CN-122001571-A - Cross-device invocation method, apparatus, device and medium based on the HarmonyOS (Hongmeng) system
Abstract
The application relates to a method, apparatus, device and medium for cross-device invocation based on the HarmonyOS system, in the technical field of cross-device invocation. The method comprises: generating a signature certificate key pair in a trusted execution environment; receiving an encryption certificate key pair encrypted and encapsulated by a server; recovering the encryption certificate key pair through a key negotiation mechanism and storing the recovered encryption certificate key pair in the trusted execution environment; receiving data to be processed sent by a HarmonyOS client over a secure connection established with that client; performing a signature or decryption operation on the data to be processed, in the trusted execution environment, using the stored signature certificate key pair and the recovered encryption certificate key pair; and returning the result of the signature or decryption operation to the HarmonyOS client over the secure connection.
Inventors
- WANG ZHIYONG
- WANG FU
- LIU XIAOQING
- ZHAO YU
- LIU JUNE
- LI YUECHEN
Assignees
- 中金金融认证中心有限公司
Dates
- Publication Date
- 20260508
- Application Date
- 20260128
Claims (10)
- 1. A cross-device invocation method based on the HarmonyOS system, the method being performed by a HarmonyOS device side and comprising: generating a signature certificate key pair in a trusted execution environment, receiving an encryption certificate key pair encrypted and encapsulated by a server, recovering the encryption certificate key pair through a key negotiation mechanism, and storing the recovered encryption certificate key pair in the trusted execution environment; establishing a secure connection with a HarmonyOS client; and receiving data to be processed sent by the HarmonyOS client through the secure connection, performing a signature or decryption operation on the data to be processed using the signature certificate key pair stored in the trusted execution environment and the recovered encryption certificate key pair, and returning the result of the signature or decryption operation to the HarmonyOS client through the secure connection.
- 2. The method of claim 1, wherein generating the signature certificate key pair in the trusted execution environment and receiving the encryption certificate key pair encrypted and encapsulated by the server comprises: in response to the user completing identity authentication in the HarmonyOS device application, initiating a national-cryptography dual-certificate application request to the server; receiving the public key of a temporary ECC key pair generated by the server according to the dual-certificate application request; generating an SM2 signature certificate key pair in the trusted execution environment, constructing a certificate signing request comprising the public key of the SM2 signature certificate key pair and the public key of the temporary ECC key pair, and generating an import key pair of the HarmonyOS client in the trusted execution environment; and sending the certificate signing request and the import key pair of the HarmonyOS client to the server, and receiving the public key of the server's import key pair and encrypted key material returned by the server, wherein the encrypted key material is obtained by the server encapsulating the encryption certificate key pair with a shared key negotiated under the elliptic curve Diffie-Hellman protocol.
- 3. The method of claim 2, wherein recovering the encryption certificate key pair through the key negotiation mechanism and storing the recovered encryption certificate key pair in the trusted execution environment comprises: in the trusted execution environment, executing the elliptic curve Diffie-Hellman protocol using the private key of the import key pair of the HarmonyOS client and the public key of the import key pair of the server to derive the shared key; and decrypting the key material with the shared key, and storing the decrypted encryption certificate key pair in the trusted execution environment.
- 4. The method of claim 1, wherein establishing the secure connection with the HarmonyOS client comprises: in the lifecycle callback invoked after the business page of the HarmonyOS client has loaded, calling the NearLink (StarFlash) service interface to create a NearLink service instance, and calling the advertising interface to start advertising; and starting NearLink scanning to discover the advertised service of the HarmonyOS client, and establishing a NearLink secure connection with the HarmonyOS client through the advertised service.
- 5. The method of claim 4, wherein receiving the data to be processed sent by the HarmonyOS client through the secure connection comprises: receiving the data to be processed sent by the HarmonyOS client through the NearLink secure connection, wherein the data to be processed comprises at least transaction information and ciphertext to be decrypted.
- 6. The method of claim 5, wherein performing the signature or decryption operation on the data to be processed using the signature certificate key pair stored in the trusted execution environment and the recovered encryption certificate key pair, and returning the result of the signature or decryption operation to the HarmonyOS client through the secure connection, comprises: displaying the transaction information to the user through a trusted user interface; after receiving a confirmation instruction entered by the user through the trusted user interface on the basis of the transaction information, performing an SM2 signature or SM2 decryption operation on the data to be processed using the signature certificate key pair stored in the trusted execution environment and the recovered encryption certificate key pair; and returning the result of the SM2 signature or SM2 decryption operation to the HarmonyOS client through the NearLink secure connection, and disconnecting the NearLink secure connection.
- 7. The method of claim 6, wherein the transaction information includes at least one of a transaction amount, a payee, and a type of operation.
- 8. A cross-device invocation apparatus based on the HarmonyOS system, applied to a HarmonyOS device side, comprising: a recovery module, configured to generate a signature certificate key pair in a trusted execution environment, receive an encryption certificate key pair encrypted and encapsulated by a server, recover the encryption certificate key pair through a key negotiation mechanism, and store the recovered encryption certificate key pair in the trusted execution environment; an establishment module, configured to establish a secure connection with a HarmonyOS client; and a receiving module, configured to receive data to be processed sent by the HarmonyOS client through the secure connection, perform a signature or decryption operation on the data to be processed using the signature certificate key pair stored in the trusted execution environment and the recovered encryption certificate key pair, and return the result of the signature or decryption operation to the HarmonyOS client through the secure connection.
- 9. An electronic device comprising a storage medium, a processor and a computer program stored on the storage medium and executable on the processor, wherein the processor, when executing the computer program, implements the HarmonyOS-based cross-device invocation method of any one of claims 1 to 7.
- 10. A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the HarmonyOS-based cross-device invocation method of any one of claims 1 to 7.
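The import flow of claims 2 and 3, as an added example that is not part of the patent: the server encapsulates the encryption-certificate private key under a key derived by ECDH between the two import key pairs, and the device unwraps it inside the TEE. Assumed, because the patent does not specify them: P-256 stands in for SM2 (Go's standard library has no SM2), the key derivation is a labelled SHA-256 over the ECDH shared secret, and AES-256-GCM is the wrapping cipher.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// importAEAD derives the shared key of claim 3: ECDH between one side's import
// private key and the peer's import public key, hashed with a context label into
// a 256-bit AES-GCM key. Assumption: P-256 stands in for SM2 (not in Go's stdlib).
func importAEAD(own *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := own.ECDH(peer)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write([]byte("enc-cert-import-kek")) // constructed label, not from the patent
	h.Write(shared)
	block, _ := aes.NewCipher(h.Sum(nil)) // 32-byte key: NewCipher cannot fail here
	return cipher.NewGCM(block)
}

// wrapKey (server side): encrypt the encryption-certificate private key; output is nonce || ciphertext || tag.
func wrapKey(server *ecdh.PrivateKey, device *ecdh.PublicKey, encPriv []byte) ([]byte, error) {
	gcm, err := importAEAD(server, device)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, encPriv, nil), nil
}

// unwrapKey (device TEE side): a tampered blob fails the GCM tag check and yields an error, not a key.
func unwrapKey(device *ecdh.PrivateKey, server *ecdh.PublicKey, material []byte) ([]byte, error) {
	gcm, err := importAEAD(device, server)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(material) < n {
		return nil, errors.New("key material too short")
	}
	return gcm.Open(nil, material[:n], material[n:], nil)
}
```

Because the wrap is authenticated, a modified or truncated blob, or one wrapped for a different import key pair, is rejected before anything is stored as a key.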
Description
Cross-device invocation method, apparatus, device and medium based on the HarmonyOS (Hongmeng) system
Technical Field
The application relates to the technical field of cross-device invocation, and in particular to a cross-device invocation method, apparatus, device and medium based on the HarmonyOS system.
Background
With the rapid development of information technology, information security has become a key foundation for national security, social stability and economic development. The national commercial cryptography management system (hereinafter "national cryptography") has become a hard requirement for security compliance in key fields such as government affairs, finance and the Internet of Things. Using the national cryptographic algorithms SM2, SM3 and SM4 for identity authentication, data encryption and signature verification is a necessary means of guaranteeing information security in these fields. Meanwhile, the HarmonyOS operating system breaks down barriers between devices through its unique distributed architecture and provides a solid operating-system foundation for seamless collaboration and data flow among multiple devices such as mobile phones, tablets and PCs. However, within the HarmonyOS ecosystem, how to meet the strict compliance requirements of the national cryptographic algorithms while using the distributed advantages to achieve secure storage and secure cross-device invocation of the national cryptography dual certificate (that is, the signature certificate and the encryption certificate) is the technical problem currently to be solved.
The existing scheme is mainly a PKI-based device authentication and communication encryption scheme: a digital certificate is installed on the mobile terminal, a trust relationship with the PC terminal is established by verifying the peer's certificate chain, a session key is derived by a key negotiation algorithm, and an end-to-end encrypted communication channel is established with the session key. Although this scheme effectively solves the problems of identity authentication and communication channel encryption between devices, it cannot meet the special key management requirements of the national cryptography dual-certificate scenario (in particular, the encryption private key is generated by the server), nor does it address how to securely import that key into the mobile terminal's Trusted Execution Environment (TEE).
Disclosure of Invention
In view of this, the present application provides a method, apparatus, device and medium for cross-device invocation based on the HarmonyOS system, which mainly aims to solve the technical problem that the existing scheme effectively solves identity authentication and communication channel encryption between devices but cannot meet the special key management requirements (especially the generation of the encryption private key by the server) of the national cryptography dual-certificate scenario, nor the problem of how to securely import such keys into the mobile terminal Trusted Execution Environment (TEE).
In a first aspect, the present application provides a cross-device invocation method based on the HarmonyOS system, performed by a HarmonyOS device side, comprising: generating a signature certificate key pair in a trusted execution environment, receiving an encryption certificate key pair encrypted and encapsulated by a server, recovering the encryption certificate key pair through a key negotiation mechanism, and storing the recovered encryption certificate key pair in the trusted execution environment; establishing a secure connection with a HarmonyOS client; and receiving data to be processed sent by the HarmonyOS client through the secure connection, performing a signature or decryption operation on the data to be processed using the signature certificate key pair stored in the trusted execution environment and the recovered encryption certificate key pair, and returning the result of the signature or decryption operation to the HarmonyOS client through the secure connection. In a second aspect, the present application provides a cross-device invocation apparatus based on the HarmonyOS system, applied to a HarmonyOS device side, comprising: a recovery module, configured to generate a signature certificate key pair in a trusted execution environment, receive an encryption certificate key pair encrypted and encapsulated by a server, recover the encryption certificate key pair through a key negotiation mechanism, and store the recovered encryption certificate key pair in the trusted execution environment; an establishment module, configured to establish a secure connection with a HarmonyOS client; and a receiving module, configured to receive data to be processed sent by the HarmonyOS client through the secure connection, executing sign