CN107888589A - A kind of method and its system for calling trusted application - Google Patents
A kind of method and its system for calling trusted application Download PDFInfo
- Publication number
- CN107888589A CN107888589A CN201711101161.XA CN201711101161A CN107888589A CN 107888589 A CN107888589 A CN 107888589A CN 201711101161 A CN201711101161 A CN 201711101161A CN 107888589 A CN107888589 A CN 107888589A
- Authority
- CN
- China
- Prior art keywords
- trusted application
- access
- access request
- application
- trusted
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/60—Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
- H04L67/61—Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources taking into account QoS or priority requirements
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The application is related to communication technical field, more particularly to a kind of method and its system for calling trusted application, including:Trusted application one receives the access request of common application;Trusted application one judges to whether there is the access request to trusted application two in the access request of the common application;If there is the access request to trusted application two, then according to the access control right list for the trusted application two being arranged in credible performing environment, the legitimacy of the access request to the trusted application two is judged;If judged result is legal, the trusted application two is accessed.The method and its system of calling trusted application provided herein need the legitimacy according to accesses control list determined property access request, and accesses control list attribute has multi-parameter, therefore the security mutually called, accessed between trusted application is just effectively raised, avoids and illegally called.
Description
Technical field
The present invention relates to communication technical field, more particularly to a kind of method and its system for calling trusted application.
Background technology
With the continuous development of intelligent terminal and mobile network's technology, the type and quantity of various applications are more and more, its
In be no lack of can be related to mobile payment, safety storage etc. the higher application of security requirement, in order to these application in sensitive number
According to being protected, Global Platform (GP) propose credible performing environment (Trusted execution
Environment, abbreviation TEE) concept, the application operated under the credible performing environments of TEE is trusted application (Trusted
Apps, TA).
With TEE extensive use and continuous development, TA type and quantity also gradually increase, and more TA are applied simultaneously and deposited
Situation about mutually calling is also more and more, and the credible performing environment for only relying only on TEE offers ensures the safety accessed between TA
Property, security is relatively low, therefore, how to be effectively ensured mutually call between trusted application TA, the security that accesses is at present urgently
Solve the problems, such as.
The content of the invention
This application provides a kind of method and system for calling trusted application, with improve mutually call between trusted application,
The security of access.
In order to solve the above technical problems, the application provides following technical scheme:
A kind of method for calling trusted application, it is characterised in that comprise the following steps:
Trusted application one receives the access request of common application;
Trusted application one judges to whether there is the access request to trusted application two in the access request of the common application;
If there is the access request to trusted application two, then according to be arranged in credible performing environment it is described it is credible should
With two access control right list, the legitimacy of the access request to the trusted application two is judged;
If judged result is legal, the trusted application two is accessed.
The method as described above for calling trusted application, these, it is preferred to, trusted application one receives the visit of common application
Also comprise the following steps after asking request:
According to the access control right list for the trusted application one being arranged in credible performing environment, judge to described
The legitimacy of the access request of common application;
If judged result is legal, trusted application one allows common application to access.
The method as described above for calling trusted application, these, it is preferred to, the access request to trusted application two
The middle mark and authentication information for carrying the trusted application two.
The as described above method for calling trusted application, these, it is preferred to, according to being arranged in credible performing environment
Access control right list, judge to specifically include following sub-step to the legitimacy of the access request of trusted application two:
The access request to the trusted application two is parsed, obtains the mark and authentication information of trusted application two;
The access control of trusted application two in access control right list is obtained according to the mark of the trusted application two of acquisition
List processed;
Judged according to the accesses control list of the trusted application two of acquisition and the authentication information to the trusted application two
The legitimacy of access request.
The method as described above for calling trusted application, these, it is preferred to, the authentication information includes access privileges
Mark, the accesses control list of the trusted application two includes access privileges mark order list, judges credible to answer to described
With two access requests it is legal after also comprise the following steps:
Compare access privileges mark and access privileges mark order list;
Judge the priority to the access request of trusted application two;
Queue queue will be added to the access request of trusted application two according to the priority to the access request of trusted application two.
A kind of system for calling trusted application, including:
Communication module, the access request of common application is received for trusted application one;
Judge module, judge to whether there is to trusted application in the access request of the common application for trusted application one
Two access request;It is if there is the access request to trusted application two, then described in credible performing environment according to being arranged at
The access control right list of trusted application two, judge the legitimacy of the access request to the trusted application two;
Execution module, if judged result is legal, access the trusted application two.
The system as described above for calling trusted application, these, it is preferred to, in addition to:
Memory module, for storing access control right list.
The as described above system for calling trusted application, these, it is preferred to, judge module is according to the trusted application of acquisition
Two mark obtains the accesses control list of the trusted application two in access control right list;According to the trusted application two of acquisition
Accesses control list and the authentication information judge legitimacy to the access request of trusted application two.
The system as described above for calling trusted application, these, it is preferred to, in addition to:Access request management module, its
In,
Judge module, for comparing the accesses control list of the mark of the access privileges in authentication information and trusted application two
In access privileges mark order list, judge the priority to the access request of trusted application two;
Access request management module, for basis to the priority of the access request of trusted application two by trusted application two
Access request adds queue queue.
A kind of equipment for calling trusted application, include the system of the calling trusted application described in any of the above-described.
Relatively above-mentioned background technology, the method and its system and equipment of calling trusted application provided herein need root
According to the legitimacy of accesses control list determined property access request, and accesses control list attribute has multi-parameter, therefore just has
Effect improves the security mutually called, accessed between trusted application, avoids and is illegally called.
Brief description of the drawings
In order to illustrate more clearly about the embodiment of the present invention or technical scheme of the prior art, below will be to embodiment or existing
There is the required accompanying drawing used in technology description to be briefly described, it should be apparent that, drawings in the following description are only this
Some embodiments described in invention, for those of ordinary skill in the art, other can also be obtained according to these accompanying drawings
Accompanying drawing.
Fig. 1 is the conceptual diagram for the equipment for being deployed with untrusted performing environment and credible performing environment;
Fig. 2 is the schematic diagram for the calling trusted application that the embodiment of the present application one is provided;
Fig. 3 is the method flow diagram for the calling trusted application that the embodiment of the present application one is provided;
Fig. 4 is that the method for the calling trusted application that the embodiment of the present application one is provided judges that common application access request is legal
Property method flow diagram;
Fig. 5 is that the method for the calling trusted application that the embodiment of the present application one is provided is judged to the access request of trusted application two
Legitimacy method flow diagram;
Fig. 6 is that the method for the calling trusted application that the embodiment of the present application one is provided judges the method flow diagram of priority;
Fig. 7 is the structural representation of the system for the calling trusted application that the embodiment of the present application three is provided.
Embodiment
Embodiments of the invention are described below in detail, the example of the embodiment is shown in the drawings, wherein from beginning to end
Same or similar label represents same or similar element or the element with same or like function.Below with reference to attached
The embodiment of figure description is exemplary, is only used for explaining the present invention, and is not construed as limiting the claims.
Two running environment be present simultaneously on the claimed mobile device of the application, as shown in figure 1, including common non-
Credible performing environment (Rich execution environment, abbreviation REE) and credible performing environment (Trusted
Execution environment, abbreviation TEE), wherein including various common application CA (such as Taobao, capital in REE environment
East, wechat etc.), and normal operating system is run, such as Andriod, include various trusted application TA in TEE environment, and transport
Row function is simple, size of code is small, the trusted operating system of closing;When operate in the CA in REE need to perform some securities will
When asking higher order (such as running into the sensitive operations such as payment) it is necessary to from REE CA be switched to the corresponding TA of TEE complete it is corresponding
The information such as operation, the password of user, account is completed to input in the environment of TEE.
With the appearance of various client, TA value volume and range of product is also on the increase, but each TA can have it is specific
Some functions, below to TA numbering be distinguish between different TA, such as:TA1, TA2, TA3, TA4 ... wait multiple TA, TA1
Can have a function such as accounts information storage, cryptographic service, TA2 can with functions such as fingerprint recognition, iris recognitions, TA3,
TA4 etc. can have other functions, be also not necessarily limited to the above situation certainly, below it is exemplary with two TA (TA1, TA2)
Situation illustrates the method and its system of calling trusted application provided herein, with improve mutually call between trusted application,
The security of access.
