WO2020199028A1 - Security chip, security processing method and related device - Google Patents

Security chip, security processing method and related device Download PDF

Info

Publication number
WO2020199028A1
WO2020199028A1 PCT/CN2019/080650 CN2019080650W WO2020199028A1 WO 2020199028 A1 WO2020199028 A1 WO 2020199028A1 CN 2019080650 W CN2019080650 W CN 2019080650W WO 2020199028 A1 WO2020199028 A1 WO 2020199028A1
Authority
WO
WIPO (PCT)
Prior art keywords
wallet
security
private key
memory
processor
Prior art date
Application number
PCT/CN2019/080650
Other languages
French (fr)
Chinese (zh)
Inventor
谢美伦
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Priority to CN201980094248.XA priority Critical patent/CN113574828A/en
Priority to PCT/CN2019/080650 priority patent/WO2020199028A1/en
Publication of WO2020199028A1 publication Critical patent/WO2020199028A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords

Definitions

  • This application relates to the field of blockchain technology, in particular to a security chip, a security processing method and related equipment.
  • Blockchain technology is a kind of Internet database technology, which is characterized by decentralization, openness and transparency, allowing everyone to participate in database records. Its essence is a distributed public ledger. Teens can check this ledger, but there is no single user who can control it, that is, the participants in the blockchain system must maintain together in accordance with strict rules and consensus. The update of the ledger, therefore, is also called distributed ledger technology.
  • blockchain wallets are used to generate blockchain private keys, public keys, and addresses that meet a certain public chain specification. They are divided into hot wallets and cold wallets. Hot wallets are also called online wallets, such as mobile phones. Wallets, computer client wallets, browser plug-in wallets, web wallets and other wallets that have been connected to the Internet. This type of wallet is convenient to use but has low security; cold wallets are also called offline wallets, such as hardware wallets, paper wallets, brain wallets, etc. Wallets that are not connected to the Internet have high security but are inconvenient to carry and use.
  • the blockchain wallet business is carried out through a personal computer (PC), a client provided by a mobile phone, a browser plug-in, and a web page.
  • PC personal computer
  • the security mechanism depends on the system security provided by Windows and Android. If the system itself is vulnerable Many and insecure, it will cause security problems such as the leakage of the blockchain wallet key and transaction interception.
  • the cold wallet because the wallet information is stored on a physically isolated network (such as a computer, mobile phone, paper with a private key or a small notebook) that is not connected to the Internet, it is necessary to carry an extra cold wallet for each transaction and use the online
  • the terminal and the cold wallet carry out multiple signature authentication interactions, resulting in a complicated transaction process.
  • the cold wallet also has risks such as artificial copying and cracking of wallet information.
  • the embodiments of the present invention provide a secure element, a secure processing method, and related equipment to enhance the flexibility and security of a blockchain wallet.
  • an embodiment of the present invention provides a secure element, which may include: a processor, a first memory, and a second memory, the processor, the first memory, and the second memory are integrated in a semiconductor chip
  • the processor is used to run a secure operating system and a blockchain wallet program based on the secure operating system
  • the first memory is used to provide the processor to run the secure operating system and all The memory space required by the blockchain wallet program
  • the processor is also used to generate a mnemonic under the action of the blockchain wallet program, and obtain the wallet of the blockchain wallet based on the mnemonic
  • the private key is used to write the wallet private key into the second memory
  • the second memory is used to store the wallet private key.
  • the application of the blockchain wallet is run inside the secure element, and the wallet private key of the blockchain wallet (including the generation of the mnemonic) is generated inside the secure element, from the blockchain wallet private key
  • the source of generation guarantees its security, and the generated wallet private key is stored in the secure element to avoid illegal acquisition, which further improves the security of the blockchain wallet; and, because the secure element can use the
  • the communication and networking functions in the smart device perform transactions, so the above-mentioned shortcomings of the cold wallet can be overcome, making transactions more flexible and convenient. That is, the security element has both the flexibility of a hot wallet and the security of a cold wallet.
  • the processor is further configured to read the wallet private key from the second memory, and use the wallet private key to verify the blockchain in the secure element.
  • the transaction data of the wallet is decrypted or signed.
  • the wallet private key of the blockchain wallet in the secure element, when the wallet private key needs to be used for decryption or signing and other related operations, it is read from the corresponding memory and stored in the secure element. Perform decryption or signature inside, avoid exposing the wallet private key to the ordinary external environment, so as to improve the security performance of the blockchain wallet.
  • the secure element further includes: an encryption and decryption engine for performing security processing on the wallet private key after the processor generates the wallet private key, and the security processing Including at least one of security encryption or integrity protection; the processor is specifically configured to write the wallet private key after the security processing into the second memory; the second memory is specifically used To store the wallet private key after the security processing.
  • the encryption and decryption engine since the encryption and decryption engine is independent of the processor in the secure element, it is dedicated to achieving security processing/verification related functions, and can be used to perform security processing on the wallet private key after the processor generates the wallet private key to ensure The wallet private key will not be leaked or tampered with before use, which is beneficial to improve the processing performance during security verification.
  • the encryption and decryption engine may be a hardware accelerator.
  • the processor is specifically configured to read the wallet private key after the security processing from the second memory, and to transfer the wallet after the security processing
  • the private key and the transaction data of the blockchain wallet are sent to the encryption and decryption engine; the encryption and decryption engine is also used to perform security verification on the wallet private key after the security processing, and after the security verification is successful , Using the wallet private key to decrypt or sign the transaction data of the blockchain wallet, and feedback the decrypted or signed transaction data to the processor, and the security verification is the reverse operation of the security processing .
  • the processor of the secure element needs to use the wallet key to sign the blockchain assets sold, or perform the blockchain assets that need to be purchased.
  • it reads the security-processed wallet private key from the second storage and sends it to the encryption and decryption engine for security verification.
  • the wallet private key pair is used in the encryption and decryption engine.
  • the transaction data is decrypted or signed, and the result is fed back to the processor. Avoid exposing the wallet private key outside the secure element, and the performance of the security processing and verification process can be enhanced through a dedicated encryption and decryption engine.
  • the secure element further includes: a random number generator, configured to generate a random number; the processor is specifically configured to obtain the random number from the random number generator, based on the The random number generates the mnemonic.
  • the processor is further specifically configured to generate a seed of the blockchain wallet according to the mnemonic, and generate at least one wallet private key of the blockchain wallet according to the seed.
  • the random number used to generate the mnemonic is generated in the random number generator in the secure element, and the random number generated by the random number generator is random, therefore, the mnemonic can be guaranteed
  • the absolute security of the mnemonic can guarantee the security of the seed and the wallet private key generated according to the mnemonic.
  • the random number generator is a true random number generator.
  • the blockchain wallet program is stored in a first security domain in the second memory, and the first security domain is a storage space dedicated to the blockchain wallet program;
  • the processor is specifically configured to load the blockchain wallet program from the first security domain to the second security domain of the first memory for operation, and the second security domain is the zone A dedicated operating space for blockchain wallet programs.
  • the wallet private key is stored in the first security domain of the second memory.
  • the dedicated storage space and dedicated operating space of the blockchain wallet application are opened up in the storage space and memory space inside the secure element, so that other programs in the secure element are logically isolated from the blockchain wallet. It further improves the security of the storage and operation of the blockchain wallet program.
  • the transaction data of the blockchain wallet includes blockchain asset purchase data or blockchain asset sale data.
  • using the wallet private key to decrypt or sign the transaction data of the blockchain wallet in the secure element may include using the wallet private key to decrypt the blockchain asset purchase data, or Including the use of the wallet private key to sign the block chain asset sale data, that is, the block chain wallet transaction data includes the two-way buying and selling process in the block chain transaction.
  • the processor is further configured to: generate a wallet public key and a wallet address according to the wallet private key.
  • the public key or wallet address used for external transactions in the blockchain wallet is generated inside the secure element to ensure the integrity and security of the blockchain wallet transaction function.
  • an embodiment of the present invention provides a security device, which may include:
  • the security element according to any one of the foregoing first aspect and at least one central processing unit coupled to the security element;
  • the at least one central processing unit is configured to run general operating system software and communicate with the secure element under the action of the general operating system software.
  • the at least one central processing unit is further configured to send transaction data of the blockchain wallet to the secure element in a trusted execution environment.
  • the security element provided in the first aspect and the central processing unit coupled with the security element are provided in the security device, so that the security element can be used as a dedicated security processing chip in the security device for processing Related sensitive data in the blockchain wallet (including the generation and use of the wallet private key, etc.), while the central processing unit runs the general operating system to process the non-sensitive data of the blockchain wallet and other application data. It not only ensures the security and isolation of the blockchain wallet program in the security device, but also realizes other common functions of the security device.
  • the at least one central processing unit is further configured to send transaction data of the blockchain wallet to the secure element in a trusted execution environment.
  • the security device is divided into a three-tier architecture of rich execution environment, trusted execution environment, and safe execution environment, so that the sub-sensitive data in the blockchain wallet can be processed through the trusted execution environment, that is, the block
  • the data of the blockchain wallet is divided into multiple security levels according to its sensitivity and importance, and the different levels of execution environment in the security device are used to make the data of the blockchain wallet complete security protection.
  • the security device further includes: a memory located outside the semiconductor chip.
  • an embodiment of the present invention provides a security processing method, which is characterized in that it includes:
  • the first memory in the secure element provides the processor with memory space required to run the secure operating system and the blockchain wallet program;
  • the processor Under the action of the blockchain wallet program, the processor generates a mnemonic, obtains the wallet private key of the blockchain wallet based on the mnemonic, and stores the wallet private key in the secure element In the second memory.
  • the method further includes: reading the wallet private key from the second memory by the processor, and using the wallet private key to register the wallet in the secure element
  • the transaction data of the blockchain wallet is decrypted or signed.
  • the method further includes: the encryption and decryption engine in the secure element performs security processing on the wallet private key after the processor generates the wallet private key, and the security The processing includes at least one of security encryption or integrity protection; the storing, by the processor, of the wallet private key in the second memory of the secure element includes: passing through the processor by the processor The securely processed wallet private key is written into the second memory.
  • the processor reads the wallet private key from the second memory, and uses the wallet private key to perform transactions on the blockchain wallet in the secure element
  • Decrypting or signing the data includes: reading the wallet private key after the security processing from the second memory by the processor, and converting the wallet private key and the area after the security processing
  • the transaction data of the blockchain wallet is sent to the encryption and decryption engine; the method further includes: the encryption and decryption engine performs security verification on the wallet private key after the security processing, and after the security verification is successful, Using the wallet private key to decrypt or sign the transaction data of the blockchain wallet, and feedback the decrypted or signed transaction data to the processor, the security verification is the reverse operation of the security processing.
  • the method further includes: generating a random number by a random number generator in the secure element; and generating the mnemonic by the processor includes: The random number is acquired from the random number generator, and the mnemonic is generated based on the random number.
  • the obtaining the wallet private key of the blockchain wallet based on the mnemonic includes: generating a seed of the blockchain wallet according to the mnemonic, and generating the blockchain according to the seed At least one of the wallet private keys of the wallet.
  • the blockchain wallet program is stored in a first security domain in the second memory, and the first security domain is a storage space dedicated to the blockchain wallet program;
  • the operation of the secure operating system and the blockchain wallet program based on the secure operating system through the processor in the secure element includes: the processor removes the blockchain wallet program from the first secure domain It is loaded into the second security domain of the first memory for operation, and the second security domain is a dedicated operating space for the blockchain wallet program.
  • the wallet private key is stored in the first security domain of the second memory.
  • the transaction data of the blockchain wallet includes blockchain asset purchase data or blockchain asset sale data.
  • the method further includes: generating, by the processor, a wallet public key and a wallet address according to the wallet private key.
  • the present application provides a security device that has the function of realizing any of the foregoing security processing methods.
  • This function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the present application provides a terminal that includes a secure element, and the secure element is configured to support the terminal to perform a corresponding function in a secure processing method provided in the fourth aspect.
  • the terminal may also include a memory, which is used for coupling with the secure element and stores necessary program instructions and data for the terminal.
  • the terminal may also include a communication interface for the terminal to communicate with other devices or communication networks.
  • the present application provides a computer storage medium that stores a computer program that, when executed by a secure element, implements the process of the security processing method described in any one of the foregoing fourth aspects.
  • an embodiment of the present invention provides a computer program, the computer program including instructions, when the computer program is executed by a secure element, the secure element can execute the secure processing method described in any one of the fourth aspect Process.
  • the present application provides a chip system that includes a secure element for implementing the functions involved in the process of the secure processing method described in any one of the fourth aspects.
  • the chip system further includes a memory, which is used to store program instructions and data necessary or related to the security processing method.
  • the chip system can be composed of chips, or include chips and other discrete devices.
  • FIG. 1 is a schematic structural diagram of a security element provided by an embodiment of the present invention
  • Figure 2 is a schematic structural diagram of another security element provided by an embodiment of the present invention.
  • FIG. 3 is a schematic structural diagram of another security element provided by an embodiment of the present invention.
  • Figure 4 is a security device provided by an embodiment of the present invention.
  • FIG. 5 is a simplified schematic diagram of a software system architecture for secure transactions of blockchain wallets according to an embodiment of the present invention
  • Figure 6 is a diagram of a remote configuration network architecture based on a TSM architecture provided by an embodiment of the invention.
  • FIG. 7 is a schematic flowchart of a security processing method provided by an embodiment of the present invention.
  • component used in this specification are used to denote computer-related entities, hardware, firmware, a combination of hardware and software, software, or software in execution.
  • the component may be, but is not limited to, a process, a processor, an object, an executable file, an execution thread, a program, and/or a computer running on a processor.
  • the application running on the computing device and the computing device can be components.
  • One or more components may reside in processes and/or threads of execution, and components may be located on one computer and/or distributed among two or more computers.
  • these components can be executed from various computer readable media having various data structures stored thereon.
  • the component may be based on, for example, a signal having one or more data packets (such as data from two components interacting with another component in a local system, a distributed system, and/or a network, such as the Internet that interacts with other systems through signals) Communicate through local and/or remote processes.
  • a signal having one or more data packets (such as data from two components interacting with another component in a local system, a distributed system, and/or a network, such as the Internet that interacts with other systems through signals) Communicate through local and/or remote processes.
  • Integrated Circuit that is, an IC chip is an integrated circuit formed by a large number of microelectronic components (transistors, resistors, capacitors, etc.) on a plastic base to make a chip.
  • Rich Execution Environment generally used to run Android and other feature-rich operating systems, and defined by Trustzone ARM that can support a fully trusted execution environment (TEE) and security-aware applications and security
  • TEE trusted execution environment
  • TEE Trusted execution environment
  • TA Trusted Application
  • Trust OS Trusted Operating System
  • Bitcoin also known as "Bit Gold”
  • Bit Gold is a virtual currency on the Internet. Netizens can use Bitcoin to buy some virtual items, such as clothes, hats, and equipment in online games. Netizens also use it to buy reality. The condition of the item.
  • Public key and private key The holder of the private key is the holder of the currency in the bank card.
  • the private key can calculate the public key, the public key can generate a wallet address through a series of digital signatures, and the data encrypted with the private key can be decrypted with the public key, and vice versa.
  • Wallet address Similar to a bank card number, one person can have multiple bank cards, and similarly, he can also have multiple wallet addresses. One wallet address can only correspond to one private key.
  • TRNG True Random Number Generator
  • API Application Protocol Data Unit
  • KDF Key Derivation Function
  • FIG. 1 is a schematic structural diagram of a secure element provided by an embodiment of the present invention.
  • the secure element 10 may include a processor 101, a first memory 102, and a second memory 103, and the processor 101, the first memory
  • the memory 102 and the second memory 103 are integrated in the semiconductor chip IC1.
  • the processor 101 is used to run a secure operating system and a blockchain wallet program based on the secure operating system.
  • This security operating system is different from ordinary operating systems, it can be an on-chip operating system (Chip Operating System, COS), which is also called COS mirroring, which can be equivalent to a resident smart card or a financial integrated circuit (IC) card Operating system software inside.
  • COS Chip Operating System
  • the secure operating system can be used to run applications installed in the secure element, such as the blockchain wallet program in this application, or other applications that require security protection, such as bank payment applications, bus payment applications, identity authentication applications, etc.
  • the blockchain wallet is software for generating and managing keys, addresses, tracking balances, and creating transactions.
  • the blockchain wallet program stored and running in the secure element 10 in this application can be a complete
  • the blockchain wallet software can also be a part of the functional programs in the blockchain wallet software.
  • the blockchain wallet program can be a small application Applet that requires high security.
  • the first memory 102 is configured to provide the processor 101 with memory space required for running the secure operating system and the blockchain wallet program. That is, the first memory 102 can store intermediate data or temporary data generated by the processor 101 running a secure operating system and a blockchain wallet program, which can also be referred to as memory data.
  • the memory data includes not only the aforementioned intermediate data or temporary data, but also various intermediate calculation result data or configuration data generated by running algorithms or processes. Since the memory data is process data generated by running a software, it does not need to be stored for a long time, and may be lost when the equipment or device is powered off.
  • the first memory 102 may be a random access memory (Random Access Memory, RAM) or a power-off volatile storage device, such as a static random access memory (Static Random Access Memory, SRAM) and a dynamic random access memory (Dynamic Random Access Memory, SRAM). Random Access Memory (DRAM) or synchronous dynamic random access memory (Synchronous DRAM, SDRAM), double rate SDRAM (Dual Data Rate SDRAM, DDR SDRAM), etc.
  • RAM Random Access Memory
  • SRAM static random access memory
  • DRAM synchronous dynamic random access memory
  • SDRAM synchronous dynamic random access memory
  • DDR SDRAM Double rate SDRAM
  • the processor 101 is further configured to generate a mnemonic under the action of the blockchain wallet program, obtain the wallet private key of the blockchain wallet based on the mnemonic, and write the wallet private key to all In the second memory 103.
  • the backup of the wallet private key (private key for short) is very important. Once the private key is obtained, the right to use the blockchain wallet corresponding to the private key is obtained, and all the accounts on the account are obtained. Assets, therefore, users must remember and keep the private key to avoid illegal acquisition. But under normal circumstances, the private key has 256 bits and is represented by a 64-bit hexadecimal hash value string.
  • mnemonics are used to help users remember complex private keys.
  • mnemonics are generally composed of 12, 15, 18, 21 words (which can be English, French, Chinese, or even dialects, etc.) These words are all taken from a fixed vocabulary, and their generation sequence is also based on a certain algorithm. Mnemonic can be considered as another form of expression of the plaintext private key, so it is usually not stored in the blockchain wallet. On the terminal device, it is stored in other places, such as a notebook or a brain.
  • the processor 101 generates a mnemonic inside the secure element, and obtains the private key of the blockchain wallet based on the mnemonic.
  • the specific obtaining process may be based on the assistance in the processor 101
  • the wallet private key is calculated by combining the token with a preset private key algorithm (such as a hash algorithm); it can also be the processor 101 that controls other dedicated function modules (such as the encryption and decryption engine described later) inside the secure element 10 to generate the wallet
  • the private key is not specifically limited in this application. Since both the mnemonic and the wallet private key are generated inside the secure element 10, the security of the wallet private key can be ensured from the source and process of generating the wallet private key.
  • the second memory 103 is used to store the wallet private key. Since the wallet private key of the blockchain wallet is different from the intermediate data or temporary data of the processor 101 running the secure operating system and the blockchain wallet program, as a result of the data, it needs to be called in subsequent blockchain transactions for decryption or Signed, so it needs to be stored for a long time.
  • the second memory 103 may be a read-only memory (Read Only Memory, ROM) or a non-power-down volatile memory, such as a programmable ROM (Programmable ROM, PROM), an erasable programmable ROM (Erasable Programmable ROM, EPROM), electrically erasable programmable ROM (Electrically Erasable Programmable ROM, EEPROM), flash ROM (FLASH ROM), etc.
  • the wallet private key may also be stored in the second memory 103 after undergoing security processing (such as encryption or integrity protection, etc.) by the processor 101.
  • the second memory 103 may also be used to store the blockchain wallet program or other security applications in the embodiment of the present invention. Further optionally, the second storage 103 may also store related transaction information, account information, asset information, etc. of the blockchain wallet.
  • the processor 101 is further configured to read the wallet private key from the second memory 103, and use the wallet private key to perform transaction data on the blockchain wallet in the secure element 10. Decrypt or sign.
  • the private key is equivalent to the bank card password and is non-public, used to prove the identity and assets of the user, while the public key is equivalent to the bank card number, which is public and used for other users to transfer money.
  • the private key is equivalent to the bank card number, which is public and used for other users to transfer money.
  • user A sells his own blockchain assets to user B
  • he will use the private key A that can prove A’s identity to sign the blockchain asset to prove that the asset belongs to A and will be signed by the private key A
  • the blockchain asset is encrypted by user B’s public key B'(known), indicating that it is sent to user B’s address.
  • user B uses his private key B to decrypt the address and finds that the blockchain asset is Send to yourself, and then use A's public key A'(known) to verify the blockchain asset. After the verification is successful, it means that the blockchain asset is indeed issued by A. So far, user A and user B have completed the transaction of blockchain assets.
  • the seller A uses (own private key A + the other party's public key B') to securely process the sold blockchain assets, and the buyer B uses (the other party's public key A' +Own private key B) Perform security verification on the purchased blockchain assets, thereby completing the secure transaction of blockchain assets.
  • the private key is used to sign the seller
  • the private key is used to decrypt the buyer
  • the public key is used to verify the signature for the other party (buyer).
  • the public key is used to encrypt the other party (seller); that is, the public key is disclosed by the user, used to encrypt and verify the signature, and is for others; the private key is used for decryption and signature. It is for my own use.
  • the processor 101 performs the process of using the wallet private key (including decryption or signature) inside the secure element, that is, when the private key needs to be used, the processor 101 reads the private key from the second memory 103 It is then used inside the secure element 10 to avoid exposing the wallet private key to the ordinary external environment, which improves the security performance of the blockchain wallet.
  • the wallet private key including decryption or signature
  • the transaction data of the blockchain wallet includes blockchain asset purchase data or blockchain asset sale data. That is, in the embodiment of the present invention, using the wallet private key to decrypt or sign the transaction data of the blockchain wallet in the secure element 10 may include using the wallet private key to decrypt the blockchain asset purchase data, It can also include using the wallet private key to sign the blockchain asset sale data, that is, the transaction data of the blockchain wallet includes the two-way buying and selling process in the blockchain transaction.
  • the secure element in the embodiment of the present invention has an independent processor 101, memory (first memory 102), and storage unit (second memory 103), the central operating system and applications of the smart device coupled with the secure element 10 can be realized
  • the physical isolation of the software execution environment therefore, can provide a higher security environment for the blockchain wallet program running inside the secure element 10, and because the secure element can use the communication and networking functions in the smart device to which it is coupled Therefore, it can overcome the shortcomings of cold wallets and make transactions flexible and convenient.
  • the security of the wallet private key generation is ensured from the source and the generation process, and at the same time, the generated wallet private key is stored in the first part of the secure element 10.
  • the leakage or illegal tampering of the private key is avoided, and the security of the wallet private key storage is ensured; further, when the blockchain wallet needs to use the private key, the processor 101 reads the storage in the second
  • the private key in the memory 103 is decrypted or signed inside the secure element 10, which ensures the security of the wallet private key.
  • the embodiment of the present invention realizes the core functions of the blockchain wallet such as secure startup, activation, storage, and transaction, and at the same time has the flexibility of a hot wallet and the security of a cold wallet, and can greatly improve the blockchain
  • the secure element 10 in this application can be applied to smart IC (integrated circuit) cards, encryption machines, smart terminals (such as smart phones, smart wearable devices, tablet computers, etc.), computers, etc. In order to support the function of blockchain wallet in various devices.
  • FIG. 2 is a schematic structural diagram of another secure element provided by an embodiment of the present invention.
  • the secure element 10 includes the processor 101, the first memory 102, and the second memory 103 in FIG. In addition to the corresponding functions of the embodiment in FIG. 1, it may also include a random number generator 104 and/or an encryption and decryption engine 105 coupled to the processor 101, and the random number generator 104 and the encryption and decryption engine 105 may also be connected to the processor 101.
  • the first memory 102 and the second memory 103 are integrated in the semiconductor chip IC1.
  • the encryption and decryption engine 105 is configured to perform security processing on the wallet private key after the processor 101 generates the wallet private key, and the security processing includes at least one of security encryption or integrity protection, for example, Integrity protection is the use of a preset hash algorithm to generate the hash value of the wallet private key, etc.
  • This application does not specifically limit the specific security processing method.
  • the processor 101 is specifically configured to write the wallet private key after the security processing into the second memory 103; the second memory 103 is specifically configured to store the wallet private key after the security processing.
  • the processor 101 is specifically configured to read the wallet private key after the security processing from the second memory 103, and to store the security processing
  • the wallet private key and the transaction data of the blockchain wallet are sent to the encryption and decryption engine 105; the encryption and decryption engine 105 is also used to perform security verification on the wallet private key after the security processing, and after the security verification is successful ,
  • the security verification is the inverse of the security processing operating.
  • the processor 101 when the processor 101 receives a related transaction instruction for a blockchain wallet and needs to use the wallet private key, the processor 101 needs to first read the wallet private key that has undergone security processing from the second memory 103, and The wallet private key is sent to the encryption and decryption engine 105 for security verification. After ensuring that the wallet private key has not been illegally tampered with after it is safely stored, it is determined that the wallet private key is used for blockchain transaction related processing. That is, after the private key is generated inside the secure element 10, the wallet private key is not directly stored in plaintext, but the wallet private key is encrypted for storage and/or integrity protection, so as to prevent the wallet private key from being easily obtained or illegally tampered with.
  • the encryption and decryption engine 105 may be a hardware accelerator that includes a circuit structure. Since the encryption and decryption engine 105 in the form of hardware is independent of the processor 101, it is dedicated to implementing related security processing or verification functions, which is beneficial to improve security processing. performance.
  • the function of the encryption and decryption engine 105 can also be replaced by the processor 101.
  • the function of the encryption and decryption engine 105 can also be replaced by the processor 101.
  • the wallet private key written in the memory 103 is used for security processing, but the processor 101 itself integrates the security function.
  • the secure element 10 may further include a random number generator 104 for generating random numbers; the processor 101 is specifically configured to obtain the random number from the random number generator 104, based on the random number generator 104.
  • the mnemonic is generated by counting, the seed of the blockchain wallet is generated according to the mnemonic, and at least one private key of the blockchain wallet is generated according to the seed.
  • the random number generator 104 may be a true random number generator (TRNG).
  • TRNG true random number generator
  • the process of generating the wallet private key inside the secure element 10 in this application can be specifically as follows:
  • a random sequence of 128 to 256 bits (which can be called entropy) is generated by the random number generator 104;
  • the processor 101 or the encryption and decryption engine 105 derives and generates a longer (512-bit) seed based on the mnemonic and adopts the key extension function (PBKDF2function), wherein the obtained seed is used to construct a deterministic wallet ( deterministic Wallet) and derive the wallet key;
  • PBKDF2function key extension function
  • the processor 101 or the encryption and decryption engine 105 uses the HMAC-SHA512 algorithm to generate a parent key according to the seed;
  • the processor 101 or the encryption and decryption engine 105 generates a large number of child keys through a child key derivation (CKD) function according to the mother secret key.
  • CKD child key derivation
  • the wallet private key in this application can be the above-mentioned parent key or one of the above-mentioned sub-keys.
  • the function of the random number generator 104 can also be replaced by the processor 101.
  • an independent random number generator 104 is not needed to generate random numbers, but the processor 101 itself integrates the Random number generation function.
  • the processor 101 is further configured to generate a wallet public key and a wallet address according to the wallet private key. Since in the blockchain wallet, the public key and the private key exist in pairs, the private key is generated by the mnemonic, and the public key is derived from the private key through an algorithm. But because the public key is too long, for simplicity and practicality, an "address" is generated. Usually, the public key is not displayed in the transaction, only the transfer between two addresses is displayed, and the address is derived from the public key. It should be noted that these derivation processes are one-way irreversible, that is, addresses cannot be derived from public keys, and public keys cannot be derived from private keys.
  • the public key or wallet address used for external transactions in the blockchain wallet is generated inside the secure element to ensure the integrity and security of the blockchain wallet transaction function.
  • the wallet public key can be stored in the second memory 103 the same as the wallet private key, or can be stored in an external memory coupled with the secure element 10, for example, can be stored in the second memory 103 coupled with the secure element 10.
  • the memory in the trusted execution environment TEE may also be stored in the memory in the rich execution environment REE coupled with the secure element 10, which is not specifically limited in the embodiment of the present invention.
  • Figure 3 is a schematic structural diagram of yet another secure element provided by an embodiment of the present invention, as a refinement of some functional modules in the secure element in Figure 1 or Figure 2 ,
  • the blockchain wallet program is stored in the first security domain 1031 in the second memory 103, the first security domain 1031 is a storage space dedicated to the blockchain wallet program; the processor 101 , Specifically used to load the blockchain wallet program from the first security domain 1031 to the second security domain 1021 of the first memory 102 for operation, and the second security domain 1021 is the zone A dedicated operating space for blockchain wallet programs. That is, inside the secure element 10, a dedicated storage area and an operating area are divided for the blockchain wallet program.
  • the storage space and the operating space inside the secure element 10 are further divided, so that different applications are divided into areas to avoid mutual interference and further secure isolation.
  • the secure element 10 also runs other applications, such as identity authentication applications, facial recognition applications, fingerprint recognition applications, etc., secure payment applications, etc., where different applications are located
  • Different security domains can correspond to different security services.
  • the security domain is a logical area that can be divided according to the business type, security level, etc. of the application. Different security domains have different security access control strategies to realize different security domains. Access control between different security domains safely isolates different security domains and ultimately protects the operation of applications in each security domain.
  • FIG. 4 is a security device 20 provided by an embodiment of the present invention.
  • the security device 20 may include any one of the security elements 10 corresponding to FIGS. 1 to 3, and a device coupled to the security element 10
  • At least one central processing unit 201 (take one as an example in FIG. 3); the at least one central processing unit 201 can be integrated in the semiconductor chip IC1 together with the security element 10, or on a different semiconductor chip.
  • the at least one central processing unit 201 is configured to run general operating system software, and communicate with the secure element 10 under the action of the general operating system software.
  • the at least one central processing unit 201 is further configured to send transaction data of the blockchain wallet to the secure element 10 in a trusted execution environment.
  • the security device 20 may also include a memory 202 that can be used to store data generated by the central processing unit 201 or the secure element 10.
  • the memory 202 can be integrated in the semiconductor with the secure element 10 and at least one central processing unit 201.
  • the chip IC1 may also be separately located on different semiconductor chips, and the memory 202 and the at least one central processing unit 201 may also be located on different semiconductor chips.
  • the secure element 10 and at least one central processing unit 201 are integrated on IC1, the memory 202 is located on IC2, or the secure element 10 is integrated on IC1, and the memory 202 and at least one central processing unit 201 are integrated on IC2. This is not specifically limited.
  • the security element 10 can be used as the security device 20.
  • a dedicated security processing chip is used to process related sensitive data in the blockchain wallet (including the generation and use of the wallet’s private key, etc.), while the central processing unit 201 runs a general operating system to prevent the The processing of sensitive data and data of other applications not only ensures the security and isolation of the blockchain wallet program in the security device 20, but also realizes other common functions of the security device 20.
  • the security device 20 can be an encryption machine, a smart terminal (such as a smart phone, a smart wearable device, a tablet computer, etc.), a smart device, a computer, and other types of devices.
  • a semiconductor chip is also referred to as a chip for short. It may be a collection of integrated circuits fabricated on an integrated circuit substrate (usually a semiconductor material such as silicon) using integrated circuit technology. Usually encapsulated by semiconductor packaging materials.
  • the integrated circuit may include a Metal-Oxide-Semiconductor (MOS) transistor, a bipolar transistor, a diode, or the like.
  • MOS Metal-Oxide-Semiconductor
  • the semiconductor chip can work independently or under the action of necessary driver software to realize various functions such as communication, calculation, or storage.
  • FIG. 5 is a simplified schematic diagram of a software system architecture for blockchain wallet secure transactions provided by an embodiment of the present invention, where REE is a rich execution environment, running security-insensitive programs and storing security-insensitive Data, there are certain security risks; TEE is a trusted execution environment, runs security-sensitive programs and saves security-sensitive data, provides a certain level of security isolation, SEE is a secure execution environment, runs high-security programs such as financial payments, and saves financial payments, etc. High security data provides a higher level of security isolation.
  • the Trusted Application (TA) in the TEE system is used to receive and process the commands on the REE side, send APDU commands to the SEE module as needed, and then the SEE module to respond to related commands.
  • TA Trusted Application
  • the Secure Element (SE) 10 described in FIGS. 1 to 3 in this application can be used as the SEE layer in the software system architecture in FIG. 5.
  • the central processing unit 201 Although run by the same central processing unit 201, there are two independent software systems between the trusted execution environment and the general operating system software, and there is security isolation, and the security isolation is very good.
  • General operating system software and running programs of general application software based on the operating system cannot freely access the trusted execution environment.
  • the trusted execution environment can exchange data with the environment formed by the processor 101 running the blockchain wallet program, that is, with the secure element 10.
  • the common application software may include various non-secure payment related software, such as instant messaging software, games, office software, e-book software, or audio and video streaming media players.
  • the management of the public key of the blockchain wallet is implemented in a trusted execution environment, including storage and use.
  • the public key may be stored in a storage part of the memory 202 corresponding to the trusted execution environment. It is also possible to use the public key to encrypt or verify the transaction data of the blockchain wallet in a trusted execution environment.
  • the trusted execution environment may also provide a visualized user interface (UI) for blockchain transactions or other financial services, so that users can input instructions and obtain visual information through the UI.
  • the UI is a trusted UI (Trust UI), which is different from the ordinary UI provided by general operating system software, so that the instructions input by the user are transmitted to the secure element 10 through the trusted execution environment, and the secure element 10 can also be made
  • the visual information that needs to be displayed on the user interface is displayed safely through the UI without being illegally tampered with, so as to ensure the safety of the user completing the information interaction with the secure element 10 through the UI.
  • the security device 20 needs to interact with the user in the scene.
  • the blockchain wallet needs to display account information (QR code information or asset information, etc.) ), in the process of opening and binding the blockchain wallet, the camera needs to be turned on to collect the user's biological characteristics, and the blockchain wallet transaction requires the user to enter confirmation information, etc., which can be processed by the trusted UI supported by the TEE or controlled by the TEE
  • Corresponding hardware devices such as cameras, physical buttons, touch screens, etc. are implemented, while meeting the requirements of high performance and high security, while ordinary software in REE cannot directly display or control the interface, preventing counterfeiting, phishing and malicious transactions on the trading interface Software counterfeiting and data theft.
  • the aforementioned security device 20 can also use the TSM remote configuration service provided by the remote comprehensive maintenance system (Tivoli Storage Manager, TSM) to improve the security of keys and algorithms, thereby improving the blockchain wallet The security of the key.
  • TSM remote comprehensive maintenance system
  • FIG. 6 is a diagram of a remote configuration network architecture based on the TSM architecture provided by an embodiment of the invention.
  • the mobile terminal 20, whether as a buyer or seller of a blockchain transaction, can use the mobile communication included in the mobile terminal 20
  • the wireless communication link 30 provided by the unit 203 is connected to a radio access network (Radio Access Network, RAN) 40, thereby connecting to the Internet, and finally interacting with the TSM on the network side.
  • RAN Radio Access Network
  • the security element 10 (such as the first security domain 1031 of the second memory 103 in the secure element 10) stores the business secret key (which may include the wallet private key, public key, etc.) and algorithm configuration of the blockchain wallet parameter. Remotely update, replace, configure, and upgrade the service key and algorithm configuration parameters stored in the first security domain 1031 through the putkey and Storedata commands of TSM 50. For example, the key can be replaced and updated through the Putkey command of TSM 50, or the previous key can be invalidated so that it can no longer be used.
  • the business secret key which may include the wallet private key, public key, etc.
  • TSM50 completes the issuance of modified configuration through Storedata commands, such as the parameters used in secret key calculations (enable, algorithm identification, key length, operation mode, filling method), so that encryption and decryption support higher security levels, the same is true It can also be configured that encryption and decryption are not available.
  • Storedata commands such as the parameters used in secret key calculations (enable, algorithm identification, key length, operation mode, filling method), so that encryption and decryption support higher security levels, the same is true
  • the mobile terminal is stolen or lost, remotely disable the secret key and algorithm stored in the secure element 10 through the putkey and Storedata commands of TSM 50, so that the blockchain mobile wallet cannot be used and avoids the blockchain wallet loss. That is, when the mobile terminal is stolen or lost, there is no need to deal with the whole machine, and the blockchain mobile wallet can be further processed accurately.
  • FIG. 7 is a schematic flowchart of a security processing method provided by an embodiment of the present invention.
  • the security processing method is applicable to any one of the security elements in FIGS. 1 to 3 and 4 and includes the Security element equipment (such as security device 20).
  • the method may include the following steps S701 to S703, wherein, step S701: run a secure operating system and a blockchain wallet program based on the secure operating system through the processor in the secure element; step S702: use the second in the secure element A memory provides the processor with the memory space required to run the secure operating system and the blockchain wallet program; step S703: under the action of the blockchain wallet program, the processor generates an assistant A token, a wallet private key of a blockchain wallet is obtained based on the mnemonic, and the wallet private key is stored in the second memory of the secure element.
  • the method further includes: reading the wallet private key from the second memory by the processor, and using the wallet private key to compare the wallet private key in the secure element
  • the transaction data of the blockchain wallet is decrypted or signed.
  • the method further includes: the encryption and decryption engine in the secure element performs security processing on the wallet private key after the processor generates the wallet private key, and the security The processing includes at least one of security encryption or integrity protection; the storing, by the processor, of the wallet private key in the second memory of the secure element includes: passing through the processor by the processor The securely processed wallet private key is written into the second memory.
  • the processor reads the wallet private key from the second memory, and uses the wallet private key to verify the blockchain wallet in the secure element.
  • Decrypting or signing the transaction data includes: reading the securely processed wallet private key from the second memory by the processor, and converting the securely processed wallet private key
  • the transaction data with the blockchain wallet is sent to the encryption and decryption engine; the method further includes: the encryption and decryption engine performs security verification on the wallet private key after the security processing, and After the verification is successful, the transaction data of the blockchain wallet is decrypted or signed using the wallet private key, and the decrypted or signed transaction data is fed back to the processor, and the security verification is the security processing
  • the inverse operation includes: reading the securely processed wallet private key from the second memory by the processor, and converting the securely processed wallet private key
  • the transaction data with the blockchain wallet is sent to the encryption and decryption engine; the method further includes: the encryption and decryption engine performs security verification on the wallet private key after the security processing, and After the verification is successful, the transaction
  • the method further includes: generating a random number by a random number generator in the secure element; and generating the mnemonic by the processor includes: The random number is acquired from the random number generator, and the mnemonic is generated based on the random number.
  • the obtaining the wallet private key of the blockchain wallet based on the mnemonic includes: generating a seed of the blockchain wallet according to the mnemonic, and generating the blockchain according to the seed At least one of the wallet private keys of the wallet.
  • the blockchain wallet program is stored in a first security domain in the second memory, and the first security domain is a storage space dedicated to the blockchain wallet program;
  • the operation of the secure operating system and the blockchain wallet program based on the secure operating system through the processor in the secure element includes: the processor removes the blockchain wallet program from the first secure domain It is loaded into the second security domain of the first memory for operation, and the second security domain is a dedicated operating space for the blockchain wallet program.
  • the wallet private key is stored in the first security domain of the second memory.
  • the transaction data of the blockchain wallet includes blockchain asset purchase data or blockchain asset sale data.
  • the method further includes: generating, by the processor, a wallet public key and a wallet address according to the wallet private key.
  • the embodiment of the present invention further provides a computer storage medium, wherein the computer storage medium may store a program, and when the program is executed by the secure element, it includes part or all of the steps of any one of the above method embodiments.
  • the embodiment of the present invention also provides a computer program, which includes instructions, when the computer program is executed by a secure element, the secure element can execute part or all of the steps of any secure processing method.
  • the disclosed device may be implemented in other ways.
  • the device embodiments described above are only illustrative.
  • the division of the above-mentioned units is only a logical function division, and there may be other divisions in actual implementation, for example, multiple units or components can be combined or integrated. To another system, or some features can be ignored, or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical or other forms.
  • the units described above as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • the functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • the above-mentioned integrated unit can be implemented in the form of hardware or software functional unit.
  • the above integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer readable storage medium.
  • the technical solution of this application essentially or the part that contributes to the existing technology or all or part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium , Including several instructions to make a computer device (which may be a personal computer, a server, or a network device, etc., specifically a processor in a computer device) execute all or part of the steps of the foregoing methods of the various embodiments of the present application.
  • the aforementioned storage medium may include: U disk, mobile hard disk, magnetic disk, optical disk, read-only memory (Read-Only Memory, abbreviation: ROM) or Random Access Memory (Random Access Memory, abbreviation: RAM), etc.
  • U disk mobile hard disk
  • magnetic disk magnetic disk
  • optical disk read-only memory
  • Read-Only Memory abbreviation: ROM
  • Random Access Memory Random Access Memory

Abstract

Disclosed are a security chip, a security processing method and a related device. A secure element comprises a processor, a first memory and a second memory, which are integrated into a semiconductor chip, wherein the processor is used for running a secure operating system and a blockchain wallet program based on the secure operating system; the first memory is used for providing, for the processor, the memory space required to run the secure operating system and the blockchain wallet program; the processor is also used for generating a mnemonic symbol under the action of the blockchain wallet program, acquiring a wallet private key of a blockchain wallet based on the mnemonic symbol, and writing the wallet private key into the second memory; and the second memory is used for storing the wallet private key. By using the present application, the security of a blockchain wallet can be improved.

Description

一种安全芯片、安全处理方法及相关设备Security chip, security processing method and related equipment 技术领域Technical field
本申请涉及区块链技术领域,尤其涉及一种安全芯片、安全处理方法及相关设备。This application relates to the field of blockchain technology, in particular to a security chip, a security processing method and related equipment.
背景技术Background technique
区块链技术(Blockchain technology)是一种互联网数据库技术,其特点是去中心化、公开透明,让每个人均可参与数据库记录。其本质是一个分布式的公共账本,任何人都可对这个账本进行核查,但不存在单一的用户可以对它控制,即区块链系统中的参与者,必须按照严格的规则和共识共同维持账本的更新,因此,也被称之为分布式账本技术。Blockchain technology is a kind of Internet database technology, which is characterized by decentralization, openness and transparency, allowing everyone to participate in database records. Its essence is a distributed public ledger. Anyone can check this ledger, but there is no single user who can control it, that is, the participants in the blockchain system must maintain together in accordance with strict rules and consensus. The update of the ledger, therefore, is also called distributed ledger technology.
随着区块链技术应用越来越广泛,基于区块链技术的交易越来越多,区块链钱包的开发和使用则会越来越频繁和重要。区块链钱包作为代币交易的工具,用于生成区块链私钥、公钥以及符合某个公链规范的地址等,分为热钱包和冷钱包,热钱包又称在线钱包,如手机钱包、电脑客户端钱包、浏览器插件钱包、网页钱包等一直处于连接互联网状态的钱包,该类型钱包使用方便但安全性低;冷钱包又称离线钱包,如硬件钱包、纸钱包、脑钱包等处于不联网状态的钱包,安全性较高但存在携带、使用不方便。As the application of blockchain technology becomes more and more widespread, and there are more and more transactions based on blockchain technology, the development and use of blockchain wallets will become more frequent and important. As a tool for token transactions, blockchain wallets are used to generate blockchain private keys, public keys, and addresses that meet a certain public chain specification. They are divided into hot wallets and cold wallets. Hot wallets are also called online wallets, such as mobile phones. Wallets, computer client wallets, browser plug-in wallets, web wallets and other wallets that have been connected to the Internet. This type of wallet is convenient to use but has low security; cold wallets are also called offline wallets, such as hardware wallets, paper wallets, brain wallets, etc. Wallets that are not connected to the Internet have high security but are inconvenient to carry and use.
例如,热钱包中,通过个人计算机(personal computer,PC)、手机提供的客户端、浏览器插件和网页进行区块链钱包业务,其安全机制依赖Windows和Android提供的系统安全,若系统本身漏洞多、不安全,则会造成区块链钱包的密钥泄露、交易拦截等安全问题。冷钱包中,由于把钱包信息存放的物理隔离的网络(如不联网的电脑、手机、写着私钥的纸张或者小本子)上,因此,每次交易时需要额外携带冷钱包,并使用在线终端与冷钱包进行多次签名认证交互,导致交易过程复杂,此外,冷钱包也存在钱包信息被人为复制、破解等风险。For example, in a hot wallet, the blockchain wallet business is carried out through a personal computer (PC), a client provided by a mobile phone, a browser plug-in, and a web page. The security mechanism depends on the system security provided by Windows and Android. If the system itself is vulnerable Many and insecure, it will cause security problems such as the leakage of the blockchain wallet key and transaction interception. In the cold wallet, because the wallet information is stored on a physically isolated network (such as a computer, mobile phone, paper with a private key or a small notebook) that is not connected to the Internet, it is necessary to carry an extra cold wallet for each transaction and use the online The terminal and the cold wallet carry out multiple signature authentication interactions, resulting in a complicated transaction process. In addition, the cold wallet also has risks such as artificial copying and cracking of wallet information.
综上,亟需提供一种便捷、灵活以及安全性高的区块链钱包,解决用户在区块链交易过程中操作繁琐和安全性不高的问题。In summary, there is an urgent need to provide a convenient, flexible, and highly secure blockchain wallet to solve the problem of cumbersome operations and low security for users in the blockchain transaction process.
发明内容Summary of the invention
本发明实施例提供一种安全元件、安全处理方法及相关设备,以增强区块链钱包的灵活性的和安全性。The embodiments of the present invention provide a secure element, a secure processing method, and related equipment to enhance the flexibility and security of a blockchain wallet.
第一方面,本发明实施例提供了一种安全元件,可包括:处理器、第一存储器和第二存储器,所述处理器、所述第一存储器和所述第二存储器集成在半导体芯片内;其中,所述处理器,用于运行安全操作系统和基于所述安全操作系统的区块链钱包程序;所述第一存储器,用于为所述处理器提供运行所述安全操作系统和所述区块链钱包程序所需的内存空间;所述处理器,还用于在所述区块链钱包程序的作用下,生成助记符,基于所述助记符获得区块链钱包的钱包私钥,将所述钱包私钥写入到所述第二存储器中;所述第二存储器,用于存储所述钱包私钥。In the first aspect, an embodiment of the present invention provides a secure element, which may include: a processor, a first memory, and a second memory, the processor, the first memory, and the second memory are integrated in a semiconductor chip Wherein, the processor is used to run a secure operating system and a blockchain wallet program based on the secure operating system; the first memory is used to provide the processor to run the secure operating system and all The memory space required by the blockchain wallet program; the processor is also used to generate a mnemonic under the action of the blockchain wallet program, and obtain the wallet of the blockchain wallet based on the mnemonic The private key is used to write the wallet private key into the second memory; the second memory is used to store the wallet private key.
本发明实施例,将区块链钱包的应用程序运行在安全元件内部,且通过在安全元件内部生成区块链钱包的钱包私钥(包括助记符的生成),从区块链钱包私钥的生成源头保证其安全性,且将生成的钱包私钥存储在安全元件内,避免被非法获取,进一步地提升了区块 链钱包的安全性;并且,由于该安全元件可以利用与其所耦合的智能设备中的通信、联网功能进行交易,因此可以克服上述冷钱包的缺陷,使得交易更加灵活方便。即该安全元件同时具备了热钱包的灵活性和冷钱包的安全性。In the embodiment of the present invention, the application of the blockchain wallet is run inside the secure element, and the wallet private key of the blockchain wallet (including the generation of the mnemonic) is generated inside the secure element, from the blockchain wallet private key The source of generation guarantees its security, and the generated wallet private key is stored in the secure element to avoid illegal acquisition, which further improves the security of the blockchain wallet; and, because the secure element can use the The communication and networking functions in the smart device perform transactions, so the above-mentioned shortcomings of the cold wallet can be overcome, making transactions more flexible and convenient. That is, the security element has both the flexibility of a hot wallet and the security of a cold wallet.
在一种可能的实现方式中,所述处理器,还用于从所述第二存储器中读取所述钱包私钥,利用所述钱包私钥在所述安全元件内对所述区块链钱包的交易数据进行解密或签名。In a possible implementation manner, the processor is further configured to read the wallet private key from the second memory, and use the wallet private key to verify the blockchain in the secure element. The transaction data of the wallet is decrypted or signed.
本发明实施例,通过将区块链钱包的钱包私钥存储在安全元件内,在需要利用钱包私钥进行解密或签名等相关操作时,则从相应的存储器中读取出来,并在安全元件内进行解密或签名,避免将钱包私钥暴露在普通的外部环境中,以提升区块链钱包的安全性能。In the embodiment of the present invention, by storing the wallet private key of the blockchain wallet in the secure element, when the wallet private key needs to be used for decryption or signing and other related operations, it is read from the corresponding memory and stored in the secure element. Perform decryption or signature inside, avoid exposing the wallet private key to the ordinary external environment, so as to improve the security performance of the blockchain wallet.
在一种可能的实现方式中,所述安全元件,还包括:加解密引擎,用于在所述处理器生成所述钱包私钥后,对所述钱包私钥进行安全处理,所述安全处理包括安全加密或完整性保护中的至少一项;所述处理器,具体用于将经过所述安全处理后的钱包私钥写入到所述第二存储器中;所述第二存储器,具体用于存储经过所述安全处理后的钱包私钥。In a possible implementation manner, the secure element further includes: an encryption and decryption engine for performing security processing on the wallet private key after the processor generates the wallet private key, and the security processing Including at least one of security encryption or integrity protection; the processor is specifically configured to write the wallet private key after the security processing into the second memory; the second memory is specifically used To store the wallet private key after the security processing.
本发明实施例,由于加解密引擎独立于所述安全元件中的处理器,专用于实现安全处理/验证相关功能,可用于在处理器生成钱包私钥后,对钱包私钥进行安全处理,确保钱包私钥在使用前不会被泄露或篡改,有利于提高安全验证时的处理性能。可选地,该加解密引擎可以是一个硬件加速器。In the embodiment of the present invention, since the encryption and decryption engine is independent of the processor in the secure element, it is dedicated to achieving security processing/verification related functions, and can be used to perform security processing on the wallet private key after the processor generates the wallet private key to ensure The wallet private key will not be leaked or tampered with before use, which is beneficial to improve the processing performance during security verification. Optionally, the encryption and decryption engine may be a hardware accelerator.
在一种可能的实现方式中,所述处理器,具体用于从所述第二存储器中读取所述经过所述安全处理后的钱包私钥,将所述经过所述安全处理后的钱包私钥和区块链钱包的交易数据发送至所述加解密引擎;所述加解密引擎,还用于对所述经过所述安全处理后的钱包私钥进行安全验证,并在安全验证成功后,利用所述钱包私钥对所述区块链钱包的交易数据进行解密或签名,并将解密或签名后的交易数据反馈至所述处理器,所述安全验证为所述安全处理的逆操作。In a possible implementation manner, the processor is specifically configured to read the wallet private key after the security processing from the second memory, and to transfer the wallet after the security processing The private key and the transaction data of the blockchain wallet are sent to the encryption and decryption engine; the encryption and decryption engine is also used to perform security verification on the wallet private key after the security processing, and after the security verification is successful , Using the wallet private key to decrypt or sign the transaction data of the blockchain wallet, and feedback the decrypted or signed transaction data to the processor, and the security verification is the reverse operation of the security processing .
本发明实施例,当钱包私钥经过加解密引擎的安全处理之后,当安全元件的处理器需要使用该钱包密钥对出售的区块链资产进行签名,或者对需要购买的区块链资产进行解密时,则从第二存储器中读取经过安全处理后的钱包私钥,并将其发送至加解密引擎进行安全验证,加解密引擎验证成功后,则在加解密引擎内利用钱包私钥对交易数据进行解密或签名,并将结果反馈至处理器。避免钱包私钥暴露在安全元件以外,并且通过专用的加解密引擎可以增强安全处理及验证过程的性能。In the embodiment of the present invention, after the wallet private key has been processed by the encryption and decryption engine, the processor of the secure element needs to use the wallet key to sign the blockchain assets sold, or perform the blockchain assets that need to be purchased. When decrypting, it reads the security-processed wallet private key from the second storage and sends it to the encryption and decryption engine for security verification. After the encryption and decryption engine is successfully verified, the wallet private key pair is used in the encryption and decryption engine. The transaction data is decrypted or signed, and the result is fed back to the processor. Avoid exposing the wallet private key outside the secure element, and the performance of the security processing and verification process can be enhanced through a dedicated encryption and decryption engine.
在一种可能的实现方式中,所述安全元件还包括:随机数生成器,用于生成随机数;所述处理器,具体用于从所述随机数生成器获取所述随机数,基于所述随机数生成所述助记符。可选的,所述处理器,还具体用于根据所述助记符生成所述区块链钱包的种子,根据所述种子生成所述区块链钱包的至少一个所述钱包私钥。In a possible implementation manner, the secure element further includes: a random number generator, configured to generate a random number; the processor is specifically configured to obtain the random number from the random number generator, based on the The random number generates the mnemonic. Optionally, the processor is further specifically configured to generate a seed of the blockchain wallet according to the mnemonic, and generate at least one wallet private key of the blockchain wallet according to the seed.
本发明实施例中,用于生成助记符的随机数是在安全元件内的随机数生成器中生成的,且由随机数生成器生成的随机数是随机的,因此,可以保证助记符的绝对安全性,也就可以保证根据该助记符生成的种子以及钱包私钥的安全性。可选的,所述随机数生成器为真随机数生成器。In the embodiment of the present invention, the random number used to generate the mnemonic is generated in the random number generator in the secure element, and the random number generated by the random number generator is random, therefore, the mnemonic can be guaranteed The absolute security of the mnemonic can guarantee the security of the seed and the wallet private key generated according to the mnemonic. Optionally, the random number generator is a true random number generator.
在一种可能的实现方式中,所述区块链钱包程序存储于所述第二存储器中的第一安全域中,所述第一安全域为所述区块链钱包程序专用的存储空间;所述处理器,具体用于将 所述区块链钱包程序从所述第一安全域中加载至所述第一存储器的第二安全域中进行运行,所述第二安全域为所述区块链钱包程序专用的运行空间。可选的,所述钱包私钥存储于所述第二存储器的所述第一安全域中。In a possible implementation, the blockchain wallet program is stored in a first security domain in the second memory, and the first security domain is a storage space dedicated to the blockchain wallet program; The processor is specifically configured to load the blockchain wallet program from the first security domain to the second security domain of the first memory for operation, and the second security domain is the zone A dedicated operating space for blockchain wallet programs. Optionally, the wallet private key is stored in the first security domain of the second memory.
本发明实施例,通过在安全元件内部的存储空间和内存空间开辟区块链钱包应用程序的专用存储空间和专用运行空间,使得安全元件内的其他程序与区块链钱包之间进行逻辑隔离,进一步提高了区块链钱包程序的存储与运行的安全性。In the embodiment of the present invention, the dedicated storage space and dedicated operating space of the blockchain wallet application are opened up in the storage space and memory space inside the secure element, so that other programs in the secure element are logically isolated from the blockchain wallet. It further improves the security of the storage and operation of the blockchain wallet program.
在一种可能的实现方式中,所述区块链钱包的交易数据包括区块链资产买入数据或区块链资产卖出数据。本发明实施例中,利用所述钱包私钥在安全元件内对所述区块链钱包的交易数据进行解密或签名,可以包括利用钱包私钥对区块链资产买入数据进行解密,也可以包括利用钱包私钥对区块链资产卖出数据进行签名,即该区块链钱包的交易数据包括了区块链交易中的双向买卖过程。In a possible implementation manner, the transaction data of the blockchain wallet includes blockchain asset purchase data or blockchain asset sale data. In the embodiment of the present invention, using the wallet private key to decrypt or sign the transaction data of the blockchain wallet in the secure element may include using the wallet private key to decrypt the blockchain asset purchase data, or Including the use of the wallet private key to sign the block chain asset sale data, that is, the block chain wallet transaction data includes the two-way buying and selling process in the block chain transaction.
在一种可能的实现方式中,所述处理器,还用于:根据所述钱包私钥生成钱包公钥和钱包地址。本发明实施例,通过在安全元件内部生成区块链钱包中用于对外交易的的公钥或钱包地址,以保证区块链钱包交易功能的完整性和安全性。In a possible implementation manner, the processor is further configured to: generate a wallet public key and a wallet address according to the wallet private key. In the embodiment of the present invention, the public key or wallet address used for external transactions in the blockchain wallet is generated inside the secure element to ensure the integrity and security of the blockchain wallet transaction function.
第二方面,本发明实施例提供了一种安全装置,可包括:In the second aspect, an embodiment of the present invention provides a security device, which may include:
上述第一方面中任意一项所述的安全元件和耦合于所述安全元件的至少一个中央处理单元;The security element according to any one of the foregoing first aspect and at least one central processing unit coupled to the security element;
所述至少一个中央处理单元,用于运行通用操作系统软件,并在所述通用操作系统软件的作用下与所述安全元件通信。The at least one central processing unit is configured to run general operating system software and communicate with the secure element under the action of the general operating system software.
在一种可能的实现方式中,所述至少一个中央处理单元,还用于在可信执行环境中向所述安全元件发送所述区块链钱包的交易数据。In a possible implementation, the at least one central processing unit is further configured to send transaction data of the blockchain wallet to the secure element in a trusted execution environment.
本发明实施例,通过在安全装置中设置上述第一方面提供的安全元件,以及与该安全元件耦合的中央处理单元,使得安全元件可以作为安全装置中的一个专用的安全处理芯片,用于处理区块链钱包中相关的敏感数据(包括钱包私钥的生成以及使用等),而中央处理单元则通过运行通用操作系统,对区块链钱包的非敏感数据以及其他应用程序的数据进行处理,不仅保证了区块链钱包程序在安全装置中的安全性和隔离性,同时也可实现安全装置的其它普通功能。In the embodiment of the present invention, the security element provided in the first aspect and the central processing unit coupled with the security element are provided in the security device, so that the security element can be used as a dedicated security processing chip in the security device for processing Related sensitive data in the blockchain wallet (including the generation and use of the wallet private key, etc.), while the central processing unit runs the general operating system to process the non-sensitive data of the blockchain wallet and other application data. It not only ensures the security and isolation of the blockchain wallet program in the security device, but also realizes other common functions of the security device.
在一种可能的实现方式中,所述至少一个中央处理单元,还用于在可信执行环境中向所述安全元件发送区块链钱包的交易数据。In a possible implementation, the at least one central processing unit is further configured to send transaction data of the blockchain wallet to the secure element in a trusted execution environment.
本发明实施例中,将安全装置中划分为富执行环境、可信执行环境和安全执行环境三层架构,使得区块链钱包中的次敏感数据可通过可信执行环境来处理,即将区块链钱包的数据按照其敏感和重要程度分为多个安全等级,利用安全装置中不同层面的执行环境,来使得区块链钱包的数据得到完善的安全保护。In the embodiment of the present invention, the security device is divided into a three-tier architecture of rich execution environment, trusted execution environment, and safe execution environment, so that the sub-sensitive data in the blockchain wallet can be processed through the trusted execution environment, that is, the block The data of the blockchain wallet is divided into multiple security levels according to its sensitivity and importance, and the different levels of execution environment in the security device are used to make the data of the blockchain wallet complete security protection.
在一种可能的实现方式中,所述安全装置还包括:位于所述半导体芯片外部的存储器。In a possible implementation manner, the security device further includes: a memory located outside the semiconductor chip.
第四方面,本发明实施例提供了一种安全处理方法,其特征在于,包括:In a fourth aspect, an embodiment of the present invention provides a security processing method, which is characterized in that it includes:
通过安全元件中的处理器运行安全操作系统和基于所述安全操作系统的区块链钱包程 序;Running a secure operating system and a blockchain wallet program based on the secure operating system through the processor in the secure element;
由安全元件中的第一存储器为所述处理器提供运行所述安全操作系统和所述区块链钱包程序所需的内存空间;The first memory in the secure element provides the processor with memory space required to run the secure operating system and the blockchain wallet program;
在所述区块链钱包程序的作用下,由所述处理器生成助记符,基于所述助记符获得区块链钱包的钱包私钥,将所述钱包私钥存储至所述安全元件的第二存储器中。Under the action of the blockchain wallet program, the processor generates a mnemonic, obtains the wallet private key of the blockchain wallet based on the mnemonic, and stores the wallet private key in the secure element In the second memory.
在一种可能的实现方式中,所述方法,还包括:由所述处理器从所述第二存储器中读取所述钱包私钥,利用所述钱包私钥在所述安全元件内对区块链钱包的交易数据进行解密或签名。In a possible implementation manner, the method further includes: reading the wallet private key from the second memory by the processor, and using the wallet private key to register the wallet in the secure element The transaction data of the blockchain wallet is decrypted or signed.
在一种可能的实现方式中,所述方法还包括:所述安全元件中的加解密引擎在所述处理器生成所述钱包私钥后,对所述钱包私钥进行安全处理,所述安全处理包括安全加密或完整性保护中的至少一项;所述由所述处理器将所述钱包私钥存储至所述安全元件的第二存储器中,包括:由所述处理器将经过所述安全处理后的钱包私钥写入到所述第二存储器中。In a possible implementation, the method further includes: the encryption and decryption engine in the secure element performs security processing on the wallet private key after the processor generates the wallet private key, and the security The processing includes at least one of security encryption or integrity protection; the storing, by the processor, of the wallet private key in the second memory of the secure element includes: passing through the processor by the processor The securely processed wallet private key is written into the second memory.
在一种可能的实现方式中,所述由所述处理器从所述第二存储器中读取所述钱包私钥,利用所述钱包私钥在所述安全元件内对区块链钱包的交易数据进行解密或签名,包括:由所述处理器从所述第二存储器中读取所述经过所述安全处理后的钱包私钥,将所述经过所述安全处理后的钱包私钥和区块链钱包的交易数据发送至所述加解密引擎;所述方法还包括:由所述加解密引擎对所述经过所述安全处理后的钱包私钥进行安全验证,并在安全验证成功后,利用所述钱包私钥对所述区块链钱包的交易数据进行解密或签名,并将解密或签名后的交易数据反馈至所述处理器,所述安全验证为所述安全处理的逆操作。In a possible implementation manner, the processor reads the wallet private key from the second memory, and uses the wallet private key to perform transactions on the blockchain wallet in the secure element Decrypting or signing the data includes: reading the wallet private key after the security processing from the second memory by the processor, and converting the wallet private key and the area after the security processing The transaction data of the blockchain wallet is sent to the encryption and decryption engine; the method further includes: the encryption and decryption engine performs security verification on the wallet private key after the security processing, and after the security verification is successful, Using the wallet private key to decrypt or sign the transaction data of the blockchain wallet, and feedback the decrypted or signed transaction data to the processor, the security verification is the reverse operation of the security processing.
在一种可能的实现方式中,所述方法还包括:由所述安全元件中的随机数生成器,生成随机数;所述由所述处理器生成助记符,包括:由所述处理器从所述随机数生成器获取所述随机数,基于所述随机数生成所述助记符。可选的,所述基于所述助记符获得区块链钱包的钱包私钥,包括:根据所述助记符生成所述区块链钱包的种子,根据所述种子生成所述区块链钱包的至少一个所述钱包私钥。In a possible implementation manner, the method further includes: generating a random number by a random number generator in the secure element; and generating the mnemonic by the processor includes: The random number is acquired from the random number generator, and the mnemonic is generated based on the random number. Optionally, the obtaining the wallet private key of the blockchain wallet based on the mnemonic includes: generating a seed of the blockchain wallet according to the mnemonic, and generating the blockchain according to the seed At least one of the wallet private keys of the wallet.
在一种可能的实现方式中,所述区块链钱包程序存储于所述第二存储器中的第一安全域中,所述第一安全域为所述区块链钱包程序专用的存储空间;所述通过安全元件中的处理器运行安全操作系统和基于所述安全操作系统的区块链钱包程序,包括:由所述处理器将所述区块链钱包程序从所述第一安全域中加载至所述第一存储器的第二安全域中进行运行,所述第二安全域为所述区块链钱包程序专用的运行空间。In a possible implementation, the blockchain wallet program is stored in a first security domain in the second memory, and the first security domain is a storage space dedicated to the blockchain wallet program; The operation of the secure operating system and the blockchain wallet program based on the secure operating system through the processor in the secure element includes: the processor removes the blockchain wallet program from the first secure domain It is loaded into the second security domain of the first memory for operation, and the second security domain is a dedicated operating space for the blockchain wallet program.
在一种可能的实现方式中,所述钱包私钥存储于所述第二存储器的所述第一安全域中。In a possible implementation manner, the wallet private key is stored in the first security domain of the second memory.
在一种可能的实现方式中,所述区块链钱包的交易数据包括区块链资产买入数据或区块链资产卖出数据。In a possible implementation manner, the transaction data of the blockchain wallet includes blockchain asset purchase data or blockchain asset sale data.
在一种可能的实现方式中,所述方法还包括:由所述处理器,根据所述钱包私钥生成钱包公钥和钱包地址。In a possible implementation manner, the method further includes: generating, by the processor, a wallet public key and a wallet address according to the wallet private key.
第五方面,本申请提供一种安全装置,该安全装置具有实现上述任意一种安全处理方法的功能。该功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。该硬件或软 件包括一个或多个与上述功能相对应的模块。In a fifth aspect, the present application provides a security device that has the function of realizing any of the foregoing security processing methods. This function can be realized by hardware, or by hardware executing corresponding software. The hardware or software includes one or more modules corresponding to the above-mentioned functions.
第六方面,本申请提供一种终端,该终端包括安全元件,安全元件被配置为支持该终端执行第四方面提供的一种安全处理方法中相应的功能。该终端还可以包括存储器,存储器用于与安全元件耦合,其保存终端必要的程序指令和数据。该终端还可以包括通信接口,用于该终端与其它设备或通信网络通信。In a sixth aspect, the present application provides a terminal that includes a secure element, and the secure element is configured to support the terminal to perform a corresponding function in a secure processing method provided in the fourth aspect. The terminal may also include a memory, which is used for coupling with the secure element and stores necessary program instructions and data for the terminal. The terminal may also include a communication interface for the terminal to communicate with other devices or communication networks.
第七方面,本申请提供一种计算机存储介质,所述计算机存储介质存储有计算机程序,该计算机程序被安全元件执行时实现上述第四方面中任意一项所述的安全处理方法流程。In a seventh aspect, the present application provides a computer storage medium that stores a computer program that, when executed by a secure element, implements the process of the security processing method described in any one of the foregoing fourth aspects.
第八方面,本发明实施例提供了一种计算机程序,该计算机程序包括指令,当该计算机程序被安全元件执行时,使得安全元件可以执行上述第四方面中任意一项所述的安全处理方法流程。In an eighth aspect, an embodiment of the present invention provides a computer program, the computer program including instructions, when the computer program is executed by a secure element, the secure element can execute the secure processing method described in any one of the fourth aspect Process.
第九方面,本申请提供了一种芯片系统,该芯片系统包括安全元件,用于实现上述第四方面中任意一项所述的安全处理方法流程所涉及的功能。在一种可能的设计中,所述芯片系统还包括存储器,所述存储器,用于保存所述安全处理方法必要或相关的程序指令和数据。该芯片系统,可以由芯片构成,也可以包含芯片和其它分立器件。In a ninth aspect, the present application provides a chip system that includes a secure element for implementing the functions involved in the process of the secure processing method described in any one of the fourth aspects. In a possible design, the chip system further includes a memory, which is used to store program instructions and data necessary or related to the security processing method. The chip system can be composed of chips, or include chips and other discrete devices.
附图说明Description of the drawings
图1是本发明实施例提供的一种安全元件的结构示意图;FIG. 1 is a schematic structural diagram of a security element provided by an embodiment of the present invention;
图2是本发明实施例提供的另一种安全元件的结构示意图;Figure 2 is a schematic structural diagram of another security element provided by an embodiment of the present invention;
图3是本发明实施例提供的又一种安全元件的结构示意图;3 is a schematic structural diagram of another security element provided by an embodiment of the present invention;
图4是本发明实施例提供的一种安全装置;Figure 4 is a security device provided by an embodiment of the present invention;
图5为本发明实施例提供的一种用于区块链钱包安全交易的软件系统架构的简化示意图;5 is a simplified schematic diagram of a software system architecture for secure transactions of blockchain wallets according to an embodiment of the present invention;
图6为发明实施例提供的一种基于TSM架构的远程配置网络架构图;Figure 6 is a diagram of a remote configuration network architecture based on a TSM architecture provided by an embodiment of the invention;
图7是本发明实施例提供的一种安全处理方法的流程示意图。FIG. 7 is a schematic flowchart of a security processing method provided by an embodiment of the present invention.
具体实施方式detailed description
下面将结合本发明实施例中的附图,对本发明实施例进行描述。本申请的说明书和权利要求书及所述附图中的术语“第一”、“第二”、“第三”和“第四”等是用于区别不同对象,而不是用于描述特定顺序。此外,术语“包括”和“具有”以及它们任何变形,意图在于覆盖不排他的包含。例如包含了一系列步骤或单元的过程、方法、系统、产品或设备没有限定于已列出的步骤或单元,而是可选地还包括没有列出的步骤或单元,或可选地还包括对于这些过程、方法、产品或设备固有的其它步骤或单元。在本文中提及“实施例”意味着,结合实施例描述的特定特征、结构或特性可以包含在本申请的至少一个实施例中。在说明书中的各个位置出现该短语并不一定均是指相同的实施例,也不是与其它实施例互斥的独立的或备选的实施例。本领域技术人员显式地和隐式地理解的是,本文所描述的实施例可以与其它实施例相结合。The embodiments of the present invention will be described below in conjunction with the drawings in the embodiments of the present invention. The terms "first", "second", "third" and "fourth" in the description and claims of the application and the drawings are used to distinguish different objects, rather than describing a specific order . In addition, the terms "including" and "having" and any variations thereof are intended to cover non-exclusive inclusion. For example, a process, method, system, product, or device that includes a series of steps or units is not limited to the listed steps or units, but optionally includes unlisted steps or units, or optionally also includes Other steps or units inherent to these processes, methods, products or equipment. Reference to "embodiments" herein means that a specific feature, structure, or characteristic described in conjunction with the embodiments may be included in at least one embodiment of the present application. The appearance of the phrase in various places in the specification does not necessarily refer to the same embodiment, nor is it an independent or alternative embodiment mutually exclusive with other embodiments. Those skilled in the art clearly and implicitly understand that the embodiments described herein can be combined with other embodiments.
在本说明书中使用的术语“部件”、“模块”、“系统”等用于表示计算机相关的实体、硬件、固件、硬件和软件的组合、软件、或执行中的软件。例如,部件可以是但不限于,在处理器上运行的进程、处理器、对象、可执行文件、执行线程、程序和/或计算机。通过图示, 在计算设备上运行的应用和计算设备都可以是部件。一个或多个部件可驻留在进程和/或执行线程中,部件可位于一个计算机上和/或分布在2个或更多个计算机之间。此外,这些部件可从在上面存储有各种数据结构的各种计算机可读介质执行。部件可例如根据具有一个或多个数据分组(例如来自与本地系统、分布式系统和/或网络间的另一部件交互的二个部件的数据,例如通过信号与其它系统交互的互联网)的信号通过本地和/或远程进程来通信。The terms "component", "module", "system", etc. used in this specification are used to denote computer-related entities, hardware, firmware, a combination of hardware and software, software, or software in execution. For example, the component may be, but is not limited to, a process, a processor, an object, an executable file, an execution thread, a program, and/or a computer running on a processor. Through the illustration, both the application running on the computing device and the computing device can be components. One or more components may reside in processes and/or threads of execution, and components may be located on one computer and/or distributed among two or more computers. In addition, these components can be executed from various computer readable media having various data structures stored thereon. The component may be based on, for example, a signal having one or more data packets (such as data from two components interacting with another component in a local system, a distributed system, and/or a network, such as the Internet that interacts with other systems through signals) Communicate through local and/or remote processes.
首先,对本申请中的部分用语进行解释说明,以便于本领域技术人员理解。First, some terms in this application are explained to facilitate the understanding of those skilled in the art.
(1)集成电路(Integrated Circuit,IC),即IC芯片是将大量的微电子元器件(晶体管、电阻、电容等)形成的集成电路放在一块塑基上,做成一块芯片。(1) Integrated Circuit (IC), that is, an IC chip is an integrated circuit formed by a large number of microelectronic components (transistors, resistors, capacitors, etc.) on a plastic base to make a chip.
(2)富执行环境(Rich Execution Environment,REE),一般用于运行Android等功能丰富的操作系统,与由Trustzone ARM定义的、能够支持完全可信执行环境(TEE)以及安全感知应用程序和安全服务的平台技术相区别。(2) Rich Execution Environment (REE), generally used to run Android and other feature-rich operating systems, and defined by Trustzone ARM that can support a fully trusted execution environment (TEE) and security-aware applications and security The service platform technology is different.
(3)可信执行环境(trusted execution environment,TEE)是与富执行环境REE相分离的安全区域。TEE由可信应用(Trusted Application,TA)、以及可信操作系统(Trusted OS,Trusted Operating System)组成。它与富执行环境以及富执行环境上面的应用相分离,确保各种敏感数据在一个可信环境中被存储、处理和受到保护,同时可信执行环境为装载在其中的可信应用提供一个安全的执行环境。(3) Trusted execution environment (TEE) is a security zone separated from the rich execution environment REE. TEE consists of a trusted application (Trusted Application, TA) and a trusted operating system (Trusted OS, Trusted Operating System). It is separated from the rich execution environment and the applications on the rich execution environment to ensure that various sensitive data are stored, processed and protected in a trusted environment. At the same time, the trusted execution environment provides a security for the trusted applications loaded in it. Execution environment.
(4)比特币,又称“比特金”,是一种网络虚拟货币,网民可以使用比特币购买一些虚拟物品,比如网络游戏当中的衣服、帽子、装备等,网民之间也有用来购买现实物品的情况。(4) Bitcoin, also known as "Bit Gold", is a virtual currency on the Internet. Netizens can use Bitcoin to buy some virtual items, such as clothes, hats, and equipment in online games. Netizens also use it to buy reality. The condition of the item.
(5)公钥和私钥:私钥的持有者才是银行卡中货币的持有者。私钥可以计算出公钥,公钥可以经过一系列数字签名生成钱包地址,使用私钥加密的数据可以用公钥解密,反之亦可。(5) Public key and private key: The holder of the private key is the holder of the currency in the bank card. The private key can calculate the public key, the public key can generate a wallet address through a series of digital signatures, and the data encrypted with the private key can be decrypted with the public key, and vice versa.
(6)钱包地址:类似于银行卡号,一个人可以拥有多张银行卡,同理他也可以拥有多个钱包地址。一个钱包地址只能对应一个私钥。(6) Wallet address: Similar to a bank card number, one person can have multiple bank cards, and similarly, he can also have multiple wallet addresses. One wallet address can only correspond to one private key.
(7)真随机数生成器(True Random Number Generator,TRNG)是一种通过物理过程而不是计算机程序来生成随机数字的设备。TRNG是一个非常灵活的随机数发生器库。它允许顺序和用于并行应用程序,库不依赖于任何特定的通信库。(7) True Random Number Generator (TRNG) is a device that generates random numbers through physical processes instead of computer programs. TRNG is a very flexible random number generator library. It allows sequential and parallel applications, and the library does not depend on any specific communication library.
(8)应用协议数据单元(Application Protocol Data Unit,APDU)是智能卡与智能卡读卡器之间传送的信息单元。(8) Application Protocol Data Unit (APDU) is an information unit transmitted between the smart card and the smart card reader.
(9)密钥导出算法(Key Derivation Function,KDF),是加解密过程使用到的密钥派生函数,作用是从一个共享的秘密比特串口派生出密钥数据,在密钥协商过程中,密钥派生函数作用在密钥交换所获动向的秘密比特串上,从中产生所需的会话密钥或进一步加密所需的密钥数据。(9) Key Derivation Function (KDF) is a key derivation function used in the encryption and decryption process. Its function is to derive key data from a shared secret bit serial port. During the key negotiation process, the key The key derivation function acts on the secret bit string obtained by the key exchange to generate the required session key or the key data required for further encryption.
请参见图1,图1是本发明实施例提供的一种安全元件的结构示意图,该安全元件10中可包括处理器101、第一存储器102和第二存储器103,且处理器101、第一存储器102和第二存储器103集成在半导体芯片IC1内。其中,处理器101,用于运行安全操作系统 和基于所述安全操作系统的区块链钱包程序。该安全操作系统不同于普通操作系统,可以是片内操作系统(Chip Operating System,COS),该COS也叫COS镜像,可以等效为是驻留智能卡或金融集成电路(Integrated Circuit,IC)卡内的操作系统软件。该安全操作系统可用于运行安装在该安全元件内部的应用程序,如本申请中的区块链钱包程序,或其他需要安全保护的应用如银行支付应用、公交支付应用、身份认证应用等。需要说明的是,区块链钱包是生成和管理密钥、地址、跟踪余额和创建交易的软件,而本申请中存储和运行于安全元件10中的区块链钱包程序,可以是一个完整的区块链钱包软件,也可以是区块链钱包软件中的部分功能程序,例如,区块链钱包程序可以为对安全性要求较高的区块链钱包秘钥小应用程序Applet。Please refer to FIG. 1, which is a schematic structural diagram of a secure element provided by an embodiment of the present invention. The secure element 10 may include a processor 101, a first memory 102, and a second memory 103, and the processor 101, the first memory The memory 102 and the second memory 103 are integrated in the semiconductor chip IC1. Among them, the processor 101 is used to run a secure operating system and a blockchain wallet program based on the secure operating system. This security operating system is different from ordinary operating systems, it can be an on-chip operating system (Chip Operating System, COS), which is also called COS mirroring, which can be equivalent to a resident smart card or a financial integrated circuit (IC) card Operating system software inside. The secure operating system can be used to run applications installed in the secure element, such as the blockchain wallet program in this application, or other applications that require security protection, such as bank payment applications, bus payment applications, identity authentication applications, etc. It should be noted that the blockchain wallet is software for generating and managing keys, addresses, tracking balances, and creating transactions. The blockchain wallet program stored and running in the secure element 10 in this application can be a complete The blockchain wallet software can also be a part of the functional programs in the blockchain wallet software. For example, the blockchain wallet program can be a small application Applet that requires high security.
第一存储器102,用于为所述处理器101提供运行所述安全操作系统和所述区块链钱包程序所需的内存空间。即第一存储器102可存储处理器101运行安全操作系统以及区块链钱包程序所生成的中间数据或临时数据,也可称之为内存数据。该内存数据不仅包括上述中间数据或临时数据,也可包括运行算法或进程产生的各类中间运算结果数据、或配置数据等。由于内存数据是运行一个软件所产生的过程数据,其无需被长期保存,可以是随着设备或装置掉电而丢失。因此,第一存储器102可以是随机存取存储器(Random Access Memory,RAM)或掉电易失性存储设备,如静态随机存取存储器(Static Random Access Memory,SRAM)、动态随机存取存储器(Dynamic Random Access Memory,DRAM)或同步动态随机存储器(Synchronous DRAM,SDRAM)、双倍速率SDRAM(Dual Data Rate SDRAM,DDR SDRAM)等。The first memory 102 is configured to provide the processor 101 with memory space required for running the secure operating system and the blockchain wallet program. That is, the first memory 102 can store intermediate data or temporary data generated by the processor 101 running a secure operating system and a blockchain wallet program, which can also be referred to as memory data. The memory data includes not only the aforementioned intermediate data or temporary data, but also various intermediate calculation result data or configuration data generated by running algorithms or processes. Since the memory data is process data generated by running a software, it does not need to be stored for a long time, and may be lost when the equipment or device is powered off. Therefore, the first memory 102 may be a random access memory (Random Access Memory, RAM) or a power-off volatile storage device, such as a static random access memory (Static Random Access Memory, SRAM) and a dynamic random access memory (Dynamic Random Access Memory, SRAM). Random Access Memory (DRAM) or synchronous dynamic random access memory (Synchronous DRAM, SDRAM), double rate SDRAM (Dual Data Rate SDRAM, DDR SDRAM), etc.
处理器101,还用于在所述区块链钱包程序的作用下,生成助记符,基于所述助记符获得区块链钱包的钱包私钥,将所述钱包私钥写入到所述第二存储器103中。由于在区块链钱包中,钱包私钥(简称私钥)的备份是非常重要的,获得了私钥就获得了该私钥对应的区块链钱包的使用权,即可获得账户上的所有资产,因此,用户必须牢记并保管好该私钥,避免被非法获取。但通常情况下私钥有256位,由64位的16进制哈希值字符串表示,用户如果直接抄录很容易出现笔误,记在脑海中又会因为字符串过长不易被记住。因此,在区块链钱包中,通过采用助记符帮助用户记忆复杂的私钥,助记符一般由12、15、18、21个单词(可以是英文、法文、中文甚至是方言等)构成,这些单词都取自一个固定词库,其生成顺序也是按照一定算法而来,助记符可以认为是明文私钥的另一种表现形式,因此通常不会被保存在区块链钱包所在的终端设备上,而是存储在其他地方,如本子或者是脑子中。在本发明实施例中,处理器101在安全元件内部生成助记符,并基于该助记符获得区块链钱包的私钥,其具体的获得过程,可以是在处理器101中基于该助记符并结合预设私钥算法(如哈希算法)计算生成的钱包私钥;也可以是处理器101控制安全元件10内部的其他专用功能模块(如后述的加解密引擎)生成该钱包私钥,本申请对此不作具体限定。由于助记符和钱包私钥均是在安全元件10内部生成,因此可以从钱包私钥的生成源头以及生成过程保证钱包私钥的安全性。The processor 101 is further configured to generate a mnemonic under the action of the blockchain wallet program, obtain the wallet private key of the blockchain wallet based on the mnemonic, and write the wallet private key to all In the second memory 103. As in the blockchain wallet, the backup of the wallet private key (private key for short) is very important. Once the private key is obtained, the right to use the blockchain wallet corresponding to the private key is obtained, and all the accounts on the account are obtained. Assets, therefore, users must remember and keep the private key to avoid illegal acquisition. But under normal circumstances, the private key has 256 bits and is represented by a 64-bit hexadecimal hash value string. It is easy for users to make clerical errors if they copy directly, and they will be difficult to remember because the string is too long. Therefore, in blockchain wallets, mnemonics are used to help users remember complex private keys. mnemonics are generally composed of 12, 15, 18, 21 words (which can be English, French, Chinese, or even dialects, etc.) These words are all taken from a fixed vocabulary, and their generation sequence is also based on a certain algorithm. Mnemonic can be considered as another form of expression of the plaintext private key, so it is usually not stored in the blockchain wallet. On the terminal device, it is stored in other places, such as a notebook or a brain. In the embodiment of the present invention, the processor 101 generates a mnemonic inside the secure element, and obtains the private key of the blockchain wallet based on the mnemonic. The specific obtaining process may be based on the assistance in the processor 101 The wallet private key is calculated by combining the token with a preset private key algorithm (such as a hash algorithm); it can also be the processor 101 that controls other dedicated function modules (such as the encryption and decryption engine described later) inside the secure element 10 to generate the wallet The private key is not specifically limited in this application. Since both the mnemonic and the wallet private key are generated inside the secure element 10, the security of the wallet private key can be ensured from the source and process of generating the wallet private key.
第二存储器103,用于存储所述钱包私钥。由于区块链钱包的钱包私钥不同于处理器101运行安全操作系统以及区块链钱包程序的中间数据或临时数据,其作为数据结果需要在后续的区块链交易中被调用以进行解密或签名,所以需要被长期保存。因此,该第二存 储器103可以是只读存储器(Read Only Memory,ROM)或非掉电易失性存储器,如可编程ROM(Programmable ROM,PROM)、可擦写可编程ROM(Erasable Programmable ROM,EPROM)、电可擦除可编程ROM(Electrically Erasable Programmable ROM,EEPROM)、快速擦写ROM(FLASH ROM)等。在一种可能的实现方式中,所述钱包私钥也可以经过处理器101的安全处理(如加密或完整性保护等)之后再存储在第二存储器103中。可选的,第二存储器103也可以用于存储本发明实施例中的区块链钱包程序或其他安全应用等。进一步可选的,第二存储器103中还可以存储区块链钱包的相关交易信息、账户信息、资产信息等。The second memory 103 is used to store the wallet private key. Since the wallet private key of the blockchain wallet is different from the intermediate data or temporary data of the processor 101 running the secure operating system and the blockchain wallet program, as a result of the data, it needs to be called in subsequent blockchain transactions for decryption or Signed, so it needs to be stored for a long time. Therefore, the second memory 103 may be a read-only memory (Read Only Memory, ROM) or a non-power-down volatile memory, such as a programmable ROM (Programmable ROM, PROM), an erasable programmable ROM (Erasable Programmable ROM, EPROM), electrically erasable programmable ROM (Electrically Erasable Programmable ROM, EEPROM), flash ROM (FLASH ROM), etc. In a possible implementation manner, the wallet private key may also be stored in the second memory 103 after undergoing security processing (such as encryption or integrity protection, etc.) by the processor 101. Optionally, the second memory 103 may also be used to store the blockchain wallet program or other security applications in the embodiment of the present invention. Further optionally, the second storage 103 may also store related transaction information, account information, asset information, etc. of the blockchain wallet.
