WO2014117648A1 - Application access method and device - Google Patents

Info

Publication number
WO2014117648A1
Authority
WO
WIPO (PCT)
Prior art keywords
application
access device
digital certificate
server
access request
Application number
PCT/CN2014/070668
Other languages
English (en)
Chinese (zh)
Inventor
刘小元
孙增才
何庆建
Original Assignee
华为终端有限公司
Application filed by 华为终端有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/006 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving public key infrastructure [PKI] trust models
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3265 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate chains, trees or paths; Hierarchical trust model
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates

Definitions

  • the present invention relates to communication technologies, and in particular, to an application access method and device.
  • a special encryption device such as a USB key is usually used to implement a security scheme such as encryption and decryption in the transaction process to ensure the security of the transaction process, that is, to enhance the security when accessing the application.
  • the above-mentioned dedicated encryption device generally stores some security information corresponding to the application, such as a digital certificate, a private key, etc.; during the access process of the application, the application uses the above security information in the dedicated encryption device to perform security authentication, data encryption, and similar processing, so as to ensure application access security.
  • the drawback of this method is that the security of application access depends too heavily on the dedicated encryption device as a peripheral. If the user does not carry the dedicated encryption device, the application cannot be accessed securely, which is very inconvenient and may affect the user's work; moreover, different applications each need a dedicated encryption device customized for that application. A user who wants to use both the online banking client and the securities trading client may need to carry and use two such devices. The dependence on these devices is too strong and inconvenient for application access.
  • the present invention provides an application access method and apparatus to reduce reliance on secure peripherals.
  • the first aspect provides an application access method, where the method includes: an application access device generates a security access request, where the security access request is used to request an application security service for an application running on the application access device;
  • the application access device generates a key pair according to the security access request, where the key pair includes a public key and a private key;
  • the application access device uses the public key to apply to the certificate server for a digital certificate, and the application access device establishes a connection with the application server by using the digital certificate; after the connection is established with the application server, the application access device encrypts data transmitted between the application access device and the application server by using the private key.
  • the method further includes: the application access device storing a correspondence between the digital certificate and the application.
  • the method further includes: The application access device detects, according to the correspondence, whether a digital certificate corresponding to the application has been stored; when the detection result is yes, directly establishing a connection with the application server by using the stored digital certificate.
  • the second aspect provides an application access method, where the method includes: the application access device receives a security access request sent by the application running device, where the security access request is used to generate a key pair for running the security access request, the key pair includes a public key and a private key; the application access device sends the public key to the application running device, so that the application running device uses the public key to apply to the certificate server for a digital certificate, and the application running device establishes a connection with the application server by using the digital certificate; after the application running device establishes a connection with the application server, the application access device uses the private key to encrypt data transmitted between the application running device and the application server.
  • the receiving, by the application access device, of the security access request sent by the application running device includes: receiving, by the application access device, the security access request sent by the application running device that is connected to the application access device through any one of a USB connection, a WIFI connection, and an NFC connection.
  • the receiving, by the application access device, of the security access request sent by the application running device includes: the application access device receives, through a PKCS#11 interface, the security access request sent by the application running device.
  • the method further includes: The application access device receives the digital certificate sent by the application running device, and stores a correspondence between the digital certificate and the application.
  • after the application access device receives the security access request sent by the application running device and before it generates a key pair according to the security access request, the method further includes: detecting, by the application access device, according to the correspondence, whether a digital certificate corresponding to the application has been stored; and, when the detection result is yes, directly sending the stored digital certificate to the application running device, so that
  • the third aspect provides an application access device, including: an interface unit, an encryption unit, and an application processing unit, where the interface unit is configured to receive a security access request generated by an application access device, where the security access request is used to request an application security service for the application running on the application access device
  • the encryption unit is configured to generate a key pair according to the secure access request, where the key pair includes a public key and a private key
  • the application processing unit is configured to apply to the certificate server for a digital certificate by using the public key, and to establish a connection with the application server through the digital certificate.
  • the encryption unit is further configured to store a correspondence between the digital certificate and the application.
  • the encryption unit is further configured to: after the interface unit receives the secure access request and before generating the key pair according to the secure access request, detect, according to the stored correspondence, whether the digital certificate corresponding to the application has been stored; the application processing unit is further configured to, when the detection result of the encryption unit is yes, directly establish a connection with the application server through the stored digital certificate.
  • the fourth aspect provides an application access device, where the application access device establishes a communication connection with an application running device, where the application access device includes: an interface unit and an encryption unit, and the interface unit is configured to receive a secure access request sent by the application running device, the entire service; and to transmit the public key generated by the encryption unit to the application running device, so that the application running device applies to the certificate server for the digital certificate using the public key, and
  • the encryption unit is configured to generate a key pair according to the secure access request, where the key pair includes a public key and a private key; and after the application running device establishes a connection with the application server, using the The private key encrypts data transmitted between the application running device and the application server.
  • the interface unit is configured to receive the secure access request sent by the application running device that is connected to the application access device through any one of a USB connection, a WIFI connection, and an NFC connection.
  • the interface unit is a PKCS#11 interface.
  • the interface unit is further configured to: after sending the public key to the application running device, receive the digital certificate sent by the application running device;
  • the encryption unit is further configured to: after the interface unit receives the secure access request sent by the application running device and before generating the key pair according to the secure access request, detect, according to the stored correspondence, whether the digital certificate corresponding to the application has been stored
  • the interface unit is further configured to: when the detection result of the encryption unit is yes, directly send the digital certificate stored by the encryption unit to the application running device, so that the application running device establishes a connection with an application server using the digital certificate.
  • the technical effect of the application access method and device provided by the present invention is: generating a key pair by the application access device according to the secure access request of the application, so that the application can use the key pair to apply for the digital certificate and encrypt the data.
  • the security capability of the application access device itself is enhanced, so that the application access device can provide security guarantee for application access without additionally requiring security peripherals outside the application access device, which reduces the reliance on security peripherals.
  • FIG. 1 is a schematic structural diagram of an application access device according to an embodiment of the present invention
  • FIG. 2 is a schematic diagram of another embodiment of an application access device according to the present invention
  • FIG. 3 is a schematic structural diagram of another embodiment of an application access device according to the present invention
  • FIG. 5 is a schematic diagram of a working principle of another embodiment of an application access device according to the present invention
  • FIG. 6 is a schematic structural diagram of another embodiment of an application access device according to the present invention.
  • a schematic structural diagram of another embodiment of an application access device according to the present invention is a schematic flowchart of an embodiment of an application access method according to the present invention
  • FIG. 9 is a schematic flowchart diagram of an embodiment of an application access method according to the present invention.
  • the embodiment of the present invention enhances the security capability of the application access device itself, so that, without using a secure peripheral, the application access device provides security for application access.
  • the application refers to, for example, online banking, securities trading, and the like.
  • the application access device refers to a device used by the application during use. For example, if a user launches an online banking application on his tablet and uses the online banking service, the tablet is called an application.
  • the application access device of the present embodiment refers to a device capable of providing a security protection service for an application (such as the above-mentioned tablet providing a key pair).
  • the application access method of the embodiment of the present invention is a method performed by the application access device, that is, the embodiment of the present invention improves the application access device so that the security capability of the device is enhanced and it provides security services for the access of the application, which also changes the way applications are accessed.
  • the application access device of the embodiment of the present invention can provide an access device for an application running on the device.
  • the device can have two different structures. The following is a description of the structure of the application access device in the above two cases and the working principle of the application access device in the corresponding structure:
  • Embodiment 1 FIG. 1 is a schematic structural diagram of an application access device according to an embodiment of the present invention.
  • the application access device of the structure can provide security services for applications running on the device; as shown in FIG. 1, the application access device can include: an interface unit 11, an encryption unit 12, and an application processing unit.
  • the interface unit 11 is configured to receive a secure access request for requesting application security services.
  • the secure access request arises, for example, when an online banking application is in use and an operation involving a fund transaction is performed, for example when the user clicks to trigger a certain step in the online banking; the device on which the online banking runs is then connected to the application server corresponding to the online banking, so the device sends the secure access request to the application access device of the embodiment, requesting a security service, for example requesting generation of a key pair.
  • the interface unit 11 instructs the encryption unit 12, according to the secure access request, to perform encryption processing that assists the application in establishing the secure connection.
  • the application access device installs and runs an application, and the application access device itself generates the security access request.
  • the secure access request is actually sent by the application processing unit in the application access device (the application processing unit is a module that invokes the online banking application).
  • the above security access request is specifically sent when the application access device invokes the execution of the application, such as running online banking on the notebook, and when the online banking runs to when the notebook needs to send a secure access request, the application developer may
  • the application access device of the embodiment provides a security service for the application, as long as the application is designed to automatically trigger the application access device to send a secure access request to the interface unit 11 when the application access security is required.
  • the encryption unit 12 is configured to generate a key pair according to the secure access request, where the key pair includes a public key and a private key; the operation of generating a key pair may use, for example, RSA (the RSA public key encryption algorithm was developed in 1977 by Ron Rivest, Adi Shamir, and Len Adleman at the Massachusetts Institute of Technology, and RSA is named after the three of them), which is not described in detail.
  • the generated public key will be sent by the encryption unit 12 to the interface unit 11, which in turn sends the public key to the application processing unit 13.
  • the application processing unit 13 is configured to apply, by using the public key, to a certificate server (i.e., a certificate authority (CA) server) for a digital certificate (the certificate server will use the public key to generate the digital certificate)
  • the digital certificate is a certificate uniquely corresponding to the application; and the application access device establishes a secure connection with the application server by using the digital certificate.
  • the application access process of the present embodiment differs from the approach in which the digital certificate is directly stored in a dedicated encryption device such as a USB Key and the application, at runtime, directly uses the digital certificate in the encryption device to establish a secure connection with the application server. In the embodiment, the public key is generated by the encryption unit inside the application access device, and the application access device uses the public key to apply for the digital certificate and establishes a connection with the application server through the certificate.
  • the online banking of one bank uses the encryption device A, the online banking of another bank uses the encryption device B, and the securities transaction uses the encryption device C, etc., which not only requires the user to carry the encryption device with him or her
  • the encryption unit in the application access device can provide a key pair for the application in real time during the access process of the application, and the application can apply for a digital certificate in real time, and the encryption unit does not correspond to a specific application.
  • the encryption unit can be used by various applications; for example, the user's tablet is the application access device, and the tablet runs two applications, online banking and securities trading; at runtime, each of the two applications may request the encryption unit of the tablet to generate a key pair for it.
  • the service for generating the key pair may be provided for any application, and each application may apply for a digital certificate corresponding to itself after obtaining the public key.
  • the application access device of the embodiment can provide services for various applications, which is very convenient, and improves the access efficiency of the application.
  • the process of establishing the connection between the application access device and the application server by using the digital certificate is a conventional technology, and the simple description is as follows:
  • the application access device sends a connection request to the application server, carrying the digital certificate corresponding to the application, and the application server sends the digital certificate to the authentication server (that is, the VA server) for verification. If the authentication server passes the certificate verification, the application server returns a connection response to the application access device, and establishes a connection with the application access device.
  • the connection is established after the certificate is verified, so that the security of the communication between the application access device and the application server can be ensured, that is, the connection is a secure connection.
  • the authentication server verifies the certificate by comparing the digital certificate received from the certificate server with the certificate received from the application server. If the two are consistent, the verification is passed, and the certificate authentication server performs the verification of the certificate at this time.
  • the encryption unit 12 of the embodiment is further configured to perform encryption processing on data transmitted between the application access device and the application server by using the private key after the application access device establishes a connection with the application server.
  • the encryption processing described here includes encrypting data transmitted between the application access device and the application server: data is encrypted on the application access device side and then transmitted to the application server (for example, the application access device encrypts the data by using the private key, and the application server decrypts the data by using the public key, the public key having been sent by the application access device to the application server). It also includes decrypting data: data sent by the application server to the application access device is decrypted (for example, the application server encrypts the data by using the public key, and the application access device decrypts the data by using the private key).
  • the application access device of this embodiment generates a key pair according to the secure access request for requesting the application security service, so that the application access device can use the key pair to apply for the digital certificate, perform encryption processing on the data, and establish a secure connection with the application server, thereby enhancing the security capability of the application access device itself, so that the application access device can provide security guarantee for application access without additionally requiring security peripherals outside the application access device, which reduces the reliance on secure peripherals.
  • the application access device of the embodiment of the present invention can provide the working principle of the application access device in the two cases described in the second embodiment and the third embodiment for the application running on the device.
  • the second embodiment of the present invention provides a security service for an application running on the device.
  • FIG. 2 is a schematic diagram of the working principle of another embodiment of the application access device according to the present invention.
  • the application access device in this embodiment takes a tablet computer as an example, and the application uses an online banking as an example.
  • the online banking is an application running on a tablet computer. Therefore, the tablet computer is both an application access device (i.e., the device that provides the security service to the application) and the application running device (that is, the device that installs and runs the application).
  • the application access device of this embodiment further includes an application processing unit 13 for calling and executing an online banking application; and the application processing unit 13 is capable of communicating with the interface unit 11.
  • the application access device of the embodiment is also an application running device, so the application access device can also communicate with the application server and the certificate server; this communication with the servers is performed by the transceiver unit 14 in the application access device.
  • the application processing unit 13 calls and executes the online banking, and the online banking starts running on the tablet; during the running process (for example, the user starts using the online banking on the tablet), according to the settings of the online banking, at a certain point at runtime the application processing unit 13 will initiate a secure access request based on the presetting of the online banking, which will be sent to the interface unit 11.
  • the tablet computer of the embodiment runs the Android system, and an application such as an online bank running in the system may send a secure access request to the interface unit 11 at runtime.
  • the interface unit 11 instructs the encryption unit 12 to perform a service for generating a key pair according to the secure access request, and the public key generated by the encryption unit 12 is returned to the application processing unit 13 through the interface unit 11.
  • the application processing unit 13 sends the public key to the transceiver unit 14, instructing the transceiver unit 14 to apply for a digital certificate to the certificate server using the public key, and establish a secure connection with the application server using the certificate.
  • the transceiver unit 14 is only an interface between the tablet computer and the server.
  • the party that actually exchanges data with the server is still the application processing unit 13.
  • when data is to be transmitted to the application server, it is sent by the application processing unit 13 to the transceiver unit 14, which is only responsible for forwarding the data to the application server; in essence this is still communication between the application processing unit 13 and the application server.
  • the data may be sent to the encryption unit 12 through the interface unit 11, encrypted by the encryption unit 12, and then returned through the interface unit 11 to the application processing unit 13, which in turn instructs the transceiver unit 14 to transmit the data to the application server.
  • the application processing unit 13 may send the data to the encryption unit 12 through the interface unit 11, where the encryption unit 12 decrypts the data and then returns it to the application processing unit 13 through the interface unit 11; the application processing unit 13 obtains the data and continues to run the online banking using the data.
  • FIG. 3 is a schematic structural diagram of another embodiment of an application access device according to the present invention.
  • the device in the embodiment may be referred to as an application running device.
  • the application access device may include: an interface unit 31 and an encryption unit 32.
  • the interface unit 31 is configured to receive a secure access request for requesting to provide an application security service, where the secure access request arises, for example, when an online banking application is in use and an operation involving a fund transaction is performed, for example when the user clicks to trigger a certain step in the online banking; the device on which the online banking is running must then be connected to the application server corresponding to the online banking, so the device sends the secure access request to the application access device of the embodiment, requesting a security service, for example requesting generation of a key pair.
  • the interface unit 31 instructs the encryption unit 32, according to the secure access request, to perform encryption processing that assists the application in establishing the secure connection.
  • the device that sends the foregoing security access request is an application running device that installs and runs an application, and the application running device is a device other than the application access device in this embodiment.
  • the secure access request is sent by the notebook to the interface unit 31 of the application access device of the embodiment.
  • the above security access request is specifically sent when the application running device invokes the execution of the application, such as running online banking on the notebook, and when the online banking runs to when the notebook needs to send a secure access request, the application developer may
  • the application access device of the present embodiment provides security for the application by the application access device of the embodiment, as long as the application is configured to automatically trigger the application running device to send a secure access request to the interface unit 31 of the application access device of the embodiment. service.
  • the encryption unit 32 is configured to generate a key pair according to the secure access request, where the key pair includes a public key and a private key; the operation of generating the key pair may use a conventional technology such as RSA, which is not described in detail.
  • the generated public key will be sent by the encryption unit 32 to the interface unit 31, and then the interface unit 31 sends the public key to the application running device, so that the application running device uses the public key to apply for obtaining a digital certificate from the certificate server.
  • the digital certificate is a certificate that uniquely corresponds to the application.
  • the application running device will establish a secure connection with the application server through the digital certificate.
  • the application access process of the present embodiment is directly stored in a dedicated encryption device such as a USB Key, and the application running device used in the runtime is directly used in the encryption device.
  • the digital certificate establishes a secure connection with the application server.
  • In the application access process of this embodiment, the application running device requests the encryption unit in the application access device to generate a public key, uses the public key to apply for the digital certificate, and establishes a connection with the application server through the certificate.
  • the digital certificate is equivalent to the application ID card and the different applications correspond to different digital certificates
  • the manner in which the digital certificate is pre-stored in an encryption device such as a USB Key in the prior art also enables the encryption device.
  • the online banking of a bank uses the encryption device A
  • the online banking of another bank uses the encryption device B
  • the encryption device C used for the securities transaction, etc. not only requires the user to carry the encryption device with him or her
  • the encryption unit in the application access device can provide a key pair for the application in real time during the access process of the application, and the application can apply for a digital certificate in real time, and the encryption unit does not correspond to a specific application.
  • The encryption unit can be used by various applications. For example, the user's tablet is the application access device and runs two applications, online banking and securities trading; at runtime, either application may request the encryption unit on the tablet to generate a key pair for it.
  • the service for generating the key pair may be provided for any application, and each application may apply for a digital certificate corresponding to itself after obtaining the public key.
  • the application access device of the embodiment can provide services for various applications, which is very convenient and improves the access efficiency of the application.
  • The application running device sends a connection request to the application server, carrying the digital certificate corresponding to the application, and the application server sends the digital certificate to the authentication server (that is, the VA server) for verification. If the authentication server verifies the certificate successfully, the application server returns a connection response to the application running device and establishes a connection with the application running device. Since the connection is established after certificate verification passes, communication security between the application running device and the application server is guaranteed; the connection is a secure connection.
  • The authentication server verifies the certificate by comparing the digital certificate received from the certificate server with the certificate received from the application server; if the two are consistent, verification passes.
  • the authentication server performs the verification of the certificate at this time.
  • the encryption unit 32 of the embodiment is further configured to perform encryption processing on data transmitted between the application running device and the application server by using the private key after the application running device establishes a connection with the application server.
  • The encryption processing described herein includes encrypting data transmitted between the application running device and the application server, so that the data is encrypted on the application running device side before being sent to the application server (for example, the application running device encrypts the data using the private key, and the application server decrypts it using the public key, which the application running device sends to the application server). It also includes decrypting data sent by the application server to the application running device (for example, the application server encrypts the data using the public key, and the application running device decrypts it using the private key).
  • In this embodiment, the application access device generates a key pair according to the secure access request for requesting the application security service, so that the application running device can use the key pair to apply for the digital certificate, encrypt data, and establish a secure connection with the application server. This enhances the security capability of the application access device itself, so that the application access device can provide security for application access without adding a secure peripheral outside the application access device, which reduces reliance on secure peripherals.
  • Embodiment 4: The application access device of this embodiment provides a security service for an application running on another device; the other device communicates with the application access device of this embodiment through an external connection.
  • FIG. 4 is a schematic diagram of a working principle of still another embodiment of an application access device according to the present invention.
  • the application access device of this embodiment takes a tablet computer as an example, and the external device uses a notebook as an example, and the application uses an online banking as an example.
  • The online banking is an application running on the notebook; therefore, the tablet is the application access device and the notebook is the application running device.
  • In this embodiment, the notebook is provided with an application processing unit 21 and a transceiver unit 22. The application processing unit 21 is configured to invoke the online banking application installed on the notebook. The notebook can communicate with the application server and the certificate server, and with the tablet computer; the transceiver unit 22 serves as the interface through which the notebook communicates with the servers and the tablet.
  • The transceiver unit 22 can forward the secure access request sent by the application processing unit 21 to the tablet, and forward the public key returned by the tablet to the application processing unit 21.
  • a transceiver unit 33 is also provided on the tablet as an interface for communication between the tablet and the notebook.
  • The application processing unit 21 on the notebook invokes the online banking, and the online banking starts running on the notebook. During the running process (for example, the user starts using the online banking on the tablet), at a certain point during runtime the application processing unit 21 initiates a secure access request according to the presets of the online banking, and the secure access request is sent to the interface unit 31 on the tablet through the transceiver unit 22 on the notebook and the transceiver unit 33 on the tablet.
  • The interface unit 31 instructs the encryption unit 32, according to the secure access request, to perform the service of generating a key pair, and the public key generated by the encryption unit 32 is returned to the application processing unit 21 on the notebook through the interface unit 31 and each of the above-described transceiver units.
  • the application processing unit 21 uses the public key to apply for a digital certificate to the certificate server, and uses the certificate to establish a secure connection with the application server, and the communication with the server in the process is forwarded by the transceiver unit 22.
  • the encryption unit 32 on the tablet of the embodiment may also be responsible for data encryption and decryption processing between the application processing unit 21 and the application server, and the process is similar to the previous embodiment.
  • The data encryption request, carrying the data to be encrypted, may be sent to the interface unit 31 through the transceiver unit 22 on the notebook and the transceiver unit 33 on the tablet. The interface unit 31 instructs the encryption unit 32 to perform data encryption processing; the encryption unit 32 encrypts the data and returns it to the application processing unit 21 on the notebook through the interface unit 31 and the above-mentioned transceiver units, and the application processing unit 21 instructs the transceiver unit 22 to transmit the data.
  • the notebook and the tablet communicate with each other through an external connection, such as a Universal Serial Bus (USB) connection, a WIFI connection, and a near field communication (Near).
  • USB Universal Serial Bus
  • WIFI Wireless Fidelity
  • FIG. 5 is a schematic diagram of a working principle of another embodiment of an application access device according to the present invention.
  • This embodiment is described by taking an application running inside an application access device as an example.
  • The principle of this embodiment is also applicable to the case where the application runs on an external device.
  • As shown in FIG. 5, after the tablet computer applies to the certificate server for the digital certificate, the transceiver unit 14 sends the digital certificate received from the certificate server to the application processing unit 13, the application processing unit 13 sends the digital certificate to the interface unit 11, and the interface unit 11 sends the certificate to the encryption unit 12.
  • When the application processing unit 13 sends the digital certificate to the interface unit 11, it can carry the identifier of the online banking application, so that the interface unit 11 can send both the application identifier and the digital certificate to the encryption unit 12.
  • the encryption unit 12 stores the received digital certificate and application identifier, and establishes a correspondence between the digital certificate and the application identifier, that is, establishes a correspondence between the digital certificate and the online banking application.
  • the interface unit 11 forwards the secure access request sent by the application processing unit 13 to the encryption unit 12, it is equivalent to when the interface unit 11 instructs the encryption unit 12 to generate a key pair that has stored a digital certificate corresponding to the application.
  • the above-mentioned interface unit 11 sends the identifier of the online banking application to the encryption unit 12.
  • If the detection result of the encryption unit 12 is YES, that is, the digital certificate of the online banking application is stored, the encryption unit 12 sends the stored digital certificate to the application processing unit 13 through the interface unit 11, and the application processing unit 13 no longer needs to apply for a digital certificate but directly establishes a connection with the application server using the digital certificate.
  • the transceiver unit 22 on the notebook can send the digital certificate to the tablet for storage;
  • The transceiver unit 22 on the notebook sends the digital certificate to the transceiver unit 33 of the tablet computer, and at the same time sends the transceiver unit 33 the application identifier of the application running on the notebook to which the certificate corresponds; the transceiver unit 33 then sends the digital certificate and the application identifier to the interface unit 31, which sends them to the encryption unit 32.
  • the encryption unit 32 stores the digital certificate and the application identifier described above, and establishes a correspondence between the digital certificate and the application identifier.
  • the unit 21 instructs the transceiver unit 22 to send the application identification to the tablet, and finally sends the application identification to the encryption unit 32 of the tablet in accordance with the above-described transmission process.
  • The encryption unit 32 queries whether a digital certificate corresponding to the application identifier is stored. If so, the encryption unit 32 can send the digital certificate to the notebook by the reverse of the process described above, so that the notebook does not need to obtain the certificate from the certificate server again but uses the stored certificate to establish a connection with the application server.
  • If the encryption unit 32 finds that it has not stored a digital certificate corresponding to the application identifier, it can directly start a security service for the notebook, generate a key pair, and return the public key to the notebook, so that the notebook uses the public key to connect to the certificate server and apply for a digital certificate.
  • The related process can be referred to the above embodiment, and will not be described in detail.
  • In the method of this embodiment, when the application running device needs to connect to the application server for the first time, the application access device of this embodiment provides a key pair so that the application running device can use the key to apply for a digital certificate; the application running device then sends the certificate of the application to the application access device for storage.
  • the interface unit in the application access device may use, for example, a PKCS#11 interface, and the encryption unit may be implemented by software or an encryption chip, for example.
  • FIG. 6 is a schematic structural diagram of another embodiment of an application access device according to the present invention. As shown in FIG. 6, the device is in software mode and the encryption unit is a soft encryption module; that is, the encryption, decryption, and similar operations of the encryption unit are implemented by software algorithms, and common encryption and decryption algorithms are supported, such as Triple Data Encryption Algorithm (3DES), AES, RC4, Message Digest Algorithm 5 (MD5), DSA and RSA.
  • the encryption, decryption, generation key pair, and security services such as signature and signature verification provided by the soft encryption module are provided to the application through the PKCS#11 interface.
  • the encryption unit may involve some data cache or data storage, and the storage medium used by the application device is an application access device.
  • FIG. 7 is a schematic structural diagram of another embodiment of an application access device according to the present invention.
  • The device is in hardware mode and the encryption unit is an encryption chip; that is, the encryption, decryption, and similar operations of the encryption unit are implemented by the encryption chip, driven by a driver program, and common encryption and decryption algorithms are supported.
  • the security services provided by the encryption chip such as encryption, decryption, signature, signature verification, and key generation, are provided to the application through the PKCS#11 interface.
  • Embodiment 7 This embodiment provides an application access method, which is performed by an application access device.
  • FIG. 8 is a schematic flowchart of an application access method according to an embodiment of the present invention. The method in this embodiment is performed by an application access device that provides a security service for an application running on the device itself. This embodiment describes the method only briefly; for the specific implementation principle, refer to the device embodiments. As shown in FIG. 8, the method can include:
  • the application access device generates a security access request, where the security access request is used to request an application security service for an application running on the application access device.
  • the application access device generates a key pair according to the security access request, where the key pair includes a public key and a private key.
  • the application access device uses the public key to apply for obtaining a digital certificate to the certificate server, and the application access device establishes a connection with the application server by using the digital certificate.
  • the application access device encrypts data transmitted between the application access device and the application server by using the private key after establishing a connection with the application server.
  • Further, after the application access device generates the security access request, the method further includes: the application access device stores a correspondence between the digital certificate and the application.
  • Further, after the application access device generates the security access request and before it generates the key pair according to the security access request, the method further includes: the application access device detects, according to the correspondence, whether a digital certificate corresponding to the application has been stored; when the detection result is YES, it directly establishes a connection with the application server by using the stored digital certificate.
  • FIG. 9 is a schematic flowchart of an application access method according to an embodiment of the present invention. The method of the present embodiment is only described briefly. The specific implementation principle may be as described in conjunction with the device embodiment. As shown in FIG. 9, it may include:
  • the application access device receives a security access request sent by an application running device, where the service is used.
  • the application access device generates a key pair according to the security access request, where the key pair includes a public key and a private key.
  • the application access device sends the public key to the application running device, so that the application running device applies to the certificate server for a digital certificate by using the public key, and the application running device establishes a connection with the application server through the digital certificate;
  • after the application running device establishes a connection with the application server, the application access device encrypts data transmitted between the application running device and the application server by using the private key.
  • Further, receiving the security access request sent by the application running device includes: the application access device receives the security access request sent by an application running device that is connected to the application access device through any one of a USB connection, a WIFI connection, and an NFC connection.
  • The application access device specifically receives the security access request sent by the application running device through a PKCS#11 interface.
  • Further, after the application access device sends the public key to the application running device, the method further includes: the application access device receives the digital certificate sent by the application running device, and stores the correspondence between the digital certificate and the application.
  • Further, after the application access device receives the security access request sent by the application running device and before it generates the key pair according to the security access request, the method further includes: the application access device detects, according to the correspondence, whether a digital certificate corresponding to the application has been stored; when the detection result is YES, the stored digital certificate is directly sent to the acknowledgment connection.
  • the aforementioned program can be stored in a computer readable storage medium.
  • the program when executed, performs the steps including the foregoing method embodiments; and the foregoing storage medium includes: a medium that can store program codes, such as a ROM, a RAM, a magnetic disk, or an optical disk.
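The certificate-storage flow described in the embodiments above (the first request for an application returns a public key; once the certificate and application identifier are stored, later requests return the stored certificate), as an added Python example that is not code from the patent. The class and function names, the dict-shaped certificate and the matching check in `store_certificate` are assumptions; textbook RSA without padding stands in for the encryption unit's key generator, where a real device would use a PKCS#11 token or a vetted library.

```python
import hashlib
import secrets

E = 65537  # public exponent


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        # Set the two top bits (full-size modulus) and the low bit (odd).
        c = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        if c % E != 1 and _is_probable_prime(c):
            return c


def generate_key_pair(bits=1024):
    """Textbook RSA key generation; a stand-in for the unit's real generator."""
    p = _random_prime(bits // 2)
    q = _random_prime(bits // 2)
    while q == p:
        q = _random_prime(bits // 2)
    d = pow(E, -1, (p - 1) * (q - 1))
    return (p * q, E), (p * q, d)


def digest_as_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


class EncryptionUnit:
    """Models encryption unit 12/32; not bound to any one application."""

    def __init__(self):
        self._keys = {}   # application identifier -> (public, private)
        self._certs = {}  # application identifier -> stored digital certificate

    def secure_access_request(self, app_id):
        """Return the stored certificate if there is one, else a new public key."""
        if app_id in self._certs:
            return {"certificate": self._certs[app_id]}
        public, private = generate_key_pair()
        self._keys[app_id] = (public, private)
        return {"public_key": public}  # the private key never leaves the unit

    def store_certificate(self, app_id, cert):
        """Record the certificate/application correspondence.

        Added check (an assumption, not in the patent text): refuse a
        certificate that does not carry the key generated for this application.
        """
        keys = self._keys.get(app_id)
        if (keys is None or cert.get("app_id") != app_id
                or cert.get("public_key") != keys[0]):
            raise ValueError("certificate does not match key pair for " + app_id)
        self._certs[app_id] = cert

    def private_key_operation(self, app_id, data):
        """Apply the private key to SHA-256(data) inside the unit (no padding)."""
        n, d = self._keys[app_id][1]
        return pow(digest_as_int(data), d, n)


def issue_certificate(app_id, public_key, serial):
    """Constructed stand-in for the certificate server: a dict, not X.509."""
    return {"app_id": app_id, "public_key": public_key, "serial": serial}


if __name__ == "__main__":
    unit = EncryptionUnit()
    first = unit.secure_access_request("online-banking")   # first connection
    cert = issue_certificate("online-banking", first["public_key"], serial=1)
    unit.store_certificate("online-banking", cert)
    again = unit.secure_access_request("online-banking")   # later connection
    print("reused stored certificate:", again.get("certificate") is cert)
```

Because keys and certificates are indexed by application identifier, one unit serves online banking and securities trading alike, and the application running device only ever receives a public key or a certificate.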

Abstract

The invention relates to an application access method and device, comprising the following steps: an application access device generates a secure access request for providing an application security service for an application running on the application access device; the application access device generates a key pair according to the secure access request, the key pair comprising a public key and a private key; the application access device uses the public key to apply to a certificate server for a digital certificate, and the application access device establishes a connection with an application server by means of the digital certificate; and after establishing a connection with the application server, the application access device uses the private key to encrypt data transmitted between the application access device and the application server. The present invention reduces dependence on an external security device.
PCT/CN2014/070668 2013-01-31 2014-01-15 Application access method and device WO2014117648A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310038423.8A CN103973647A (zh) 2013-01-31 2013-01-31 Application access method and device

Publications (1)

Publication Number Publication Date
WO2014117648A1 true WO2014117648A1 (fr) 2014-08-07

Family

ID=51242697

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/070668 WO2014117648A1 (fr) 2013-01-31 2014-01-15 Application access method and device

Country Status (2)

Country Link
CN (1) CN103973647A (fr)
WO (1) WO2014117648A1 (fr)

Also Published As

Publication number Publication date
CN103973647A (zh) 2014-08-06

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14746741

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14746741

Country of ref document: EP

Kind code of ref document: A1