Embodiment one
As shown in Figures 2 and 3, this application provides a kind of method for calling trusted application, comprise the following steps:
Step S301, trusted application one receives the access request of common application;
The common application CA run in REE initiates access request to the TA1 of trusted application one run in TEE, and TA1 connects
CA access request is received, the mark and authentication of the TA1 of trusted application one can be carried in common application CA access request
Information etc., the access request to trusted application two can also be carried.
On the basis of the above, it can also judge that specific deterministic process is such as to the access request legitimacy of common application
Shown in Fig. 4, comprise the following steps:
Step S401, basis is arranged at the access control right list of the trusted application one in credible performing environment,
Judge the legitimacy of the access request to the common application;
It can be specifically the access request for parsing common application CA, obtain the TA1 of trusted application one mark and authentication information,
Authentication information in common application CA access requests includes such as common application CA mark, accesses the term of validity, access privileges
The information such as mark;
Obtain the TA1's of trusted application one in access control right list according to the TA1 of trusted application one of acquisition mark
Accesses control list, TA1 accesses control list can be included for example:Whether TA1 mark, TA1 allow CA to access, allow to visit
Ask whether TA1 CA mark, TA1 allow other TA access etc.;
Judge that common application accesses according to the TA1 of trusted application one of acquisition accesses control list and the authentication information to ask
The legitimacy asked.
If step S402, judged result is legal, the TA1 of trusted application one allows common application CA to access, if judged result
Illegal, then the TA1 of trusted application one refuses common application CA access, accesses failure.
With continued reference to Fig. 3, in addition to:
Step S302, trusted application one judges to whether there is to trusted application two in the access request of the common application
Access request;
Trusted application TA1 allows common application CA access request, obtains common application CA access information, it is general to parse this
The logical access information using CA, the content of access information is obtained, judges to whether there is in the access request of the common application CA
To the TA2 of trusted application two access request.
Step S303, if there is the access request to trusted application two, then according to being arranged in credible performing environment
The access control right list of the trusted application two, judge the legitimacy of the access request to the trusted application two;
The TA2 of trusted application two mark and authentication letter can also be carried in the above-mentioned access request to the TA2 of trusted application two
Breath, above-mentioned list of access rights can include the accesses control list of the multiple trusted applications run in credible performing environment,
Such as:As shown in Fig. 2 access control right list waits the access control of multiple trusted applications to arrange including TA1, TA2, TA3 ...
Table, if the situation of a trusted application, the trusted application can be directly run in access control right list and accesses control
Information in list processed.
Such as:Need to judge the legitimacy to the TA2 access requests of trusted application two in the present embodiment, that is, need to TA2
Accesses control list judge whether access request legal, below by taking TA2 accesses control list as an example, simply introduce credible
The accesses control list of application, TA2 accesses control list can have with properties:1st, TA2 mark;2nd, whether TA2
TA is allowed to access;3rd, the mark for accessing TA2 TA is allowed;4th, whether TA2 allows CA to access;5th, the mark for accessing TA2 CA is allowed
Know;6th, whether support concurrently to access;7th, the term of validity is accessed, such as:Allow to access before fixed date;8th, access privileges etc.,
Above attribute is only exemplary, is also not necessarily limited to these attributes certainly, can set accesses control list according to actual conditions
Attribute.
The legitimacy of the access request to the TA2 of trusted application two is judged, specifically as shown in figure 5, including following sub-step
Suddenly:
Step S501, to the access request of the trusted application two, the mark and authentication for obtaining trusted application two are believed for parsing
Breath;The access request to accessing TA2 is parsed, obtains TA2 trusted application mark and authentication information.
Step S502, the trusted application two in access control right list is obtained according to the mark of the trusted application two of acquisition
Accesses control list;
Such as:Identified according to the default TA2 of rule set in advance accesses control list mark and TA2 trusted application,
Rule set in advance can be that the trusted application mark of TA2 accesses control list mark and TA2 is arranged into identical,
Can be different, as long as can ensure that TA2 accesses control list mark and TA2 trusted application mark are to correspond
, TA2 accesses control list can be obtained by TA2 trusted application mark, here with TA2 accesses control list
Introduced exemplified by mark is identical with TA2 trusted application mark.