在一种可能的实现方式中,处理器101还用于从第二存储器103中读取所述钱包私钥,利用所述钱包私钥在安全元件10内对所述区块链钱包的交易数据进行解密或签名。在区块链的交易过程中,私钥相当于银行卡密码,是非公开的,用于证明该用户的身份及资产,而公钥则相当于银行卡号,是公开的,用于其他用户转账的。例如,用户A向用户B出出售自己的区块链资产,则通过能证明A身份的私钥A对区块链资产进行签名,以证明该资产是属于A的,将经过私钥A签名的区块链资产且经过用户B的公钥B’(公知的)进行加密,表示是发送给用户B的地址,因此用户B采用自己的私钥B对地址进行解密,发现该区块链资产是发送给自己的,并且再利用A的公钥A’(公知的)对该区块链资产进行验签,验签成功之后,则表示该区块链资产确实是由A发出的。至此,用户A与用户B之间完成了区块链资产的交易。在上述区块链交易过程中,卖方A分别利用(自己的私钥A+对方的公钥B’)对出售的区块链资产进行了安全处理,买方B则分别利用(对方的公钥A’+自己的私钥B)对购买的区块链资产进行安全验证,从而完成了区块链资产的安全交易。因此,当用户为卖方角色时,私钥用于为卖方签名,当用户为买方角色时,私钥用于为买方解密;当用户为卖方时,公钥用于为对方(买方)验签,当用户为买方角色时,公钥用于为对方(卖方)加密;也即是,公钥由本人公开,用于加密和验证签名,是给别人用的;私钥用来进行解密和签名,是给自己用的。在本发明实施例中,处理器101将钱包私钥的使用过程(包括解密或签名)在安全元件内部进行,即当需要使用私钥时,处理器101将私钥从第二存储器103中读出来,然后在安全元件10内部使用,避免将钱包私钥暴露在普通的外部环境中,提升了区块链钱包的安全性能。In a possible implementation, the processor 101 is further configured to read the wallet private key from the second memory 103, and use the wallet private key to perform transaction data on the blockchain wallet in the secure element 10. Decrypt or sign. In the blockchain transaction process, the private key is equivalent to the bank card password and is non-public, used to prove the identity and assets of the user, while the public key is equivalent to the bank card number, which is public and used for other users to transfer money. . For example, if user A sells his own blockchain assets to user B, he will use the private key A that can prove A’s identity to sign the blockchain asset to prove that the asset belongs to A and will be signed by the private key A The blockchain asset is encrypted by user B’s public key B'(known), indicating that it is sent to user B’s address. Therefore, user B uses his private key B to decrypt the address and finds that the blockchain asset is Send to yourself, and then use A's public key A'(known) to verify the blockchain asset. After the verification is successful, it means that the blockchain asset is indeed issued by A. So far, user A and user B have completed the transaction of blockchain assets. In the above-mentioned blockchain transaction process, the seller A uses (own private key A + the other party's public key B') to securely process the sold blockchain assets, and the buyer B uses (the other party's public key A' +Own private key B) Perform security verification on the purchased blockchain assets, thereby completing the secure transaction of blockchain assets. Therefore, when the user is in the seller role, the private key is used to sign the seller, when the user is in the buyer role, the private key is used to decrypt the buyer; when the user is the seller, the public key is used to verify the signature for the other party (buyer). When the user is the buyer, the public key is used to encrypt the other party (seller); that is, the public key is disclosed by the user, used to encrypt and verify the signature, and is for others; the private key is used for decryption and signature. It is for my own use. In the embodiment of the present invention, the processor 101 performs the process of using the wallet private key (including decryption or signature) inside the secure element, that is, when the private key needs to be used, the processor 101 reads the private key from the second memory 103 It is then used inside the secure element 10 to avoid exposing the wallet private key to the ordinary external environment, which improves the security performance of the blockchain wallet.
在一种可能的实现方式中,所述区块链钱包的交易数据包括区块链资产买入数据或区块链资产卖出数据。即本发明实施例中,利用所述钱包私钥在安全元件10内对所述区块链钱包的交易数据进行解密或签名,可以包括利用钱包私钥对区块链资产买入数据进行解密,也可以包括利用钱包私钥对区块链资产卖出数据进行签名,即该区块链钱包的交易数据包括了区块链交易中的双向买卖过程。In a possible implementation manner, the transaction data of the blockchain wallet includes blockchain asset purchase data or blockchain asset sale data. That is, in the embodiment of the present invention, using the wallet private key to decrypt or sign the transaction data of the blockchain wallet in the secure element 10 may include using the wallet private key to decrypt the blockchain asset purchase data, It can also include using the wallet private key to sign the blockchain asset sale data, that is, the transaction data of the blockchain wallet includes the two-way buying and selling process in the blockchain transaction.
由于本发明实施例中的安全元件具有独立的处理器101、内存(第一存储器102)以及存储单元(第二存储器103),可实现与安全元件10所耦合的智能设备的中央操作系统以及应用软件执行环境的物理隔离,因此,可为运行在安全元件10内部的区块链钱包程序,提供较高的安全环境,并且由于该安全元件可以利用与其所耦合的智能设备中的通信、联网功能进行交易,因此可以克服冷钱包的缺陷,使得交易灵活方便。进一步地,通过在安全元件10内部生成助记符以及钱包私钥,从源头以及生成过程上保证了钱包私钥产生的安 全性,同时,将生成的钱包私钥存储在安全元件10内的第二存储器103上,避免私钥的泄露或非法篡改,保证了钱包私钥存储的安全性;更进一步地,当区块链钱包需要使用私钥时,则通过处理器101读取存储在第二存储器103内的私钥,在安全元件10内部进行解密或签名,又保证了钱包私钥使用的安全性。综上,本发明实施例实现了区块链钱包的安全启动、开通、存储、交易等核心功能,同时具备了热钱包的灵活性和冷钱包的安全性,且可以极大的提升区块链钱包的安全性及可靠性,本申请中的安全元件10可以应用于智能IC(integrated circuit)卡、加密机、智能终端(如智能手机、智能可穿戴设备、平板电脑等)、计算机等各种类型的设备中,以支持各类设备中区块链钱包的功能。Since the secure element in the embodiment of the present invention has an independent processor 101, memory (first memory 102), and storage unit (second memory 103), the central operating system and applications of the smart device coupled with the secure element 10 can be realized The physical isolation of the software execution environment, therefore, can provide a higher security environment for the blockchain wallet program running inside the secure element 10, and because the secure element can use the communication and networking functions in the smart device to which it is coupled Therefore, it can overcome the shortcomings of cold wallets and make transactions flexible and convenient. Further, by generating a mnemonic and a wallet private key inside the secure element 10, the security of the wallet private key generation is ensured from the source and the generation process, and at the same time, the generated wallet private key is stored in the first part of the secure element 10. On the second memory 103, the leakage or illegal tampering of the private key is avoided, and the security of the wallet private key storage is ensured; further, when the blockchain wallet needs to use the private key, the processor 101 reads the storage in the second The private key in the memory 103 is decrypted or signed inside the secure element 10, which ensures the security of the wallet private key. In summary, the embodiment of the present invention realizes the core functions of the blockchain wallet such as secure startup, activation, storage, and transaction, and at the same time has the flexibility of a hot wallet and the security of a cold wallet, and can greatly improve the blockchain For the security and reliability of the wallet, the secure element 10 in this application can be applied to smart IC (integrated circuit) cards, encryption machines, smart terminals (such as smart phones, smart wearable devices, tablet computers, etc.), computers, etc. In order to support the function of blockchain wallet in various devices.
请参见图2,图2是本发明实施例提供的另一种安全元件的结构示意图,该安全元件10中除了包括图1中的处理器101、第一存储器102和第二存储器103,以及执行上述图1中实施例的对应功能以外,还可以包括与处理器101耦合的随机数生成器104和/或加解密引擎105,且随机数生成器104和加解密引擎105也可以和处理器101、第一存储器102和第二存储器103集成在半导体芯片IC1内。其中,加解密引擎105,用于在处理器101生成所述钱包私钥后,对所述钱包私钥进行安全处理,所述安全处理包括安全加密或完整性保护中的至少一项,例如,完整性保护为利用预设哈希算法生成该钱包私钥的哈希值等,本申请对具体的安全处理方式不作具体限定。而处理器101则具体用于将经过所述安全处理后的钱包私钥写入到所述第二存储器103中;第二存储器103具体用于存储经过所述安全处理后的钱包私钥。进一步地,在一种可能的实现方式中,处理器101具体用于从第二存储器103中读取所述经过所述安全处理后的钱包私钥,并将所述经过所述安全处理后的钱包私钥和所述区块链钱包的交易数据发送至所述加解密引擎105;加解密引擎105还用于对经过所述安全处理后的钱包私钥进行安全验证,并在安全验证成功后,利用所述钱包私钥对所述区块链钱包的交易数据进行解密或签名,并将解密或签名后的交易数据反馈至所述处理器101,所述安全验证为所述安全处理的逆操作。例如,当处理器101接收到针对区块链钱包的相关交易指令,且需要使用钱包私钥时,则处理器101需要先从第二存储器103中读取已经过安全处理的钱包私钥,并将钱包私钥发送至加解密引擎105中进行安全验证,在保证钱包私钥在安全存储之后没有被非法篡改,才确定使用该钱包私钥进行区块链交易的相关处理。也即是在安全元件10内部生成私钥之后,不直接将钱包私钥进行明文存储,而是将钱包私钥进行加密存储和/或完整性保护,避免钱包私钥被轻易获取或非法篡改,同时,也可以确保钱包私钥仅在验证成功后被区块链钱包程序所使用,避免钱包私钥被篡改后继续使用会对用户的区块链资产产生不可挽回的损失。因此,本发明实施例可以进一步的加强钱包私钥在安全元件10内部的存储及使用的安全性。可选的,加解密引擎105可以是一个包括电路结构的硬件加速器,由于硬件形式的加解密引擎105独立于处理器101,专用于实现相关的安全处理或验证功能,有利于提升安全处理时的性能。Please refer to FIG. 2, which is a schematic structural diagram of another secure element provided by an embodiment of the present invention. The secure element 10 includes the processor 101, the first memory 102, and the second memory 103 in FIG. In addition to the corresponding functions of the embodiment in FIG. 1, it may also include a random number generator 104 and/or an encryption and decryption engine 105 coupled to the processor 101, and the random number generator 104 and the encryption and decryption engine 105 may also be connected to the processor 101. , The first memory 102 and the second memory 103 are integrated in the semiconductor chip IC1. Wherein, the encryption and decryption engine 105 is configured to perform security processing on the wallet private key after the processor 101 generates the wallet private key, and the security processing includes at least one of security encryption or integrity protection, for example, Integrity protection is the use of a preset hash algorithm to generate the hash value of the wallet private key, etc. This application does not specifically limit the specific security processing method. The processor 101 is specifically configured to write the wallet private key after the security processing into the second memory 103; the second memory 103 is specifically configured to store the wallet private key after the security processing. Further, in a possible implementation manner, the processor 101 is specifically configured to read the wallet private key after the security processing from the second memory 103, and to store the security processing The wallet private key and the transaction data of the blockchain wallet are sent to the encryption and decryption engine 105; the encryption and decryption engine 105 is also used to perform security verification on the wallet private key after the security processing, and after the security verification is successful , Using the wallet private key to decrypt or sign the transaction data of the blockchain wallet, and feedback the decrypted or signed transaction data to the processor 101, the security verification is the inverse of the security processing operating. For example, when the processor 101 receives a related transaction instruction for a blockchain wallet and needs to use the wallet private key, the processor 101 needs to first read the wallet private key that has undergone security processing from the second memory 103, and The wallet private key is sent to the encryption and decryption engine 105 for security verification. After ensuring that the wallet private key has not been illegally tampered with after it is safely stored, it is determined that the wallet private key is used for blockchain transaction related processing. That is, after the private key is generated inside the secure element 10, the wallet private key is not directly stored in plaintext, but the wallet private key is encrypted for storage and/or integrity protection, so as to prevent the wallet private key from being easily obtained or illegally tampered with. At the same time, it can also ensure that the wallet private key is only used by the blockchain wallet program after the verification is successful, so as to avoid the irreversible loss of the user's blockchain assets if the wallet private key is tampered with. Therefore, the embodiment of the present invention can further enhance the security of the storage and use of the wallet private key inside the secure element 10. Optionally, the encryption and decryption engine 105 may be a hardware accelerator that includes a circuit structure. Since the encryption and decryption engine 105 in the form of hardware is independent of the processor 101, it is dedicated to implementing related security processing or verification functions, which is beneficial to improve security processing. performance.
可替换地,所述加解密引擎105的功能也可以被所述处理器101所代替,此时将不需要独立的硬件加解密引擎105来对从存储器第二存储器103读出的或向第二存储器103写入的钱包私钥做安全处理,而是由处理器101自身集成该安全功能。Alternatively, the function of the encryption and decryption engine 105 can also be replaced by the processor 101. In this case, there is no need for an independent hardware encryption and decryption engine 105 to read from the second memory 103 or to the second memory. The wallet private key written in the memory 103 is used for security processing, but the processor 101 itself integrates the security function.
在一种可能的实现方式中,安全元件10还可包括随机数生成器104,用于生成随机数; 处理器101则具体用于从随机数生成器104获取所述随机数,基于所述随机数生成所述助记符,并根据所述助记符生成所述区块链钱包的种子,根据所述种子生成所述区块链钱包的至少一个所述钱包私钥。可选的,随机数生成器104可以为真随机数生成器(True Random Number Generator,TRNG),TRNG是通过物理过程而不是计算机程序来生成随机数字,可根据物理信号得到不可预测的随机数。由于随机数是在安全元件10内部生成的,因此可以保证助记符产生的安全性,且由专用的随机数生成器104来生成,可以提升随机数生成的随机性。例如,本申请中在安全元件10内部生成钱包私钥的过程具体可以如下:In a possible implementation manner, the secure element 10 may further include a random number generator 104 for generating random numbers; the processor 101 is specifically configured to obtain the random number from the random number generator 104, based on the random number generator 104. The mnemonic is generated by counting, the seed of the blockchain wallet is generated according to the mnemonic, and at least one private key of the blockchain wallet is generated according to the seed. Optionally, the random number generator 104 may be a true random number generator (TRNG). The TRNG generates random numbers through a physical process rather than a computer program, and can obtain unpredictable random numbers based on physical signals. Since the random number is generated inside the secure element 10, the security of the mnemonic generation can be guaranteed, and it is generated by the dedicated random number generator 104, which can improve the randomness of random number generation. For example, the process of generating the wallet private key inside the secure element 10 in this application can be specifically as follows:
1、在安全元件10内部,通过随机数生成器104生成128到256位的随机序列(可以称之为熵);1. Inside the secure element 10, a random sequence of 128 to 256 bits (which can be called entropy) is generated by the random number generator 104;
2、处理器101取熵哈希(SHA256)后的前n位(n=熵长度/32)作为校验和,将校验和添加到随机序列的末尾,对得到的结果的每11位进行切割,将每个包含11位字节的值与预先定义的词库做匹配,生成的有顺序的单词组就是助记符;2. The processor 101 takes the first n bits (n=entropy length/32) after the entropy hash (SHA256) as the checksum, adds the checksum to the end of the random sequence, and performs every 11 bits of the result Cutting, matching each value containing 11-bit bytes with a predefined thesaurus, the generated sequenced word group is the mnemonic;
3、处理器101或加解密引擎105基于助记符并采用密钥延伸函数(PBKDF2function),推导生成较长的(512位)种子(seed),其中,所得的种子用于构建确定性钱包(deterministic Wallet)并推导钱包密钥;3. The processor 101 or the encryption and decryption engine 105 derives and generates a longer (512-bit) seed based on the mnemonic and adopts the key extension function (PBKDF2function), wherein the obtained seed is used to construct a deterministic wallet ( deterministic Wallet) and derive the wallet key;
4、处理器101或加解密引擎105根据种子,通过HMAC-SHA512算法,生成母密钥;4. The processor 101 or the encryption and decryption engine 105 uses the HMAC-SHA512 algorithm to generate a parent key according to the seed;
5、处理器101或加解密引擎105根据母秘钥,通过子秘钥推导(child key derivation,CKD)函数,生成众多子密钥。可以理解的是,本申请中的钱包私钥可以为上述母密钥,也可以为上述子密钥中的一个。5. The processor 101 or the encryption and decryption engine 105 generates a large number of child keys through a child key derivation (CKD) function according to the mother secret key. It is understandable that the wallet private key in this application can be the above-mentioned parent key or one of the above-mentioned sub-keys.
可替换地,所述随机数生成器104的功能也可以被所述处理器101所代替,此时将不需要独立的随机数生成器104来生成随机数,而是由处理器101自身集成该随机数生成功能。Alternatively, the function of the random number generator 104 can also be replaced by the processor 101. In this case, an independent random number generator 104 is not needed to generate random numbers, but the processor 101 itself integrates the Random number generation function.
在一种可能的实现方式中,所述处理器101还用于根据所述钱包私钥生成钱包公钥和钱包地址。由于在区块链钱包中,公钥与私钥是成对存在的,私钥是由助记符生成的,公钥是则是由私钥通过算法推导出来。但由于公钥太长,为了简便实用,就产生了“地址”,在交易中通常不显示公钥,只显示两个地址之间的转账,而地址则是由公钥推导出来的。需要说明的是,这些推导过程是单向不可逆的,也就是地址不能推出公钥,公钥不能推出私钥。本发明实施例,通过在安全元件内部生成区块链钱包中用于对外交易的的公钥或钱包地址,以保证区块链钱包交易功能的完整性和安全性。可选的,所述钱包公钥可以和钱包私钥一样存储在所述第二存储器103中,也可以存储在与所述安全元件10耦合的外部存储器中,例如可以存储在与安全元件10耦合的可信执行环境TEE中的存储器中,也可以存储在与安全元件10耦合的富执行环境REE中的存储器中,本发明实施例对此不作具体限定。In a possible implementation manner, the processor 101 is further configured to generate a wallet public key and a wallet address according to the wallet private key. Since in the blockchain wallet, the public key and the private key exist in pairs, the private key is generated by the mnemonic, and the public key is derived from the private key through an algorithm. But because the public key is too long, for simplicity and practicality, an "address" is generated. Usually, the public key is not displayed in the transaction, only the transfer between two addresses is displayed, and the address is derived from the public key. It should be noted that these derivation processes are one-way irreversible, that is, addresses cannot be derived from public keys, and public keys cannot be derived from private keys. In the embodiment of the present invention, the public key or wallet address used for external transactions in the blockchain wallet is generated inside the secure element to ensure the integrity and security of the blockchain wallet transaction function. Optionally, the wallet public key can be stored in the second memory 103 the same as the wallet private key, or can be stored in an external memory coupled with the secure element 10, for example, can be stored in the second memory 103 coupled with the secure element 10. The memory in the trusted execution environment TEE may also be stored in the memory in the rich execution environment REE coupled with the secure element 10, which is not specifically limited in the embodiment of the present invention.
在一种可能的实现方式中,请参见图3,图3是本发明实施例提供的又一种安全元件的结构示意图,作为对图1或图2中的安全元件中部分功能模块的细化,所述区块链钱包程序存储于所述第二存储器103中的第一安全域1031中,所述第一安全域1031为所述区块链钱包程序专用的存储空间;所述处理器101,具体用于将所述区块链钱包程序从所述第一安全域1031中加载至所述第一存储器102的第二安全域1021中进行运行,所述第二 安全域1021为所述区块链钱包程序专用的运行空间。也即是在安全元件10内部,为区块链钱包程序划分专用的存储区域和运行区域。本发明实施例中,将安全元件10内部的存储空间和运行空间,进行进一步的划分,使得各个不同的应用之间进行区域划分,避免相互干扰,进一步进行安全隔离。例如,安全元件10中除了加载运行了区块链钱包程序以外,还运行有其他的应用程序,如身份认证应用、人脸识别应用、指纹识别应用等,安全支付应用等,不同的应用程序所在的不同的安全域,可以对应不同的安全服务。需要说明的是,在本发明实施例中,安全域是可以根据应用程序的业务类型、安全级别等进行划分的逻辑区域,不同的安全域之间有不同的安全访问控制策略,实现不同安全域之间的访问控制,从而安全隔离不同的安全域,最终保护每个安全域内的应用程序的运行。In a possible implementation manner, please refer to Figure 3. Figure 3 is a schematic structural diagram of yet another secure element provided by an embodiment of the present invention, as a refinement of some functional modules in the secure element in Figure 1 or Figure 2 , The blockchain wallet program is stored in the first security domain 1031 in the second memory 103, the first security domain 1031 is a storage space dedicated to the blockchain wallet program; the processor 101 , Specifically used to load the blockchain wallet program from the first security domain 1031 to the second security domain 1021 of the first memory 102 for operation, and the second security domain 1021 is the zone A dedicated operating space for blockchain wallet programs. That is, inside the secure element 10, a dedicated storage area and an operating area are divided for the blockchain wallet program. In the embodiment of the present invention, the storage space and the operating space inside the secure element 10 are further divided, so that different applications are divided into areas to avoid mutual interference and further secure isolation. For example, in addition to loading and running the blockchain wallet program, the secure element 10 also runs other applications, such as identity authentication applications, facial recognition applications, fingerprint recognition applications, etc., secure payment applications, etc., where different applications are located Different security domains can correspond to different security services. It should be noted that, in the embodiment of the present invention, the security domain is a logical area that can be divided according to the business type, security level, etc. of the application. Different security domains have different security access control strategies to realize different security domains. Access control between different security domains safely isolates different security domains and ultimately protects the operation of applications in each security domain.
请参见图4,图4是本发明实施例提供的一种安全装置20,该安全装置20可包括上述图1-图3中对应的任意一个安全元件10,和耦合于所述安全元件10的至少一个中央处理单元201(图3中以一个为例);该至少一个中央处理单元201可以与安全元件10共同在集成在半导体芯片IC1内,也可以在不同的半导体芯片上。所述至少一个中央处理单元201,用于运行通用操作系统软件,并在所述通用操作系统软件的作用下与所述安全元件10通信。在一种可能的实现方式中,所述至少一个中央处理单元201,还用于在可信执行环境中向所述安全元件10发送所述区块链钱包的交易数据。可选的,该安全装置20还可以包括存储器202,可用于存储中央处理单元201或者安全元件10所产生的数据,该存储器202可以与安全元件10以及至少一个中央处理单元201共同在集成在半导体芯片IC1内,也可以单独位于不同的半导体芯片上,且存储器202与至少一个中央处理单元201之间也可以置于不同的半导体芯片上。例如,安全元件10和至少一个中央处理单元201集成在IC1上,存储器202位于IC2上,或者安全元件10集成在IC1上,存储器202与至少一个中央处理单元201集成在IC2上等,本申请对此不作具体限定。本发明实施例,通过在安全装置20中设置图1-图3中对应的任意一个安全元件10,以及与该安全元件10耦合的中央处理单元201,使得安全元件10可以作为安全装置20中的一个专用的安全处理芯片,用于处理区块链钱包中相关的敏感数据(包括钱包私钥的生成以及使用等),而中央处理单元201则通过运行通用操作系统,对区块链钱包的非敏感数据以及其他应用程序的数据进行处理,不仅保证了区块链钱包程序在安全装置20中的安全性和隔离性,同时也可实现安全装置20的其它普通功能。该安全装置20可以为加密机、智能终端(如智能手机、智能可穿戴设备、平板电脑等)、智能设备、计算机等各种类型的设备。Please refer to FIG. 4, which is a security device 20 provided by an embodiment of the present invention. The security device 20 may include any one of the security elements 10 corresponding to FIGS. 1 to 3, and a device coupled to the security element 10 At least one central processing unit 201 (take one as an example in FIG. 3); the at least one central processing unit 201 can be integrated in the semiconductor chip IC1 together with the security element 10, or on a different semiconductor chip. The at least one central processing unit 201 is configured to run general operating system software, and communicate with the secure element 10 under the action of the general operating system software. In a possible implementation, the at least one central processing unit 201 is further configured to send transaction data of the blockchain wallet to the secure element 10 in a trusted execution environment. Optionally, the security device 20 may also include a memory 202 that can be used to store data generated by the central processing unit 201 or the secure element 10. The memory 202 can be integrated in the semiconductor with the secure element 10 and at least one central processing unit 201. The chip IC1 may also be separately located on different semiconductor chips, and the memory 202 and the at least one central processing unit 201 may also be located on different semiconductor chips. For example, the secure element 10 and at least one central processing unit 201 are integrated on IC1, the memory 202 is located on IC2, or the secure element 10 is integrated on IC1, and the memory 202 and at least one central processing unit 201 are integrated on IC2. This is not specifically limited. In the embodiment of the present invention, by setting any one of the security elements 10 corresponding to FIGS. 1 to 3 in the security device 20, and the central processing unit 201 coupled with the security element 10, the security element 10 can be used as the security device 20. A dedicated security processing chip is used to process related sensitive data in the blockchain wallet (including the generation and use of the wallet’s private key, etc.), while the central processing unit 201 runs a general operating system to prevent the The processing of sensitive data and data of other applications not only ensures the security and isolation of the blockchain wallet program in the security device 20, but also realizes other common functions of the security device 20. The security device 20 can be an encryption machine, a smart terminal (such as a smart phone, a smart wearable device, a tablet computer, etc.), a smart device, a computer, and other types of devices.
在本发明的各个实施例中,半导体芯片也简称为芯片,其可以是利用集成电路工艺制作在集成电路衬底(通常是例如硅一类的半导体材料)上的集成电路的集合,其外层通常被半导体封装材料封装。所述集成电路可以包括金属氧化物半导体(Metal-Oxide-Semiconductor,MOS)晶体管、双极晶体管或二极管等。半导体芯片可以独立工作或者在必要的驱动软件的作用下工作,实现通信、计算、或存储等各类功能。In the various embodiments of the present invention, a semiconductor chip is also referred to as a chip for short. It may be a collection of integrated circuits fabricated on an integrated circuit substrate (usually a semiconductor material such as silicon) using integrated circuit technology. Usually encapsulated by semiconductor packaging materials. The integrated circuit may include a Metal-Oxide-Semiconductor (MOS) transistor, a bipolar transistor, a diode, or the like. The semiconductor chip can work independently or under the action of necessary driver software to realize various functions such as communication, calculation, or storage.
下面基于上述安全装置20(例如为移动终端)的相关功能描述,并结合REE+TEE+SEE的三层安全架构,对安全装置20在该安全架构下的具体应用进行描述。请参见图5,图5为本发明实施例提供的一种用于区块链钱包安全交易的软件系统架构的简化示意图,其中 REE为富执行环境,运行安全不敏感的程序和保存安全不敏感数据,存在一定的安全风险;TEE为可信执行环境,运行安全敏感程序和保存安全敏感数据,提供一定级别的安全隔离,SEE为安全执行环境,运行金融支付等高安全程序和保存金融支付等高安全数据,提供更高级别的安全隔离。TEE系统中的可信应用(Trusted Application,TA)用于接收REE侧的命令,并进行处理,根据需要发送APDU命令至SEE模块中,再由SEE模块进行相关命令的响应。The following describes the specific application of the security device 20 under the security architecture based on the relevant functional description of the security device 20 (for example, a mobile terminal) and combined with the three-layer security architecture of REE+TEE+SEE. Please refer to Figure 5. Figure 5 is a simplified schematic diagram of a software system architecture for blockchain wallet secure transactions provided by an embodiment of the present invention, where REE is a rich execution environment, running security-insensitive programs and storing security-insensitive Data, there are certain security risks; TEE is a trusted execution environment, runs security-sensitive programs and saves security-sensitive data, provides a certain level of security isolation, SEE is a secure execution environment, runs high-security programs such as financial payments, and saves financial payments, etc. High security data provides a higher level of security isolation. The Trusted Application (TA) in the TEE system is used to receive and process the commands on the REE side, send APDU commands to the SEE module as needed, and then the SEE module to respond to related commands.
本申请中图1-图3中所述的安全元件(Secure Element,SE)10可以作为图5中的软件系统架构中的SEE层。而被中央处理单元201执行的可信执行环境与同样被中央处理单元201运行的通用操作系统软件(如安卓系统环境)则分别作为图5中的软件系统架构中的TEE层和REE层。虽然由同一个中央处理单元201运行,但可信执行环境与通用操作系统软件之间分别是两个独立的软件系统,存在安全隔离,且安全隔离性很好。通用操作系统软件和基于该操作系统的普通应用软件的运行程序,不能随意访问该可信执行环境。可信执行环境则可以与由处理器101运行区块链钱包程序所形成的环境,即与安全元件10之间进行数据交互。因此,通用操作系统软件、可信执行环境和安全元件10三者之间均存在安全隔离,使得通用操作系统软件或基于该软件的普通应用软件的运行程序对可信执行环境和安全元件10的访问不是随意的,即便所述访问被执行,也需要经过特定的软件或硬件的安全接口,并且可信执行环境和安全元件10之间的安全隔离度相对更低,操作相对方便。所述普通应用软件可以包括各类非安全支付相关的软件,如即时通信软件、游戏、办公软件、电子书软件或音视频流媒体播放器等。The Secure Element (SE) 10 described in FIGS. 1 to 3 in this application can be used as the SEE layer in the software system architecture in FIG. 5. The trusted execution environment executed by the central processing unit 201 and the general operating system software (such as the Android system environment) also executed by the central processing unit 201 respectively serve as the TEE layer and the REE layer in the software system architecture in FIG. 5. Although run by the same central processing unit 201, there are two independent software systems between the trusted execution environment and the general operating system software, and there is security isolation, and the security isolation is very good. General operating system software and running programs of general application software based on the operating system cannot freely access the trusted execution environment. The trusted execution environment can exchange data with the environment formed by the processor 101 running the blockchain wallet program, that is, with the secure element 10. Therefore, there is a security isolation between the general operating system software, the trusted execution environment, and the secure element 10, so that the general operating system software or the running program of the common application software based on the software can affect the trusted execution environment and the secure element 10 The access is not random. Even if the access is executed, it needs to pass through a specific software or hardware security interface, and the security isolation between the trusted execution environment and the secure element 10 is relatively low, and the operation is relatively convenient. The common application software may include various non-secure payment related software, such as instant messaging software, games, office software, e-book software, or audio and video streaming media players.
在一种可能的实现方式中,在可信执行环境中来实现对区块链钱包的公钥的管理,包括存储和使用等。具体地,公钥可以存储在存储器202中与可信执行环境对应的存储部分。也可以在可信执行环境中,利用所述公钥进对所述区块链钱包的交易数据进行加密或验签。In a possible implementation, the management of the public key of the blockchain wallet is implemented in a trusted execution environment, including storage and use. Specifically, the public key may be stored in a storage part of the memory 202 corresponding to the trusted execution environment. It is also possible to use the public key to encrypt or verify the transaction data of the blockchain wallet in a trusted execution environment.
可选的,可信执行环境还可以提供可视化的区块链交易或其他金融业务的用户界面(User interface,UI),以便用户通过该UI输入指令和获取可视化信息。该UI是一个可信UI(Trust UI),其区别于通用操作系统软件提供的普通UI,使得用户输入的所述指令通过可信执行环境传输至安全元件10,同理也可以使得安全元件10中需要显示在用户界面的可视化信息,通过该UI进行安全显示而不会被非法篡改,保障用户通过该UI完成与安全元件10的信息交互的安全性。比如,在区块链交易的取、存、付、收和查询等过程中,安全装置20需要和用户进行场景交互,例如,区块链钱包需要显示账号信息(二维码信息或资产信息等)、在区块链钱包开通、绑定的过程中需要打开摄像头采集用户生物特征、区块链钱包交易时需要用户输入确认信息等,均可由TEE支持的可信UI进行处理、或由TEE控制对应的硬件设备(如摄像头、物理按键、触摸屏等)来实现,同时满足高性能和高安全的需求,而REE中的普通软件则不能直接进行界面显示或控制,杜绝交易界面假冒、钓鱼和恶意软件假冒和窃取数据。Optionally, the trusted execution environment may also provide a visualized user interface (UI) for blockchain transactions or other financial services, so that users can input instructions and obtain visual information through the UI. The UI is a trusted UI (Trust UI), which is different from the ordinary UI provided by general operating system software, so that the instructions input by the user are transmitted to the secure element 10 through the trusted execution environment, and the secure element 10 can also be made The visual information that needs to be displayed on the user interface is displayed safely through the UI without being illegally tampered with, so as to ensure the safety of the user completing the information interaction with the secure element 10 through the UI. For example, in the process of fetching, depositing, paying, receiving and querying blockchain transactions, the security device 20 needs to interact with the user in the scene. For example, the blockchain wallet needs to display account information (QR code information or asset information, etc.) ), in the process of opening and binding the blockchain wallet, the camera needs to be turned on to collect the user's biological characteristics, and the blockchain wallet transaction requires the user to enter confirmation information, etc., which can be processed by the trusted UI supported by the TEE or controlled by the TEE Corresponding hardware devices (such as cameras, physical buttons, touch screens, etc.) are implemented, while meeting the requirements of high performance and high security, while ordinary software in REE cannot directly display or control the interface, preventing counterfeiting, phishing and malicious transactions on the trading interface Software counterfeiting and data theft.
进一步的,上述安全装置20(例如为移动终端)还可以通过远程的全面维护系统(Tivoli Storage Manager,TSM)提供的TSM远程配置服务,提高密钥和算法的安全性,从而提高区块链钱包密钥的安全性。请参见图6,图6为发明实施例提供的一种基于TSM架构的远程配置网络架构图,移动终端20无论作为区块链交易的买方或是卖方均可通过移动终端 20中包括的移动通信单元203所提供的无线通信链路30接入到无线接入网(Radio Access Network,RAN)40,从而接入到互联网中,最终与网络侧的TSM进行交互,同理,若网络侧还有其它区块链的相关服务系统,则也与该TSM在图6中所处的位置相同,且与移动终端20的交互流程类似,此处不一一介绍。具体地,在安全元件10(如安全元件10中的第二存储器103的第一安全域1031)中存储区块链钱包的业务秘钥key(可包括钱包私钥、公钥等)和算法配置参数。通过TSM 50的putkey和Storedata命令远程对第一安全域1031中存储的业务key和算法配置参数进行更新、替换、配置、升级等。例如,可通过TSM 50的Putkey命令完成key的替换、更新,也可作废以前的key,使其不能再使用。又例如TSM50通过Storedata命令完成修改配置的下发,如,秘钥运算使用的参数(使能、算法标识、密钥长度、运算模式、填充方式),使加解密支持更高安全级别,同理也可配置加解密不可用。可选的,在移动终端被盗和丢失情况下,通过TSM 50的putkey和Storedata命令远程disable存储在安全元件10里面的秘钥和算法,使区块链手机钱包不能使用,避免区块链钱包损失。即移动终端被盗和丢失时,无需针对整机进行处理,可以进一步对区块链手机钱包进行精准处理。Further, the aforementioned security device 20 (for example, a mobile terminal) can also use the TSM remote configuration service provided by the remote comprehensive maintenance system (Tivoli Storage Manager, TSM) to improve the security of keys and algorithms, thereby improving the blockchain wallet The security of the key. Please refer to FIG. 6, which is a diagram of a remote configuration network architecture based on the TSM architecture provided by an embodiment of the invention. The mobile terminal 20, whether as a buyer or seller of a blockchain transaction, can use the mobile communication included in the mobile terminal 20 The wireless communication link 30 provided by the unit 203 is connected to a radio access network (Radio Access Network, RAN) 40, thereby connecting to the Internet, and finally interacting with the TSM on the network side. For the same reason, if there is another The related service systems of other blockchains are also in the same position as the TSM in FIG. 6 and similar to the interaction process of the mobile terminal 20, so they will not be introduced here. Specifically, the security element 10 (such as the first security domain 1031 of the second memory 103 in the secure element 10) stores the business secret key (which may include the wallet private key, public key, etc.) and algorithm configuration of the blockchain wallet parameter. Remotely update, replace, configure, and upgrade the service key and algorithm configuration parameters stored in the first security domain 1031 through the putkey and Storedata commands of TSM 50. For example, the key can be replaced and updated through the Putkey command of TSM 50, or the previous key can be invalidated so that it can no longer be used. For example, TSM50 completes the issuance of modified configuration through Storedata commands, such as the parameters used in secret key calculations (enable, algorithm identification, key length, operation mode, filling method), so that encryption and decryption support higher security levels, the same is true It can also be configured that encryption and decryption are not available. Optionally, when the mobile terminal is stolen or lost, remotely disable the secret key and algorithm stored in the secure element 10 through the putkey and Storedata commands of TSM 50, so that the blockchain mobile wallet cannot be used and avoids the blockchain wallet loss. That is, when the mobile terminal is stolen or lost, there is no need to deal with the whole machine, and the blockchain mobile wallet can be further processed accurately.
请参见图7,图7是本发明实施例提供的一种安全处理方法的流程示意图,该安全处理方法,适用于上述图1-图3和图4中的任意一种安全元件以及包含所述安全元件的设备(如安全装置20)。该方法可以包括以下步骤S701-步骤S703,其中,步骤S701:通过安全元件中的处理器运行安全操作系统和基于所述安全操作系统的区块链钱包程序;步骤S702:由安全元件中的第一存储器为所述处理器提供运行所述安全操作系统和所述区块链钱包程序所需的内存空间;步骤S703:在所述区块链钱包程序的作用下,由所述处理器生成助记符,基于所述助记符获得区块链钱包的钱包私钥,将所述钱包私钥存储至所述安全元件的第二存储器中。Please refer to FIG. 7. FIG. 7 is a schematic flowchart of a security processing method provided by an embodiment of the present invention. The security processing method is applicable to any one of the security elements in FIGS. 1 to 3 and 4 and includes the Security element equipment (such as security device 20). The method may include the following steps S701 to S703, wherein, step S701: run a secure operating system and a blockchain wallet program based on the secure operating system through the processor in the secure element; step S702: use the second in the secure element A memory provides the processor with the memory space required to run the secure operating system and the blockchain wallet program; step S703: under the action of the blockchain wallet program, the processor generates an assistant A token, a wallet private key of a blockchain wallet is obtained based on the mnemonic, and the wallet private key is stored in the second memory of the secure element.
在一种可能的实现方式中,所述方法还包括:由所述处理器从所述第二存储器中读取所述钱包私钥,利用所述钱包私钥在所述安全元件内对所述区块链钱包的交易数据进行解密或签名。In a possible implementation manner, the method further includes: reading the wallet private key from the second memory by the processor, and using the wallet private key to compare the wallet private key in the secure element The transaction data of the blockchain wallet is decrypted or signed.
在一种可能的实现方式中,所述方法还包括:所述安全元件中的加解密引擎在所述处理器生成所述钱包私钥后,对所述钱包私钥进行安全处理,所述安全处理包括安全加密或完整性保护中的至少一项;所述由所述处理器将所述钱包私钥存储至所述安全元件的第二存储器中,包括:由所述处理器将经过所述安全处理后的钱包私钥写入到所述第二存储器中。In a possible implementation, the method further includes: the encryption and decryption engine in the secure element performs security processing on the wallet private key after the processor generates the wallet private key, and the security The processing includes at least one of security encryption or integrity protection; the storing, by the processor, of the wallet private key in the second memory of the secure element includes: passing through the processor by the processor The securely processed wallet private key is written into the second memory.
在一种可能的实现方式中,所述由所述处理器从所述第二存储器中读取所述钱包私钥,利用所述钱包私钥在所述安全元件内对所述区块链钱包的交易数据进行解密或签名,包括:由所述处理器从所述第二存储器中读取所述经过所述安全处理后的钱包私钥,将所述经过所述安全处理后的钱包私钥和所述区块链钱包的交易数据发送至所述加解密引擎;所述方法还包括:由所述加解密引擎对所述经过所述安全处理后的钱包私钥进行安全验证,并在安全验证成功后,利用所述钱包私钥对所述区块链钱包的交易数据进行解密或签名,并将解密或签名后的交易数据反馈至所述处理器,所述安全验证为所述安全处理的逆操作。In a possible implementation manner, the processor reads the wallet private key from the second memory, and uses the wallet private key to verify the blockchain wallet in the secure element. Decrypting or signing the transaction data includes: reading the securely processed wallet private key from the second memory by the processor, and converting the securely processed wallet private key The transaction data with the blockchain wallet is sent to the encryption and decryption engine; the method further includes: the encryption and decryption engine performs security verification on the wallet private key after the security processing, and After the verification is successful, the transaction data of the blockchain wallet is decrypted or signed using the wallet private key, and the decrypted or signed transaction data is fed back to the processor, and the security verification is the security processing The inverse operation.
在一种可能的实现方式中,所述方法还包括:由所述安全元件中的随机数生成器,生成随机数;所述由所述处理器生成助记符,包括:由所述处理器从所述随机数生成器获取所述随机数,基于所述随机数生成所述助记符。可选的,所述基于所述助记符获得区块链钱包的钱包私钥,包括:根据所述助记符生成所述区块链钱包的种子,根据所述种子生成所述区块链钱包的至少一个所述钱包私钥。In a possible implementation manner, the method further includes: generating a random number by a random number generator in the secure element; and generating the mnemonic by the processor includes: The random number is acquired from the random number generator, and the mnemonic is generated based on the random number. Optionally, the obtaining the wallet private key of the blockchain wallet based on the mnemonic includes: generating a seed of the blockchain wallet according to the mnemonic, and generating the blockchain according to the seed At least one of the wallet private keys of the wallet.
在一种可能的实现方式中,所述区块链钱包程序存储于所述第二存储器中的第一安全域中,所述第一安全域为所述区块链钱包程序专用的存储空间;所述通过安全元件中的处理器运行安全操作系统和基于所述安全操作系统的区块链钱包程序,包括:由所述处理器将所述区块链钱包程序从所述第一安全域中加载至所述第一存储器的第二安全域中进行运行,所述第二安全域为所述区块链钱包程序专用的运行空间。In a possible implementation, the blockchain wallet program is stored in a first security domain in the second memory, and the first security domain is a storage space dedicated to the blockchain wallet program; The operation of the secure operating system and the blockchain wallet program based on the secure operating system through the processor in the secure element includes: the processor removes the blockchain wallet program from the first secure domain It is loaded into the second security domain of the first memory for operation, and the second security domain is a dedicated operating space for the blockchain wallet program.
在一种可能的实现方式中,所述钱包私钥存储于所述第二存储器的所述第一安全域中。In a possible implementation manner, the wallet private key is stored in the first security domain of the second memory.
在一种可能的实现方式中,所述区块链钱包的交易数据包括区块链资产买入数据或区块链资产卖出数据。In a possible implementation manner, the transaction data of the blockchain wallet includes blockchain asset purchase data or blockchain asset sale data.
在一种可能的实现方式中,所述方法还包括:由所述处理器,根据所述钱包私钥生成钱包公钥和钱包地址。In a possible implementation manner, the method further includes: generating, by the processor, a wallet public key and a wallet address according to the wallet private key.
需要说明的是,本发明实施例中所描述的安全处理方法的具体流程,可参见上述图1-图6中所述的发明实施例中的相关描述,此处不再赘述。It should be noted that, for the specific flow of the security processing method described in the embodiment of the present invention, refer to the related description in the embodiment of the present invention described in FIG. 1 to FIG. 6, which will not be repeated here.
本发明实施例还提供一种计算机存储介质,其中,该计算机存储介质可存储有程序,该程序被安全元件执行时包括上述方法实施例中记载的任意一种的部分或全部步骤。The embodiment of the present invention further provides a computer storage medium, wherein the computer storage medium may store a program, and when the program is executed by the secure element, it includes part or all of the steps of any one of the above method embodiments.
本发明实施例还提供一种计算机程序,该计算机程序包括指令,当该计算机程序被安全元件执行时,使得所述安全元件可以执行任意一种安全处理方法的部分或全部步骤。The embodiment of the present invention also provides a computer program, which includes instructions, when the computer program is executed by a secure element, the secure element can execute part or all of the steps of any secure processing method.
在上述实施例中,对各个实施例的描述都各有侧重,某个实施例中没有详述的部分,可以参见其它实施例的相关描述。In the above-mentioned embodiments, the description of each embodiment has its own emphasis. For parts that are not described in detail in an embodiment, reference may be made to related descriptions of other embodiments.
需要说明的是,对于前述的各方法实施例,为了简单描述,故将其都表述为一系列的动作组合,但是本领域技术人员应该知悉,本申请并不受所描述的动作顺序的限制,因为依据本申请,某些步骤可能可以采用其它顺序或者同时进行。其次,本领域技术人员也应该知悉,说明书中所描述的实施例均属于优选实施例,所涉及的动作和模块并不一定是本申请所必须的。It should be noted that for the foregoing method embodiments, for the sake of simple description, they are all expressed as a series of action combinations, but those skilled in the art should know that this application is not limited by the described sequence of actions. Because according to this application, some steps may be performed in other order or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by this application.
在本申请所提供的几个实施例中,应该理解到,所揭露的装置,可通过其它的方式实现。例如,以上所描述的装置实施例仅仅是示意性的,例如上述单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如多个单元或组件可以结合或者可以集成到另一个系统,或一些特征可以忽略,或不执行。另一点,所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口,装置或单元的间接耦合或通信连接,可以是电性或其它的形式。In the several embodiments provided in this application, it should be understood that the disclosed device may be implemented in other ways. For example, the device embodiments described above are only illustrative. For example, the division of the above-mentioned units is only a logical function division, and there may be other divisions in actual implementation, for example, multiple units or components can be combined or integrated. To another system, or some features can be ignored, or not implemented. In addition, the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical or other forms.
上述作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部单元来实现本实施例方案的目的。The units described above as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
另外,在本申请各实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。上述集成的单元既可以采用硬件的形式实现,也可以采用软件功能单元的形式实现。In addition, the functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit. The above-mentioned integrated unit can be implemented in the form of hardware or software functional unit.
上述集成的单元如果以软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本申请的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的全部或部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以为个人计算机、服务器或者网络设备等,具体可以是计算机设备中的处理器)执行本申请各个实施例上述方法的全部或部分步骤。其中,而前述的存储介质可包括:U盘、移动硬盘、磁碟、光盘、只读存储器(Read-Only Memory,缩写:ROM)或者随机存取存储器(Random Access Memory,缩写:RAM)等各种可以存储程序代码的介质。If the above integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer readable storage medium. Based on this understanding, the technical solution of this application essentially or the part that contributes to the existing technology or all or part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium , Including several instructions to make a computer device (which may be a personal computer, a server, or a network device, etc., specifically a processor in a computer device) execute all or part of the steps of the foregoing methods of the various embodiments of the present application. Among them, the aforementioned storage medium may include: U disk, mobile hard disk, magnetic disk, optical disk, read-only memory (Read-Only Memory, abbreviation: ROM) or Random Access Memory (Random Access Memory, abbreviation: RAM), etc. A medium that can store program codes.
以上所述,以上实施例仅用以说明本申请的技术方案,而非对其限制;尽管参照前述实施例对本申请进行了详细的说明,本领域的普通技术人员应当理解:其依然可以对前述各实施例所记载的技术方案进行修改,或者对其中部分技术特征进行等同替换;而这些修改或者替换,并不使相应技术方案的本质脱离本申请各实施例技术方案的精神和范围。As mentioned above, the above embodiments are only used to illustrate the technical solutions of the present application, not to limit them; although the present application has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that: The technical solutions recorded in the embodiments are modified, or some of the technical features are equivalently replaced; these modifications or replacements do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of the present application.

