CN105843653A - TA (trusted application) configuration method and device - Google Patents
- Publication number: CN105843653A (CN201610225472.6A)
- Authority: CN (China)
- Prior art keywords: safety applications, application, untrusted, safety, execution environment
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G06F8/61: Arrangements for software engineering; Software deployment; Installation
- G06F21/57: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems; Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F8/65: Arrangements for software engineering; Software deployment; Updates
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Stored Programmes (AREA)
Abstract
The invention provides a TA (trusted application) configuration method and device. The method comprises the following steps: in a deployment stage, a TA is deployed in a TEE (trusted execution environment); in a use stage, access control is performed on the TA; in an update stage, the TA is updated through a trusted service management system. Deploying the TA in the TEE offers the following options: the TA is preset on a mobile phone; the TA is installed on the mobile phone by bundling it with an untrusted application; the TA is placed in the trusted service management system and installed on the mobile phone through interaction between the trusted service management system and the mobile phone. With this TA configuration method and device, security protection measures are taken in every stage, and a more trustworthy secure interaction service is provided for a CA (client application) in an REE (rich execution environment).
Description
Technical field
The application relates to the field of communication technology, and in particular to a trusted application (TA) configuration method and device.
Background
The development of mobile communication technology has driven the rapid development of mobile terminal technology. Traditional feature-type mobile terminals built around a BBP can hardly meet people's increasingly rich demands for mobile services. Mobile intelligent terminals that have an open high-level operating system, can install mobile applications developed by third parties, can achieve wireless access through the mobile network, and offer powerful processing capability and more storage space have become the development trend for mobile terminals. Unlike the traditional feature-type mobile terminal, the mobile intelligent terminal is no longer a simple voice call tool: it combines the mobility and telecom service functions of an ordinary handset with the processing capability and network functions of a PC (personal computer), merging telecom services and network services in one device. While the spread of mobile intelligent terminals brings great convenience, it also brings great security risks.
Mobile intelligent terminals have evolved into open software platforms on which various third-party applications can be downloaded from the mobile Internet and installed; at the same time, the demand for them to handle critical services grows daily. From multimedia services to functions such as remote mobile payment and bank account management, these trends make mobile intelligent terminals a target for malware, Trojans and other viruses. Because current mobile intelligent terminals lack integrity protection mechanisms, their software and hardware are easily attacked and tampered with, and the security vulnerabilities in operating systems and third-party software make the security threats facing mobile intelligent terminals more serious than those facing PC terminals.
The common mobile operating systems Android and iOS are REEs (untrusted execution environments), that is, non-secure environments, and the applications installed on them are non-secure applications. The counterpart of the REE is the TEE (trusted execution environment), an isolated execution environment that runs in parallel with the REE and is isolated from it. The TEE provides security services to the REE through TAs (trusted applications), and the REE accesses a TA through a CA (client application).
Traditional application software deployment in the non-secure REE falls into two modes: first, preinstallation on the smart device by the device manufacturer, as with application software customized by a mobile operator; second, publication by the application developer in an application market or on an official website, for users to download and install themselves.
Summary of the invention
The problem is that neither of the two deployment modes requires special privileges or additional security authentication measures. Both rely only on software-level protection on the mobile operating system (such as antivirus software or security guard applications), so the level of security protection is low. The download or update process is easily forged and tampered with, and cannot meet users' needs for sensitive data and high-security services.
To solve the above problems, the application provides a TA configuration method and device.
The application proposes a TA configuration method, including:
in the deployment stage, deploying the TA in the TEE;
in the use stage, performing access control on the TA;
in the update stage, updating the TA through the trusted service management system;
wherein deploying the TA in the TEE includes:
presetting the TA on the mobile phone; installing the TA on the mobile phone by bundling it with an untrusted application; placing the TA in the trusted service management system and installing it on the mobile phone through interaction between the trusted service management system and the mobile phone.
Preferably, performing access control on the TA includes:
when a client application sends a TA access request, the TA inspects the current REE and judges whether there is a risk;
the TA sends an identity authentication request to the client application and judges the security of the client application;
the TA and the client application establish a secure channel and communicate over it.
Preferably, the deployment mode in which the TA is preset on the mobile phone includes:
presetting the TA in the TEE and presetting the client application in the REE;
creating a TEE access module and deploying it in the REE;
writing a client application behavior script and storing it in the client application;
starting the client application to access the TEE;
the client application reads the client application behavior script and sends the access behavior to the TEE access module;
the TEE access module loads the TA in the TEE according to the client application behavior script.
Preferably, the deployment mode in which the TA is installed on the mobile phone by bundling it with an untrusted application includes:
bundling the TA with the untrusted application;
installing or upgrading the untrusted application in the REE;
running the untrusted application in the REE;
the untrusted application copies the bundled TA file to the designated directory in the TEE;
loading the TA in the TEE.
Preferably, the deployment mode in which the TA is placed in the trusted service management system and installed on the mobile phone through interaction between the trusted service management system and the mobile phone includes:
Step S1: install or upgrade the untrusted application in the REE;
Step S2: run the untrusted application in the REE;
Step S3: the untrusted application judges whether the client has a TA installation file; if not, continue; if so, execute step S5;
Step S4: the system connects to the trusted service management system and obtains the TA installation package;
Step S5: the system opens the TA installation package and obtains the TA file;
Step S6: the system copies the TA file to the client;
Step S7: the system judges whether there is a TA file in the TEE; if so, continue; if not, execute step S3;
Step S8: the system copies the TA file to the designated directory in the TEE;
Step S9: the system loads the TA in the TEE.
Preferably, updating the TA through the trusted service management system includes:
running the untrusted application in the REE;
the untrusted application and the client application obtain the version information of the TA through the secure channel;
the untrusted application connects to the trusted service management system and obtains the version information of the TA installation package;
the untrusted application compares the version information of the TA with that of the TA installation package; if they are identical, the method exits, otherwise it continues;
obtaining the TA installation package from the trusted service management system;
opening the TA installation package and obtaining the TA file;
copying the TA file to the designated directory of the client's TEE;
deleting the original TA file;
loading the TA in the TEE.
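The update procedure above as a runnable sketch; this is an added example, not code from the patent. The zip package layout, the `demo_ta` file naming, the in-memory stand-ins for the trusted service management system and the handset, and the `allow_downgrade` switch are all assumptions. The page compares versions for equality only, so the monotonic-version check goes beyond it.

```python
import io
import tempfile
import zipfile
from pathlib import Path

TA_NAME = "demo_ta"  # hypothetical TA name, not from the page


def build_package(version: str, payload: bytes) -> bytes:
    """Constructed TA installation package: a zip with a VERSION entry and the TA file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("VERSION", version)
        zf.writestr(f"{TA_NAME}.ta", payload)
    return buf.getvalue()


class TrustedServiceManager:
    """Stand-in for the trusted service management system."""

    def __init__(self, package: bytes):
        self._package = package

    def package_version(self) -> str:
        with zipfile.ZipFile(io.BytesIO(self._package)) as zf:
            return zf.read("VERSION").decode()

    def download_package(self) -> bytes:
        return self._package


class Device:
    """Stand-in for the handset: the designated TEE directory plus the loaded TA."""

    def __init__(self, tee_dir: Path):
        self.tee_dir = tee_dir
        self.loaded_version = None

    def ta_file(self, version: str) -> Path:
        return self.tee_dir / f"{TA_NAME}-{version}.ta"

    def install(self, version: str, payload: bytes) -> None:
        self.ta_file(version).write_bytes(payload)
        self.load(version)

    def load(self, version: str) -> None:
        # "Loading" only records which TA file the TEE would run.
        if not self.ta_file(version).exists():
            raise FileNotFoundError(self.ta_file(version))
        self.loaded_version = version

    def ta_version(self) -> str:
        # On the page this value is fetched over the secure channel.
        return self.loaded_version


def parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.split("."))


def update_ta(device: Device, tsm: TrustedServiceManager, allow_downgrade: bool = True) -> str:
    current = device.ta_version()
    offered = tsm.package_version()
    if offered == current:                       # identical versions: exit the method
        return "up-to-date"
    # Assumption beyond the page: refuse a package older than the installed TA.
    if not allow_downgrade and parse_version(offered) < parse_version(current):
        return "rejected-downgrade"
    package = tsm.download_package()             # obtain the TA installation package
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        payload = zf.read(f"{TA_NAME}.ta")       # open the package, obtain the TA file
    device.ta_file(offered).write_bytes(payload)  # copy to the designated TEE directory
    device.ta_file(current).unlink()              # delete the original TA file
    device.load(offered)                          # load the TA in the TEE
    return "updated"


def demo_update() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        device = Device(Path(tmp))
        device.install("1.2.0", b"constructed TA image v1.2.0")
        same = TrustedServiceManager(build_package("1.2.0", b"constructed v1.2.0"))
        newer = TrustedServiceManager(build_package("1.3.0", b"constructed v1.3.0"))
        older = TrustedServiceManager(build_package("1.1.0", b"constructed v1.1.0"))
        out = [update_ta(device, same), update_ta(device, newer), device.ta_version()]
        out.append(update_ta(device, older, allow_downgrade=False))
        out.append(update_ta(device, older))     # equality-only comparison, as on the page
        out.append(device.ta_version())
        out.append(sorted(p.name for p in Path(tmp).iterdir()))
        return out


if __name__ == "__main__":
    print(demo_update())
```

With the equality-only comparison, the last call replaces TA 1.3.0 with the older 1.1.0 package; the stricter mode refuses it.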
The application also proposes a TA configuration device, including:
a deployment module, configured to deploy the TA in the TEE in the deployment stage;
wherein the deployment module includes:
a preset deployment component, configured to preset the TA on the mobile phone;
a bundled deployment component, configured to install the TA on the mobile phone by bundling it with an untrusted application;
a remote deployment component, configured to place the TA in the trusted service management system and install it on the mobile phone through interaction between the trusted service management system and the mobile phone;
an access control module, configured to perform access control on the TA in the use stage;
a security update module, configured to update the TA through the trusted service management system in the update stage.
Preferably, the access control module includes:
a risk monitoring module, configured so that, when a client application sends a TA access request, the TA inspects the current REE and judges whether there is a risk;
an authentication module, configured so that the TA sends an identity authentication request to the client application and judges the security of the client application;
a secure communication module, configured so that the TA and the client application establish a secure channel and communicate over it.
Preferably, the preset deployment component includes:
an application preset unit, configured to preset the TA in the TEE and preset the client application in the REE;
a module creation unit, configured to create a TEE access module and deploy it in the REE;
a script writing unit, configured to write a client application behavior script and store it in the client application;
a communication unit, configured to start the client application to access the TEE;
a data transmission unit, configured so that the client application reads the client application behavior script and sends the access behavior to the TEE access module;
a first application loading unit, configured so that the TEE access module loads the TA in the TEE according to the client application behavior script.
Preferably, the bundled deployment component includes:
an application bundling unit, configured to bundle the TA with the untrusted application;
a first execution operation unit, configured to install or upgrade the untrusted application in the REE;
a first application running unit, configured to run the untrusted application in the REE;
a first file transmission unit, configured so that the untrusted application copies the bundled TA file to the designated directory in the TEE;
a second application loading unit, configured to load the TA in the TEE.
Preferably, the remote deployment component includes:
a second execution operation unit, configured to install or upgrade the untrusted application in the REE;
a second application running unit, configured to run the untrusted application in the REE;
a first file judging unit, configured so that the untrusted application judges whether the client has a TA installation file;
a first installation package acquisition unit, configured to connect to the trusted service management system and obtain the TA installation package;
a first installation package execution unit, configured to open the TA installation package and obtain the TA file;
a file storage unit, configured to copy the TA file to the client;
a second file judging unit, configured to judge whether there is a TA file in the TEE;
a second file transmission unit, configured to copy the TA file to the designated directory in the TEE;
a third application loading unit, configured to load the TA in the TEE.
Preferably, the security update module includes:
a third application running unit, configured to run the untrusted application in the REE;
an application information acquisition unit, configured so that the untrusted application and the client application obtain the version information of the TA through the secure channel;
an installation package information acquisition unit, configured so that the untrusted application connects to the trusted service management system and obtains the version information of the TA installation package;
an information comparison unit, configured so that the untrusted application compares the version information of the TA with that of the TA installation package;
a second installation package acquisition unit, configured to obtain the TA installation package from the trusted service management system;
a second installation package execution unit, configured to open the TA installation package and obtain the TA file;
a third file transmission unit, configured to copy the TA file to the designated directory of the client's TEE;
an application deletion unit, configured to delete the original TA file;
a fourth application loading unit, configured to load the TA in the TEE.
The TA configuration method and device proposed above achieve the following technical effect:
by adopting security protection measures for the TA in every stage, the TA configuration method and device proposed by the application provide a more trustworthy secure interaction service to the CA in the REE.
Brief description of the drawings
To illustrate the technical solutions in the embodiments of the application or in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the application; a person of ordinary skill in the art can derive other drawings from them.
Fig. 1 is a structural diagram of the TA configuration device of the application;
Fig. 2 is a structural diagram of the deployment module of the application;
Fig. 3 is a structural diagram of the access control module of the application;
Fig. 4 is a structural diagram of the security update module of the application;
Fig. 5 is a structural diagram of the preset deployment component of the application;
Fig. 6 is a structural diagram of the bundled deployment component of the application;
Fig. 7 is a structural diagram of the remote deployment component of the application;
Fig. 8 is a flow chart of the TA configuration method of the application;
Fig. 9 is a flow chart of deploying the TA in the TEE in the deployment stage;
Fig. 10 is a flow chart of performing access control on the TA in the use stage;
Fig. 11 is a flow chart of presetting the TA on the mobile phone;
Fig. 12 is a flow chart of installing the TA on the mobile phone by bundling it with an untrusted application;
Fig. 13 is a flow chart of placing the TA in the trusted service management system and installing it on the mobile phone through interaction between the trusted service management system and the mobile phone;
Fig. 14 is a flow chart of updating the TA through the trusted service management system in the update stage.
Detailed description
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings in the embodiments of the invention.
The application proposes a TA configuration device which, as shown in Fig. 1, includes:
a deployment module 1, configured to deploy the TA in the TEE in the deployment stage;
wherein the deployment module 1, as shown in Fig. 2, includes:
a preset deployment component 11, configured to preset the TA on the mobile phone; a bundled deployment component 12, configured to install the TA on the mobile phone by bundling it with an untrusted application; a remote deployment component 13, configured to place the TA in the trusted service management system and install it on the mobile phone through interaction between the trusted service management system and the mobile phone.
The three components above can work simultaneously, or a selector can be provided to enable one of them.
As shown in Fig. 5, the preset deployment component 11 includes:
an application preset unit 111, configured to preset the TA in the TEE and preset the client application in the REE; a module creation unit 112, configured to create a TEE access module and deploy it in the REE; a script writing unit 113, configured to write a client application behavior script and store it in the client application; a communication unit 114, configured to start the client application to access the TEE; a data transmission unit 115, configured so that the client application reads the client application behavior script and sends the access behavior to the TEE access module; a first application loading unit 116, configured so that the TEE access module loads the TA in the TEE according to the client application behavior script.
As shown in Fig. 6, the bundled deployment component 12 includes:
an application bundling unit 121, configured to bundle the TA with the untrusted application; a first execution operation unit 122, configured to install or upgrade the untrusted application in the REE; a first application running unit 123, configured to run the untrusted application in the REE; a first file transmission unit 124, configured so that the untrusted application copies the bundled TA file to the designated directory in the TEE; a second application loading unit 125, configured to load the TA in the TEE.
Specifically, in the bundling arrangement the untrusted application serves as the main application that interacts with the user or communicates with the outside world, while the trusted application serves as a background application for secure processing. At installation the mobile phone runs the untrusted application, which automatically releases the trusted application into the TEE, so the user never comes into direct contact with the trusted application. In use, the untrusted application receives an access request and forwards it to the trusted application; the trusted application processes it and returns the result via the untrusted application. This avoids the security risks caused by the outside world communicating directly with the trusted application and improves the security of using the TA.
As shown in Fig. 7, the remote deployment component 13 includes:
a second execution operation unit 131, configured to install or upgrade the untrusted application in the REE; a second application running unit 132, configured to run the untrusted application in the REE; a first file judging unit 133, configured so that the untrusted application judges whether the client has a TA installation file; a first installation package acquisition unit 134, configured to connect to the trusted service management system and obtain the TA installation package; a first installation package execution unit 135, configured to open the TA installation package and obtain the TA file; a file storage unit 136, configured to copy the TA file to the client; a second file judging unit 137, configured to judge whether there is a TA file in the TEE; a second file transmission unit 138, configured to copy the TA file to the designated directory in the TEE; a third application loading unit 139, configured to load the TA in the TEE.
An access control module 2, configured to perform access control on the TA in the use stage;
wherein the access control module 2, as shown in Fig. 3, includes:
a risk monitoring module 21, configured so that, when a client application sends a TA access request, the TA inspects the current REE and judges whether there is a risk;
Specifically, the components are first verified to check whether they are identical to the factory settings; if not, a risk warning notification is sent. Second, all client applications undergo risk evaluation to check whether any risky application exists; if so, a risk warning notification is likewise sent. Finally, background applications are inspected to check whether the terminal is being monitored; if so, a risk warning notification is sent.
an authentication module 22, configured so that the TA sends an identity authentication request to the client application and judges the security of the client application;
a secure communication module 23, configured so that the TA and the client application establish a secure channel and communicate over it.
Specifically, the TA is provisioned with an identity ID at installation. When a client application accesses the TA, a public/private key pair is generated and the public key is sent to the client application; the client application encrypts the communication information with the public key and sends it to the TA, and the TA decrypts the communication information with the private key. The TA and the client application then use the communication information to establish a secure channel, over which they communicate securely.
A security update module 3, configured to update the TA through the trusted service management system in the update stage.
The security update module, as shown in Fig. 4, includes:
a third application running unit 31, configured to run the untrusted application in the REE; an application information acquisition unit 32, configured so that the untrusted application and the client application obtain the version information of the TA through the secure channel; an installation package information acquisition unit 33, configured so that the untrusted application connects to the trusted service management system and obtains the version information of the TA installation package; an information comparison unit 34, configured so that the untrusted application compares the version information of the TA with that of the TA installation package; a second installation package acquisition unit 35, configured to obtain the TA installation package from the trusted service management system; a second installation package execution unit 36, configured to open the TA installation package and obtain the TA file; a third file transmission unit 37, configured to copy the TA file to the designated directory of the client's TEE; an application deletion unit 38, configured to delete the original TA file; a fourth application loading unit 39, configured to load the TA in the TEE.
The TA configuration device proposed by the application has been described above with reference to Figs. 1-7; the TA configuration method proposed by the application is described below with reference to Figs. 8-14.
The TA configuration method proposed by the application, as shown in Fig. 8, includes:
Step S1: in the deployment stage, deploy the TA in the TEE;
wherein deploying the TA in the TEE, as shown in Fig. 9, includes:
presetting the TA on the mobile phone (step S101); installing the TA on the mobile phone by bundling it with an untrusted application (step S102); placing the TA in the trusted service management system and installing it on the mobile phone through interaction between the trusted service management system and the mobile phone (step S103).
As shown in Fig. 11, the deployment mode in which the TA is preset on the mobile phone includes:
Step S1011: preset the TA in the TEE and preset the client application in the REE;
Step S1012: create a TEE access module and deploy it in the REE;
Step S1013: write a client application behavior script and store it in the client application;
Step S1014: start the client application to access the TEE;
Step S1015: the client application reads the client application behavior script and sends the access behavior to the TEE access module;
Step S1016: the TEE access module loads the TA in the TEE according to the client application behavior script.
As shown in Fig. 12, the deployment mode in which the TA is installed on the mobile phone by bundling it with an untrusted application includes:
Step S1021: bundle the TA with the untrusted application;
Specifically, in the bundling arrangement the untrusted application serves as the main application that interacts with the user or communicates with the outside world, while the trusted application serves as a background application for secure processing. At installation the mobile phone runs the untrusted application, which automatically releases the trusted application into the TEE, so the user never comes into direct contact with the trusted application. In use, the untrusted application receives an access request and forwards it to the trusted application; the trusted application processes it and returns the result via the untrusted application. This avoids the security risks caused by the outside world communicating directly with the trusted application and improves the security of using the TA.
Step S1022: install or upgrade the untrusted application in the REE;
Step S1023: run the untrusted application in the REE;
Step S1024: the untrusted application copies the bundled TA file to the designated directory in the TEE;
Step S1025: load the TA in the TEE.
As shown in Fig. 13, the deployment mode in which the TA is placed in the trusted service management system and installed on the mobile phone through interaction between the trusted service management system and the mobile phone includes:
Step S1031: install or upgrade the untrusted application in the REE;
Step S1032: run the untrusted application in the REE;
Step S1033: the untrusted application judges whether the client has a TA installation file; if not, continue; if so, execute step S1035;
Step S1034: the system connects to the trusted service management system and obtains the TA installation package;
Step S1035: the system opens the TA installation package and obtains the TA file;
Step S1036: the system copies the TA file to the client;
Step S1037: the system judges whether there is a TA file in the TEE; if so, continue; if not, execute step S1033;
Step S1038: the system copies the TA file to the designated directory in the TEE;
Step S1039: the system loads the TA in the TEE.
Step S2: in the use phase, perform access control on the security application;
Specifically, performing access control on the security application, as shown in Figure 10, includes:
Step S201: when a client application sends a security application access request, the security application inspects the current untrusted execution environment and determines whether a risk exists;
Specifically, the components are first verified against their factory settings; if they differ, a risk warning notice is sent. Next, all client applications undergo a risk assessment to see whether a risky application is present; if so, a risk warning notice is also sent. Finally, background applications are checked to see whether the terminal is being monitored; if it is, a risk warning notice is sent.
Step S202: the security application sends an identity authentication request to the client application and judges the security of the client application;
Step S203: the security application and the client application establish a secure channel and communicate through it.
Specifically, an identity ID is injected into the security application when it is installed. When a client application accesses the security application, a public/private key pair is generated and the public key is sent to the client application. The client application encrypts the communication information with the public key and sends it to the security application, which decrypts it with the private key. The security application and the client application then use the communication information to establish a secure channel, and communicate securely over that channel.
Step S3: in the update phase, update the security application through the trusted service management system;
Specifically, updating the security application through the trusted service management system, as shown in Figure 14, includes:
Step S301: run the untrusted application in the untrusted execution environment;
Step S302: the untrusted application and the client application obtain the version information of the security application through the secure channel;
Step S303: the untrusted application connects to the trusted service management system and obtains the version information of the security application installation package;
Step S304: the untrusted application compares the version information of the security application with that of the security application installation package; if they are consistent, the method exits; otherwise it continues;
Step S305: obtain the security application installation package from the trusted service management system;
Step S306: open the security application installation package and obtain the security application file;
Step S307: copy the security application file to the designated directory of the client's trusted execution environment;
Step S308: delete the original security application file;
Step S309: load the security application in the trusted execution environment.
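The update steps S302 to S309 above, modeled as an added example (not code from the patent). It assumes the designated directory is an ordinary directory, the installation package is a zip with a version entry, and files are named by version; `FakeTSM`, `TA_NAME` and `VERSION_NAME` are hypothetical names introduced so the flow runs offline.

```python
import io
import re
import shutil
import tempfile
import zipfile
from pathlib import Path
from typing import Optional

TA_NAME = "secure_app.ta"      # assumed file name of the security application
VERSION_NAME = "version.txt"   # assumed version entry inside the installation package


def build_package(version: str, payload: bytes) -> bytes:
    """Constructed installation package: a zip with a version entry and the TA file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(VERSION_NAME, version)
        zf.writestr(TA_NAME, payload)
    return buf.getvalue()


class FakeTSM:
    """Constructed stand-in for the trusted service management system."""

    def __init__(self, package: bytes):
        self._package = package

    def package_version(self) -> str:
        with zipfile.ZipFile(io.BytesIO(self._package)) as zf:
            return zf.read(VERSION_NAME).decode()

    def fetch_package(self) -> bytes:
        return self._package


def installed_version(tee_dir: Path) -> Optional[str]:
    """Version of the TA file in the designated directory (stands in for S302)."""
    files = sorted(tee_dir.glob(TA_NAME + ".*"))
    return files[0].name[len(TA_NAME) + 1:] if files else None


def load_secure_app(tee_dir: Path) -> bytes:
    """S309 in this model: loading reads the one TA file left in the directory."""
    files = list(tee_dir.glob(TA_NAME + ".*"))
    if len(files) != 1:
        raise RuntimeError(f"expected exactly one TA file, found {len(files)}")
    return files[0].read_bytes()


def update_secure_app(tee_dir: Path, tsm: FakeTSM) -> str:
    current = installed_version(tee_dir)                      # S302
    remote = tsm.package_version()                            # S303
    if not re.fullmatch(r"[0-9]+(\.[0-9]+)*", remote):
        # the version becomes part of a file name, so reject anything unexpected
        raise ValueError("malformed package version")
    if remote == current:                                     # S304: consistent, exit
        return "unchanged"
    package = tsm.fetch_package()                             # S305
    new_file = tee_dir / f"{TA_NAME}.{remote}"
    with tempfile.TemporaryDirectory() as work:
        with zipfile.ZipFile(io.BytesIO(package)) as zf:      # S306
            # only the expected member is extracted; other entries are ignored
            extracted = zf.extract(TA_NAME, work)
        shutil.copyfile(extracted, new_file)                  # S307
    for old in tee_dir.glob(TA_NAME + ".*"):                  # S308
        if old != new_file:
            old.unlink()
    load_secure_app(tee_dir)                                  # S309
    return "updated"
```

Because S304 only tests whether the two versions are consistent, a package carrying an older version is installed as well. A deployment that needs rollback protection has to compare version order instead.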
The above is only a preferred embodiment of the present invention and does not limit the invention in any form. Although the invention has been disclosed above by way of a preferred embodiment, that embodiment is not intended to limit the invention. Any person skilled in the art may, without departing from the scope of the technical solution of the invention, use the technical content disclosed above to make minor changes or modifications into equivalent embodiments of equivalent variation. Any simple amendment, equivalent variation or modification made to the above embodiment according to the technical essence of the invention, without departing from the content of the technical solution of the invention, still falls within the scope of the technical solution of the invention.
Claims (10)
1. A security application configuration method, characterized by comprising:
In the deployment phase, deploying the security application into the trusted execution environment;
In the use phase, performing access control on the security application;
In the update phase, updating the security application through the trusted service management system;
Wherein deploying the security application into the trusted execution environment comprises:
Presetting the security application on the mobile phone terminal; installing the security application on the mobile phone terminal by bundling it with an untrusted application; placing the security application in the trusted service management system and installing it on the mobile phone terminal through interaction between the trusted service management system and the mobile phone terminal.
2. The security application configuration method as claimed in claim 1, characterized in that performing access control on the security application comprises:
When a client application sends a security application access request, the security application inspecting the current untrusted execution environment and determining whether a risk exists;
The security application sending an identity authentication request to the client application and judging the security of the client application;
The security application and the client application establishing a secure channel and communicating through the secure channel.
3. The security application configuration method as claimed in claim 1, characterized in that the deployment mode in which the security application is preset on the mobile phone terminal comprises:
Presetting the security application in the trusted execution environment, and presetting the client application in the untrusted execution environment;
Creating a trusted execution environment access module and deploying it in the untrusted execution environment;
Writing a client application behavior script and storing it in the client application;
Starting the client application to access the trusted execution environment;
The client application reading the client application behavior script and sending the access behavior to the trusted execution environment access module;
The trusted execution environment access module loading the security application in the trusted execution environment according to the client application behavior script.
4. The security application configuration method as claimed in claim 1, characterized in that the deployment mode in which the security application is installed on the mobile phone terminal by bundling it with an untrusted application comprises:
Bundling the security application with the untrusted application;
Installing or upgrading the untrusted application in the untrusted execution environment;
Running the untrusted application in the untrusted execution environment;
The untrusted application copying the bundled security application file to the designated directory of the trusted execution environment;
Loading the security application in the trusted execution environment.
5. The security application configuration method as claimed in claim 1, characterized in that updating the security application through the trusted service management system comprises:
Running the untrusted application in the untrusted execution environment;
The untrusted application and the client application obtaining the version information of the security application through the secure channel;
The untrusted application connecting to the trusted service management system and obtaining the version information of the security application installation package;
The untrusted application comparing the version information of the security application with that of the security application installation package; if they are consistent, exiting the method; otherwise continuing;
Obtaining the security application installation package from the trusted service management system;
Opening the security application installation package and obtaining the security application file;
Copying the security application file to the designated directory of the client's trusted execution environment;
Deleting the original security application file;
Loading the security application in the trusted execution environment.
6. A security application configuration device, characterized by comprising:
A deployment module, for deploying the security application into the trusted execution environment in the deployment phase;
Wherein the deployment module comprises:
A preset deployment component, for presetting the security application on the mobile phone terminal;
A bundled deployment component, for installing the security application on the mobile phone terminal by bundling it with an untrusted application;
A remote deployment component, for placing the security application in the trusted service management system and installing it on the mobile phone terminal through interaction between the trusted service management system and the mobile phone terminal;
An access control module, for performing access control on the security application in the use phase;
A security update module, for updating the security application through the trusted service management system in the update phase.
7. The security application configuration device as claimed in claim 6, characterized in that the access control module comprises:
A risk monitoring module, for the security application to inspect the current untrusted execution environment and determine whether a risk exists when a client application sends a security application access request;
An authentication module, for the security application to send an identity authentication request to the client application and judge the security of the client application;
A secure communication module, for the security application and the client application to establish a secure channel and communicate through the secure channel.
8. The security application configuration device as claimed in claim 6, characterized in that the preset deployment component comprises:
An application preset unit, for presetting the security application in the trusted execution environment and presetting the client application in the untrusted execution environment;
A module creation unit, for creating a trusted execution environment access module and deploying it in the untrusted execution environment;
A script writing unit, for writing a client application behavior script and storing it in the client application;
A communication unit, for starting the client application to access the trusted execution environment;
A data transmission unit, for the client application to read the client application behavior script and send the access behavior to the trusted execution environment access module;
A first application loading unit, for the trusted execution environment access module to load the security application in the trusted execution environment according to the client application behavior script.
9. The security application configuration device as claimed in claim 6, characterized in that the bundled deployment component comprises:
An application bundling unit, for bundling the security application with the untrusted application;
A first execution operation unit, for installing or upgrading the untrusted application in the untrusted execution environment;
A first application running unit, for running the untrusted application in the untrusted execution environment;
A first file transmission unit, for the untrusted application to copy the bundled security application file to the designated directory of the trusted execution environment;
A second application loading unit, for loading the security application in the trusted execution environment.
10. The security application configuration device as claimed in claim 6, characterized in that the security update module comprises:
A third application running unit, for running the untrusted application in the untrusted execution environment;
An application information acquiring unit, for the untrusted application and the client application to obtain the version information of the security application through the secure channel;
An installation package information acquiring unit, for the untrusted application to connect to the trusted service management system and obtain the version information of the security application installation package;
An information comparing unit, for the untrusted application to compare the version information of the security application with that of the security application installation package;
A second installation package acquiring unit, for obtaining the security application installation package from the trusted service management system;
A second installation package execution unit, for opening the security application installation package and obtaining the security application file;
A third file transmission unit, for copying the security application file to the designated directory of the client's trusted execution environment;
An application deletion unit, for deleting the original security application file;
A fourth application loading unit, for loading the security application in the trusted execution environment.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610225472.6A CN105843653B (en) | 2016-04-12 | 2016-04-12 | Security application configuration method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105843653A true CN105843653A (en) | 2016-08-10 |
CN105843653B CN105843653B (en) | 2017-11-24 |
Family
ID=56597369
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610225472.6A Active CN105843653B (en) | Security application configuration method and device | 2016-04-12 | 2016-04-12 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105843653B (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2015073139A1 (en) * | 2013-11-15 | 2015-05-21 | Oracle International Corporation | System and method for managing tokens authorizing on-device operations |
CN104683336A (en) * | 2015-02-12 | 2015-06-03 | 中国科学院信息工程研究所 | A security domain-based Android privacy data protection method and system |
Also Published As
Publication number | Publication date |
---|---|
CN105843653B (en) | 2017-11-24 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | ||
TR01 | Transfer of patent right |
Effective date of registration: 20190313 Address after: 212355 Hengtang Industrial Zone, Yunyang Town, Danyang City, Zhenjiang City, Jiangsu Province Patentee after: Jiangsu Hengbao Intelligent System Technology Co. Ltd. Address before: 212355 Hengtang Industrial Zone, Zhenjiang City, Jiangsu Province Patentee before: Hengbao Corp. |