The trusted application that accesses control list according to the default TA2 of rule set in advance is identified as 2, TA2 is identified as 2,
TA2 trusted application mark 2 is obtained, the accesses control list for calling access control right identified in list to be 2 is TA2 access
Control list.
Step S503, according to the accesses control list of the trusted application two of acquisition and the authentication information judge to it is described can
Letter applies the legitimacy of two access requests.
Such as:TA2 accesses control list is obtained, its attribute can be:1st, TA2 mark;2nd, whether TA2
TA is allowed to access;3rd, the mark for accessing TA2 TA is allowed;4th, whether TA2 allows CA access etc., and above-mentioned authentication information includes:TA1
Mark, the CA identification access term of validity, access privileges mark etc. information, according to above- mentioned information judge to access TA2 access
The legitimacy of request.
Please continue to refer to Fig. 3, if step S304, judged result is legal, the trusted application two is accessed.
If it is legal to the access request for accessing TA2 to judge in above-mentioned steps, TA2 allows to access, if judging to accessing TA2
Access request it is illegal, then TA2 does not allow to access, access failure.
On the basis of above-described embodiment, when accessing a trusted application simultaneously in order to avoid multiple trusted applications, occur
Situation that is disorder, causing access to fail occurs, and the authentication information includes access privileges and identified, the trusted application two
Accesses control list include access privileges mark order list, judge it is legal to the access request of trusted application two after also
Comprise the following steps, as shown in Figure 2 and Figure 6, introduced so that TA1 and TA3 accesses TA2 simultaneously as an example, be also not necessarily limited to this visit certainly
Ask form.
Step S601, access privileges mark and access privileges mark order list are compared;
The TA1 access privileges obtained in TA1 authentication informations identifies, and for example, 00, obtain the TA3 in TA3 authentication informations
Access privileges identifies, and 00 is preset in for example, 11, TA2 access privileges mark order list compared with 11 preferential access, by TA1
Access privileges mark, TA3 access privileges mark are respectively compared with TA2 access privileges mark order list.
Step S602, the priority of the access request to trusted application two is judged;
For example, TA1 access privileges is identified as the access privileges mark that 00, TA3 access privileges is identified as 11, TA2
00 is preset in order list compared with 11 preferential access, then is judged as that TA1 preferentially accesses TA2 compared with TA3.
Step S603, the access request of trusted application two will be added according to the priority of the access request to trusted application two
Enter queue queue.
TA1 access request is added before queue queue, TA3 access request is added behind queue queue.
From the foregoing, it will be observed that the method for calling trusted application provided herein is needed according to accesses control list determined property
The legitimacy of access request, and accesses control list attribute has multi-parameter, therefore just effectively raise between trusted application
The security mutually called, accessed, avoids and is illegally called.
Embodiment two
There is the functions such as accounts information storage, cryptographic service with TA1, there is TA2 the functions such as fingerprint recognition, iris recognition to be
The method that example specifically introduces indirect calling trusted application provided herein.
Because TA is the application that assistance CA completes some sensitive operations, specifically such as CA is REE sides Taobao, Jingdone district, wechat
Etc. client, TA1 is that the clients such as TEE sides Taobao, Jingdone district, wechat correspond to trusted application, therefore, clicks on CA clients and enters to keep accounts
Number log in and to be serviced with Password Input etc., that is, CA initiates to access TA1 request, can also by access control right list come
Judge that CA accesses the legitimacy of TA1 access requests, detailed process and the process one that access request legitimacy is judged in embodiment one
Cause, just do not repeating here, CA access TA1 access requests are legal, and TA1 receives the access request of CA initiations, then can be used
The operations such as family logs in, Password Input, if judged result is illegal, the access request of TA1 rejections CA initiations, CA logs in failure.