Claims (21)

  1. 一种安全元件,其特征在于,包括处理器、第一存储器和第二存储器,所述处理器、所述第一存储器和所述第二存储器集成在半导体芯片内;其中A security element, characterized by comprising a processor, a first memory and a second memory, the processor, the first memory and the second memory are integrated in a semiconductor chip; wherein
    所述处理器,用于运行安全操作系统和基于所述安全操作系统的区块链钱包程序;The processor is configured to run a secure operating system and a blockchain wallet program based on the secure operating system;
    所述第一存储器,用于为所述处理器提供运行所述安全操作系统和所述区块链钱包程序所需的内存空间;The first memory is configured to provide the processor with memory space required to run the secure operating system and the blockchain wallet program;
    所述处理器,还用于在所述区块链钱包程序的作用下,生成助记符,基于所述助记符获得区块链钱包的钱包私钥,将所述钱包私钥写入到所述第二存储器中;The processor is also used to generate a mnemonic under the action of the blockchain wallet program, obtain the wallet private key of the blockchain wallet based on the mnemonic, and write the wallet private key to In the second memory;
    所述第二存储器,用于存储所述钱包私钥。The second memory is used to store the wallet private key.
  2. 根据权利要求1所述的安全元件,其特征在于,所述处理器,还用于从所述第二存储器中读取所述钱包私钥,利用所述钱包私钥在所述安全元件内对区块链钱包的交易数据进行解密或签名。The secure element according to claim 1, wherein the processor is further configured to read the wallet private key from the second memory, and use the wallet private key to pair in the secure element The transaction data of the blockchain wallet is decrypted or signed.
  3. 根据权利要求2所述的安全元件,其特征在于,所述安全元件,还包括:The security element according to claim 2, wherein the security element further comprises:
    加解密引擎,用于在所述处理器生成所述钱包私钥后,对所述钱包私钥进行安全处理,所述安全处理包括安全加密或完整性保护中的至少一项;The encryption and decryption engine is configured to perform security processing on the wallet private key after the processor generates the wallet private key, and the security processing includes at least one of security encryption or integrity protection;
    所述处理器,具体用于将经过所述安全处理后的钱包私钥写入到所述第二存储器中;The processor is specifically configured to write the wallet private key after the security processing into the second memory;
    所述第二存储器,具体用于存储经过所述安全处理后的钱包私钥。The second memory is specifically used to store the wallet private key after the security processing.
  4. 根据权利要求3所述的安全元件,其特征在于,The security element according to claim 3, wherein:
    所述处理器,具体用于从所述第二存储器中读取所述经过所述安全处理后的钱包私钥,将所述经过所述安全处理后的钱包私钥和区块链钱包的交易数据发送至所述加解密引擎;The processor is specifically configured to read the wallet private key after the security processing from the second memory, and perform the transaction between the wallet private key after the security processing and the blockchain wallet Sending data to the encryption and decryption engine;
    所述加解密引擎,还用于对所述经过所述安全处理后的钱包私钥进行安全验证,并在安全验证成功后,利用所述钱包私钥对所述区块链钱包的交易数据进行解密或签名,并将解密或签名后的交易数据反馈至所述处理器,所述安全验证为所述安全处理的逆操作。The encryption and decryption engine is also used to perform security verification on the wallet private key after the security processing, and after the security verification is successful, use the wallet private key to perform transaction data on the blockchain wallet Decrypt or sign, and feed the decrypted or signed transaction data to the processor, and the security verification is the reverse operation of the security processing.
  5. 根据权利要求1-4任意一项所述的安全元件,其特征在于,所述安全元件还包括:随机数生成器,用于生成随机数;The security element according to any one of claims 1 to 4, wherein the security element further comprises: a random number generator for generating random numbers;
    所述处理器,具体用于从所述随机数生成器获取所述随机数,基于所述随机数生成所述助记符。The processor is specifically configured to obtain the random number from the random number generator, and generate the mnemonic based on the random number.
  6. 根据权利要求1-5任意一项所述的安全元件,其特征在于,所述区块链钱包程序存储于所述第二存储器中的第一安全域中,所述第一安全域为所述区块链钱包程序专用的存储空间;The security element according to any one of claims 1-5, wherein the blockchain wallet program is stored in a first security domain in the second memory, and the first security domain is the Storage space dedicated to blockchain wallet program;
    所述处理器,具体用于将所述区块链钱包程序从所述第一安全域中加载至所述第一存储器的第二安全域中进行运行,所述第二安全域为所述区块链钱包程序专用的运行空间。The processor is specifically configured to load the blockchain wallet program from the first security domain to the second security domain of the first memory for operation, and the second security domain is the zone A dedicated operating space for blockchain wallet programs.
  7. 根据权利要求6所述安全元件,所述钱包私钥存储于所述第二存储器的所述第一安全域中。According to the secure element of claim 6, the wallet private key is stored in the first secure domain of the second memory.
  8. 根据权利要求1-7任意一项所述的安全元件,其特征在于,所述处理器,还用于:The security element according to any one of claims 1-7, wherein the processor is further configured to:
    根据所述钱包私钥生成钱包公钥和钱包地址。Generate a wallet public key and wallet address according to the wallet private key.
  9. 一种安全装置,其特征在于,包括:A safety device, characterized by comprising:
    如权利要求1至8中任一所述的安全元件和耦合于所述安全元件的至少一个中央处理单元;The security element according to any one of claims 1 to 8 and at least one central processing unit coupled to the security element;
    所述至少一个中央处理单元,用于运行通用操作系统软件,并在所述通用操作系统软件的作用下与所述安全元件通信。The at least one central processing unit is configured to run general operating system software and communicate with the secure element under the action of the general operating system software.
  10. 根据权利要求9所述的安全装置,其特征在于,所述至少一个中央处理单元,还用于在可信执行环境中向所述安全元件发送区块链钱包的交易数据。The security device according to claim 9, wherein the at least one central processing unit is further configured to send transaction data of the blockchain wallet to the secure element in a trusted execution environment.
  11. 根据权利要求9或10所述的安全装置,其特征在于,还包括:The safety device according to claim 9 or 10, further comprising:
    位于所述半导体芯片外部的存储器。A memory located outside the semiconductor chip.
  12. 一种安全处理方法,其特征在于,包括:A safe processing method, characterized in that it comprises:
    通过安全元件中的处理器运行安全操作系统和基于所述安全操作系统的区块链钱包程序;Run a secure operating system and a blockchain wallet program based on the secure operating system through the processor in the secure element;
    由安全元件中的第一存储器为所述处理器提供运行所述安全操作系统和所述区块链钱包程序所需的内存空间;The first memory in the secure element provides the processor with memory space required to run the secure operating system and the blockchain wallet program;
    在所述区块链钱包程序的作用下,由所述处理器生成助记符,基于所述助记符获得区块链钱包的钱包私钥,将所述钱包私钥存储至所述安全元件的第二存储器中。Under the action of the blockchain wallet program, the processor generates a mnemonic, obtains the wallet private key of the blockchain wallet based on the mnemonic, and stores the wallet private key in the secure element In the second memory.
  13. 根据权利要求12所述的方法,其特征在于,所述方法,还包括:The method according to claim 12, wherein the method further comprises:
    由所述处理器从所述第二存储器中读取所述钱包私钥,利用所述钱包私钥在所述安全元件内对区块链钱包的交易数据进行解密或签名。The processor reads the wallet private key from the second memory, and uses the wallet private key to decrypt or sign the transaction data of the blockchain wallet in the secure element.
  14. 根据权利要求13所述的方法,其特征在于,所述方法还包括:所述安全元件中的加解密引擎在所述处理器生成所述钱包私钥后,对所述钱包私钥进行安全处理,所述安全处理包括安全加密或完整性保护中的至少一项;The method according to claim 13, wherein the method further comprises: after the processor generates the wallet private key, the encryption and decryption engine in the secure element performs security processing on the wallet private key , The security processing includes at least one of security encryption or integrity protection;
    所述由所述处理器将所述钱包私钥存储至所述安全元件的第二存储器中,包括:由所述处理器将经过所述安全处理后的钱包私钥写入到所述第二存储器中。The storing, by the processor, the wallet private key in the second memory of the secure element includes: writing, by the processor, the wallet private key after the security processing into the second In the memory.
  15. 根据权利要求14所述的方法,其特征在于,所述由所述处理器从所述第二存储器 中读取所述钱包私钥,利用所述钱包私钥在所述安全元件内对区块链钱包的交易数据进行解密或签名,包括:由所述处理器从所述第二存储器中读取所述经过所述安全处理后的钱包私钥,将所述经过所述安全处理后的钱包私钥和区块链钱包的交易数据发送至所述加解密引擎;The method according to claim 14, wherein the processor reads the wallet private key from the second memory, and uses the wallet private key to check the block in the secure element. Decrypting or signing the transaction data of the chain wallet includes: reading the wallet private key after the security processing from the second memory by the processor, and storing the wallet after the security processing The private key and the transaction data of the blockchain wallet are sent to the encryption and decryption engine;
    所述方法还包括:由所述加解密引擎对所述经过所述安全处理后的钱包私钥进行安全验证,并在安全验证成功后,利用所述钱包私钥对所述区块链钱包的交易数据进行解密或签名,并将解密或签名后的交易数据反馈至所述处理器,所述安全验证为所述安全处理的逆操作。The method also includes: performing security verification on the wallet private key after the security processing by the encryption and decryption engine, and after the security verification is successful, using the wallet private key to verify the blockchain wallet The transaction data is decrypted or signed, and the decrypted or signed transaction data is fed back to the processor, and the security verification is the reverse operation of the security processing.
  16. 根据权利要求12-15任意一项所述的方法,其特征在于,所述方法还包括:由所述安全元件中的随机数生成器,生成随机数;The method according to any one of claims 12-15, wherein the method further comprises: generating a random number by a random number generator in the secure element;
    所述由所述处理器生成助记符,包括:The generating of the mnemonic by the processor includes:
    由所述处理器从所述随机数生成器获取所述随机数,基于所述随机数生成所述助记符。The processor obtains the random number from the random number generator, and generates the mnemonic based on the random number.
  17. 根据权利要求12-16任意一项所述的方法,其特征在于,所述区块链钱包程序存储于所述第二存储器中的第一安全域中,所述第一安全域为所述区块链钱包程序专用的存储空间;The method according to any one of claims 12-16, wherein the blockchain wallet program is stored in a first security domain in the second memory, and the first security domain is the zone Dedicated storage space for blockchain wallet programs;
    所述通过安全元件中的处理器运行安全操作系统和基于所述安全操作系统的区块链钱包程序,包括:The running a secure operating system and a blockchain wallet program based on the secure operating system through the processor in the secure element includes:
    由所述处理器将所述区块链钱包程序从所述第一安全域中加载至所述第一存储器的第二安全域中进行运行,所述第二安全域为所述区块链钱包程序专用的运行空间。The processor loads the blockchain wallet program from the first security domain to the second security domain of the first memory for operation, and the second security domain is the blockchain wallet Run space dedicated to the program.
  18. 根据权利要求17所述的方法,其特征在于,所述钱包私钥存储于所述第二存储器的所述第一安全域中。The method of claim 17, wherein the wallet private key is stored in the first security domain of the second memory.
  19. 根据权利要求12-18任意一项所述的方法,其特征在于,所述方法还包括:由所述处理器,根据所述钱包私钥生成钱包公钥和钱包地址。The method according to any one of claims 12-18, wherein the method further comprises: generating, by the processor, a wallet public key and a wallet address according to the wallet private key.
  20. 一种计算机存储介质,其特征在于,所述计算机存储介质存储有计算机程序,该计算机程序被安全元件执行时实现上述权利要求12-19任意一项所述的方法。A computer storage medium, characterized in that the computer storage medium stores a computer program, and when the computer program is executed by a secure element, the method according to any one of claims 12-19 is realized.
  21. 一种计算机程序,其特征在于,所述计算机程序包括指令,当所述计算机程序被安全元件执行时,使得所述安全元件执行如权利要求12-19中任意一项所述的方法。A computer program, characterized in that, the computer program includes instructions that, when the computer program is executed by a secure element, cause the secure element to execute the method according to any one of claims 12-19.
PCT/CN2019/080650 2019-03-29 2019-03-29 Security chip, security processing method and related device WO2020199028A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201980094248.XA CN113574828A (en) 2019-03-29 2019-03-29 Security chip, security processing method and related equipment
PCT/CN2019/080650 WO2020199028A1 (en) 2019-03-29 2019-03-29 Security chip, security processing method and related device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2019/080650 WO2020199028A1 (en) 2019-03-29 2019-03-29 Security chip, security processing method and related device

