WO2015117523A1 - Access control method and apparatus - Google Patents

Access control method and apparatus

Publication number
WO2015117523A1
Authority
WO
WIPO (PCT)
Prior art keywords
application
key
whitelist
public key
data
Application number
PCT/CN2014/094852
Other languages
English (en)
Chinese (zh)
Inventor
沙爽
Original Assignee
中兴通讯股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2014-07-21
Filing date
2014-12-24
Publication date
2015-08-13
Application filed by 中兴通讯股份有限公司
Publication of WO2015117523A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal

Definitions

  • the present invention relates to the field of communications, and in particular to an access control method and apparatus.
  • the embodiment of the invention provides an access control method and device, so as to at least solve the problem that the access control method for accessing data in the related art has limitations.
  • an access control method comprising: obtaining an identity identification key of an application accessing specified data, wherein the identity identification key is generated according to an identifier of the application and a hardware key read from a register or a separate security chip; determining whether the application is legal according to the identity identification key, and controlling access of the application to the specified data according to the determination result.
  • Determining whether the application is legal according to the identity identification key includes: determining whether the application corresponding to the identity identification key belongs to a preset application white list, and if yes, determining that the application is legal.
  • the method further includes: reading an RSA public key from the register or a separate security chip; verifying, with the RSA public key, the whitelist data corresponding to the application whitelist that was signed with the RSA private key; and decrypting the whitelist data by aes_cbc_128 to obtain the application whitelist.
  • the method further includes: encrypting the application whitelist by aes_cbc_128 and signing the whitelist data with an RSA private key; the RSA public key corresponding to the RSA private key is stored in the register or a separate security chip.
  • the method further includes: authenticating the interaction signaling between the application client and the server by using an RSA public key of the server, wherein the public key of the server is stored in the register or a separate security chip, and the private key of the server corresponding to the public key is stored on the server side.
  • an access control apparatus comprising: an obtaining module configured to acquire an identity identification key of an application accessing specified data, wherein the identity identification key is generated according to an identifier of the application and a hardware key read from a register or a separate security chip; and a control module configured to determine whether the application is legal according to the identity identification key, and to control access by the application to the specified data according to the determination result.
  • the control module includes: a determining unit, configured to determine whether the application corresponding to the identity identification key belongs to a preset application white list, and if yes, determine that the application is legal.
  • the apparatus further includes: a reading module configured to read an RSA public key from the register or a separate security chip; and a decryption module configured to verify, with the RSA public key, the whitelist data corresponding to the application whitelist that was signed with the RSA private key, and to decrypt the whitelist data by aes_cbc_128 to obtain the application whitelist.
  • the device further includes: an encryption module configured to encrypt the application whitelist by aes_cbc_128 and to obtain the whitelist data by signing with an RSA private key; and a saving module configured to store the RSA public key corresponding to the RSA private key in the register or a separate security chip.
  • the device further includes: an authentication module configured to authenticate the interaction signaling between the application client and the server by using an RSA public key of the server, where the public key of the server is stored in the register or a separate security chip and the private key of the server corresponding to the public key is stored on the server side.
  • an identity identification key of an application accessing specified data is obtained, wherein the identity identification key is generated according to an identifier of the application and a hardware key read from a register or a separate security chip; whether the application is legal is determined according to the identity identification key, and access by the application to the specified data is controlled according to the determination result.
  • FIG. 1 is a flow chart of an access control method according to an embodiment of the present invention.
  • FIG. 2 is a block diagram showing the structure of an access control apparatus according to an embodiment of the present invention.
  • FIG. 3 is a schematic structural diagram of a system of application software according to a preferred embodiment of the present invention.
  • FIG. 4 is a flow chart of application identity authentication in accordance with a preferred embodiment of the present invention.
  • FIG. 5 is a schematic diagram of a verification process of an application whitelist according to a preferred embodiment of the present invention.
  • FIG. 6 is a schematic diagram of an application client and server signaling encryption process in accordance with a preferred embodiment of the present invention.
  • this control mode only controls the specific categories of permissions and data access listed above; it has limitations and cannot protect arbitrary sensitive data. Secondly, this control method performs no access control based on application identity authentication and has no whitelist mechanism, so it is not a complete solution. In addition, there is no authentication protection for the instruction transmission between the application client and the server.
  • FIG. 1 is a flowchart of an access control method according to an embodiment of the present invention. As shown in FIG. 1, the method includes the following steps:
  • Step S102 Acquire an identity identification key of an application that accesses the specified data, where the identity identification key is generated according to the identifier of the application and a hardware key read from a register or a separate security chip;
  • Step S104 Determine, according to the identity identification key, whether the application is legal, and control access by the application to the specified data according to the determination result.
  • the identity key of the application is generated from the identifier of the application and the hardware key read from the register or the separate security chip; whether the application is legal is determined according to the identity key, and access by the application to the specified data is controlled according to the determination result. Access control is thus applied per application, tied to the controlled specified data, and bound to the hardware key, which solves the limitations of the related-art permission control for accessing data and makes the access control of accessed data more flexible and more secure.
  • the method may be determined by using a whitelist. Specifically, it may be determined whether the application corresponding to the identity identification key belongs to a preset application whitelist. If yes, it is determined that the application is legal.
  • the whitelist may also be signed and encrypted using a hardware key.
  • the application whitelist may be encrypted by aes_cbc_128, and the whitelist data may be obtained by signing with an RSA private key; the RSA public key corresponding to the RSA private key is stored in the register or a separate security chip.
  • the RSA public key may be read from the register or the separate security chip before determining whether the application corresponding to the identity key belongs to the preset application whitelist; the whitelist data corresponding to the application whitelist signed with the RSA private key is verified with the RSA public key, and the whitelist data is decrypted by aes_cbc_128 to obtain the application whitelist.
  • the interaction signaling between the application client and the server may also be signed and encrypted using the hardware key, as follows: the interaction signaling between the application client and the server is authenticated using the RSA public key of the server, where the public key of the server is stored in the register or a separate security chip, and the private key of the server corresponding to the public key is stored on the server side.
  • an access control device is also provided in the embodiment; the device is configured to implement the above embodiments and preferred embodiments, and what has already been described is not repeated.
  • the term "module" may refer to a combination of software and/or hardware that implements a predetermined function.
  • the apparatus described in the following embodiments is preferably implemented in software, but implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
  • FIG. 2 is a structural block diagram of an access control apparatus according to an embodiment of the present invention. As shown in FIG. 2, the apparatus includes an acquisition module 22 and a control module 24. The following describes each module in detail:
  • An obtaining module 22 configured to obtain an identification key of an application that accesses the specified data, wherein the identification key is generated according to the identifier of the application and a hardware key read from a register or a separate security chip;
  • the control module 24 is connected to the obtaining module 22, and is configured to determine whether the application is legal according to the identity identification key, and control the application to access the specified data according to the determination result.
  • control module 24 may be configured to: determine whether the application corresponding to the identity identification key belongs to a preset application white list, and if yes, determine that the application is legal.
  • the device may further include: a reading module, connected to the control module 24, configured to read the RSA public key from the register or a separate security chip; and a decryption module, connected to the reading module, configured to verify with the RSA public key the whitelist data corresponding to the application whitelist that was signed with the RSA private key, and to decrypt the whitelist data by aes_cbc_128 to obtain the application whitelist.
  • the device may further include: an encryption module configured to encrypt the application whitelist by aes_cbc_128 and to obtain the whitelist data by signing with an RSA private key; and a saving module, connected to the reading module, configured to store the RSA public key corresponding to the RSA private key in the register or a separate security chip.
  • the apparatus further comprises: an authentication module configured to authenticate the interaction signaling between the application client and the server using the RSA public key of the server, wherein the public key of the server is stored in the register or a separate security chip and the private key of the server corresponding to the public key is stored on the server side.
  • on the terminal device, some data only needs to be accessed by a specified application, and access to that data by other applications is considered illegal and dangerous; examples include personal finance data, private files and social accounts, which are easily stolen by malware if any application can read them.
  • the data may be encrypted, but the encryption key and the encrypted data are stored in a common storage area, and the application authentication for data access is also lacking.
  • the preferred embodiment is designed with a hardware device-based application identity authentication mechanism, which not only ensures that the legitimate application accesses the specified data, but also increases the protection of the application wireless signaling interaction, thereby greatly reducing the possibility of losing key data.
  • a method and apparatus for systematic authentication of application rights is provided.
  • the solution saves the key used to authenticate the application in a register or security chip that is physically isolated from normal data, which greatly reduces the possibility of the key being stolen or tampered with by Trojans and malicious viruses, and adds authentication measures to the access mechanism.
  • the rights management through the whitelist can not only provide the scalability of the application list, but also ensure the effectiveness of the management.
  • the identity authentication key stored in hardware is used to strengthen the instruction interaction authentication between the application client and the server; the key used during this process is read through the security interface, so that the application performing the read is itself authenticated.
  • the preferred embodiment is based on ARM TrustZone technology. TrustZone(TM) technology appears in the ARMv6KZ and later application core architectures. It provides a low-cost alternative to adding a dedicated security core to a system-on-a-chip (SoC): two virtual processors backed by hardware-based access control. This approach allows the application core to switch between two states (usually referred to as worlds, to avoid confusion with names in other functional areas), which prevents information from leaking from the more trusted core area into the less secure area. This switching between kernel domains is usually completely unrelated to the other functions of the processor, so each domain can operate independently while still using the same kernel.
  • the preferred embodiment provides a method and apparatus for applying identity authentication.
  • the key in the hardware chip is used to authenticate the access rights of the application, thereby ensuring that legal applications access legal data.
  • FIG. 3 is a schematic structural diagram of a system of application software according to a preferred embodiment of the present invention.
  • the application client on the left side of the figure embeds a security module, and the security module signs with a unique key assigned to each application in advance.
  • the security module invokes the encapsulated interface of the device system to access the protected data.
  • when the application client accesses the interface, the device system calls the authentication module to verify the identity of the application.
  • FIG. 4 is a flow chart of application identity authentication according to a preferred embodiment of the present invention. The process of applying identity authentication is as shown in FIG. 4 .
  • FIG. 5 is a schematic diagram of a verification process of an application whitelist according to a preferred embodiment of the present invention. As shown in FIG. 5, the verification method of the application whitelist is as follows:
  • the application whitelist is first encrypted by aes_cbc_128, and then signed with the RSA private key.
  • the RSA public key is stored in the hardware register, and the signed data is built into the software system device.
  • the verification and matching process is then started.
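The whitelist verification of FIG. 5, together with steps S102 and S104 of FIG. 1, carried through in Go as an added example; this is not code from the patent or from its assignee. The provisioning side encrypts the application whitelist with AES-CBC-128 and then signs the ciphertext with the RSA private key; the device side verifies that signature with the public key held in the hardware store before it decrypts, derives the requesting application's identity key from its identifier and the hardware key, and grants access only if the corresponding application is on the whitelist. The patent does not specify the key-derivation function, the block padding, the RSA signature scheme or where the AES key is kept: HMAC-SHA256, PKCS#7, RSA-PSS and holding the AES key in the same hardware store are this example's assumptions, as are the `HardwareStore` and `SignedWhitelist` types, the function names and the `com.example.*` identifiers.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// HardwareStore stands in for the register or separate security chip. Keeping the
// aes_cbc_128 key here too is this example's assumption, not something the patent states.
type HardwareStore struct {
	HardwareKey  []byte         // input to the application identity key
	WhitelistAES []byte         // 16-byte aes_cbc_128 key
	WhitelistPub *rsa.PublicKey // verifies the whitelist signature
}

// SignedWhitelist is the whitelist data built into the device system:
// IV || AES-CBC-128 ciphertext, plus an RSA-PSS signature over those bytes.
type SignedWhitelist struct{ Data, Signature []byte }

// IdentityKey is step S102: derive the application's identity key from its identifier and
// the hardware key. The patent does not name the derivation; HMAC-SHA256 is this example's choice.
func IdentityKey(hardwareKey []byte, appID string) []byte {
	m := hmac.New(sha256.New, hardwareKey)
	m.Write([]byte(appID))
	return m.Sum(nil)
}

// BuildWhitelist is the provisioning side of FIG. 5: encrypt with aes_cbc_128 first,
// then sign the ciphertext with the RSA private key, which never reaches the device.
func BuildWhitelist(apps []string, aesKey []byte, priv *rsa.PrivateKey) (SignedWhitelist, error) {
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return SignedWhitelist{}, err
	}
	plain, _ := json.Marshal(apps) // a []string always marshals
	pad := aes.BlockSize - len(plain)%aes.BlockSize // PKCS#7 padding
	plain = append(plain, bytes.Repeat([]byte{byte(pad)}, pad)...)
	data := make([]byte, aes.BlockSize+len(plain)) // fresh IV, then the ciphertext
	rand.Read(data[:aes.BlockSize])
	cipher.NewCBCEncrypter(block, data[:aes.BlockSize]).CryptBlocks(data[aes.BlockSize:], plain)
	digest := sha256.Sum256(data)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	return SignedWhitelist{Data: data, Signature: sig}, err
}

// OpenWhitelist is the device side of FIG. 5: verify the signature with the public key from
// the hardware store and only then decrypt, so tampered data never reaches the cipher.
func OpenWhitelist(sw SignedWhitelist, hw *HardwareStore) ([]string, error) {
	digest := sha256.Sum256(sw.Data)
	if err := rsa.VerifyPSS(hw.WhitelistPub, crypto.SHA256, digest[:], sw.Signature, nil); err != nil {
		return nil, fmt.Errorf("whitelist signature check failed: %w", err)
	}
	block, err := aes.NewCipher(hw.WhitelistAES)
	if err != nil || len(sw.Data) < 2*aes.BlockSize || len(sw.Data)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("unusable whitelist key or data")
	}
	plain := make([]byte, len(sw.Data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, sw.Data[:aes.BlockSize]).CryptBlocks(plain, sw.Data[aes.BlockSize:])
	pad := int(plain[len(plain)-1]) // strip and check the PKCS#7 padding
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(plain[len(plain)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, fmt.Errorf("bad whitelist padding")
	}
	var apps []string
	err = json.Unmarshal(plain[:len(plain)-pad], &apps)
	return apps, err
}

// CheckAccess is step S104: the application presents its identity key; the device
// recomputes the key for each whitelisted identifier and grants access only on a
// constant-time match, so a copied identifier without the hardware key does not pass.
func CheckAccess(presented []byte, sw SignedWhitelist, hw *HardwareStore) (bool, error) {
	apps, err := OpenWhitelist(sw, hw)
	for _, id := range apps {
		if hmac.Equal(presented, IdentityKey(hw.HardwareKey, id)) {
			return true, nil
		}
	}
	return false, err
}

// NewDemoStore provisions a store with constructed random keys so the example runs offline.
func NewDemoStore() (*HardwareStore, *rsa.PrivateKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	hw := &HardwareStore{HardwareKey: make([]byte, 32), WhitelistAES: make([]byte, 16), WhitelistPub: &priv.PublicKey}
	rand.Read(hw.HardwareKey)
	rand.Read(hw.WhitelistAES)
	return hw, priv, nil
}
```

Calling `NewDemoStore`, then `BuildWhitelist` with the whitelisted identifiers, then `CheckAccess` with the identity key the application presents exercises the whole flow; flipping one byte of `Data` afterwards makes `CheckAccess` fail on the signature check before any decryption happens, and an identity key computed with a different hardware key is denied even for a whitelisted identifier. The same pattern, verifying against a public key pinned in hardware while the private key stays elsewhere, is what the client-server signaling authentication of FIG. 6 relies on, with the server's key pair in place of the provisioning key pair.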
  • FIG. 6 is a schematic diagram of an application client and server signaling encryption process according to a preferred embodiment of the present invention.
  • the RSA public key of the server is stored in a hardware register, and the application accesses the public key through the security module, while the private key of the server is kept on the server side.
  • the identity of both parties is authenticated by the public key in the hardware register, thereby ensuring the security of the communication, and the software interaction process is as shown in FIG. 6.
  • the mechanism for applying identity authentication in the preferred embodiment can be applied in many scenarios, especially in applications with strong privacy such as banking, shopping, and social networking.
  • the hardware device-based application identity authentication mechanism designed in the preferred embodiment not only ensures that the legitimate application accesses the specified data, but also increases the protection of the application wireless signaling interaction, thereby greatly reducing the possibility of key data loss.
  • the key is stored in the hardware register, which reduces the risk of leakage, and the client and the server mutually authenticate their identities through this set of keys, which makes the communication more secure.
  • a software is provided that is configured to perform the technical solutions described in the above embodiments and preferred embodiments.
  • a storage medium in which the above software is stored, including but not limited to an optical disk, a floppy disk, a hard disk, an erasable memory, and the like.
  • modules or steps of the present invention described above can be implemented by a general-purpose computing device, either centralized on a single computing device or distributed across a network of multiple computing devices. Alternatively, they may be implemented as program code executable by the computing device, so that they may be stored in a storage device and executed by the computing device, and in some cases the steps shown or described may be performed in an order different from the one given here; or they may be separately fabricated as individual integrated circuit modules, or a plurality of the modules or steps may be fabricated as a single integrated circuit module.
  • the invention is not limited to any specific combination of hardware and software.
  • an access control method and apparatus provided by an embodiment of the present invention have the following beneficial effects: they solve the problem that the access control method for accessing data in the related art has limitations, and make the access control of the accessed data more flexible, more diverse and more secure.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to an access control method and apparatus. The method consists of: acquiring an identity recognition key of an application used to access designated data, this identity recognition key being generated from an identifier of the application and a hardware key read from a register or an independent security chip; and determining whether the application is valid according to the identity recognition key, then controlling the application's access to the designated data according to the result of the determination. The present invention solves the problem posed in the prior art by the limits of the regulation of permissions to access data, so that the regulation of permissions to access data becomes more flexible and more varied, and security is greater.
PCT/CN2014/094852 2014-07-21 2014-12-24 Access control method and apparatus WO2015117523A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410346485.X 2014-07-21
CN201410346485.XA CN105282117A (zh) 2014-07-21 2014-07-21 Access control method and apparatus

Publications (1)

Publication Number Publication Date
WO2015117523A1 (fr) 2015-08-13

Family

ID=53777324

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/094852 WO2015117523A1 (fr) 2014-07-21 2014-12-24 Access control method and apparatus

Country Status (2)

Country Link
CN (1) CN105282117A (fr)
WO (1) WO2015117523A1 (fr)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106790178B (zh) * 2016-12-30 2019-10-25 网宿科技股份有限公司 Anti-intrusion authentication method, system and apparatus
CN107358114A (zh) * 2017-06-12 2017-11-17 深圳市金立通信设备有限公司 Method and terminal for preventing loss of user data
CN110990331B (zh) * 2019-12-03 2023-09-05 飞腾信息技术有限公司 System-on-chip key management method, apparatus, device and readable storage medium
CN110941820A (zh) * 2019-12-04 2020-03-31 福尔达车联网(深圳)有限公司 Vehicle safety detection method and apparatus, automobile, and readable storage medium
CN111783113A (zh) * 2020-06-22 2020-10-16 济南浪潮高新科技投资发展有限公司 Data access permission control method based on a SAS Controller
CN114091027B (zh) * 2021-12-01 2023-08-29 海光信息技术股份有限公司 Information configuration method, data access method, and related apparatus and device

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4473256B2 (ja) * 2006-12-27 2010-06-02 インターナショナル・ビジネス・マシーンズ・コーポレーション Information processing apparatus, method and program for controlling resource access by an application program
CN101655892A (zh) * 2009-09-22 2010-02-24 成都市华为赛门铁克科技有限公司 Mobile terminal and access control method
CN101938563B (zh) * 2010-09-09 2013-08-14 宇龙计算机通信科技(深圳)有限公司 Method and system for protecting SIM card information, and mobile terminal
CN202551356U (zh) * 2012-02-02 2012-11-21 厦门欣嘉朗光电科技有限公司 Internet of Things access transmission module
CN103455520A (zh) * 2012-06-04 2013-12-18 北京三星通信技术研究有限公司 Method and device for Android database access
CN102693395B (zh) * 2012-06-07 2015-02-11 北京奇虎科技有限公司 Method and apparatus for intercepting an application's calls to a service
CN103812649B (zh) * 2012-11-07 2017-05-17 中国电信股份有限公司 Secure access control method and system for the handset-card interface, and mobile phone terminal

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102546172A (zh) * 2011-12-16 2012-07-04 北京握奇数据系统有限公司 Smart card access control method, smart card, terminal and system

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105243311A (zh) * 2015-10-19 2016-01-13 广东欧珀移动通信有限公司 Method and apparatus for securely calling fingerprint information, and mobile terminal
CN105243311B (zh) * 2015-10-19 2017-02-22 广东欧珀移动通信有限公司 Method and apparatus for securely calling fingerprint information, and mobile terminal
US10713381B2 (en) 2015-10-19 2020-07-14 Guangdong Oppo Mobile Telecommunications Corp., Ltd. Method and apparatus for securely calling fingerprint information, and mobile terminal
CN111797430A (zh) * 2020-06-30 2020-10-20 平安国际智慧城市科技股份有限公司 Data verification method, apparatus, server and storage medium
CN111797430B (zh) * 2020-06-30 2023-10-03 平安国际智慧城市科技股份有限公司 Data verification method, apparatus, server and storage medium

Also Published As

Publication number Publication date
CN105282117A (zh) 2016-01-27

Similar Documents

Publication Publication Date Title
CN107743133B (zh) Mobile terminal and its access control method and system based on a trusted secure environment
KR102399582B1 (ko) System access using a mobile device
US9875368B1 (en) Remote authorization of usage of protected data in trusted execution environments
WO2015117523A1 (fr) Access control method and apparatus
JP6114832B2 (ja) Management control method, apparatus and system for virtual machines
CN105745661B (zh) Policy-based trusted detection of rights-managed content
JP6612322B2 (ja) Data processing method and data processing apparatus
TWI515601B (zh) Electronic device, method for establishing and enforcing a security policy associated with an access control element, and secure element
JP5361894B2 (ja) Multi-factor content protection
CN113168476A (zh) Personalized cryptographically secure access control in an operating system
US20160125180A1 (en) Near Field Communication Authentication Mechanism
US20160323264A1 (en) Secure Import and Export of Keying Material
US20150089589A1 (en) Secure data processing
US10747885B2 (en) Technologies for pre-boot biometric authentication
Wessel et al. Improving mobile device security with operating system-level virtualization
CN111191217B (zh) Password management method and related apparatus
US20150264047A1 (en) Method and system for providing secure communication between multiple operating systems in a communication device
CN112765637A (zh) Data processing method, cryptographic service apparatus and electronic device
Mayrhofer An architecture for secure mobile devices
CN106992978B (zh) Network security management method and server
WO2019226510A1 (fr) Methods and systems for multiple independent roots of trust
Kim et al. Secure user authentication based on the trusted platform for mobile devices
Kim et al. Secure mobile device management based on domain separation
Akram et al. Recovering from a lost digital wallet: A smart cards perspective extended abstract
CN113468610A (zh) Decentralized trusted access control framework and its operating method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 14881895
Country of ref document: EP
Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 14881895
Country of ref document: EP
Kind code of ref document: A1