Here being logged in successfully with CA to introduce, after CA is logged in successfully, the CA in REE sides can complete in general operation, such as
Completion such as browses, selected at the operation, when need to complete to pay, transfer accounts etc. operate when, and the operation such as complete to pay, transfer accounts and also needing to
Such as the function not available for the TA1 such as fingerprint recognition, iris recognition, this just needs the TA2 with the function to assist to complete, example
Payment interface is such as clicked to enter, is that CA initiates to access TA1 request, the access request that CA is initiated at this includes:Visit to TA2
Request is asked, the TA1 that the access request i.e. CA to TA2 are sent then judges that CA accesses TA1 and accessed to TA2 visit order
It is legal to ask, and introduces judge legal situation below, judge that illegal is denied access, terminate flow.
Judge it is legal after, CA accesses TA1 successes, according to the access request to TA2, initiates to access TA2 request, judges
TA1 accesses the legitimacy to TA2 access requests, detailed process and the process one that access request legitimacy is judged in embodiment one
Cause, just do not repeating here, access request is legal, and TA2 allows to access, that is, completes the operation of fingerprint recognition during payment.
Embodiment three
Present invention also provides a kind of system 700 for calling trusted application, as shown in fig. 7, comprises:
Communication module 710, the access request of common application is received for trusted application one;
Communication module 710 is for receiving the common application CA run in REE to the trusted application one run in TEE
TA1 initiates access request, and TA1 receives CA access request, can carried in common application CA access request described credible
Using the mark of a TA1 and authentication information etc., the access request to trusted application two can also be carried.
Validity judgement can also be carried out to common application CA access request by judge module 720, specifically judged
Journey is consistent with the process that access request legitimacy is judged in embodiment one, is not just repeating here.
Judge module 720, judge to whether there is to credible in the access request of the common application for trusted application one
Using two access request;If there is the access request to trusted application two, then according to being arranged in credible performing environment
The access control right list of the trusted application two, judge the legitimacy of the access request to the trusted application two;Judge
Module 720 judges to whether there is in the access request of the common application to the access request of trusted application two and judged to described
The specific deterministic process of legitimacy of the access request of trusted application two and the process that access request legitimacy is judged in embodiment one
Unanimously, just do not repeating here.
Execution module 730, if judged result is legal, access the trusted application two.
If it is legal to the access request for accessing TA2 to judge in above-mentioned steps, TA2 allows to access, if judging to accessing TA2
Access request it is illegal, then TA2 does not allow to access, access failure.
Further, in addition to:Memory module 740, for storing access control right list, that is, storage accesses control
List processed.
Can be specifically storage access control right list, what storage access control right list included runs on credible
The accesses control list of multiple trusted applications in performing environment, such as:List of access rights is including TA1, TA2, TA3 ... etc.
The accesses control list of multiple trusted applications, can be in access control right list if the situation of a trusted application
The information in the trusted application accesses control list is directly run, the attribute of accesses control list is also stored in memory module 740
In.
Such as:Need to judge the legitimacy to TA2 access requests in the present embodiment, that is, need the access control to TA2
Whether list is legal to TA2 access request to judge, TA2 accesses control list can have with properties:1st, TA2 mark
Know;2nd, TA2 whether permission TA access;3rd, the mark for accessing TA2 TA is allowed;4th, whether TA2 allows CA to access;5th, allow to visit
Ask TA2 CA mark;6th, whether support concurrently to access;7th, the term of validity is accessed, such as:Allow to access before fixed date;8、
Access privileges etc., these attributes are stored in memory module 740.
Further, judge module 720, for parsing the access request to the trusted application two, trusted application is obtained
Two mark and authentication information;
The access control of trusted application two in access control right list is obtained according to the mark of the trusted application two of acquisition
List processed;
Such as:Identified according to the default TA2 of rule set in advance accesses control list mark and TA2 trusted application,
Rule set in advance can be that the trusted application mark of TA2 accesses control list mark and TA2 is arranged into identical,
Can be different, as long as can ensure that TA2 accesses control list mark and TA2 trusted application mark are to correspond
, TA2 accesses control list can be obtained by TA2 trusted application mark, here with TA2 accesses control list
Introduced exemplified by mark is identical with TA2 trusted application mark.According to the default TA2 of rule set in advance accesses control list mark
Know and be identified as 2 for 2, TA2 trusted application, obtain TA2 trusted application mark 2, call access control right identified in list
Accesses control list for 2 is TA2 accesses control list.