Publications (1)

Publication Number Publication Date
WO2020199028A1 true WO2020199028A1 (en) 2020-10-08

Family

ID=72664861

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/080650 WO2020199028A1 (en) 2019-03-29 2019-03-29 Security chip, security processing method and related device

Country Status (2)

Country Link
CN (1) CN113574828A (en)
WO (1) WO2020199028A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112200565A (en) * 2020-10-26 2021-01-08 成都商通时代数字科技有限公司 Application method and application system of usbKey in block chain digital liquor certificate wallet
CN112950196A (en) * 2021-03-11 2021-06-11 杭州复杂美科技有限公司 Block chain wallet system and using method, equipment and storage medium thereof
CN113824681A (en) * 2021-08-11 2021-12-21 西安电子科技大学 Image data encryption transmission system based on compressed sensing

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115174125A (en) * 2022-09-07 2022-10-11 北京笔新互联网科技有限公司 Method and device for acquiring trusted true random number in trusted execution environment
CN116028958B (en) * 2023-02-21 2024-04-12 广州万协通信息技术有限公司 Key encryption and decryption method and device, security machine and medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150046337A1 (en) * 2013-08-06 2015-02-12 Chin-hao Hu Offline virtual currency transaction
CN105741095A (en) * 2016-01-29 2016-07-06 彭军红 Dynamic compression and access method of block chain
CN106533661A (en) * 2016-10-25 2017-03-22 北京大学 Online generation method for cryptographic currency address based on combined public key

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103414564A (en) * 2013-08-07 2013-11-27 成都卫士通信息产业股份有限公司 Secrete key card, secrete key device and method for protecting private key
CN107820238A (en) * 2016-09-12 2018-03-20 国民技术股份有限公司 SIM card, block chain application security module, client and its method for safely carrying out
CN108665250B (en) * 2018-05-21 2022-05-31 北京橙鑫数据科技有限公司 Information processing method, device, hardware wallet and system
CN109118186A (en) * 2018-08-21 2019-01-01 甲骨文科技时代(深圳)有限公司 A kind of digital cash method of commerce based on hardware chip
CN109523261B (en) * 2018-11-29 2022-02-15 北京元心科技有限公司 Transaction verification method of block chain terminal, related device and readable storage medium

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150046337A1 (en) * 2013-08-06 2015-02-12 Chin-hao Hu Offline virtual currency transaction
CN105741095A (en) * 2016-01-29 2016-07-06 彭军红 Dynamic compression and access method of block chain
CN106533661A (en) * 2016-10-25 2017-03-22 北京大学 Online generation method for cryptographic currency address based on combined public key

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112200565A (en) * 2020-10-26 2021-01-08 成都商通时代数字科技有限公司 Application method and application system of usbKey in block chain digital liquor certificate wallet
CN112950196A (en) * 2021-03-11 2021-06-11 杭州复杂美科技有限公司 Block chain wallet system and using method, equipment and storage medium thereof
CN113824681A (en) * 2021-08-11 2021-12-21 西安电子科技大学 Image data encryption transmission system based on compressed sensing
CN113824681B (en) * 2021-08-11 2022-09-09 西安电子科技大学 Image data encryption transmission system based on compressed sensing

Also Published As

Publication number Publication date
CN113574828A (en) 2021-10-29

Similar Documents

Publication Publication Date Title
US10491379B2 (en) System, device, and method of secure entry and handling of passwords
WO2020199028A1 (en) Security chip, security processing method and related device
Dai et al. SBLWT: A secure blockchain lightweight wallet based on trustzone
EP3962020B1 (en) Information sharing methods and systems
TWI445380B (en) Mass storage device with automated credentials loading
ES2599985T3 (en) Validation at any time for verification tokens
US10148648B1 (en) Virtual smart card to perform security-critical operations
US11258591B2 (en) Cryptographic key management based on identity information
CN109074466A (en) Platform for server proves and registration
US20050044377A1 (en) Method of authenticating user access to network stations
JP7332087B2 (en) Systems and methods for signing transactions using air-gapped private keys
WO2020020329A1 (en) Digital wallet allowing anonymous or real-name offline transaction and usage method
WO2012055166A1 (en) Removable storage device, and data processing system and method based on the device
US20200082388A1 (en) Authenticating server and method for transactions on blockchain
US20210273814A1 (en) Multi-signature security account control system
TWI728587B (en) Computer-implemented methods, systems, apparatus for securely performing cryptographic operations
WO2021057168A1 (en) Method and apparatus for realizing virtual machine operation on the basis of fpga
CN113015991A (en) Secure digital wallet processing system
CN107395589A (en) Finger print information acquisition methods and terminal
CN114667713A (en) Security authentication based on passport data stored in contactless card
TWI818679B (en) Non-fungible token login verification system and method
JP2001118038A (en) Computer, computer system, and recording medium
WO2024035529A1 (en) Methods and arrangements for proof of purchase
Chung Design of Smart Card Enabled Protocols for Micro-Payment and Rapid Application Development Builder for E-Commerce
Krellenstein The commercial view: shipping the digital library V1. 0

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19923705

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19923705

Country of ref document: EP

Kind code of ref document: A1