CN112149134A - Trusted application management method and device - Google Patents


Info

Publication number: CN112149134A
Application number: CN202010955075.0A
Authority: CN (China)
Prior art keywords: tee, application, operation request, information, terminal
Legal status: Pending (as estimated by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 昌文婷
Current assignee: Alipay Hangzhou Information Technology Co Ltd (as listed by Google Patents)
Original assignee: Alipay Hangzhou Information Technology Co Ltd
Application filed by Alipay Hangzhou Information Technology Co Ltd
Priority to CN202010955075.0A
Publication of CN112149134A

Classifications

    • G PHYSICS
        • G06 COMPUTING; CALCULATING OR COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
                        • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
                        • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
                            • G06F21/53 Monitoring during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
                    • G06F21/60 Protecting data
                        • G06F21/602 Providing cryptographic facilities or services
                • G06F8/00 Arrangements for software engineering
                    • G06F8/60 Software deployment
                        • G06F8/65 Updates
    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/04 Network security for providing a confidential data exchange among entities communicating through data packet networks
                        • H04L63/0428 Confidential data exchange wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                • H04L67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L67/34 Network arrangements or protocols involving the movement of software or configuration parameters

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

Embodiments of this specification provide a trusted application management method and device. Both the TEE terminal and the service provider can monitor an application client's need to install or update a trusted application and initiate the trusted-application management flow with the TEE manager. The TEE manager then performs device state synchronization with the TEE terminal and acquires encrypted application information, obtained by encrypting the trusted application based on a first key generated by the TEE manager. Finally, the encrypted application information is sent to the TEE terminal, which completes the installation or update.

Description

Trusted application management method and device
Technical Field
One or more embodiments of the present disclosure relate to the field of computers, and more particularly, to a trusted application management method and apparatus.
Background
With the development of computer technology, the security of users' private information receives more and more attention. For this reason, Trusted Applications (TAs) have been proposed to handle user data with high security requirements. For example, a trusted application may be a fingerprint authentication application or a face-recognition authentication application used to verify the identity of a user. To meet the high security and confidentiality requirements of trusted applications, the trusted application must run in a Trusted Execution Environment (TEE).
A trusted execution environment (TEE) is a computing module or computing device with a certain isolation capability that guarantees computing security: the isolation ensures that the outside world, including the operating system or drivers, cannot obtain secrets such as the contents of its internal runtime memory. For example, with the SGX technique, a private memory area with elevated access requirements can be created in memory to form a computation enclave (Enclave). Other programs, including the operating system (OS), the BIOS, a virtual machine system and so on, cannot access data inside the enclave and therefore cannot snoop on or tamper with the state and data of the applications running in it.
For ordinary applications, the provider of the TEE terminal offers the terminal's user a channel for installing and updating applications, for example in the form of an application store. For a trusted application, because it must run in the trusted execution environment, the TEE terminal provider may set up a dedicated TEE manager that manages the TEE in the TEE terminal and implements installation or update of the trusted application by interacting with the service provider of the trusted application.
Because of the security requirements of trusted applications, existing installation or update procedures are often complex. An improved scheme is therefore desirable, so that installing or updating a trusted application becomes more efficient and the user experience improves.
Disclosure of Invention
One or more embodiments of this specification describe a trusted application management method and apparatus by which both a TEE terminal and a service provider can monitor an application client's need to install or update a trusted application and initiate the trusted-application management flow with the TEE manager. The TEE manager then acquires encrypted application information, obtained by encrypting the trusted application based on a first key generated by the TEE manager, and sends it to the TEE terminal, which completes the installation or update. Repeated transmission is thereby reduced, the load on the service provider is lowered, transmission efficiency is improved, and installation or update therefore becomes more efficient.
According to a first aspect, there is provided a trusted application management method, performed by a trusted execution environment (TEE) manager, comprising:
receiving, from a requester, a first operation request for requesting installation or update of a first trusted application in a TEE terminal, wherein the requester comprises the TEE terminal or a service provider corresponding to the first trusted application, and the first operation request is generated by the requester by monitoring an application client's need to install or update the first trusted application;
performing device state synchronization with the TEE terminal so as to send a first key to the TEE terminal;
acquiring first encrypted application information obtained by encrypting the first trusted application based on the first key;
attaching the first encrypted application information to the first operation request to generate a second operation request;
sending the second operation request to the TEE terminal, so that the TEE terminal installs or updates the first trusted application based on the first key and the second operation request.
In one embodiment, acquiring the first encrypted application information obtained by encrypting the first trusted application based on the first key comprises:
sending the first key to the service provider, so that the service provider encrypts the first trusted application based on the first key to obtain the first encrypted application information;
receiving the first encrypted application information from the service provider.
In one embodiment, acquiring the first encrypted application information obtained by encrypting the first trusted application based on the first key comprises:
acquiring first encrypted application information stored in advance.
In one embodiment, before acquiring the pre-stored first encrypted application information, the method comprises:
receiving the first trusted application from the service provider in advance;
encrypting the first trusted application with the first key to obtain the first encrypted application information;
storing the first encrypted application information.
In one embodiment, before acquiring the pre-stored first encrypted application information, the method comprises:
receiving the first encrypted application information from the service provider in advance, and storing it.
According to a second aspect, there is provided a trusted application management method, performed by a trusted execution environment (TEE) manager, comprising:
receiving, from a requester, a first operation request for requesting installation or update of a first trusted application in a plurality of TEE terminals, wherein the requester comprises the plurality of TEE terminals or a service provider corresponding to the first trusted application;
performing device state synchronization with each of the TEE terminals respectively, acquiring device information of each TEE terminal, and sending a first key to each TEE terminal;
sending a first message to the service provider, wherein the first message comprises the device information of each TEE terminal, so that the service provider determines corresponding application installation information based on the device information of each TEE terminal;
receiving a second message sent by the service provider, wherein the second message comprises the application installation information corresponding to each TEE terminal;
determining, based on the application installation information corresponding to each TEE terminal, first encrypted application information corresponding to each TEE terminal from a plurality of pieces of encrypted application information stored in advance, wherein the first encrypted application information is obtained by encrypting the first trusted application based on the first key;
attaching the first encrypted application information corresponding to each TEE terminal to the corresponding first operation request, generating a second operation request corresponding to each TEE terminal;
sending the second operation request corresponding to each TEE terminal to that TEE terminal, so that the TEE terminal installs or updates the first trusted application based on the first key and the second operation request.
In one embodiment, the application installation information includes version information and file size information of the first trusted application.
In one embodiment, the first message comprises a first session identifier created for the plurality of TEE terminals, and the second message includes the first session identifier.
In one embodiment, sending the second operation request corresponding to each TEE terminal to that TEE terminal includes:
determining a target TEE terminal group based on the application installation information corresponding to each TEE terminal, wherein the target TEE terminal group consists of the TEE terminals whose application installation information is the same;
sending a merging operation request to the service provider, wherein the merging operation request comprises the first session identifier, the first encrypted application information corresponding to that same application installation information, and information of the target TEE terminal group, so that the service provider sends the corresponding second operation request to each TEE terminal in the target TEE terminal group according to the merging operation request.
In one embodiment, performing device state synchronization with the plurality of TEE terminals respectively includes:
performing device state synchronization with the plurality of TEE terminals directly, or through the service provider and/or the application client.
In one embodiment, the first operation request is generated by the service provider by monitoring the need of the application clients on the plurality of TEE terminals to install or update the first trusted application; or
the first operation request is generated on the TEE terminal by monitoring the application client's need to install or update the first trusted application, and is sent to the service provider.
According to a third aspect, there is provided a trusted application management method, performed by a service provider, comprising:
monitoring an application client's need to install or update a first trusted application, and generating a first operation request, wherein the first operation request is used to request installation of the first trusted application in the TEE terminal corresponding to the application client;
sending the first operation request to a trusted execution environment (TEE) manager;
receiving a first key sent by the TEE manager;
encrypting the first trusted application based at least on the first key to obtain first encrypted application information;
sending the first encrypted application information to the TEE manager, so that the TEE manager sends the first encrypted application information to the TEE terminal.
According to a fourth aspect, there is provided a trusted application management method, performed by a service provider, comprising:
monitoring the need of application clients on a plurality of TEE terminals to install or update a first trusted application, and generating a first operation request, wherein the first operation request is used to request installation of the first trusted application in the plurality of TEE terminals;
sending the first operation request to a trusted execution environment (TEE) manager;
receiving a first message sent by the TEE manager, wherein the first message comprises device information of each TEE terminal;
determining corresponding application installation information based on the device information of each TEE terminal;
sending a second message to the TEE manager, wherein the second message comprises the application installation information corresponding to each TEE terminal, so that the TEE manager determines, based on the application installation information corresponding to each TEE terminal, first encrypted application information corresponding to each TEE terminal from a plurality of pieces of encrypted application information stored in advance, the first encrypted application information being obtained by encrypting the first trusted application based on a first key.
In one embodiment, the application installation information includes version information and file size information of the first trusted application.
In one embodiment, the first message comprises a first session identifier created for the plurality of TEE terminals, and the second message includes the first session identifier.
In one embodiment, the method further comprises:
receiving a merging operation request sent by the TEE manager, wherein the merging operation request comprises the first session identifier, the first encrypted application information corresponding to the same application installation information, and information of a target TEE terminal group, and the target TEE terminal group consists of the TEE terminals whose application installation information is the same;
sending, according to the merging operation request, a corresponding second operation request to each TEE terminal in the target TEE terminal group, so that each TEE terminal installs or updates the first trusted application based on the first key and the second operation request, wherein the second operation request is generated by the TEE manager attaching the first encrypted application information corresponding to each TEE terminal to the corresponding first operation request.
According to a fifth aspect, there is provided a trusted application management method, performed by a trusted execution environment (TEE) terminal, comprising:
in response to a synchronization request from a TEE manager, performing device state synchronization with the TEE manager and receiving a first key sent by the TEE manager;
receiving a second operation request sent by the TEE manager, wherein the second operation request is generated by the TEE manager attaching first encrypted application information corresponding to the TEE terminal to a corresponding first operation request, the first encrypted application information is obtained by encrypting a first trusted application based on the first key, and the first operation request is used to request installation or update of the first trusted application in the TEE terminal;
installing or updating the first trusted application based on the first key and the second operation request.
In one embodiment, before responding to the synchronization request from the TEE manager, the method comprises:
monitoring an application client's need to install or update the first trusted application, and generating the first operation request;
sending the first operation request to the TEE manager, so that the TEE manager performs device state synchronization with the TEE terminal and/or obtains the first encrypted application information.
In one embodiment, the device state synchronization with the TEE manager includes:
sending the device information of the TEE terminal to the TEE manager.
According to a sixth aspect, there is provided a trusted application management apparatus, deployed on a trusted execution environment (TEE) manager, comprising:
a first operation request receiving unit, configured to receive, from a requester, a first operation request for requesting installation or update of a first trusted application in a TEE terminal, where the requester includes the TEE terminal or a service provider corresponding to the first trusted application, and the first operation request is generated by the requester by monitoring an application client's need to install or update the first trusted application;
a synchronization unit, configured to perform device state synchronization with the TEE terminal and thereby send a first key to it;
an encrypted application information acquisition unit, configured to acquire first encrypted application information obtained by encrypting the first trusted application based on the first key;
a second operation request generation unit, configured to attach the first encrypted application information to the first operation request, generating a second operation request;
a second operation request sending unit, configured to send the second operation request to the TEE terminal, so that the TEE terminal installs or updates the first trusted application based on the first key and the second operation request.
According to a seventh aspect, there is provided a trusted application management apparatus, deployed on a trusted execution environment (TEE) manager, comprising:
a first operation request receiving unit, configured to receive, from a requester, a first operation request for requesting installation or update of a first trusted application in a plurality of TEE terminals, the requester including the plurality of TEE terminals or a service provider corresponding to the first trusted application;
a synchronization unit, configured to perform device state synchronization with each of the TEE terminals respectively, acquire device information of each TEE terminal, and send a first key to each TEE terminal;
a first message sending unit, configured to send a first message to the service provider, the first message including the device information of each TEE terminal, so that the service provider determines corresponding application installation information based on the device information of each TEE terminal;
a second message receiving unit, configured to receive a second message sent by the service provider, where the second message includes the application installation information corresponding to each TEE terminal;
an encrypted application information determining unit, configured to determine, based on the application installation information corresponding to each TEE terminal, first encrypted application information corresponding to each TEE terminal from a plurality of pieces of encrypted application information stored in advance, the first encrypted application information being obtained by encrypting the first trusted application based on the first key;
a second operation request generation unit, configured to attach the first encrypted application information corresponding to each TEE terminal to the corresponding first operation request, generating a second operation request corresponding to each TEE terminal;
a second operation request sending unit, configured to send the second operation request corresponding to each TEE terminal to that TEE terminal, so that the TEE terminal installs or updates the first trusted application based on the first key and the second operation request.
According to an eighth aspect, there is provided a trusted application management apparatus, deployed at a service provider, comprising:
a monitoring unit, configured to monitor an application client's need to install or update a first trusted application and generate a first operation request, where the first operation request is used to request installation of the first trusted application in the TEE terminal corresponding to the application client;
a first operation request sending unit, configured to send the first operation request to a trusted execution environment (TEE) manager;
a key receiving unit, configured to receive a first key sent by the TEE manager;
an encryption unit, configured to encrypt the first trusted application based at least on the first key to obtain first encrypted application information;
an encrypted application information sending unit, configured to send the first encrypted application information to the TEE manager, so that the TEE manager sends the first encrypted application information to the TEE terminal.
According to a ninth aspect, there is provided a trusted application management apparatus, deployed at a service provider, comprising:
a monitoring unit, configured to monitor the need of application clients on a plurality of TEE terminals to install or update a first trusted application and generate a first operation request, where the first operation request is used to request installation of the first trusted application in the plurality of TEE terminals;
a first operation request sending unit, configured to send the first operation request to a trusted execution environment (TEE) manager;
a message receiving unit, configured to receive a first message sent by the TEE manager, where the first message includes device information of each TEE terminal;
a determining unit, configured to determine corresponding application installation information based on the device information of each TEE terminal;
a second message sending unit, configured to send a second message to the TEE manager, where the second message includes the application installation information corresponding to each TEE terminal, so that the TEE manager determines, based on the application installation information corresponding to each TEE terminal, first encrypted application information corresponding to each TEE terminal from a plurality of pieces of encrypted application information stored in advance, where the first encrypted application information is obtained by encrypting the first trusted application based on a first key.
According to a tenth aspect, there is provided a trusted application management apparatus, deployed in a trusted execution environment (TEE) terminal, comprising:
a response unit, configured to respond to a synchronization request from a TEE manager by performing device state synchronization with the TEE manager and receiving a first key sent by the TEE manager;
a second operation request receiving unit, configured to receive a second operation request sent by the TEE manager, where the second operation request is generated by the TEE manager attaching first encrypted application information corresponding to the TEE terminal to a corresponding first operation request, the first encrypted application information is obtained by encrypting a first trusted application based on the first key, and the first operation request is used to request installation or update of the first trusted application in the TEE terminal;
an installation or update unit, configured to install or update the first trusted application based on the first key and the second operation request.
According to an eleventh aspect, there is provided a computer readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method of the first to fifth aspects.
According to a twelfth aspect, there is provided a computing device comprising a memory having stored therein executable code and a processor that, when executing the executable code, implements the methods of the first to fifth aspects.
By the method and apparatus provided by the embodiments of this specification, in the process of installing or updating a trusted application, both the TEE terminal and the service provider can monitor an application client's need to install or update the trusted application and initiate the trusted-application management flow with the TEE manager. The TEE manager then acquires encrypted application information, obtained by encrypting the trusted application based on a first key generated by the TEE manager, and sends it to the TEE terminal, which completes the installation or update. Repeated transmission is thereby reduced, the load on the service provider is lowered, transmission efficiency is improved, and installation or update therefore becomes more efficient.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings needed for describing the embodiments are briefly introduced below. The drawings described below show only some embodiments, and those skilled in the art can derive other drawings from them without creative effort.
FIG. 1 illustrates a schematic diagram of an implementation scenario of an embodiment disclosed herein;
FIG. 2 illustrates a trusted application management method according to one embodiment;
FIG. 3 illustrates a data structure of encrypted application information according to one embodiment;
FIG. 4 illustrates a data structure of encrypted application information according to another embodiment;
FIG. 5 illustrates a data structure of an operation request according to one embodiment;
FIG. 6 illustrates a trusted application management method according to another embodiment;
FIG. 7 illustrates a trusted application management method according to yet another embodiment;
FIG. 8 illustrates a trusted application management method according to yet another embodiment;
FIG. 9 illustrates a schematic diagram of a TEE manager sending a message to a service provider according to one embodiment;
FIG. 10 illustrates a schematic diagram of a service provider sending a message to a TEE manager according to one embodiment;
FIG. 11 shows a schematic block diagram of a trusted application management apparatus according to one embodiment;
FIG. 12 shows a schematic block diagram of a trusted application management apparatus according to one embodiment;
FIG. 13 shows a schematic block diagram of a trusted application management apparatus according to one embodiment;
FIG. 14 shows a schematic block diagram of a trusted application management apparatus according to one embodiment;
FIG. 15 shows a schematic block diagram of a trusted application management device according to one embodiment.
Detailed Description
The scheme provided by the specification is described below with reference to the accompanying drawings.
It should be understood that the terms "first" and "second" herein are used merely for descriptive clarity and to distinguish similar concepts, and are not otherwise limiting.
FIG. 1 is a schematic view of an implementation scenario of an embodiment disclosed in this specification. In the scenario of FIG. 1, a TEE (trusted execution environment) is configured in a user terminal, and an application client that needs to use a trusted application is installed on that terminal. The user terminal may be an electronic device such as a mobile phone or a tablet computer; the TEE provides a secure execution environment for authorized trusted applications (e.g., a fingerprint authentication application or a face recognition application); and the application client is a client that needs to use those trusted applications. Hereinafter, a user terminal in which a TEE is deployed is referred to as a TEE terminal. Both the TEE terminal and the service provider can monitor the application client's need to install or update a trusted application and initiate the trusted application management flow with the TEE manager. The TEE manager then performs device state synchronization with the TEE terminal and obtains encrypted application information, produced by encrypting the trusted application under a first key generated by the TEE manager. Finally, the encrypted application information is sent to the TEE terminal, which completes the installation or update.
Specifically, the TEE terminal and/or the service provider monitors the application client's need to install or update a trusted application, generates a first operation request, and sends it to the TEE manager; the first operation request asks that a first trusted application be installed (or updated) in the TEE terminal corresponding to the application client. The TEE manager then performs device state synchronization with the TEE terminal and delivers the first key it generated to the TEE terminal. Next, the TEE manager obtains encrypted application information, produced by encrypting the first trusted application under the first key; this information may be received from the service provider at request time or may have been stored in advance by the TEE manager. The TEE manager then appends the encrypted application information to the first operation request and sends the result to the TEE terminal. Finally, the TEE terminal decrypts the encrypted application information with the first key to recover the first trusted application and installs or updates it. The individual steps are described below.
FIG. 2 illustrates a trusted application management method, according to one embodiment. As shown in fig. 2, the method involves at least a TEE manager, a service provider, and a TEE terminal.
The TEE manager is deployed by the TEE terminal provider. It detects requests generated by the TEE terminal and/or the service provider to install or update trusted applications, and checks whether the TEE terminal has an environment in which a trusted application can be installed or updated, for example whether a security domain for the service provider exists in the user terminal; trusted applications are installed or updated inside that security domain.
The service provider, i.e. the provider of trusted applications, supplies the files of the trusted applications that are available for installation or update. The service provider may generate a request to install or update a trusted application when it observes that an application client needs that trusted application. The application client may be a client that provides security-sensitive services such as payment and identity authentication, for example the Alipay client.
The TEE terminal may include a TEE agent, or a security domain requested for a service provider in the user terminal. The TEE terminal may generate a request to install or update a trusted application when it observes that an application client needs the trusted application installed or updated.
Next, specific steps of the trusted application management method shown in fig. 2 are described.
First, in step S101, the application client sends its need to install or update a trusted application to the TEE terminal. In this embodiment, the TEE terminal listens for the application client's need to install or update a first trusted application.
This listening can be done in several ways. For example, the TEE terminal may detect that the user has entered an install or update instruction for, say, a fingerprint identification application through the application client on the user terminal; the user may enter such an instruction through the client of the related application, for instance by tapping "enable fingerprint authentication" in the Alipay client.
In another example, the TEE terminal may listen for a need raised by the application client itself. When an application client needs to call a function of a trusted application, it may, with the user's authorization, generate a corresponding need and report it to the TEE terminal, so that the TEE terminal learns that the application client needs the trusted application. Likewise, when the application client detects that an installed trusted application needs to be updated, it may report that need to the TEE terminal.
Next, in step S102, once the TEE terminal has detected the application client's need to install or update the first trusted application, it generates a first operation request. The first operation request asks that the first trusted application be installed or updated in the TEE terminal.
Next, in step S104, the TEE terminal sends the first operation request to the TEE manager.
In one example, the TEE terminal sends the first operation request to the TEE manager through the application client associated with the trusted application (e.g., the Alipay client). In another example, the TEE terminal sends the first operation request to the TEE manager directly through its operating system.
In step S106, the TEE manager receives the first operation request and performs device state synchronization with the TEE terminal. In general, on receiving an operation request from a TEE terminal, the TEE manager responds by synchronizing device state with that terminal, checking whether the terminal has an environment in which a trusted application can be installed or updated, and sending the first key to the terminal. Optionally, the TEE manager may synchronize with the TEE terminal directly, which keeps load off the service provider; it may also synchronize through the service provider and/or the application client.
In one example, each time the TEE manager receives a first operation request, it generates a fresh dynamic symmetric key (the first key) for that request.
Next, in step S108, the TEE manager sends the first key to the service provider corresponding to the first trusted application.
In step S110, the service provider encrypts the first trusted application under the first key to obtain first encrypted application information.
In one example, as shown in FIG. 3, the service provider encrypts the first trusted application directly with the first key to obtain the encrypted application information.
In another example, as shown in FIG. 4, the service provider generates an application key (called a "private key" in this specification, although it is a symmetric key), encrypts the first trusted application with that key to obtain first encrypted data, then encrypts the application key with the first key to obtain second encrypted data; the first encrypted data and the second encrypted data together constitute the first encrypted application information. In other words, the first key acts as a key-encrypting key that wraps the application key. The specification lists DES, 3DES, IDEA, RC5 and RC6 as symmetric algorithms that may be used with the application key, and the same class of algorithm may be used with the first key. Of those, DES and 3DES are deprecated and should not be chosen for new deployments; an authenticated mode of AES (such as AES-GCM) is the usual choice, since it also lets the TEE terminal detect a modified ciphertext before installing it.
In yet another example, the service provider encrypts the first trusted application with the application key in advance and stores the resulting first encrypted data. The application key is the key assigned to the first trusted application among the several trusted applications the service provider offers, or the key assigned to the current version of the first trusted application; that is, the same trusted application, or the same version of it, is always encrypted in advance under the same key, so the application is not encrypted again for every request and installation or update is faster. At request time, only the application key is encrypted with the per-request first key to obtain the second encrypted data. Finally, the first encrypted data and the second encrypted data together constitute the encrypted application information.
In step S112, the service provider sends the first encrypted application information to the TEE manager.
Next, in step S114, the TEE manager appends the first encrypted application information to the first operation request to generate a second operation request, which can be understood as the request that actually installs or updates the trusted application. Optionally, the TEE manager signs the second operation request so that its content cannot be tampered with in transit. Specifically, as shown in FIG. 5, the TEE manager attaches the first encrypted application information to the operation request and signs the operation request.
In addition, the TEE manager may attach its own identity information to the second operation request, so that the service provider and/or the TEE terminal can identify the source of the request, which improves operational security.
Next, in step S116, the TEE manager sends the second operation request to the TEE terminal.
In step S118, the TEE terminal installs or updates the first trusted application based on the first key and the second operation request. In general, the TEE terminal decrypts the first encrypted application information in the second operation request with the first key to obtain the first trusted application, and then installs or updates it.
After the first trusted application has been installed or updated successfully, the TEE terminal may report the success to the TEE manager, the service provider, and/or the application client, so that they learn of it.
Before it decrypts the first encrypted application information in the second operation request with the first key, the TEE terminal can verify the TEE manager's signature, the identity information of the service provider, and so on; rejecting a request whose signature does not verify before any decryption or installation takes place improves operational security.
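The following Go program is an added example, not code from the patent or from Alipay, showing the FIG. 2 flow end to end in the FIG. 4 form: the service provider seals the trusted application under an application key and wraps that key under the TEE manager's per-request first key (step S110); the TEE manager appends the result and its identity to the request and signs it (step S114); the TEE terminal verifies the identity and signature before unwrapping and decrypting (step S118). The specification names no algorithms, message fields or key sizes, so AES-256-GCM, Ed25519, 32-byte keys, the JSON field names and the sample application image are assumptions made here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// EncryptedAppInfo is the FIG. 4 layout: the application sealed under an application
// key (first encrypted data) and that key wrapped under the first key (second encrypted data).
type EncryptedAppInfo struct {
	EncryptedApp  []byte `json:"encrypted_app"`
	WrappedAppKey []byte `json:"wrapped_app_key"`
}

// SecondOperationRequest is the FIG. 5 layout: the operation request with the encrypted
// application information and the manager identity appended, then signed. Field names are assumed.
type SecondOperationRequest struct {
	TerminalID string           `json:"terminal_id"`
	Operation  string           `json:"operation"` // "install" or "update"
	ManagerID  string           `json:"manager_id"`
	Info       EncryptedAppInfo `json:"info"`
	Signature  []byte           `json:"signature,omitempty"`
}

// NewKey returns a fresh 256-bit symmetric key. The TEE manager's per-request first key
// (S106) and the provider's application key are both made this way (AES-256-GCM is assumed).
func NewKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err) // CSPRNG failure is fatal
	}
	return k
}

// NewManagerKeys creates the TEE manager's signing key pair; Ed25519 is an assumption.
func NewManagerKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// mustGCM builds AES-GCM; every key in this program is 32 bytes, so it cannot fail.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// gcmSeal returns nonce || ciphertext || tag.
func gcmSeal(key, plaintext []byte) []byte {
	gcm := mustGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// gcmOpen reverses gcmSeal and fails on any modification of the ciphertext or tag.
func gcmOpen(key, data []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(data) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

// ServiceProviderEncrypt is S110 in its FIG. 4 form: the specification's "private key"
// is the symmetric application key, and the first key only wraps it.
func ServiceProviderEncrypt(firstKey, trustedApp []byte) EncryptedAppInfo {
	appKey := NewKey()
	return EncryptedAppInfo{
		EncryptedApp:  gcmSeal(appKey, trustedApp),
		WrappedAppKey: gcmSeal(firstKey, appKey),
	}
}

// signingBytes covers every field except the signature itself, so a change to the
// operation, the target terminal, the manager identity or the payload is detected.
func signingBytes(req SecondOperationRequest) []byte {
	req.Signature = nil
	b, _ := json.Marshal(req) // strings and byte slices always marshal
	return b
}

// ManagerSign is S114: the TEE manager signs the assembled second operation request.
func ManagerSign(priv ed25519.PrivateKey, req *SecondOperationRequest) {
	req.Signature = ed25519.Sign(priv, signingBytes(*req))
}

// TerminalInstall is S118: the terminal checks the manager identity and the signature
// before touching any ciphertext, unwraps the application key with the first key it
// received during device state synchronization, and only then decrypts the application.
func TerminalInstall(pub ed25519.PublicKey, manager string, firstKey []byte, req SecondOperationRequest) ([]byte, error) {
	if req.ManagerID != manager {
		return nil, fmt.Errorf("request from unexpected manager %q", req.ManagerID)
	}
	if !ed25519.Verify(pub, signingBytes(req), req.Signature) {
		return nil, fmt.Errorf("invalid TEE manager signature")
	}
	appKey, err := gcmOpen(firstKey, req.Info.WrappedAppKey)
	if err != nil {
		return nil, fmt.Errorf("unwrap application key: %w", err)
	}
	return gcmOpen(appKey, req.Info.EncryptedApp)
}

func main() {
	pub, priv := NewManagerKeys()
	firstKey := NewKey() // delivered to the terminal during device state synchronization
	req := SecondOperationRequest{TerminalID: "tee-terminal-1", Operation: "install", ManagerID: "tee-manager",
		Info: ServiceProviderEncrypt(firstKey, []byte("constructed trusted application image"))}
	ManagerSign(priv, &req)
	app, err := TerminalInstall(pub, "tee-manager", firstKey, req)
	fmt.Printf("installed %q (err=%v)\n", app, err)
}
```

The manager's public key is what a terminal must hold in advance (provisioned out of band); with it, a tampered Operation or ManagerID field, a wrong first key, or a modified ciphertext each make TerminalInstall return an error without releasing any plaintext. Using an authenticated cipher for both layers is what lets the terminal tell "wrong first key" from "corrupted application" while installing neither.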
FIG. 6 illustrates a trusted application management method according to another embodiment. The following describes specific steps of the trusted application management method shown in fig. 6.
First, in step S201, the application client sends its need to install or update a trusted application to the service provider. In this embodiment, the service provider listens for the application client's need to install or update the first trusted application.
For example, when an application client needs to call a function of a trusted application, it may, with the user's authorization, generate a corresponding need and report it to the service provider of that trusted application, so that the service provider learns of the need. Likewise, when the application client detects that an installed trusted application needs to be updated, it may report that need to the service provider.
Next, in step S202, once the service provider has detected the application client's need to install or update the first trusted application, it generates a first operation request. The first operation request asks that the first trusted application be installed or updated in the TEE terminal.
Next, in step S204, the service provider issues a first operation request to the TEE manager.
The following steps can refer to the above steps S106 to S118, and are not described herein again.
FIG. 7 illustrates a trusted application management method according to yet another embodiment. The following describes specific steps of the trusted application management method shown in fig. 7.
First, in step S101, the application client may send its installation or update requirements for the trusted application to the TEE terminal.
Next, in step S102, the TEE terminal monitors a requirement of the application client for installing or updating the first trusted application, and generates a first operation request. The first operation request is for requesting installation or updating of a first trusted application in the TEE terminal.
Next, in step S104, the TEE terminal issues a first operation request to the TEE manager.
In step S106, the TEE manager receives the first operation request, performs device state synchronization with the TEE terminal, and sends the first key to it.
In step S302, the TEE manager obtains first encrypted application information that it stored in advance, produced by encrypting the first trusted application under the first key. Storing the encrypted application information in advance avoids transmitting it repeatedly between the TEE manager and the service provider during installation or update, which reduces the load on the service provider, improves transmission efficiency, and so speeds up installation or update.
In one example, the TEE manager sends, in advance, a request for the first trusted application to the service provider of that application, receives the first trusted application from the service provider, encrypts it with the first key it generated to obtain the first encrypted application information, and stores the result.
In another example, the TEE manager sends, in advance, a request for the first encrypted application information to the service provider, receives the first encrypted application information from the service provider, and stores it. In this case the first encrypted application information was produced by the service provider encrypting the first trusted application under a first key obtained from the TEE manager. Note that a key used to pre-encrypt the stored application cannot also be fresh for every later request; the FIG. 4 layout avoids this tension, since the pre-encrypted application stays as stored and only the wrapped application key is recomputed under the per-request first key.
Next, in step S114, the TEE manager attaches the first encrypted application information to the first operation request, and generates a second operation request. In addition, the TEE manager can also attach the identity information of the TEE manager to the second operation request, so that the service provider and/or the TEE terminal can clearly identify the source of the second operation request, and the operation safety is improved.
Next, in step S116, the TEE manager sends a second operation request to the TEE terminal.
In step S118, the TEE terminal installs or updates the first trusted application based on the first key and the second operation request.
It should be understood that steps S102 to S104 of this method may also be performed by the service provider corresponding to the first trusted application, as described with reference to FIG. 6; this is not repeated here.
FIG. 8 illustrates a trusted application management method according to yet another embodiment. The following describes specific steps of the trusted application management method shown in fig. 8.
First, in step S401, the application clients on multiple TEE terminals send their needs to install or update a trusted application to the service provider. In one example, the application client on each TEE terminal sends an update need to the service provider when it detects that an installed trusted application needs to be updated. In another example, when the application client on a TEE terminal needs to call a function of a trusted application that is not yet installed on that terminal, it sends an installation need to the service provider.
Next, in step S402, the service provider detects the needs of the application clients on the multiple TEE terminals to install or update the first trusted application, and generates a first operation request. The first operation request asks that the first trusted application be installed in the multiple TEE terminals.
In step S404, the service provider sends the first operation request to the TEE manager.
In one embodiment, the service provider generates a separate first operation request from the need of each TEE terminal and sends them to the TEE manager one by one. In another embodiment, the service provider combines the needs of the multiple TEE terminals into a single first operation request, containing the request information of all of them, and sends that single request to the TEE manager.
Next, in step S406, the TEE manager receives the first operation request and performs device state synchronization with each of the TEE terminals. In general, in response to the request the TEE manager synchronizes device state with each terminal in order to send it the first key, to check whether it has an environment in which a trusted application can be installed or updated, and to obtain its device information. The device information of a TEE terminal may include an identifier of the terminal such as a device ID or device model, a hash of that identifier, the version number of the terminal's operating system, an identifier of the TEE inside the terminal, and so on.
Optionally, the TEE manager may directly perform device state synchronization with multiple TEE terminals to reduce the load of the service provider; device state synchronization may also be performed with multiple TEE terminals through the service provider and/or application client.
In one example, each time the TEE manager receives a first operation request, it generates a fresh dynamic symmetric key (the first key) for that request. Note that in this batch embodiment a key generated per operation request is shared by every TEE terminal covered by that request, so the device state synchronization step, which delivers the key, is what must bind the key to each individual terminal.
At step S408, the TEE manager sends a first message to the service provider. The first message includes device information of the respective TEE terminals.
In one example, the first message carries a first session identifier created for the multiple TEE terminals, and the TEE manager sends the device information of each TEE terminal to the service provider within the session window that this identifier denotes. In other words, as shown in FIG. 9, the TEE manager sends the device information of all the terminals to the service provider in one session, identified by a single session ID, so that the multiple user terminals share one information flow; this reduces repeated transmission, improves transmission efficiency, and lowers latency.
Next, in step S410, the service provider determines the application installation information corresponding to each TEE terminal from that terminal's device information. The application installation information may include the version, file size, and so on of the first trusted application. In general, the service provider looks up a mapping table from device information to application installation information and determines the version and file size of the trusted application build that fits the terminal. For example, if the build of the trusted application for iOS 9 is V1 and the build for iOS 10 is V2, then a TEE terminal whose operating system is iOS 9 is assigned version V1.
In step S412, the service provider sends a second message to the TEE manager. The second message includes application installation information corresponding to each TEE terminal.
In one example, the second message comprises the aforementioned first session identification created for a plurality of TEE terminals. The service provider can use the session window corresponding to the first session identification to send the application installation information corresponding to each TEE terminal to the TEE manager. In other words, as shown in fig. 10, the service provider sends the application installation information of each TEE terminal to the TEE manager using the current session indicated by one session ID, so that multiple user terminals can share the information flow, thereby reducing repeated transmission, improving transmission efficiency, and reducing time delay.
Next, in step S414, the TEE manager selects, from the several encrypted application information items it has stored in advance, the first encrypted application information corresponding to each TEE terminal, using that terminal's application installation information; the first encrypted application information was produced by encrypting the first trusted application under the first key. In general, after receiving the application installation information for each terminal, the TEE manager searches its stored items by the information they carry about the trusted application, such as the version number, and thereby determines the first encrypted application information for each terminal.
The procedure for storing the encrypted application information in advance is as described above and is not repeated here. Storing it in advance avoids transmitting the encrypted application information repeatedly between the TEE manager and the service provider during installation or update, which reduces the load on the service provider, improves transmission efficiency, and so speeds up installation or update.
In step S416, the TEE manager attaches the first encrypted application information corresponding to each TEE terminal to the corresponding first operation request, and generates a second operation request corresponding to each TEE terminal.
In step S418, the TEE manager determines a target TEE terminal group based on the application installation information corresponding to each TEE terminal. The target TEE terminal group is composed of TEE terminals corresponding to the same application installation information. Generally, a TEE manager may filter out the same application installation information from a plurality of application installation information; then, the TEE terminals corresponding to the same application installation information are divided into a group, so that a target terminal group is formed. For example, when the version numbers of the trusted applications required by the TEE terminals 1, 2 are the same, the TEE terminal 1 and the TEE terminal 2 may be grouped together.
In step S420, the TEE manager sends a merge operation request to the service provider. The merge operation request contains the first session identifier, the first encrypted application information shared by the terminals with the same application installation information, and the description of the target TEE terminal group. Because all the TEE terminals in one group correspond to the same application installation information, the common first encrypted application information is delivered to them through one merge operation request, which reduces repeated transmission, improves transmission efficiency, and lowers latency.
Next, in step S422, the service provider sends the corresponding second operation request to each TEE terminal in the target TEE terminal group according to the merge operation request.
In another embodiment, steps S418 to S422 are replaced by the TEE manager sending each TEE terminal its corresponding second operation request directly.
Next, in step S424, the TEE terminal installs or updates the first trusted application based on the first key and the second operation request. Generally, the TEE terminal may decrypt the first encrypted application information in the second operation request by using the first key to obtain the first trusted application; thereafter, the first trusted application may be installed or updated.
In addition, after the first trusted application is successfully installed or updated, the TEE terminal may feed back information of successful installation or update to the TEE manager, the service provider, and/or the application client, so that the TEE manager, the service provider, and/or the application client learn the information of successful installation or update.
It can be understood that, when the TEE terminal decrypts the first encrypted application information in the second operation request by using the first key, the signature of the TEE manager, the identification information of the service provider, and the like can be verified, so as to improve the operation security.
It should be understood that steps S402-S404 in the trusted application management method may also be executed by a plurality of TEE terminals, and for the execution process of the TEE terminals, see the description above for details, which is not repeated herein.
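The batch flow of FIG. 8 (steps S406 to S420) is shown below as an added Go example that is not part of the patent: device information gathered during synchronization is mapped to a trusted application build (the service provider's table lookup of step S410), each build is matched to the encrypted application information the TEE manager pre-stored (step S414), and terminals needing the same build are grouped into one merge operation request (steps S418 and S420). The catalog, the device entries and the payload references are constructed sample data; modelling the operating-system version as a major-version integer, the rule that the newest build whose minimum OS the terminal satisfies is chosen, and the choice to fail the whole batch when a terminal is unsupported or a build has no stored payload are all assumptions of this example.

```go
package main

import (
	"fmt"
	"sort"
)

// DeviceInfo is what device state synchronization (S406) yields for one terminal.
// Keeping the OS version as a major-version integer is a simplification (assumption).
type DeviceInfo struct {
	TerminalID string
	Model      string
	OSMajor    int
}

// AppInstallInfo is the per-terminal content of the second message (S410, S412).
type AppInstallInfo struct {
	Version  string
	FileSize int
}

// CatalogEntry is one row of the service provider's mapping table: the lowest OS
// version a trusted application build supports. Constructed for this example.
type CatalogEntry struct {
	MinOSMajor int
	Install    AppInstallInfo
}

// MergeOperationRequest is the S420 message: the session identifier, one reference to
// the pre-stored encrypted application information, and the terminal group sharing it.
type MergeOperationRequest struct {
	SessionID   string
	Install     AppInstallInfo
	PayloadRef  string
	TerminalIDs []string
}

// SelectInstallInfo is S410: the newest build whose minimum OS the terminal satisfies.
func SelectInstallInfo(catalog []CatalogEntry, d DeviceInfo) (AppInstallInfo, error) {
	best := -1
	for i, e := range catalog {
		if d.OSMajor >= e.MinOSMajor && (best < 0 || e.MinOSMajor > catalog[best].MinOSMajor) {
			best = i
		}
	}
	if best < 0 {
		return AppInstallInfo{}, fmt.Errorf("terminal %s: OS %d below every supported version", d.TerminalID, d.OSMajor)
	}
	return catalog[best].Install, nil
}

// BuildMergeRequests runs S410, S414 and S418 for every terminal in a session: select
// a build, look up its pre-stored encrypted payload (stored maps version -> payload
// reference), and group terminals needing the same build so each payload is sent once.
// An unsupported terminal or a build with no stored payload aborts the batch rather
// than being silently skipped, so no terminal is left without a decision.
func BuildMergeRequests(sessionID string, catalog []CatalogEntry, stored map[string]string, devices []DeviceInfo) ([]MergeOperationRequest, error) {
	groups := map[string]*MergeOperationRequest{}
	for _, d := range devices {
		info, err := SelectInstallInfo(catalog, d)
		if err != nil {
			return nil, err
		}
		ref, ok := stored[info.Version]
		if !ok {
			return nil, fmt.Errorf("no pre-stored encrypted application information for version %s", info.Version)
		}
		g, ok := groups[info.Version]
		if !ok {
			g = &MergeOperationRequest{SessionID: sessionID, Install: info, PayloadRef: ref}
			groups[info.Version] = g
		}
		g.TerminalIDs = append(g.TerminalIDs, d.TerminalID)
	}
	out := make([]MergeOperationRequest, 0, len(groups))
	for _, g := range groups {
		sort.Strings(g.TerminalIDs)
		out = append(out, *g)
	}
	// Deterministic order so the manager's log and the provider's view line up.
	sort.Slice(out, func(i, j int) bool { return out[i].Install.Version < out[j].Install.Version })
	return out, nil
}

func main() {
	// Constructed sample data: two builds, three terminals from one session.
	catalog := []CatalogEntry{{9, AppInstallInfo{"V1", 120000}}, {10, AppInstallInfo{"V2", 131072}}}
	stored := map[string]string{"V1": "enc-fingerprint-v1", "V2": "enc-fingerprint-v2"}
	devices := []DeviceInfo{{"t1", "phone-a", 9}, {"t2", "phone-b", 10}, {"t3", "tablet-c", 11}}
	reqs, err := BuildMergeRequests("session-42", catalog, stored, devices)
	fmt.Printf("%+v err=%v\n", reqs, err)
}
```

With the sample data the three terminals collapse into two merge operation requests: t1 alone on V1, and t2 with t3 sharing the single V2 payload, which is the reduction in repeated transmission the specification describes.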
As described above, during installation or update of a trusted application either the TEE terminal or the service provider may detect the application client's need for the trusted application and initiate the trusted application management flow with the TEE manager; the TEE manager then obtains encrypted application information, produced by encrypting the trusted application under the first key it generated, and sends it to the TEE terminal, which completes the installation or update. This reduces repeated transmission and the load on the service provider, improves transmission efficiency, and so speeds up installation or update.
The trusted application management procedure above involves interaction among the TEE manager, the service provider, and the TEE terminal. The apparatus configurations of these parties are described below.
Fig. 11 illustrates a schematic block diagram of a trusted application management apparatus provided in accordance with one embodiment, the apparatus being deployed at a TEE manager. As shown in fig. 11, the apparatus 500 includes:
a first operation request receiving unit 51, configured to receive from a requester a first operation request asking that a first trusted application be installed or updated in a TEE terminal, where the requester is the TEE terminal or the service provider corresponding to the first trusted application, and the requester generated the first operation request after detecting an application client's need to install or update the first trusted application;
a synchronization unit 52 configured to perform device state synchronization with the TEE terminal, thereby transmitting a first secret key thereto;
an encrypted application information obtaining unit 53 configured to obtain first encrypted application information obtained by encrypting the first trusted application based on the first key;
a second operation request generation unit 54 configured to attach the first encrypted application information to the first operation request, generating a second operation request;
a second operation request sending unit 55 configured to send a second operation request to the TEE terminal, so that the TEE terminal installs or updates the first trusted application based on the first key and the second operation request.
In one example, the encrypted application information obtaining unit 53 obtains the first encrypted application information as follows: it sends the first key to the service provider so that the service provider encrypts the first trusted application under the first key to obtain the first encrypted application information, and then receives the first encrypted application information from the service provider.
In another example, the encryption application information obtaining unit 53 may obtain the first encryption application information as follows: and acquiring first encryption application information stored in advance.
Further, in one example, the encryption application information obtaining unit 53 may store the first encryption application information as follows: receiving a first trusted application from a service provider in advance; encrypting the first trusted application by using the first secret key to obtain first encrypted application information; the first encrypted application information is stored.
Further, in another example, the encryption application information obtaining unit 53 may store the first encryption application information as follows: the method includes receiving first encryption application information from a service provider in advance, and storing the first encryption application information.
Fig. 12 shows a schematic block diagram of trusted application management provided according to one embodiment, the apparatus being deployed at a TEE manager. As shown in fig. 12, the apparatus 600 includes:
a first operation request receiving unit 61 configured to receive a first operation request for requesting installation or update of a first trusted application in a plurality of TEE terminals from a requester, the requester including a service provider or the plurality of TEE terminals to which the first trusted application corresponds;
a synchronization unit 62 configured to perform device state synchronization with the multiple TEE terminals, respectively, acquire device information of each TEE terminal, and send a first key to each TEE terminal;
a first message sending unit 63 configured to send a first message to the service provider, the first message including the device information of each TEE terminal, so that the service provider determines corresponding application installation information based on the device information of each TEE terminal;
a second message receiving unit 64 configured to receive a second message sent by a service provider, where the second message includes application installation information corresponding to each TEE terminal;
an encrypted application information determining unit 65 configured to determine, from a plurality of encrypted application information stored in advance, first encrypted application information corresponding to each TEE terminal based on application installation information corresponding to each TEE terminal, the first encrypted application information being obtained by encrypting a first trusted application based on a first secret key;
a second operation request generating unit 66 configured to attach the first encrypted application information corresponding to each TEE terminal to the corresponding first operation request, and generate a second operation request corresponding to each TEE terminal;
a second operation request sending unit 67 configured to send the second operation request corresponding to each TEE terminal to the corresponding TEE terminal, so that the corresponding TEE terminal installs or updates the first trusted application based on the first key and the second operation request.
In one example, the application installation information includes version information and file size information of the first trusted application.
In one example, the first message includes a first session identification created for a plurality of TEE terminals; the second message includes the first session identification.
Further, the second operation request sending unit 67 may send the second operation request as follows: determining a target TEE terminal group based on the application installation information corresponding to each TEE terminal, wherein the target TEE terminal group is composed of the TEE terminals corresponding to the same application installation information; and sending a merge operation request to the service provider, wherein the merge operation request comprises the first session identifier, the first encrypted application information corresponding to that application installation information, and information of the target TEE terminal group, so that the service provider sends a corresponding second operation request to each TEE terminal in the target TEE terminal group according to the merge operation request.
In one example, the synchronization unit 62 may synchronize as follows: performing device state synchronization with the plurality of TEE terminals directly, or performing device state synchronization with the plurality of TEE terminals through the service provider and/or the application client.
In one example, the first operation request is generated by the service provider monitoring the requirements of the application clients on the plurality of TEE terminals for installation or update of the first trusted application; or
the first operation request is generated on the TEE terminal by monitoring the requirement of the application client on the TEE terminal for installation or update of the first trusted application, and is sent to the service provider.
Fig. 13 shows a schematic block diagram of a trusted application management apparatus provided according to one embodiment, the apparatus being deployed at a service provider. As shown in Fig. 13, the apparatus 700 includes:
a monitoring unit 71 configured to monitor the requirement of the application client for installation or update of the first trusted application and to generate a first operation request, where the first operation request is used to request that the first trusted application be installed in the TEE terminal corresponding to the application client;
a first operation request sending unit 72 configured to send a first operation request to the trusted execution environment TEE manager;
a key receiving unit 73 configured to receive a first key sent by the TEE manager;
an encryption unit configured to encrypt the first trusted application at least based on the first secret key to obtain first encrypted application information;
an encrypted application information sending unit 74 configured to send the first encrypted application information to the TEE manager so that the TEE manager sends the first encrypted application information to the TEE terminal.
Fig. 14 shows a schematic block diagram of a trusted application management apparatus provided according to one embodiment, the apparatus being deployed at a service provider. As shown in Fig. 14, the apparatus 800 includes:
a monitoring unit 81 configured to monitor the requirements of the application clients on the plurality of TEE terminals for installation or update of the first trusted application and to generate a first operation request, where the first operation request is used to request that the first trusted application be installed in the plurality of TEE terminals;
a first operation request sending unit 82 configured to send a first operation request to a trusted execution environment TEE manager;
a message receiving unit 83 configured to receive a first message sent by a TEE manager, where the first message includes device information of each TEE terminal;
a determining unit 84 configured to determine corresponding application installation information based on the device information of each TEE terminal;
a second message sending unit 85 configured to send a second message to the TEE manager, where the second message includes the application installation information corresponding to each TEE terminal, so that the TEE manager determines, from a plurality of pieces of encrypted application information stored in advance, the first encrypted application information corresponding to each TEE terminal based on the application installation information corresponding to that TEE terminal, where the first encrypted application information is obtained by encrypting the first trusted application based on the first secret key.
In one example, the apparatus further comprises:
a merge operation request receiving unit (not shown) configured to receive a merge operation request sent by the TEE manager, where the merge operation request includes a first session identifier, the first encrypted application information corresponding to the same application installation information, and information of a target TEE terminal group, and the target TEE terminal group is composed of the TEE terminals corresponding to the same application installation information;
a second operation request sending unit (not shown) configured to send, according to the merge operation request, a corresponding second operation request to each TEE terminal in the target TEE terminal group, so that each TEE terminal installs or updates the first trusted application based on the first key and the second operation request, where the second operation request is generated by the TEE manager attaching the first encrypted application information corresponding to each TEE terminal to the corresponding first operation request.
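The multi-terminal flow of the Fig. 12 and Fig. 14 apparatuses (device information in the first message, application installation information in the second message, pre-stored encrypted application information, target TEE terminal groups and the merge operation request) as an added Python example; this is not the patent's own code. The service provider catalog, the fleet of four terminals, the session identifier format and the opaque placeholder blobs are constructed, and the message field names are assumptions. Decryption on the terminal is not modelled here; what this example shows is the grouping and the session check.

```python
import secrets
from collections import defaultdict

# Constructed SP catalog: (tee_vendor, tee_major) -> (version, file_size) of the TA build.
SP_CATALOG = {
    ("vendorA", 2): ("1.4.0", 81920),
    ("vendorA", 3): ("1.5.1", 90112),
    ("vendorB", 1): ("1.4.0", 81920),
}

# Constructed pre-stored encrypted application information held by the TEE manager,
# keyed by application installation info; the blobs are opaque placeholders.
PRE_STORED = {
    ("1.4.0", 81920): b"<encrypted TA build 1.4.0, constructed>",
    ("1.5.1", 90112): b"<encrypted TA build 1.5.1, constructed>",
}


def sync_terminals(terminals: dict) -> tuple:
    """TEE manager (unit 62): device state synchronization with every terminal;
    returns the device information per terminal and the first key sent to each."""
    first_key = secrets.token_bytes(32)  # opaque here; its use on the terminal is not modelled
    device_info = {tid: {"tee_vendor": t["tee_vendor"], "tee_major": t["tee_major"]}
                   for tid, t in terminals.items()}
    return device_info, first_key


def first_message(device_info: dict) -> dict:
    """TEE manager (unit 63): first message carrying a first session identification."""
    return {"session_id": secrets.token_hex(8), "device_info": device_info}


def sp_determine_installation_info(msg: dict) -> dict:
    """Service provider (units 84/85): map device information to installation info;
    terminals with no matching build are left out of the second message."""
    install_info = {}
    for tid, info in msg["device_info"].items():
        build = SP_CATALOG.get((info["tee_vendor"], info["tee_major"]))
        if build is not None:
            install_info[tid] = {"version": build[0], "file_size": build[1]}
    return {"session_id": msg["session_id"], "install_info": install_info}


def build_merge_requests(first_msg: dict, second_msg: dict) -> list:
    """TEE manager (units 65-67): bind the second message to the session, look up the
    pre-stored encrypted information, and group terminals that share installation
    info into one target TEE terminal group per merge operation request."""
    if second_msg["session_id"] != first_msg["session_id"]:
        raise ValueError("second message does not belong to this synchronization session")
    groups = defaultdict(list)
    for tid, info in second_msg["install_info"].items():
        groups[(info["version"], info["file_size"])].append(tid)
    merges = []
    for key, members in sorted(groups.items()):
        blob = PRE_STORED.get(key)
        if blob is None:
            continue  # nothing pre-stored for this installation info: skip the group
        merges.append({"session_id": first_msg["session_id"], "encrypted_app": blob,
                       "target_group": sorted(members)})
    return merges


def sp_fan_out(merge_requests: list, first_requests: dict) -> dict:
    """Service provider (claim 16): one second operation request per group member,
    built by attaching the group's encrypted information to that terminal's first request."""
    delivered = {}
    for m in merge_requests:
        for tid in m["target_group"]:
            delivered[tid] = dict(first_requests[tid], encrypted_app=m["encrypted_app"],
                                  session_id=m["session_id"])
    return delivered


def run_batch() -> tuple:
    terminals = {  # constructed fleet
        "dev-1": {"tee_vendor": "vendorA", "tee_major": 2},
        "dev-2": {"tee_vendor": "vendorB", "tee_major": 1},
        "dev-3": {"tee_vendor": "vendorA", "tee_major": 3},
        "dev-4": {"tee_vendor": "vendorC", "tee_major": 9},  # no build in the catalog
    }
    first_requests = {tid: {"op": "install_or_update", "ta_id": "wallet_ta", "terminal_id": tid}
                      for tid in terminals}
    device_info, _first_key = sync_terminals(terminals)
    msg1 = first_message(device_info)
    msg2 = sp_determine_installation_info(msg1)
    merges = build_merge_requests(msg1, msg2)
    return merges, sp_fan_out(merges, first_requests)
```

Running `run_batch()` yields two merge operation requests: dev-1 and dev-2 land in one target TEE terminal group because their device information maps to the same installation information (version 1.4.0, 81920 bytes), dev-3 forms a second group, and dev-4 receives nothing because the service provider had no build for it. The session check in `build_merge_requests` is the defensive detail worth keeping: a second message that does not carry the session identifier of the first message is discarded instead of being used to select encrypted application information for a fleet.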
Fig. 15 shows a schematic block diagram of a trusted application management apparatus provided according to one embodiment, the apparatus being deployed in a trusted execution environment TEE terminal. As shown in Fig. 15, the apparatus 500 includes:
a response unit 91 configured to respond to a synchronization request from the trusted execution environment TEE manager, perform device state synchronization with the TEE manager, and receive a first secret key sent by the TEE manager;
a second operation request receiving unit 92, configured to receive a second operation request sent by the TEE manager, where the second operation request is generated by the TEE manager attaching first encrypted application information corresponding to the TEE terminal to a corresponding first operation request, the first encrypted application information is obtained by encrypting a first trusted application based on a first secret key, and the first operation request is used for requesting to install or update the first trusted application in the TEE terminal;
an installation or update unit 93 configured to install or update the first trusted application based on the first key and the second operation request.
In one example, the apparatus further comprises:
a monitoring unit (not shown) configured to monitor the requirement of the application client for installation or update of the first trusted application, and to generate a first operation request;
a first operation request sending unit configured to send the first operation request to the TEE manager, so that the TEE manager performs device state synchronization with the TEE terminal and/or obtains the first encrypted application information.
In one example, the apparatus further comprises:
a device information sending unit (not shown) configured to send the device information of the TEE terminal to the TEE manager.
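The single-terminal flow described for units 51-55 above, together with its counterparts on the service provider side (Fig. 13) and on the TEE terminal side (Fig. 15), as an added example simulated in one Python process; this is not the patent's own code. The message field names, the generation of a fresh first key at each synchronization, and the HMAC-based encrypt-then-MAC construction (a standard-library stand-in for an AEAD such as AES-GCM) are assumptions, and the TA image and terminal identifier are constructed values.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream: stdlib stand-in for an AEAD such as AES-GCM."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_ta(first_key: bytes, ta_image: bytes) -> bytes:
    """First encrypted application information: nonce || ct || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(ta_image, _keystream(first_key, nonce, len(ta_image))))
    tag = hmac.new(first_key, b"ta-blob" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_ta(first_key: bytes, blob: bytes) -> bytes:
    """Terminal side: verify the tag before using any of the ciphertext."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(first_key, b"ta-blob" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("first encrypted application information failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(first_key, nonce, len(ct))))


class TeeTerminal:
    """Fig. 15 units: response unit 91 (sync, receive key) and install/update unit 93."""
    def __init__(self, terminal_id: str):
        self.terminal_id = terminal_id
        self.first_key = None
        self.installed = {}  # ta_id -> (version, image bytes)

    def sync_device_state(self, first_key: bytes) -> dict:
        self.first_key = first_key
        return {"terminal_id": self.terminal_id,
                "installed": {ta: ver for ta, (ver, _) in self.installed.items()}}

    def handle_second_request(self, req: dict) -> str:
        try:
            image = decrypt_ta(self.first_key, req["encrypted_app"])
        except ValueError:
            return "rejected"  # a tampered or mis-keyed blob is never installed
        action = "update" if req["ta_id"] in self.installed else "install"
        self.installed[req["ta_id"]] = (req["version"], image)
        return action


class ServiceProvider:
    """Fig. 13 units: monitoring unit 71, key receiving unit 73, encryption unit."""
    def __init__(self, ta_id: str, version: str, ta_image: bytes):
        self.ta_id, self.version, self.ta_image = ta_id, version, ta_image

    def first_operation_request(self, terminal_id: str) -> dict:
        # Monitoring unit: an application client on terminal_id needs the TA.
        return {"op": "install_or_update", "ta_id": self.ta_id,
                "version": self.version, "terminal_id": terminal_id}

    def encrypt_with_key(self, first_key: bytes) -> bytes:
        return encrypt_ta(first_key, self.ta_image)


class TeeManager:
    """Units 51-55 above, following the claim 2 variant (the SP encrypts on demand)."""
    def __init__(self, sp: ServiceProvider):
        self.sp = sp

    def build_second_request(self, first_req: dict, terminal: TeeTerminal) -> dict:
        first_key = secrets.token_bytes(32)  # fresh key per synchronization (assumption)
        terminal.sync_device_state(first_key)  # unit 52: sync and deliver the key
        encrypted = self.sp.encrypt_with_key(first_key)  # unit 53, via the SP
        return dict(first_req, encrypted_app=encrypted)  # unit 54: attach the blob


def run_flow():
    """Install, then update, then a tampered second request; returns (outcomes, terminal)."""
    sp = ServiceProvider("wallet_ta", "1.2.0", b"constructed TA image bytes")
    terminal, manager = TeeTerminal("dev-001"), TeeManager(sp)
    req = sp.first_operation_request(terminal.terminal_id)
    outcomes = [terminal.handle_second_request(manager.build_second_request(req, terminal))
                for _ in range(2)]
    tampered = manager.build_second_request(req, terminal)
    blob = bytearray(tampered["encrypted_app"])
    blob[NONCE_LEN + 3] ^= 0x01  # flip one ciphertext bit in transit
    tampered["encrypted_app"] = bytes(blob)
    outcomes.append(terminal.handle_second_request(tampered))
    return outcomes, terminal  # outcomes == ['install', 'update', 'rejected']
```

The detail the example adds to the text is where the integrity check sits: the terminal authenticates the first encrypted application information under the first key before anything is written to its TA store, so a blob altered between TEE manager and terminal (the third request in `run_flow`) is rejected rather than installed, while a second request for a TA that is already present is treated as an update.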
According to an embodiment of another aspect, there is also provided a computer-readable storage medium having stored thereon a computer program which, when executed in a computer, causes the computer to perform the method described above.
According to an embodiment of yet another aspect, there is also provided a computing device comprising a memory and a processor, the memory having stored therein executable code, the processor implementing the method described above when executing the executable code.
Those skilled in the art will recognize that, in one or more of the examples described above, the functions described in this invention may be implemented in hardware, software, firmware, or any combination thereof. When implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium.
The above embodiments further describe the objects, technical solutions and advantages of the present invention in detail. It should be understood that the above embodiments are only exemplary embodiments of the present invention and are not intended to limit its scope; any modifications, equivalent substitutions, improvements and the like made on the basis of the technical solutions of the present invention shall fall within the scope of the present invention.

Claims (22)

1. A trusted application management method, performed by a trusted execution environment, TEE, manager, comprising:
receiving, from a requester, a first operation request for requesting installation or update of a first trusted application in a TEE terminal, wherein the requester comprises the TEE terminal or a service provider corresponding to the first trusted application, and the first operation request is generated by the requester monitoring the requirement of an application client for installation or update of the first trusted application;
performing device state synchronization with the TEE terminal so as to send a first secret key to the TEE terminal;
acquiring first encrypted application information obtained by encrypting the first trusted application based on the first secret key;
attaching the first encrypted application information to the first operation request to generate a second operation request;
sending the second operation request to the TEE terminal to enable the TEE terminal to install or update the first trusted application based on the first key and the second operation request.
2. The method of claim 1, wherein the obtaining first encrypted application information that is obtained by encrypting the first trusted application based on the first key comprises:
sending the first secret key to the service provider, so that the service provider encrypts the first trusted application based on the first secret key to obtain first encrypted application information;
receiving the first encrypted application information from the service provider.
3. The method of claim 1, wherein the obtaining first encrypted application information that is obtained by encrypting the first trusted application based on the first key comprises:
acquiring the first encrypted application information stored in advance.
4. The method of claim 3, wherein, before the acquiring of the first encrypted application information stored in advance, the method further comprises:
receiving the first trusted application from the service provider in advance;
encrypting the first trusted application by using the first secret key to obtain first encrypted application information;
storing the first encrypted application information.
5. The method of claim 3, wherein, before the acquiring of the first encrypted application information stored in advance, the method further comprises:
receiving the first encrypted application information from the service provider in advance, and storing the first encrypted application information.
6. A trusted application management method, performed by a trusted execution environment, TEE, manager, comprising:
receiving a first operation request for requesting installation or update of a first trusted application in a plurality of TEE terminals from a requester, wherein the requester comprises a service provider corresponding to the first trusted application or the plurality of TEE terminals;
performing device state synchronization with each of the plurality of TEE terminals, acquiring device information of each TEE terminal, and sending a first secret key to each TEE terminal;
sending a first message to the service provider, wherein the first message comprises the device information of each TEE terminal, so that the service provider determines corresponding application installation information based on the device information of each TEE terminal;
receiving a second message sent by the service provider, wherein the second message comprises application installation information corresponding to each TEE terminal;
determining first encrypted application information corresponding to each TEE terminal from a plurality of encrypted application information stored in advance based on application installation information corresponding to each TEE terminal, wherein the first encrypted application information is obtained by encrypting the first trusted application based on the first secret key;
attaching the first encryption application information corresponding to each TEE terminal to a corresponding first operation request, and generating a second operation request corresponding to each TEE terminal;
and sending the second operation request corresponding to each TEE terminal to the corresponding TEE terminal so that the corresponding TEE terminal installs or updates the first trusted application based on the first secret key and the second operation request.
7. The method of claim 6, wherein the application installation information includes version information and file size information of the first trusted application.
8. The method of claim 6, wherein the first message comprises a first session identification created for the plurality of TEE terminals; the second message includes the first session identification.
9. The method of claim 8, wherein the sending the second operation request corresponding to each TEE terminal to the corresponding TEE terminal comprises:
determining a target TEE terminal group based on the application installation information corresponding to each TEE terminal, wherein the target TEE terminal group consists of TEE terminals corresponding to the same application installation information;
and sending a merging operation request to the service provider, wherein the merging operation request comprises the first session identifier, first encrypted application information corresponding to the same application installation information and information of the target TEE terminal group, so that the service provider sends a corresponding second operation request to each TEE terminal in the target TEE terminal group according to the merging operation request.
10. The method of any of claims 6-8, wherein performing device state synchronization with each of the plurality of TEE terminals comprises:
performing device state synchronization with the plurality of TEE terminals directly, or performing device state synchronization with the plurality of TEE terminals through the service provider and/or the application client.
11. The method of any of claims 6-8, wherein the first operation request is generated by the service provider monitoring the requirements of application clients on the plurality of TEE terminals for installation or update of the first trusted application; or
the first operation request is generated on the TEE terminal by monitoring the requirement of the application client on the TEE terminal for installation or update of the first trusted application, and is sent to the service provider.
12. A trusted application management method, performed by a service provider, comprising:
monitoring the installation or update requirement of an application client on a first trusted application, and generating a first operation request, wherein the first operation request is used for requesting the installation of the first trusted application in a TEE terminal corresponding to the application client;
sending the first operation request to a Trusted Execution Environment (TEE) manager;
receiving a first secret key sent by the TEE manager;
encrypting the first trusted application at least based on the first secret key to obtain first encrypted application information;
and sending the first encryption application information to the TEE manager so that the TEE manager sends the first encryption application information to the TEE terminal.
13. A trusted application management method, performed by a service provider, comprising:
monitoring the requirements of application clients on a plurality of TEE terminals for installation or update of a first trusted application, and generating a first operation request, wherein the first operation request is used for requesting the installation of the first trusted application in the plurality of TEE terminals;
sending the first operation request to a Trusted Execution Environment (TEE) manager;
receiving a first message sent by the TEE manager, wherein the first message comprises device information of each TEE terminal;
determining corresponding application installation information based on the device information of each TEE terminal;
and sending a second message to the TEE manager, wherein the second message comprises application installation information corresponding to each TEE terminal, so that the TEE manager determines first encrypted application information corresponding to each TEE terminal from a plurality of encrypted application information stored in advance based on the application installation information corresponding to each TEE terminal, and the first encrypted application information is obtained by encrypting the first trusted application based on a first secret key.
14. The method of claim 13, wherein the application installation information includes version information and file size information of the first trusted application.
15. The method of claim 13, wherein the first message comprises a first session identification created for the plurality of TEE terminals; the second message includes the first session identification.
16. The method of claim 15, further comprising:
receiving a merging operation request sent by the TEE manager, wherein the merging operation request comprises the first session identifier, first encrypted application information corresponding to the same application installation information and information of a target TEE terminal group, and the target TEE terminal group consists of TEE terminals corresponding to the same application installation information;
and according to the merging operation request, sending a corresponding second operation request to each TEE terminal in the target TEE terminal group, so that each TEE terminal installs or updates the first trusted application based on the first secret key and the second operation request, wherein the second operation request is generated by the TEE manager attaching the first encrypted application information corresponding to each TEE terminal to the corresponding first operation request.
17. A trusted application management apparatus, the apparatus being deployed at a trusted execution environment, TEE, manager, comprising:
a first operation request receiving unit configured to receive, from a requester, a first operation request for requesting installation or update of a first trusted application in a TEE terminal, where the requester comprises the TEE terminal or a service provider corresponding to the first trusted application, and the first operation request is generated by the requester monitoring the requirement of an application client for installation or update of the first trusted application;
a synchronization unit configured to perform device state synchronization with the TEE terminal, thereby transmitting a first secret key thereto;
an encrypted application information acquisition unit configured to acquire first encrypted application information obtained by encrypting the first trusted application based on the first key;
a second operation request generation unit configured to attach the first encrypted application information to the first operation request, generating a second operation request;
a second operation request sending unit configured to send the second operation request to the TEE terminal, so that the TEE terminal installs or updates the first trusted application based on the first key and the second operation request.
18. A trusted application management apparatus, the apparatus being deployed at a trusted execution environment, TEE, manager, comprising:
a first operation request receiving unit configured to receive a first operation request for requesting installation or update of a first trusted application in a plurality of TEE terminals from a requester, the requester including a service provider corresponding to the first trusted application or the plurality of TEE terminals;
a synchronization unit configured to perform device state synchronization with each of the plurality of TEE terminals, acquire device information of each TEE terminal, and send a first secret key to each TEE terminal;
a first message sending unit configured to send a first message to the service provider, the first message including the device information of the respective TEE terminals, so that the service provider determines corresponding application installation information based on the device information of the respective TEE terminals;
a second message receiving unit, configured to receive a second message sent by the service provider, where the second message includes application installation information corresponding to each TEE terminal;
an encrypted application information determining unit configured to determine first encrypted application information corresponding to each TEE terminal from a plurality of pieces of encrypted application information stored in advance based on application installation information corresponding to each TEE terminal, the first encrypted application information being obtained by encrypting the first trusted application based on the first secret key;
a second operation request generation unit, configured to attach the first encrypted application information corresponding to each TEE terminal to a corresponding first operation request, and generate a second operation request corresponding to each TEE terminal;
a second operation request sending unit, configured to send a second operation request corresponding to each TEE terminal to a corresponding TEE terminal, so that the corresponding TEE terminal installs or updates the first trusted application based on the first key and the second operation request.
19. A trusted application management apparatus, deployed at a service provider, comprising:
a monitoring unit configured to monitor the requirement of an application client for installation or update of a first trusted application and to generate a first operation request, where the first operation request is used to request that the first trusted application be installed in a TEE terminal corresponding to the application client;
a first operation request sending unit configured to send the first operation request to a Trusted Execution Environment (TEE) manager;
a key receiving unit configured to receive a first key sent by the TEE manager;
an encryption unit configured to encrypt the first trusted application at least based on the first secret key to obtain first encrypted application information;
an encrypted application information sending unit configured to send the first encrypted application information to the TEE manager, so that the TEE manager sends the first encrypted application information to the TEE terminal.
20. A trusted application management apparatus, deployed at a service provider, comprising:
a monitoring unit configured to monitor the requirements of application clients on a plurality of TEE terminals for installation or update of a first trusted application and to generate a first operation request, wherein the first operation request is used for requesting that the first trusted application be installed in the plurality of TEE terminals;
a first operation request sending unit configured to send the first operation request to a Trusted Execution Environment (TEE) manager;
a message receiving unit configured to receive a first message sent by the TEE manager, where the first message includes device information of each TEE terminal;
a determining unit configured to determine corresponding application installation information based on the device information of the respective TEE terminals;
a second message sending unit, configured to send a second message to the TEE manager, where the second message includes application installation information corresponding to each TEE terminal, so that the TEE manager determines, based on the application installation information corresponding to each TEE terminal, first encrypted application information corresponding to each TEE terminal from a plurality of pieces of encrypted application information stored in advance, where the first encrypted application information is obtained by encrypting the first trusted application based on a first secret key.
21. A computer-readable storage medium, on which a computer program is stored which, when executed in a computer, causes the computer to carry out the method of any one of claims 1-16.
22. A computing device comprising a memory and a processor, wherein the memory has stored therein executable code that, when executed by the processor, performs the method of any of claims 1-16.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010955075.0A CN112149134A (en) 2020-09-11 2020-09-11 Trusted application management method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010955075.0A CN112149134A (en) 2020-09-11 2020-09-11 Trusted application management method and device

Publications (1)

Publication Number Publication Date
CN112149134A true CN112149134A (en) 2020-12-29

Family

ID=73889661

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010955075.0A Pending CN112149134A (en) 2020-09-11 2020-09-11 Trusted application management method and device

Country Status (1)

Country Link
CN (1) CN112149134A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116708044A (en) * 2023-08-07 2023-09-05 北京小米移动软件有限公司 Application management system, application management method, server, terminal and medium
CN116708044B (en) * 2023-08-07 2023-10-20 北京小米移动软件有限公司 Application management system, application management method, server, terminal and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination