WO2020034907A1 - 认证信息传输方法、密钥管理客户端及计算机设备 - Google Patents
认证信息传输方法、密钥管理客户端及计算机设备 Download PDFInfo
- Publication number
- WO2020034907A1 WO2020034907A1 PCT/CN2019/100004 CN2019100004W WO2020034907A1 WO 2020034907 A1 WO2020034907 A1 WO 2020034907A1 CN 2019100004 W CN2019100004 W CN 2019100004W WO 2020034907 A1 WO2020034907 A1 WO 2020034907A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- authentication information
- key management
- application
- client
- abstraction layer
- Prior art date
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/061—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- G06F21/32—User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0822—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
- H04L9/0897—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3226—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
- H04L9/3231—Biological data, e.g. fingerprint, voice or retina
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0861—Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
Definitions
- the present application relates to the field of communication technologies, and in particular, to a method for transmitting authentication information, a key management client, and a computer device.
- a third-party application client can send biometric authentication information to a corresponding application server for verification, so as to implement functions such as payment, opening a private file, or an application after the application server verifies the validity.
- the embodiment of the present application proposes an authentication information transmission method, a key management client, a computer device, an authentication information transmission system, and a computer-readable storage medium.
- An embodiment of one aspect of the present application provides a method for transmitting authentication information, which is executed by a computing device.
- the method includes: a key management client receives authentication information sent by an application client through a preset hardware abstraction layer interface; the key A management client, sending the authentication information to a key management server, so that the key management server sends the authentication information to a trusted application in a trusted execution environment; the key management client To obtain the signed authentication information forwarded by the trusted application forwarded by the key management server; the key management client sends the signed authentication information through the preset hardware abstraction layer interface To an application server corresponding to the application client, so that the application server performs a validity check on the authentication information.
- the key management client includes: a receiving module, configured to receive authentication information sent by an application client through a preset hardware abstraction layer interface; a first sending A module configured to send the authentication information to a key management server, so that the key management server sends the authentication information to a trusted application in a trusted execution environment; a first acquisition module, configured to: Acquiring the signed authentication information forwarded by the trusted management server and signed by the trusted application; a second sending module, configured to send the signed authentication information to the server through the preset hardware abstraction layer interface; An application server corresponding to the application client, so that the application server performs a validity check on the authentication information.
- the method includes: a key management client receives, through a system service interface, an authentication information collection request sent by an application client; the key management client The authentication information collection request is encapsulated into a hardware abstraction layer interface instruction, and the hardware abstraction layer interface instruction is sent to a key management server through the hardware abstraction layer interface, so that the key management server will use the authentication information
- the collection request is sent to a trusted application in a trusted execution environment; a key management client receives a result of a hardware abstraction layer instruction from the key management server, and the instruction result of the hardware abstraction layer includes the available Trust the application-signed authentication information; the key management client parses the signed authentication information from the instruction result of the hardware abstraction layer, and sends the signed authentication information to the application client corresponding to the application client An application server, so that the application server performs a validity check on the authentication information.
- Another embodiment of the present application provides a computer device including a memory, a processor, and a computer program stored on the memory and executable on the processor.
- the processor executes the program, the foregoing embodiment is implemented.
- Authentication information transmission method When the processor executes the program, the foregoing embodiment is implemented.
- Another embodiment of the present application provides an authentication information transmission system including an application client, an application server, a key management server, a trusted application, and the key management client described in the foregoing embodiment.
- Another embodiment of the present application provides a computer-readable storage medium on which a computer program is stored.
- the program is executed by a processor, the authentication information transmission method according to the foregoing embodiment is implemented.
- Fig. 1 is a schematic flowchart of an authentication information transmission method according to an exemplary embodiment of the present application
- Fig. 2 is a schematic flowchart of an authentication information transmission method according to another exemplary embodiment of the present application.
- Fig. 3 is a schematic flowchart of a method for transmitting authentication information according to another exemplary embodiment of the present application
- Fig. 4 is a signaling interaction diagram of an authentication information transmission method according to an exemplary embodiment of the present application.
- FIG. 5 is an application scenario diagram of an authentication information transmission method shown in an exemplary embodiment of the present application.
- Fig. 6A is a schematic flowchart of an authentication information transmission method according to an exemplary embodiment of the present application.
- Fig. 6B is a schematic flowchart of an authentication information transmission method according to still another exemplary embodiment of the present application.
- Fig. 7 is a schematic structural diagram of a key management client according to an exemplary embodiment of the present application.
- Fig. 8 is a schematic structural diagram of a computer device according to an exemplary embodiment of the present application.
- Fig. 9 is a schematic structural diagram of a computer device according to another exemplary embodiment of the present application.
- a trusted application in a security zone (Trusted Execution Environment (TEE) of a terminal device) can be used to sign biometric authentication information obtained by a third-party application. Then verify the information through the application server corresponding to the third-party application.
- TEE Trusted Execution Environment
- a third-party application performs data interaction with a trusted application, it usually needs to go through the application framework layer interface in the terminal system. This requires the third-party application to define the interface function of the application framework layer so that the new interface can be redefined.
- the corresponding algorithm is executed to call the Hardware Abstraction Layer (HAL), and then access the TA in the TEE.
- HAL Hardware Abstraction Layer
- the authentication information transmission method provided in the embodiment of the present application can define a key management client and a key management server at a hardware abstraction layer in advance, so that when performing information authentication, the application client can pass through a preset hardware abstraction layer interface, Send the authentication information to the key management client, and then after receiving the authentication information, the key management client can send the authentication information to the trusted application in the trusted execution environment through the key management server. After the trusted application signs the authentication information and sends the signed authentication information to the key management server, the key management client can forward the signed authentication information of the trusted application forwarded by the key management server through presets.
- the hardware abstraction layer interface is sent to the application server corresponding to the application client, so that the application server verifies the validity of the authentication information. Therefore, the problems of complex, tedious, and high cost of establishing the information authentication path due to frequent system updates can be avoided, the transmission time of the authentication information can be reduced, and the reliability of the authentication information can be improved.
- Fig. 1 is a schematic flowchart of an authentication information transmission method according to an exemplary embodiment of the present application.
- the authentication information transmission method may include the following steps:
- Step 101 The key management client receives the authentication information sent by the application client through a preset hardware abstraction layer interface.
- the authentication information transmission method provided in the embodiment of the present application may be executed by a key management client provided in the embodiment of the present application.
- the key management client can be configured in any computer device.
- the computer device in this embodiment may be any hardware device having a data processing function, such as a smart phone, a personal digital assistant, a tablet computer, a desktop computer, and the like.
- the authentication information may be any information that can be used for user identity authentication, such as fingerprints, passwords, and digital certificates.
- the application client can be a third-party application in the terminal device.
- the third-party application refers to an application different from a system application on a terminal device, for example, it can be an instant messaging application, a social application, a payment application, and the like.
- an authentication such as a fingerprint or a password can be entered in the terminal device information.
- the application client can send the authentication information to the key management client through a preset hardware abstraction layer interface after obtaining the authentication information.
- the hardware abstraction layer is an interface layer between the operating system kernel and the hardware circuit, and its purpose is to abstract the hardware.
- the method may further include:
- the key management client sends a preset identifier of the hardware abstraction layer interface to the application client.
- the identifier of the hardware abstraction layer interface can be arbitrarily set as required.
- the key management client can identify the preset hardware abstraction according to the preset hardware abstraction layer interface identifier.
- Layer interface and receives the authentication information sent by the application client through a preset hardware abstraction layer interface.
- Step 102 The key management client sends the authentication information to the key management server, so that the key management server sends the authentication information to the trusted application in the trusted execution environment.
- Step 103 The key management client obtains the authentication information signed by the trusted application forwarded by the key management server.
- a security area is generally provided, that is, a trusted execution environment in the embodiment of the present application.
- This area is a trusted environment, which can ensure that the data stored and processed inside it is independent of the external environment. of.
- the trusted application is an application (TA) running in a trusted execution environment (TEE).
- TEE trusted execution environment
- a trusted application can sign the authentication information, so that the authentication information is not easily tampered with by other applications, and the security and reliability of the authentication information during transmission are guaranteed.
- the key management client can send the authentication information to the key management server, so that the key management server sends the authentication information to the trusted execution environment. Trusted applications. After the trusted application signs the received authentication information, the signed authentication information can be sent to the key management server, so that the key management client can obtain the signed application's authenticated certificate forwarded by the key management server. information.
- a link path needs to exist between the key management client and the key management server, that is, in step Before 102, it can also include:
- the key management client and the key management server establish a link path at the hardware abstraction layer.
- a link path between the key management client and the key management server at the hardware abstraction layer can be established in advance. Once the link path is established, it can always exist, so that the key management client and the key can be realized through the link path. Manage server communication.
- Step 104 The key management client sends the signed authentication information to an application server corresponding to the application client through a preset hardware abstraction layer interface, so that the application server performs validity check on the authentication information.
- the key management client After the key management client receives the signed authentication information of the trusted application forwarded by the key management server, it can send the signed authentication information to the application client through a preset hardware abstraction layer interface. Corresponding application server, so that the application server can verify the validity of the authentication information.
- the application client and the application server corresponding to the application client can communicate with the key management client through a predefined hardware abstraction layer interface.
- the key management client can The link path established by the hardware abstraction layer communicates with the key management server, and the key management server can communicate with the trusted application (TA) in the trusted execution environment (TEE). Therefore, after the key management client receives the authentication information sent by the application client, it can send the authentication information to the TA through the key management server to implement the use of the TA to sign the authentication information sent by the application client.
- TA trusted application
- TEE trusted execution environment
- the signed authentication information can be sent to the application server corresponding to the application client through the key management server and the key management client, so that the application server performs the TA-signed authentication information. Validity check, thereby realizing authentication of authentication information.
- the key management client and key management server are defined directly in the hardware abstraction layer to provide a path for the transmission of authentication information for third-party applications, avoiding frequent system updates
- the authentication information is directly sent by the application client to the key management client through the interface of the hardware abstraction layer, it does not need to be forwarded through the interface in the application framework layer, which reduces the transmission time of the authentication information and reduces the tampering of the authentication information. The possibility of improving the reliability of authentication information.
- the key management client after receiving the authentication information sent by the application client through a preset hardware abstraction layer interface, the key management client first sends the authentication information to the key management server to make the secret
- the key management server sends the authentication information to the trusted application in the trusted execution environment, and then the key management client obtains the authentication information signed by the trusted application forwarded by the key management server, and finally abstracts through the preset hardware
- the layer interface sends the signed authentication information to the application server corresponding to the application client, so that the application server checks the validity of the authentication information.
- the key management client and key management server directly at the hardware abstraction layer, it provides a path for the transmission of authentication information for third-party applications, and avoids the complex and complicated process of establishing the information authentication path due to frequent system updates. Cumbersome and costly issues. And because the authentication information is directly sent by the application client to the key management client through the interface of the hardware abstraction layer, it does not need to be forwarded through the interface in the application framework layer, which reduces the transmission time of the authentication information and reduces the tampering of the authentication information. The possibility of improving the reliability of authentication information.
- the key management client can receive the authentication information sent by the application client through the preset hardware abstraction layer interface and send the authentication information to the key management server.
- the key management server can then authenticate The information is sent to a trusted application in the trusted execution environment for signature, and after the trusted application signs the authentication information, the signed authentication information is forwarded to the key management client, so that the key management client can pass the preset
- the hardware abstraction layer interface sends the signed authentication information to the application server corresponding to the application client, so that the application server checks the validity of the authentication information.
- the application server also needs to verify the signed authentication information after obtaining the signed authentication information of the trusted application to obtain the authentication information, and then verify the validity of the authentication information.
- Fig. 2 is a schematic flowchart of an authentication information transmission method according to another exemplary embodiment of the present application.
- the authentication information transmission method may include the following steps:
- Step 201 The key management client sends a preset identifier of a hardware abstraction layer interface to an application client.
- Step 202 The key management client receives the authentication information sent by the application client through a preset hardware abstraction layer interface.
- Step 203 The key management client and the key management server establish a link path at a hardware abstraction layer.
- step 203 may be performed after step 202, or may be performed before step 202, or may be performed simultaneously with step 202, and need only be performed before step 204, which is not limited in this application.
- Step 204 The key management client sends the authentication information to the key management server through the link path of the hardware abstraction layer, so that the key management server sends the authentication information to the trusted application in the trusted execution environment.
- Step 205 The key management client obtains the authentication information signed by the trusted application forwarded by the key management server.
- Step 206 The key management client obtains a signature key value of the application server sent by the key management server, where the signature key value is generated by a trusted application.
- the key management client may obtain the signature information of the application server while obtaining the authentication information signed by the trusted application forwarded by the key management server.
- Step 207 The key management client sends the signature key value to the application server through a preset hardware abstraction layer interface.
- Step 208 The key management client sends the signed authentication information to the application server corresponding to the application client through a preset hardware abstraction layer interface, so that the application server checks the validity of the authentication information.
- the application server obtains the authentication information after the trusted application signs the authentication information through the preset hardware abstraction layer interface.
- the application server also needs to first obtain the signature. After the authentication information is checked, the authentication information is obtained.
- the trusted application may first generate the signature key value of the application server, and send the signature key value of the application server to the key management server, so that the key management client may The client obtains the signature key value of the application server, and sends the signature key value to the application server through a preset hardware abstraction layer interface, so that the application server can verify the obtained signed authentication information according to the obtained signature key value. To get authentication information.
- the verification of the obtained signed authentication information can be completed, thereby obtaining authentication. Information, and then the application server can verify the validity of the authentication information.
- steps 206-207 can be performed after step 205, or before step 205, or at the same time as step 205, and only need to be performed before the application server performs legality verification on the authentication information. This application does not limit this.
- the key management client sends the signature key value of the application server generated by the trusted application to the application server through a preset hardware abstraction layer interface, so that the application server obtains the trusted application signature sent by the key management client. After the subsequent authentication information, the authentication information can be obtained according to the obtained signature key value, and then the validity of the authentication information can be checked.
- the key management client sends a preset identifier of the hardware abstraction layer interface to the application client, and receives the authentication information sent by the application client through the preset hardware abstraction layer interface.
- the authentication information can be sent to the key management server through the link path established in the hardware abstraction layer in advance, so that the key management server sends the authentication information to the trusted application in the trusted execution environment, and then the key
- the management client then obtains the authentication information signed by the trusted application forwarded by the key management server, and the key management client abstracts the signature key value of the application server obtained from the key management server through a preset hardware abstraction.
- the signed authentication information is sent to the application server corresponding to the application client through a preset hardware abstraction layer interface, so that the application server checks the validity of the authentication information. Therefore, the problems of complex, tedious and high cost of the information authentication path establishment process caused by frequent system updates are avoided, the transmission time of the authentication information is reduced, and the reliability of the authentication information is improved.
- the key management client can receive the authentication information sent by the application client through the preset hardware abstraction layer interface and send the authentication information to the key management server.
- the key management server can then authenticate The information is sent to a trusted application in the trusted execution environment for signature, and after the trusted application signs the authentication information, the signed authentication information is forwarded to the key management client, so that the key management client can pass the preset
- the hardware abstraction layer interface sends the signed authentication information to the application server corresponding to the application client, so that the application server checks the validity of the authentication information.
- there may be multiple application clients that need to perform information authentication so the key management client may obtain authentication information sent by multiple application clients. The following describes the authentication information transmission method of the present application with reference to FIG. 3 for the foregoing situation.
- Fig. 3 is a schematic flowchart of a method for transmitting authentication information according to another exemplary embodiment of the present application.
- the authentication information transmission method may include the following steps:
- Step 301 The key management client sends a preset identifier of a hardware abstraction layer interface to an application client.
- Step 302 The key management client receives the authentication information sent by the application client and the identity of the application client corresponding to the authentication information through a preset hardware abstraction layer interface.
- Step 303 The key management client and the key management server establish a link path at a hardware abstraction layer.
- Step 304 The key management client sends the authentication information to the key management server, so that the key management server sends the authentication information to the trusted application in the trusted execution environment.
- Step 305 The key management client obtains the authentication information signed by the trusted application forwarded by the key management server.
- Step 306 The key management client determines a target application server corresponding to the application client according to the identity of the application client.
- step 306 may be performed after step 305, or may be performed before step 305, or may be performed simultaneously with step 305, and need only be performed before step 307, which is not limited here.
- Step 307 The key management client sends the signed authentication information to the target application server through a preset hardware abstraction layer interface, so that the target application server checks the validity of the authentication information.
- the application client sends authentication information to the key management client through a preset hardware abstraction layer interface, it can simultaneously send the identity of the application client corresponding to the authentication information to the key management client.
- the key management client sends authentication information to the trusted application through the key management server, it can simultaneously send the identity of the application client corresponding to the authentication information to the trusted application.
- the trusted application signs the authentication information, the signed authentication information and the identity of the application client corresponding to the authentication information can be sent to the key management server at the same time, so that the key management client can forward it to the key management server.
- the target application server corresponding to the application client can be determined according to the identity of the application client, and through a preset hardware abstraction layer interface, The signed authentication information is sent to the target application server, so that the target application server checks the validity of the authentication information.
- the key management client sends the preset hardware abstraction layer interface identifier to application client A and application client B, and then application client A sends the key to the key through the preset hardware abstraction layer interface.
- the management client sends the authentication information a and the identity "A" of the application client A, and the application client B sends the authentication information b to the key management client through a preset hardware abstraction layer interface, and at the same time Application client B's identity "B".
- the key management client After receiving the authentication information a and the corresponding identification "A”, the authentication information b and the corresponding identification "B", the key management client can change the authentication information a and the corresponding identification "A", the authentication information b and the corresponding The identifier "B" is sent to the key management server, so that the key management server sends the authentication information a and the corresponding identifier "A", the authentication information b, and the corresponding identifier "B" to the trusted execution environment. Trusted applications, so trusted applications can sign authentication information a and authentication information b, respectively.
- the trusted application signs the authentication information a and the authentication information b respectively, the authentication information a 'and the corresponding identifier "A" after the authentication information a is signed, and the authentication information b' and the corresponding identifier after the authentication information b is signed " B "is sent to the key management server, so that the key management client can obtain the authentication information a 'and the corresponding identifier" A ", the authentication information b' and the corresponding identifier” B "forwarded by the key management server, and
- the target application servers corresponding to application clients A and B are respectively determined, so that the signed authentication information a ′ is sent to the target application server corresponding to application client A, and the signed The authentication information b 'is sent to the target application server corresponding to the application client B, so that the target application server corresponding to the application client A performs the validity check of the authentication information a, and the target application server corresponding to the application client B performs the authentication information b.
- the key management client sends a preset identifier of the hardware abstraction layer interface to the application client, and receives the authentication information sent by the application client through the preset hardware abstraction layer interface.
- the authentication information can be sent to the key management server through the link path established in the hardware abstraction layer in advance, so that the key management server sends the authentication information to the trusted application in the trusted execution environment, and then the key
- the management client obtains the authentication information signed by the trusted application forwarded by the key management server, and after determining the target application server corresponding to the application client according to the identity of the application client, it passes the preset hardware abstraction layer interface to The signed authentication information is sent to the target application server, so that the target application server checks the validity of the authentication information.
- the key management client determines the target application server corresponding to the application client according to the identity of the application client, and then sends the signed authentication information to the target application server, so that the target application server checks the validity of the authentication information.
- Information authentication is simultaneously performed on the authentication information sent by multiple target clients, thereby improving the efficiency of information authentication.
- the following describes the authentication information transmission method provided in the embodiment of the present application with reference to the signaling interaction diagram of the authentication information transmission method shown in FIG. 4.
- Fig. 4 is a signaling interaction diagram of an authentication information transmission method according to an exemplary embodiment of the present application.
- the authentication information transmission method includes an application client M, an application server N corresponding to the application client M, a key management client P, a key management server S, and a trusted application in a trusted execution environment.
- TA execution As shown in FIG. 4, the authentication information transmission method includes an application client M, an application server N corresponding to the application client M, a key management client P, a key management server S, and a trusted application in a trusted execution environment. TA execution.
- Step 401 P sends the identifier of the preset hardware abstraction layer interface to M.
- Step 402 P receives the authentication information sent by M through a preset hardware abstraction layer interface.
- Step 403 P sends the authentication information to S.
- Step 404 S sends the authentication information to the trusted application TA in the trusted execution environment.
- Step 405 The TA signs the authentication information.
- Step 406 The TA sends the signed authentication information to S.
- Step 407 S forwards the signed authentication information to P.
- Step 408 P sends the signed authentication information to N through a preset hardware abstraction layer interface, so that N performs a validity check on the authentication information.
- the authentication information sent by the application client M can be sent to the trusted application TA in the trusted execution environment for signature, and after the TA signs the authentication information, the signed authentication information is sent to the application client.
- Application server N corresponding to M so that application server N performs legality verification on the authentication information, thereby avoiding the complicated, tedious, and high-cost problems of the information authentication path establishment process caused by frequent system updates, reducing authentication information.
- the transmission time improves the reliability of authentication information.
- the authentication information transmission method provided in the foregoing embodiment can be applied to various scenarios such as fingerprint payment, public account / applet fingerprint authorization interface, and the like.
- the fingerprint payment scenario is taken as an example to describe the authentication information transmission method provided in the embodiment of the present application.
- Fig. 5 is an application scenario diagram of an authentication information transmission method shown in an exemplary embodiment of the present application.
- the application client M is to use the fingerprint payment function for payment, and the application client M corresponds to the application server N.
- the application client M After the user inputs the fingerprint into the terminal device through the fingerprint collection device in the terminal device (step 1)
- the application client M can send the obtained fingerprint to the key management client P through the predefined hardware abstraction layer (step 2-3), and then the key management client P sends the fingerprint through the pre-established link path.
- the key management server S To the key management server S (step 4), the key management server S then sends the fingerprint to the trusted application TA in the trusted execution environment (step 5).
- the signed fingerprint can be sent to the key management server S (step 7), and then the key management server S passes the pre-established link path.
- the signed fingerprint is forwarded to the key management client P (step 8), and the key management client P sends the signed fingerprint to the application server N through a preset hardware abstraction layer interface (step 9).
- the application server N obtains the signed fingerprint, it can perform signature verification on the signed fingerprint, and then verify the validity of the fingerprint obtained after the signature verification (step 10). After the application server N determines that the fingerprint is valid, the payment can be completed.
- Fig. 6A is a schematic flowchart of an authentication information transmission method according to an exemplary embodiment of the present application.
- the authentication information transmission method may include the following steps:
- Step 601 The key management client receives the authentication information collection request sent by the application client through the system service interface.
- the key management client may be a system service provided in an operating system of the terminal device.
- the key management client includes the system service interface.
- the application client may call a system service interface of the key management client to initiate an authentication information collection request.
- a system service link path is established between the key management client and the application client through the system service interface in advance.
- the system service interface may be an interface defined by a system interface definition language, and is configured to communicate between an application client and a key management client in an inter-process (IPC) manner.
- the system interface definition language is, for example, the Android Interface Definition Language (AIDL), and the system service interface is, for example, an AIDL interface.
- the authentication information collection request may be, for example, a fingerprint collection request.
- the authentication information collection request may include an identity of the application client.
- Step 602 The key management client encapsulates the authentication information collection request into a hardware abstraction layer interface instruction, and sends the hardware abstraction layer interface instruction to the key management server through the hardware abstraction layer interface.
- the key management server may include the hardware abstraction layer interface, and the key management client may call the hardware abstraction layer interface of the key management server to interface the hardware abstraction layer.
- An instruction is sent to the key management server.
- the key management server is set in a secure area of a terminal device, for example.
- a hardware abstraction layer link path is established between the key management client and the key management server through the hardware abstraction layer interface in advance.
- the hardware abstraction layer interface is, for example, an interface defined by a hardware abstraction layer interface definition language (HIDL).
- Step 603 The key management server parses the authentication information collection request from the received hardware abstraction layer interface instruction and sends it to the trusted application.
- the key management server sends the authentication information collection request to a trusted application in a pass-through manner.
- Step 604 The trusted application invokes an authentication information acquisition device according to the authentication information acquisition request, collects authentication information, and signs the acquired authentication information.
- the authentication information acquisition device is, for example, a fingerprint acquisition device in a terminal device.
- the signed authentication information may include an identity of the application client.
- the signed authentication information may also have a signature key value.
- Step 605 The trusted application sends the signed authentication information to the key management server.
- Step 606 The key management server encapsulates the signed authentication information into a command result of a hardware abstraction layer, and sends the command result of the hardware abstraction layer to the key management layer through the hardware abstraction layer interface. Client.
- Step 607 The key management client parses the signed authentication information from the instruction result of the hardware abstraction layer, and sends the signed authentication information to an application server corresponding to the application client. So that the application server performs a validity check on the authentication information.
- the key management client may determine the application server corresponding to the application client according to the identity of the application client included in the signed authentication information, and then send the signed authentication information to the corresponding application server. .
- the authentication information transmission method in the embodiment of the present application can avoid the problems of complex, tedious and high cost of the information authentication path establishment process caused by frequent system updates, reduce the transmission time of authentication information, and improve the reliability of authentication information .
- Fig. 6B is a schematic flowchart of a method for transmitting authentication information according to still another exemplary embodiment of the present application. This process is a method of transmitting authentication information at the key management client. As shown in FIG. 6B, the method may include the following steps:
- Step 610 The key management client receives the authentication information collection request sent by the application client through the system service interface.
- Step 611 The key management client encapsulates the authentication information collection request into a hardware abstraction layer interface instruction, and sends the hardware abstraction layer interface instruction to the key management server through the hardware abstraction layer interface, so that all The key management server sends the authentication information collection request to a trusted application in a trusted execution environment.
- Step 612 The key management client receives an instruction result of a hardware abstraction layer from the key management server, wherein the instruction result of the hardware abstraction layer includes authentication information signed by the trusted application.
- Step 613 The key management client parses the signed authentication information from the instruction result of the hardware abstraction layer, and sends the signed authentication information to an application server corresponding to the application client, so that The application server performs a validity check on the authentication information.
- the authentication information transmission method in FIG. 6A and FIG. 6B and the authentication information transmission method in other embodiments of the present application may be used as a reference for each other.
- a key management client is also provided.
- Fig. 7 is a schematic structural diagram of a key management client according to an exemplary embodiment of the present application.
- the key management client of the present application includes a receiving module 110, a first sending module 120, a first obtaining module 130, and a second sending module 140.
- the receiving module 110 is configured to receive authentication information sent by an application client through a preset hardware abstraction layer interface
- a first sending module 120 configured to send the authentication information to the key management server, so that the key management server sends the authentication information to a trusted application in a trusted execution environment;
- a first obtaining module 130 configured to obtain authentication information signed by a trusted application forwarded by a key management server;
- the second sending module 140 is configured to send the signed authentication information to an application server corresponding to the application client through a preset hardware abstraction layer interface, so that the application server checks the validity of the authentication information.
- the key management client provided in the embodiment of the present application may execute the authentication information transmission method provided in the embodiment of the present application.
- the key management client can be configured in any computer device with data processing functions.
- the foregoing key management client further includes:
- a second obtaining module configured to obtain a signature key value of the application server sent by the key management server, where the signature key value is generated by a trusted application
- the third sending module is configured to send the signature key value to the application server through a preset hardware abstraction layer interface.
- the foregoing key management client further includes:
- a link path establishing module is used to establish a link path between a key management client and a key management server at a hardware abstraction layer.
- the receiving module 110 is further configured to:
- the above key management client also includes:
- a determining module configured to determine a target application server corresponding to the application client according to the identity of the application client;
- the foregoing second sending module 140 is specifically configured to:
- the signed authentication information is sent to the target application server through a preset hardware abstraction layer interface.
- the foregoing key management client further includes:
- a fourth sending module is configured to send a preset identifier of a hardware abstraction layer interface to an application client.
- the key management client provided in the embodiment of the present application can receive the authentication information sent by the application client through a preset hardware abstraction layer interface, and then can first send the authentication information to the key management server to enable the key management service.
- the client sends the authentication information to the trusted application in the trusted execution environment, and then the key management client obtains the signed authentication information of the trusted application forwarded by the key management server, and finally sends it through the preset hardware abstraction layer interface.
- the signed authentication information is sent to an application server corresponding to the application client, so that the application server checks the validity of the authentication information. Therefore, the problems of complex, tedious and high cost of the information authentication path establishment process caused by frequent system updates are avoided, the transmission time of the authentication information is reduced, and the reliability of the authentication information is improved.
- a computer device is also provided.
- Fig. 8 is a schematic structural diagram of a computer device according to an exemplary embodiment of the present application.
- the computer device shown in FIG. 8 is merely an example, and should not impose any limitation on the functions and scope of use of the embodiments of the present application.
- the computer device 200 includes: a memory 210 and a processor 220.
- the memory 210 stores a computer program.
- the processor 220 is caused to execute as described in the foregoing embodiment. Authentication information transmission method.
- the computer device 200 may further include: a memory 210 and a processor 220, a bus 230 connecting different components (including the memory 210 and the processor 220), and the memory 210 stores There is a computer program that implements the authentication information transmission method described in the embodiment of the present application when the processor 220 executes the program.
- the bus 230 represents one or more of several types of bus structures, including a memory bus or a memory controller, a peripheral bus, a graphics acceleration port, a processor, or a local area bus using any of a variety of bus structures.
- these architectures include, but are not limited to, the Industry Standard Architecture (ISA) bus, the Micro Channel Architecture (MAC) bus, the enhanced ISA bus, the Video Electronics Standards Association (VESA) local area bus, and peripheral component interconnects ( PCI) bus.
- Computer device 200 typically includes a variety of computer device-readable media. These media can be any available media that can be accessed by the computer device 200, including volatile and non-volatile media, removable and non-removable media.
- the memory 210 may also include computer system readable media in the form of volatile memory, such as random access memory (RAM) 240 and / or cache memory 250.
- Computer device 200 may further include other removable / non-removable, volatile / nonvolatile computer system storage media.
- the storage system 260 may be used to read and write non-removable, non-volatile magnetic media (not shown in FIG. 9 and is commonly referred to as a “hard drive”).
- a disk drive for reading and writing to a removable non-volatile disk (for example, a “floppy disk”), and a removable non-volatile optical disk (for example, CD-ROM, DVD-ROM) may be provided. Or other optical media).
- each drive may be connected to the bus 230 through one or more data medium interfaces.
- the memory 210 may include at least one program product having a set (for example, at least one) of program modules configured to perform the functions of the embodiments of the present application.
- a program / utility tool 280 having a set (at least one) of program modules 270 may be stored in, for example, the memory 210.
- Such program modules 270 include, but are not limited to, an operating system, one or more applications, other programs Modules and program data, each or some combination of these examples may include an implementation of a network environment.
- Program module 270 typically performs the functions and / or methods in the embodiments described herein.
- the computer device 200 may also communicate with one or more external devices 290 (such as a keyboard, pointing device, display 291, etc.), and may also communicate with one or more devices that enable a user to interact with the computer device 200, and / or with Any device (eg, network card, modem, etc.) that enables the computer device 200 to communicate with one or more other computing devices. This communication can be performed through an input / output (I / O) interface 292. Moreover, the computer device 200 may also communicate with one or more networks (such as a local area network (LAN), a wide area network (WAN), and / or a public network, such as the Internet) through the network adapter 293. As shown in FIG.
- LAN local area network
- WAN wide area network
- public network such as the Internet
- the network adapter 293 communicates with other modules of the computer device 200 through the bus 230. It should be understood that although not shown in FIG. 9, other hardware and / or software modules may be used in conjunction with the computer device 200, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tapes Drives and data backup storage systems.
- the key management client in the computer device After receiving the authentication information sent by the application client through a preset hardware abstraction layer interface, the key management client in the computer device provided in the embodiment of the present application may first send the authentication information to the key management server so that The key management server sends the authentication information to the trusted application in the trusted execution environment, and then the key management client obtains the authentication information signed by the trusted application forwarded by the key management server, and finally passes the preset hardware
- the abstract layer interface sends the signed authentication information to the application server corresponding to the application client, so that the application server checks the validity of the authentication information. Therefore, the problems of complex, tedious and high cost of the information authentication path establishment process caused by frequent system updates are avoided, the transmission time of the authentication information is reduced, and the reliability of the authentication information is improved.
- the present application also proposes an authentication information transmission system including an application client, an application server, a key management server, a trusted application, and the key management client according to the foregoing embodiment. .
- the authentication information transmission system includes an application client, an application server, a key management server, a trusted application, and the key management client described in the foregoing embodiment.
- the hardware abstraction layer interface is designed. After receiving the authentication information sent by the application client, it can use the key management server to send the authentication information to the trusted application in the trusted execution environment to sign and authenticate the authentication in the trusted application. After the information is signed, the signed management information is received by the key management server, and the signed authentication information is sent to the application server corresponding to the application client, so that the application server checks the validity of the authentication information. Therefore, the problems of complex, tedious and high cost of the information authentication path establishment process caused by frequent system updates are avoided, the transmission time of the authentication information is reduced, and the reliability of the authentication information is improved.
- the present application also proposes a computer-readable storage medium.
- the computer-readable storage medium stores a computer program thereon, and when the program is executed by a processor, the authentication information transmission method is implemented.
- the computer-readable storage medium provided in the embodiments of the present application can be configured in any computer device capable of performing information authentication.
- performing information authentication by executing the authentication information transmission method stored thereon, it can be avoided due to frequent system updates.
- the complex, tedious, and costly process of establishing an information authentication channel reduces the transmission time of authentication information and improves the reliability of authentication information.
- the present application also proposes a computer program product that, when instructions in the computer program product are executed by a processor, executes the authentication information transmission method as in the foregoing embodiment.
- the computer program product provided in the embodiment of the present application can be written into any computer equipment capable of information authentication.
- information authentication by executing a program corresponding to an authentication information transmission method, an information authentication path caused by frequent system updates can be avoided.
- the complex, tedious and high cost of the establishment process reduces the transmission time of the authentication information and improves the reliability of the authentication information.
- first and second are used for descriptive purposes only, and cannot be understood as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Therefore, the features defined as “first” and “second” may explicitly or implicitly include one or more of the features. In the description of the present application, the meaning of "a plurality" is two or more, unless specifically defined otherwise.
- Any process or method description in a flowchart or otherwise described herein can be understood as a module, fragment, or portion of code that includes one or more executable instructions for implementing a particular logical function or step of a process
- the scope of the preferred embodiments of this application includes additional implementations in which the functions may be performed out of the order shown or discussed, including performing the functions in a substantially simultaneous manner or in the reverse order according to the functions involved, which should It is understood by those skilled in the art to which the embodiments of the present application pertain.
- Logic and / or steps represented in a flowchart or otherwise described herein, for example, a sequenced list of executable instructions that may be considered to implement a logical function, may be embodied in any computer-readable medium, For use by, or in combination with, an instruction execution system, device, or device (such as a computer-based system, a system that includes a processor, or another system that can fetch and execute instructions from an instruction execution system, device, or device) Or equipment.
- a "computer-readable medium” may be any device that can contain, store, communicate, propagate, or transmit a program for use by or in connection with an instruction execution system, apparatus, or device.
- computer-readable media include the following: electrical connections (electronic devices) with one or more wirings, portable computer disk cartridges (magnetic devices), random access memory (RAM), Read-only memory (ROM), erasable and editable read-only memory (EPROM or flash memory), fiber optic devices, and portable optical disk read-only memory (CDROM).
- the computer-readable medium may even be paper or other suitable medium on which the program can be printed, because, for example, by optically scanning the paper or other medium, followed by editing, interpretation, or other suitable Processing to obtain the program electronically and then store it in computer memory.
- each part of the application may be implemented by hardware, software, firmware, or a combination thereof.
- multiple steps or methods may be implemented by software or firmware stored in a memory and executed by a suitable instruction execution system.
- a suitable instruction execution system For example, if implemented in hardware, as in another embodiment, it may be implemented using any one or a combination of the following techniques known in the art: Discrete logic circuits, application-specific integrated circuits with suitable combinational logic gate circuits, programmable gate arrays (PGA), field programmable gate arrays (FPGA), etc.
- a person of ordinary skill in the art can understand that all or part of the steps carried by the methods in the foregoing embodiments can be implemented by a program instructing related hardware.
- the program can be stored in a computer-readable storage medium.
- the program is When executed, one or a combination of the steps of the method embodiment is included.
- each functional unit in each embodiment of the present application may be integrated into one processing module, or each unit may exist separately physically, or two or more units may be integrated into one module.
- the above integrated modules may be implemented in the form of hardware or software functional modules. If the integrated module is implemented in the form of a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium.
- the aforementioned storage medium may be a read-only memory, a magnetic disk, or an optical disk.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- General Health & Medical Sciences (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Life Sciences & Earth Sciences (AREA)
- Biodiversity & Conservation Biology (AREA)
- Biomedical Technology (AREA)
- Telephonic Communication Services (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
- Storage Device Security (AREA)
- Computer And Data Communications (AREA)
Abstract
本申请涉及一种认证信息传输方法、密钥管理客户端及计算机设备,属于通信技术领域。所述方法包括:密钥管理客户端通过预设的硬件抽象层接口,接收应用客户端发送的认证信息;密钥管理客户端,将认证信息发送给密钥管理服务端,以使密钥管理服务端将认证信息发送给可信执行环境中的可信应用;密钥管理客户端,获取密钥管理服务端转发的可信应用签名后的认证信息;密钥管理客户端,通过预设的硬件抽象层接口将签名后的认证信息,发送给与应用客户端对应的应用服务器,以使应用服务器对认证信息进行合法性校验。
Description
本申请要求于2018年08月16日提交的申请号为201810936092.2、发明名称为“认证信息传输方法、密钥管理客户端及计算机设备”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。
本申请涉及通信技术领域,特别涉及一种认证信息传输方法、密钥管理客户端及计算机设备。
目前,在用户利用手机、电脑等终端设备中的第三方应用进行支付,或打开手机、电脑等终端设备中的隐私文件或应用时,经常会需要采用安全认证技术,对人脸、指纹等生物认证信息进行验证,以验证用户身份。
通常,第三方应用客户端可以将生物认证信息发送给对应的应用服务器进行校验,以在应用服务器验证合法后,实现付款、打开隐私文件或应用等功能。
发明内容
本申请实施例提出一种认证信息传输方法、密钥管理客户端、计算机设备、认证信息传输系统及计算机可读存储介质。
本申请一方面实施例提供一种认证信息传输方法,由计算设备执行,该方法包括:密钥管理客户端通过预设的硬件抽象层接口,接收应用客户端发送的认证信息;所述密钥管理客户端,将所述认证信息发送给密钥管理服务端,以使所述密钥管理服务端将所述认证信息发送给可信执行环境中的可信应用;所述密钥管理客户端,获取所述密钥管理服务端转发的所述可信应用签名后的认证信息;所述密钥管理客户端,通过所述预设的硬件抽象层接口将所述签名后的认证信息,发送给与所述应用客户端对应的应用服务器,以使所述应用服务器对所述认证信息进行合法性校验。
本申请另一方面实施例提供一种密钥管理客户端,该密钥管理客户端包 括:接收模块,用于通过预设的硬件抽象层接口,接收应用客户端发送的认证信息;第一发送模块,用于将所述认证信息发送给密钥管理服务端,以使所述密钥管理服务端将所述认证信息发送给可信执行环境中的可信应用;第一获取模块,用于获取所述密钥管理服务端转发的所述可信应用签名后的认证信息;第二发送模块,用于通过所述预设的硬件抽象层接口将所述签名后的认证信息,发送给与所述应用客户端对应的应用服务器,以使所述应用服务器对所述认证信息进行合法性校验。
本申请实施例再一方面实施例提供一种认证信息传输方法,该方法包括:密钥管理客户端通过系统服务接口,接收应用客户端发送的认证信息采集请求;密钥管理客户端,将所述认证信息采集请求封装为硬件抽象层接口指令,并将所述硬件抽象层接口指令通过硬件抽象层接口,发送给密钥管理服务端,以使所述密钥管理服务端将所述认证信息采集请求发送给可信执行环境中的可信应用;密钥管理客户端,从所述密钥管理服务端接收硬件抽象层的指令结果,其中所述硬件抽象层的指令结果中包括所述可信应用签名后的认证信息;所述密钥管理客户端从所述硬件抽象层的指令结果中解析出签名后的认证信息,并将签名后的认证信息发送给与所述应用客户端对应的应用服务器,以使所述应用服务器对所述认证信息进行合法性校验。
本申请又一方面实施例提供一种计算机设备,包括存储器、处理器及存储在存储器上并可在处理器上运行的计算机程序,所述处理器执行所述程序时,实现前述实施例所述的认证信息传输方法。
本申请再一方面实施例提供一种认证信息传输系统,包括应用客户端、应用服务器、密钥管理服务端、可信应用,及前述实施例所述的密钥管理客户端。
本申请再一方面实施例提供一种计算机可读存储介质,其上存储有计算机程序,该程序被处理器执行时,实现前述实施例所述的认证信息传输方法。
应当理解的是,以上的一般描述和后文的细节描述仅是示例性和解释性的,并不能限制本申请。
附图简要说明
此处的附图被并入说明书中并构成本说明书的一部分,示出了符合本申请 的实施例,并与说明书一起用于解释本申请的原理。
图1是根据本申请一个示例性实施例示出的认证信息传输方法的流程示意图;
图2是根据本申请另一个示例性实施例示出的认证信息传输方法的流程示意图;
图3是根据本申请又一个示例性实施例示出的认证信息传输方法的流程示意图;
图4是根据本申请一个示例性实施例示出的认证信息传输方法的信令交互图;
图5是本申请一个示例性实施例示出的认证信息传输方法的应用场景图;
图6A是根据本申请一个示例性实施例示出的认证信息传输方法的流程示意图;
图6B是根据本申请再一个示例性实施例示出的认证信息传输方法的流程示意图;
图7是根据本申请一个示例性实施例示出的密钥管理客户端的结构示意图;
图8是根据本申请一个示例性实施例示出的计算机设备的结构示意图;
图9是根据本申请另一个示例性实施例示出的计算机设备的结构示意图。
通过上述附图,已示出本申请明确的实施例,后文中将有更详细的描述。这些附图和文字描述并不是为了通过任何方式限制本申请构思的范围,而是通过参考特定实施例为本领域技术人员说明本申请的概念。
实施本发明的方式
这里将详细地对示例性实施例进行说明,其示例表示在附图中。下面的描述涉及附图时,除非另有表示,不同附图中的相同数字表示相同或相似的要素。以下示例性实施例中所描述的实施方式并不代表与本申请相一致的所有实施方式。相反,它们仅是与如所附权利要求书中所详述的、本申请的一些方面相一致的装置和方法的例子。
目前,为了提高生物认证信息安全性,可以由终端设备的安全区域(Trusted Execution Environment,简称TEE)中的可信应用(Trusted Application,简称TA)对第三方应用获取的生物认证信息进行签名后,再通过第三方应用对应的应用服务器进行信息校验。而第三方应用在与可信应用进行数据交互时,通常需要经过终端系统中的应用框架层接口,这就需要第三方应用对应用框架层的接口功能进行定义,以使重新定义新的接口可以执行相应的算法,以调用硬件抽象层(Hardware Abstract Layer,HAL),进而访问TEE中的TA。
由于通常终端系统的更新速度很快,这就导致了传统的信息认证方法,需要随系统中应用框架层的频繁更新,而频繁进行接口定义,且由于应用框架层开放的各接口是碎片化的,互相耦合的,从而导致利用上述方式进行信息认证的通路建立过程复杂、繁琐,且成本高。
本申请实施例提供的认证信息传输方法,可以预先在硬件抽象层定义密钥管理客户端及密钥管理服务端,从而在进行信息认证时,应用客户端可以通过预设的硬件抽象层接口,向密钥管理客户端发送认证信息,进而密钥管理客户端接收到认证信息后,可以通过密钥管理服务端将认证信息发送给可信执行环境中的可信应用。在可信应用对认证信息签名并将签名后的认证信息发送给密钥管理服务端后,密钥管理客户端可以将密钥管理服务端转发的可信应用签名后的认证信息,通过预设的硬件抽象层接口发送给应用客户端对应的应用服务器,以使应用服务器对认证信息进行合法性验证。由此,可以避免由于系统频繁更新造成的信息认证通路建立过程的复杂、繁琐及成本高的问题,减少认证信息的传输时长,提高认证信息的可靠性。
下面结合附图,对本申请提供的认证信息传输方法、密钥管理客户端、计算机设备、认证信息传输系统及计算机可读存储介质进行详细说明。
首先结合图1,对本申请实施例提供的认证信息传输方法进行详细说明。
图1是根据本申请一个示例性实施例示出的认证信息传输方法的流程示意图。
如图1所示,该认证信息传输方法,可以包括以下步骤:
步骤101,密钥管理客户端通过预设的硬件抽象层接口,接收应用客户端发送的认证信息。
可选地,本申请实施例提供的认证信息传输方法,可以由本申请实施例提供的密钥管理客户端执行。其中,密钥管理客户端可以被配置在任意计算机设 备中。具体地,本实施例的计算机设备可以是任一具有数据处理功能的硬件设备,比如智能手机、个人数字助理、平板电脑、台式计算机等等。
其中,认证信息,可以是指纹、密码、数字证书等任意能够用于用户身份认证的信息。
应用客户端,可以是终端设备中的第三方应用。第三方应用是指有别于终端设备上的系统应用的应用,例如,可以为即时通信应用、社交应用、支付应用等。
可以理解的是,在用户需要利用第三方应用进行支付(例如,打开第三方应用的支付确认页面)、或打开终端设备中的隐私应用或文件时,可以在终端设备中输入指纹、密码等认证信息。在本申请实施例中,通过预先定义一个硬件抽象层接口,应用客户端即可在获取认证信息后,通过预设的硬件抽象层接口,将认证信息发送给密钥管理客户端。硬件抽象层是位于操作系统内核与硬件电路之间的接口层,其目的在于将硬件抽象化。
需要说明的是,为了使应用客户端可以通过预设的硬件抽象层接口,向密钥管理客户端发送认证信息,需要将硬件抽象层接口开放给应用客户端。那么,在本申请实施例中,步骤101之前,还可以包括:
密钥管理客户端,将预设的硬件抽象层接口的标识发送给应用客户端。
其中,硬件抽象层接口的标识,可以根据需要任意设置。
具体地,密钥管理客户端,将预设的硬件抽象层接口的标识发送给应用客户端后,密钥管理客户端即可根据预设的硬件抽象层接口的标识,识别预设的硬件抽象层接口,并通过预设的硬件抽象层接口,接收应用客户端发送的认证信息。
步骤102,密钥管理客户端,将认证信息发送给密钥管理服务端,以使密钥管理服务端将认证信息发送给可信执行环境中的可信应用。
步骤103,密钥管理客户端,获取密钥管理服务端转发的可信应用签名后的认证信息。
可以理解的是,在终端设备中,通常设置有安全区域,即本申请实施例中的可信执行环境,此区域为一个受信环境,可以保证在其内部存储、处理的数据是独立于外部环境的。终端设备中的某些对保密性、安全性或可靠性要求较高的特殊应用均可在此环境中运行。
本申请实施例中,可信应用即为运行在可信执行环境(TEE)中的应用(TA)。可信应用可以对认证信息进行签名,从而使认证信息不易被其它应用篡改,保证认证信息在传输过程中的安全性和可靠性。
具体地,密钥管理客户端在接收到应用客户端发送的认证信息后,即可将认证信息发送给密钥管理服务端,以使密钥管理服务端将认证信息发送给可信执行环境中的可信应用。可信应用对接收到的认证信息签名后,即可将签名后的认证信息发送给密钥管理服务端,从而密钥管理客户端可以获取密钥管理服务端转发的可信应用签名后的认证信息。
需要说明的是,在本申请实施例中,为了实现密钥管理客户端与密钥管理服务端的通信,还需要密钥管理客户端与密钥管理服务端之间存在链接通路,即,在步骤102之前,还可以包括:
密钥管理客户端与密钥管理服务端在硬件抽象层建立链接通路。
具体地,可以预先建立密钥管理客户端与密钥管理服务端在硬件抽象层的链接通路,链接通路一旦建立,即可永远存在,从而可以通过链接通路,实现密钥管理客户端与密钥管理服务端的通信。
步骤104,密钥管理客户端,通过预设的硬件抽象层接口将签名后的认证信息,发送给与应用客户端对应的应用服务器,以使应用服务器对认证信息进行合法性校验。
具体地,密钥管理客户端接收到密钥管理服务端转发的可信应用签名后的认证信息后,即可通过预设的硬件抽象层接口将签名后的认证信息,发送给与应用客户端对应的应用服务器,从而应用服务器即可对认证信息进行合法性校验。
可以理解的是,在本申请实施例中,应用客户端及应用客户端对应的应用服务器,可以通过预先定义的硬件抽象层接口,与密钥管理客户端通信,密钥管理客户端可以通过在硬件抽象层建立的链接通路,与密钥管理服务端通信,密钥管理服务端可以与可信执行环境(TEE)中的可信应用(TA)进行通信。从而在密钥管理客户端接收到应用客户端发送的认证信息后,可以将认证信息通过密钥管理服务端发送给TA,实现利用TA对应用客户端发送的认证信息进行签名。在TA对认证信息签名后,可以通过密钥管理服务端及密钥管理客户端,将签名后的认证信息发送给应用客户端对应的应用服务器,以使应用服务 器对TA签名后的认证信息进行合法性校验,从而实现对认证信息的认证。
