
CN112149134A - Trusted application management method and device - Google Patents

Trusted application management method and device

Info

Publication number: CN112149134A
Authority: CN (China)
Prior art keywords: tee, application, operation request, information, terminal
Legal status: Granted
Application number: CN202010955075.0A
Other languages: Chinese (zh)
Other versions: CN112149134B (en)
Inventor: 昌文婷
Current assignee: Alipay Hangzhou Information Technology Co Ltd
Original assignee: Alipay Hangzhou Information Technology Co Ltd
Application filed by Alipay Hangzhou Information Technology Co Ltd
Priority to CN202010955075.0A
Publication of CN112149134A
Application granted
Publication of CN112149134B
Current legal status: Active

Classifications

    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/602 Protecting data by providing cryptographic facilities or services
    • G06F8/65 Software deployment: updates
    • H04L63/0428 Network security protocols for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L67/34 Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters


Abstract

The embodiments of this specification provide a trusted application management method and apparatus. Both the TEE terminal and the service provider can monitor an application client's need to install or update a trusted application and initiate the trusted application management process with the TEE manager. The TEE manager then performs device state synchronization with the TEE terminal and obtains encrypted application information, produced by encrypting the trusted application with a first key that the TEE manager generated. Finally, the encrypted application information is sent to the TEE terminal, which completes the installation or update.

Description

Trusted application management method and device

Technical field

One or more embodiments of this specification relate to the field of computers, and in particular to a trusted application management method and apparatus.

Background

With the development of computer technology, the security of users' private information has received increasing attention. To this end, the trusted application (TA) has been proposed to process user data with higher security requirements. For example, a trusted application may be a fingerprint authentication application or a face-scan authentication application used to verify a user's identity. To meet the high security and confidentiality requirements of trusted applications, a trusted application needs to run in a trusted execution environment (TEE).

A trusted execution environment (TEE) is a computing module or computing device with a certain isolation capability that ensures computing security; this isolation capability guarantees that the outside world, including the operating system and drivers, cannot obtain internal secrets such as runtime memory. For example, with SGX technology, a private memory region with high access privileges can be created in memory to form an enclave. Other programs, including the operating system (OS), the BIOS, and virtual machine systems, cannot access the data in the enclave, and therefore cannot spy on or tamper with the state and data of the application inside it.

For ordinary applications, the provider of a TEE terminal usually offers the terminal's users an installation and update channel through an application store or the like. For trusted applications, which must run in the trusted execution environment, the TEE terminal provider sets up a dedicated TEE manager that manages the TEE in the TEE terminal and interacts with the service provider of the trusted application to carry out installation or update of the trusted application.

Because of the security requirements of trusted applications, the existing installation or update process is often rather complicated. An improved solution is desired that makes the installation or update of trusted applications more efficient and improves the user experience.

SUMMARY OF THE INVENTION

One or more embodiments of this specification describe a trusted application management method and apparatus. With such a method and apparatus, both the TEE terminal and the service provider can monitor an application client's need to install or update a trusted application and initiate the trusted application management process with the TEE manager; the TEE manager then obtains encrypted application information, produced by encrypting the trusted application with a first key that it generated, and sends the encrypted application information to the TEE terminal, which completes the installation or update. This simplifies repeated transmissions, reduces the load on the service provider, and improves transmission efficiency, thereby improving installation or update efficiency.

According to a first aspect, a trusted application management method is provided. The method is executed by a trusted execution environment (TEE) manager and includes:

receiving, from a requester, a first operation request for installing or updating a first trusted application in a TEE terminal, where the requester includes the TEE terminal or the service provider corresponding to the first trusted application, and the first operation request is generated by the requester monitoring an application client's need to install or update the first trusted application;

performing device state synchronization with the TEE terminal and thereby sending a first key to it;

obtaining first encrypted application information, produced by encrypting the first trusted application with the first key;

appending the first encrypted application information to the first operation request to generate a second operation request;

sending the second operation request to the TEE terminal, so that the TEE terminal installs or updates the first trusted application based on the first key and the second operation request.

In one embodiment, obtaining the first encrypted application information produced by encrypting the first trusted application with the first key includes:

sending the first key to the service provider, so that it encrypts the first trusted application with the first key to obtain the first encrypted application information;

receiving the first encrypted application information from the service provider.

In one embodiment, obtaining the first encrypted application information produced by encrypting the first trusted application with the first key includes:

obtaining the pre-stored first encrypted application information.

In one embodiment, before obtaining the pre-stored first encrypted application information, the method includes:

receiving the first trusted application from the service provider in advance;

encrypting the first trusted application with the first key to obtain the first encrypted application information;

storing the first encrypted application information.

In one embodiment, before obtaining the pre-stored first encrypted application information, the method includes:

receiving the first encrypted application information from the service provider in advance, and storing the first encrypted application information.
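As an added illustration of the single-terminal flow of the first aspect (example code written for this page, not code from the patent or from Alipay), the following Python models the three parties, covering both the service-provider-encrypts and the pre-stored embodiments, and shows the terminal refusing a blob whose integrity tag fails. The class and field names are assumptions, the TA image bytes are constructed, and the HMAC-based stream cipher is a stand-in for whichever real cipher a TEE manager would use (the patent fixes none).

```python
import hashlib
import hmac
import os
from typing import Optional


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher: HMAC-SHA256 counter keystream XORed with the data.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


def encrypt_ta(first_key: bytes, ta_image: bytes) -> bytes:
    """'Encrypted application information' = nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _keystream_xor(first_key, nonce, ta_image)
    tag = hmac.new(first_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_ta(first_key: bytes, blob: bytes) -> Optional[bytes]:
    """Terminal side: verify the tag before decrypting; None if it fails."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(first_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _keystream_xor(first_key, nonce, ct)


class TEETerminal:
    def __init__(self, terminal_id: str):
        self.terminal_id = terminal_id
        self.first_key: Optional[bytes] = None
        self.installed: dict = {}

    def device_state_sync(self, first_key: bytes) -> None:
        # Assumed to run over an authenticated channel; securing the key
        # transport itself is outside what this example models.
        self.first_key = first_key

    def handle_second_request(self, req: dict) -> bool:
        """Install only if the blob verifies under the synchronized first key."""
        if self.first_key is None or "encrypted_ta" not in req:
            return False
        image = decrypt_ta(self.first_key, req["encrypted_ta"])
        if image is None:  # tampered blob or wrong key: refuse to install
            return False
        self.installed[req["ta_id"]] = image
        return True


class ServiceProvider:
    def __init__(self, ta_images: dict):
        self.ta_images = ta_images  # plaintext TA images by id

    def encrypt_with(self, first_key: bytes, ta_id: str) -> bytes:
        return encrypt_ta(first_key, self.ta_images[ta_id])


class TEEManager:
    def __init__(self, sp: ServiceProvider):
        self.sp = sp
        self.first_key = os.urandom(32)  # the "first key" the manager generates
        self.prestored: dict = {}        # pre-stored encrypted application info

    def prestore(self, ta_id: str) -> None:
        """Embodiment: receive the TA in advance, encrypt it, keep the result."""
        self.prestored[ta_id] = encrypt_ta(self.first_key, self.sp.ta_images[ta_id])

    def handle_first_request(self, req: dict, terminal: TEETerminal) -> dict:
        terminal.device_state_sync(self.first_key)  # sync delivers the key
        enc = self.prestored.get(req["ta_id"])
        if enc is None:                             # otherwise the SP encrypts
            enc = self.sp.encrypt_with(self.first_key, req["ta_id"])
        return {**req, "encrypted_ta": enc}         # the second operation request


TA_IMAGE = b"constructed face-auth TA image bytes"  # constructed sample input


def run_flow(prestore: bool, tamper: bool = False) -> tuple:
    """Return (install succeeded, installed image or None)."""
    sp = ServiceProvider({"face-auth": TA_IMAGE})
    mgr = TEEManager(sp)
    if prestore:
        mgr.prestore("face-auth")
    term = TEETerminal("dev-001")
    first = {"ta_id": "face-auth", "action": "install", "terminal_id": "dev-001"}
    second = mgr.handle_first_request(first, term)
    if tamper:  # flip one ciphertext byte "in transit"
        b = second["encrypted_ta"]
        second["encrypted_ta"] = b[:20] + bytes([b[20] ^ 1]) + b[21:]
    ok = term.handle_second_request(second)
    return ok, term.installed.get("face-auth")
```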

According to a second aspect, a trusted application management method is provided. The method is executed by a trusted execution environment (TEE) manager and includes:

receiving, from a requester, a first operation request for installing or updating a first trusted application in multiple TEE terminals, where the requester includes the service provider corresponding to the first trusted application or the multiple TEE terminals;

performing device state synchronization with each of the multiple TEE terminals, obtaining the device information of each TEE terminal, and sending a first key to each TEE terminal;

sending a first message to the service provider, the first message including the device information of each TEE terminal, so that the service provider determines the corresponding application installation information based on the device information of each TEE terminal;

receiving a second message sent by the service provider, the second message including the application installation information corresponding to each TEE terminal;

determining, from multiple pieces of pre-stored encrypted application information and based on the application installation information corresponding to each TEE terminal, the first encrypted application information corresponding to each TEE terminal, the first encrypted application information being produced by encrypting the first trusted application with the first key;

appending the first encrypted application information corresponding to each TEE terminal to the corresponding first operation request to generate a second operation request corresponding to each TEE terminal;

sending the second operation request corresponding to each TEE terminal to the corresponding TEE terminal, so that the corresponding TEE terminal installs or updates the first trusted application based on the first key and the second operation request.

In one embodiment, the application installation information includes version information and file size information of the first trusted application.

In one embodiment, the first message includes a first session identifier created for the multiple TEE terminals, and the second message includes the first session identifier.

In one embodiment, sending the second operation request corresponding to each TEE terminal to the corresponding TEE terminal includes:

determining a target TEE terminal group based on the application installation information corresponding to each TEE terminal, the target TEE terminal group consisting of the TEE terminals that correspond to the same application installation information;

sending a merge operation request to the service provider, the merge operation request including the first session identifier, the first encrypted application information corresponding to that same application installation information, and information on the target TEE terminal group, so that the service provider sends the corresponding second operation request to each TEE terminal in the target TEE terminal group according to the merge operation request.

In one embodiment, performing device state synchronization with each of the multiple TEE terminals includes:

performing device state synchronization directly with each of the multiple TEE terminals, or performing device state synchronization with each of the multiple TEE terminals through the service provider and/or the application client.

In one embodiment, the first operation request is generated by the service provider monitoring the need of the application clients on the multiple TEE terminals to install or update the first trusted application; or

the first operation request is generated by a TEE terminal monitoring the need of the application client on it to install or update the first trusted application, and is sent to the service provider.
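The multi-terminal flow of the second aspect, as an added example written for this page (not code from the patent or from Alipay): the TEE manager sends the first message with a session identifier, the service provider answers with per-terminal application installation information (version, file size), and the manager picks the matching pre-stored blob, groups terminals that share the same installation information into target groups, and emits one merge operation request per group. The device information is assumed to have already been collected by device state synchronization; the platform names, blobs and terminal ids are constructed, and the SP's compatibility table is an assumption standing in for however a real provider decides which build fits a device.

```python
import secrets
from collections import defaultdict
from typing import Optional

# Constructed: encrypted application information the TEE manager pre-stores,
# keyed by the patent's "application installation information" (version,
# file size). The byte strings stand in for ciphertext under the first key.
PRESTORED = {("2.0", 4096): b"enc-blob-v2.0", ("1.4", 3072): b"enc-blob-v1.4"}

# Constructed: the service provider's view of which build fits which platform.
SP_COMPATIBILITY = {"armv8-tee-a": ("2.0", 4096), "armv7-tee-b": ("1.4", 3072)}


def sp_second_message(first_message: dict) -> dict:
    """Service provider: map each terminal's device info to install info and
    echo the first session identifier back in the second message."""
    install_info = {}
    for term_id, dev in first_message["device_info"].items():
        info = SP_COMPATIBILITY.get(dev.get("platform"))
        if info is not None:  # unsupported platform: leave it out
            install_info[term_id] = info
    return {"session_id": first_message["session_id"], "install_info": install_info}


def manager_multi_terminal(device_info: dict, first_requests: dict,
                           session_id: Optional[str] = None) -> dict:
    """TEE manager side of the second aspect. device_info is what device state
    synchronization with each terminal returned; first_requests holds the
    per-terminal first operation requests (without encrypted TA)."""
    session_id = session_id or secrets.token_hex(8)  # first session identifier
    first_message = {"session_id": session_id, "device_info": device_info}
    second_message = sp_second_message(first_message)
    if second_message.get("session_id") != session_id:  # reply must match our session
        raise ValueError("second message does not carry our session identifier")
    groups = defaultdict(list)  # install info -> terminals needing that build
    skipped = []
    for term_id in device_info:
        info = second_message["install_info"].get(term_id)
        if info is None or info not in PRESTORED:
            skipped.append(term_id)  # nothing pre-stored to send this terminal
        else:
            groups[info].append(term_id)
    merge_requests = []
    for info in sorted(groups):  # one merge operation request per target group
        blob = PRESTORED[info]
        members = sorted(groups[info])
        merge_requests.append({
            "session_id": session_id,
            "install_info": info,
            "encrypted_ta": blob,  # carried once for the whole group
            "target_group": members,
            # per-terminal second operation requests the SP forwards to members
            "second_requests": {t: {**first_requests[t], "encrypted_ta": blob}
                                for t in members},
        })
    return {"session_id": session_id, "merge_requests": merge_requests,
            "skipped": sorted(skipped)}


# Constructed sample: four terminals, two supported platforms, one unsupported.
DEVICE_INFO = {
    "dev-1": {"platform": "armv8-tee-a"},
    "dev-2": {"platform": "armv8-tee-a"},
    "dev-3": {"platform": "armv7-tee-b"},
    "dev-4": {"platform": "unknown"},
}
FIRST_REQUESTS = {t: {"ta_id": "face-auth", "action": "install", "terminal_id": t}
                  for t in DEVICE_INFO}


def demo() -> dict:
    return manager_multi_terminal(DEVICE_INFO, FIRST_REQUESTS, session_id="sess-constructed")
```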

According to a third aspect, a trusted application management method is provided. The method is executed by a service provider and includes:

monitoring an application client's need to install or update a first trusted application, and generating a first operation request, the first operation request being for installing the first trusted application in the TEE terminal corresponding to the application client;

sending the first operation request to the trusted execution environment (TEE) manager;

receiving a first key sent by the TEE manager;

encrypting the first trusted application based at least on the first key to obtain first encrypted application information;

sending the first encrypted application information to the TEE manager, so that the TEE manager sends the first encrypted application information to the TEE terminal.

According to a fourth aspect, a trusted application management method is provided. The method is executed by a service provider and includes:

monitoring the need of the application clients on multiple TEE terminals to install or update a first trusted application, and generating a first operation request, the first operation request being for installing the first trusted application in the multiple TEE terminals;

sending the first operation request to the trusted execution environment (TEE) manager;

receiving a first message sent by the TEE manager, the first message including the device information of each TEE terminal;

determining the corresponding application installation information based on the device information of each TEE terminal;

sending a second message to the TEE manager, the second message including the application installation information corresponding to each TEE terminal, so that the TEE manager determines, from multiple pieces of pre-stored encrypted application information and based on the application installation information corresponding to each TEE terminal, the first encrypted application information corresponding to each TEE terminal, the first encrypted application information being produced by encrypting the first trusted application with a first key.

In one embodiment, the application installation information includes version information and file size information of the first trusted application.

In one embodiment, the first message includes a first session identifier created for the multiple TEE terminals, and the second message includes the first session identifier.

In one embodiment, the method further includes:

receiving a merge operation request sent by the TEE manager, the merge operation request including the first session identifier, the first encrypted application information corresponding to the same application installation information, and information on a target TEE terminal group, the target TEE terminal group consisting of the TEE terminals that correspond to the same application installation information;

sending, according to the merge operation request, a corresponding second operation request to each TEE terminal in the target TEE terminal group, so that each TEE terminal installs or updates the first trusted application based on the first key and the second operation request, the second operation request being generated by the TEE manager appending the first encrypted application information corresponding to each TEE terminal to the corresponding first operation request.

According to a fifth aspect, a trusted application management method is provided. The method is executed by a trusted execution environment (TEE) terminal and includes:

in response to a synchronization request from the TEE manager, performing device state synchronization with the TEE manager and receiving a first key sent by the TEE manager;

receiving a second operation request sent by the TEE manager, the second operation request being generated by the TEE manager appending the first encrypted application information corresponding to the TEE terminal to the corresponding first operation request, the first encrypted application information being produced by encrypting a first trusted application with the first key, and the first operation request being for installing or updating the first trusted application in the TEE terminal;

installing or updating the first trusted application based on the first key and the second operation request.

In one embodiment, before responding to the synchronization request from the TEE manager, the method includes:

monitoring an application client's need to install or update the first trusted application, and generating a first operation request;

sending the first operation request to the TEE manager, so that the TEE manager performs device state synchronization with the TEE terminal and/or obtains the first encrypted application information.

In one embodiment, performing device state synchronization with the TEE manager includes:

sending the device information of the TEE terminal to the TEE manager.

According to a sixth aspect, a trusted application management apparatus is provided. The apparatus is deployed at a trusted execution environment (TEE) manager and includes:

a first operation request receiving unit, configured to receive, from a requester, a first operation request for installing or updating a first trusted application in a TEE terminal, where the requester includes the TEE terminal or the service provider corresponding to the first trusted application, and the first operation request is generated by the requester monitoring an application client's need to install or update the first trusted application;

a synchronization unit, configured to perform device state synchronization with the TEE terminal and thereby send a first key to it;

an encrypted application information obtaining unit, configured to obtain first encrypted application information produced by encrypting the first trusted application with the first key;

a second operation request generating unit, configured to append the first encrypted application information to the first operation request to generate a second operation request;

a second operation request sending unit, configured to send the second operation request to the TEE terminal, so that the TEE terminal installs or updates the first trusted application based on the first key and the second operation request.

According to a seventh aspect, a trusted application management apparatus is provided. The apparatus is deployed at a trusted execution environment (TEE) manager and includes:

a first operation request receiving unit, configured to receive, from a requester, a first operation request for installing or updating a first trusted application in multiple TEE terminals, where the requester includes the service provider corresponding to the first trusted application or the multiple TEE terminals;

a synchronization unit, configured to perform device state synchronization with each of the multiple TEE terminals, obtain the device information of each TEE terminal, and send a first key to each TEE terminal;

a first message sending unit, configured to send a first message to the service provider, the first message including the device information of each TEE terminal, so that the service provider determines the corresponding application installation information based on the device information of each TEE terminal;

a second message receiving unit, configured to receive a second message sent by the service provider, the second message including the application installation information corresponding to each TEE terminal;

an encrypted application information determining unit, configured to determine, from multiple pieces of pre-stored encrypted application information and based on the application installation information corresponding to each TEE terminal, the first encrypted application information corresponding to each TEE terminal, the first encrypted application information being produced by encrypting the first trusted application with the first key;

a second operation request generating unit, configured to append the first encrypted application information corresponding to each TEE terminal to the corresponding first operation request to generate a second operation request corresponding to each TEE terminal;

a second operation request sending unit, configured to send the second operation request corresponding to each TEE terminal to the corresponding TEE terminal, so that the corresponding TEE terminal installs or updates the first trusted application based on the first key and the second operation request.

According to an eighth aspect, a trusted application management apparatus is provided. The apparatus is deployed at a service provider and includes:

a monitoring unit, configured to monitor an application client's need to install or update a first trusted application and generate a first operation request, the first operation request being for installing the first trusted application in the TEE terminal corresponding to the application client;

a first operation request sending unit, configured to send the first operation request to the trusted execution environment (TEE) manager;

a key receiving unit, configured to receive a first key sent by the TEE manager;

an encryption unit, configured to encrypt the first trusted application based at least on the first key to obtain first encrypted application information;

an encrypted application information sending unit, configured to send the first encrypted application information to the TEE manager, so that the TEE manager sends the first encrypted application information to the TEE terminal.

According to a ninth aspect, a trusted application management apparatus is provided. The apparatus is deployed at a service provider and includes:

a monitoring unit, configured to monitor the need of the application clients on multiple TEE terminals to install or update a first trusted application and generate a first operation request, the first operation request being for installing the first trusted application in the multiple TEE terminals;

a first operation request sending unit, configured to send the first operation request to the trusted execution environment (TEE) manager;

a message receiving unit, configured to receive a first message sent by the TEE manager, the first message including the device information of each TEE terminal;

a determining unit, configured to determine the corresponding application installation information based on the device information of each TEE terminal;

a second message sending unit, configured to send a second message to the TEE manager, the second message including the application installation information corresponding to each TEE terminal, so that the TEE manager determines, from multiple pieces of pre-stored encrypted application information and based on the application installation information corresponding to each TEE terminal, the first encrypted application information corresponding to each TEE terminal, the first encrypted application information being produced by encrypting the first trusted application with a first key.

According to a tenth aspect, a trusted application management apparatus is provided. The apparatus is deployed in a trusted execution environment (TEE) terminal and includes:

a response unit, configured to, in response to a synchronization request from the TEE manager, perform device state synchronization with the TEE manager and receive a first key sent by the TEE manager;

第二操作请求接收单元,配置为接收所述TEE管理方发送的第二操作请求,所述第二操作请求由所述TEE管理方将TEE终端对应的第一加密应用信息附加到相应的第一操作请求而生成,所述第一加密应用信息基于所述第一秘钥加密第一可信应用得到,所述第一操作请求用于请求在所述TEE终端中安装或更新第一可信应用;A second operation request receiving unit, configured to receive a second operation request sent by the TEE manager, where the TEE manager appends the first encrypted application information corresponding to the TEE terminal to the corresponding first operation request by the TEE manager An operation request is generated, the first encrypted application information is obtained by encrypting a first trusted application based on the first key, and the first operation request is used to request to install or update the first trusted application in the TEE terminal ;

安装或更新单元,配置为基于所述第一秘钥和所述第二操作请求安装或更新所述第一可信应用。An installation or update unit configured to install or update the first trusted application based on the first secret key and the second operation request.

根据第十一方面,提供了一种计算机可读存储介质,其上存储有计算机程序,当所述计算机程序在计算机中执行时,令计算机执行第一方面到第五方面的方法。According to an eleventh aspect, there is provided a computer-readable storage medium on which a computer program is stored, and when the computer program is executed in a computer, causes the computer to execute the methods of the first to fifth aspects.

根据第十二方面,提供了一种计算设备,包括存储器和处理器,所述存储器中存储有可执行代码,所述处理器执行所述可执行代码时,实现第一方面到第五方面的方法。According to a twelfth aspect, a computing device is provided, including a memory and a processor, the memory stores executable codes, and when the processor executes the executable codes, the first to fifth aspects are implemented. method.

通过本说明书实施例提供的方法和装置,在安装或更新可信应用的过程中,TEE终端和服务提供方均可以监听应用客户端对可信应用的安装或更新需求,并向TEE管理方发起可信应用的管理流程;之后,由TEE管理方获取基于其生成的第一秘钥对可信应用加密得到的加密应用信息,并将加密应用信息发送至TEE终端,由TEE终端完成安装或更新操作,简化了重复传输,降低了服务提供方的负荷,提升了传输效率,进而提升了安装或更新效率。With the method and device provided by the embodiments of this specification, during the process of installing or updating a trusted application, both the TEE terminal and the service provider can monitor the application client's installation or update requirements for the trusted application, and initiate a request to the TEE management party Management process of trusted applications; after that, the TEE management party obtains encrypted application information obtained by encrypting trusted applications based on the first secret key generated by the TEE management party, and sends the encrypted application information to the TEE terminal, and the TEE terminal completes the installation or update The operation simplifies the repeated transmission, reduces the load on the service provider, improves the transmission efficiency, and further improves the installation or update efficiency.

Description of the drawings

To explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.

FIG. 1 shows a schematic diagram of an implementation scenario of an embodiment disclosed in this specification;

FIG. 2 shows a trusted application management method according to one embodiment;

FIG. 3 shows a data structure of encrypted application information according to one embodiment;

FIG. 4 shows a data structure of encrypted application information according to another embodiment;

FIG. 5 shows a data structure of an operation request according to one embodiment;

FIG. 6 shows a trusted application management method according to another embodiment;

FIG. 7 shows a trusted application management method according to yet another embodiment;

FIG. 8 shows a trusted application management method according to yet another embodiment;

FIG. 9 shows a schematic diagram of the TEE manager sending a message to the service provider according to one embodiment;

FIG. 10 shows a schematic diagram of the service provider sending a message to the TEE manager according to one embodiment;

FIG. 11 shows a schematic block diagram of a trusted application management apparatus according to one embodiment;

FIG. 12 shows a schematic block diagram of a trusted application management apparatus according to one embodiment;

FIG. 13 shows a schematic block diagram of a trusted application management apparatus according to one embodiment;

FIG. 14 shows a schematic block diagram of a trusted application management apparatus according to one embodiment;

FIG. 15 shows a schematic block diagram of a trusted application management apparatus according to one embodiment.

Detailed description

The solution provided in this specification is described below with reference to the drawings.

It should be understood that "first" and "second" in this document merely label and distinguish similar concepts for clarity of expression and have no other limiting effect.

FIG. 1 is a schematic diagram of an implementation scenario of an embodiment disclosed in this specification. In the embodiment of FIG. 1, a user terminal is configured with a TEE execution environment and has installed an application client that needs to use trusted applications. The user terminal may be an electronic device such as a mobile phone or a tablet; the TEE execution environment provides a secure execution environment for authorized trusted applications (for example, a fingerprint authentication application or a face recognition application); and the application client may be any client that needs to use such trusted applications. Hereinafter, a user terminal in which a TEE execution environment is deployed is called a TEE terminal. Both the TEE terminal and the service provider can monitor the application client's need to install or update a trusted application and initiate the trusted application management process with the TEE manager. The TEE manager then performs device state synchronization with the TEE terminal and obtains encrypted application information produced by encrypting the trusted application with the first key it generated. Finally, the encrypted application information is sent to the TEE terminal, which completes the installation or update.

Specifically, the TEE terminal and/or the service provider detects the application client's need to install or update a trusted application, generates a first operation request and sends it to the TEE manager; the first operation request may request installation of a first trusted application in the TEE terminal corresponding to the application client. The TEE manager then performs device state synchronization with the TEE terminal and sends the first key it generated to the TEE terminal. Next, the TEE manager obtains encrypted application information produced by encrypting the first trusted application with the first key; this encrypted application information may be received from the service provider in real time or may have been pre-stored by the TEE manager. The TEE manager then appends the encrypted application information to the first operation request and sends the result to the TEE terminal. Finally, the TEE terminal decrypts the encrypted application information with the first key, obtains the first trusted application, and installs or updates it. The specific implementation steps of this process are described below.

FIG. 2 shows a trusted application management method according to one embodiment. As shown in FIG. 2, the method involves at least a TEE manager, a service provider and a TEE terminal.

The TEE manager is deployed by the TEE terminal provider. It is responsible for detecting requests to install or update trusted applications generated by TEE terminals and/or service providers, and for checking whether a TEE terminal has an environment in which a trusted application can be installed or updated, for example whether the user terminal contains a security domain for the service provider in which the trusted application can be installed or updated.

The service provider, also called the provider of the trusted application, is the party that supplies the files of the trusted application available for installation or update. The service provider may generate a request to install or update a trusted application, which may be generated when it detects an application client's need to install or update the trusted application. The application client may be, for example, the Alipay client or another application client that provides security services such as payment and identity authentication.

The TEE terminal may include a TEE agent, a security domain requested for the service provider in the user terminal, and the like. The TEE terminal may generate a request to install or update a trusted application, generated when it detects an application client's need to install or update the trusted application.

The specific steps of the trusted application management method shown in FIG. 2 are described below.

First, in step S101, the application client may send its need to install or update a trusted application to the TEE terminal. In this implementation, the TEE terminal monitors the application client's need to install or update the first trusted application.

Monitoring the application client's need to install or update the first trusted application can be done in several ways. For example, the TEE terminal may listen for an instruction, entered by the user through the application client on the user terminal, to install or update an application such as a fingerprint recognition application. The user may enter this installation instruction through the client of the relevant application; for example, in the Alipay client, tapping "enable fingerprint authentication" enters an instruction to install the fingerprint authentication application.

In another example, the application client's need to install or update the first trusted application may be monitored by listening for needs raised by the application client itself. For example, when an application client needs to call a function of a trusted application, it can raise the need with the user's authorization and report it to the TEE terminal, so that the TEE terminal learns of the application client's need for the trusted application. Alternatively, when the application client detects that an already installed trusted application needs updating, it can report that need to the TEE terminal, which thereby learns of the application client's need for the trusted application.

Next, in step S102, once the TEE terminal detects the application client's need to install or update the first trusted application, it generates a first operation request. The first operation request requests installation or update of the first trusted application in the TEE terminal.

Next, in step S104, the TEE terminal sends the first operation request to the TEE manager.

In one example, the TEE terminal may pass the first operation request through to the TEE manager via the application client associated with the trusted application (for example, the Alipay client). In another embodiment, the TEE terminal may send the first operation request to the TEE manager directly through its operating system.

In step S106, the TEE manager receives the first operation request and performs device state synchronization with the TEE terminal. In general, on receiving an operation request from a TEE terminal, the TEE manager responds by synchronizing device state with the TEE terminal, checking whether the TEE terminal has an environment in which the trusted application can be installed or updated, and sending the first key to the TEE terminal. Optionally, the TEE manager may synchronize device state with the TEE terminal directly, to reduce the load on the service provider, or via the service provider and/or the application client.

In one example, each time the TEE manager receives a first operation request, it may generate a symmetric dynamic key (the first key) specific to that first operation request.

Next, in step S108, the TEE manager sends the first key to the service provider corresponding to the first trusted application.

In step S110, the service provider encrypts the first trusted application based on the first key to obtain first encrypted application information.

In one example, as shown in FIG. 3, the service provider may encrypt the first trusted application directly with the first key to obtain the encrypted application information.

In another example, as shown in FIG. 4, the service provider may generate a private key, encrypt the first trusted application with that private key to obtain first encrypted data, and then encrypt the private key with the first key to obtain second encrypted data; the first encrypted data and the second encrypted data together form the first encrypted application information. Encryption with the private key may use a symmetric algorithm such as DES, 3DES, IDEA, RC5 or RC6; encryption with the first key may likewise use one of these symmetric algorithms.

In yet another example, the service provider may encrypt the first trusted application with a private key in advance to obtain the first encrypted data. The private key is the key that, among the multiple trusted applications the service provider offers, corresponds to the first trusted application currently to be installed or updated, or the key that corresponds to the current version of that first trusted application. In other words, the same trusted application can be pre-encrypted with the same key, or the same version of a trusted application can be pre-encrypted with the same key, which avoids re-encrypting the application and further speeds up installation or update. The private key is then encrypted with the first key to obtain the second encrypted data. Finally, the first encrypted data and the second encrypted data together form the encrypted application information.

In step S112, the service provider sends the first encrypted application information to the TEE manager.

Next, in step S114, the TEE manager appends the first encrypted application information to the first operation request to generate a second operation request. The second operation request can be understood as a request to install or update the trusted application. Optionally, the TEE manager may also sign the second operation request to prevent its contents from being tampered with. Specifically, as shown in FIG. 5, the TEE manager may first append the first encrypted application information to the operation request and then sign the operation request.

In addition, the TEE manager may attach its own identity information to the second operation request, so that the service provider and/or the TEE terminal can establish the origin of the second operation request, improving operational security.

Next, in step S116, the TEE manager sends the second operation request to the TEE terminal.

In step S118, the TEE terminal installs or updates the first trusted application based on the first key and the second operation request. In general, the TEE terminal decrypts the first encrypted application information in the second operation request with the first key to obtain the first trusted application, and then installs or updates it.

In addition, after the first trusted application has been installed or updated successfully, the TEE terminal may report the success to the TEE manager, the service provider and/or the application client, so that they know the installation or update succeeded.

It should be understood that when decrypting the first encrypted application information in the second operation request with the first key, the TEE terminal may also verify the TEE manager's signature, the TEE manager's identity information, the service provider's identity information and so on, to improve operational security.
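The S106 to S118 exchange above, carried through in code as an added example (this is not code from the patent or from Alipay; every function, type and field name is an assumption made for the example): the TEE manager generates a per-request first key, the service provider builds the FIG. 4 form of the first encrypted application information (trusted application under a per-application private key, private key wrapped under the first key), the manager appends it to the operation request together with its identity and signs the result (FIG. 5), and the terminal verifies signature and identity, unwraps the private key and decrypts before anything is installed. AES-256-GCM and Ed25519 stand in for the DES/3DES/IDEA/RC5/RC6 family the text lists and for the unnamed signature scheme; the authenticated cipher also gives the terminal an integrity check on the application image itself, which a bare symmetric cipher would not.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// OperationRequest: the first operation request and, with the last three fields set, the second (field names assumed).
type OperationRequest struct {
	TerminalID string `json:"terminal_id"`
	Action     string `json:"action"` // "install" or "update"
	AppID      string `json:"app_id"`
	EncApp     []byte `json:"enc_app,omitempty"`    // first encrypted data: TA under the private key
	EncKey     []byte `json:"enc_key,omitempty"`    // second encrypted data: private key under the first key
	ManagerID  string `json:"manager_id,omitempty"` // TEE manager's own identity information
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal: AES-256-GCM (stand-in for the symmetric algorithms the patent lists), nonce prepended, aad authenticated.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails if the ciphertext, nonce or aad was altered.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// NewKey: a fresh 256-bit key, used for the manager's per-request first key (S106) and the provider's private key (FIG. 4).
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// EncryptApplication is the service provider's S110 in the FIG. 4 form; appID is bound as AAD to both ciphertexts.
func EncryptApplication(firstKey, privateKey, ta []byte, appID string) ([]byte, []byte, error) {
	encApp, err := seal(privateKey, ta, []byte(appID)) // first encrypted data
	if err != nil {
		return nil, nil, err
	}
	encKey, err := seal(firstKey, privateKey, []byte(appID)) // second encrypted data
	return encApp, encKey, err
}

// BuildSecondRequest is the TEE manager's S114: attach encrypted info and identity, then sign the serialized request (FIG. 5).
func BuildSecondRequest(first OperationRequest, encApp, encKey []byte, managerID string, sk ed25519.PrivateKey) ([]byte, []byte, error) {
	first.EncApp, first.EncKey, first.ManagerID = encApp, encKey, managerID
	body, err := json.Marshal(first)
	if err != nil {
		return nil, nil, err
	}
	return body, ed25519.Sign(sk, body), nil
}

// InstallFromRequest is the terminal's S118: verify signature and manager identity, unwrap with the first key, decrypt the TA.
func InstallFromRequest(body, sig []byte, managerPub ed25519.PublicKey, expectedManager string, firstKey []byte) ([]byte, error) {
	if !ed25519.Verify(managerPub, body, sig) {
		return nil, fmt.Errorf("second operation request: bad TEE manager signature")
	}
	var req OperationRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return nil, err
	}
	if req.ManagerID != expectedManager {
		return nil, fmt.Errorf("unexpected TEE manager identity %q", req.ManagerID)
	}
	privateKey, err := open(firstKey, req.EncKey, []byte(req.AppID))
	if err != nil {
		return nil, fmt.Errorf("unwrap private key: %w", err)
	}
	return open(privateKey, req.EncApp, []byte(req.AppID)) // nothing is installed unless this succeeds
}
```

Three failure modes are worth exercising against this flow: a single modified byte in the request body fails the manager's signature check before any decryption; a first key from a different request (the key is generated per request, so a stale or replayed one) fails at the unwrap step; and a request carrying an unexpected manager identity is rejected even when its signature verifies under a known key. Binding the application ID as AAD means an encrypted image for one trusted application cannot be presented as another.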

FIG. 6 shows a trusted application management method according to another embodiment. The specific steps of the method shown in FIG. 6 are described below.

First, in step S201, the application client may send its need to install or update a trusted application to the service provider. In this implementation, the service provider monitors the application client's need to install or update the first trusted application.

For example, when an application client needs to call a function of a trusted application, it can raise the need with the user's authorization and report it to the service provider corresponding to that trusted application, so that the service provider learns of the application client's need for the trusted application. Alternatively, when the application client detects that an already installed trusted application needs updating, it can report that need to the service provider, which thereby learns of the application client's need for the trusted application.

Next, in step S202, once the service provider detects the application client's need to install or update the first trusted application, it generates a first operation request. The first operation request requests installation or update of the first trusted application in the TEE terminal.

Next, in step S204, the service provider sends the first operation request to the TEE manager.

For the subsequent steps, refer to steps S106 to S118 above; they are not repeated here.

FIG. 7 shows a trusted application management method according to yet another embodiment. The specific steps of the method shown in FIG. 7 are described below.

First, in step S101, the application client may send its need to install or update a trusted application to the TEE terminal.

Next, in step S102, the TEE terminal detects the application client's need to install or update the first trusted application and generates a first operation request. The first operation request requests installation or update of the first trusted application in the TEE terminal.

Next, in step S104, the TEE terminal sends the first operation request to the TEE manager.

In step S106, the TEE manager receives the first operation request and synchronizes with the TEE in the TEE terminal.

In step S302, the TEE manager retrieves the pre-stored first encrypted application information, obtained by encrypting the first trusted application based on the first key. Pre-storing the encrypted application information avoids transmitting it repeatedly between the TEE manager and the service provider while installing or updating the trusted application, which reduces the load on the service provider and improves transmission efficiency and thereby installation or update efficiency.

In one example, the TEE manager may in advance send the service provider corresponding to the first trusted application a request to obtain the first trusted application, receive the first trusted application from the service provider, encrypt it with the first key it generated to obtain the first encrypted application information, and finally store the first encrypted application information.

In another example, the TEE manager may in advance send the service provider corresponding to the first trusted application a request to obtain the first encrypted application information, receive the first encrypted application information sent by the service provider, and store it. It should be understood that in this case the first encrypted application information is obtained by the service provider encrypting the first trusted application with the first key obtained from the TEE manager.

Next, in step S114, the TEE manager appends the first encrypted application information to the first operation request to generate a second operation request. In addition, the TEE manager may attach its own identity information to the second operation request, so that the service provider and/or the TEE terminal can establish the origin of the second operation request, improving operational security.

Next, in step S116, the TEE manager sends the second operation request to the TEE terminal.

In step S118, the TEE terminal installs or updates the first trusted application based on the first key and the second operation request.

It should be understood that steps S102 to S104 of this trusted application management method may also be performed by the service provider corresponding to the first trusted application; see the description of FIG. 6 above, which is not repeated here.

FIG. 8 shows a trusted application management method according to yet another embodiment. The specific steps of the method shown in FIG. 8 are described below.

First, in step S401, application clients on multiple TEE terminals may send their needs to install or update a trusted application to the service provider. In one example, the application client on each TEE terminal, on detecting that an already installed trusted application needs updating, can send that update need to the service provider. In another example, when the application client on any TEE terminal needs to call a function of a trusted application and the trusted application is not installed in that TEE terminal, the application client can send the need to install the trusted application to the service provider.

Next, in step S402, the service provider detects the need of the application clients on the multiple TEE terminals to install or update the first trusted application and generates a first operation request. The first operation request requests installation of the first trusted application in the multiple TEE terminals.

In step S404, the service provider sends the first operation request to the TEE manager.

In one embodiment, the service provider generates multiple first operation requests based on the need information of the multiple TEE terminals and sends them to the TEE manager separately. In another embodiment, the service provider merges the need information of the multiple TEE terminals into a single first operation request, containing the request information of the multiple TEE terminals, and sends it to the TEE manager.

Next, in step S406, the TEE manager receives the first operation request and performs device state synchronization with each of the multiple TEE terminals. In general, on receiving the operation request, the TEE manager responds by synchronizing device state with the multiple TEE terminals in order to send the first key to the TEE terminals, to check whether each TEE terminal has an environment in which the trusted application can be installed or updated, and to obtain the device information of each TEE terminal. The device information of a TEE terminal may include the terminal's identity, such as a device ID or device model, a hash of that identity, the version number of the terminal's operating system, the identity of the TEE in the terminal, and so on.

Optionally, the TEE manager may synchronize device state with the multiple TEE terminals directly, to reduce the load on the service provider, or via the service provider and/or the application client.

In one example, each time the TEE manager receives a first operation request, it may generate a symmetric dynamic key (the first key) specific to that first operation request.

In step S408, the TEE manager sends a first message to the service provider. The first message includes the device information of each TEE terminal.

In one example, the first message may include a first session identifier created for the multiple TEE terminals. The TEE manager may use the session window corresponding to the first session identifier to send the device information of each TEE terminal to the service provider. In other words, as shown in FIG. 9, the TEE manager uses the current session, identified by a single session ID, to send the device information of each TEE terminal to the service provider, so that multiple user terminals share one information flow, which reduces repeated transmissions, improves transmission efficiency and lowers latency.

Next, in step S410, the service provider determines the application installation information corresponding to each TEE terminal based on that terminal's device information. The application installation information may include the version information and file size information of the first trusted application, among other things. Generally, the service provider can use the TEE terminal's device information to look up a mapping table between device information and application installation information, and thereby determine the version information and file size information of the trusted application adapted to that TEE terminal. For example, if the trusted application version corresponding to the operating system ios9 is V1 and the version corresponding to ios10 is V2, then when a TEE terminal's operating system is ios9, the trusted application version is determined to be V1.

In step S412, the service provider sends a second message to the TEE manager. The second message includes the application installation information corresponding to each TEE terminal.

In one example, the second message includes the aforementioned first session identifier created for the multiple TEE terminals. The service provider may use the session window corresponding to the first session identifier to send the application installation information corresponding to each TEE terminal to the TEE manager. In other words, as shown in FIG. 10, the service provider uses the current session, denoted by a single session ID, to send the application installation information of all TEE terminals to the TEE manager, so that multiple user terminals share one information flow; this reduces repeated transmission, improves transmission efficiency and lowers latency.

Next, in step S414, the TEE manager determines, based on the application installation information corresponding to each TEE terminal, the first encrypted application information corresponding to that TEE terminal from a plurality of pre-stored pieces of encrypted application information; the first encrypted application information is obtained by encrypting the first trusted application with the first key. Generally, after receiving the application installation information corresponding to each TEE terminal, the TEE manager can use the information about the trusted application contained in it, such as the version number, to search the pre-stored encrypted application information for the matching trusted application, and thereby determine the first encrypted application information corresponding to each TEE terminal.

It should be noted that the process of pre-storing the encrypted application information is described above and is not repeated here. Pre-storing the encrypted application information avoids transmitting it repeatedly between the TEE manager and the service provider while a trusted application is being installed or updated, which reduces the load on the service provider, improves transmission efficiency, and in turn improves installation or update efficiency.

In step S416, the TEE manager attaches the first encrypted application information corresponding to each TEE terminal to the corresponding first operation request, generating a second operation request corresponding to each TEE terminal.

In step S418, the TEE manager determines a target TEE terminal group based on the application installation information corresponding to each TEE terminal. The target TEE terminal group consists of TEE terminals whose application installation information is identical. Generally, the TEE manager can pick out identical pieces of application installation information from the multiple pieces it holds, and then place the TEE terminals corresponding to the same application installation information into one group, which forms the target terminal group. For example, when TEE terminal 1 and TEE terminal 2 require the same version number of the trusted application, TEE terminal 1 and TEE terminal 2 can be placed in one group.

In step S420, the TEE manager sends a merged operation request to the service provider. The merged operation request includes the first session identifier, the first encrypted application information corresponding to the shared application installation information, and information about the target TEE terminal group. In this way, because the multiple TEE terminals in one TEE terminal group correspond to the same application installation information, the merged operation request carries the common first encrypted application information once for all of them, reducing repeated transmission, improving transmission efficiency and lowering latency.

Next, in step S422, the service provider sends the corresponding second operation request to each TEE terminal in the target TEE terminal group according to the merged operation request.

In another embodiment, steps S418 to S422 above may be modified so that the TEE manager sends each TEE terminal its corresponding second operation request directly.

Next, in step S424, each TEE terminal installs or updates the first trusted application based on the first key and the second operation request. Generally, the TEE terminal can decrypt the first encrypted application information in the second operation request with the first key to obtain the first trusted application, and then install or update it.

In addition, after the first trusted application has been successfully installed or updated, the TEE terminal may report the success to the TEE manager, the service provider and/or the application client, so that they learn that the installation or update succeeded.

It will be understood that, when the TEE terminal decrypts the first encrypted application information in the second operation request with the first key, it may also verify the TEE manager's signature, the TEE manager's identity information, the service provider's identity information, and so on, in order to improve the security of the operation.

It should be understood that steps S402-S404 of this trusted application management method may also be performed by the multiple TEE terminals; the execution process on the TEE terminal side is described in detail above and is not repeated here.

As can be seen from the above description, during the installation or update of a trusted application both the TEE terminal and the service provider can monitor the application client's requirement to install or update the trusted application and initiate the trusted application management flow toward the TEE manager; the TEE manager then obtains the encrypted application information produced by encrypting the trusted application with the first key it generated, and sends the encrypted application information to the TEE terminal, which completes the installation or update. This cuts down repeated transmission, reduces the load on the service provider, improves transmission efficiency, and in turn improves installation or update efficiency.
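As an added illustration (not code from the patent or from the assignee), the following Python models steps S402 to S424 for several terminals: a first key generated per request, device state synchronization, the service provider's mapping table (ios9 to V1, ios10 to V2), grouping of terminals with identical installation information so that one encrypted image serves the whole group, and the terminal's integrity check before anything is installed. The cipher is a stand-in HMAC-SHA256 construction, the manager's signature is modelled as a MAC bound to the manager identity, session identifier and version, and all identifiers, versions and images are constructed.

```python
"""Constructed walk-through of the FIG. 8 flow (S402-S424). Stand-in cryptography
(HMAC-SHA256 keystream, encrypt-then-MAC); all identifiers and versions are made up."""
import hashlib
import hmac
import secrets
from collections import defaultdict

def _subkey(first_key: bytes, label: bytes) -> bytes:
    return hmac.new(first_key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(first_key: bytes, image: bytes, aad: bytes) -> dict:
    # Encrypt the TA image under the first key; the tag also covers aad (manager id, session, version).
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(image, _keystream(_subkey(first_key, b"enc"), nonce, len(image))))
    tag = hmac.new(_subkey(first_key, b"mac"), nonce + aad + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def open_sealed(first_key: bytes, blob: dict, aad: bytes) -> bytes:
    tag = hmac.new(_subkey(first_key, b"mac"), blob["nonce"] + aad + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):      # verify before decrypting
        raise ValueError("integrity check failed; TA not installed")
    ks = _keystream(_subkey(first_key, b"enc"), blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))

class ServiceProvider:
    # S410: constructed mapping table from device information to application installation info.
    TABLE = {"ios9": {"version": "V1", "size": 11}, "ios10": {"version": "V2", "size": 11}}

    def installation_info(self, device_info: dict):
        return self.TABLE.get(device_info["os"])    # None when no adapted TA version exists

    def dispatch(self, merged: dict, terminals: dict) -> None:
        # S422: fan the merged request out as one second operation request per group member.
        for tid in merged["terminals"]:
            terminals[tid].install({k: merged[k] for k in ("session_id", "version", "encrypted_app")})

class TeeTerminal:
    def __init__(self, terminal_id: str, os_version: str):
        self.terminal_id, self.os, self.installed = terminal_id, os_version, None
        self.first_key = self.session_id = self.manager_id = None

    def sync(self, first_key: bytes, session_id: str, manager_id: str) -> dict:
        # S406: device state synchronisation; take the first key, report device information.
        self.first_key, self.session_id, self.manager_id = first_key, session_id, manager_id
        return {"device_id": self.terminal_id, "os": self.os}

    def install(self, second_request: dict) -> None:
        # S424: check the session, verify the binding to the manager, decrypt, then install.
        if second_request["session_id"] != self.session_id:
            raise ValueError("second operation request is not for the current session")
        aad = f"{self.manager_id}|{self.session_id}|{second_request['version']}".encode()
        image = open_sealed(self.first_key, second_request["encrypted_app"], aad)
        self.installed = (second_request["version"], image)

class TeeManager:
    def __init__(self, manager_id: str, ta_images: dict):
        self.manager_id, self.ta_images = manager_id, ta_images  # version -> TA image received from the SP

    def handle_first_request(self, terminals: dict, sp: ServiceProvider) -> list:
        first_key = secrets.token_bytes(32)      # dynamic key generated for this request only
        session_id = secrets.token_hex(8)        # first session id shared by all terminals
        device_info = {tid: t.sync(first_key, session_id, self.manager_id) for tid, t in terminals.items()}
        second_msg = {tid: sp.installation_info(info) for tid, info in device_info.items()}  # S408-S412
        groups = defaultdict(list)               # S418: terminals with identical installation info
        for tid, info in second_msg.items():
            if info is not None:
                groups[(info["version"], info["size"])].append(tid)
        merged_requests = []
        for (version, _), members in groups.items():   # S420: one encrypted image per group
            aad = f"{self.manager_id}|{session_id}|{version}".encode()
            merged_requests.append({"session_id": session_id, "version": version, "terminals": members,
                                    "encrypted_app": seal(first_key, self.ta_images[version], aad)})
        for req in merged_requests:
            sp.dispatch(req, terminals)
        return merged_requests

def run_demo():
    sp = ServiceProvider()
    manager = TeeManager("tee-manager-1", {"V1": b"TA-v1-image", "V2": b"TA-v2-image"})
    terminals = {tid: TeeTerminal(tid, os_v)
                 for tid, os_v in [("t1", "ios9"), ("t2", "ios9"), ("t3", "ios10"), ("t4", "other-os")]}
    return manager.handle_first_request(terminals, sp), terminals

def tamper_is_detected(merged_requests: list, terminals: dict) -> bool:
    """Flip one ciphertext bit in a merged request and confirm the terminal refuses it."""
    req, blob = merged_requests[0], dict(merged_requests[0]["encrypted_app"])
    blob["ct"] = bytes([blob["ct"][0] ^ 0x01]) + blob["ct"][1:]
    try:
        terminals[req["terminals"][0]].install({**req, "encrypted_app": blob})
    except ValueError:
        return True
    return False
```

The terminal with an operating system absent from the mapping table receives no second operation request and installs nothing, and a modified ciphertext is rejected before decryption.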

The trusted application management process above involves multi-party interaction between the TEE manager, the service provider and the TEE terminal. The apparatus configurations of these parties are described separately below.

FIG. 11 shows a schematic block diagram of a trusted application management apparatus provided according to an embodiment; the apparatus is deployed at the TEE manager. As shown in FIG. 11, the apparatus 500 includes:

a first operation request receiving unit 51, configured to receive from a requester a first operation request for installing or updating a first trusted application in a TEE terminal, where the requester is the TEE terminal or the service provider corresponding to the first trusted application, and the first operation request is generated by the requester monitoring an application client's requirement to install or update the first trusted application;

a synchronization unit 52, configured to perform device state synchronization with the TEE terminal and thereby send it the first key;

an encrypted application information acquisition unit 53, configured to obtain first encrypted application information produced by encrypting the first trusted application with the first key;

a second operation request generation unit 54, configured to attach the first encrypted application information to the first operation request to generate a second operation request;

a second operation request sending unit 55, configured to send the second operation request to the TEE terminal, so that the TEE terminal installs or updates the first trusted application based on the first key and the second operation request.

In one example, the encrypted application information acquisition unit 53 may obtain the first encrypted application information as follows: send the first key to the service provider so that it encrypts the first trusted application with the first key to produce the first encrypted application information, and receive the first encrypted application information from the service provider.

In another example, the encrypted application information acquisition unit 53 may obtain the first encrypted application information by retrieving pre-stored first encrypted application information.

Further, in one example, the encrypted application information acquisition unit 53 may store the first encrypted application information as follows: receive the first trusted application from the service provider in advance, encrypt the first trusted application with the first key to produce the first encrypted application information, and store the first encrypted application information.

Further, in another example, the encrypted application information acquisition unit 53 may store the first encrypted application information as follows: receive the first encrypted application information from the service provider in advance, and store it.

FIG. 12 shows a schematic block diagram of a trusted application management apparatus provided according to an embodiment; the apparatus is deployed at the TEE manager. As shown in FIG. 12, the apparatus 600 includes:

a first operation request receiving unit 61, configured to receive from a requester a first operation request for installing or updating a first trusted application in multiple TEE terminals, where the requester is the service provider corresponding to the first trusted application or the multiple TEE terminals;

a synchronization unit 62, configured to perform device state synchronization with each of the multiple TEE terminals, obtain the device information of each TEE terminal, and send the first key to each TEE terminal;

a first message sending unit 63, configured to send a first message to the service provider, the first message including the device information of each TEE terminal, so that the service provider determines the corresponding application installation information based on the device information of each TEE terminal;

a second message receiving unit 64, configured to receive a second message sent by the service provider, the second message including the application installation information corresponding to each TEE terminal;

an encrypted application information determination unit 65, configured to determine, based on the application installation information corresponding to each TEE terminal, the first encrypted application information corresponding to that TEE terminal from a plurality of pre-stored pieces of encrypted application information, the first encrypted application information being obtained by encrypting the first trusted application with the first key;

a second operation request generation unit 66, configured to attach the first encrypted application information corresponding to each TEE terminal to the corresponding first operation request, generating the second operation request corresponding to each TEE terminal;

a second operation request sending unit 67, configured to send the second operation request corresponding to each TEE terminal to that TEE terminal, so that the TEE terminal installs or updates the first trusted application based on the first key and the second operation request.

In one example, the application installation information includes the version information and file size information of the first trusted application.

In one example, the first message includes a first session identifier created for the multiple TEE terminals, and the second message includes the same first session identifier.

Further, the second operation request sending unit 67 may send the second operation requests as follows: determine a target TEE terminal group based on the application installation information corresponding to each TEE terminal, the target TEE terminal group consisting of TEE terminals whose application installation information is identical; and send a merged operation request to the service provider, the merged operation request including the first session identifier, the first encrypted application information corresponding to the shared application installation information, and information about the target TEE terminal group, so that the service provider sends the corresponding second operation request to each TEE terminal in the target TEE terminal group according to the merged operation request.

In one example, the synchronization unit 62 may synchronize as follows: perform device state synchronization with each of the multiple TEE terminals directly, or through the service provider and/or the application clients.

In one example, the first operation request is generated by the service provider monitoring the requirements of the application clients on the multiple TEE terminals to install or update the first trusted application; or

the first operation request is generated by a TEE terminal monitoring the requirement of the application client on that terminal to install or update the first trusted application, and is sent to the service provider.

FIG. 13 shows a schematic block diagram of a trusted application management apparatus provided according to an embodiment; the apparatus is deployed at the service provider. As shown in FIG. 13, the apparatus 700 includes:

a monitoring unit 71, configured to monitor an application client's requirement to install or update a first trusted application and generate a first operation request, the first operation request requesting that the first trusted application be installed in the TEE terminal corresponding to the application client;

a first operation request sending unit 72, configured to send the first operation request to the trusted execution environment (TEE) manager;

a key receiving unit 73, configured to receive the first key sent by the TEE manager;

an encryption unit, configured to encrypt the first trusted application based at least on the first key to obtain first encrypted application information;

an encrypted application information sending unit 74, configured to send the first encrypted application information to the TEE manager, so that the TEE manager sends it to the TEE terminal.

FIG. 14 shows a schematic block diagram of a trusted application management apparatus provided according to an embodiment; the apparatus is deployed at the service provider. As shown in FIG. 14, the apparatus 800 includes:

a monitoring unit 81, configured to monitor the requirements of the application clients on multiple TEE terminals to install or update a first trusted application and generate a first operation request, the first operation request requesting that the first trusted application be installed in the multiple TEE terminals;

a first operation request sending unit 82, configured to send the first operation request to the trusted execution environment (TEE) manager;

a message receiving unit 83, configured to receive a first message sent by the TEE manager, the first message including the device information of each TEE terminal;

a determination unit 84, configured to determine the corresponding application installation information based on the device information of each TEE terminal;

a second message sending unit 85, configured to send a second message to the TEE manager, the second message including the application installation information corresponding to each TEE terminal, so that the TEE manager determines, based on that application installation information, the first encrypted application information corresponding to each TEE terminal from a plurality of pre-stored pieces of encrypted application information, the first encrypted application information being obtained by encrypting the first trusted application with the first key.

In one example, the apparatus further includes:

a merged operation request receiving unit (not shown), configured to receive a merged operation request sent by the TEE manager, the merged operation request including the first session identifier, the first encrypted application information corresponding to the shared application installation information, and information about the target TEE terminal group, where the target TEE terminal group consists of TEE terminals whose application installation information is identical;

a second operation request sending unit (not shown), configured to send the corresponding second operation request to each TEE terminal in the target TEE terminal group according to the merged operation request, so that each TEE terminal installs or updates the first trusted application based on the first key and the second operation request, where the second operation request is generated by the TEE manager attaching the first encrypted application information corresponding to each TEE terminal to the corresponding first operation request.

FIG. 15 shows a schematic block diagram of a trusted application management apparatus provided according to an embodiment; the apparatus is deployed in a trusted execution environment (TEE) terminal. As shown in FIG. 15, the apparatus 500 includes:

a response unit 91, configured to, in response to a synchronization request from the trusted execution environment (TEE) manager, perform device state synchronization with the TEE manager and receive the first key sent by the TEE manager;

a second operation request receiving unit 92, configured to receive a second operation request sent by the TEE manager, where the second operation request is generated by the TEE manager attaching the first encrypted application information corresponding to the TEE terminal to the corresponding first operation request, the first encrypted application information is obtained by encrypting the first trusted application with the first key, and the first operation request requests the installation or update of the first trusted application in the TEE terminal;

an installation or update unit 93, configured to install or update the first trusted application based on the first key and the second operation request.

In one example, the apparatus further includes:

a monitoring unit (not shown), configured to monitor an application client's requirement to install or update the first trusted application and generate the first operation request;

a first operation request sending unit, configured to send the first operation request to the TEE manager, so that the TEE manager performs device state synchronization with the TEE terminal and/or obtains the first encrypted application information.

In one example, the apparatus further includes:

a device information sending unit (not shown), configured to send the device information of the TEE terminal to the TEE manager.

According to an embodiment of another aspect, a computer-readable storage medium is also provided, on which a computer program is stored; when the computer program is executed in a computer, it causes the computer to perform the method described above.

According to an embodiment of yet another aspect, a computing device is also provided, including a memory and a processor; the memory stores executable code, and when the processor executes the executable code, the method described above is implemented.

Those skilled in the art will appreciate that, in one or more of the examples above, the functions described in the present invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, these functions may be stored on a computer-readable medium or transmitted as one or more instructions or code on a computer-readable medium.

The specific embodiments described above further explain the objectives, technical solutions and beneficial effects of the present invention in detail. It should be understood that the above are merely specific embodiments of the present invention and are not intended to limit its scope of protection; any modification, equivalent replacement, improvement or the like made on the basis of the technical solution of the present invention shall fall within the scope of protection of the present invention.

Claims (22)

1. A trusted application management method, performed by a trusted execution environment, TEE, manager, comprising:
receiving a first operation request for requesting installation or update of a first trusted application in a TEE terminal from a requester, wherein the requester comprises the TEE terminal or a service provider corresponding to the first trusted application, and the first operation request is generated by the requester monitoring the installation or update demand of an application client for the first trusted application;
performing device state synchronization with the TEE terminal so as to send a first secret key to the TEE terminal;
acquiring first encrypted application information obtained by encrypting the first trusted application based on the first secret key;
attaching the first encrypted application information to the first operation request to generate a second operation request;
sending the second operation request to the TEE terminal to enable the TEE terminal to install or update the first trusted application based on the first key and the second operation request.
2. The method of claim 1, wherein the acquiring first encrypted application information obtained by encrypting the first trusted application based on the first key comprises:
sending the first key to the service provider, so that the service provider encrypts the first trusted application based on the first key to obtain the first encrypted application information; and
receiving the first encrypted application information from the service provider.
3. The method of claim 1, wherein the acquiring first encrypted application information obtained by encrypting the first trusted application based on the first key comprises:
acquiring pre-stored first encrypted application information.
4. The method of claim 3, wherein, before the acquiring of the pre-stored first encrypted application information, the method further comprises:
receiving the first trusted application from the service provider in advance;
encrypting the first trusted application with the first key to obtain the first encrypted application information; and
storing the first encrypted application information.
5. The method of claim 3, wherein, before the acquiring of the pre-stored first encrypted application information, the method further comprises:
receiving the first encrypted application information from the service provider in advance, and storing the first encrypted application information.
6. A trusted application management method, performed by a trusted execution environment (TEE) manager, comprising:
receiving, from a requester, a first operation request for requesting installation or update of a first trusted application in a plurality of TEE terminals, wherein the requester is the plurality of TEE terminals or a service provider corresponding to the first trusted application;
performing device state synchronization with each of the plurality of TEE terminals, acquiring device information of each TEE terminal, and sending a first key to each TEE terminal;
sending a first message to the service provider, the first message comprising the device information of each TEE terminal, so that the service provider determines corresponding application installation information based on the device information of each TEE terminal;
receiving a second message sent by the service provider, the second message comprising the application installation information corresponding to each TEE terminal;
determining, based on the application installation information corresponding to each TEE terminal, first encrypted application information corresponding to each TEE terminal from a plurality of pieces of pre-stored encrypted application information, the first encrypted application information being obtained by encrypting the first trusted application based on the first key;
attaching the first encrypted application information corresponding to each TEE terminal to the corresponding first operation request to generate a second operation request corresponding to each TEE terminal; and
sending the second operation request corresponding to each TEE terminal to that TEE terminal, so that the TEE terminal installs or updates the first trusted application based on the first key and the second operation request.
7. The method of claim 6, wherein the application installation information comprises version information and file size information of the first trusted application.
8. The method of claim 6, wherein the first message comprises a first session identifier created for the plurality of TEE terminals, and the second message comprises the first session identifier.
9. The method of claim 8, wherein the sending the second operation request corresponding to each TEE terminal to that TEE terminal comprises:
determining a target TEE terminal group based on the application installation information corresponding to each TEE terminal, the target TEE terminal group consisting of the TEE terminals that correspond to the same application installation information; and
sending a merging operation request to the service provider, the merging operation request comprising the first session identifier, the first encrypted application information corresponding to that same application installation information, and information of the target TEE terminal group, so that the service provider sends the corresponding second operation request to each TEE terminal in the target TEE terminal group according to the merging operation request.
10. The method of any one of claims 6-8, wherein the performing device state synchronization with each of the plurality of TEE terminals comprises:
performing device state synchronization with each of the plurality of TEE terminals directly, or through the service provider and/or the application client.
11. The method of any one of claims 6-8, wherein the first operation request is generated by the service provider monitoring the demand of the application clients on the plurality of TEE terminals for installation or update of the first trusted application; or
the first operation request is generated by monitoring the demand of the application client on the TEE terminal for installation or update of the first trusted application, and is sent to the service provider.
12. A trusted application management method, performed by a service provider, comprising:
monitoring the demand of an application client for installation or update of a first trusted application, and generating a first operation request for requesting installation of the first trusted application in the TEE terminal corresponding to the application client;
sending the first operation request to a trusted execution environment (TEE) manager;
receiving a first key sent by the TEE manager;
encrypting the first trusted application based at least on the first key to obtain first encrypted application information; and
sending the first encrypted application information to the TEE manager, so that the TEE manager sends the first encrypted application information to the TEE terminal.
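The single-terminal flow of claims 1, 2 and 12 as one runnable exchange between the service provider, the TEE manager and the TEE terminal. This is an added example, not code from the patent or from Alipay: the three parties are plain Python objects, the first key is handed to the terminal by a direct call that stands in for whatever device-bound channel the manager uses during device state synchronization, and the `seal`/`open_sealed` pair is an HMAC-based encrypt-then-MAC stand-in for a real AEAD such as AES-GCM. Class and method names, the TA identifier and the sample TA image are assumptions. The tampered run shows what the terminal's decrypt-and-verify step buys: a second operation request whose encrypted application information was altered in transit is rejected instead of installed.

```python
"""Claims 1, 2 and 12 modelled end to end (added example; stand-in cipher, assumed names)."""
import hashlib
import hmac
import os


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: a stand-in for a real cipher, not a recommendation.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(first_key, plaintext):
    # Encrypt-then-MAC under subkeys derived from the first key (assumed construction).
    enc_key = hashlib.sha256(b"enc|" + first_key).digest()
    mac_key = hashlib.sha256(b"mac|" + first_key).digest()
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def open_sealed(first_key, blob):
    # Verify the tag in constant time before touching the ciphertext.
    enc_key = hashlib.sha256(b"enc|" + first_key).digest()
    mac_key = hashlib.sha256(b"mac|" + first_key).digest()
    expected = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("first encrypted application information failed integrity check")
    return bytes(c ^ k for c, k in zip(blob["ct"], _keystream(enc_key, blob["nonce"], len(blob["ct"]))))


class TEETerminal:
    def __init__(self, device_id):
        self.device_id = device_id
        self.first_key = None
        self.installed = {}          # ta_id -> installed TA image

    def device_state_sync(self, first_key):
        # The manager delivers the first key during synchronization (claim 1);
        # the terminal reports its current state back.
        self.first_key = first_key
        return {"device_id": self.device_id, "installed": sorted(self.installed)}

    def handle_second_request(self, req):
        # Install only if the payload authenticates and decrypts under the first key.
        if self.first_key is None:
            return False
        try:
            ta_image = open_sealed(self.first_key, req["encrypted_app"])
        except ValueError:
            return False
        self.installed[req["ta_id"]] = ta_image
        return True


class ServiceProvider:
    def __init__(self, ta_id, ta_image):
        self.ta_id, self.ta_image = ta_id, ta_image

    def on_client_demand(self, device_id, op):
        # First operation request, generated from the application client's demand (claim 12).
        return {"op": op, "ta_id": self.ta_id, "device_id": device_id}

    def encrypt_for(self, first_key):
        return seal(first_key, self.ta_image)


class TEEManager:
    def __init__(self, terminals):
        self.terminals = terminals    # device_id -> TEETerminal

    def handle_first_request(self, req, sp):
        terminal = self.terminals[req["device_id"]]
        first_key = os.urandom(32)                   # fresh key per operation
        terminal.device_state_sync(first_key)
        encrypted_app = sp.encrypt_for(first_key)   # claim 2: the SP encrypts; the manager never sees the TA
        return dict(req, encrypted_app=encrypted_app)   # second operation request


def run_install_flow(tamper_in_transit=False):
    ta_image = b"\x7fTA\x00 constructed sample trusted application image"   # constructed
    sp = ServiceProvider("com.example.wallet_ta", ta_image)
    terminal = TEETerminal("dev-0001")
    manager = TEEManager({"dev-0001": terminal})
    first_req = sp.on_client_demand("dev-0001", "install")
    second_req = manager.handle_first_request(first_req, sp)
    if tamper_in_transit:
        ct = bytearray(second_req["encrypted_app"]["ct"])
        ct[0] ^= 0x01                                # one flipped bit on the wire
        second_req["encrypted_app"]["ct"] = bytes(ct)
    accepted = terminal.handle_second_request(second_req)
    return accepted and terminal.installed.get("com.example.wallet_ta") == ta_image


if __name__ == "__main__":
    print("clean install:", run_install_flow(), "| tampered install:", run_install_flow(True))
```

The manager generates a fresh first key per operation and never holds the plaintext TA; swapping `seal`/`open_sealed` for an AEAD keeps the rest of the exchange unchanged.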
13. A trusted application management method, performed by a service provider, comprising:
monitoring the demand of application clients on a plurality of TEE terminals for installation or update of a first trusted application, and generating a first operation request for requesting installation of the first trusted application in the plurality of TEE terminals;
sending the first operation request to a trusted execution environment (TEE) manager;
receiving a first message sent by the TEE manager, the first message comprising device information of each TEE terminal;
determining corresponding application installation information based on the device information of each TEE terminal; and
sending a second message to the TEE manager, the second message comprising the application installation information corresponding to each TEE terminal, so that the TEE manager determines, based on the application installation information corresponding to each TEE terminal, first encrypted application information corresponding to each TEE terminal from a plurality of pieces of pre-stored encrypted application information, the first encrypted application information being obtained by encrypting the first trusted application based on a first key.
14. The method of claim 13, wherein the application installation information comprises version information and file size information of the first trusted application.
15. The method of claim 13, wherein the first message comprises a first session identifier created for the plurality of TEE terminals, and the second message comprises the first session identifier.
16. The method of claim 15, further comprising:
receiving a merging operation request sent by the TEE manager, the merging operation request comprising the first session identifier, the first encrypted application information corresponding to the same application installation information, and information of a target TEE terminal group, the target TEE terminal group consisting of the TEE terminals that correspond to that same application installation information; and
sending, according to the merging operation request, a corresponding second operation request to each TEE terminal in the target TEE terminal group, so that each TEE terminal installs or updates the first trusted application based on the first key and the second operation request, wherein the second operation request is generated by the TEE manager attaching the first encrypted application information corresponding to each TEE terminal to the corresponding first operation request.
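The multi-terminal flow of claims 6-9 and 13-16, as an added example rather than the patent's code: device state synchronization collects device information and hands each terminal a first key, the first message carries a first session identifier, the service provider maps device information to application installation information (version and file size, claims 7 and 14), the manager picks the matching pre-stored encrypted application information, groups terminals with identical installation information into target TEE terminal groups, and issues one merging operation request per group that the service provider fans out into second operation requests. The encrypted application information is modelled as opaque pre-stored bytes, and the fleet, the version mapping and the rejection of a second message whose session identifier the manager never issued are constructed assumptions.

```python
"""Claims 6-9 and 13-16 as a batch flow (added example; constructed fleet and mapping)."""
import os
import uuid


class BatchTEEManager:
    def __init__(self, pre_stored):
        # (version, file_size) -> pre-stored encrypted application information (opaque bytes here)
        self.pre_stored = pre_stored
        self.first_keys = {}            # device_id -> first key sent during sync
        self.open_sessions = set()      # first session identifiers this manager issued

    def device_state_sync(self, terminals):
        # One first key per terminal, delivered during sync; device info collected in return.
        device_info = []
        for t in terminals:
            self.first_keys[t["device_id"]] = os.urandom(32)
            device_info.append({"device_id": t["device_id"], "tee_version": t["tee_version"]})
        return device_info

    def first_message(self, device_info):
        session_id = uuid.uuid4().hex   # first session identifier for this batch (claim 8)
        self.open_sessions.add(session_id)
        return {"session_id": session_id, "device_info": device_info}

    def handle_second_message(self, first_req, second_msg):
        # The claims echo the session identifier; rejecting unknown ones is an assumed policy.
        if second_msg["session_id"] not in self.open_sessions:
            raise ValueError("unknown or stale first session identifier")
        self.open_sessions.discard(second_msg["session_id"])
        groups, skipped = {}, []
        for device_id, info in second_msg["install_info"].items():
            key = (info["version"], info["file_size"])
            if key not in self.pre_stored:
                skipped.append(device_id)   # nothing pre-stored to ship for this build
                continue
            groups.setdefault(key, []).append(device_id)   # target TEE terminal group (claim 9)
        merge_requests = [
            {"session_id": second_msg["session_id"], "op": first_req["op"],
             "ta_id": first_req["ta_id"], "encrypted_app": self.pre_stored[key],
             "target_group": sorted(ids)}
            for key, ids in groups.items()
        ]
        return merge_requests, skipped


def sp_install_info(device_info):
    # Service provider chooses the TA build per device (claim 13); the mapping is constructed.
    table = {}
    for d in device_info:
        if d["tee_version"] >= 2:
            table[d["device_id"]] = {"version": "2.1.0", "file_size": 40960}
        elif d["tee_version"] == 1:
            table[d["device_id"]] = {"version": "1.4.2", "file_size": 32768}
        else:
            table[d["device_id"]] = {"version": "0.9.0", "file_size": 20480}
    return table


def sp_fan_out(merge_request):
    # One second operation request per terminal in the target group (claim 16).
    return [
        {"device_id": dev, "op": merge_request["op"], "ta_id": merge_request["ta_id"],
         "session_id": merge_request["session_id"], "encrypted_app": merge_request["encrypted_app"]}
        for dev in merge_request["target_group"]
    ]


def run_batch_flow():
    # Constructed fleet and store; "ENC-..." stands for real encrypted TA images.
    terminals = [{"device_id": "dev-a", "tee_version": 2}, {"device_id": "dev-b", "tee_version": 1},
                 {"device_id": "dev-c", "tee_version": 2}, {"device_id": "dev-d", "tee_version": 3},
                 {"device_id": "dev-e", "tee_version": 0}]
    pre_stored = {("2.1.0", 40960): b"ENC-2.1.0", ("1.4.2", 32768): b"ENC-1.4.2"}
    manager = BatchTEEManager(pre_stored)
    first_req = {"op": "update", "ta_id": "com.example.wallet_ta",
                 "device_ids": [t["device_id"] for t in terminals]}
    device_info = manager.device_state_sync(terminals)
    first_msg = manager.first_message(device_info)
    second_msg = {"session_id": first_msg["session_id"],
                  "install_info": sp_install_info(first_msg["device_info"])}
    merge_requests, skipped = manager.handle_second_message(first_req, second_msg)
    second_requests = [r for m in merge_requests for r in sp_fan_out(m)]
    return {"session_id": first_msg["session_id"], "merge_requests": merge_requests,
            "second_requests": second_requests, "skipped": skipped}


if __name__ == "__main__":
    result = run_batch_flow()
    for m in result["merge_requests"]:
        print(m["encrypted_app"], "->", m["target_group"])
    print("skipped:", result["skipped"])
```

With five constructed terminals the manager ends up with two merging operation requests (three devices on build 2.1.0, one on 1.4.2) and one terminal with no matching pre-stored image, which is reported back rather than sent an empty second operation request.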
17. A trusted application management apparatus, deployed at a trusted execution environment (TEE) manager, comprising:
a first operation request receiving unit, configured to receive, from a requester, a first operation request for requesting installation or update of a first trusted application in a TEE terminal, wherein the requester is the TEE terminal or a service provider corresponding to the first trusted application, and the first operation request is generated by the requester monitoring the demand of an application client for installation or update of the first trusted application;
a synchronization unit, configured to perform device state synchronization with the TEE terminal and, in the course of it, send a first key to the TEE terminal;
an encrypted application information acquisition unit, configured to acquire first encrypted application information obtained by encrypting the first trusted application based on the first key;
a second operation request generation unit, configured to attach the first encrypted application information to the first operation request to generate a second operation request; and
a second operation request sending unit, configured to send the second operation request to the TEE terminal, so that the TEE terminal installs or updates the first trusted application based on the first key and the second operation request.
18. A trusted application management apparatus, deployed at a trusted execution environment (TEE) manager, comprising:
a first operation request receiving unit, configured to receive, from a requester, a first operation request for requesting installation or update of a first trusted application in a plurality of TEE terminals, wherein the requester is the plurality of TEE terminals or a service provider corresponding to the first trusted application;
a synchronization unit, configured to perform device state synchronization with each of the plurality of TEE terminals, acquire device information of each TEE terminal, and send a first key to each TEE terminal;
a first message sending unit, configured to send a first message to the service provider, the first message comprising the device information of each TEE terminal, so that the service provider determines corresponding application installation information based on the device information of each TEE terminal;
a second message receiving unit, configured to receive a second message sent by the service provider, the second message comprising the application installation information corresponding to each TEE terminal;
an encrypted application information determining unit, configured to determine, based on the application installation information corresponding to each TEE terminal, first encrypted application information corresponding to each TEE terminal from a plurality of pieces of pre-stored encrypted application information, the first encrypted application information being obtained by encrypting the first trusted application based on the first key;
a second operation request generation unit, configured to attach the first encrypted application information corresponding to each TEE terminal to the corresponding first operation request to generate a second operation request corresponding to each TEE terminal; and
a second operation request sending unit, configured to send the second operation request corresponding to each TEE terminal to that TEE terminal, so that the TEE terminal installs or updates the first trusted application based on the first key and the second operation request.
19. A trusted application management apparatus, deployed at a service provider, comprising:
a monitoring unit, configured to monitor the demand of an application client for installation or update of a first trusted application and generate a first operation request for requesting installation of the first trusted application in the TEE terminal corresponding to the application client;
a first operation request sending unit, configured to send the first operation request to a trusted execution environment (TEE) manager;
a key receiving unit, configured to receive a first key sent by the TEE manager;
an encryption unit, configured to encrypt the first trusted application based at least on the first key to obtain first encrypted application information; and
an encrypted application information sending unit, configured to send the first encrypted application information to the TEE manager, so that the TEE manager sends the first encrypted application information to the TEE terminal.
20. A trusted application management apparatus, deployed at a service provider, comprising:
a monitoring unit, configured to monitor the demand of application clients on a plurality of TEE terminals for installation or update of a first trusted application and generate a first operation request for requesting installation of the first trusted application in the plurality of TEE terminals;
a first operation request sending unit, configured to send the first operation request to a trusted execution environment (TEE) manager;
a message receiving unit, configured to receive a first message sent by the TEE manager, the first message comprising device information of each TEE terminal;
a determining unit, configured to determine corresponding application installation information based on the device information of each TEE terminal; and
a second message sending unit, configured to send a second message to the TEE manager, the second message comprising the application installation information corresponding to each TEE terminal, so that the TEE manager determines, based on the application installation information corresponding to each TEE terminal, first encrypted application information corresponding to each TEE terminal from a plurality of pieces of pre-stored encrypted application information, the first encrypted application information being obtained by encrypting the first trusted application based on a first key.
21. A computer-readable storage medium, on which a computer program is stored which, when executed in a computer, causes the computer to carry out the method of any one of claims 1-16.
22. A computing device comprising a memory and a processor, wherein the memory has stored therein executable code that, when executed by the processor, performs the method of any of claims 1-16.
Application CN202010955075.0A, priority date 2020-09-11, filing date 2020-09-11, "Trusted application management method and device", status Active, granted as CN112149134B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010955075.0A CN112149134B (en) 2020-09-11 2020-09-11 Trusted application management method and device

Publications (2)

Publication Number Publication Date
CN112149134A true CN112149134A (en) 2020-12-29
CN112149134B CN112149134B (en) 2024-11-19

Family

ID=73889661

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010955075.0A Active CN112149134B (en) 2020-09-11 2020-09-11 Trusted application management method and device

Country Status (1)

Country Link
CN (1) CN112149134B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140317686A1 (en) * 2013-04-22 2014-10-23 Oracle International Corporation System with a trusted execution environment component executed on a secure element
CN107682159A (en) * 2017-10-12 2018-02-09 北京握奇智能科技有限公司 The trusted application management method and trusted application management system of a kind of intelligent terminal
CN108781210A (en) * 2015-12-11 2018-11-09 格马尔托股份有限公司 Mobile device with credible performing environment
WO2019165931A1 (en) * 2018-02-28 2019-09-06 华为技术有限公司 Management method, terminal and server
CN111181720A (en) * 2019-12-31 2020-05-19 支付宝(杭州)信息技术有限公司 Service processing method and device based on trusted execution environment

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
YANG CAI et al.: "ALTEE: constructing trustworthy execution environment for mobile App Dynamically", 2019 IEEE Symposium on Computers and Communications (ISCC), 30 June 2019 (2019-06-30) *
施健; 陈铁明; 茆俊康: "A new file encryption system based on IBE Service" (基于IBE Service的新型文件加密系统), 计算机系统应用 (Computer Systems & Applications), no. 06, 15 June 2012 (2012-06-15) *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116708044A (en) * 2023-08-07 2023-09-05 北京小米移动软件有限公司 Application management system, application management method, server, terminal and medium
CN116708044B (en) * 2023-08-07 2023-10-20 北京小米移动软件有限公司 Application management system, application management method, server, terminal and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant