CN107888589A - Method and system for calling a trusted application - Google Patents

Publication number
CN107888589A
Authority
CN
China
Prior art keywords
trusted application
access
access request
application
trusted
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201711101161.XA
Other languages
Chinese (zh)
Inventor
张志华
陆道如
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hengbao Co Ltd
Original Assignee
Hengbao Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101: Access control lists [ACL]
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/50: Network services
    • H04L67/60: Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
    • H04L67/61: Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources taking into account QoS or priority requirements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

This application relates to the field of communication technology, and in particular to a method and system for calling a trusted application, comprising: trusted application one receives an access request from a common application; trusted application one determines whether the access request from the common application contains an access request to trusted application two; if it does, the legitimacy of the access request to trusted application two is determined according to the access control permission list of trusted application two set in the trusted execution environment; if the request is judged legitimate, trusted application two is accessed. The method and system provided by this application determine the legitimacy of an access request from the attributes of an access control list, and because those attributes comprise multiple parameters, the security of mutual calls and access between trusted applications is effectively improved and illegitimate calls are avoided.

Description

Method and system for calling a trusted application
Technical field
The present invention relates to the field of communication technology, and in particular to a method and system for calling a trusted application.
Background
With the continuing development of smart terminals and mobile network technology, the types and number of applications keep growing, and many of them, such as mobile payment and secure storage, have high security requirements. To protect the sensitive data in these applications, GlobalPlatform (GP) proposed the concept of the trusted execution environment (Trusted Execution Environment, TEE). Applications that run in the TEE are trusted applications (Trusted Apps, TA).
As TEEs are widely deployed and continue to develop, the types and number of TAs are also increasing, and it is increasingly common for several TAs to coexist and call one another. Relying only on the trusted execution environment that the TEE provides to secure access between TAs gives relatively low security. How to effectively secure mutual calls and access between trusted applications is therefore a problem that urgently needs solving.
Summary of the invention
This application provides a method and system for calling a trusted application, so as to improve the security of mutual calls and access between trusted applications.
To solve the above technical problem, this application provides the following technical solution:
A method for calling a trusted application, characterized in that it comprises the following steps:
Trusted application one receives an access request from a common application;
Trusted application one determines whether the access request from the common application contains an access request to trusted application two;
If there is an access request to trusted application two, the legitimacy of the access request to trusted application two is determined according to the access control permission list of trusted application two set in the trusted execution environment;
If the request is judged legitimate, trusted application two is accessed.
In the method for calling a trusted application described above, preferably, the following steps are also performed after trusted application one receives the access request from the common application:
The legitimacy of the access request from the common application is determined according to the access control permission list of trusted application one set in the trusted execution environment;
If the request is judged legitimate, trusted application one allows the common application to access it.
In the method for calling a trusted application described above, preferably, the access request to trusted application two carries the identifier and authentication information of trusted application two.
In the method for calling a trusted application described above, preferably, determining the legitimacy of the access request to trusted application two according to the access control permission list set in the trusted execution environment specifically comprises the following sub-steps:
Parsing the access request to trusted application two to obtain the identifier and authentication information of trusted application two;
Obtaining the access control list of trusted application two from the access control permission list according to the obtained identifier of trusted application two;
Determining the legitimacy of the access request to trusted application two according to the obtained access control list of trusted application two and the authentication information.
In the method for calling a trusted application described above, preferably, the authentication information includes an access priority identifier, the access control list of trusted application two includes an access priority identifier order list, and the following steps are also performed after the access request to trusted application two is judged legitimate:
Comparing the access priority identifier with the access priority identifier order list;
Determining the priority of the access request to trusted application two;
Adding the access request to trusted application two to a waiting queue according to the priority of that access request.
A system for calling a trusted application, comprising:
A communication module, used by trusted application one to receive an access request from a common application;
A judgment module, used by trusted application one to determine whether the access request from the common application contains an access request to trusted application two and, if it does, to determine the legitimacy of the access request to trusted application two according to the access control permission list of trusted application two set in the trusted execution environment;
An execution module, which accesses trusted application two if the request is judged legitimate.
In the system for calling a trusted application described above, preferably, the system further comprises:
A storage module, for storing the access control permission list.
In the system for calling a trusted application described above, preferably, the judgment module obtains the access control list of trusted application two from the access control permission list according to the obtained identifier of trusted application two, and determines the legitimacy of the access request to trusted application two according to the obtained access control list of trusted application two and the authentication information.
In the system for calling a trusted application described above, preferably, the system further comprises an access request management module, wherein:
The judgment module compares the access priority identifier in the authentication information with the access priority identifier order list in the access control list of trusted application two, and determines the priority of the access request to trusted application two;
The access request management module adds the access request to trusted application two to the waiting queue according to the priority of that access request.
A device for calling a trusted application, comprising the system for calling a trusted application described in any of the above.
Compared with the background art above, the method, system and device for calling a trusted application provided by this application determine the legitimacy of an access request from the attributes of an access control list, and because those attributes comprise multiple parameters, the security of mutual calls and access between trusted applications is effectively improved and illegitimate calls are avoided.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings needed to describe the embodiments or the prior art are briefly introduced below. The drawings described below are evidently only some of the embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them.
Fig. 1 is a conceptual diagram of a device on which an untrusted execution environment and a trusted execution environment are deployed;
Fig. 2 is a schematic diagram of calling a trusted application as provided in Embodiment one of this application;
Fig. 3 is a flowchart of the method for calling a trusted application provided in Embodiment one of this application;
Fig. 4 is a flowchart of determining the legitimacy of the common application's access request in the method for calling a trusted application provided in Embodiment one of this application;
Fig. 5 is a flowchart of determining the legitimacy of the access request to trusted application two in the method for calling a trusted application provided in Embodiment one of this application;
Fig. 6 is a flowchart of determining priority in the method for calling a trusted application provided in Embodiment one of this application;
Fig. 7 is a structural diagram of the system for calling a trusted application provided in Embodiment three of this application.
Detailed description
Embodiments of the present invention are described in detail below, and examples of the embodiments are shown in the drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements with the same or similar functions. The embodiments described below with reference to the drawings are exemplary, serve only to explain the present invention, and are not to be construed as limiting the claims.
Two runtime environments exist at the same time on the mobile device claimed in this application. As shown in Fig. 1, they are the common untrusted execution environment (Rich Execution Environment, REE) and the trusted execution environment (Trusted Execution Environment, TEE). The REE contains various common applications (CA), such as Taobao, JD.com and WeChat, and runs an ordinary operating system such as Android. The TEE contains various trusted applications (TA) and runs a closed trusted operating system with simple functionality and a small code base. When a CA running in the REE needs to carry out an operation with higher security requirements (for example a sensitive operation such as a payment), execution switches from the CA in the REE to the corresponding TA in the TEE to complete the operation, and information such as the user's password and account is entered within the TEE.
As various clients appear, the number and variety of TAs keep increasing, but each TA has its own particular functions. Below, TAs are numbered to tell them apart, for example TA1, TA2, TA3, TA4 and so on. TA1 may provide functions such as account information storage and cryptographic service, TA2 may provide functions such as fingerprint recognition and iris recognition, and TA3, TA4 and so on may provide other functions; the arrangement is of course not limited to this. The method and system for calling a trusted application provided by this application are illustrated below using the case of two TAs (TA1 and TA2), so as to improve the security of mutual calls and access between trusted applications.
Embodiment one
As shown in Figs. 2 and 3, this application provides a method for calling a trusted application, comprising the following steps:
Step S301: trusted application one receives an access request from a common application;
A common application CA running in the REE initiates an access request to trusted application one (TA1) running in the TEE, and TA1 receives the CA's access request. The CA's access request may carry the identifier and authentication information of TA1, and may also carry an access request to trusted application two.
On this basis, the legitimacy of the common application's access request can also be determined. The determination process, shown in Fig. 4, comprises the following steps:
Step S401: the legitimacy of the access request from the common application is determined according to the access control permission list of trusted application one set in the trusted execution environment;
Specifically, the CA's access request may be parsed to obtain the identifier of TA1 and the authentication information. The authentication information in the CA's access request includes information such as the CA's identifier, the access validity period and the access priority identifier;
The access control list of TA1 is obtained from the access control permission list according to the obtained identifier of TA1. TA1's access control list may include, for example: TA1's identifier, whether TA1 allows CA access, the identifiers of the CAs allowed to access TA1, whether TA1 allows access by other TAs, and so on;
The legitimacy of the common application's access request is determined according to the obtained access control list of TA1 and the authentication information.
Step S402: if the request is judged legitimate, TA1 allows the common application CA to access it; if the request is judged illegitimate, TA1 refuses the CA's access and the access fails.
Continuing with Fig. 3, the method further comprises:
Step S302: trusted application one determines whether the access request from the common application contains an access request to trusted application two;
TA1 allows the CA's access request, obtains the CA's access information, parses it to obtain its content, and determines whether the CA's access request contains an access request to trusted application two (TA2).
Step S303: if there is an access request to trusted application two, the legitimacy of the access request to trusted application two is determined according to the access control permission list of trusted application two set in the trusted execution environment;
The access request to TA2 may also carry the identifier and authentication information of TA2. The access control permission list may contain the access control lists of the multiple trusted applications running in the trusted execution environment. For example, as shown in Fig. 2, the access control permission list contains the access control lists of TA1, TA2, TA3 and so on. If there is only one trusted application, the information in that trusted application's access control list can be used directly in the access control permission list.
For example, this embodiment needs to determine the legitimacy of the access request to TA2, that is, TA2's access control list is needed to decide whether the access request is legitimate. Taking TA2's access control list as an example, the access control list of a trusted application is briefly introduced below. TA2's access control list may have the following attributes: 1. TA2's identifier; 2. whether TA2 allows TA access; 3. the identifiers of the TAs allowed to access TA2; 4. whether TA2 allows CA access; 5. the identifiers of the CAs allowed to access TA2; 6. whether concurrent access is supported; 7. the access validity period, for example access is allowed before a fixed date; 8. the access priority; and so on. These attributes are only examples and the list is not limited to them; the attributes of the access control list can be set according to the actual situation.
Determining the legitimacy of the access request to TA2, as shown in Fig. 5, comprises the following sub-steps:
Step S501: the access request to trusted application two is parsed to obtain the identifier and authentication information of trusted application two; that is, the request to access TA2 is parsed to obtain TA2's trusted application identifier and the authentication information.
Step S502: the access control list of trusted application two is obtained from the access control permission list according to the obtained identifier of trusted application two;
For example, TA2's access control list identifier and TA2's trusted application identifier are preset according to a predefined rule. The rule may set the two identifiers to be identical, or they may differ, as long as TA2's access control list identifier and TA2's trusted application identifier correspond one to one, so that TA2's access control list can be obtained from TA2's trusted application identifier. The case where the two identifiers are identical is used as the example here.
According to the predefined rule, TA2's access control list identifier is preset to 2 and TA2's trusted application identifier is 2. TA2's trusted application identifier 2 is obtained, and the access control list whose identifier in the access control permission list is 2 is retrieved; it is TA2's access control list.
Step S503: the legitimacy of the access request to trusted application two is determined according to the obtained access control list of trusted application two and the authentication information.
For example, TA2's access control list is obtained, and its attributes may be: 1. TA2's identifier; 2. whether TA2 allows TA access; 3. the identifiers of the TAs allowed to access TA2; 4. whether TA2 allows CA access; and so on. The authentication information includes information such as TA1's identifier, the CA's identifier, the access validity period and the access priority identifier. The legitimacy of the request to access TA2 is determined from this information.
Continuing with Fig. 3, step S304: if the request is judged legitimate, trusted application two is accessed.
If the request to access TA2 is judged legitimate in the steps above, TA2 allows the access; if it is judged illegitimate, TA2 does not allow the access and the access fails.
On the basis of the above embodiment, to avoid the disorder and resulting access failures that occur when multiple trusted applications access one trusted application at the same time, the authentication information includes an access priority identifier and the access control list of trusted application two includes an access priority identifier order list. After the access request to trusted application two is judged legitimate, the following steps are also performed, as shown in Figs. 2 and 6. The case where TA1 and TA3 access TA2 at the same time is used as the example; the method is of course not limited to this form of access.
Step S601: the access priority identifier is compared with the access priority identifier order list;
The TA1 access priority identifier in TA1's authentication information is obtained, for example 00, and the TA3 access priority identifier in TA3's authentication information is obtained, for example 11. TA2's access priority identifier order list presets that 00 is accessed in preference to 11. The TA1 and TA3 access priority identifiers are each compared with TA2's access priority identifier order list.
Step S602: the priority of the access request to trusted application two is determined;
For example, TA1's access priority identifier is 00, TA3's access priority identifier is 11, and TA2's access priority identifier order list presets that 00 is accessed in preference to 11, so TA1 is judged to access TA2 in preference to TA3.
Step S603: the access request to trusted application two is added to the waiting queue according to the priority of that access request.
TA1's access request is added at the front of the waiting queue, and TA3's access request is added at the back of the waiting queue.
As can be seen from the above, the method for calling a trusted application provided by this application determines the legitimacy of an access request from the attributes of an access control list, and because those attributes comprise multiple parameters, the security of mutual calls and access between trusted applications is effectively improved and illegitimate calls are avoided.
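The legitimacy check of steps S501 to S503 and the priority queueing of steps S601 to S603, as an added C example that is not code from the patent. The struct layout, result codes, function names, the encodings 0x00 and 0x11 of the tags "00" and "11", and all sample identifiers and times are assumptions made for illustration; the caller identifiers are assumed to have been established by the TEE rather than chosen by the requester.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define MAX_IDS   4
#define MAX_QUEUE 8

/* ACL entry with the attributes the description lists for TA2
 * (attribute 6, concurrent access, is left out of this sketch). */
struct ta_acl {
    uint32_t ta_id;                /* 1: identifier of the protected TA     */
    int      allow_ta;             /* 2: may other TAs call it?             */
    uint32_t allowed_ta[MAX_IDS];  /* 3: TAs allowed to call it             */
    int      allow_ca;             /* 4: may a CA-originated call reach it? */
    uint32_t allowed_ca[MAX_IDS];  /* 5: CAs allowed to reach it            */
    int64_t  valid_until;          /* 7: access is allowed before this time */
    uint8_t  prio_order[MAX_IDS];  /* 8: priority tags, highest first       */
    size_t   n_ta, n_ca, n_prio;   /* used lengths of the three arrays      */
};

/* Authentication information carried with a request. Assumption: the TEE has
 * already established caller_ta and origin_ca; the caller cannot choose them. */
struct ta_request { uint32_t target_ta, caller_ta, origin_ca; uint8_t prio_tag; };

enum acl_result { ACL_OK, ACL_NO_ENTRY, ACL_TA_DENIED, ACL_CA_DENIED,
                  ACL_EXPIRED, ACL_BAD_PRIORITY, ACL_QUEUE_FULL };
struct wait_queue { struct ta_request slot[MAX_QUEUE]; size_t len; }; /* one per target TA */

static int id_in(const uint32_t *ids, size_t n, uint32_t id) {
    for (size_t i = 0; i < n; i++)
        if (ids[i] == id) return 1;
    return 0;
}

/* Position of a tag in the target's priority order list, or -1 if unknown. */
static int prio_rank(const struct ta_acl *acl, uint8_t tag) {
    for (size_t i = 0; i < acl->n_prio; i++)
        if (acl->prio_order[i] == tag) return (int)i;
    return -1;
}

/* S502: fetch the target's ACL from the access control permission list. */
static const struct ta_acl *acl_lookup(const struct ta_acl *tbl, size_t n, uint32_t id) {
    for (size_t i = 0; i < n; i++)
        if (tbl[i].ta_id == id) return &tbl[i];
    return NULL;
}

/* S503: deny by default; every attribute has to pass. */
enum acl_result acl_check(const struct ta_acl *tbl, size_t n,
                          const struct ta_request *rq, int64_t now) {
    const struct ta_acl *acl = acl_lookup(tbl, n, rq->target_ta);
    if (!acl) return ACL_NO_ENTRY;
    if (!acl->allow_ta || !id_in(acl->allowed_ta, acl->n_ta, rq->caller_ta))
        return ACL_TA_DENIED;
    if (!acl->allow_ca || !id_in(acl->allowed_ca, acl->n_ca, rq->origin_ca))
        return ACL_CA_DENIED;
    if (now >= acl->valid_until) return ACL_EXPIRED;
    return prio_rank(acl, rq->prio_tag) < 0 ? ACL_BAD_PRIORITY : ACL_OK;
}

/* S601-S603: queue a legitimate request by rank, FIFO among equal ranks. */
enum acl_result submit(const struct ta_acl *tbl, size_t n, struct wait_queue *q,
                       const struct ta_request *rq, int64_t now) {
    enum acl_result r = acl_check(tbl, n, rq, now);
    if (r != ACL_OK) return r;
    if (q->len == MAX_QUEUE) return ACL_QUEUE_FULL;
    const struct ta_acl *acl = acl_lookup(tbl, n, rq->target_ta);
    int rank = prio_rank(acl, rq->prio_tag);
    size_t pos = q->len++;
    for (; pos > 0 && prio_rank(acl, q->slot[pos - 1].prio_tag) > rank; pos--)
        q->slot[pos] = q->slot[pos - 1];   /* shift lower-priority entries back */
    q->slot[pos] = *rq;
    return ACL_OK;
}

/* Constructed sample data: TA2 may be called by TA1 and TA3 on behalf of
 * CA 100 until time 2000; tag 0x00 is served before tag 0x11. */
static const struct ta_acl ACL_TABLE[] = {{
    .ta_id = 2, .allow_ta = 1, .allowed_ta = {1, 3}, .n_ta = 2,
    .allow_ca = 1, .allowed_ca = {100}, .n_ca = 1,
    .valid_until = 2000, .prio_order = {0x00, 0x11}, .n_prio = 2 }};
static const struct ta_request REQ_TA1 = { 2, 1, 100, 0x00 };
static const struct ta_request REQ_TA3 = { 2, 3, 100, 0x11 };
static const struct ta_request REQ_TA4 = { 2, 4, 100, 0x00 }; /* TA4 is not listed */

/* TA3 arrives first, TA1 second; returns the caller now at the head. */
uint32_t demo_head_of_queue(void) {
    struct wait_queue q = { .len = 0 };
    submit(ACL_TABLE, 1, &q, &REQ_TA3, 1000);
    submit(ACL_TABLE, 1, &q, &REQ_TA1, 1000);
    return q.slot[0].caller_ta;
}

int main(void) {
    printf("head of queue: TA%u\n", (unsigned)demo_head_of_queue());
    printf("TA4 -> TA2 result: %d\n", (int)acl_check(ACL_TABLE, 1, &REQ_TA4, 1000));
    return 0;
}
```

The check refuses a request when the target has no ACL entry or when the priority tag is absent from the order list, so an unknown tag cannot be queued ahead of listed callers.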
Embodiment two
Taking as an example the case where TA1 has functions such as account information storage and cryptographic service and TA2 has functions such as fingerprint recognition and iris recognition, the method for indirectly calling a trusted application provided by this application is described in detail.
A TA is an application that assists a CA in completing certain sensitive operations. For example, the CA is a client such as Taobao, JD.com or WeChat on the REE side, and TA1 is the trusted application on the TEE side that corresponds to the Taobao, JD.com or WeChat client. Tapping into the CA client to use services such as account login and password entry therefore means that the CA initiates a request to access TA1. The legitimacy of the CA's request to access TA1 can also be determined through the access control permission list; the process is the same as the legitimacy determination in Embodiment one and is not repeated here. If the CA's request to access TA1 is legitimate, TA1 accepts the access request initiated by the CA, and operations such as user login and password entry can then be performed. If the request is judged illegitimate, TA1 rejects the access request initiated by the CA and the CA login fails.
The case where the CA logs in successfully is described here. After login succeeds, the CA on the REE side can complete general operations such as browsing and selecting. When an operation such as a payment or transfer has to be completed, that operation also needs functions that TA1 does not have, such as fingerprint recognition or iris recognition, so TA2, which has those functions, is needed to assist. For example, tapping into the payment screen means the CA initiates a request to access TA1, and the access request initiated by the CA this time includes an access request to TA2, that is, the command the CA sends to TA1 to access TA2. It is then determined whether the CA's access to TA1 is legitimate. The case where it is judged legitimate is described below; if it is judged illegitimate, access is denied and the flow ends.
After the request is judged legitimate, the CA's access to TA1 succeeds. According to the access request to TA2, TA1 initiates a request to access TA2, and the legitimacy of TA1's access request to TA2 is determined. The process is the same as the legitimacy determination in Embodiment one and is not repeated here. If the access request is legitimate, TA2 allows the access, which completes the fingerprint recognition operation during payment.
Embodiment three
This application also provides a system 700 for calling a trusted application which, as shown in Fig. 7, comprises:
A communication module 710, used by trusted application one to receive an access request from a common application;
The communication module 710 receives the access request that a common application CA running in the REE initiates to trusted application one (TA1) running in the TEE; TA1 receives the CA's access request. The CA's access request may carry the identifier and authentication information of TA1, and may also carry an access request to trusted application two.
The judgment module 720 can also determine the legitimacy of the CA's access request; the determination process is the same as the legitimacy determination in Embodiment one and is not repeated here.
A judgment module 720, used by trusted application one to determine whether the access request from the common application contains an access request to trusted application two and, if it does, to determine the legitimacy of the access request to trusted application two according to the access control permission list of trusted application two set in the trusted execution environment. The way the judgment module 720 determines whether the access request from the common application contains an access request to trusted application two, and the way it determines the legitimacy of the access request to trusted application two, are the same as the legitimacy determination in Embodiment one and are not repeated here.
An execution module 730, which accesses trusted application two if the request is judged legitimate.
If the request to access TA2 is judged legitimate in the steps above, TA2 allows the access; if it is judged illegitimate, TA2 does not allow the access and the access fails.
Further, the system also comprises a storage module 740 for storing the access control permission list, that is, for storing the access control lists.
Specifically, the access control permission list is stored, and it contains the access control lists of the multiple trusted applications running in the trusted execution environment. For example, the access control permission list contains the access control lists of TA1, TA2, TA3 and so on. If there is only one trusted application, the information in that trusted application's access control list can be used directly in the access control permission list. The attributes of the access control lists are also stored in the storage module 740.
For example, this embodiment needs to determine the legitimacy of the access request to TA2, that is, TA2's access control list is needed to decide whether the access request to TA2 is legitimate. TA2's access control list may have the following attributes: 1. TA2's identifier; 2. whether TA2 allows TA access; 3. the identifiers of the TAs allowed to access TA2; 4. whether TA2 allows CA access; 5. the identifiers of the CAs allowed to access TA2; 6. whether concurrent access is supported; 7. the access validity period, for example access is allowed before a fixed date; 8. the access priority; and so on. These attributes are stored in the storage module 740.
Further, the judging module 720 is configured to parse the access request to trusted application two and obtain the identifier and authentication information of trusted application two;
to obtain the access control list of trusted application two from the access control right list according to the obtained identifier of trusted application two;
For example: the identifier of TA2's access control list and the trusted application identifier of TA2 are preset according to a rule set in advance. The rule may set the two identifiers to be identical or different, as long as the identifier of TA2's access control list and the trusted application identifier of TA2 correspond one to one, so that TA2's access control list can be obtained from TA2's trusted application identifier. The case where the two identifiers are identical is used here as the example. According to the rule set in advance, the identifier of TA2's access control list is 2 and the trusted application identifier of TA2 is 2. Once TA2's trusted application identifier 2 has been obtained, the access control list whose identifier is 2 in the access control right list is retrieved as TA2's access control list.
and to judge the legitimacy of the access request to trusted application two according to the obtained access control list of trusted application two and the authentication information.
For example: TA2's access control list is obtained. Its attributes may be: 1. the identifier of TA2; 2. whether TA2 allows access by a TA; 3. the identifiers of the TAs allowed to access TA2; 4. whether TA2 allows access by a CA, and so on. The authentication information includes the identifier of TA1, the CA identifier, the access validity period, the access priority identifier and other information. The legitimacy of the access request to TA2 is judged according to the above information.
Further, the system also includes an access request management module 750. The judging module 720 is configured to compare the access priority identifier in the authentication information with the access priority identifier order list in the access control list of trusted application two, and to judge the priority of the access request to trusted application two;
The access request management module 750 is configured to add the access request to trusted application two to the waiting queue according to the priority of that access request.
The case where TA1 and TA3 access TA2 at the same time is used as the example; the access form is of course not limited to this.
The judging module 720 obtains the TA1 access priority identifier from TA1's authentication information, for example 00, and the TA3 access priority identifier from TA3's authentication information, for example 11. TA2's access priority identifier order list presets that 00 has priority of access over 11. The TA1 access priority identifier and the TA3 access priority identifier are each compared with TA2's access priority identifier order list.
The TA1 access priority identifier is 00 and the TA3 access priority identifier is 11, and TA2's access priority identifier order list presets that 00 has priority of access over 11, so it is judged that TA1 accesses TA2 with priority over TA3.
The access request management module 750 adds TA1's access request to the front of the waiting queue and TA3's access request to the back of the waiting queue.
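The lookup, legitimacy check and priority queueing described above, written out in C as an added illustration that is not part of the patent text. The struct layout, the function names, the fail-closed treatment of an unknown priority identifier and the omission of the validity-period check are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Field names are assumptions modelled on the ACL attributes listed above. */
struct acl {
    int ta_id;                                /* 1. identifier of the protected TA */
    int allow_ta;                             /* 2. may other TAs access it? */
    int allowed[4]; size_t n_allowed;         /* 3. TAs allowed to access it */
    int allow_ca;                             /* 4. may a CA access it? */
    const char *prio_order[4]; size_t n_prio; /* priority identifiers, best first */
};
struct request { int target; int caller_ta; const char *prio; };
/* Constructed right list: TA2 admits TA1 and TA3 and ranks "00" ahead of "11". */
static const struct acl ACL_TABLE[] = { { 2, 1, {1, 3}, 2, 0, {"00", "11"}, 2 } };

/* The ACL identifier equals the TA identifier, as in the description's example. */
const struct acl *acl_lookup(int ta_id) {
    for (size_t i = 0; i < sizeof ACL_TABLE / sizeof ACL_TABLE[0]; i++)
        if (ACL_TABLE[i].ta_id == ta_id) return &ACL_TABLE[i];
    return NULL;
}

/* Position of the request's identifier in the target's order list, -1 if unknown. */
int prio_rank(const struct request *r) {
    const struct acl *a = acl_lookup(r->target);
    for (size_t i = 0; a && r->prio && i < a->n_prio; i++)
        if (strcmp(a->prio_order[i], r->prio) == 0) return (int)i;
    return -1;
}

/* Fail closed: no ACL, TA access disabled, unknown priority, or caller not listed. */
int request_is_legal(const struct request *r) {
    const struct acl *a = acl_lookup(r->target);
    if (!a || !a->allow_ta || prio_rank(r) < 0) return 0;
    for (size_t i = 0; i < a->n_allowed; i++)
        if (a->allowed[i] == r->caller_ta) return 1;
    return 0;
}

/* Queue a legal request behind entries of equal or better rank; returns the new
   length, which is unchanged when the request is rejected or the queue is full. */
size_t enqueue(struct request *q, size_t n, size_t cap, struct request r) {
    if (n >= cap || !request_is_legal(&r)) return n;
    size_t pos = n;
    for (; pos > 0 && prio_rank(&q[pos - 1]) > prio_rank(&r); pos--)
        q[pos] = q[pos - 1];
    q[pos] = r;
    return n + 1;
}
```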
Example IV
The present application also provides a device for calling a trusted application, which includes the system for calling a trusted application described above.
It is obvious to a person skilled in the art that the invention is not limited to the details of the above exemplary embodiments, and that the invention can be realized in other specific forms without departing from its spirit or essential attributes. The embodiments should therefore be regarded in every respect as exemplary and non-restrictive. The scope of the invention is defined by the appended claims rather than by the above description, and all changes that fall within the meaning and scope of equivalency of the claims are intended to be included in the invention. Any reference sign in the claims should not be regarded as limiting the claim concerned.
Moreover, it should be understood that although this specification is described in terms of embodiments, not every embodiment contains only one independent technical solution. The specification is written this way only for the sake of clarity. Those skilled in the art should take the specification as a whole, and the technical solutions in the various embodiments may also be suitably combined to form other embodiments that those skilled in the art can understand.

Claims (10)

  1. A method for calling a trusted application, characterized by comprising the following steps:
    trusted application one receives an access request from a common application;
    trusted application one judges whether the access request of the common application contains an access request to trusted application two;
    if there is an access request to trusted application two, the legitimacy of the access request to trusted application two is judged according to the access control right list of trusted application two set in the trusted execution environment;
    if the judgment result is legal, trusted application two is accessed.
  2. The method for calling a trusted application according to claim 1, characterized in that, after trusted application one receives the access request of the common application, the method further comprises the following steps:
    judging the legitimacy of the access request of the common application according to the access control right list of trusted application one set in the trusted execution environment;
    if the judgment result is legal, trusted application one allows the common application to access it.
  3. The method for calling a trusted application according to claim 1, characterized in that the access request to trusted application two carries the identifier and authentication information of trusted application two.
  4. The method for calling a trusted application according to claim 3, characterized in that judging the legitimacy of the access request to trusted application two according to the access control right list set in the trusted execution environment specifically comprises the following sub-steps:
    parsing the access request to trusted application two to obtain the identifier and authentication information of trusted application two;
    obtaining the access control list of trusted application two from the access control right list according to the obtained identifier of trusted application two;
    judging the legitimacy of the access request to trusted application two according to the obtained access control list of trusted application two and the authentication information.
  5. The method for calling a trusted application according to claim 4, characterized in that the authentication information includes an access priority identifier, the access control list of trusted application two includes an access priority identifier order list, and the method further comprises the following steps after the access request to trusted application two is judged to be legal:
    comparing the access priority identifier with the access priority identifier order list;
    judging the priority of the access request to trusted application two;
    adding the access request to trusted application two to the waiting queue according to the priority of the access request to trusted application two.
  6. A system for calling a trusted application, characterized by comprising:
    a communication module, used by trusted application one to receive an access request from a common application;
    a judging module, used by trusted application one to judge whether the access request of the common application contains an access request to trusted application two, and, if there is an access request to trusted application two, to judge the legitimacy of the access request to trusted application two according to the access control right list of trusted application two set in the trusted execution environment;
    an execution module, which accesses trusted application two if the judgment result is legal.
  7. The system for calling a trusted application according to claim 6, characterized by further comprising:
    a memory module, used to store the access control right list.
  8. The system for calling a trusted application according to claim 7, characterized in that:
    the judging module obtains the access control list of trusted application two from the access control right list according to the obtained identifier of trusted application two, and judges the legitimacy of the access request to trusted application two according to the obtained access control list of trusted application two and the authentication information.
  9. The system for calling a trusted application according to claim 8, characterized by further comprising an access request management module, wherein:
    the judging module is used to compare the access priority identifier in the authentication information with the access priority identifier order list in the access control list of trusted application two, and to judge the priority of the access request to trusted application two;
    the access request management module is used to add the access request to trusted application two to the waiting queue according to the priority of the access request to trusted application two.
  10. A device for calling a trusted application, characterized by comprising the system for calling a trusted application according to any one of claims 6 to 9.
CN201711101161.XA 2017-11-10 2017-11-10 A kind of method and its system for calling trusted application Pending CN107888589A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711101161.XA CN107888589A (en) 2017-11-10 2017-11-10 A kind of method and its system for calling trusted application

Publications (1)

Publication Number Publication Date
CN107888589A true CN107888589A (en) 2018-04-06

Family

ID=61779687

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711101161.XA Pending CN107888589A (en) 2017-11-10 2017-11-10 A kind of method and its system for calling trusted application

Country Status (1)

Country Link
CN (1) CN107888589A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180406