由于系统更新的过程通常不涉及硬件抽象层,从而通过直接在硬件抽象层定义密钥管理客户端和密钥管理服务端,来为第三方应用的认证信息传输提供通路,避免了由于系统频繁更新造成的信息认证通路建立过程的复杂、繁琐及成本高的问题。且由于认证信息直接由应用客户端通过硬件抽象层的接口发送给密钥管理客户端,而无需经过应用框架层中的接口进行转发,减少了认证信息的传输时长,且降低了认证信息被篡改的可能性,提高了认证信息的可靠性。
本申请实施例提供的认证信息传输方法,密钥管理客户端通过预设的硬件抽象层接口,接收应用客户端发送的认证信息后,先将认证信息发送给密钥管理服务端,以使密钥管理服务端将认证信息发送给可信执行环境中的可信应用,然后密钥管理客户端再获取密钥管理服务端转发的可信应用签名后的认证信息,最后通过预设的硬件抽象层接口将签名后的认证信息,发送给与应用客户端对应的应用服务器,以使应用服务器对认证信息进行合法性校验。由此,通过直接在硬件抽象层定义密钥管理客户端和密钥管理服务端,来为第三方应用的认证信息传输提供通路,避免了由于系统频繁更新造成的信息认证通路建立过程的复杂、繁琐及成本高的问题。且由于认证信息直接由应用客户端通过硬件抽象层的接口发送给密钥管理客户端,而无需经过应用框架层中的接口进行转发,减少了认证信息的传输时长,且降低了认证信息被篡改的可能性,提高了认证信息的可靠性。
通过上述分析可知,密钥管理客户端在通过预设的硬件抽象层接口,接收应用客户端发送的认证信息,并将认证信息发送给密钥管理服务端后,密钥管理服务端可以将认证信息发送给可信执行环境中的可信应用进行签名,并在可信应用对认证信息签名后,将签名后的认证信息转发给密钥管理客户端,从而密钥管理客户端可以通过预设的硬件抽象层接口,将签名后的认证信息发送给与应用客户端对应的应用服务器,以使应用服务器对认证信息进行合法性校验。在一种可能的实现形式中,应用服务器还需要在获取可信应用签名后的认证信息后,对签名后的认证信息进行验签,以得到认证信息,进而对认证信息进行合法性校验。下面结合图2,针对上述情况,对本申请的认证信息传输方 法进行进一步说明。
图2是根据本申请另一个示例性实施例示出的认证信息传输方法的流程示意图。
如图2所示,该认证信息传输方法可以包括以下步骤:
步骤201,密钥管理客户端,将预设的硬件抽象层接口的标识发送给应用客户端。
步骤202,密钥管理客户端通过预设的硬件抽象层接口,接收应用客户端发送的认证信息。
步骤203,密钥管理客户端与密钥管理服务端在硬件抽象层建立链接通路。
需要说明的是,步骤203可以在步骤202之后执行,也可以在步骤202之前执行,还可以与步骤202同时执行,只需在步骤204之前执行即可,本申请对此不作限制。
步骤204,密钥管理客户端,通过硬件抽象层的链接通路,将认证信息发送给密钥管理服务端,以使密钥管理服务端将认证信息发送给可信执行环境中的可信应用。
步骤205,密钥管理客户端,获取密钥管理服务端转发的可信应用签名后的认证信息。
需要说明的是,上述步骤201-步骤205的具体实现过程及原理,可以参照上述实施例的相关描述,此处不再赘述。
步骤206,密钥管理客户端,获取密钥管理服务端发送的应用服务器的签名键值,其中,签名键值是可信应用产生的。
其中,密钥管理客户端可以是在获取密钥管理服务端转发的可信应用签名后的认证信息的同时,获取应用服务器的签名键值。
步骤207,密钥管理客户端,通过预设的硬件抽象层接口将签名键值发送给应用服务器。
步骤208,密钥管理客户端,通过预设的硬件抽象层接口将签名后的认证信息,发送给与应用客户端对应的应用服务器,以使应用服务器对认证信息进行合法性校验。
可以理解的是,应用服务器通过预设的硬件抽象层接口,获取的是可信应 用对认证信息签名后的认证信息,为了对认证信息进行合法性校验,应用服务器还需要先对获取的签名后的认证信息进行验签,以得到认证信息。那么,在本申请实施例中,可信应用可以先产生应用服务器的签名键值,并将应用服务器的签名键值发送给密钥管理服务端,从而密钥管理客户端可以从密钥管理服务端获取应用服务器的签名键值,并将签名键值通过预设的硬件抽象层接口发送给应用服务器,以使应用服务器可以根据获取的签名键值,对获取的签名后的认证信息进行验签,从而得到认证信息。
具体地,若应用服务器获取到的可信应用产生的签名键值,与获取到的签名后的认证信息对应的签名匹配,即可完成对获取的签名后的认证信息的验签,从而得到认证信息,进而应用服务器可以对认证信息进行合法性校验。
需要说明的是,步骤206-207可以在步骤205之后执行,也可以在步骤205之前执行,也可以与步骤205同时执行,只需在应用服务器对认证信息进行合法性校验之前执行即可,本申请对此不作限制。
通过密钥管理客户端将可信应用产生的应用服务器的签名键值,通过预设的硬件抽象层接口发送给应用服务器,从而使得应用服务器在获取到密钥管理客户端发送的可信应用签名后的认证信息后,可以根据获取的签名键值,得到认证信息,进而对认证信息进行合法性校验。
本申请实施例提供的认证信息传输方法,密钥管理客户端将预设的硬件抽象层接口的标识发送给应用客户端,并通过预设的硬件抽象层接口,接收应用客户端发送的认证信息后,可以先将认证信息通过预先在硬件抽象层建立的链接通路发送给密钥管理服务端,以使密钥管理服务端将认证信息发送给可信执行环境中的可信应用,然后密钥管理客户端再获取密钥管理服务端转发的可信应用签名后的认证信息,并在密钥管理客户端将从密钥管理服务端获取的应用服务器的签名键值,通过预设的硬件抽象层接口发送给应用服务器后,通过预设的硬件抽象层接口将签名后的认证信息,发送给与应用客户端对应的应用服务器,以使应用服务器对认证信息进行合法性校验。由此,避免了由于系统频繁更新造成的信息认证通路建立过程的复杂、繁琐及成本高的问题,减少了认证信息的传输时长,提高了认证信息的可靠性。
通过上述分析可知,密钥管理客户端在通过预设的硬件抽象层接口,接收 应用客户端发送的认证信息,并将认证信息发送给密钥管理服务端后,密钥管理服务端可以将认证信息发送给可信执行环境中的可信应用进行签名,并在可信应用对认证信息签名后,将签名后的认证信息转发给密钥管理客户端,从而密钥管理客户端可以通过预设的硬件抽象层接口,将签名后的认证信息发送给与应用客户端对应的应用服务器,以使应用服务器对认证信息进行合法性校验。在实际应用中,可能存在多个应用客户端需要进行信息认证,从而密钥管理客户端可能会获取到多个应用客户端发送的认证信息。下面结合图3,针对上述情况,对本申请的认证信息传输方法进行进一步说明。
图3是根据本申请又一个示例性实施例示出的认证信息传输方法的流程示意图。
如图3所示,该认证信息传输方法可以包括以下步骤:
步骤301,密钥管理客户端,将预设的硬件抽象层接口的标识发送给应用客户端。
步骤302,密钥管理客户端通过预设的硬件抽象层接口,接收应用客户端发送的认证信息,及认证信息对应的应用客户端的标识。
步骤303,密钥管理客户端与密钥管理服务端在硬件抽象层建立链接通路。
步骤304,密钥管理客户端,将认证信息发送给密钥管理服务端,以使密钥管理服务端将认证信息发送给可信执行环境中的可信应用。
步骤305,密钥管理客户端,获取密钥管理服务端转发的可信应用签名后的认证信息。
其中,步骤301-步骤305的具体实现过程及原理,可以参照上述实施例的相关描述,此处不再赘述。
步骤306,密钥管理客户端,根据应用客户端的标识,确定与应用客户端对应的目标应用服务器。
需要说明的是,步骤306可以在步骤305之后执行,也可以在步骤305之前执行,还可以与步骤305同时执行,只需在步骤307之前执行即可,此处不作限制。
步骤307,密钥管理客户端,通过预设的硬件抽象层接口将签名后的认证信息,发送给目标应用服务器,以使目标应用服务器对认证信息进行合法性校 验。
具体地,应用客户端在通过预设的硬件抽象层接口,向密钥管理客户端发送认证信息的同时,可以将认证信息对应的应用客户端的标识同时发送给密钥管理客户端,从而在密钥管理客户端通过密钥管理服务端向可信应用发送认证信息时,可以将认证信息对应的应用客户端的标识同时发送给可信应用。可信应用在对认证信息签名后,可以将签名后的认证信息和认证信息对应的应用客户端的标识同时发送给密钥管理服务端,从而密钥管理客户端在获取到密钥管理服务端转发的可信应用签名后的认证信息,及认证信息对应的应用客户端的标识后,可以根据应用客户端的标识,确定与应用客户端对应的目标应用服务器,并通预设的硬件抽象层接口,将签名后的认证信息发送给目标应用服务器,以使目标应用服务器对认证信息进行合法性校验。
举例来说,假设密钥管理客户端,将预设的硬件抽象层接口的标识发送给应用客户端A和应用客户端B后,应用客户端A通过预设的硬件抽象层接口,向密钥管理客户端发送了认证信息a,同时发送了应用客户端A的标识“A”,应用客户端B通过预设的硬件抽象层接口,向密钥管理客户端发送了认证信息b,同时发送了应用客户端B的标识“B”。
则密钥管理客户端在接收到认证信息a及对应的标识“A”、认证信息b及对应的标识“B”后,可以将认证信息a及对应的标识“A”、认证信息b及对应的标识“B”发送给密钥管理服务端,以使密钥管理服务端将认证信息a及对应的标识“A”、认证信息b及对应的标识“B”发送给可信执行环境中的可信应用,从而可信应用可以分别对认证信息a和认证信息b进行签名。
可信应用分别对认证信息a和认证信息b签名后,可以将认证信息a签名后的认证信息a’及对应的标识“A”、认证信息b签名后的认证信息b’及对应的标识“B”发送给密钥管理服务端,从而密钥管理客户端可以获取密钥管理服务端转发的认证信息a’及对应的标识“A”、认证信息b’及对应的标识“B”,并分别根据标识“A”和“B”,确定应用客户端A和B分别对应的目标应用服务器,从而将签名后的认证信息a’发送给应用客户端A对应的目标应用服务器,将签名后的认证信息b’发送给应用客户端B对应的目标应用服务器,以使应用客户端A对应的目标应用服务器对认证信息a进行合法性校验,应用客户端B对应的目标应用服务器对认证信息b进行合法性校验。
本申请实施例提供的认证信息传输方法,密钥管理客户端将预设的硬件抽象层接口的标识发送给应用客户端,并通过预设的硬件抽象层接口,接收应用客户端发送的认证信息后,可以先将认证信息通过预先在硬件抽象层建立的链接通路发送给密钥管理服务端,以使密钥管理服务端将认证信息发送给可信执行环境中的可信应用,然后密钥管理客户端再获取密钥管理服务端转发的可信应用签名后的认证信息,并在根据应用客户端的标识,确定与应用客户端对应的目标应用服务器后,通过预设的硬件抽象层接口将签名后的认证信息,发送给目标应用服务器,以使目标应用服务器对认证信息进行合法性校验。由此,避免了由于系统频繁更新造成的信息认证通路建立过程的复杂、繁琐及成本高的问题,减少了认证信息的传输时长,提高了认证信息的可靠性。且通过密钥管理客户端根据应用客户端的标识,确定应用客户端对应的目标应用服务器,进而将签名后的认证信息发送给目标应用服务器,以使目标应用服务器对认证信息进行合法性校验,实现了对多个目标客户端发送的认证信息同时进行信息认证,从而提高了信息认证的效率。
下面结合图4所示的认证信息传输方法的信令交互图,对本申请实施例提供的认证信息传输方法进行进一步说明。
图4是根据本申请一个示例性实施例示出的认证信息传输方法的信令交互图。
如图4所示,该认证信息传输方法由应用客户端M、应用客户端M对应的应用服务器N、密钥管理客户端P、密钥管理服务端S及可信执行环境中的可信应用TA执行。
步骤401,P将预设的硬件抽象层接口的标识发送给M。
步骤402,P通过预设的硬件抽象层接口,接收M发送的认证信息。
步骤403,P将认证信息发送给S。
步骤404,S将认证信息发送给可信执行环境中的可信应用TA。
步骤405,TA对认证信息进行签名。
步骤406,TA将签名后的认证信息发送给S。
步骤407,S将签名后的认证信息转发给P。
步骤408,P通过预设的硬件抽象层接口将签名后的认证信息发送给N, 以使N对认证信息进行合法性校验。
通过上述过程,即可将应用客户端M发送的认证信息发送给可信执行环境中的可信应用TA进行签名,并在TA对认证信息签名后,将签名后的认证信息发送给应用客户端M对应的应用服务器N,以使应用服务器N对认证信息进行合法性校验,从而避免了由于系统频繁更新造成的信息认证通路建立过程的复杂、繁琐及成本高的问题,减少了认证信息的传输时长,提高了认证信息的可靠性。
上述实施例提供的认证信息传输方法,可以应用于指纹支付、公众号/小程序指纹授权接口等各场景。下面以指纹支付场景为例,对本申请实施例提供的认证信息传输方法进行说明。
图5是本申请一个示例性实施例示出的认证信息传输方法的应用场景图。
如图5所示,假设应用客户端M要使用指纹支付功能进行支付,应用客户端M对应应用服务器N,则在用户通过终端设备中的指纹采集装置,将指纹输入终端设备后(步骤1),应用客户端M可以通过预先定义的硬件抽象层,将获取的指纹发送给密钥管理客户端P(步骤2-3),然后由密钥管理客户端P通过预先建立的链接通路将指纹发送给密钥管理服务端S(步骤4),密钥管理服务端S再将指纹发送给可信执行环境中的可信应用TA(步骤5)。
可信应用TA对获取的指纹进行签名后(步骤6),可以将签名后的指纹发送给密钥管理服务端S(步骤7),再由密钥管理服务端S通过预先建立的链接通路,将签名后的指纹转发给密钥管理客户端P(步骤8),密钥管理客户端P再通过预设的硬件抽象层接口将签名后的指纹发送给应用服务器N(步骤9)。应用服务器N获取到签名后的指纹后,即可对签名后的指纹进行验签,再对验签后得到的指纹进行合法性校验(步骤10)。在应用服务器N确定指纹合法后,即可完成支付。
