can generate authorization information according to the user's instruction. The authorization information may include the authorized operation, a time, a place, or a device ID. In one example, the authorization information may include the time and place at which the authorization information was generated. In another example, the authorization information may further restrict the authorized operation, for example the time and place at which the authorized operation may be sent. The authorization information verification unit verifies authorization information. The trusted storage unit securely stores authorization information under the TEE. The TEE proxy unit, which sits in the REE, assists the transfer of information to and from the authorized device. The TEE proxy unit can communicate with the TEE proxy unit in the REE of the authorized device using, for example, a mobile network, Bluetooth, infrared, or near field communication. It will be understood that the authorized device may also include similar units so that it can play the role of an authorizing device.

In Figure 1, the optional server may include an authorization information verification unit, which provides supplementary verification of authorization information when the authorized device and the authorizing device cannot complete point-to-point communication.

In one example, the authorizing device sends authorization information that was encrypted under the TEE to the authorized device through the TEE proxy unit in the REE. The authorized device receives the encrypted authorization information through its TEE proxy unit in the REE, and decrypts and verifies the authorization information under the TEE. Authorization information that has been decrypted and has passed verification is stored in the trusted storage unit of the authorized device. After that, the authorized device can perform the authorized operations on behalf of the authorizing device according to the authorization information. In this way, the efficiency of authorization and proxying between devices can be improved while security is preserved.

Figure 2 is a flowchart of authorization between devices according to an embodiment of the present invention. This embodiment shows the authorization process of the method of authorizing between devices. The authorization process includes:
Step 201: generate and encrypt authorization information on the TEE side of the first device;
Step 202: transmit the encrypted authorization information to the second device on the REE side of the first device;
Step 203: this step is optional; it determines whether to back up the authorization information to the server;
when step 203 determines that the authorization information is not to be backed up to the server, proceed to step 204: receive the encrypted authorization information on the REE side of the second device;
Step 205: decrypt and verify the encrypted authorization information on the TEE side of the second device;
Step 206: store the authorization information on the second device; at this point the first device, as the authorizing device, has completed the authorization of the second device, as the authorized device;
when step 203 determines that the authorization information is to be backed up to the server, proceed to step 207: send the encrypted authorization information from the first device to the server and store it there;
Step 208: decrypt and verify the encrypted authorization information at the server;
Step 209: store the verified authorization information at the server, which completes the backup of the authorization information on the server.

In one example, the authorization information is signed with a private key on the TEE side of the first device, and the encrypted authorization information is decrypted and verified with a public key on the TEE side of the second device.

In one example, the authorization information includes the authorized operation, and further includes one or more of the following: the time, the place, and the device ID for performing the authorized operation.
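The Figure 2 flow with the signing example above, as an added example in Go that is not part of the patent text: the first device's TEE signs a grant carrying the operation, device ID and validity window, and the second device's TEE checks all of them before storing it. Ed25519, the wire format and every type and function name are assumptions made for illustration, and the encryption layer the description also mentions is left out.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Grant is the authorization information: the authorized operation plus the
// device ID and time limits. The field layout is assumed for this example.
type Grant struct {
	Operation string    `json:"op"`
	DeviceID  string    `json:"device_id"` // device allowed to act as proxy
	NotBefore time.Time `json:"nbf"`
	NotAfter  time.Time `json:"exp"`
}

var (
	ErrSignature = errors.New("signature check failed")
	ErrDevice    = errors.New("grant is bound to another device")
	ErrWindow    = errors.New("grant is outside its validity window")
)

// GrantorTEE models the first device's TEE; the private key stays inside it.
type GrantorTEE struct{ priv ed25519.PrivateKey }

// GranteeTEE models the second device's TEE: the pinned grantor key, its own
// device ID, and trusted storage for grants that passed verification.
type GranteeTEE struct {
	GrantorPub ed25519.PublicKey
	DeviceID   string
	Store      []Grant
}

// NewPair provisions both TEEs. Ed25519 and the way the public key reaches
// the grantee are assumptions; the page names neither.
func NewPair(granteeID string) (*GrantorTEE, *GranteeTEE, error) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		return nil, nil, err
	}
	return &GrantorTEE{priv: priv}, &GranteeTEE{GrantorPub: pub, DeviceID: granteeID}, nil
}

// Issue is step 201. Assumed wire format: 64-byte signature, then JSON grant.
func (t *GrantorTEE) Issue(g Grant) ([]byte, error) {
	payload, err := json.Marshal(g)
	if err != nil {
		return nil, err
	}
	return append(ed25519.Sign(t.priv, payload), payload...), nil
}

// RewriteOperation is a constructed tamper standing in for a compromised REE
// relay (steps 202 and 204): it swaps the operation while the bytes transit.
func RewriteOperation(wire []byte) []byte {
	return bytes.Replace(wire, []byte("unlock_door"), []byte("open_vault"), 1)
}

// Accept is steps 205-206: verify inside the TEE, then store. No field of the
// grant is read before the signature over the exact bytes has passed.
func (t *GranteeTEE) Accept(wire []byte, now time.Time) error {
	if len(wire) < ed25519.SignatureSize {
		return ErrSignature
	}
	sig, payload := wire[:ed25519.SignatureSize], wire[ed25519.SignatureSize:]
	if !ed25519.Verify(t.GrantorPub, payload, sig) {
		return ErrSignature
	}
	var g Grant
	if err := json.Unmarshal(payload, &g); err != nil {
		return err
	}
	if g.DeviceID != t.DeviceID {
		return ErrDevice
	}
	if now.Before(g.NotBefore) || now.After(g.NotAfter) {
		return ErrWindow
	}
	t.Store = append(t.Store, g)
	return nil
}

func main() {
	now := time.Date(2016, 11, 16, 12, 0, 0, 0, time.UTC) // constructed clock
	grantor, grantee, _ := NewPair("phone-B")
	wire, _ := grantor.Issue(Grant{"unlock_door", "phone-B", now, now.Add(time.Hour)})
	fmt.Println("clean relay:   ", grantee.Accept(wire, now))
	fmt.Println("tampered relay:", grantee.Accept(RewriteOperation(wire), now))
	fmt.Println("after expiry:  ", grantee.Accept(wire, now.Add(2*time.Hour)))
}
```

Because the REE only ever handles the signed bytes, a change made there surfaces as a signature failure in the receiving TEE and nothing is written to trusted storage.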

Figure 3 is a flowchart of authorization between devices according to an embodiment of the present invention. This embodiment shows the process of performing an authorized operation in the method of authorizing between devices. The process of performing the authorized operation includes:
Step 301: send a request from the first device to the second device, requesting the second device to perform the authorized operation on behalf of the first device;
Step 302: receive the request on the REE side of the second device;
Step 303: encrypt the authorization information on the TEE side of the second device, and send the encrypted authorization information to the first device via the REE side;
Step 304: receive the encrypted authorization information on the REE side of the first device;
Step 305: decrypt and verify the encrypted authorization information on the TEE side of the first device;
Step 306: after verification succeeds, the first device responds to the authorized operation from the second device. For example, the first device can perform the corresponding operation according to the request from the second device.

In one example, the request includes a device ID.

In one example, the authorization information is encrypted with a public key on the TEE side of the second device, and the encrypted authorization information is decrypted and verified with a private key on the TEE side of the first device.

In one example, the process of performing the authorized operation further includes: encrypting the authorization information on the TEE side of the second device and sending the encrypted authorization information to the server via the REE side; decrypting and verifying the encrypted authorization information on the TEE side of the first device; and, after verification succeeds, notifying the first device through the server to respond to the authorized operation from the second device.

In the above embodiments of the present invention, the first device and the second device are mobile communication terminals.

In the above embodiments of the present invention, the REE side of the first device and the REE side of the second device communicate using one of the following: a mobile network, Bluetooth, infrared, or near field communication.

Each block shown in Figures 2 and 3 may be regarded as a method step, and/or as an operation resulting from running computer program code, and/or as a plurality of coupled logic circuit elements constructed to carry out the associated function. Although operations are depicted in the figures in a particular order, this should not be understood as requiring that the operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, in order to achieve the desired result. In some circumstances, multitasking and parallel processing may be advantageous.

The following describes an apparatus for authorizing between devices, which includes an authorization process apparatus, the authorization apparatus comprising: means for generating and encrypting authorization information on the TEE side of the first device; means for transmitting the encrypted authorization information to the second device on the REE side of the first device; means for receiving the encrypted authorization information on the REE side of the second device; means for decrypting and verifying the encrypted authorization information on the TEE side of the second device; and means for storing the authorization information on the second device.

In one embodiment, the authorization apparatus further includes: means for sending the encrypted authorization information from the first device to the server and storing it there; means for signing the authorization information with a private key on the TEE side of the first device; and means for decrypting and verifying the encrypted authorization information with a public key on the TEE side of the second device.

In one embodiment, the authorization information includes the authorized operation, and further includes one or more of the following: the time, the place, and the device ID for performing the authorized operation.

In one embodiment, the apparatus further includes an apparatus for performing the authorized operation, which comprises: means for sending a request from the first device to the second device, requesting the second device to perform the authorized operation on behalf of the first device; means for receiving the request on the REE side of the second device; means for encrypting the authorization information on the TEE side of the second device and sending the encrypted authorization information to the first device via the REE side; means for receiving the encrypted authorization information on the REE side of the first device; means for decrypting and verifying the encrypted authorization information on the TEE side of the first device; and means for the first device to respond, after verification succeeds, to the authorized operation from the second device.

In one embodiment, the request includes a device ID.

In one embodiment, the apparatus further includes: means for encrypting the authorization information with a public key on the TEE side of the second device, and means for decrypting and verifying the encrypted authorization information with a private key on the TEE side of the first device.

In one embodiment, the apparatus for performing the authorized operation further includes: means for encrypting the authorization information on the TEE side of the second device and sending the encrypted authorization information to the server via the REE side; means for decrypting and verifying the encrypted authorization information on the TEE side of the first device; and means for notifying the first device through the server, after verification succeeds, to respond to the authorized operation from the second device.

Exemplary embodiments may be implemented in hardware, software, or a combination thereof. For example, some aspects of the invention may be implemented in hardware, while other aspects may be implemented in software. Although aspects of the exemplary embodiments of the invention may be shown and described as block diagrams and flowcharts, it is well understood that the apparatus or methods described here may be implemented as functional modules in a system, as a non-limiting example. Furthermore, the apparatus described above should not be understood as requiring such separation in all embodiments; rather, the described program components and systems can generally be integrated into a single software product or packaged into multiple software products.

Various modifications and variations of the foregoing exemplary embodiments of the present invention will become apparent to those skilled in the relevant art when the foregoing description is read in conjunction with the drawings. Therefore, embodiments of the invention are not limited to the specific embodiments disclosed, and modifications and other embodiments are intended to be covered within the scope of the appended claims.

Claims (15)

1. A method of authorizing between devices, the method including an authorization process that comprises: sending a request from a first device to a second device, requesting the second device to perform an authorized operation on behalf of the first device; receiving the request on the REE side of the second device; generating and encrypting authorization information on the TEE side of the second device; transmitting the encrypted authorization information to the first device on the REE side of the second device; receiving the encrypted authorization information on the REE side of the first device; decrypting and verifying the encrypted authorization information on the TEE side of the first device; and storing the authorization information on the first device; wherein the first device and the second device are mobile communication devices, and the first device is not online.

2. The method of claim 1, wherein the authorization process further comprises: sending the encrypted authorization information from the second device to a server and storing it there.

3. The method of claim 1, wherein the authorization information is signed with a private key on the TEE side of the second device, and the encrypted authorization information is decrypted and verified with a public key on the TEE side of the first device.

4. The method of claim 1, wherein the authorization information includes the authorized operation, and further includes one or more of the following: the time, the place, and the device ID for performing the authorized operation.

5. The method of claim 1, wherein the request includes a device ID.

6. The method of claim 1, wherein the authorization information is encrypted with a public key on the TEE side of the second device, and the encrypted authorization information is decrypted and verified with a private key on the TEE side of the first device.

7. The method of claim 1, wherein the process of performing the authorized operation further comprises: encrypting the authorization information on the TEE side of the second device and sending the encrypted authorization information to a server via the REE side; decrypting and verifying the encrypted authorization information on the TEE side of the first device; and, after verification succeeds, notifying the first device through the server to respond to the authorized operation from the second device.

8. The method of any one of claims 1 to 7, wherein the REE side of the first device and the REE side of the second device communicate using one of the following: a mobile network, Bluetooth, infrared, or near field communication.

9. An authorization process apparatus for authorizing between devices, comprising: means for generating and encrypting authorization information on the TEE side of a second device; means for transmitting the encrypted authorization information to a first device on the REE side of the second device; means for receiving the encrypted authorization information on the REE side of the first device; means for decrypting and verifying the encrypted authorization information on the TEE side of the first device; and means for storing the authorization information on the first device; wherein the first device and the second device are mobile communication devices, and the first device is not online.

10. The apparatus of claim 9, further comprising: means for sending the encrypted authorization information from the second device to a server and storing it there.

11. The apparatus of claim 9, comprising means for signing the authorization information with a private key on the TEE side of the second device, and means for decrypting and verifying the encrypted authorization information with a public key on the TEE side of the first device.

12. The apparatus of claim 9, wherein the authorization information includes the authorized operation, and further includes one or more of the following: the time, the place, and the device ID for performing the authorized operation.

13. The apparatus of claim 9, wherein the request includes a device ID.

14. The apparatus of claim 9, further comprising: means for encrypting the authorization information with a public key on the TEE side of the second device, and means for decrypting and verifying the encrypted authorization information with a private key on the TEE side of the first device.

15. The apparatus of claim 9, wherein the apparatus for performing the authorized operation further comprises: means for encrypting the authorization information on the TEE side of the second device and sending the encrypted authorization information to a server via the REE side; means for decrypting and verifying the encrypted authorization information on the TEE side of the first device; and means for notifying the first device through the server, after verification succeeds, to respond to the authorized operation from the second device.
TW105137495A 2015-11-16 2016-11-16 Method and device for authorizing between devices TWI636373B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
201510785827.2 2015-11-16
CN201510785827.2A CN105592071A (en) 2015-11-16 2015-11-16 Method and device for authorization between devices

Publications (2)

Publication Number Publication Date
TW201719476A (en) 2017-06-01
TWI636373B (en) 2018-09-21

Family

ID=55931286

Family Applications (1)

Application Number Title Priority Date Filing Date
TW105137495A TWI636373B (en) 2015-11-16 2016-11-16 Method and device for authorizing between devices

Country Status (3)

Country Link
CN (1) CN105592071A (en)
TW (1) TWI636373B (en)
WO (1) WO2017084553A1 (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105592071A (en) * 2015-11-16 2016-05-18 中国银联股份有限公司 Method and device for authorization between devices
WO2018086279A1 (en) * 2016-11-14 2018-05-17 华为技术有限公司 Message pushing method and terminal
CN108419224B (en) * 2018-03-16 2020-12-18 上海百联集团股份有限公司 Beacon device, device to be authorized, server and encryption authorization method
CN110858245B (en) * 2018-08-24 2021-09-21 珠海格力电器股份有限公司 Authorization method and data processing equipment
CN109547451B (en) * 2018-11-30 2021-05-25 四川长虹电器股份有限公司 TEE-based trusted authentication service authentication method
CN110011956B (en) 2018-12-12 2020-07-31 阿里巴巴集团控股有限公司 Data processing method and device
CN111444528B (en) * 2020-03-31 2022-03-29 海信视像科技股份有限公司 Data security protection method, device and storage medium
CN111510918B (en) * 2020-04-28 2022-08-02 拉扎斯网络科技(上海)有限公司 Communication method, system, device, electronic equipment and readable storage medium
CN116049913B (en) * 2022-05-24 2023-11-03 荣耀终端有限公司 Data storage method, device, electronic equipment and computer readable storage medium

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TW200604546A (en) * 2004-07-26 2006-02-01 Agilent Technologies Inc License proxy process to facilitate license sharing between a plurality of applications
US20080092211A1 (en) * 2006-10-13 2008-04-17 Microsoft Corporation UPNP authentication and authorization
TW201141177A (en) * 2009-12-23 2011-11-16 Intel Corp Hardware attestation techniques
CN102687483A (en) * 2009-12-29 2012-09-19 通用仪表公司 Temporary registration of devices
CN103186720A (en) * 2011-12-28 2013-07-03 北大方正集团有限公司 Digital rights management method, equipment and system
CN103621009A (en) * 2012-06-21 2014-03-05 Sk普兰尼特有限公司 Method for authenticating trusted platform-based open ID, and apparatus and system therefor
CN103856621A (en) * 2012-12-06 2014-06-11 北京三星通信技术研究有限公司 Method and device for authorization between user devices
US20150261950A1 (en) * 2014-03-13 2015-09-17 Intel Corporation Symmetric keying and chain of trust

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005091553A1 (en) * 2004-03-22 2005-09-29 Nokia Corporation Secure data transfer
KR20080048764A (en) * 2006-11-29 2008-06-03 삼성전자주식회사 Method and apparatus for signing right object by proxy and issuing proxy-certificate
CN104754552B (en) * 2013-12-25 2018-07-24 中国移动通信集团公司 A kind of credible performing environment TEE initial methods and equipment
US9520994B2 (en) * 2014-03-20 2016-12-13 Oracle International Corporation System and method for deriving secrets from a master key bound to an application on a device
CN105592071A (en) * 2015-11-16 2016-05-18 中国银联股份有限公司 Method and device for authorization between devices

Also Published As

Publication number Publication date
TW201719476A (en) 2017-06-01
WO2017084553A1 (en) 2017-05-26
CN105592071A (en) 2016-05-18

Similar Documents

Publication Publication Date Title
TWI636373B (en) Method and device for authorizing between devices
CN109347835B (en) Information transmission method, client, server, and computer-readable storage medium
US11082224B2 (en) Location aware cryptography
EP3518458B1 (en) Method and device for secure communications over a network using a hardware security engine
US10601801B2 (en) Identity authentication method and apparatus
CN108377190B (en) Authentication equipment and working method thereof
EP3487142B1 (en) Providing and obtaining graphic payment code information
CN111028397B (en) Authentication method and device, and vehicle control method and device
CN107464109B (en) Trusted mobile payment device, system and method
CN107743067B (en) Method, system, terminal and storage medium for issuing digital certificate
CN110621014B (en) Vehicle-mounted equipment, program upgrading method thereof and server
WO2016201732A1 (en) Virtual sim card parameter management method, mobile terminal, and server
CN105915338B (en) Generate the method and system of key
CN110198295A (en) Safety certifying method and device and storage medium
CN113114668B (en) Information transmission method, mobile terminal, storage medium and electronic equipment
CN107155184B (en) WIFI module with secure encryption chip and communication method thereof
CN106411520B (en) Method, device and system for processing virtual resource data
CN110838919B (en) Communication method, storage method, operation method and device
JP2014235753A (en) Method and apparatus for inputting data
WO2014117648A1 (en) Application access method and device
CN107682380B (en) Cross authentication method and device
CN113660285A (en) Multimedia conference on-line terminal control method, device, equipment and storage medium
CN116033415A (en) Reference station data transmission method and device, reference station, server and medium
WO2013189457A2 (en) Terminal, cloud system server and interaction method and system thereof
JP2018078592A (en) Communication system, communication device, key management device, and communication method