Judged according to the accesses control list of the trusted application two of acquisition and the authentication information to the trusted application two
The legitimacy of access request.
Such as:TA2 accesses control list is obtained, its attribute can be:1st, TA2 mark;2nd, whether TA2
TA is allowed to access;3rd, the mark for accessing TA2 TA is allowed;4th, whether TA2 allows CA access etc., and above-mentioned authentication information includes:TA1
Mark, the CA identification access term of validity, access privileges mark etc. information, according to above- mentioned information judge to access TA2 access
The legitimacy of request.Further, in addition to:Access request management module 750, judge module 720, for comparing authentication information
In access privileges mark and the access privileges mark order list in the accesses control list of trusted application two, judge pair
The priority of the access request of trusted application two;
Access request management module 750, will be to trusted application to the priority of the access request of trusted application two for basis
Two access request adds queue queue.
Introduced so that TA1 and TA3 accesses TA2 simultaneously as an example, be also not necessarily limited to this access stencil certainly.
Judge module 720, the TA1 access privileges obtained in TA1 authentication informations identify, and for example, 00, obtain TA3 authentications
TA3 access privileges mark in information, it is excellent compared with 11 to preset 00 in for example, 11, TA2 access privileges mark order list
First access, TA1 access privileges mark, TA3 access privileges are identified into the access privileges mark order list with TA2 respectively
It is compared.
TA1 access privileges is identified as the access privileges mark order row that 00, TA3 access privileges is identified as 11, TA2
00 is preset in table compared with 11 preferential access, then is judged as that TA1 preferentially accesses TA2 compared with TA3.
Access request management module 750, TA1 access request is added before queue queue, by TA3 access request
Add behind queue queue.
Example IV
Present invention also provides a kind of equipment for calling trusted application, including calling trusted application described above is
System.
It is obvious to a person skilled in the art that the invention is not restricted to the details of above-mentioned one exemplary embodiment, Er Qie
In the case of without departing substantially from spirit or essential attributes of the invention, the present invention can be realized in other specific forms.Therefore, no matter
From the point of view of which point, embodiment all should be regarded as exemplary, and be nonrestrictive, the scope of the present invention is by appended power
Profit requires rather than described above limits, it is intended that all in the implication and scope of the equivalency of claim by falling
Change is included in the present invention.Any reference in claim should not be considered as to the involved claim of limitation.
Moreover, it will be appreciated that although the present specification is described in terms of embodiments, not each embodiment is only wrapped
Containing an independent technical scheme, this narrating mode of specification is only that those skilled in the art should for clarity
Using specification as an entirety, the technical solutions in the various embodiments may also be suitably combined, forms those skilled in the art
It is appreciated that other embodiment.
Claims (10)
- A kind of 1. method for calling trusted application, it is characterised in that comprise the following steps:Trusted application one receives the access request of common application;Trusted application one judges to whether there is the access request to trusted application two in the access request of the common application;If there is the access request to trusted application two, then according to the trusted application two being arranged in credible performing environment Access control right list, judge the legitimacy of the access request to the trusted application two;If judged result is legal, the trusted application two is accessed.
- 2. the method according to claim 1 for calling trusted application, it is characterised in that trusted application one receives common application Access request after also comprise the following steps:According to the access control right list for the trusted application one being arranged in credible performing environment, judge to described common The legitimacy of the access request of application;If judged result is legal, trusted application one allows common application to access.
- 3. the method according to claim 1 for calling trusted application, it is characterised in that the access to trusted application two The mark and authentication information of the trusted application two are carried in request.
- 4. the method according to claim 3 for calling trusted application, it is characterised in that according to being arranged at credible performing environment In access control right list, judge to specifically include following sub-step to the legitimacy of the access request of trusted application two:The access request to the trusted application two is parsed, obtains the mark and authentication information of trusted application two;The access control that the trusted application two in access control right list is obtained according to the mark of the trusted application two of acquisition arranges Table;Judge to access the trusted application two according to the accesses control list of the trusted application two of acquisition and the authentication information The legitimacy of request.
