WO2015117523A1 - Access control method and device - Google Patents

Access control method and device

Info

Publication number
WO2015117523A1
Authority
WO
WIPO (PCT)
Prior art keywords
application
key
whitelist
public key
data
Prior art date
Application number
PCT/CN2014/094852
Other languages
French (fr)
Chinese (zh)
Inventor
沙爽
Original Assignee
中兴通讯股份有限公司
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司 (ZTE Corporation)
Publication of WO2015117523A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0853 Network architectures or network communication protocols for network security for authentication of entities using an additional device, e.g. smartcard, SIM or a different communication terminal

Definitions

  • the present invention relates to the field of communications, and in particular to an access control method and apparatus.
  • the embodiment of the invention provides an access control method and device, so as to at least solve the problem that the access control method for accessing data in the related art has limitations.
  • an access control method comprising: obtaining an identity identification key of an application that accesses specified data, wherein the identity identification key is generated from an identifier of the application and a hardware key read from a register or a separate security chip; determining, according to the identity identification key, whether the application is legitimate; and controlling the application's access to the specified data according to the determination result.
  • Determining whether the application is legal according to the identity identification key includes: determining whether the application corresponding to the identity identification key belongs to a preset application white list, and if yes, determining that the application is legal.
  • before determining whether the application corresponding to the identity identification key belongs to the preset application whitelist, the method further includes: reading an RSA public key from the register or a separate security chip; verifying, with the RSA public key, the whitelist data, i.e. the application whitelist as signed with the RSA private key; and decrypting the whitelist data with aes_cbc_128 to obtain the application whitelist.
  • before reading the RSA public key, the method further includes: encrypting the application whitelist with aes_cbc_128 and signing the result with an RSA private key to obtain the whitelist data; and storing the RSA public key corresponding to the RSA private key in the register or a separate security chip.
  • the method further includes: authenticating the signaling exchanged between the application client and the server with the server's RSA public key, wherein the server's public key is stored in the register or a separate security chip and the server's private key corresponding to that public key is stored on the server side.
  • an access control apparatus comprising: an obtaining module configured to obtain an identity identification key of an application that accesses specified data, wherein the identity identification key is generated from an identifier of the application and a hardware key read from a register or a separate security chip; and a control module configured to determine, according to the identity identification key, whether the application is legitimate, and to control the application's access to the specified data according to the determination result.
  • the control module includes: a determining unit, configured to determine whether the application corresponding to the identity identification key belongs to a preset application white list, and if yes, determine that the application is legal.
  • the apparatus further includes: a reading module configured to read an RSA public key from the register or a separate security chip; and a decryption module configured to verify, with the RSA public key, the whitelist data (the application whitelist as signed with the RSA private key) and to decrypt the whitelist data with aes_cbc_128 to obtain the application whitelist.
  • the device further includes: an encryption module configured to encrypt the application whitelist with aes_cbc_128 and sign the result with an RSA private key to obtain the whitelist data; and a saving module configured to store the RSA public key corresponding to the RSA private key in the register or a separate security chip.
  • the device further includes: an authentication module configured to authenticate the signaling exchanged between the application client and the server with the server's RSA public key, where the server's public key is stored in the register or a separate security chip and the server's private key corresponding to that public key is stored on the server side.
  • an identity identification key of an application that accesses specified data is obtained, wherein the identity identification key is generated from an identifier of the application and a hardware key read from a register or a separate security chip; whether the application is legitimate is determined according to the identity identification key, and the application's access to the specified data is controlled according to the determination result.
  • FIG. 1 is a flow chart of an access control method according to an embodiment of the present invention.
  • FIG. 2 is a block diagram showing the structure of an access control apparatus according to an embodiment of the present invention.
  • FIG. 3 is a schematic structural diagram of a system of application software according to a preferred embodiment of the present invention.
  • FIG. 4 is a flow chart of application identity authentication in accordance with a preferred embodiment of the present invention.
  • FIG. 5 is a schematic diagram of a verification process of an application whitelist according to a preferred embodiment of the present invention.
  • FIG. 6 is a schematic diagram of an application client and server signaling encryption process in accordance with a preferred embodiment of the present invention.
  • the inventor found that permission control performed in the manner of the related art has the following defects: first, it only controls the specific categories of permissions and data access listed above, so it is limited and cannot protect arbitrary sensitive data; second, it performs no access control based on application identity authentication and has no whitelist mechanism, so it is not a complete solution; in addition, instruction transmission between the application client and the server is not protected by authentication.
  • FIG. 1 is a flowchart of an access control method according to an embodiment of the present invention. As shown in FIG. 1, the method includes the following steps:
  • Step S102 Acquire an identity identification key of an application that accesses the specified data, where the identity identification key is generated according to the identifier of the application and a hardware key read from a register or a separate security chip;
  • Step S104 Determine, according to the identity identification key, whether the application is legal, and control access by the application to the specified data according to the determination result.
  • through the above steps, this embodiment generates the application's identity identification key from the application's identifier and a hardware key read from the register or the separate security chip, determines whether the application is legitimate according to that key, and controls the application's access to the specified data according to the determination result. The access control mode thus changes from permission control aimed at the application to permission control based on the controlled specified data, and the permission control is bound to the hardware key. This solves the problem that the permission control methods for accessing data in the related art are limited, and makes access control over data more flexible, more diverse and more secure.
  • when determining whether the application is legitimate according to the identity identification key, a whitelist may be used: specifically, it may be determined whether the application corresponding to the identity identification key belongs to a preset application whitelist, and if so, the application is determined to be legitimate.
  • the whitelist may also be signed and encrypted using a hardware key.
  • the application whitelist may be encrypted with aes_cbc_128 and then signed with an RSA private key to obtain the whitelist data, and the RSA public key corresponding to that private key is stored in the register or a separate security chip.
  • the RSA public key may be read from the register or the independent security chip before determining whether the application corresponding to the identity key belongs to the preset application whitelist;
  • the whitelist data corresponding to the application whitelist signed by the RSA private key is verified by the RSA public key, and the whitelist data is decrypted by aes_cbc_128 to obtain the application whitelist.
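The provisioning and verification steps in the bullets above, as an added example in Go that is not code from the patent or from the applicant: the provisioning side encrypts the whitelist with aes_cbc_128 and signs the ciphertext with the RSA private key, and the device side verifies that signature with the public key read from the register before it decrypts anything. The patent fixes neither the padding, the IV handling, the signature scheme nor where the AES key is kept; PKCS#7 padding, a random IV prepended to the ciphertext, RSA-PSS over SHA-256 and an AES key passed in by the caller are assumptions of this example, as is the name `registerPublicKey` standing in for the hardware register.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"strings"
)

// SignedWhitelist is the blob built into the device software: the
// aes_cbc_128 ciphertext (IV prepended) and an RSA signature over it.
type SignedWhitelist struct {
	Ciphertext []byte // iv || AES-128-CBC(pkcs7(whitelist))
	Signature  []byte // RSA-PSS/SHA-256 over Ciphertext (assumed scheme)
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// SealWhitelist is the provisioning side: encrypt with aes_cbc_128, then sign
// the ciphertext with the RSA private key, in that order as the patent states.
func SealWhitelist(aesKey []byte, priv *rsa.PrivateKey, whitelist []string) (*SignedWhitelist, error) {
	block, err := aes.NewCipher(aesKey) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	plain := pkcs7Pad([]byte(strings.Join(whitelist, "\n")))
	ct := make([]byte, aes.BlockSize+len(plain))
	if _, err := io.ReadFull(rand.Reader, ct[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, ct[:aes.BlockSize]).CryptBlocks(ct[aes.BlockSize:], plain)
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &SignedWhitelist{Ciphertext: ct, Signature: sig}, nil
}

// OpenWhitelist is the device side: verify with the public key read from the
// register first; a blob whose signature fails is rejected before any
// ciphertext is touched, so CBC malleability never reaches the decryptor.
func OpenWhitelist(aesKey []byte, registerPublicKey *rsa.PublicKey, sw *SignedWhitelist) ([]string, error) {
	digest := sha256.Sum256(sw.Ciphertext)
	if err := rsa.VerifyPSS(registerPublicKey, crypto.SHA256, digest[:], sw.Signature, nil); err != nil {
		return nil, fmt.Errorf("whitelist signature invalid: %w", err)
	}
	if len(sw.Ciphertext) < 2*aes.BlockSize || len(sw.Ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("malformed ciphertext")
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	body := make([]byte, len(sw.Ciphertext)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, sw.Ciphertext[:aes.BlockSize]).CryptBlocks(body, sw.Ciphertext[aes.BlockSize:])
	plain, err := pkcs7Unpad(body)
	if err != nil {
		return nil, err
	}
	return strings.Split(string(plain), "\n"), nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed throwaway key pair
	aesKey := []byte("constructed-16B!")          // constructed 16-byte AES key
	sw, _ := SealWhitelist(aesKey, priv, []string{"com.example.bank", "com.example.wallet"})
	wl, err := OpenWhitelist(aesKey, &priv.PublicKey, sw)
	fmt.Println("genuine blob:", wl, err)
	sw.Ciphertext[aes.BlockSize] ^= 0x01 // flip one ciphertext byte: rejected at the signature check
	_, err = OpenWhitelist(aesKey, &priv.PublicKey, sw)
	fmt.Println("tampered blob:", err)
}
```

Because the signature covers the ciphertext, verification comes before decryption, and a CBC bit-flip or a spliced block is caught at the signature check rather than by the padding check; the decryptor never processes attacker-controlled bytes. What the patent leaves open is the AES key itself: if it sits in ordinary storage next to the blob, the signature still protects the whitelist's integrity, but its contents are no longer confidential from code that can read that storage.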
  • the signaling exchanged between the application client and the server may also be signed and encrypted using the hardware key, as follows: the signaling between the application client and the server is authenticated with the server's RSA public key, where the server's public key is stored in the register or a separate security chip and the server's private key corresponding to that public key is stored on the server side.
  • an access control device is also provided in this embodiment; the device is configured to implement the above embodiments and preferred embodiments, and what has already been described is not repeated.
  • the term "module" may refer to software and/or hardware that implements a predetermined function.
  • the apparatus described in the following embodiments is preferably implemented in software, although implementation in hardware or in a combination of software and hardware is also possible and contemplated.
  • FIG. 2 is a structural block diagram of an access control apparatus according to an embodiment of the present invention. As shown in FIG. 2, the apparatus includes an acquisition module 22 and a control module 24. The following describes each module in detail:
  • An obtaining module 22 configured to obtain an identification key of an application that accesses the specified data, wherein the identification key is generated according to the identifier of the application and a hardware key read from a register or a separate security chip;
  • the control module 24 is connected to the obtaining module 22, and is configured to determine whether the application is legal according to the identity identification key, and control the application to access the specified data according to the determination result.
  • control module 24 may be configured to: determine whether the application corresponding to the identity identification key belongs to a preset application white list, and if yes, determine that the application is legal.
  • the device may further include: a reading module, connected to the control module 24, configured to read the RSA public key from the register or a separate security chip; and a decryption module, connected to the reading module, configured to verify, with the RSA public key, the whitelist data (the application whitelist as signed with the RSA private key) and to decrypt the whitelist data with aes_cbc_128 to obtain the application whitelist.
  • the device may further include: an encryption module configured to encrypt the application whitelist with aes_cbc_128 and sign the result with an RSA private key to obtain the whitelist data; and a saving module, connected to the reading module, configured to store the RSA public key corresponding to the RSA private key in the register or a separate security chip.
  • the apparatus further comprises: an authentication module configured to authenticate the signaling exchanged between the application client and the server with the server's RSA public key, wherein the server's public key is stored in the register or a separate security chip and the server's private key corresponding to that public key is stored on the server side.
  • on a terminal device, some data should be accessed only by a designated application, and access by any other application is illegal and dangerous; examples include personal finance data, private files and social-network accounts, which are easily stolen by malware if any application can read them.
  • the data may be encrypted, but the encryption key and the encrypted data are stored in a common storage area, and the application authentication for data access is also lacking.
  • the preferred embodiment is designed with a hardware device-based application identity authentication mechanism, which not only ensures that the legitimate application accesses the specified data, but also increases the protection of the application wireless signaling interaction, thereby greatly reducing the possibility of losing key data.
  • a method and apparatus for systematized authentication of application permissions is provided.
  • the solution stores the key used to authenticate the application in a register or security chip, physically isolated from ordinary data, which greatly reduces the chance of theft or tampering by Trojans and malware, and adds authentication to the access mechanism itself.
  • the rights management through the whitelist can not only provide the scalability of the application list, but also ensure the effectiveness of the management.
  • the identity authentication key held in hardware is used to strengthen authentication of the instruction exchange between the application client and the server; the key used during this exchange is read through the security interface, so that the application performing the read is itself authenticated.
  • the preferred embodiment is based on ARM TrustZone technology. TrustZone(TM) appears in the ARMv6KZ and later application-core architectures. It provides a low-cost way of adding a dedicated security core to a system-on-a-chip (SoC): two virtual processors backed by hardware-enforced access control. This lets the application core switch between two states (usually called "worlds", to avoid confusion with names used in other functional areas), which prevents information from leaking from the more trusted world into the less secure one. Switching between worlds is usually completely orthogonal to the processor's other functions, so each world can operate independently while still using the same core.
  • the preferred embodiment provides a method and apparatus for applying identity authentication.
  • the key in the hardware chip is used to authenticate the application's access rights, thereby ensuring that legitimate applications access legitimate data. FIG. 3 is a schematic structural diagram of a system of application software according to a preferred embodiment of the present invention.
  • the application client on the left of the figure embeds a security module, and the security module is signed in advance with a key unique to each application.
  • the security module invokes the encapsulated interface of the device system to access the protected data.
  • when the application client calls the access interface, the device system calls the authentication module to verify the identity of the application.
  • FIG. 4 is a flow chart of application identity authentication according to a preferred embodiment of the present invention. The process of applying identity authentication is as shown in FIG. 4 .
  • FIG. 5 is a schematic diagram of a verification process of an application whitelist according to a preferred embodiment of the present invention. As shown in FIG. 5, the verification method of the application whitelist is as follows:
  • the application whitelist is first encrypted by aes_cbc_128, and then signed with the RSA private key.
  • the RSA public key is stored in the hardware register, and the signed data is built into the software system device.
  • the verification and matching process is then started.
  • FIG. 6 is a schematic diagram of an application client and server signaling encryption process according to a preferred embodiment of the present invention.
  • the server's RSA public key is stored in a hardware register, the application accesses the public key through the security module, and the server's private key is stored on the server side.
  • the identity of both parties is authenticated by the public key in the hardware register, thereby ensuring the security of the communication, and the software interaction process is as shown in FIG. 6.
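The signaling exchange of FIG. 6 (also described in the bullet on client-server signaling earlier), as an added example in Go that is not code from the patent or from the applicant: the server signs each instruction with its private key, and the application's security module verifies it with the server public key pinned in the hardware register (`registerPublicKey` below stands in for that register). The patent specifies only the public-key check; the per-session nonce, RSA-PSS over SHA-256 and the message layout are assumptions of this example, added so that a captured instruction cannot be replayed into a later session.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Signal is one server-to-client instruction as it crosses the air interface:
// the client's session nonce echoed back, the command, and the server's signature.
type Signal struct {
	Nonce   []byte
	Command string
	Sig     []byte
}

// signalDigest length-prefixes the nonce so that a (nonce, command) pair
// cannot be re-split into a different pair with the same hash.
func signalDigest(nonce []byte, command string) []byte {
	h := sha256.New()
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(nonce)))
	h.Write(n[:])
	h.Write(nonce)
	h.Write([]byte(command))
	return h.Sum(nil)
}

// NewNonce is called by the client when it opens a session; the nonce is sent
// to the server and must come back inside every signed instruction.
func NewNonce() ([]byte, error) {
	nonce := make([]byte, 16)
	_, err := rand.Read(nonce)
	return nonce, err
}

// ServerSign runs on the server, the only holder of the private key.
func ServerSign(priv *rsa.PrivateKey, nonce []byte, command string) (*Signal, error) {
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, signalDigest(nonce, command), nil)
	if err != nil {
		return nil, err
	}
	return &Signal{Nonce: nonce, Command: command, Sig: sig}, nil
}

// ClientVerify runs in the application's security module with the server
// public key read from the hardware register. It rejects a stale or replayed
// signal (wrong nonce) and a signal from anyone but the server (bad signature).
func ClientVerify(registerPublicKey *rsa.PublicKey, sessionNonce []byte, s *Signal) error {
	if !bytes.Equal(s.Nonce, sessionNonce) {
		return errors.New("nonce mismatch: stale or replayed signal")
	}
	if err := rsa.VerifyPSS(registerPublicKey, crypto.SHA256, signalDigest(s.Nonce, s.Command), s.Sig, nil); err != nil {
		return fmt.Errorf("signal not signed by the pinned server key: %w", err)
	}
	return nil
}

func main() {
	server, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed server key pair
	rogue, _ := rsa.GenerateKey(rand.Reader, 2048)  // constructed attacker key pair
	pinned := &server.PublicKey                     // what the device's register would hold

	nonce, _ := NewNonce()
	genuine, _ := ServerSign(server, nonce, "UNLOCK_WALLET")
	fmt.Println("genuine:", ClientVerify(pinned, nonce, genuine))

	forged, _ := ServerSign(rogue, nonce, "UNLOCK_WALLET")
	fmt.Println("rogue server:", ClientVerify(pinned, nonce, forged))

	later, _ := NewNonce() // a new session: the old signal must not be accepted again
	fmt.Println("replayed:", ClientVerify(pinned, later, genuine))
}
```

Note what the pinned key does and does not prove: a signal that verifies was produced by the holder of the server's private key, so the server is authenticated to the client, but this check alone tells the server nothing about the client. Authenticating the client as well needs a client-side credential, such as the identity identification key described above, which the patent does not detail for this step.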
  • the mechanism for applying identity authentication in the preferred embodiment can be applied in many scenarios, especially in applications with strong privacy such as banking, shopping, and social networking.
  • the key is stored in a hardware register, which reduces the risk of leakage, and the identities of the client and the server are mutually authenticated through this set of keys, which makes the communication more secure.
  • a software is provided that is configured to perform the technical solutions described in the above embodiments and preferred embodiments.
  • a storage medium in which the above software is stored, including but not limited to an optical disk, a floppy disk, a hard disk, an erasable memory, and the like.
  • the modules or steps of the present invention described above can be implemented by a general-purpose computing device; they can be centralized on a single computing device or distributed across a network of multiple computing devices. Optionally, they may be implemented as program code executable by the computing device, so that they can be stored in a storage device and executed by the computing device, in some cases in an order different from that described here; or they may be fabricated separately as individual integrated-circuit modules, or several of the modules or steps may be fabricated as a single integrated-circuit module.
  • the invention is not limited to any specific combination of hardware and software.
  • the access control method and apparatus provided by embodiments of the present invention have the following beneficial effect: they solve the problem that the access control methods for accessing data in the related art are limited, making access control over data more flexible, more diverse and more secure.

Abstract

Disclosed are an access control method and device. The method comprises: acquiring an identity recognition key of an application for accessing designated data, wherein the identity recognition key is generated according to an identifier of the application and a hardware key read from a register or an independent security chip; and judging whether the application is valid according to the identity recognition key, and controlling the access of the application to the designated data according to the judgement result. By means of the present invention, the problem in the related art that the permission control manner for accessing data has limitations is solved, so that the permission control for accessing data becomes more flexible and diverse, and the security is higher.

Description

Access control method and device

Technical field
The present invention relates to the field of communications, and in particular to an access control method and apparatus.
Background
As the number of applications on smartphones grows, many applications need to access user data on the phone: social applications need the address book, navigation applications need the phone's location, and authentication software needs the phone's identifiers. Users are often unaware that this information is being read by applications, and applications frequently access data unrelated to their own function, which creates opportunities for information leakage.
At present, the industry controls an application's permission to access data essentially as follows:
A. Check the application's use of private permissions, such as making calls, sending messages, reading contacts, reading messages, obtaining GPS location, audio recording, photography and video, phone identification information, and so on;
B. The user allows or forbids the application's access to each of the above private permissions.
Permission control of this kind only covers the specific categories of permissions and data access listed above; it is limited and cannot protect arbitrary sensitive data.
No effective solution has yet been proposed for the problem that the permission control methods for accessing data in the related art are limited.
Summary of the invention
Embodiments of the invention provide an access control method and apparatus that at least solve the problem that the permission control methods for accessing data in the related art are limited.
According to one embodiment of the invention, an access control method is provided, including: obtaining an identity identification key of an application that accesses specified data, where the identity identification key is generated from an identifier of the application and a hardware key read from a register or a separate security chip; and determining, according to the identity identification key, whether the application is legitimate, and controlling the application's access to the specified data according to the determination result.
Determining whether the application is legitimate according to the identity identification key includes: determining whether the application corresponding to the identity identification key belongs to a preset application whitelist, and if so, determining that the application is legitimate.
Before determining whether the application corresponding to the identity identification key belongs to the preset application whitelist, the method further includes: reading an RSA public key from the register or the separate security chip; verifying, with the RSA public key, the whitelist data, i.e. the application whitelist as signed with the RSA private key; and decrypting the whitelist data with aes_cbc_128 to obtain the application whitelist.
Before reading the RSA public key from the register or the separate security chip, the method further includes: encrypting the application whitelist with aes_cbc_128 and signing the result with an RSA private key to obtain the whitelist data; and storing the RSA public key corresponding to the RSA private key in the register or the separate security chip.
The method further includes: authenticating the signaling exchanged between the application client and the server with the server's RSA public key, where the server's public key is stored in the register or the separate security chip and the server's private key corresponding to that public key is stored on the server side.
According to another embodiment of the invention, an access control apparatus is provided, including: an obtaining module configured to obtain an identity identification key of an application that accesses specified data, where the identity identification key is generated from an identifier of the application and a hardware key read from a register or a separate security chip; and a control module configured to determine, according to the identity identification key, whether the application is legitimate, and to control the application's access to the specified data according to the determination result.
The control module includes: a determining unit configured to determine whether the application corresponding to the identity identification key belongs to a preset application whitelist, and if so, to determine that the application is legitimate.
The apparatus further includes: a reading module configured to read an RSA public key from the register or the separate security chip; and a decryption module configured to verify, with the RSA public key, the whitelist data (the application whitelist as signed with the RSA private key) and to decrypt the whitelist data with aes_cbc_128 to obtain the application whitelist.
The apparatus further includes: an encryption module configured to encrypt the application whitelist with aes_cbc_128 and sign the result with an RSA private key to obtain the whitelist data; and a saving module configured to store the RSA public key corresponding to the RSA private key in the register or the separate security chip.
The apparatus further includes: an authentication module configured to authenticate the signaling exchanged between the application client and the server with the server's RSA public key, where the server's public key is stored in the register or the separate security chip and the server's private key corresponding to that public key is stored on the server side.
Through the embodiments of the invention, an identity identification key of an application that accesses specified data is obtained, the key being generated from the application's identifier and a hardware key read from a register or a separate security chip; whether the application is legitimate is determined according to that key, and the application's access to the specified data is controlled according to the determination result. This solves the problem that the permission control methods for accessing data in the related art are limited, making permission control over data access more flexible and diverse, and more secure.
Brief description of the drawings
The drawings described here are provided for a further understanding of the invention and form part of this application; the illustrative embodiments of the invention and their description serve to explain the invention and do not unduly limit it. In the drawings:
FIG. 1 is a flowchart of an access control method according to an embodiment of the present invention;
FIG. 2 is a block diagram showing the structure of an access control apparatus according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a system of application software according to a preferred embodiment of the present invention;
FIG. 4 is a flowchart of application identity authentication according to a preferred embodiment of the present invention;
FIG. 5 is a schematic diagram of the verification process of an application whitelist according to a preferred embodiment of the present invention;
FIG. 6 is a schematic diagram of the application client and server signaling encryption process according to a preferred embodiment of the present invention.
具体实施方式detailed description
下文中将参考附图并结合实施例来详细说明本发明。需要说明的是,在不冲突的情况下,本申请中的实施例及实施例中的特征可以相互组合。The invention will be described in detail below with reference to the drawings in conjunction with the embodiments. It should be noted that the embodiments in the present application and the features in the embodiments may be combined with each other without conflict.
发明人发现,采用相关技术中的方式进行权限控制,会存在以下缺陷:首先,这种控制方式仅仅对上述特定类别权限和数据访问进行了控制,具有局限性,不能对任意敏感的数据进行安全保护;其次,这种控制方式并没有从应用身份认证方面进行访问控制,更没有白名单机制,没有完整的解决方案;此外,对于应用客户端和服务器之间的指令传输,也没有进行认证保护。The inventor has found that the use of the method in the related art for access control has the following drawbacks: First, this control mode only controls the above specific categories of rights and data access, has limitations, and cannot secure any sensitive data. Protection; Secondly, this control method does not have access control from the application identity authentication, there is no whitelist mechanism, there is no complete solution; in addition, there is no authentication protection for the instruction transmission between the application client and the server. .
Based on the above considerations, this embodiment provides an access control method. FIG. 1 is a flowchart of the access control method according to an embodiment of the present invention. As shown in FIG. 1, the method includes the following steps:
Step S102: obtain an identity key of an application that accesses specified data, where the identity key is generated from the identifier of the application and a hardware key read from a register or a separate security chip;
Step S104: determine, according to the identity key, whether the application is legitimate, and control the application's access to the specified data according to the result.
Through the above steps, this embodiment generates an application's identity key from the application's identifier and a hardware key read from a register or a separate security chip, determines from that identity key whether the application is legitimate, and controls the application's access to the specified data accordingly. Access control thereby changes from per-application permission control to permission control on the protected data itself, and that control is bound to a hardware key. This addresses the limitations of the related art's permission control over data access and makes that control more flexible and more secure.
Preferably, when determining from the identity key whether the application is legitimate, a whitelist may be used: determine whether the application corresponding to the identity key is in a preset application whitelist and, if so, treat the application as legitimate.
Preferably, the whitelist may itself be signed and encrypted using the hardware key. Specifically, the application whitelist is encrypted with aes_cbc_128 and then signed with an RSA private key to obtain the whitelist data, and the RSA public key corresponding to that RSA private key is stored in the register or the separate security chip. Correspondingly, when the whitelist is needed, the RSA public key is read from the register or the separate security chip before checking whether the application corresponding to the identity key is in the preset whitelist; the whitelist data signed with the RSA private key is verified with that RSA public key, and the whitelist data is then decrypted with aes_cbc_128 to recover the application whitelist.
Preferably, the above hardware key may also be used to sign and encrypt the signaling exchanged between the application client and the server. Specifically, the signaling between the application client and the server is authenticated with the server's RSA public key, where the server's public key is stored in the register or the separate security chip and the server's private key corresponding to that public key is kept on the server side.
Corresponding to the above method, this embodiment also provides an access control apparatus, which is configured to implement the above embodiments and preferred implementations; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the apparatus described in the following embodiments is preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
FIG. 2 is a structural block diagram of the access control apparatus according to an embodiment of the present invention. As shown in FIG. 2, the apparatus includes an obtaining module 22 and a control module 24, each described in detail below:
The obtaining module 22 is configured to obtain the identity key of an application that accesses specified data, where the identity key is generated from the identifier of the application and a hardware key read from a register or a separate security chip. The control module 24, connected to the obtaining module 22, is configured to determine from the identity key whether the application is legitimate and to control the application's access to the specified data according to the result.
Preferably, the control module 24 may include a determining unit configured to determine whether the application corresponding to the identity key is in a preset application whitelist and, if so, to treat the application as legitimate.
Preferably, the apparatus may further include a reading module, connected to the control module 24 and configured to read the RSA public key from the register or the separate security chip; and a decryption module, connected to the reading module and configured to verify, with the RSA public key, the whitelist data signed with the RSA private key, and to decrypt the whitelist data with aes_cbc_128 to recover the application whitelist.
Preferably, the apparatus may further include an encryption module configured to encrypt the application whitelist with aes_cbc_128 and sign it with the RSA private key to produce the whitelist data; and a saving module, connected to the reading module and configured to store the RSA public key corresponding to the RSA private key in the register or the separate security chip.
Preferably, the apparatus further includes an authentication module configured to authenticate the signaling between the application client and the server with the server's RSA public key, where the server's public key is stored in the register or the separate security chip and the server's private key corresponding to that public key is kept on the server side.
The following description is given with reference to preferred embodiments, which combine the above embodiments and their preferred implementations.
Smartphones carry more and more applications, and many of them need to access user data on the phone: social applications read the address book, navigation applications read the phone's location, and authentication software reads the phone's identifiers. Users are often unaware that applications are reading this information, and applications frequently access data unrelated to their own function, which creates opportunities for information leakage.
On a terminal device, some data should be accessible only to designated applications, and access to that data by any other application is treated as illegitimate and dangerous; examples include personal finance data, private files and social account data, which are easily stolen by malware if any application can read them. Related technical solutions may encrypt such data, but the encryption key and the encrypted data are both kept in a shared storage area, and there is no identity authentication of the application that accesses the data. This preferred embodiment designs an application identity authentication mechanism based on a hardware device, which not only ensures that only legitimate applications access the specified data but also adds protection to the application's wireless signaling exchanges, greatly reducing the likelihood that critical data is lost.
Accordingly, the following preferred embodiments provide a method and apparatus for systematic authentication of application permissions. With systematic authentication of application permissions, important data can be kept in baseband registers or in a separate security chip, and applications on the phone can be assigned different permission management levels: applications at a high security level must be authenticated before they can access the data in the designated baseband registers or security chip, while low-level applications, which need no authentication, cannot access that data at all.
This scheme keeps the keys used to authenticate applications in registers or in a security chip, physically isolated from ordinary data, which greatly reduces the chance of their being stolen or tampered with by trojans and malware; it also adds authentication to the access mechanism so that only applications with a legitimate identity can run and access the data, which is valuable both for the security of user data and for the systematic management of application permissions. In the application access mechanism, permissions are managed through a whitelist, which keeps the list of applications extensible while keeping management effective. In addition, the identity authentication key held in hardware is used to strengthen the authentication of the command exchange between the application client and the server; every key used in that exchange is read through the secure interface, which ensures that the application performing the read has been identity-authenticated.
This preferred embodiment is based on ARM TrustZone technology. TrustZone(TM) appears in the ARMv6KZ and later application core architectures. It provides a low-cost way to add a dedicated security core to a system on a chip (SoC): a hardware-enforced access control mechanism supports two virtual processors, allowing the application core to switch between two states (usually called "worlds", to avoid confusion with the names of other functional domains), so that information cannot leak from the more trusted world to the less secure one. This switching between worlds is generally orthogonal to the processor's other functions, so each world can operate independently while still using the same core.
This preferred embodiment provides a method and apparatus for application identity authentication. To fundamentally prevent malicious programs from accessing important data, an application's access permission is authenticated in combination with the key in the hardware chip, so that only legitimate applications access legitimate data. FIG. 3 is a schematic diagram of the system structure of the application software according to the preferred embodiment. As shown in FIG. 3, the application client on the left embeds a security module that has been signed in advance with a key unique to each application. After the application starts, whenever it needs to access controlled data, the security module calls the interface encapsulated by the device system to access the protected data; when the application client calls that interface, the device system invokes the authentication module to verify the application's identity. FIG. 4 is a flowchart of application identity authentication according to the preferred embodiment; the application identity authentication flow is as shown in FIG. 4.
FIG. 5 is a schematic diagram of the verification flow of the application whitelist according to the preferred embodiment. As shown in FIG. 5, the application whitelist is verified as follows:
The application whitelist is first encrypted with aes_cbc_128 and then signed with the RSA private key; the RSA public key is stored in a hardware register, and the signed data is built into the software system. When an application accesses controlled data, the verification and matching flow is started.
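The whitelist protection described in the preferred embodiment above and in the FIG. 5 flow, together with the identity key of steps S102 and S104, written out as a runnable example. This is added illustration, not code from the patent or from the applicant: the patent fixes aes_cbc_128 for encryption and an RSA signature whose public key sits in a register, but it names neither the derivation of the identity key nor where the AES key is kept, so the example assumes HMAC-SHA256 over the application identifier keyed with the hardware key, a 16-byte AES key that the device reads through the same secure interface, PKCS#7 padding, and a PKCS#1 v1.5 signature over IV||ciphertext. The function names (DeriveIdentityKey, SealWhitelist, OpenWhitelist), the package identifiers and all key material are constructed. The ordering the flow relies on is kept: the signature is checked before anything is decrypted, because CBC by itself provides no integrity and a padding error on unverified ciphertext would otherwise be observable.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// DeriveIdentityKey binds the application identifier to the hardware key read from
// the register or security chip (step S102). The page names no KDF; HMAC-SHA256 is assumed.
func DeriveIdentityKey(hwKey []byte, appID string) []byte {
	m := hmac.New(sha256.New, hwKey)
	m.Write([]byte(appID))
	return m.Sum(nil)
}

// IdentityKeyHex is the line format of the plaintext whitelist: one hex identity key per line.
func IdentityKeyHex(hwKey []byte, appID string) string {
	return hex.EncodeToString(DeriveIdentityKey(hwKey, appID))
}

// IsAuthorized re-derives the caller's identity key and looks it up in the decrypted whitelist (step S104).
func IsAuthorized(whitelist, hwKey []byte, appID string) bool {
	want := IdentityKeyHex(hwKey, appID)
	for _, line := range strings.Split(string(whitelist), "\n") {
		if strings.TrimSpace(line) == want {
			return true
		}
	}
	return false
}

// SealWhitelist is the provisioning step: AES-128-CBC with a fresh IV and PKCS#7 padding,
// then an RSA signature over IV||ciphertext. Output layout: IV || ciphertext || signature.
func SealWhitelist(plain, aesKey []byte, priv *rsa.PrivateKey) ([]byte, error) {
	block, err := aes.NewCipher(aesKey) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	body := append(iv, ct...)
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return append(body, sig...), nil
}

// OpenWhitelist is the device-side flow of FIG. 5: verify with the public key read from the
// register, and only then decrypt. CBC has no integrity of its own, so an unverified blob never reaches the decrypter.
func OpenWhitelist(sealed, aesKey []byte, pub *rsa.PublicKey) ([]byte, error) {
	sigLen := pub.Size()
	if len(sealed) < 2*aes.BlockSize+sigLen || (len(sealed)-sigLen)%aes.BlockSize != 0 {
		return nil, errors.New("whitelist blob has bad length")
	}
	body, sig := sealed[:len(sealed)-sigLen], sealed[len(sealed)-sigLen:]
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("whitelist signature invalid: %w", err)
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:] // authentic here, so the layout is the sealer's
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-pad], nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)     // vendor signing key (constructed)
	hwKey := []byte("constructed-hw-key-0123456789ab") // stands in for the register value
	aesKey := []byte("constructed-aes!")               // 16 bytes; where the page keeps it is not stated
	sealed, _ := SealWhitelist([]byte(IdentityKeyHex(hwKey, "com.example.bank")+"\n"), aesKey, priv)
	plain, err := OpenWhitelist(sealed, aesKey, &priv.PublicKey)
	fmt.Println(err, IsAuthorized(plain, hwKey, "com.example.bank"), IsAuthorized(plain, hwKey, "com.example.other"))
}
```

With this layout a tampered or truncated blob, or one signed with any key other than the one in the register, fails at verification and is never decrypted; an application whose identifier is not on the list, or a list copied to a device with a different hardware key, fails the membership check because the identity key no longer matches.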
FIG. 6 is a schematic diagram of the signaling encryption flow between the application client and the server according to the preferred embodiment. As shown in FIG. 6, the server's RSA public key is stored in a hardware register, the application reads that public key through the security module, and the server's private key is kept on the server side. In the signaling exchange between the application client and the server, the identities of the two parties are authenticated using the public key held in the hardware register, which secures the communication; the software interaction flow is as shown in FIG. 6.
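The signaling authentication of FIG. 6 as an added example, not the patent's or the applicant's code: the server signs each signaling message with its private key, and the client's security module verifies the signature against the server public key it read from the hardware register. The page does not say how the signature is bound to a message, so the example assumes RSA-PSS over SHA-256 of a sequence number concatenated with the payload, with the client rejecting any message whose sequence number does not increase; without such a counter a captured message could be replayed at will. One caveat a practitioner should keep in mind: a public key pinned on the client authenticates the server to the client only. Authenticating the client to the server, which the "mutual authentication" claimed below would need, requires a client-held secret such as the identity key, and the page does not detail that half. The type and function names and the command strings are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Signal is one server-to-client signaling message: a sequence number, the
// command payload, and the server's signature over both.
type Signal struct {
	Seq     uint64
	Payload []byte
	Sig     []byte
}

// signalDigest hashes seq || payload so that the signature also covers the replay counter.
func signalDigest(seq uint64, payload []byte) []byte {
	h := sha256.New()
	var b [8]byte
	binary.BigEndian.PutUint64(b[:], seq)
	h.Write(b[:])
	h.Write(payload)
	return h.Sum(nil)
}

// ServerSign runs on the server, which is where the private key stays.
func ServerSign(priv *rsa.PrivateKey, seq uint64, payload []byte) (Signal, error) {
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, signalDigest(seq, payload), nil)
	if err != nil {
		return Signal{}, err
	}
	return Signal{Seq: seq, Payload: payload, Sig: sig}, nil
}

// ClientVerifier holds the server public key that the security module read from the
// hardware register, plus the highest sequence number accepted so far.
type ClientVerifier struct {
	Pub     *rsa.PublicKey
	lastSeq uint64
}

// Accept returns the payload only if the signature verifies under the pinned key and
// the sequence number is fresh; replayed and reordered copies are rejected.
func (c *ClientVerifier) Accept(s Signal) ([]byte, error) {
	if err := rsa.VerifyPSS(c.Pub, crypto.SHA256, signalDigest(s.Seq, s.Payload), s.Sig, nil); err != nil {
		return nil, fmt.Errorf("signaling signature invalid: %w", err)
	}
	if s.Seq <= c.lastSeq {
		return nil, errors.New("replayed or stale signaling message")
	}
	c.lastSeq = s.Seq
	return s.Payload, nil
}

func main() {
	serverKey, _ := rsa.GenerateKey(rand.Reader, 2048)  // server-side private key (constructed)
	client := &ClientVerifier{Pub: &serverKey.PublicKey} // public half, as if read from the register
	msg, _ := ServerSign(serverKey, 1, []byte("UNLOCK_DATA com.example.bank"))
	payload, err := client.Accept(msg)
	fmt.Printf("%q %v\n", payload, err)
	_, err = client.Accept(msg) // the same message delivered again is a replay
	fmt.Println(err)
}
```

The sequence number is per client and must be persisted across restarts on the client side, otherwise a stored message could be replayed after a reboot; the server likewise needs to keep its counter monotonic across its own restarts.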
It should be noted that: 1) in the application identity authentication flow, a unique key need not be generated for every application, which simplifies the design logic, but then all applications share the same identity authentication key; even though that key is kept in a hardware register, malware may obtain it by imitating the calling interface, which weakens the authentication. 2) In the whitelist verification flow, the relevant public key may instead be kept in ordinary flash storage, but that area is shared by all applications, so there is a risk of its being accessed by other applications.
In addition, the application identity authentication mechanism of this preferred embodiment can be applied in many scenarios, especially in highly privacy-sensitive applications such as banking, shopping and social networking.
The application identity authentication mechanism of this preferred embodiment has the following advantages:
(1) On a terminal device, some data should be accessible only to designated applications, and access by any other application is treated as illegitimate and dangerous. Existing solutions may encrypt the data, but the encryption key and the encrypted data are both kept in a shared storage area, and the application's identity is not authenticated for data access. The hardware-based application identity authentication mechanism of this preferred embodiment not only ensures that only legitimate applications access the specified data but also adds protection to the application's wireless signaling exchanges, greatly reducing the likelihood that critical data is lost.
(2) In the signaling exchange between the application client and the server, the key is kept in a hardware register, which reduces the risk of leakage, and the identities of the client and the server are mutually authenticated with this set of keys, which further secures the communication.
In another embodiment, software is provided that is configured to carry out the technical solutions described in the above embodiments and preferred embodiments.
In another embodiment, a storage medium is provided that stores the above software; the storage medium includes, but is not limited to, an optical disc, a floppy disk, a hard disk and rewritable memory.
Obviously, those skilled in the art will understand that the modules or steps of the present invention described above may be implemented with general-purpose computing devices; they may be concentrated on a single computing device or distributed over a network of several computing devices. Optionally, they may be implemented as program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; in some cases the steps shown or described may be performed in an order different from the one given here, or they may be fabricated as individual integrated circuit modules, or several of the modules or steps may be fabricated as a single integrated circuit module. The present invention is therefore not limited to any particular combination of hardware and software.
The above is only a preferred embodiment of the present invention and is not intended to limit it; those skilled in the art may make various modifications and variations. Any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.
Industrial applicability
As described above, the access control method and apparatus provided by the embodiments of the present invention have the following beneficial effect: they address the limitations of the related art's permission control over data access, making that control more flexible, more varied and more secure.

Claims (10)

  1. An access control method, comprising:
    obtaining an identity key of an application that accesses specified data, wherein the identity key is generated from the identifier of the application and a hardware key read from a register or a separate security chip;
    determining, according to the identity key, whether the application is legitimate, and controlling the application's access to the specified data according to the result.
  2. The method according to claim 1, wherein determining, according to the identity key, whether the application is legitimate comprises:
    determining whether the application corresponding to the identity key is in a preset application whitelist and, if so, determining that the application is legitimate.
  3. The method according to claim 1, wherein, before determining whether the application corresponding to the identity key is in the preset application whitelist, the method further comprises:
    reading an RSA public key from the register or the separate security chip;
    verifying, with the RSA public key, whitelist data corresponding to the application whitelist signed with an RSA private key, and decrypting the whitelist data with aes_cbc_128 to obtain the application whitelist.
  4. The method according to claim 3, wherein, before reading the RSA public key from the register or the separate security chip, the method further comprises:
    encrypting the application whitelist with aes_cbc_128 and signing it with the RSA private key to obtain the whitelist data;
    storing the RSA public key corresponding to the RSA private key in the register or the separate security chip.
  5. The method according to claim 1, further comprising:
    authenticating the signaling between an application client and a server with the server's RSA public key, wherein the server's public key is stored in the register or the separate security chip and the server's private key corresponding to that public key is kept on the server side.
  6. An access control apparatus, comprising:
    an obtaining module configured to obtain an identity key of an application that accesses specified data, wherein the identity key is generated from the identifier of the application and a hardware key read from a register or a separate security chip;
    a control module configured to determine, according to the identity key, whether the application is legitimate, and to control the application's access to the specified data according to the result.
  7. The apparatus according to claim 6, wherein the control module comprises:
    a determining unit configured to determine whether the application corresponding to the identity key is in a preset application whitelist and, if so, to determine that the application is legitimate.
  8. The apparatus according to claim 6, further comprising:
    a reading module configured to read an RSA public key from the register or the separate security chip;
    a decryption module configured to verify, with the RSA public key, whitelist data corresponding to the application whitelist signed with an RSA private key, and to decrypt the whitelist data with aes_cbc_128 to obtain the application whitelist.
  9. The apparatus according to claim 8, further comprising:
    an encryption module configured to encrypt the application whitelist with aes_cbc_128 and sign it with the RSA private key to obtain the whitelist data;
    a saving module configured to store the RSA public key corresponding to the RSA private key in the register or the separate security chip.
  10. The apparatus according to claim 6, further comprising:
    an authentication module configured to authenticate the signaling between an application client and a server with the server's RSA public key, wherein the server's public key is stored in the register or the separate security chip and the server's private key corresponding to that public key is kept on the server side.
PCT/CN2014/094852 2014-07-21 2014-12-24 Access control method and device WO2015117523A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410346485.XA CN105282117A (en) 2014-07-21 2014-07-21 Access control method and device
CN201410346485.X 2014-07-21

Publications (1)

Publication Number Publication Date
WO2015117523A1 true WO2015117523A1 (en) 2015-08-13

Family

ID=53777324

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/094852 WO2015117523A1 (en) 2014-07-21 2014-12-24 Access control method and device

Country Status (2)

Country Link
CN (1) CN105282117A (en)
WO (1) WO2015117523A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105243311A (en) * 2015-10-19 2016-01-13 广东欧珀移动通信有限公司 Fingerprint information safe calling method, fingerprint information safe calling device and mobile terminal
CN111797430A (en) * 2020-06-30 2020-10-20 平安国际智慧城市科技股份有限公司 Data verification method, device, server and storage medium

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106790178B (en) * 2016-12-30 2019-10-25 网宿科技股份有限公司 Anti-intrusion authentication method, system and device
CN107358114A (en) * 2017-06-12 2017-11-17 深圳市金立通信设备有限公司 A kind of method and terminal for preventing user data loss
CN110990331B (en) * 2019-12-03 2023-09-05 飞腾信息技术有限公司 System-on-chip key management method, device, equipment and readable storage medium
CN111783113A (en) * 2020-06-22 2020-10-16 济南浪潮高新科技投资发展有限公司 Data access authority control method based on SAS Controller
CN114091027B (en) * 2021-12-01 2023-08-29 海光信息技术股份有限公司 Information configuration method, data access method, related device and equipment

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102546172A (en) * 2011-12-16 2012-07-04 北京握奇数据***有限公司 Access control method of intelligent card, intelligent card, terminal and system

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4473256B2 (en) * 2006-12-27 2010-06-02 インターナショナル・ビジネス・マシーンズ・コーポレーション Information processing apparatus, method, and program for controlling resource access by application program
CN101655892A (en) * 2009-09-22 2010-02-24 成都市华为赛门铁克科技有限公司 Mobile terminal and access control method
CN101938563B (en) * 2010-09-09 2013-08-14 宇龙计算机通信科技(深圳)有限公司 Protection method, system and mobile terminal of SIM card information
CN202551356U (en) * 2012-02-02 2012-11-21 厦门欣嘉朗光电科技有限公司 IOT (Internet Of Things) access transmission module
CN103455520A (en) * 2012-06-04 2013-12-18 北京三星通信技术研究有限公司 Method and device for accessing Android database
CN102693395B (en) * 2012-06-07 2015-02-11 北京奇虎科技有限公司 Method and device for intercepting calling of application program for service
CN103812649B (en) * 2012-11-07 2017-05-17 中国电信股份有限公司 Method and system for safety access control of machine-card interface, and handset terminal

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102546172A (en) * 2011-12-16 2012-07-04 北京握奇数据***有限公司 Access control method of intelligent card, intelligent card, terminal and system

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105243311A (en) * 2015-10-19 2016-01-13 广东欧珀移动通信有限公司 Fingerprint information safe calling method, fingerprint information safe calling device and mobile terminal
CN105243311B (en) * 2015-10-19 2017-02-22 广东欧珀移动通信有限公司 Fingerprint information safe calling method, fingerprint information safe calling device and mobile terminal
US10713381B2 (en) 2015-10-19 2020-07-14 Guangdong Oppo Mobile Telecommunications Corp., Ltd. Method and apparatus for securely calling fingerprint information, and mobile terminal
CN111797430A (en) * 2020-06-30 2020-10-20 平安国际智慧城市科技股份有限公司 Data verification method, device, server and storage medium
CN111797430B (en) * 2020-06-30 2023-10-03 平安国际智慧城市科技股份有限公司 Data verification method, device, server and storage medium

Also Published As

Publication number Publication date
CN105282117A (en) 2016-01-27


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14881895

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14881895

Country of ref document: EP

Kind code of ref document: A1