CN-121365418-B - Realization system for multiple application authorization passwords based on trusted equipment hierarchy
Abstract
The invention relates to a realization system for multiple application authorization passwords based on a trusted device hierarchy. The system comprises an interface service module, a hierarchy authorization management program, a trusted device management service module and a hierarchy authorization password ciphertext storage module. The interface service module provides application authorization passwords to realize the service call of the trusted device hierarchy multi-application authorization password; the hierarchy authorization management program manages the trusted device hierarchy authorization password; and the trusted device management service module obtains the trusted device hierarchy authorization password. The invention solves the problem of misuse of the hierarchy authorization password that arises when several applications acquire hierarchy authorization and all of them verify with the same authorization password.
Inventors
- Bian Xiuning
- Yue Jiayuan
- Xu Ye
- Yang Zhaojun
- Wei Lifeng
- Kong Jinzhu
Assignees
- 麒麟软件有限公司
Dates
- Publication Date
- 20260512
- Application Date
- 20251223
Claims (8)
- 1. A realization system for multiple application authorization passwords based on a trusted device hierarchy, characterized by comprising an interface service module, a hierarchy authorization management program, a trusted device management service module and a hierarchy authorization password ciphertext storage module, wherein: the trusted device is a trusted platform module (TPM) or a trusted cryptographic module (TCM), and each hierarchy of the TPM/TCM supports setting only a single authorization password; the interface service module is connected with the trusted device management service module, faces different application programs, and provides the application program authorization password through the unique id of the application program to realize the service call of the trusted device hierarchy multi-authorization password, so that different application programs obtain the unique trusted device hierarchy authorization password through their different application program authorization passwords; the hierarchy authorization management program is connected with the trusted device management service module and is used for receiving an administrator authorization password input by an authorization administrator and/or an application authorization password transmitted to the trusted device management service module by the interface service module, and for managing the trusted device hierarchy authorization password, so that a trusted device hierarchy authorization password encrypted by the administrator authorization password is generated, a ciphertext of the trusted device hierarchy authorization password encrypted by the application authorization password is generated or destroyed, and the generated ciphertext of the trusted device hierarchy authorization password encrypted by the application authorization password is stored in the hierarchy authorization password ciphertext storage module; the hierarchy authorization management program manages the trusted device hierarchy authorization password, and generating the trusted device hierarchy authorization password encrypted by the administrator authorization password comprises the following steps: step S11, inputting an administrator authorization password; step S12, calling the trusted device to generate a random number and taking the generated random number as the trusted device hierarchy authorization password; step S13, encrypting the trusted device hierarchy authorization password with the administrator authorization password; step S14, calculating the unique id of the hierarchy authorization management program; step S15, taking the unique id of the hierarchy authorization management program as an index to obtain the trusted device hierarchy authorization password encrypted by the administrator authorization password; the trusted device management service module is connected with the interface service module and the hierarchy authorization password ciphertext storage module and is used for decrypting, based on the application authorization password received by the interface service module, the ciphertext of the trusted device hierarchy authorization password encrypted by that application authorization password, to obtain the trusted device hierarchy authorization password; the trusted device management service module uses the unique id value of the application program as an index to find the application program authorization password, decrypts with it the ciphertext stored in the hierarchy authorization password ciphertext storage module (the ciphertext being the trusted device hierarchy authorization password encrypted by the application program authorization password), obtains the trusted device hierarchy authorization password after decryption, performs authentication based on the plaintext of the trusted device hierarchy authorization password, and thereby determines the operation authority of the application program over the trusted device.
- 2. The system for realizing multiple application authorization passwords based on a trusted device hierarchy of claim 1, wherein managing the trusted device hierarchy authorization password by the hierarchy authorization management program further comprises canceling the trusted device hierarchy authorization password.
- 3. The system of claim 2, wherein canceling the trusted device hierarchy authorization password setting by the hierarchy authorization management program comprises: step S21, inputting an administrator authorization password; step S22, decrypting the trusted device hierarchy authorization password with the administrator authorization password; step S23, canceling the setting of the trusted device hierarchy authorization password; and step S24, deleting the trusted device hierarchy authorization password encrypted by the application authorization password.
- 4. The system of claim 1, wherein generating, by the hierarchy authorization management program, the ciphertext of the trusted device hierarchy authorization password encrypted by the application authorization password comprises: step S31, inputting an administrator authorization password; step S32, decrypting, with the administrator authorization password, the trusted device hierarchy authorization password encrypted by the administrator authorization password that was generated by the hierarchy authorization management program, to obtain the decrypted trusted device hierarchy authorization password; step S33, setting an application program authorization password; step S34, encrypting the trusted device hierarchy authorization password with the application authorization password; step S35, calculating the unique id of the application program; and step S36, taking the unique id of the application program as an index to obtain the ciphertext of the trusted device hierarchy authorization password encrypted by the application program authorization password.
- 5. The system of claim 4, wherein in step S35 the unique id of the application program is calculated by a hash algorithm.
- 6. The system of claim 1, wherein destroying, by the hierarchy authorization management program, the ciphertext of the trusted device hierarchy authorization password encrypted by the application authorization password comprises: step S41, inputting an administrator authorization password; step S42, decrypting the trusted device hierarchy authorization password encrypted by the administrator authorization password that was generated by the hierarchy authorization management program, to obtain the decrypted trusted device hierarchy authorization password; step S43, inputting an application program authorization password; step S44, decrypting the ciphertext of the trusted device hierarchy authorization password encrypted by the application authorization password, to obtain a decrypted trusted device hierarchy authorization password; and step S45, judging whether the trusted device hierarchy authorization passwords decrypted in step S42 and step S44 are consistent: if not, the ciphertext is not destroyed; if so, the ciphertext of the trusted device hierarchy authorization password encrypted by the application authorization password is destroyed.
- 7. The system of claim 1, wherein the hierarchy authorization password ciphertext storage module is arranged in TEE secure memory or in an encryption card device.
- 8. The system of claim 1, wherein the ciphertext storage format of the trusted device hierarchy authorization password encrypted by the application authorization password is set to a 32-byte program hash value followed by 16 bytes of SM4-encrypted authorization password ciphertext.
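The claims above describe one procedure from several angles: the management program generates the hierarchy authorization value, wraps it under the administrator password (S11 to S15), wraps a further copy under each application's own password indexed by the application's hash (S31 to S36), the service module unwraps the copy for a calling application and lets the trusted device authenticate the plaintext (claim 1), and destruction first checks that the administrator's view and the application's view agree (S41 to S45). The following Python model is an added illustration of that flow, not code from the patent or its assignee. It assumes a simulated trusted device in place of a real TPM/TCM, SHA-256 for the program hash of claim 5, PBKDF2 as the (unspecified) password-to-key derivation, and, because the Python standard library has no SM4, an HMAC-derived one-time XOR keystream as a labelled stand-in for the SM4 encryption of claim 8; the 32-byte hash plus 16-byte ciphertext record layout is taken from claim 8.

```python
import hashlib
import hmac
import os

HASH_LEN = 32                    # claim 8: 32-byte program hash prefix
AUTH_LEN = 16                    # claim 8: 16-byte encrypted authorization value
RECORD_LEN = HASH_LEN + AUTH_LEN # one stored record: hash || ciphertext


class SimulatedTrustedDevice:
    """Stand-in for one TPM/TCM hierarchy (constructed for this example).
    A hierarchy holds exactly one authorization value and is the only party
    that decides whether a presented value is valid."""

    def __init__(self):
        self._hierarchy_auth = None

    def get_random(self, n):
        # Step S12: the real system asks the trusted device for the random value.
        return os.urandom(n)

    def set_hierarchy_auth(self, value):
        self._hierarchy_auth = value

    def clear_hierarchy_auth(self):
        # Step S23: cancel the hierarchy authorization setting.
        self._hierarchy_auth = None

    def authorize(self, candidate):
        # Authentication happens at the device, on the decrypted plaintext (claim 1).
        return self._hierarchy_auth is not None and hmac.compare_digest(self._hierarchy_auth, candidate)


def program_id(name):
    # Claim 5: the unique id is a hash of the program; SHA-256 is an assumption.
    return hashlib.sha256(name.encode()).digest()


def derive_wrap_key(password, salt):
    # Password-derived wrapping key; the patent names no KDF, PBKDF2 is an assumption.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=AUTH_LEN)


def wrap(key, secret):
    # Stand-in for the SM4 encryption of claim 8: XOR with an HMAC-derived keystream.
    # Each derived key wraps exactly one 16-byte random value, so the keystream is never reused.
    stream = hmac.new(key, b"hierarchy-auth-wrap", "sha256").digest()[:AUTH_LEN]
    return bytes(a ^ b for a, b in zip(secret, stream))


unwrap = wrap  # XOR is its own inverse


class HierarchyAuthStore:
    """Hierarchy authorization management program plus the ciphertext storage module."""

    MANAGER_NAME = "hierarchy-authorization-manager"  # hypothetical program identity

    def __init__(self, device):
        self.device = device
        self.records = {}  # 32-byte index -> 48-byte record (hash || ciphertext)

    def _put(self, index, ciphertext):
        self.records[index] = index + ciphertext  # claim 8 record layout

    def _get(self, index):
        record = self.records.get(index)
        return None if record is None else record[HASH_LEN:]

    def setup(self, admin_password):
        # Steps S11-S15: random value from the device, wrapped under the admin password.
        auth = self.device.get_random(AUTH_LEN)
        self.device.set_hierarchy_auth(auth)
        idx = program_id(self.MANAGER_NAME)
        self._put(idx, wrap(derive_wrap_key(admin_password, idx), auth))
        return auth

    def _admin_unwrap(self, admin_password):
        idx = program_id(self.MANAGER_NAME)
        ciphertext = self._get(idx)
        return None if ciphertext is None else unwrap(derive_wrap_key(admin_password, idx), ciphertext)

    def grant(self, admin_password, app_name, app_password):
        # Steps S31-S36; checking the admin's view against the device is an added safeguard.
        auth = self._admin_unwrap(admin_password)
        if auth is None or not self.device.authorize(auth):
            return False
        idx = program_id(app_name)
        self._put(idx, wrap(derive_wrap_key(app_password, idx), auth))
        return True

    def service_lookup(self, app_name, app_password):
        # Trusted device management service module: index by app hash, unwrap, hand to device.
        idx = program_id(app_name)
        ciphertext = self._get(idx)
        return None if ciphertext is None else unwrap(derive_wrap_key(app_password, idx), ciphertext)

    def revoke(self, admin_password, app_name, app_password):
        # Steps S41-S45: destroy only if the admin view and the app view agree.
        admin_view = self._admin_unwrap(admin_password)
        app_view = self.service_lookup(app_name, app_password)
        if admin_view is None or app_view is None or not hmac.compare_digest(admin_view, app_view):
            return False
        del self.records[program_id(app_name)]
        return True

    def cancel(self, admin_password):
        # Steps S21-S24: clear the device setting and delete every wrapped copy.
        auth = self._admin_unwrap(admin_password)
        if auth is None or not self.device.authorize(auth):
            return False
        self.device.clear_hierarchy_auth()
        self.records.clear()
        return True
```

The point the model makes visible is that no application ever holds the hierarchy authorization value at rest: each record is a copy wrapped under that application's own password, so revoking one application (or a wrong password) leaves the other applications' access and the device's setting untouched, and a wrong application password simply yields a value the device rejects.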
Description
Realization system for multiple application authorization passwords based on trusted equipment hierarchy
Technical Field
The invention relates to the technical field of trusted security, and in particular to a realization system for multiple application authorization passwords based on a trusted device hierarchy.
Background
A trusted platform module (TPM) is a security co-processor with cryptographic algorithm capabilities that provides a protected cryptographic engine, secure key management, platform integrity measurement, storage and reporting, a hierarchical structure, and access control. The trusted cryptography module (TCM) is a security chip standard for trusted computing developed independently in China; it is functionally aligned with the international TPM and likewise provides a protected cryptographic engine, secure key management, platform integrity measurement, storage and reporting, a hierarchical structure, and access control. TPM 2.0/TCM 2.0 use several independent hierarchies (for example the platform hierarchy, owner hierarchy and endorsement hierarchy) to isolate and manage keys and data for different purposes. The hierarchy authorization password is an independent authorization mechanism of each hierarchy through which fine-grained authority control is achieved. A trusted device hierarchy can have only one authorization password set, so when several application programs acquire the right to use the hierarchy, the same authorization password is used by all of them for verification and acquisition of authorization. If the hierarchy authorization data is disclosed, a malicious user can use the hierarchy authorization password to modify the keys and data under that hierarchy at will. As shown in fig. 1, after the trusted device has a hierarchy authorization password set, suppose user 1 has authority to execute application 1, user 2 has authority to execute application 2 and application 3, and applications 1, 2 and 3 create NV indexes on the same hierarchy; once user 2 learns the hierarchy authorization password, the NV index space created by application 1 can be maliciously deleted and reinitialized, resulting in data tampering.
Disclosure of Invention
In order to overcome the defects of the prior art, the invention provides a realization system for multiple application authorization passwords based on a trusted device hierarchy, comprising an interface service module, a hierarchy authorization management program, a trusted device management service module and a hierarchy authorization password ciphertext storage module, wherein: the interface service module is connected with the trusted device management service module, faces different application programs, and provides the application program authorization password through the unique id of the application program to realize the service call of the trusted device hierarchy multi-authorization password, so that different application programs obtain the unique trusted device hierarchy authorization password through their different application program authorization passwords; the hierarchy authorization management program is connected with the trusted device management service module and is used for receiving an administrator authorization password input by an authorization administrator and/or an application authorization password transmitted to the trusted device management service module by the interface service module, and for managing the trusted device hierarchy authorization password, so that a trusted device hierarchy authorization password encrypted by the administrator authorization password is generated, a ciphertext of the trusted device hierarchy authorization password encrypted by the application authorization password is generated or destroyed, and the generated ciphertext of the trusted device hierarchy authorization password encrypted by the application authorization password is stored in the hierarchy authorization password ciphertext storage module; the trusted device management service module is connected with the interface service module and the hierarchy authorization password ciphertext storage module and is used for decrypting, based on the application authorization password received by the interface service module, the ciphertext of the trusted device hierarchy authorization password encrypted by that application authorization password, to obtain the trusted device hierarchy authorization password. The trusted device management service module finds the application program authorization password by taking the unique id value of the application program as an index, decrypts with it the ciphertext stored in the hierarchy authorization password ciphertext storage module (the trusted device hierarchy authorization password encrypted by the application program authorization password) to obtain the trusted device hierarchy authorization password, authenticates the plain