- 5. the method according to claim 4 for calling trusted application, it is characterised in that it is excellent that the authentication information includes access First level mark, the accesses control list of the trusted application two include access privileges mark order list, judge to it is described can Letter also comprises the following steps after applying two access requests legal:Compare access privileges mark and access privileges mark order list;Judge the priority to the access request of trusted application two;Queue queue will be added to the access request of trusted application two according to the priority to the access request of trusted application two.
- A kind of 6. system for calling trusted application, it is characterised in that including:Communication module, the access request of common application is received for trusted application one;Judge module, judge to whether there is to trusted application two in the access request of the common application for trusted application one Access request;It is if there is the access request to trusted application two, then described credible in credible performing environment according to being arranged at Using two access control right list, the legitimacy of the access request to the trusted application two is judged;Execution module, if judged result is legal, access the trusted application two.
- 7. the system according to claim 6 for calling trusted application, it is characterised in that also include:Memory module, for storing access control right list.
- 8. the system according to claim 7 for calling trusted application, it is characterised in that wherein,Judge module obtains the visit of the trusted application two in access control right list according to the mark of the trusted application two of acquisition Ask control list;Judged according to the accesses control list of the trusted application two of acquisition and the authentication information to the trusted application The legitimacy of two access requests.
- 9. the system according to claim 8 for calling trusted application, it is characterised in that also include:Access request manages mould Block, wherein,Judge module, identified for comparing the access privileges in authentication information in the accesses control list with trusted application two Access privileges mark order list, judges the priority to the access request of trusted application two;Access request management module, for according to the priority of the access request of trusted application two by the access to trusted application two Request adds queue queue.
- 10. a kind of equipment for calling trusted application, it is characterised in that including the calling described in any one of the claims 6 to 9 The system of trusted application.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711101161.XA CN107888589A (en) | 2017-11-10 | 2017-11-10 | A kind of method and its system for calling trusted application |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711101161.XA CN107888589A (en) | 2017-11-10 | 2017-11-10 | A kind of method and its system for calling trusted application |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107888589A true CN107888589A (en) | 2018-04-06 |
Family
ID=61779687
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711101161.XA Pending CN107888589A (en) | 2017-11-10 | 2017-11-10 | A kind of method and its system for calling trusted application |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107888589A (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110365684A (en) * | 2019-07-17 | 2019-10-22 | 中国工商银行股份有限公司 | Access control method, device and the electronic equipment of application cluster |
WO2020034881A1 (en) * | 2018-08-17 | 2020-02-20 | 阿里巴巴集团控股有限公司 | Method and apparatus for activating trusted execution environment |
CN111506899A (en) * | 2020-04-15 | 2020-08-07 | 北京谦川科技有限公司 | Authority management method and authority management architecture of security system |
CN111787006A (en) * | 2020-06-30 | 2020-10-16 | 北京经纬恒润科技有限公司 | Access control method and system for security application |
CN112948824A (en) * | 2021-03-31 | 2021-06-11 | 支付宝(杭州)信息技术有限公司 | Program communication method, device and equipment based on privacy protection |
CN113411297A (en) * | 2021-05-07 | 2021-09-17 | 上海纽盾科技股份有限公司 | Situation awareness defense method and system based on attribute access control |
CN113645045A (en) * | 2021-10-13 | 2021-11-12 | 北京创米智汇物联科技有限公司 | Security control method, device and equipment in TEE and storage medium |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105930731A (en) * | 2015-12-21 | 2016-09-07 | ***股份有限公司 | Trusted application (TA) interactive method and apparatus |
CN106034120A (en) * | 2015-03-16 | 2016-10-19 | 阿里巴巴集团控股有限公司 | Method for multiple processes to access trusted application and system thereof |
