CN-121997366-A - Fine granularity security access control method, system, computer equipment and medium for trusted application

Abstract

The invention discloses a fine-granularity security access control method, a system, a computer device and a medium for a trusted application. In the method, an application developer randomly generates an application signature credential, applies for access rights to the trusted application from the background server of a terminal device manufacturer, and receives an authorization signature for the trusted application returned by that background server. When the current APP calls the trusted application, an access authorization verification program of the trusted application is triggered: the system server of the terminal device checks the authorization signature using the terminal device manufacturer's background server public key preset in the application installation package, calls the trusted application after the verification passes, and completes the access flow of the trusted application. The invention realizes flexible authorization, accurate shielding and dynamic adaptation of application access to trusted applications, and improves the security protection capability and service adaptation efficiency of the terminal device.

Inventors

  • PAN LANLAN

Assignees

  • 深圳开鸿数字产业发展有限公司

Dates

Publication Date
20260508
Application Date
20251229

Claims (19)

  1. A fine-grained secure access control method for trusted applications, the method comprising: an application developer randomly generates an application signature credential, applies for access rights to a trusted application from the background server of a terminal equipment manufacturer, and receives an authorization signature of the trusted application returned by the background server of the terminal equipment manufacturer, wherein the application signature credential comprises an application signature private key and an application signature certificate of the trusted application; the application developer makes and issues an application installation package containing authorization information, wherein the authorization information comprises the authorization signature of the trusted application and a background server public key of the terminal equipment manufacturer; when the current APP calls the trusted application, an access authorization verification program of the trusted application is triggered, the system server of the terminal equipment checks the authorization signature using the background server public key of the terminal equipment manufacturer preset in the application installation package, calls the trusted application after the verification passes, and completes the access flow of the trusted application.
  2. The fine-grained security access control method for trusted applications of claim 1, further comprising: if the background server of the terminal equipment manufacturer receives a shielding access request, shielding the trusted application access authorization program of the appointed version of the APP based on the shielding access request.
  3. The fine-grained security access control method for trusted applications according to claim 2, wherein the application developer randomly generating an application signature credential and applying for access rights to the trusted application from the background server of the terminal equipment manufacturer comprises: the application developer randomly generates a key pair to obtain the application signature credential; the application developer registers the generated application signature certificate with the background server of the terminal equipment manufacturer; the background server of the terminal equipment manufacturer randomly generates a background server key pair, wherein the background server key pair comprises a background server private key of the terminal equipment manufacturer and a background server public key of the terminal equipment manufacturer; the application developer constructs authorization request parameters and submits the constructed authorization request parameters to the background server of the terminal equipment manufacturer.
  4. The fine-grained security access control method for trusted applications of claim 3, wherein the authorization request parameters include an application name of the trusted application, the application signature certificate, a trusted application identification number, and the trusted application instruction range for which access is applied.
  5. The fine-grained security access control method for trusted applications according to claim 4, wherein receiving the authorization signature of the trusted application returned by the background server of the terminal equipment manufacturer comprises: after auditing the authorization request parameters, the terminal equipment manufacturer signs the authorization request parameters using the background server private key of the terminal equipment manufacturer to obtain the authorization signature of the trusted application, and returns the authorization signature of the trusted application to the application developer.
  6. The fine-grained security access control method for trusted applications of claim 5, wherein the application developer making and publishing an application installation package containing authorization information comprises: the application developer embeds the trusted application identification number, the trusted application instruction range for which access is applied, the authorization signature and the background server public key of the terminal equipment manufacturer in an application binary file; the application developer signs the application binary file embedded with the related information using the application signature certificate to obtain a trusted application signature; the application developer constructs an application installation package and issues it to the background server of the terminal manufacturer, wherein the application installation package comprises the application binary file embedded with the related information, the trusted application signature and the application signature certificate from the application signature credential.
  7. The fine-grained security access control method for trusted applications according to claim 6, wherein, if the background server of the terminal equipment manufacturer receives a shielding access request, shielding the trusted application access authorization program of the specified version of the APP based on the shielding access request comprises: if the background server of the terminal equipment manufacturer receives a shielding access request, constructing shielding request parameters; the background server of the terminal equipment manufacturer signs the shielding request parameters using the background server private key of the terminal equipment manufacturer to generate an application shielding signature; generating shielding information based on the shielding request parameters, the application shielding signature and the background server public key of the terminal equipment manufacturer; the background server of the terminal equipment manufacturer pushes the shielding information to the system server of the terminal equipment so that the system server of the terminal equipment checks the shielding information.
  8. The fine-grained security access control method for trusted applications of claim 7, wherein the shielding request parameters include the application name, the application signature certificate, the application identification number, and the APP version information of the application to be shielded.
  9. The fine-grained security access control method for trusted applications according to claim 7, wherein the system server of the terminal equipment checking the shielding information comprises: acquiring the background server public key of the terminal equipment manufacturer preset in the system server of the terminal equipment when it leaves the factory; checking whether the background server public key of the terminal equipment manufacturer in the shielding information is consistent with the background server public key of the terminal equipment manufacturer preset at the factory; if they are consistent, the system server of the terminal equipment checks the application shielding signature using the preset background server public key of the terminal equipment manufacturer; and after the verification passes, the system server of the terminal equipment caches the shielding request parameters.
  10. The fine-grained security access control method for trusted applications according to claim 9, wherein triggering the access authorization verification program of the trusted application when the current APP calls the trusted application comprises: after the terminal equipment installs the application installation package, the current APP calls the related interface, requesting execution of a trusted application identification number and a trusted application instruction, and triggering the access authorization verification program of the trusted application.
  11. The fine-grained security access control method for trusted applications according to claim 10, wherein the system server of the terminal equipment checking the authorization signature using the background server public key of the terminal equipment manufacturer preset in the application installation package comprises: the system server of the terminal equipment reads the authorization information in the application installation package installed by the current APP; the system server of the terminal equipment checks whether the trusted application instruction currently requested for execution is in the application binary file of the application installation package; if so, the system server of the terminal equipment checks whether the current APP matches the application to be shielded in the shielding request parameters; if it does not match, the system server of the terminal equipment checks whether the background server public key of the terminal equipment manufacturer embedded in the application installation package installed by the current APP is consistent with the background server public key of the terminal equipment manufacturer preset by the system server of the terminal equipment; if they are consistent, the system server of the terminal equipment verifies the authorization signature using the background server public key of the terminal equipment manufacturer preset by the system server of the terminal equipment.
  12. The fine-grained security access control method for trusted applications according to claim 11, wherein calling the trusted application after the verification passes and completing the access flow of the trusted application comprises: after the verification passes, the system server of the terminal equipment transmits the trusted application identification number to the trusted execution environment to request calling the corresponding trusted application; the system server of the terminal equipment transmits instruction parameters to the called trusted application through the trusted execution environment, so that the trusted application executes the corresponding internal function based on the instruction parameters to obtain an execution result; and the system server of the terminal equipment receives the execution result of the trusted application and feeds it back to the current APP.
  13. A fine-grained security access control system for trusted applications, wherein the system is configured to implement the fine-grained security access control method for trusted applications according to any of claims 1-12, the system comprising an application developer, a background server of a terminal equipment manufacturer and a system server of a terminal equipment; wherein the application developer comprises: an access right application module, used to randomly generate an application signature credential and apply for access rights to the trusted application from the background server of the terminal equipment manufacturer, wherein the application signature credential comprises an application signature private key and an application signature certificate of the trusted application; an authorization signature receiving module, used to receive the authorization signature of the trusted application returned by the background server of the terminal equipment manufacturer; an application installation package making and issuing module, used to make and issue an application installation package containing authorization information, wherein the authorization information comprises the authorization signature of the trusted application and the background server public key of the terminal equipment manufacturer; and the system server of the terminal equipment comprises: an authorization signature verification module, used to trigger the access authorization verification program of the trusted application when the current APP calls the trusted application, verify the authorization signature using the background server public key of the terminal equipment manufacturer preset in the application installation package, call the trusted application after the verification passes, and complete the access flow of the trusted application.
  14. The fine-grained security access control system for trusted applications of claim 13, wherein the background server of the terminal equipment manufacturer comprises: a shielding control module, used to shield the trusted application access authorization program of the appointed version of the APP based on a shielding access request after receiving the shielding access request.
  15. The fine-grained security access control system for trusted applications of claim 14, wherein the application installation package making and issuing module comprises: an information embedding unit, used to embed the trusted application identification number, the trusted application instruction range for which access is applied, the authorization signature and the background server public key of the terminal equipment manufacturer in the application binary file; a file signing unit, used to sign the application binary file embedded with the related information using the application signature certificate to obtain a trusted application signature; and an installation package construction and release unit, used by the application developer to construct an application installation package and release it to the background server of the terminal manufacturer, wherein the application installation package comprises the application binary file embedded with the related information, the trusted application signature and the application signature certificate from the application signature credential.
  16. The fine-grained security access control system for trusted applications of claim 15, wherein the shielding control module comprises: a shielding request constructing unit, configured to construct shielding request parameters if the background server of the terminal equipment manufacturer receives a shielding access request; a shielding signature generating unit, used to sign the shielding request parameters using the background server private key of the terminal equipment manufacturer to generate an application shielding signature; a shielding information generating unit, configured to generate shielding information based on the shielding request parameters, the application shielding signature and the background server public key of the terminal equipment manufacturer; and a shielding information pushing unit, used to push the shielding information to the system server of the terminal equipment so that the system server of the terminal equipment verifies the shielding information.
  17. The fine-grained security access control system for trusted applications of claim 16, wherein the authorization signature verification module comprises: an authorization information reading unit, used to read the authorization information in the application installation package installed by the current APP; an instruction checking unit, used to check whether the trusted application instruction currently requested for execution is in the application binary file of the application installation package; the system server of the terminal equipment, used to check whether the current APP matches the application to be shielded in the shielding request parameters; a public key checking unit, used to check, if it does not match, whether the background server public key of the terminal equipment manufacturer embedded in the application installation package installed by the current APP is consistent with the background server public key of the terminal equipment manufacturer preset by the system server of the terminal equipment; and an authorization signature verification unit, used to verify the authorization signature using the background server public key of the terminal equipment manufacturer preset by the system server of the terminal equipment if they are consistent.
  18. A computer device comprising a memory, a processor and a fine-grained security access control program for trusted applications stored in the memory and executable on the processor, the processor implementing the steps of the fine-grained security access control method for trusted applications of any of claims 1-12 when executing the program.
  19. A computer readable storage medium having stored thereon a fine-grained security access control program for trusted applications, the program implementing the steps of the fine-grained security access control method for trusted applications of any of claims 1-12 when executed.
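As an added illustration (not code from the patent or its assignee), the following Go program models the flow of claims 4 to 11 with Ed25519 signatures: the OEM background server signs the authorization request parameters, the developer embeds them with the OEM public key in the installation package, and the system server checks the instruction range, the cached shielding parameters, the embedded-key consistency and the authorization signature under its factory-preset key. All names, the JSON canonical encoding, and the use of a byte string in place of the application signature certificate are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// AuthRequest: what the developer submits and the OEM signs (claim 4); AppCert stands in for the certificate.
type AuthRequest struct {
	AppName string          `json:"app"`
	AppCert []byte          `json:"cert"`
	TAID    string          `json:"ta"`
	Cmds    map[string]bool `json:"cmds"` // instruction range the APP applied for
}

// InstallPackage: authorization information embedded in the APP binary (claim 6).
type InstallPackage struct {
	Req     AuthRequest
	AuthSig []byte            // OEM authorization signature over Req
	OEMPub  ed25519.PublicKey // OEM public key shipped inside the package
	Version string
}

// ShieldRequest: shielding parameters of claim 8 (name, certificate and version to be shielded).
type ShieldRequest struct{ AppName, Version string; AppCert []byte }
// canon gives a deterministic encoding so signer and verifier sign the same bytes (an assumption here).
func canon(v any) []byte { b, _ := json.Marshal(v); return b }
// OEMServer signs authorization and shielding parameters with its private key (claims 5 and 7).
type OEMServer struct{ Priv ed25519.PrivateKey }
func (o OEMServer) Sign(params any) []byte { return ed25519.Sign(o.Priv, canon(params)) }

// SystemServer keeps the factory-preset OEM public key and the cache of verified shield requests.
type SystemServer struct{ PresetPub ed25519.PublicKey; shielded []ShieldRequest }
// ReceiveShield applies the checks of claim 9 before caching the shielding parameters.
func (s *SystemServer) ReceiveShield(sr ShieldRequest, sig []byte, pushedPub ed25519.PublicKey) error {
	if !bytes.Equal(pushedPub, s.PresetPub) || !ed25519.Verify(s.PresetPub, canon(sr), sig) {
		return errors.New("shield info rejected: key mismatch or bad signature")
	}
	s.shielded = append(s.shielded, sr)
	return nil
}

// Authorize runs the access checks of claim 11 when the APP requests a TA instruction.
func (s *SystemServer) Authorize(p InstallPackage, taID, cmd string) error {
	if p.Req.TAID != taID || !p.Req.Cmds[cmd] {
		return errors.New("instruction not in authorized range")
	}
	for _, sh := range s.shielded {
		if sh.AppName == p.Req.AppName && bytes.Equal(sh.AppCert, p.Req.AppCert) && sh.Version == p.Version {
			return errors.New("APP version is shielded")
		}
	}
	// Only the preset key verifies and the embedded key must equal it, so a substituted OEM key is rejected.
	if !bytes.Equal(p.OEMPub, s.PresetPub) || !ed25519.Verify(s.PresetPub, canon(p.Req), p.AuthSig) {
		return errors.New("authorization signature rejected")
	}
	return nil
}

func main() {
	oemPub, oemPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo OEM key pair
	req := AuthRequest{"com.example.pay", []byte("demo-cert"), "ta-payment", map[string]bool{"sign": true}}
	pkg := InstallPackage{req, OEMServer{oemPriv}.Sign(req), oemPub, "1.0"}
	fmt.Println((&SystemServer{PresetPub: oemPub}).Authorize(pkg, "ta-payment", "sign"))
}
```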

Description

Fine granularity security access control method, system, computer equipment and medium for trusted application

Technical Field

The present invention relates to the field of application security access technologies, and in particular to a method, a system, a computer device and a medium for fine-grained security access control of trusted applications.

Background

With the rapid development of the mobile internet and intelligent terminals, users' sensitive operations on terminal devices (such as payment, login and data encryption) are increasing, and so are the security requirements of those services. The trusted execution environment (TEE, Trusted Execution Environment), an independent secure area in the terminal device, provides an isolated execution environment for sensitive code and data, ensures that they are not tampered with or stolen by malicious software during execution, and has become one of the core technologies of terminal security. In the TEE architecture, applications running inside the TEE are called trusted applications (TA, Trusted Application) and handle the core sensitive logic (e.g. key generation, encryption operations, payment verification); applications running in the rich execution environment (REE, Rich Execution Environment) are called client applications (CA, Client Application) and request TA services by invoking the interfaces provided by the TEE. The terminal equipment manufacturer (OEM, Original Equipment Manufacturer) provides the underlying support for the TEE, the TAs and the terminal system (DeviceOS), and its back-end server (OEMServer) manages services such as application release and authority configuration.
In the prior art, authority control for CA access to a TA mainly follows two schemes, a trusted application checking scheme and a terminal system checking scheme. Both can realize basic access control, but they have the following obvious defects in practical application and are difficult to reconcile with the requirements of terminal security and service flexibility. Accordingly, there is a need in the art for improvement.

Disclosure of Invention

Aiming at the defects in the prior art, the invention provides a fine-granularity security access control method, a system, computer equipment and a medium for trusted applications, and the technical scheme adopted by the invention is as follows.

In a first aspect, the present invention provides a fine-grained security access control method for trusted applications, the method comprising: an application developer randomly generates an application signature credential, applies for access rights to a trusted application from the background server of a terminal equipment manufacturer, and receives an authorization signature of the trusted application returned by the background server of the terminal equipment manufacturer, wherein the application signature credential comprises an application signature private key and an application signature certificate of the trusted application; the application developer makes and issues an application installation package containing authorization information, wherein the authorization information comprises the authorization signature of the trusted application and a background server public key of the terminal equipment manufacturer; when the current APP calls the trusted application, an access authorization verification program of the trusted application is triggered, the system server of the terminal equipment checks the authorization signature using the background server public key of the terminal equipment manufacturer preset in the application installation package, calls the trusted application after the verification passes, and completes the access flow of the trusted application.

In one implementation, the method further comprises: if the background server of the terminal equipment manufacturer receives a shielding access request, shielding the trusted application access authorization program of the appointed version of the APP based on the shielding access request.

In one implementation, the application developer randomly generating an application signature credential and applying for access rights to the trusted application from the background server of the terminal equipment manufacturer comprises: the application developer randomly generates a key pair to obtain the application signature credential; the application developer registers the generated application signature certificate with the background server of the terminal equipment manufacturer; the background server of the terminal equipment manufacturer randomly generates a background server key pair, wherein the background server key pair comprises a background server private key of the terminal equipment manufacturer and a background server public key of the terminal equipment manufacturer; T