图6A是根据本申请一个示例性实施例示出的认证信息传输方法的流程示意图。
如图6A所示,该认证信息传输方法可以包括以下步骤:
步骤601,密钥管理客户端通过系统服务接口,接收应用客户端发送的认 证信息采集请求。
根据本申请实施例,所述密钥管理客户端可以是设置在终端设备的操作系统中的一个系统服务。所述密钥管理客户端包括所述系统服务接口。所述应用客户端可以调用所述密钥管理客户端的系统服务接口,发起认证信息采集请求。
所述密钥管理客户端和所述应用客户端之间预先通过所述系统服务接口建立了系统服务链接通路。所述系统服务接口可以是通过系统接口定义语言定义的接口,用于通过跨进程(Inter-process Communication,IPC)的方式,在应用客户端与密钥管理客户端之间进行通信。所述系统接口定义语言例如是Android接口定义语言(AIDL),所述系统服务接口例如是AIDL接口。
其中,所述认证信息采集请求例如可以是指纹采集请求。所述认证信息采集请求可以包括所述应用客户端的标识。
步骤602,密钥管理客户端,将所述认证信息采集请求封装为硬件抽象层接口指令,并将所述硬件抽象层接口指令通过硬件抽象层接口,发送给密钥管理服务端。
根据本申请实施例,所述密钥管理服务端可以包括所述硬件抽象层接口,所述密钥管理客户端可以调用所述密钥管理服务端的硬件抽象层接口,将所述硬件抽象层接口指令发送给所述密钥管理服务端。所述密钥管理服务端例如是设置在终端设备的安全区域内。
所述密钥管理客户端和所述密钥管理服务端之间预先通过所述硬件抽象层接口建立了硬件抽象层链接通路。所述硬件抽象层接口例如是通过硬件抽象层接口定义语言(HIDL)定义的接口。
步骤603,密钥管理服务端从接收的硬件抽象层接口指令中解析出所述认证信息采集请求,发送给可信应用。
根据本申请实施例,所述密钥管理服务端通过透传(Pass-through)的方式,将所述认证信息采集请求发送给可信应用。
步骤604,可信应用根据所述认证信息采集请求,调用认证信息采集设备,采集认证信息,并对采集的认证信息进行签名。
其中,所述认证信息采集设备例如是终端设备中的指纹采集装置。所述签名后的认证信息可以包括所述应用客户端的标识。所述签名后的认证信息还可 以具有签名键值。
步骤605,可信应用将所述签名后的认证信息发送给所述密钥管理服务端。
步骤606,所述密钥管理服务端将所述签名后的认证信息封装为硬件抽象层的指令结果,并将所述硬件抽象层的指令结果通过所述硬件抽象层接口,发送给密钥管理客户端。
步骤607,所述密钥管理客户端从所述硬件抽象层的指令结果中解析出所述签名后的认证信息,并将签名后的认证信息发送给与所述应用客户端对应的应用服务器,以使所述应用服务器对所述认证信息进行合法性校验。
具体地,所述密钥管理客户端可以根据所述签名后的认证信息中包括的应用客户端的标识,确定与应用客户端对应的应用服务器,再将签名后的认证信息发送给对应的应用服务器。
通过本申请实施例的认证信息传输方法,可以避免了由于系统频繁更新造成的信息认证通路建立过程的复杂、繁琐及成本高的问题,减少了认证信息的传输时长,提高了认证信息的可靠性。
图6B是根据本申请再一个示例性实施例示出的认证信息传输方法的流程示意图。该流程是在密钥管理客户端的认证信息传输方法。如图6B所示,该方法可以包括以下步骤:
步骤610,密钥管理客户端通过系统服务接口,接收应用客户端发送的认证信息采集请求。
步骤611,密钥管理客户端,将所述认证信息采集请求封装为硬件抽象层接口指令,并将所述硬件抽象层接口指令通过硬件抽象层接口,发送给密钥管理服务端,以使所述密钥管理服务端将所述认证信息采集请求发送给可信执行环境中的可信应用。
步骤612,密钥管理客户端,从所述密钥管理服务端接收硬件抽象层的指令结果,其中所述硬件抽象层的指令结果中包括所述可信应用签名后的认证信息。
步骤613,所述密钥管理客户端从所述硬件抽象层的指令结果中解析出签名后的认证信息,并将签名后的认证信息发送给与所述应用客户端对应的应用 服务器,以使所述应用服务器对所述认证信息进行合法性校验。
图6B的各个步骤可以参考图6A的相应步骤的具体描述。
图6A、图6B的认证信息传输方法和本申请其他实施例中的认证信息传输方法可以互为参考使用。
在示例性实施例中,还提供了一种密钥管理客户端。
图7是根据本申请一个示例性实施例示出的密钥管理客户端的结构示意图。
参照图7所示,本申请的密钥管理客户端包括:接收模块110、第一发送模块120、第一获取模块130、第二发送模块140。
其中,接收模块110,用于通过预设的硬件抽象层接口,接收应用客户端发送的认证信息;
第一发送模块120,用于将认证信息发送给密钥管理服务端,以使密钥管理服务端将认证信息发送给可信执行环境中的可信应用;
第一获取模块130,用于获取密钥管理服务端转发的可信应用签名后的认证信息;
第二发送模块140,用于通过预设的硬件抽象层接口将签名后的认证信息,发送给与应用客户端对应的应用服务器,以使应用服务器对认证信息进行合法性校验。
具体地,本申请实施例提供的密钥管理客户端,可以执行本申请实施例提供的认证信息传输方法。该密钥管理客户端可以被配置在任意具有数据处理功能的计算机设备中。
在一种可能的实现形式中,上述密钥管理客户端,还包括:
第二获取模块,用于获取密钥管理服务端发送的应用服务器的签名键值,其中,签名键值是可信应用产生的;
第三发送模块,用于通过预设的硬件抽象层接口将签名键值发送给应用服务器。
在另一种可能的实现形式中,上述密钥管理客户端,还包括:
链接通路建立模块,用于建立密钥管理客户端与密钥管理服务端在硬件抽象层的链接通路。
在另一种可能的实现形式中,接收模块110,还用于:
通过预设的硬件抽象层接口,接收应用客户端发送的所述认证信息对应的应用客户端的标识;
上述密钥管理客户端,还包括:
确定模块,用于根据应用客户端的标识,确定与应用客户端对应的目标应用服务器;
相应的,上述第二发送模块140,具体用于:
通过预设的硬件抽象层接口将签名后的认证信息,发送给目标应用服务器。
在另一种可能的实现形式中,上述密钥管理客户端,还包括:
第四发送模块,用于将预设的硬件抽象层接口的标识发送给应用客户端。
需要说明的是,前述对认证信息传输方法实施例的解释说明也适用于该实施例的密钥管理客户端,其实现原理类似,此处不再赘述。
本申请实施例提供的密钥管理客户端,通过预设的硬件抽象层接口,接收应用客户端发送的认证信息后,可以先将认证信息发送给密钥管理服务端,以使密钥管理服务端将认证信息发送给可信执行环境中的可信应用,然后密钥管理客户端再获取密钥管理服务端转发的可信应用签名后的认证信息,最后通过预设的硬件抽象层接口将签名后的认证信息,发送给与应用客户端对应的应用服务器,以使应用服务器对认证信息进行合法性校验。由此,避免了由于系统频繁更新造成的信息认证通路建立过程的复杂、繁琐及成本高的问题,减少了认证信息的传输时长,提高了认证信息的可靠性。
在示例性实施例中,还提供了一种计算机设备。
图8是根据本申请一个示例性实施例示出的计算机设备的结构示意图。图8显示的计算机设备仅仅是一个示例,不应对本申请实施例的功能和使用范围带来任何限制。
参照图8,该计算机设备200包括:存储器210及处理器220,所述存储器210存储有计算机程序,所述计算机程序被处理器220执行时,使得所述处理器220执行如前述实施例所述的认证信息传输方法。
在一种可选的实现形式中,如图9所示,该计算机设备200还可以包括: 存储器210及处理器220,连接不同组件(包括存储器210和处理器220)的总线230,存储器210存储有计算机程序,当处理器220执行所述程序时实现本申请实施例所述的认证信息传输方法。
总线230表示几类总线结构中的一种或多种,包括存储器总线或者存储器控制器,外围总线,图形加速端口,处理器或者使用多种总线结构中的任意总线结构的局域总线。举例来说,这些体系结构包括但不限于工业标准体系结构(ISA)总线,微通道体系结构(MAC)总线,增强型ISA总线、视频电子标准协会(VESA)局域总线以及外围组件互连(PCI)总线。
计算机设备200典型地包括多种计算机设备可读介质。这些介质可以是任何能够被计算机设备200访问的可用介质,包括易失性和非易失性介质,可移动的和不可移动的介质。
存储器210还可以包括易失性存储器形式的计算机系统可读介质,例如随机存取存储器(RAM)240和/或高速缓存存储器250。计算机设备200可以进一步包括其它可移动/不可移动的、易失性/非易失性计算机系统存储介质。仅作为举例,存储系统260可以用于读写不可移动的、非易失性磁介质(图9未显示,通常称为“硬盘驱动器”)。尽管图9中未示出,可以提供用于对可移动非易失性磁盘(例如“软盘”)读写的磁盘驱动器,以及对可移动非易失性光盘(例如CD-ROM,DVD-ROM或者其它光介质)读写的光盘驱动器。在这些情况下,每个驱动器可以通过一个或者多个数据介质接口与总线230相连。存储器210可以包括至少一个程序产品,该程序产品具有一组(例如至少一个)程序模块,这些程序模块被配置以执行本申请各实施例的功能。
具有一组(至少一个)程序模块270的程序/实用工具280,可以存储在例如存储器210中,这样的程序模块270包括——但不限于——操作系统、一个或者多个应用程序、其它程序模块以及程序数据,这些示例中的每一个或某种组合中可能包括网络环境的实现。程序模块270通常执行本申请所描述的实施例中的功能和/或方法。
计算机设备200也可以与一个或多个外部设备290(例如键盘、指向设备、显示器291等)通信,还可与一个或者多个使得用户能与该计算机设备200交互的设备通信,和/或与使得该计算机设备200能与一个或多个其它计算设备进行通信的任何设备(例如网卡,调制解调器等等)通信。这种通信可以 通过输入/输出(I/O)接口292进行。并且,计算机设备200还可以通过网络适配器293与一个或者多个网络(例如局域网(LAN),广域网(WAN)和/或公共网络,例如因特网)通信。如图9所示,网络适配器293通过总线230与计算机设备200的其它模块通信。应当明白,尽管图9中未示出,可以结合计算机设备200使用其它硬件和/或软件模块,包括但不限于:微代码、设备驱动器、冗余处理单元、外部磁盘驱动阵列、RAID系统、磁带驱动器以及数据备份存储系统等。
需要说明的是,前述对认证信息传输方法实施例的解释说明也适用于该实施例的计算机设备,其实现原理类似,此处不再赘述。
本申请实施例提供的计算机设备中的密钥管理客户端,通过预设的硬件抽象层接口,接收应用客户端发送的认证信息后,可以先将认证信息发送给密钥管理服务端,以使密钥管理服务端将认证信息发送给可信执行环境中的可信应用,然后密钥管理客户端再获取密钥管理服务端转发的可信应用签名后的认证信息,最后通过预设的硬件抽象层接口将签名后的认证信息,发送给与应用客户端对应的应用服务器,以使应用服务器对认证信息进行合法性校验。由此,避免了由于系统频繁更新造成的信息认证通路建立过程的复杂、繁琐及成本高的问题,减少了认证信息的传输时长,提高了认证信息的可靠性。
在示例性实施例中,本申请还提出了一种认证信息传输系统,包括应用客户端、应用服务器、密钥管理服务端、可信应用,及如前述实施例所述的密钥管理客户端。
本申请实施例提供的认证信息传输系统,包括应用客户端、应用服务器、密钥管理服务端、可信应用,及如前述实施例所述的密钥管理客户端,密钥管理客户端通过预设的硬件抽象层接口,接收到应用客户端发送的认证信息后,可以通过密钥管理服务端,将认证信息发送给可信执行环境中的可信应用进行签名,并在可信应用对认证信息签名后,通过密钥管理服务端,接收签名后的认证信息,并将签名后的认证信息发送给应用客户端对应的应用服务器,以使应用服务器对认证信息进行合法性校验。由此,避免了由于系统频繁更新造成的信息认证通路建立过程的复杂、繁琐及成本高的问题,减少了认证信息的传输时长,提高了认证信息的可靠性。
在示例性实施例中,本申请还提出了一种计算机可读存储介质。
上述计算机可读存储介质,其上存储有计算机程序,该程序被处理器执行时,实现所述的认证信息传输方法。
需要说明的是,前述对认证信息传输方法实施例的解释说明也适用于该实施例的计算机可读存储介质,其实现原理类似,此处不再赘述。
本申请实施例提供的计算机可读存储介质,可以被配置在任意能够进行信息认证的计算机设备中,在进行信息认证时,通过执行其上存储的认证信息传输方法,能够避免由于系统频繁更新造成的信息认证通路建立过程的复杂、繁琐及成本高的问题,减少认证信息的传输时长,提高认证信息的可靠性。
在示例性实施例中,本申请还提出了一种计算机程序产品,当计算机程序产品中的指令由处理器执行时,执行如前述实施例中的认证信息传输方法。
本申请实施例提供的计算机程序产品,可以写入任意能够进行信息认证的计算机设备中,在进行信息认证时,通过执行对应认证信息传输方法的程序,能够避免由于系统频繁更新造成的信息认证通路建立过程的复杂、繁琐及成本高的问题,减少认证信息的传输时长,提高认证信息的可靠性。
在本申请的描述中,需要理解的是,术语“第一”、“第二”仅用于描述目的,而不能理解为指示或暗示相对重要性或者隐含指明所指示的技术特征的数量。由此,限定有“第一”、“第二”的特征可以明示或者隐含地包括一个或者更多个该特征。在本申请的描述中,“多个”的含义是两个或两个以上,除非另有明确具体的限定。
在本说明书的描述中,参考术语“一个实施例”、“一些实施例”、“示例”、“具体示例”、或“一些示例”等的描述意指结合该实施例或示例描述的具体特征或者特点包含于本申请的至少一个实施例或示例中。在本说明书中,对上述术语的示意性表述不必须针对的是相同的实施例或示例。而且,描述的具体特征或者特点可以在任一个或多个实施例或示例中以合适的方式结合。此外,在不相互矛盾的情况下,本领域的技术人员可以将本说明书中描述的不同实施例或示例以及不同实施例或示例的特征进行结合和组合。