CN107077565A (en) * | 2015-11-25 | 2017-08-18 | 华为技术有限公司 | The collocation method and equipment of a kind of safe configured information |
-
2017
- 2017-11-10 CN CN201711101161.XA patent/CN107888589A/en active Pending
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106034120A (en) * | 2015-03-16 | 2016-10-19 | 阿里巴巴集团控股有限公司 | Method for multiple processes to access trusted application and system thereof |
CN107077565A (en) * | 2015-11-25 | 2017-08-18 | 华为技术有限公司 | The collocation method and equipment of a kind of safe configured information |
CN105930731A (en) * | 2015-12-21 | 2016-09-07 | ***股份有限公司 | Trusted application (TA) interactive method and apparatus |
Non-Patent Citations (1)
Title |
---|
陈亚莎等: ""可信应用环境的安全性验证方法"", 《计算机工程》 * |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2020034881A1 (en) * | 2018-08-17 | 2020-02-20 | 阿里巴巴集团控股有限公司 | Method and apparatus for activating trusted execution environment |
CN110837643A (en) * | 2018-08-17 | 2020-02-25 | 阿里巴巴集团控股有限公司 | Activation method and device of trusted execution environment |
CN110837643B (en) * | 2018-08-17 | 2022-09-23 | 阿里巴巴集团控股有限公司 | Activation method and device of trusted execution environment |
CN110365684A (en) * | 2019-07-17 | 2019-10-22 | 中国工商银行股份有限公司 | Access control method, device and the electronic equipment of application cluster |
CN110365684B (en) * | 2019-07-17 | 2022-02-22 | 中国工商银行股份有限公司 | Access control method and device for application cluster and electronic equipment |
CN111506899A (en) * | 2020-04-15 | 2020-08-07 | 北京谦川科技有限公司 | Authority management method and authority management architecture of security system |
CN111506899B (en) * | 2020-04-15 | 2023-06-16 | 宁波谦川科技有限公司 | Rights management method and rights management architecture of security system |
CN111787006A (en) * | 2020-06-30 | 2020-10-16 | 北京经纬恒润科技有限公司 | Access control method and system for security application |
CN112948824A (en) * | 2021-03-31 | 2021-06-11 | 支付宝(杭州)信息技术有限公司 | Program communication method, device and equipment based on privacy protection |
CN112948824B (en) * | 2021-03-31 | 2022-04-26 | 支付宝(杭州)信息技术有限公司 | Program communication method, device and equipment based on privacy protection |
CN113411297A (en) * | 2021-05-07 | 2021-09-17 | 上海纽盾科技股份有限公司 | Situation awareness defense method and system based on attribute access control |
CN113645045A (en) * | 2021-10-13 | 2021-11-12 | 北京创米智汇物联科技有限公司 | Security control method, device and equipment in TEE and storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107888589A (en) | A kind of method and its system for calling trusted application | |
CN104025539B (en) | The method and apparatus for promoting single-sign-on services | |
CN103249045B (en) | A kind of methods, devices and systems of identification | |
CN103312796B (en) | For the login interface selection of computing environment User logs in | |
CN108200050A (en) | Single logging-on server, method and computer readable storage medium | |
US11212283B2 (en) | Method for authentication and authorization and authentication server using the same for providing user management mechanism required by multiple applications | |
CN103457738B (en) | Method and system for login processing based on browser | |
CN106341234B (en) | Authorization method and device | |
US20030018915A1 (en) | Method and system for user authentication and authorization of services | |
CN103813334A (en) | Right control method and right control device | |
CN104205721A (en) | A context-aware adaptive authentication method and apparatus | |
CN107864144A (en) | Obtain method and device, computer installation and the storage medium of dynamic password | |
US20130332727A1 (en) | Access token event virtualization | |
CN108830099A (en) | Call verification method, device, computer equipment and the storage medium of api interface | |
US8903360B2 (en) | Mobile device validation | |
US20090249430A1 (en) | Claim category handling | |
US7210163B2 (en) | Method and system for user authentication and authorization of services | |
AU2013370768B2 (en) | Method and apparatus for controlling invoking of hardware instruction | |
CN106169042A (en) | The method and device of administration authority | |
CN104469736B (en) | A kind of data processing method, server and terminal | |
CN105721425A (en) | Information processing method and electronic device | |
CN109977039A (en) | HD encryption method for storing cipher key, device, equipment and readable storage medium storing program for executing | |
CN107846676A (en) | Safety communicating method and system based on network section security architecture | |
CN104704502A (en) | Using trusted devices to augment location-based account protection | |
CN106339332B (en) | A kind of information processing method, device and terminal |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20180406 |