流程图中或在此以其他方式描述的任何过程或方法描述可以被理解为,表 示包括一个或更多个用于实现特定逻辑功能或过程的步骤的可执行指令的代码的模块、片段或部分,并且本申请的优选实施方式的范围包括另外的实现,其中可以不按所示出或讨论的顺序,包括根据所涉及的功能按基本同时的方式或按相反的顺序,来执行功能,这应被本申请的实施例所属技术领域的技术人员所理解。
在流程图中表示或在此以其他方式描述的逻辑和/或步骤,例如,可以被认为是用于实现逻辑功能的可执行指令的定序列表,可以具体实现在任何计算机可读介质中,以供指令执行系统、装置或设备(如基于计算机的系统、包括处理器的系统或其他可以从指令执行系统、装置或设备取指令并执行指令的系统)使用,或结合这些指令执行系统、装置或设备而使用。就本说明书而言,"计算机可读介质"可以是任何可以包含、存储、通信、传播或传输程序以供指令执行系统、装置或设备或结合这些指令执行系统、装置或设备而使用的装置。计算机可读介质的更具体的示例(非穷尽性列表)包括以下:具有一个或多个布线的电连接部(电子装置),便携式计算机盘盒(磁装置),随机存取存储器(RAM),只读存储器(ROM),可擦除可编辑只读存储器(EPROM或闪速存储器),光纤装置,以及便携式光盘只读存储器(CDROM)。另外,计算机可读介质甚至可以是可在其上打印所述程序的纸或其他合适的介质,因为可以例如通过对纸或其他介质进行光学扫描,接着进行编辑、解译或必要时以其他合适方式进行处理来以电子方式获得所述程序,然后将其存储在计算机存储器中。
应当理解,本申请的各部分可以用硬件、软件、固件或它们的组合来实现。在上述实施方式中,多个步骤或方法可以用存储在存储器中且由合适的指令执行系统执行的软件或固件来实现。例如,如果用硬件来实现,和在另一实施方式中一样,可用本领域公知的下列技术中的任一项或他们的组合来实现:具有用于对数据信号实现逻辑功能的逻辑门电路的离散逻辑电路,具有合适的组合逻辑门电路的专用集成电路,可编程门阵列(PGA),现场可编程门阵列(FPGA)等。
本技术领域的普通技术人员可以理解实现上述实施例方法携带的全部或部分步骤是可以通过程序来指令相关的硬件完成,所述的程序可以存储于一种计算机可读存储介质中,该程序在执行时,包括方法实施例的步骤之一或其组 合。
此外,在本申请各个实施例中的各功能单元可以集成在一个处理模块中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个模块中。上述集成的模块既可以采用硬件的形式实现,也可以采用软件功能模块的形式实现。所述集成的模块如果以软件功能模块的形式实现并作为独立的产品销售或使用时,也可以存储在一个计算机可读取存储介质中。
上述提到的存储介质可以是只读存储器,磁盘或光盘等。尽管上面已经示出和描述了本申请的实施例,可以理解的是,上述实施例是示例性的,不能理解为对本申请的限制,本领域的普通技术人员在本申请的范围内可以对上述实施例进行变化、修改、替换和变型。
Claims (10)
- 一种认证信息传输方法,由计算设备执行,其特征在于,包括:密钥管理客户端通过预设的硬件抽象层接口,接收应用客户端发送的认证信息;所述密钥管理客户端,将所述认证信息发送给密钥管理服务端,以使所述密钥管理服务端将所述认证信息发送给可信执行环境中的可信应用;所述密钥管理客户端,获取所述密钥管理服务端转发的所述可信应用签名后的认证信息;所述密钥管理客户端,通过所述预设的硬件抽象层接口将所述签名后的认证信息,发送给与所述应用客户端对应的应用服务器,以使所述应用服务器对所述认证信息进行合法性校验。
- 如权利要求1所述的方法,其特征在于,所述密钥管理客户端,通过所述预设的硬件抽象层接口将所述签名后的认证信息,发送给与所述应用客户端对应的应用服务器之前,还包括:所述密钥管理客户端,获取所述密钥管理服务端发送的所述应用服务器的签名键值,其中,所述签名键值是所述可信应用产生的;所述密钥管理客户端,通过所述预设的硬件抽象层接口将所述签名键值发送给所述应用服务器。
- 如权利要求1所述的方法,其特征在于,所述密钥管理客户端,将所述认证信息发送给密钥管理服务端之前,还包括:所述密钥管理客户端与所述密钥管理服务端在硬件抽象层建立链接通路。
- 如权利要求1所述的方法,其特征在于,还包括:密钥管理客户端通过预设的硬件抽象层接口,接收应用客户端发送的所述认证信息对应的应用客户端的标识;所述密钥管理客户端,通过所述预设的硬件抽象层接口将所述签名后的认证信息,发送给与所述应用客户端对应的应用服务器之前,还包括:所述密钥管理客户端,根据所述应用客户端的标识,确定与所述应用客户 端对应的目标应用服务器;相应的,所述密钥管理客户端,通过所述预设的硬件抽象层接口将所述签名后的认证信息,发送给与所述应用客户端对应的应用服务器,包括:所述密钥管理客户端,通过所述预设的硬件抽象层接口将所述签名后的认证信息,发送给所述目标应用服务器。
- 如权利要求1-4任一所述的方法,其特征在于,所述密钥管理客户端通过预设的硬件抽象层接口,接收应用客户端发送的认证信息之前,还包括:所述密钥管理客户端,将所述预设的硬件抽象层接口的标识发送给所述应用客户端。
- 一种密钥管理客户端,其特征在于,包括:接收模块,用于通过预设的硬件抽象层接口,接收应用客户端发送的认证信息;第一发送模块,用于将所述认证信息发送给密钥管理服务端,以使所述密钥管理服务端将所述认证信息发送给可信执行环境中的可信应用;第一获取模块,用于获取所述密钥管理服务端转发的所述可信应用签名后的认证信息;第二发送模块,用于通过所述预设的硬件抽象层接口将所述签名后的认证信息,发送给与所述应用客户端对应的应用服务器,以使所述应用服务器对所述认证信息进行合法性校验。
- 如权利要求6所述的密钥管理客户端,其特征在于,还包括:第二获取模块,用于获取所述密钥管理服务端发送的所述应用服务器的签名键值,其中,所述签名键值是所述可信应用产生的;第三发送模块,用于通过所述预设的硬件抽象层接口将所述签名键值发送给所述应用服务器。
- 一种计算机设备,其特征在于,包括存储器、处理器及存储在存储器上并可在处理器上运行的计算机程序,所述处理器执行所述程序时,以实现如 权利要求1-5任一所述的认证信息传输方法。
- 一种认证信息传输系统,其特征在于,包括应用客户端、应用服务器、密钥管理服务端、可信应用,及如权利要求6或7所述的密钥管理客户端。
- 一种计算机可读存储介质,其上存储有计算机程序,其特征在于,该程序被处理器执行时,实现如权利要求1-5任一所述的认证信息传输方法。
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP19849693.7A EP3754934B1 (en) | 2018-08-16 | 2019-08-09 | Authentication information transmission method, key management client and computer device |
JP2020550824A JP6982199B2 (ja) | 2018-08-16 | 2019-08-09 | 認証情報伝送方法、キー管理クライアントおよびコンピュータ装置 |
US17/018,559 US20200412535A1 (en) | 2018-08-16 | 2020-09-11 | Authentication information transmission method, apparatus, and storage medium |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810936092.2A CN109040088B (zh) | 2018-08-16 | 2018-08-16 | 认证信息传输方法、密钥管理客户端及计算机设备 |
CN201810936092.2 | 2018-08-16 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/018,559 Continuation US20200412535A1 (en) | 2018-08-16 | 2020-09-11 | Authentication information transmission method, apparatus, and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2020034907A1 true WO2020034907A1 (zh) | 2020-02-20 |
Family
ID=64631697
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2019/100004 WO2020034907A1 (zh) | 2018-08-16 | 2019-08-09 | 认证信息传输方法、密钥管理客户端及计算机设备 |
Country Status (5)
Country | Link |
---|---|
US (1) | US20200412535A1 (zh) |
EP (1) | EP3754934B1 (zh) |
JP (1) | JP6982199B2 (zh) |
CN (1) | CN109040088B (zh) |
WO (1) | WO2020034907A1 (zh) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111414638A (zh) * | 2020-04-23 | 2020-07-14 | 飞天诚信科技股份有限公司 | 一种区分密钥生成方式的实现方法及装置 |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109040088B (zh) * | 2018-08-16 | 2022-02-25 | 腾讯科技(深圳)有限公司 | 认证信息传输方法、密钥管理客户端及计算机设备 |
US11327782B2 (en) * | 2019-07-19 | 2022-05-10 | Vmware, Inc. | Supporting migration of virtual machines containing enclaves |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2016057086A2 (en) * | 2014-06-10 | 2016-04-14 | Qualcomm Incorporated | Common modulus rsa key pairs for signature generation and encryption/decryption |
CN105574720A (zh) * | 2015-12-14 | 2016-05-11 | 联想(北京)有限公司 | 安全的信息处理方法以及信息处理装置 |
CN107067250A (zh) * | 2015-09-09 | 2017-08-18 | 三星电子株式会社 | 用于执行支付的方法和装置 |
CN107133794A (zh) * | 2017-05-08 | 2017-09-05 | 奇酷互联网络科技(深圳)有限公司 | Ifaa指纹支付装置、系统、方法和移动终端 |
CN108282466A (zh) * | 2017-12-29 | 2018-07-13 | 北京握奇智能科技有限公司 | 用于在tee中提供数字证书功能的方法、系统 |
CN109040088A (zh) * | 2018-08-16 | 2018-12-18 | 腾讯科技(深圳)有限公司 | 认证信息传输方法、密钥管理客户端及计算机设备 |
Family Cites Families (25)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP4053628B2 (ja) * | 1997-06-13 | 2008-02-27 | インターシア ソフトウェア エルエルシー | 電子透かしを利用するデジタルコンテンツ管理システム |
JP4763866B2 (ja) * | 1998-10-15 | 2011-08-31 | インターシア ソフトウェア エルエルシー | 2重再暗号化によりデジタルデータを保護する方法及び装置 |
US7694121B2 (en) * | 2004-06-30 | 2010-04-06 | Microsoft Corporation | System and method for protected operating system boot using state validation |
US9436804B2 (en) * | 2005-04-22 | 2016-09-06 | Microsoft Technology Licensing, Llc | Establishing a unique session key using a hardware functionality scan |
US7644264B1 (en) * | 2006-10-17 | 2010-01-05 | Symantec Corporation | Method and system for creating and deploying disk images |
US20100058450A1 (en) * | 2008-08-28 | 2010-03-04 | Gene Fein | Pass code provision |
US9183361B2 (en) * | 2011-09-12 | 2015-11-10 | Microsoft Technology Licensing, Llc | Resource access authorization |
US10270748B2 (en) * | 2013-03-22 | 2019-04-23 | Nok Nok Labs, Inc. | Advanced authentication techniques and applications |
JP5876190B2 (ja) * | 2013-04-19 | 2016-03-02 | インテル コーポレイション | ロケーション・アプリケーションおよびロケーション・プロバイダによって信頼できる通信をおこなうための技術 |
FR3018972B1 (fr) * | 2014-03-18 | 2016-04-15 | Proton World Int Nv | Secure nfc routing |
CN106487511B (zh) * | 2015-08-27 | 2020-02-04 | 阿里巴巴集团控股有限公司 | 身份认证方法及装置 |
CN106899551B (zh) * | 2015-12-21 | 2020-04-17 | 中国电信股份有限公司 | 认证方法、认证终端以及系统 |
US10031760B1 (en) * | 2016-05-20 | 2018-07-24 | Xilinx, Inc. | Boot and configuration management for accelerators |
US20180019986A1 (en) * | 2016-07-12 | 2018-01-18 | Qualcomm Incorporated | User privacy protected location-based authentication on mobile devices |
CN107733636B (zh) * | 2016-08-11 | 2021-03-02 | 中国电信股份有限公司 | 认证方法以及认证系统 |
US11036870B2 (en) * | 2016-08-22 | 2021-06-15 | Mastercard International Incorporated | Method and system for secure device based biometric authentication scheme |
CN107066885A (zh) * | 2016-10-11 | 2017-08-18 | 深圳市华威世纪科技股份有限公司 | 跨平台可信中间件的实现系统及实现方法 |
CN107066861B (zh) * | 2017-03-20 | 2020-01-14 | Oppo广东移动通信有限公司 | 一种指纹事件的处理方法及移动终端 |
CN107038363B (zh) * | 2017-03-20 | 2020-01-14 | Oppo广东移动通信有限公司 | 一种指纹消息的处理方法及移动终端 |
US10452381B2 (en) * | 2017-04-04 | 2019-10-22 | OpenPath Security Inc. | Fragmented updating of a distributed device using multiple clients |
US10721130B2 (en) * | 2017-05-15 | 2020-07-21 | Citrix Systems, Inc. | Upgrade/downtime scheduling using end user session launch data |
US10999081B2 (en) * | 2018-04-12 | 2021-05-04 | Microsoft Technology Licensing, Llc | Dynamic certificate management for a distributed authentication system |
US10841291B2 (en) * | 2018-05-31 | 2020-11-17 | Vmware, Inc. | Method for block authentication using embedded virtual machines |
CN109960582B (zh) * | 2018-06-19 | 2020-04-28 | 华为技术有限公司 | 在tee侧实现多核并行的方法、装置及系统 |
US10754952B2 (en) * | 2018-07-23 | 2020-08-25 | Vmware, Inc. | Host software metadata verification during remote attestation |
-
2018
- 2018-08-16 CN CN201810936092.2A patent/CN109040088B/zh active Active
-
2019
- 2019-08-09 WO PCT/CN2019/100004 patent/WO2020034907A1/zh unknown
- 2019-08-09 JP JP2020550824A patent/JP6982199B2/ja active Active
- 2019-08-09 EP EP19849693.7A patent/EP3754934B1/en active Active
-
2020
- 2020-09-11 US US17/018,559 patent/US20200412535A1/en active Pending
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2016057086A2 (en) * | 2014-06-10 | 2016-04-14 | Qualcomm Incorporated | Common modulus rsa key pairs for signature generation and encryption/decryption |
CN107067250A (zh) * | 2015-09-09 | 2017-08-18 | 三星电子株式会社 | 用于执行支付的方法和装置 |
CN105574720A (zh) * | 2015-12-14 | 2016-05-11 | 联想(北京)有限公司 | 安全的信息处理方法以及信息处理装置 |
CN107133794A (zh) * | 2017-05-08 | 2017-09-05 | 奇酷互联网络科技(深圳)有限公司 | Ifaa指纹支付装置、系统、方法和移动终端 |
CN108282466A (zh) * | 2017-12-29 | 2018-07-13 | 北京握奇智能科技有限公司 | 用于在tee中提供数字证书功能的方法、系统 |
CN109040088A (zh) * | 2018-08-16 | 2018-12-18 | 腾讯科技(深圳)有限公司 | 认证信息传输方法、密钥管理客户端及计算机设备 |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111414638A (zh) * | 2020-04-23 | 2020-07-14 | 飞天诚信科技股份有限公司 | 一种区分密钥生成方式的实现方法及装置 |
CN111414638B (zh) * | 2020-04-23 | 2023-03-24 | 飞天诚信科技股份有限公司 | 一种区分密钥生成方式的实现方法及装置 |
Also Published As
Publication number | Publication date |
---|---|
CN109040088A (zh) | 2018-12-18 |
EP3754934A4 (en) | 2021-05-26 |
JP6982199B2 (ja) | 2021-12-17 |
JP2021516918A (ja) | 2021-07-08 |
CN109040088B (zh) | 2022-02-25 |
EP3754934B1 (en) | 2023-11-08 |
US20200412535A1 (en) | 2020-12-31 |
EP3754934A1 (en) | 2020-12-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
KR102382474B1 (ko) | 보안 전송 프로토콜을 사용하여 신뢰를 설정하기 위한 시스템 및 방법 | |
US10503919B2 (en) | Electronic signature framework with keystroke biometric authentication | |
US9871821B2 (en) | Securely operating a process using user-specific and device-specific security constraints | |
EP2441208B1 (en) | Access control to secured application features using client trust levels | |
KR101671351B1 (ko) | 통합 보안 엔진을 사용하는 웹 서비스 제공자를 위한 프라이버시 강화 키 관리 | |
TWI667586B (zh) | 用以核對uefi認證變量變化之系統及方法 | |
US9166786B2 (en) | Personal portable secured network access system | |
CN110826043B (zh) | 一种数字身份申请系统及方法、身份认证系统及方法 | |
US9032496B2 (en) | Secure single sign-on | |
US11394712B2 (en) | Secure account access | |
US9569602B2 (en) | Mechanism for enforcing user-specific and device-specific security constraints in an isolated execution environment on a device | |
US9185086B1 (en) | Apparatus, system and method for secure data exchange | |
US20130276131A1 (en) | Privacy from cloud operators | |
WO2020034907A1 (zh) | 认证信息传输方法、密钥管理客户端及计算机设备 | |
US11777942B2 (en) | Transfer of trust between authentication devices | |
KR102112897B1 (ko) | 신뢰 및 비신뢰 플랫폼에 걸쳐 인터넷 액세스가능 애플리케이션 상태를 로밍하는 기법 | |
US20240073024A1 (en) | Passkey integration techniques for identity management | |
US11689923B2 (en) | Method and system for generating a secure one-time passcode using strong authentication | |
US12039527B2 (en) | Service providing system, service providing device, service providing method, and service providing program | |
US10425395B2 (en) | Single sign on system for secure networks | |
CN112187786A (zh) | 网络服务的业务处理方法、装置、服务器及存储介质 | |
US11917087B2 (en) | Transparent short-range wireless device factor in a multi-factor authentication system | |
US20230246829A1 (en) | Implementing enhanced computer security standard for secure cryptographic key storage using a software-based keystore | |
US20220376927A1 (en) | Method and apparatus for delivering signed content | |
CN113987461A (zh) | 身份认证方法、装置和电子设备 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 19849693 Country of ref document: EP Kind code of ref document: A1 |
|
ENP | Entry into the national phase |
Ref document number: 2020550824 Country of ref document: JP Kind code of ref document: A |
|
ENP | Entry into the national phase |
Ref document number: 2019849693 Country of ref document: EP Effective date: 20200916 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |