[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

WO2014117648A1 - Application access method and device - Google Patents

Application access method and device Download PDF

Info

Publication number
WO2014117648A1
WO2014117648A1 PCT/CN2014/070668 CN2014070668W WO2014117648A1 WO 2014117648 A1 WO2014117648 A1 WO 2014117648A1 CN 2014070668 W CN2014070668 W CN 2014070668W WO 2014117648 A1 WO2014117648 A1 WO 2014117648A1
Authority
WO
WIPO (PCT)
Prior art keywords
application
access device
digital certificate
server
access request
Prior art date
Application number
PCT/CN2014/070668
Other languages
French (fr)
Chinese (zh)
Inventor
刘小元
孙增才
何庆建
Original Assignee
华为终端有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为终端有限公司 filed Critical 华为终端有限公司
Publication of WO2014117648A1 publication Critical patent/WO2014117648A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/006Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving public key infrastructure [PKI] trust models
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823Network architectures or network communication protocols for network security for authentication of entities using certificates
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3265Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate chains, trees or paths; Hierarchical trust model

Definitions

  • the present invention relates to communication technologies, and in particular, to an application access method and device.
  • a special encryption device such as a USB key is usually used to implement a security scheme such as encryption and decryption in the transaction process to ensure the security of the transaction process, that is, to enhance the security when accessing the application.
  • the above-mentioned dedicated encryption device generally stores some security information corresponding to the application, such as a digital certificate, a private key, etc.; during the access process of the application, the application uses the above security in the dedicated encryption device. The information is processed by security authentication, data encryption, etc. to ensure application access security.
  • the drawback of this method is that the security of the application access is too dependent on the peripherals of the dedicated encryption device. If the user does not carry the dedicated encryption device, the application access cannot be performed securely, and the user may work. It is very inconvenient to make an impact; and, for different applications, you need to use a dedicated encryption device customized for the application. If you want to use both the online banking client and the securities trading client, you may need to carry and use two. One Too strong and inconvenient for application access.
  • the present invention provides an application access method and apparatus to reduce reliance on secure peripherals.
  • the first aspect provides an application access method, where the method includes: an application access device generates a security access request, where the security access request is used to request an application security service for an application running on the application access device;
  • the application access device generates a key pair according to the security access request, where the key pair includes a public key and a private key;
  • the application access device uses the public key to apply for obtaining a digital certificate to the certificate server, and the application accesses
  • the device establishes a connection with the application server by using the digital certificate; after the connection is established with the application server, the application access device encrypts data transmitted between the application access device and the application server by using the private key.
  • the method further includes: the application access device storing a correspondence between the digital certificate and the application.
  • the method further includes: The application access device detects, according to the correspondence, whether a digital certificate corresponding to the application has been stored; when the detection result is yes, directly establishing a connection with the application server by using the stored digital certificate.
  • the second aspect provides an application access method, where the method includes: the application access device receives a security access request sent by the application running device, where the security access request is used to generate a key pair for running the security access request, The key pair includes a public key and a private key; the application access device sends the public key to the application running device, so that the application running device uses the public key to apply for obtaining a digital certificate to the certificate server. And the application running device establishes a connection with the application server by using the digital certificate; the application access device is transported in the application After the row device establishes a connection with the application server, the private key is used to encrypt data transmitted between the application running device and the application server.
  • the receiving, by the application running device, the security access request includes: receiving, by the application access device, a USB connection, a WIFI connection, and an NFC connection with the application access device Any one of the connected applications running the secure access request sent by the device.
  • the application accessing device when receiving the security access request sent by the application running device, includes: the application accessing the device
  • the PKCS#11 interface receives the security access request sent by the application running device.
  • the method further includes: The application access device receives the digital certificate sent by the application running device, and stores a correspondence between the digital certificate and the application.
  • the application access device after the application access device receives the security access request sent by the application running device, generate a key pair according to the security access request.
  • the method further includes: detecting, by the application access device, whether a digital certificate corresponding to the application has been stored according to the correspondence; and performing, when the detection result is yes, directly sending the stored digital certificate to the application Run the device so that
  • the third aspect provides an application access device, including: an interface unit, an encryption unit, and an application processing unit, where the interface unit is configured to receive a security access request generated by an application access device, where the security access request is used for the request to run
  • the application on the application access device provides an application security service
  • the encryption unit is configured to generate a key pair according to the secure access request, where the key pair includes a public key and a private key
  • the application processing unit is configured to apply for obtaining a digital certificate to the certificate server by using the public key. And establishing a connection with the application server through the digital certificate.
  • the encryption unit is further And configured to store a correspondence between the digital certificate and the application.
  • the encryption unit is further configured to: after the interface unit receives the secure access request, according to the secure access request Before generating the key pair, detecting, according to the stored correspondence, whether the digital certificate corresponding to the application has been stored; the application processing unit is further configured to directly execute when the detection result of the encryption unit is yes Establishing a connection with the application server through the stored digital certificate.
  • the fourth aspect provides an application access device, where the application access device establishes a communication connection with an application running device, where the application access device includes: an interface unit and an encryption unit, and the interface unit is configured to receive the application running device. Sending a secure access request, the entire service; and transmitting, by the encryption unit, the public key to the application running device, so that the application running device applies for the digital certificate to the certificate server using the public key, and
  • the encryption unit is configured to generate a key pair according to the secure access request, where the key pair includes a public key and a private key; and after the application running device establishes a connection with the application server, using the The private key encrypts data transmitted between the application running device and the application server.
  • the interface unit is configured to receive, by using the application access device, the application running by using any one of a USB connection, a WIFI connection, and an NFC connection. A secure access request sent by the device.
  • the interface unit is a PKCS#11 interface.
  • the interface unit is further configured to: after sending the public key to the application running device Receiving the digital certificate sent by the application running device;
  • the encryption unit is further configured to: after the interface unit receives the secure access request sent by the application running device, before generating the key pair according to the secure access request, according to the stored correspondence, detecting whether the storage unit has been stored
  • the interface unit is further configured to: when the detection result of the encryption unit is YES, directly send the digital certificate stored by the encryption unit to the application running device, so that The application running device establishes a connection with an application server using the digital certificate.
  • the technical effect of the application access method and device provided by the present invention is: generating a key pair by the application access device according to the secure access request of the application, so that the application can use the key pair to apply for the digital certificate and encrypt the data.
  • the security capability of the application access device itself is enhanced, so that the application access device can provide security guarantee for application access, no need to additionally increase the use of security peripherals outside the application access device, and reduce the security peripherals. rely.
  • FIG. 1 is a schematic structural diagram of an application access device according to an embodiment of the present invention
  • FIG. 2 is a schematic diagram of another embodiment of an application access device according to the present invention
  • FIG. 3 is a schematic structural diagram of another embodiment of an application access device according to the present invention
  • FIG. 5 is a schematic diagram of a working principle of another embodiment of an application access device according to the present invention
  • FIG. 6 is a schematic structural diagram of another embodiment of an application access device according to the present invention.
  • a schematic structural diagram of another embodiment of an application access device according to the present invention is a schematic flowchart of an embodiment of an application access method according to the present invention
  • FIG. 9 is a schematic flowchart diagram of an embodiment of an application access method according to the present invention.
  • the embodiment of the present invention enhances the security capability of the application access device itself, so that the application is accessed without using a secure peripheral.
  • the device provides security for application access.
  • the application refers to, for example, online banking, securities trading, and the like.
  • the application access device refers to a device used by the application during use. For example, if a user launches an online banking application on his tablet and uses the online banking service, the tablet is called an application.
  • the application access device of the present embodiment refers to a device capable of providing a security protection service for an application (such as the above-mentioned tablet providing a key pair).
  • the application access method of the embodiment of the present invention is a method performed by the application access device, that is, the embodiment of the present invention improves the application access device, so that the security capability of the device is enhanced, and the access of the application is provided. Services, which also change the way applications are accessed.
  • the application access device of the embodiment of the present invention can provide an access device for an application running on the device.
  • the device can have two different structures. The following is a description of the structure of the application access device in the above two cases and the working principle of the application access device in the corresponding structure:
  • Embodiment 1 FIG. 1 is a schematic structural diagram of an application access device according to an embodiment of the present invention.
  • the application access device of the structure can provide security services for applications running on the device; as shown in FIG. 1, the application access device can include: an interface unit 11, an encryption unit 12, and an application processing unit.
  • the interface unit 11 is configured to receive a secure access request for requesting application security services.
  • the secure access request refers to, for example, when using an online banking application, when The operation of the fund transaction, for example, the user clicks to trigger a step on the online bank.
  • the device on which the online bank runs is connected to the application server corresponding to the online bank.
  • the device sends the secure access request to the application access device of the embodiment, requesting to provide a security service, for example, requesting to generate a key pair.
  • the interface unit 11 instructs the encryption unit 12 to perform an encryption process for the auxiliary application to establish the secure connection according to the secure access request.
  • the application access device installs and runs an application, and the application access device itself generates the security access request.
  • the secure access request is actually sent by the application processing unit in the application access device (the application processing unit is a module that invokes the online banking application).
  • the above security access request is specifically sent when the application access device invokes the execution of the application, such as running online banking on the notebook, and when the online banking runs to when the notebook needs to send a secure access request, the application developer may
  • the application access device of the embodiment provides a security service for the application, as long as the application is designed to automatically trigger the application access device to send a secure access request to the interface unit 11 when the application access security is required.
  • the encryption unit 12 is configured to generate a key pair according to the secure access request, where the key pair includes a public key and a private key; and the operation of generating a key pair may use, for example, RSA (RSA public key force port)
  • RSA RSA public key force port
  • the secret algorithm was developed in 1977 by Ron Rivest, Adi Shamirh, and Len Adleman at the Massachusetts Institute of Technology, and the RSA was named from the name of the three of them. It is not detailed.
  • the generated public key will be sent by the encryption unit 12 to the interface unit 11, which in turn sends the public key to the application processing unit 13.
  • the application processing unit 13 is configured to apply, by using the public key, a certificate certificate (ie, a certificate authority (CA server)) to obtain a digital certificate (the certificate server will use the public key to generate a digital certificate)
  • a certificate certificate ie, a certificate authority (CA server)
  • CA server certificate authority
  • the digital certificate is a certificate uniquely corresponding to the application; and the application access device is established with the application server by using the digital certificate Secure connection.
  • the application access process of the present embodiment is directly stored in a dedicated encryption device such as a USB Key, and the application access device applied at runtime is directly used in the encryption device.
  • the digital certificate establishes a secure connection with the application server.
  • the application of the embodiment is generated by the encryption unit inside the application access device, and the application access device uses the public key to apply for the digital certificate and passes the certificate. Establish a connection to the application server.
  • the online banking of a bank uses the encryption device A
  • the online banking of another bank uses the encryption device B
  • the encryption device C used for the securities transaction, etc. not only requires the user to carry the encryption device with him or her
  • the encryption unit in the application access device can provide a key pair for the application in real time during the access process of the application, and the application can apply for a digital certificate in real time, and the encryption unit does not correspond to a specific application.
  • the encryption unit can be used by various applications; for example, the user's tablet is the application access device, and the tablet runs two applications of online banking and securities trading, and the two applications are at runtime tablet.
  • the encryption unit may be requested to generate a key pair for it.
  • the service for generating the key pair may be provided for any application, and each application may apply for a digital certificate corresponding to itself after obtaining the public key.
  • the application access device of the embodiment can provide services for various applications, which is very convenient, and improves the access efficiency of the application.
  • the process of establishing the connection between the application access device and the application server by using the digital certificate is a conventional technology, and the simple description is as follows:
  • the application access device sends a connection request to the application server, and carries a digital certificate corresponding to the application, and the application server will use the digital certificate.
  • the certificate is sent to the authentication server (that is, the VA server) for verification. If the authentication server passes the certificate verification, the application server returns a connection response to the application access device, and establishes a connection with the application access device.
  • the connection is established after the certificate is verified, so that the communication between the application access device and the application server can be ensured, that is, a secure connection.
  • the authentication of the certificate by the authentication server is that the authentication server uses the number received from the certificate server.
  • the certificate is compared with the certificate received from the application server. If the two are consistent, the verification is passed, and the certificate authentication server performs the verification of the certificate at this time.
  • the encryption unit 12 of the embodiment is further configured to perform encryption processing on data transmitted between the application access device and the application server by using the private key after the application access device establishes a connection with the application server.
  • the encryption process described herein includes: encrypting data transmitted between the application access device and the application server, and transmitting the data to the application server after being encrypted by the application access device side (for example, the application access device encrypts the data by using the private key, and the application server utilizes the public
  • the key decryption obtains data, and the public key is sent by the application access device to the application server, and also includes decrypting the data, and decrypting data sent by the application server to the application access device (for example, the application server encrypts the data by using the public key) , the application access device decrypts the data using the private key).
  • the application access device of this embodiment generates a key pair by the application access device according to the secure access request for requesting the application security service, so that the application access device can use the key pair to apply for the digital certificate and encrypt the data. Processing, establishing a secure connection with the application server, thereby enhancing the security capability of the application access device itself, so that the application access device can provide security guarantee for application access, and no additional need to increase the use security outside the application access device. Peripherals reduce the reliance on secure peripherals.
  • the application access device of the embodiment of the present invention can provide the working principle of the application access device in the two cases described in the second embodiment and the third embodiment for the application running on the device.
  • the second embodiment of the present invention provides a security service for an application running on the device.
  • FIG. 2 is a schematic diagram of the working principle of another embodiment of the application access device according to the present invention.
  • the application access device in this embodiment takes a tablet computer as an example, and the application uses an online banking as an example.
  • the online banking is an application running on a tablet computer. Therefore, the tablet computer is an application access device (ie, an application).
  • the device that provides the security service) is the application running device (that is, the device that installs and runs the application).
  • the application access device of this embodiment further includes an application processing unit 13 for calling and executing an online banking application; and the application office
  • the unit 13 is capable of communicating with the interface unit 11 in communication.
  • the application access device of the embodiment is also an application running device, the application access device can also communicate with the application server and the certificate server.
  • the transceiver unit 14 in the application access device communicates with the server. of.
  • the application processing unit 13 calls to execute the online banking, and the online banking starts running on the tablet; during the running process (for example, the user starts using the online banking on the tablet), according to the setting of the online banking, at a certain
  • the runtime application processing unit 13 will initiate a secure access request based on the pre-set of the online banking, which will be sent to the interface unit 11.
  • the tablet computer of the embodiment is installed with an android system, and an application such as an online bank running in the system may send a secure access request to the interface unit 11 at runtime.
  • the interface unit 11 instructs the encryption unit 12 to perform a service for generating a key pair according to the secure access request, and the public key generated by the encryption unit 12 is returned to the application processing unit 13 through the interface unit 11.
  • the application processing unit 13 sends the public key to the transceiver unit 14, instructing the transceiver unit 14 to apply for a digital certificate to the certificate server using the public key, and establish a secure connection with the application server using the certificate.
  • the transceiver unit 14 is only an interface between the tablet computer and the server.
  • the actual data transmission with the server is still the application processing unit 13.
  • the data is transmitted to the application server, which is sent by the application processing unit 13 to the transceiver unit 14, which is only responsible for forwarding the data to the application server, essentially still the communication between the application processing unit 13 and the application server.
  • the data may be sent to the encryption unit 12 through the interface unit 11, and the data is encrypted by the encryption unit 12 and then passed through the interface.
  • the unit 11 returns to the application processing unit 13, which in turn instructs the transceiver unit 14 to transmit the data to the application server.
  • the application processing unit 13 may send the data to the encryption unit 12 through the interface unit 11, decrypt the data by the encryption unit 12, and then return it to the application processing through the interface unit 11.
  • Unit 13 the application processing unit 13 obtains the data, and continues to run the online banking through the data.
  • FIG. 3 is a schematic structural diagram of another embodiment of an application access device according to the present invention.
  • the device in the embodiment may be referred to as an application running device.
  • the application access device may include: an interface unit 31 and an encryption unit 32.
  • the interface unit 31 is configured to receive a secure access request for requesting to provide an application security service, where the secure access request refers to, for example, when using an application of the online banking, when the funds are involved In the transaction operation, for example, the user clicks to trigger a certain step on the online banking.
  • the device on which the online banking is running must be connected to the application server corresponding to the online banking.
  • the connection is sent, so the device sends the secure access request to the application access device of the embodiment, requesting to provide a security service, for example, requesting to generate a key pair.
  • the interface unit 31 instructs the encryption unit 32 to perform an encryption process for the auxiliary application to establish the secure connection according to the secure access request.
  • the device that sends the foregoing security access request is an application running device that installs and runs an application, and the application running device is other devices than the application access device in this embodiment.
  • the secure access request is sent by the notebook to the embodiment.
  • the interface unit 31 of the access device is applied.
  • the above security access request is specifically sent when the application running device invokes the execution of the application, such as running online banking on the notebook, and when the online banking runs to when the notebook needs to send a secure access request, the application developer may
  • the application access device of the present embodiment provides security for the application by the application access device of the embodiment, as long as the application is configured to automatically trigger the application running device to send a secure access request to the interface unit 31 of the application access device of the embodiment. service.
  • the encryption unit 32 is configured to generate a key pair according to the secure access request, where the key pair includes a public key and a private key; and the operation of generating the key pair may use a conventional technology such as RSA, no longer Detailed.
  • the generated public key will be sent by the encryption unit 32 to the interface unit 31, and then the interface unit 31 sends the public key to the application running device, so that the application running device uses the public key to apply for obtaining a digital certificate from the certificate server.
  • the digital certificate is a certificate that uniquely corresponds to the application.
  • the application running device will establish a secure connection with the application server through the digital certificate.
  • the application access process of the present embodiment is directly stored in a dedicated encryption device such as a USB Key, and the application running device used in the runtime is directly used in the encryption device.
  • the digital certificate establishes a secure connection with the application server.
  • the application of the embodiment is requested by the application running device to request an encryption unit in the application access device to generate a public key, and the application running device uses the public key to apply for the digital certificate. And establish a connection with the application server through the certificate.
  • the digital certificate is equivalent to the application ID card and the different applications correspond to different digital certificates
  • the manner in which the digital certificate is pre-stored in an encryption device such as a USB Key in the prior art also enables the encryption device.
  • the online banking of a bank uses the encryption device A
  • the online banking of another bank uses the encryption device B
  • the encryption device C used for the securities transaction, etc. not only requires the user to carry the encryption device with him or her
  • the encryption unit in the application access device can provide a key pair for the application in real time during the access process of the application, and the application can apply for a digital certificate in real time, and the encryption unit does not correspond to a specific application.
  • the encryption unit can be used by various applications; for example, the user's tablet is the application access device, and the tablet runs two applications of online banking and securities trading, and the two applications are at runtime tablet.
  • the encryption unit may be requested to generate a key pair for it.
  • the service for generating the key pair may be provided for any application, and each application may apply for a digital certificate corresponding to itself after obtaining the public key.
  • the application access device of the embodiment can provide services for various applications, which is very convenient and improves the access efficiency of the application.
  • the application running device sends a connection request to the application server, and carries a digital certificate corresponding to the application, and the application server sends the digital certificate to the authentication server (ie, the VA server) for verification, if the authentication server After the certificate is verified, the application server returns a connection response to the application running device, and establishes a connection with the running device of the application. Since the connection is established after the certificate verification is passed, the application running device and the device can be guaranteed.
  • the communication security between the application servers is a secure connection.
  • the authentication of the certificate by the authentication server is performed by the authentication server by using the digital certificate received from the certificate server and the certificate received from the application server, and if the two are consistent, the verification is passed.
  • the authentication server performs the verification of the certificate at this time.
  • the encryption unit 32 of the embodiment is further configured to perform encryption processing on data transmitted between the application running device and the application server by using the private key after the application running device establishes a connection with the application server.
  • the encryption process described herein includes: encrypting data transmitted between the application running device and the application server, and transmitting the data to the application server after the application running device side encrypts (for example, the application running device encrypts the data by using the private key, and the application server utilizes the public
  • the key decryption obtains data, and the public key is sent by the application running device to the application server, and also includes decrypting the data, and decrypting data sent by the application server to the application running device (for example, the application server encrypts the data by using the public key) , the application running device decrypts the data by using the private key).
  • the application access device of this embodiment generates a key pair by the application access device according to the secure access request for requesting the application security service, so that the application running device can use the key pair to apply for the digital certificate and encrypt the data. Processing, establishing a secure connection with the application server, thereby enhancing the security capability of the application access device itself, so that the application access device can provide security guarantee for application access, and no additional need to increase the use security outside the application access device. Peripherals reduce the reliance on secure peripherals.
  • Embodiment 4 The application access device of this embodiment provides a security service for an application running on another device, and the other device is a device that communicates with the application access device of the embodiment through an external connection.
  • FIG. 4 is a schematic diagram of a working principle of still another embodiment of an application access device according to the present invention.
  • the application access device of this embodiment takes a tablet computer as an example, and the external device uses a notebook as an example, and the application uses an online banking as an example.
  • the online banking is an application running on a notebook, and therefore, the tablet is an application access.
  • the device, the notebook is the application running device.
  • the transceiver unit of the embodiment may be provided with a transceiver unit, wherein the notebook is provided with an application processing unit 21 and a transceiver unit 22, and the application processing unit 21 is configured to invoke an online banking application installed on the notebook, and the notebook can Communicating with the application server and the certificate server, and being able to communicate with the tablet computer, the transceiver unit 22 serves as an interface for the notebook to communicate with the server and the tablet.
  • the transceiver unit 22 can transfer the secure access request sent by the application processing unit 21.
  • the tablet is sent to the application processing unit 21 and the public key returned by the tablet is forwarded.
  • a transceiver unit 33 is also provided on the tablet as an interface for communication between the tablet and the notebook.
  • the application processing unit 21 on the notebook calls to execute the online banking, and the online banking starts running on the notebook; during the running process (for example, the user starts using the online banking on the tablet), according to the setting of the online banking, in a certain
  • the runtime application processing unit 21 will initiate a secure access request according to the preset of the online banking, and the secure access request will be sent to the interface on the tablet through the transceiver unit 22 on the notebook and the transceiver unit 33 on the tablet.
  • the interface unit 31 instructs the encryption unit 32 to perform a service for generating a key pair according to the secure access request, and the public key generated by the encryption unit 32 is returned to the application processing unit 21 on the notebook through the interface unit 31 and each of the above-described transceiver units.
  • the application processing unit 21 uses the public key to apply for a digital certificate to the certificate server, and uses the certificate to establish a secure connection with the application server, and the communication with the server in the process is forwarded by the transceiver unit 22.
  • the encryption unit 32 on the tablet of the embodiment may also be responsible for data encryption and decryption processing between the application processing unit 21 and the application server, and the process is similar to the previous embodiment.
  • the data encryption request may be sent to the interface unit 31 through the transceiver unit 22 on the notebook, the transceiver unit 33 on the tablet, and the data to be encrypted is carried; the interface unit 31
  • the encryption unit 32 is instructed to perform data encryption processing; the encryption unit 32 encrypts the data, and then returns it to the application processing unit 21 on the notebook through the interface unit 31 and the above-mentioned transceiver units, and the application processing unit 21 instructs the transceiver unit 22 to transmit the data.
  • the notebook and the tablet communicate with each other through an external connection, such as a Universal Serial Bus (USB) connection, a WIFI connection, and a near field communication (Near).
  • USB Universal Serial Bus
  • WIFI Wireless Fidelity
  • FIG. 5 is a schematic diagram of a working principle of another embodiment of an application access device according to the present invention.
  • This embodiment is described by taking an application running inside an application access device as an example.
  • the principle of this embodiment is also applicable to an external device.
  • the situation of operation As shown in FIG. 5, after the tablet computer applies for obtaining the digital certificate to the certificate server, the transceiver unit 14 sends the digital certificate received from the certificate server to the application processing unit 13, and then the application processing unit 13 sends the digital certificate to the interface. Unit 11, the interface unit 11 sends the certificate to the encryption unit 12.
  • the application processing unit 13 sends the digital certificate to the interface unit 11, the identifier of the online banking application can be carried, so that the interface unit 11 can send the application identifier and the digital certificate to the encryption unit 12.
  • the encryption unit 12 stores the received digital certificate and application identifier, and establishes a correspondence between the digital certificate and the application identifier, that is, establishes a correspondence between the digital certificate and the online banking application.
  • the interface unit 11 forwards the secure access request sent by the application processing unit 13 to the encryption unit 12, it is equivalent to when the interface unit 11 instructs the encryption unit 12 to generate a key pair that has stored a digital certificate corresponding to the application.
  • the above-mentioned interface unit 11 sends the identifier of the online banking application to the encryption unit 12.
  • the detection result of the encryption unit 12 is YES, that is, the digital certificate of the online banking application is stored
  • the encryption unit 12 sends the stored digital certificate to the application processing unit 13 through the interface unit 11, and the application processing is performed.
  • Unit 13 will not need to apply for a digital certificate any more, but will directly establish a connection with the application server using the digital certificate.
  • the transceiver unit 22 on the notebook can send the digital certificate to the tablet for storage;
  • the transceiver unit 22 on the notebook sends the digital certificate to the transceiver unit 33 of the tablet computer, and simultaneously transmits the application identifier of the application running on the notebook corresponding to the certificate to the transceiver unit 33; the transceiver unit 33 then digitizes The certificate and application identifier are sent to the interface unit 31, which sends it to the encryption unit 32.
  • the encryption unit 32 stores the digital certificate and the application identifier described above, and establishes a correspondence between the digital certificate and the application identifier.
  • the unit 21 instructs the transceiver unit 22 to send the application identification to the tablet, and finally sends the application identification to the encryption unit 32 of the tablet in accordance with the above-described transmission process.
  • the encryption unit 32 will query whether a digital certificate corresponding to the application identifier is stored, and if so, the encryption unit 32 can send the digital certificate to the notebook according to the reverse process described above, so that the notebook does not need to go to the certificate server again. Obtain the certificate, but use the stored certificate to establish a connection with the application server.
  • the encryption unit 32 queries that it does not store the digital certificate corresponding to the application identifier, it can directly start a security service for the notebook, generate a key pair, and return the public key to the notebook, so that the notebook uses the public key to connect to the certificate server to apply for a number.
  • the related process can be referred to the above embodiment, and will not be described in detail.
  • the method in this embodiment that is, when the application running device needs to connect to the application server for the first time, the application access device of the embodiment provides a key pair for the application running device to use the key to apply for a digital certificate; and, the application The running device sends the certificate of the application to the application access device for storage.
  • the interface unit in the application access device may use, for example, a PKCS#11 interface, and the encryption unit may be implemented by software or an encryption chip, for example.
  • 6 is a schematic structural diagram of another embodiment of an application access device according to the present invention. As shown in FIG.
  • the device is a software mode
  • the encryption unit is a soft encryption module, that is, the encryption, decryption, and the like of the encryption unit are based on Software algorithm implementation, support common encryption and decryption algorithms, such as Triple Data Encryption Algorithm (3DES), AESRC4, Message Digest Algorithm 5 (MD5), DSA and RSA.
  • the encryption, decryption, generation key pair, and security services such as signature and signature verification provided by the soft encryption module are provided to the application through the PKCS#11 interface.
  • the encryption unit may involve some data cache or data storage, and the storage medium used by the application device is an application access device.
  • FIG. 7 is a schematic structural diagram of another embodiment of an application access device according to the present invention.
  • the device is in hardware mode, and the encryption unit is an encryption chip, that is, the encryption, decryption, and the like of the encryption unit are driven by the driver.
  • the program is implemented by the encryption chip and supports a common encryption and decryption algorithm.
  • the security services provided by the encryption chip such as encryption, decryption, signature, signature verification, and key generation, are provided to the application through the PKCS#11 interface.
  • Embodiment 7 This embodiment provides an application access method, which is performed by an application access device.
  • FIG. 8 is a schematic flowchart of an application access method according to an embodiment of the present invention. The method in this embodiment is performed by an application access device that provides a security service for an application running on the device itself. This embodiment only describes the method briefly.
  • the implementation principle can be combined as described in the device embodiment. As shown in Figure 8, it can include:
  • the application access device generates a security access request, where the security access request is used to request an application security service for an application running on the application access device.
  • the application access device generates a key pair according to the security access request, where the key pair includes a public key and a private key.
  • the application access device uses the public key to apply for obtaining a digital certificate to the certificate server, and the application access device establishes a connection with the application server by using the digital certificate.
  • the application access device encrypts data transmitted between the application access device and the application server by using the private key after establishing a connection with the application server. Further, after the application access device generates the security access request, the method further includes: the application access device storing a correspondence between the digital certificate and the application. Further, after the application access device generates the security access request, before generating the key pair according to the security access request, the method further includes: the application access device according to the pair Correspondingly, detecting whether a digital certificate corresponding to the application has been stored; when the detection result is YES, directly establishing a connection with the application server by using the stored digital certificate.
  • FIG. 9 is a schematic flowchart of an application access method according to an embodiment of the present invention. The method of the present embodiment is only described briefly. The specific implementation principle may be as described in conjunction with the device embodiment. As shown in FIG. 9, it may include:
  • the application access device receives a security access request sent by an application running device, where the service is used.
  • the application access device generates a key pair according to the security access request, where the key pair includes a public key and a private key.
  • the application access device sends the public key to the application running device, so that the application running device requests the certificate server to obtain a digital certificate by using the public key, and the application running device passes the number.
  • the certificate establishes a connection with the application server;
  • the application access device After the application running device establishes a connection with the application server, the application access device encrypts data transmitted between the application running device and the application server by using the private key. Further, the receiving the security access request sent by the application running device includes: the application accessing device receiving the application running connected with the application access device by using any one of a USB connection, a WIFI connection, and an NFC connection. A secure access request sent by the device.
  • the application access device specifically receives the security access request sent by the application running device by using a PKCS#11 interface. Further, after the application access device sends the public key to the application running device, the method further includes: the application access device receiving the digital certificate sent by the application running device, and storing the digital certificate and The corresponding relationship of the application. Further, after the application access device receives the security access request sent by the application running device, before generating the key pair according to the security access request, the method further includes: detecting, by the application access device, whether the storage device has been stored according to the corresponding relationship. Digital certificate corresponding to the application When the detection result is YES, the stored digital certificate is directly sent to the acknowledgment connection.
  • the aforementioned program can be stored in a computer readable storage medium.
  • the program when executed, performs the steps including the foregoing method embodiments; and the foregoing storage medium includes: a medium that can store program codes, such as a ROM, a RAM, a magnetic disk, or an optical disk.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

Provided are an application access method and device, comprising: an application access device generates a secure access request for providing an application security service for an application running on the application access device; the application access device generates a key pair according to the secure access request, the key pair comprising a public key and a private key; the application access device uses the public key to apply for a digital certificate from a certificate server, and the application access device establishes a connection with an application server via the digital certificate; and after establishing a connection with the application server, the application access device uses the private key to encrypt data transmitted between the application access device and the application server. The present invention reduces dependence on an external security device.

Description

应用访问方法和设备 本申请要求于 2013年 01月 23日提交中国专利局、 申请号为 201310038423.8、 发明名称为 "应用访问方法和设备" 的中国专利申请的优 先权, 其全部内容通过引用结合在本申请中。  Application Access Method and Apparatus This application claims priority to Chinese Patent Application No. 201310038423.8, entitled "Application Access Method and Apparatus", filed on Jan. 23, 2013, the entire contents of In this application.
技术领域 本发明涉及通信技术, 尤其涉及一种应用访问方法和设备。 TECHNICAL FIELD The present invention relates to communication technologies, and in particular, to an application access method and device.
背景技术 目前的很多应用对安全性要求很高, 比如, 网上银行客户端、 证券交易客 户端等, 当用户在自己的应用访问设备例如个人电脑上使用上述的应用进 行涉及资金方面的交易时, 通常都会使用 USB key等专用加密设备, 实现 交易过程中的加解密等安全方案, 以保证交易过程的安全性, 即增强访问 该应用时的安全性。 现有技术中, 上述的专用加密设备内部一般都存储有 与该应用对应的一些安全信息, 例如数字证书、 私钥等; 在应用的访问过 程中, 应用会使用该专用加密设备中的上述安全信息进行安全认证、 数据 加密等处理, 从而保证应用访问的安全。 BACKGROUND OF THE INVENTION Many current applications have high security requirements, such as an online banking client, a securities transaction client, etc., when a user uses the above application to conduct a transaction involving funds on his own application access device such as a personal computer. A special encryption device such as a USB key is usually used to implement a security scheme such as encryption and decryption in the transaction process to ensure the security of the transaction process, that is, to enhance the security when accessing the application. In the prior art, the above-mentioned dedicated encryption device generally stores some security information corresponding to the application, such as a digital certificate, a private key, etc.; during the access process of the application, the application uses the above security in the dedicated encryption device. The information is processed by security authentication, data encryption, etc. to ensure application access security.
但是这种方式的缺陷在于, 应用访问的安全性对于专用加密设备这些 外设的依赖性太强, 如果用户没有携带所述的专用加密设备, 则无法安全 地进行应用访问, 可能对用户的工作造成影响, 非常不方便; 并且, 对于 不同的应用还需要使用为该应用定制的专用加密设备, 假设用户既要使用 网上银行客户端, 又要使用证券交易客户端, 则可能需要携带和使用两个 太强而造成应用访问的不便。 However, the drawback of this method is that the security of the application access is too dependent on the peripherals of the dedicated encryption device. If the user does not carry the dedicated encryption device, the application access cannot be performed securely, and the user may work. It is very inconvenient to make an impact; and, for different applications, you need to use a dedicated encryption device customized for the application. If you want to use both the online banking client and the securities trading client, you may need to carry and use two. One Too strong and inconvenient for application access.
发明内容 本发明提供一种应用访问方法和设备, 以减少对安全外设的依赖。 第一方面, 提供一种应用访问方法, 所述方法包括: 应用访问设备生 成安全访问请求, 所述安全访问请求用于请求为运行在所述应用访问设备 上的应用提供应用安全服务; 所述应用访问设备根据所述安全访问请求, 生成密钥对, 所述密钥对包括公钥和私钥; 所述应用访问设备使用所述公 钥向证书服务器申请获得数字证书, 并且所述应用访问设备通过所述数字 证书与应用服务器建立连接; 所述应用访问设备在与所述应用服务器建立 连接之后, 使用所述私钥对所述应用访问设备和应用服务器之间传输的数 据进行加密处理。 结合第一方面, 在第一种可能的实现方式中, 所述应用访问设备生成 安全访问请求之后, 进一步包括: 所述应用访问设备存储所述数字证书与 所述应用的对应关系。 结合第一方面的第一种可能的实现方式, 在第二种可能的实现方式中, 在所述应用访问设备生成安全访问请求之后, 根据所述安全访问请求生成 密钥对之前, 进一步包括: 所述应用访问设备根据所述对应关系, 检测是 否已经存储与所述应用对应的数字证书; 在检测结果为是时, 直接执行通 过存储的所述数字证书与应用服务器建立连接。 SUMMARY OF THE INVENTION The present invention provides an application access method and apparatus to reduce reliance on secure peripherals. The first aspect provides an application access method, where the method includes: an application access device generates a security access request, where the security access request is used to request an application security service for an application running on the application access device; The application access device generates a key pair according to the security access request, where the key pair includes a public key and a private key; the application access device uses the public key to apply for obtaining a digital certificate to the certificate server, and the application accesses The device establishes a connection with the application server by using the digital certificate; after the connection is established with the application server, the application access device encrypts data transmitted between the application access device and the application server by using the private key. With reference to the first aspect, in a first possible implementation, after the application access device generates the security access request, the method further includes: the application access device storing a correspondence between the digital certificate and the application. With reference to the first possible implementation manner of the first aspect, in a second possible implementation manner, after the application access device generates the security access request, before generating the key pair according to the security access request, the method further includes: The application access device detects, according to the correspondence, whether a digital certificate corresponding to the application has been stored; when the detection result is yes, directly establishing a connection with the application server by using the stored digital certificate.
第二方面, 提供一种应用访问方法, 所述方法包括: 应用访问设备接 收应用运行设备发送的安全访问请求, 所述安全访问请求用于请求为运行 所述安全访问请求, 生成密钥对, 所述密钥对包括公钥和私钥; 所述应用 访问设备将所述公钥发送至所述应用运行设备, 以使得所述应用运行设备 使用所述公钥向证书服务器申请获得数字证书, 并且所述应用运行设备通 过所述数字证书与应用服务器建立连接; 所述应用访问设备在所述应用运 行设备与所述应用服务器建立连接之后, 使用所述私钥对所述应用运行设 备和应用服务器之间传输的数据进行加密处理。 The second aspect provides an application access method, where the method includes: the application access device receives a security access request sent by the application running device, where the security access request is used to generate a key pair for running the security access request, The key pair includes a public key and a private key; the application access device sends the public key to the application running device, so that the application running device uses the public key to apply for obtaining a digital certificate to the certificate server. And the application running device establishes a connection with the application server by using the digital certificate; the application access device is transported in the application After the row device establishes a connection with the application server, the private key is used to encrypt data transmitted between the application running device and the application server.
结合第二方面, 在第一种可能的实现方式中, 所述接收应用运行设备 发送的安全访问请求, 包括: 所述应用访问设备接收与所述应用访问设备 通过 USB连接、 WIFI连接、 NFC连接中的任意一种进行连接的所述应用 运行设备发送的安全访问请求。  With reference to the second aspect, in a first possible implementation manner, the receiving, by the application running device, the security access request includes: receiving, by the application access device, a USB connection, a WIFI connection, and an NFC connection with the application access device Any one of the connected applications running the secure access request sent by the device.
结合第二方面或第二方面的第一种可能的实现方式, 在第二种可能的 实现方式中, 所述应用访问设备接收应用运行设备发送的安全访问请求, 包括: 所述应用访问设备通过 PKCS#11接口, 接收所述应用运行设备发送 的所述安全访问请求。  With reference to the second aspect, or the first possible implementation manner of the second aspect, in a second possible implementation manner, the application accessing device, when receiving the security access request sent by the application running device, includes: the application accessing the device The PKCS#11 interface receives the security access request sent by the application running device.
结合第二方面或第二方面的第一种可能的实现方式, 在第三种可能的 实现方式中, 所述应用访问设备将所述公钥发送至所述应用运行设备之后, 进一步包括: 所述应用访问设备接收所述应用运行设备发送的所述数字证 书, 并存储所述数字证书与所述应用的对应关系。  With the second aspect or the first possible implementation manner of the second aspect, in a third possible implementation, after the application access device sends the public key to the application running device, the method further includes: The application access device receives the digital certificate sent by the application running device, and stores a correspondence between the digital certificate and the application.
结合第二方面的第三种可能的实现方式, 在第四种可能的实现方式中, 在所述应用访问设备接收应用运行设备发送的安全访问请求之后, 根据所 述安全访问请求生成密钥对之前, 进一步包括: 所述应用访问设备根据所 述对应关系, 检测是否已经存储与所述应用对应的数字证书; 在检测结果 为是时, 直接执行将存储的所述数字证书发送至所述应用运行设备, 以使  With the third possible implementation of the second aspect, in a fourth possible implementation, after the application access device receives the security access request sent by the application running device, generate a key pair according to the security access request. The method further includes: detecting, by the application access device, whether a digital certificate corresponding to the application has been stored according to the correspondence; and performing, when the detection result is yes, directly sending the stored digital certificate to the application Run the device so that
第三方面, 提供一种应用访问设备, 包括: 接口单元、 加密单元和应 用处理单元; 所述接口单元, 用于接收应用访问设备生成的安全访问请求, 所述安全访问请求用于请求为运行在所述应用访问设备上的应用提供应用 安全服务; 所述加密单元, 用于根据所述安全访问请求, 生成密钥对, 所 述密钥对包括公钥和私钥; 以及, 在与所述应用服务器建立连接之后, 使 用所述私钥对所述应用访问设备和应用服务器之间传输的数据进行加密处 理; 所述应用处理单元, 用于使用所述公钥向证书服务器申请获得数字证 书, 并且通过所述数字证书与应用服务器建立连接。 The third aspect provides an application access device, including: an interface unit, an encryption unit, and an application processing unit, where the interface unit is configured to receive a security access request generated by an application access device, where the security access request is used for the request to run The application on the application access device provides an application security service; the encryption unit is configured to generate a key pair according to the secure access request, where the key pair includes a public key and a private key; After the application server establishes the connection, the data transmitted between the application access device and the application server is encrypted by using the private key; the application processing unit is configured to apply for obtaining a digital certificate to the certificate server by using the public key. And establishing a connection with the application server through the digital certificate.
结合第三方面, 在第一种可能的实现方式中, 所述加密单元, 进一步 用于存储所述数字证书与所述应用的对应关系。 With reference to the third aspect, in a first possible implementation manner, the encryption unit is further And configured to store a correspondence between the digital certificate and the application.
结合第三方面的第一种可能的实现方式, 在第二种可能的实现方式中, 所述加密单元, 进一步用于在所述接口单元接收所述安全访问请求之后, 根据所述安全访问请求生成密钥对之前, 根据存储的所述对应关系, 检测 是否已经存储与所述应用对应的数字证书; 所述应用处理单元, 进一步用 于在所述加密单元的检测结果为是时, 直接执行通过存储的所述数字证书 与应用服务器建立连接。  With the first possible implementation of the third aspect, in a second possible implementation, the encryption unit is further configured to: after the interface unit receives the secure access request, according to the secure access request Before generating the key pair, detecting, according to the stored correspondence, whether the digital certificate corresponding to the application has been stored; the application processing unit is further configured to directly execute when the detection result of the encryption unit is yes Establishing a connection with the application server through the stored digital certificate.
第四方面, 提供一种应用访问设备, 所述应用访问设备与应用运行设 备建立通信连接, 所述应用访问设备包括: 接口单元和加密单元; 所述接口单元, 用于接收所述应用运行设备发送的安全访问请求, 所 全服务; 以及将所述加密单元将所述公钥发送至所述应用运行设备, 以使 得所述应用运行设备使用所述公钥向证书服务器申请获得数字证书, 并且  The fourth aspect provides an application access device, where the application access device establishes a communication connection with an application running device, where the application access device includes: an interface unit and an encryption unit, and the interface unit is configured to receive the application running device. Sending a secure access request, the entire service; and transmitting, by the encryption unit, the public key to the application running device, so that the application running device applies for the digital certificate to the certificate server using the public key, and
所述加密单元, 用于根据所述安全访问请求, 生成密钥对, 所述密钥 对包括公钥和私钥; 以及, 在所述应用运行设备与所述应用服务器建立连 接之后, 使用所述私钥对所述应用运行设备和应用服务器之间传输的数据 进行加密处理。 结合第四方面, 在第一种可能的实现方式中, 所述接口单元, 用于接 收与所述应用访问设备通过 USB连接、 WIFI连接、 NFC连接中的任意一 种进行连接的所述应用运行设备发送的安全访问请求。 结合第四方面、 或第四方面的第一种可能的实现方式, 在第二种可能 的实现方式中, 所述接口单元为 PKCS#11接口。 The encryption unit is configured to generate a key pair according to the secure access request, where the key pair includes a public key and a private key; and after the application running device establishes a connection with the application server, using the The private key encrypts data transmitted between the application running device and the application server. With reference to the fourth aspect, in a first possible implementation, the interface unit is configured to receive, by using the application access device, the application running by using any one of a USB connection, a WIFI connection, and an NFC connection. A secure access request sent by the device. With reference to the fourth aspect, or the first possible implementation manner of the fourth aspect, in the second possible implementation manner, the interface unit is a PKCS#11 interface.
结合第四方面、 或第四方面的第一种可能的实现方式, 在第三种可能 的实现方式中, 所述接口单元, 进一步用于在将所述公钥发送至所述应用 运行设备之后, 接收所述应用运行设备发送的所述数字证书; 所述加密单  With reference to the fourth aspect, or the first possible implementation manner of the fourth aspect, in a third possible implementation, the interface unit is further configured to: after sending the public key to the application running device Receiving the digital certificate sent by the application running device;
结合第四方面的第三种可能的实现方式, 在第四种可能的实现方式中, 所述加密单元, 进一步用于在所述接口单元接收应用运行设备发送的安全 访问请求之后, 根据所述安全访问请求生成密钥对之前, 根据存储的所述 对应关系, 检测是否已经存储与所述应用对应的数字证书; 所述接口单元, 进一步用于在所述加密单元的检测结果为是时, 直接执行将所述加密单元 存储的所述数字证书发送至所述应用运行设备, 以使得所述应用运行设备 使用所述数字证书与应用服务器建立连接。 本发明提供的应用访问方法和设备的技术效果是: 通过由应用访问设 备根据应用的安全访问请求而生成密钥对, 使得应用可以使用该密钥对进 行数字证书的申请以及数据的加密处理, 从而增强了该应用访问设备自身 的安全能力, 使得该应用访问设备可以提供对应用访问的安全保证, 不再 需要在该应用访问设备的外部另外增加使用安全外设, 减少了对安全外设 的依赖。 In conjunction with the third possible implementation of the fourth aspect, in a fourth possible implementation manner, The encryption unit is further configured to: after the interface unit receives the secure access request sent by the application running device, before generating the key pair according to the secure access request, according to the stored correspondence, detecting whether the storage unit has been stored The interface unit is further configured to: when the detection result of the encryption unit is YES, directly send the digital certificate stored by the encryption unit to the application running device, so that The application running device establishes a connection with an application server using the digital certificate. The technical effect of the application access method and device provided by the present invention is: generating a key pair by the application access device according to the secure access request of the application, so that the application can use the key pair to apply for the digital certificate and encrypt the data. Thereby, the security capability of the application access device itself is enhanced, so that the application access device can provide security guarantee for application access, no need to additionally increase the use of security peripherals outside the application access device, and reduce the security peripherals. rely.
附图说明 为了更清楚地说明本发明实施例的技术方案, 下面将对实施例描述中 所需要使用的附图作一简单地介绍, 显而易见地, 下面描述中的附图仅仅 是本发明的一些实施例, 对于本领域普通技术人员来讲, 在不付出创造性 劳动的前提下, 还可以根据这些附图获得其他的附图。 图 1为本发明应用访问设备一实施例的结构示意图; 图 2为本发明应用访问设备另一实施例的工作原理示意图; 图 3为本发明应用访问设备又一实施例的结构示意图; 图 4为本发明应用访问设备又一实施例的工作原理示意图; 图 5为本发明应用访问设备又一实施例的工作原理示意图; 图 6为本发明应用访问设备又一实施例的结构示意图; 图 7为本发明应用访问设备又一实施例的结构示意图; 图 8为本发明应用访问方法一实施例的流程示意图; 图 9为本发明应用访问方法一实施例的流程示意图。 BRIEF DESCRIPTION OF THE DRAWINGS In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings used in the description of the embodiments will be briefly described below. It is obvious that the drawings in the following description are only some of the present invention. For the embodiments, those skilled in the art can obtain other drawings according to the drawings without any creative work. 1 is a schematic structural diagram of an application access device according to an embodiment of the present invention; FIG. 2 is a schematic diagram of another embodiment of an application access device according to the present invention; FIG. 3 is a schematic structural diagram of another embodiment of an application access device according to the present invention; FIG. 5 is a schematic diagram of a working principle of another embodiment of an application access device according to the present invention; FIG. 6 is a schematic structural diagram of another embodiment of an application access device according to the present invention; A schematic structural diagram of another embodiment of an application access device according to the present invention; FIG. 8 is a schematic flowchart of an embodiment of an application access method according to the present invention; FIG. 9 is a schematic flowchart diagram of an embodiment of an application access method according to the present invention.
具体实施方式 本发明实施例为了使得应用的访问减少对 USB Key等安全外设的依 赖, 对应用访问设备自身进行了安全能力的增强, 使得在不需要使用安全 外设的基础上, 由应用访问设备对应用访问提供安全保护。 所述的应用指的是, 例如, 网上银行、 证券交易等。 所述的应用访问 设备指的是该应用在使用时所用到的设备, 例如, 用户在自己的平板电脑 上启动了网上银行应用, 并使用该网上银行的服务, 则该平板电脑就称为 应用访问设备; 又例如, 用户在自己的笔记本上使用证券交易应用, 该应 用在使用过程中还用到了另一个设备比如平板电脑上所提供的密钥对, 则 本实施例是将所述的提供密钥对的平板电脑称为应用访问设备。 这些在后 续的具体实施例中还会详细说明, 总之本实施例的应用访问设备是指的能 够为应用提供安全保护服务的设备 (比如上述的提供密钥对的平板电脑)。 本发明实施例的应用访问方法, 是上述的应用访问设备所执行的方法, 即本发明实施例是对应用访问设备进行了改进, 使得该设备自身的安全能 力增强, 能够为应用的访问提供安全服务, 从而也使得应用访问的方法有 所变更。 基于此, 为使得本发明的方案描述更加清楚, 下面将首先对该应 用访问设备的结构进行说明。 本发明实施例的应用访问设备, 既可以为运行在该设备上的应用提供 访问设备可以有两种不同的结构。 下面将分别描述上述两种情况下的应用 访问设备的结构、 以及对应结构下的应用访问设备的工作原理: 实施例一 图 1 为本发明应用访问设备一实施例的结构示意图, 本实施例所述结 构的应用访问设备可以为运行在该设备上的应用提供安全服务; 如图 1 所 示, 该应用访问设备可以包括: 接口单元 11、 加密单元 12和应用处理单元 13; 其中, 所述的接口单元 11 , 是用于接收用于请求提供应用安全服务的 安全访问请求; 所述的安全访问请求指的是, 例如, 在使用网上银行的应 用时, 当涉及到资金交易方面的操作, 比如用户点击触发网上银行上的某 个步骤, 此时网上银行运行所在的设备要连接网上银行对应的应用服务器, 为了保证该设备与应用服务器之间的通信安全, 需要建立安全连接, 因此 设备就会向本实施例的应用访问设备发送所述的安全访问请求, 请求提供 安全服务例如是请求生成密钥对。 接口单元 11会根据该安全访问请求指示 加密单元 12进行辅助应用建立所述安全连接的加密处理。 本实施例中, 应用访问设备上安装和运行应用, 该应用访问设备自身 生成所述的安全访问请求。 例如, 本实施例的应用访问设备上安装和运行 网上银行应用, 则上述安全访问请求实际上是由该应用访问设备中的应用 处理单元(该应用处理单元是调用执行网上银行应用的模块)发送安全访 问请求至接口单元 11。 当然, 上述的安全访问请求具体是在应用访问设备调用执行应用的哪 个步骤时发送, 比如在笔记本上运行网上银行, 当该网上银行运行至何时 笔记本需要发送安全访问请求, 可以由应用开发者设定; 只要在需要保证 应用访问安全性时, 设计该应用自动触发应用访问设备向接口单元 11发送 安全访问请求, 即可由本实施例的应用访问设备为应用提供安全服务。 所述的加密单元 12, 用于根据所述安全访问请求, 生成密钥对, 所述 密钥对包括公钥和私钥; 生成密钥对的操作可以釆用例如 RSA ( RSA公钥 力口密算法是 1977年由 Ron Rivest、 Adi Shamirh和 LenAdleman在美国麻省 理工学院开发的, RSA取名来自开发他们三者的名字)等常规技术, 不再 详述。 所述生成的公钥将由加密单元 12发送至接口单元 11 , 接口单元 11 再将该公钥发送至应用处理单元 13。 所述应用处理单元 13 , 用于使用所述公钥向证书服务器 (即数字证书 认证中心 (Certificate Authority, 简称: CA服务器) ) 申请获得数字证书 (证书服务器将釆用该公钥生成数字证书) , 该数字证书是与该应用唯一 对应的证书; 并且所述应用访问设备将通过该数字证书与应用服务器建立 安全连接。 DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS In order to reduce the dependence of an application access on a security peripheral such as a USB Key, the embodiment of the present invention enhances the security capability of the application access device itself, so that the application is accessed without using a secure peripheral. The device provides security for application access. The application refers to, for example, online banking, securities trading, and the like. The application access device refers to a device used by the application during use. For example, if a user launches an online banking application on his tablet and uses the online banking service, the tablet is called an application. Accessing the device; for example, the user uses a securities trading application on his or her own notebook, and the application also uses a key pair provided on another device such as a tablet during use, and this embodiment provides the provided A tablet with a key pair is called an application access device. These will be described in detail in the following specific embodiments. In summary, the application access device of the present embodiment refers to a device capable of providing a security protection service for an application (such as the above-mentioned tablet providing a key pair). The application access method of the embodiment of the present invention is a method performed by the application access device, that is, the embodiment of the present invention improves the application access device, so that the security capability of the device is enhanced, and the access of the application is provided. Services, which also change the way applications are accessed. Based on this, in order to make the description of the scheme of the present invention clearer, the structure of the application access device will first be described below. The application access device of the embodiment of the present invention can provide an access device for an application running on the device. The device can have two different structures. The following is a description of the structure of the application access device in the above two cases and the working principle of the application access device in the corresponding structure: Embodiment 1 FIG. 1 is a schematic structural diagram of an application access device according to an embodiment of the present invention. The application access device of the structure can provide security services for applications running on the device; as shown in FIG. 1, the application access device can include: an interface unit 11, an encryption unit 12, and an application processing unit. The interface unit 11 is configured to receive a secure access request for requesting application security services. The secure access request refers to, for example, when using an online banking application, when The operation of the fund transaction, for example, the user clicks to trigger a step on the online bank. At this time, the device on which the online bank runs is connected to the application server corresponding to the online bank. In order to ensure the communication security between the device and the application server, it is necessary to establish The secure connection, so the device sends the secure access request to the application access device of the embodiment, requesting to provide a security service, for example, requesting to generate a key pair. The interface unit 11 instructs the encryption unit 12 to perform an encryption process for the auxiliary application to establish the secure connection according to the secure access request. In this embodiment, the application access device installs and runs an application, and the application access device itself generates the security access request. For example, if the online banking application is installed and run on the application access device of the embodiment, the secure access request is actually sent by the application processing unit in the application access device (the application processing unit is a module that invokes the online banking application). Secure access request to interface unit 11. Of course, the above security access request is specifically sent when the application access device invokes the execution of the application, such as running online banking on the notebook, and when the online banking runs to when the notebook needs to send a secure access request, the application developer may The application access device of the embodiment provides a security service for the application, as long as the application is designed to automatically trigger the application access device to send a secure access request to the interface unit 11 when the application access security is required. The encryption unit 12 is configured to generate a key pair according to the secure access request, where the key pair includes a public key and a private key; and the operation of generating a key pair may use, for example, RSA (RSA public key force port) The secret algorithm was developed in 1977 by Ron Rivest, Adi Shamirh, and Len Adleman at the Massachusetts Institute of Technology, and the RSA was named from the name of the three of them. It is not detailed. The generated public key will be sent by the encryption unit 12 to the interface unit 11, which in turn sends the public key to the application processing unit 13. The application processing unit 13 is configured to apply, by using the public key, a certificate certificate (ie, a certificate authority (CA server)) to obtain a digital certificate (the certificate server will use the public key to generate a digital certificate) The digital certificate is a certificate uniquely corresponding to the application; and the application access device is established with the application server by using the digital certificate Secure connection.
其中, 将本实施例的应用访问过程与现有技术相比较, 现有技术的数 字证书是直接存储在 USB Key等专用加密设备中, 应用在运行时的应用访 问设备将直接使用加密设备中的数字证书与应用服务器建立安全连接; 而 本实施例的应用在运行时是由应用访问设备内部的加密单元为其生成公 钥, 应用访问设备自身使用该公钥进行数字证书的申请并通过该证书建立 与应用服务器的连接。 上述区别的好处在于: 由于数字证书相当于应用的身份证, 不同的应 用对应于不同的数字证书, 所以现有技术中将数字证书预先存储在 USB Key 等加密设备中的方式, 也使得加密设备与应用具有对应性, 例如, 某 银行的网上银行使用的是加密设备 A, 另一个银行的网上银行使用的是加 密设备 B, 证券交易使用的加密设备 C等, 不仅需要用户随身携带加密设 备, 而且使用该多个应用时还需要携带多个不同的加密设备, 非常不方便, 效率较低。 而本实施例的方案, 应用访问设备中的加密单元能够在应用的 访问过程中实时为该应用提供密钥对, 应用能够实时申请数字证书, 这种 加密单元不是对应于某种特定的应用的, 各种应用都可以使用该加密单元; 例如, 用户的平板电脑即为所述的应用访问设备, 该平板电脑上运行了网 上银行、 证券交易两种应用, 这两种应用在运行时平板电脑都可以请求加 密单元为其生成密钥对, 这种生成密钥对的服务可以为任意应用提供, 各 个应用在获得公钥后各自再申请与自身对应的数字证书即可。 显然, 釆用 本实施例的应用访问设备, 可以为各种应用提供服务, 非常方便, 且提高 了应用的访问效率。 所述的应用访问设备通过所述数字证书与应用服务器建立连接的过程 是常规技术, 简单说明如下: 应用访问设备向应用服务器发送连接请求, 携带与应用对应的数字证书, 应用服务器会将该数字证书发送至鉴权服务 器(即 VA服务器)进行验证, 如果鉴权服务器对该证书验证通过, 则应 用服务器就会向应用访问设备返回连接响应, 建立与该应用访问设备之间 的连接, 由于该连接是在证书验证通过后再建立的, 因此可以保证应用访 问设备和应用服务器之间的通信安全, 即为安全连接。 其中, 上述的鉴权 服务器对证书的验证, 是该鉴权服务器利用从证书服务器处接收到的数字 证书与从应用服务器接收的证书进行比较, 如果两者一致则验证通过, 证 备鉴权服务器此时进行证书的验证工作。 本实施例的加密单元 12 , 进一步用于在应用访问设备与所述应用服务 器建立连接之后, 使用所述私钥对所述应用访问设备和应用服务器之间传 输的数据进行加密处理。 The application access process of the present embodiment is directly stored in a dedicated encryption device such as a USB Key, and the application access device applied at runtime is directly used in the encryption device. The digital certificate establishes a secure connection with the application server. The application of the embodiment is generated by the encryption unit inside the application access device, and the application access device uses the public key to apply for the digital certificate and passes the certificate. Establish a connection to the application server. The advantages of the above differences are as follows: Since the digital certificate is equivalent to the application ID card and the different applications correspond to different digital certificates, the manner in which the digital certificate is pre-stored in an encryption device such as a USB Key in the prior art also enables the encryption device. Correspondence with the application, for example, the online banking of a bank uses the encryption device A, the online banking of another bank uses the encryption device B, and the encryption device C used for the securities transaction, etc., not only requires the user to carry the encryption device with him or her, Moreover, when using the multiple applications, it is also necessary to carry a plurality of different encryption devices, which is very inconvenient and inefficient. In the solution of the embodiment, the encryption unit in the application access device can provide a key pair for the application in real time during the access process of the application, and the application can apply for a digital certificate in real time, and the encryption unit does not correspond to a specific application. The encryption unit can be used by various applications; for example, the user's tablet is the application access device, and the tablet runs two applications of online banking and securities trading, and the two applications are at runtime tablet. The encryption unit may be requested to generate a key pair for it. The service for generating the key pair may be provided for any application, and each application may apply for a digital certificate corresponding to itself after obtaining the public key. Obviously, the application access device of the embodiment can provide services for various applications, which is very convenient, and improves the access efficiency of the application. The process of establishing the connection between the application access device and the application server by using the digital certificate is a conventional technology, and the simple description is as follows: The application access device sends a connection request to the application server, and carries a digital certificate corresponding to the application, and the application server will use the digital certificate. The certificate is sent to the authentication server (that is, the VA server) for verification. If the authentication server passes the certificate verification, the application server returns a connection response to the application access device, and establishes a connection with the application access device. The connection is established after the certificate is verified, so that the communication between the application access device and the application server can be ensured, that is, a secure connection. Wherein, the authentication of the certificate by the authentication server is that the authentication server uses the number received from the certificate server. The certificate is compared with the certificate received from the application server. If the two are consistent, the verification is passed, and the certificate authentication server performs the verification of the certificate at this time. The encryption unit 12 of the embodiment is further configured to perform encryption processing on data transmitted between the application access device and the application server by using the private key after the application access device establishes a connection with the application server.
这里所述的加密处理包括了: 对应用访问设备与应用服务器之间传输 的数据进行加密, 在应用访问设备侧加密后发送至应用服务器 (例如应用 访问设备利用私钥加密数据, 应用服务器利用公钥解密获得数据, 该公钥 是应用访问设备发送至应用服务器的) , 也包括了对所述数据进行解密, 对应用服务器发送至应用访问设备的数据进行解密 (例如应用服务器利用 公钥加密数据, 应用访问设备利用私钥解密获得数据) 。 本实施例的应用访问设备, 通过由应用访问设备根据用于请求提供应 用安全服务的安全访问请求而生成密钥对, 使得应用访问设备可以使用该 密钥对进行数字证书的申请以及数据的加密处理, 建立与应用服务器的安 全连接, 从而增强了该应用访问设备自身的安全能力, 使得该应用访问设 备可以提供对应用访问的安全保证, 不再需要在该应用访问设备的外部另 外增加使用安全外设, 减少了对安全外设的依赖。 本发明实施例的应用访问设备, 既可以为运行在该设备上的应用提供 例二和实施例三描述这两种情况下的应用访问设备的工作原理。 实施例二 本实施例的应用访问设备是为运行在该设备上的应用提供安全服务, 图 2为本发明应用访问设备另一实施例的工作原理示意图。  The encryption process described herein includes: encrypting data transmitted between the application access device and the application server, and transmitting the data to the application server after being encrypted by the application access device side (for example, the application access device encrypts the data by using the private key, and the application server utilizes the public The key decryption obtains data, and the public key is sent by the application access device to the application server, and also includes decrypting the data, and decrypting data sent by the application server to the application access device (for example, the application server encrypts the data by using the public key) , the application access device decrypts the data using the private key). The application access device of this embodiment generates a key pair by the application access device according to the secure access request for requesting the application security service, so that the application access device can use the key pair to apply for the digital certificate and encrypt the data. Processing, establishing a secure connection with the application server, thereby enhancing the security capability of the application access device itself, so that the application access device can provide security guarantee for application access, and no additional need to increase the use security outside the application access device. Peripherals reduce the reliance on secure peripherals. The application access device of the embodiment of the present invention can provide the working principle of the application access device in the two cases described in the second embodiment and the third embodiment for the application running on the device. The second embodiment of the present invention provides a security service for an application running on the device. FIG. 2 is a schematic diagram of the working principle of another embodiment of the application access device according to the present invention.
如图 2所示, 本实施例的应用访问设备以平板电脑为例, 应用以网上 银行为例, 网上银行是运行在平板电脑上的应用, 因此, 该平板电脑既是 应用访问设备(即为应用提供安全服务的设备) 又是应用运行设备(即安 装和运行应用的设备) 。 本实施例的应用访问设备中进一步包括应用处理 单元 13 , 该应用处理单元 13用于调用和执行网上银行应用; 并且该应用处 理单元 13能够与接口单元 11通信交互。 此外, 由于本实施例的应用访问 设备同时也是应用运行设备, 该应用访问设备还能够与应用服务器、 证书 服务器通信连接, 本实施例中, 是由应用访问设备中的收发单元 14与上述 服务器通信的。 具体的, 应用处理单元 13调用执行网上银行, 网上银行开始在该平板 电脑上运行;在运行过程中(比如用户在该平板电脑上启动使用网上银行), 根据网上银行的设定, 在某个运行时间应用处理单元 13将会根据该网上银 行的预先设定发起安全访问请求, 该安全访问请求将发送至接口单元 11。 例如, 本实施例的平板电脑中安装 android系统, 运行在该系统中的网上银 行等应用在运行时应用处理单元 13可以向接口单元 11发送安全访问请求。 接口单元 11根据该安全访问请求指示加密单元 12执行生成密钥对的服务, 加密单元 12生成的公钥将通过接口单元 11返回给应用处理单元 13。 应用 处理单元 13将该公钥发送给收发单元 14, 指示收发单元 14利用该公钥向 证书服务器申请数字证书, 并使用该证书与应用服务器建立安全连接。 需要说明的是, 所述的收发单元 14仅仅是平板电脑与服务器通信的接 口, 实际要与服务器进行数据传输的仍然是应用处理单元 13 , 比如, 应用 处理单元 13在调用运行网上银行时, 要向应用服务器传输数据, 该数据是 由应用处理单元 13发给收发单元 14, 收发单元 14仅负责将数据转发给应 用服务器, 本质上仍是应用处理单元 13与应用服务器之间的通信。 此外, 在平板电脑与应用服务器建立连接之后, 应用处理单元 13在向 应用服务器发送数据时,可以将该数据通过接口单元 11发送至加密单元 12, 由加密单元 12对该数据加密后再通过接口单元 11返回给应用处理单元 13 , 应用处理单元 13再指示收发单元 14传输所述数据至应用服务器。 应用处 理单元 13在从收发单元 14接收到应用服务器发送的数据时, 可以将该数 据通过接口单元 11发送至加密单元 12 , 由加密单元 12对该数据解密后再 通过接口单元 11返回给应用处理单元 13 , 应用处理单元 13获得该数据, 通过该数据继续运行网上银行。 即网上银行与其应用服务器之间的数据加 解密处理也由加密单元 12负责。 实施例三 图 3 为本发明应用访问设备又一实施例的结构示意图, 本实施例所述 他设备可以称为应用运行设备; 如图 3 所示, 该应用访问设备可以包括: 接口单元 31和加密单元 32; 其中, 所述的接口单元 31 , 是用于接收用于请求提供应用安全服务的 安全访问请求; 所述的安全访问请求指的是, 例如, 在使用网上银行的应 用时, 当涉及到资金交易方面的操作, 比如用户点击触发网上银行上的某 个步骤, 此时网上银行运行所在的设备要连接网上银行对应的应用服务器, 为了保证该设备与应用服务器之间的通信安全, 需要建立安全连接, 因此 设备就会向本实施例的应用访问设备发送所述的安全访问请求, 请求提供 安全服务例如是请求生成密钥对。 接口单元 31会根据该安全访问请求指示 加密单元 32进行辅助应用建立所述安全连接的加密处理。 本实施例中, 发送上述的安全访问请求的设备, 是安装和运行应用的 应用运行设备, 该应用运行设备是本实施例的应用访问设备之外的其他设 备。 例如, 网上银行应用是安装和运行在其他设备上, 并不在本实施例的 应用访问设备, 比如是运行在某个笔记本上, 则上述安全访问请求是由所 述的笔记本发送给本实施例的应用访问设备的接口单元 31。 当然, 上述的安全访问请求具体是在应用运行设备调用执行应用的哪 个步骤时发送, 比如在笔记本上运行网上银行, 当该网上银行运行至何时 笔记本需要发送安全访问请求, 可以由应用开发者设定; 只要在需要保证 应用访问安全性时, 设计该应用自动触发应用运行设备向本实施例应用访 问设备的接口单元 31发送安全访问请求, 即可由本实施例的应用访问设备 为应用提供安全服务。 所述的加密单元 32, 用于根据所述安全访问请求, 生成密钥对, 所述 密钥对包括公钥和私钥;生成密钥对的操作可以釆用例如 RSA等常规技术, 不再详述。 所述生成的公钥将由加密单元 32发送至接口单元 31 , 再由接口 单元 31将公钥发送至应用运行设备, 以使得所述应用运行设备使用所述公 钥向证书服务器申请获得数字证书, 该数字证书是与该应用唯一对应的证 书。 所述应用运行设备将通过该数字证书与应用服务器建立安全连接。 其中, 将本实施例的应用访问过程与现有技术相比较, 现有技术的数 字证书是直接存储在 USB Key等专用加密设备中, 应用在运行时的应用运 行设备将直接使用加密设备中的数字证书与应用服务器建立安全连接; 而 本实施例的应用在运行时是由应用运行设备请求应用访问设备中的加密单 元为其生成公钥, 应用运行设备自身使用该公钥进行数字证书的申请并通 过该证书建立与应用服务器的连接。 As shown in FIG. 2, the application access device in this embodiment takes a tablet computer as an example, and the application uses an online banking as an example. The online banking is an application running on a tablet computer. Therefore, the tablet computer is an application access device (ie, an application). The device that provides the security service) is the application running device (that is, the device that installs and runs the application). The application access device of this embodiment further includes an application processing unit 13 for calling and executing an online banking application; and the application office The unit 13 is capable of communicating with the interface unit 11 in communication. In addition, since the application access device of the embodiment is also an application running device, the application access device can also communicate with the application server and the certificate server. In this embodiment, the transceiver unit 14 in the application access device communicates with the server. of. Specifically, the application processing unit 13 calls to execute the online banking, and the online banking starts running on the tablet; during the running process (for example, the user starts using the online banking on the tablet), according to the setting of the online banking, at a certain The runtime application processing unit 13 will initiate a secure access request based on the pre-set of the online banking, which will be sent to the interface unit 11. For example, the tablet computer of the embodiment is installed with an android system, and an application such as an online bank running in the system may send a secure access request to the interface unit 11 at runtime. The interface unit 11 instructs the encryption unit 12 to perform a service for generating a key pair according to the secure access request, and the public key generated by the encryption unit 12 is returned to the application processing unit 13 through the interface unit 11. The application processing unit 13 sends the public key to the transceiver unit 14, instructing the transceiver unit 14 to apply for a digital certificate to the certificate server using the public key, and establish a secure connection with the application server using the certificate. It should be noted that the transceiver unit 14 is only an interface between the tablet computer and the server. The actual data transmission with the server is still the application processing unit 13. For example, when the application processing unit 13 calls the online banking, The data is transmitted to the application server, which is sent by the application processing unit 13 to the transceiver unit 14, which is only responsible for forwarding the data to the application server, essentially still the communication between the application processing unit 13 and the application server. In addition, after the tablet establishes a connection with the application server, when the application processing unit 13 sends data to the application server, the data may be sent to the encryption unit 12 through the interface unit 11, and the data is encrypted by the encryption unit 12 and then passed through the interface. The unit 11 returns to the application processing unit 13, which in turn instructs the transceiver unit 14 to transmit the data to the application server. When receiving the data sent by the application server from the transceiver unit 14, the application processing unit 13 may send the data to the encryption unit 12 through the interface unit 11, decrypt the data by the encryption unit 12, and then return it to the application processing through the interface unit 11. Unit 13, the application processing unit 13 obtains the data, and continues to run the online banking through the data. That is, the data encryption and decryption process between the online bank and its application server is also handled by the encryption unit 12. Embodiment 3 FIG. 3 is a schematic structural diagram of another embodiment of an application access device according to the present invention. The device in the embodiment may be referred to as an application running device. As shown in FIG. 3, the application access device may include: an interface unit 31 and an encryption unit 32. The interface unit 31 is configured to receive a secure access request for requesting to provide an application security service, where the secure access request refers to, for example, when using an application of the online banking, when the funds are involved In the transaction operation, for example, the user clicks to trigger a certain step on the online banking. At this time, the device on which the online banking is running must be connected to the application server corresponding to the online banking. In order to ensure the communication security between the device and the application server, it is necessary to establish security. The connection is sent, so the device sends the secure access request to the application access device of the embodiment, requesting to provide a security service, for example, requesting to generate a key pair. The interface unit 31 instructs the encryption unit 32 to perform an encryption process for the auxiliary application to establish the secure connection according to the secure access request. In this embodiment, the device that sends the foregoing security access request is an application running device that installs and runs an application, and the application running device is other devices than the application access device in this embodiment. For example, if the online banking application is installed and run on another device, and the application access device is not in the embodiment, for example, running on a certain notebook, the secure access request is sent by the notebook to the embodiment. The interface unit 31 of the access device is applied. Of course, the above security access request is specifically sent when the application running device invokes the execution of the application, such as running online banking on the notebook, and when the online banking runs to when the notebook needs to send a secure access request, the application developer may The application access device of the present embodiment provides security for the application by the application access device of the embodiment, as long as the application is configured to automatically trigger the application running device to send a secure access request to the interface unit 31 of the application access device of the embodiment. service. The encryption unit 32 is configured to generate a key pair according to the secure access request, where the key pair includes a public key and a private key; and the operation of generating the key pair may use a conventional technology such as RSA, no longer Detailed. The generated public key will be sent by the encryption unit 32 to the interface unit 31, and then the interface unit 31 sends the public key to the application running device, so that the application running device uses the public key to apply for obtaining a digital certificate from the certificate server. The digital certificate is a certificate that uniquely corresponds to the application. The application running device will establish a secure connection with the application server through the digital certificate. The application access process of the present embodiment is directly stored in a dedicated encryption device such as a USB Key, and the application running device used in the runtime is directly used in the encryption device. The digital certificate establishes a secure connection with the application server. The application of the embodiment is requested by the application running device to request an encryption unit in the application access device to generate a public key, and the application running device uses the public key to apply for the digital certificate. And establish a connection with the application server through the certificate.
上述区别的好处在于: 由于数字证书相当于应用的身份证, 不同的应 用对应于不同的数字证书, 所以现有技术中将数字证书预先存储在 USB Key 等加密设备中的方式, 也使得加密设备与应用具有对应性, 例如, 某 银行的网上银行使用的是加密设备 A, 另一个银行的网上银行使用的是加 密设备 B, 证券交易使用的加密设备 C等, 不仅需要用户随身携带加密设 备, 而且使用该多个应用时还需要携带多个不同的加密设备, 非常不方便, 效率较低。 而本实施例的方案, 应用访问设备中的加密单元能够在应用的 访问过程中实时为该应用提供密钥对, 应用能够实时申请数字证书, 这种 加密单元不是对应于某种特定的应用的, 各种应用都可以使用该加密单元; 例如, 用户的平板电脑即为所述的应用访问设备, 该平板电脑上运行了网 上银行、 证券交易两种应用, 这两种应用在运行时平板电脑都可以请求加 密单元为其生成密钥对, 这种生成密钥对的服务可以为任意应用提供, 各 个应用在获得公钥后各自再申请与自身对应的数字证书即可。 显然, 釆用 本实施例的应用访问设备, 可以为各种应用提供服务, 非常方便, 且提高 了应用的访问效率。  The advantages of the above differences are as follows: Since the digital certificate is equivalent to the application ID card and the different applications correspond to different digital certificates, the manner in which the digital certificate is pre-stored in an encryption device such as a USB Key in the prior art also enables the encryption device. Correspondence with the application, for example, the online banking of a bank uses the encryption device A, the online banking of another bank uses the encryption device B, and the encryption device C used for the securities transaction, etc., not only requires the user to carry the encryption device with him or her, Moreover, when using the multiple applications, it is also necessary to carry a plurality of different encryption devices, which is very inconvenient and inefficient. In the solution of the embodiment, the encryption unit in the application access device can provide a key pair for the application in real time during the access process of the application, and the application can apply for a digital certificate in real time, and the encryption unit does not correspond to a specific application. The encryption unit can be used by various applications; for example, the user's tablet is the application access device, and the tablet runs two applications of online banking and securities trading, and the two applications are at runtime tablet. The encryption unit may be requested to generate a key pair for it. The service for generating the key pair may be provided for any application, and each application may apply for a digital certificate corresponding to itself after obtaining the public key. Obviously, the application access device of the embodiment can provide services for various applications, which is very convenient and improves the access efficiency of the application.
是常规技术, 简单说明如下: 应用运行设备向应用服务器发送连接请求, 携带与应用对应的数字证书, 应用服务器会将该数字证书发送至鉴权服务 器(即 VA服务器)进行验证, 如果鉴权服务器对该证书验证通过, 则应 用服务器就会向应用运行设备返回连接响应, 建立与该应用运行设备之间 的连接, 由于该连接是在证书验证通过后再建立的, 因此可以保证应用运 行设备和应用服务器之间的通信安全, 即为安全连接。 其中, 上述的鉴权 服务器对证书的验证, 是该鉴权服务器利用从证书服务器处接收到的数字 证书与从应用服务器接收的证书进行比较, 如果两者一致则验证通过, 证 备鉴权服务器此时进行证书的验证工作。 本实施例的加密单元 32 , 进一步用于在应用运行设备与所述应用服务 器建立连接之后, 使用所述私钥对所述应用运行设备和应用服务器之间传 输的数据进行加密处理。 It is a conventional technology, and is briefly described as follows: The application running device sends a connection request to the application server, and carries a digital certificate corresponding to the application, and the application server sends the digital certificate to the authentication server (ie, the VA server) for verification, if the authentication server After the certificate is verified, the application server returns a connection response to the application running device, and establishes a connection with the running device of the application. Since the connection is established after the certificate verification is passed, the application running device and the device can be guaranteed. The communication security between the application servers is a secure connection. The authentication of the certificate by the authentication server is performed by the authentication server by using the digital certificate received from the certificate server and the certificate received from the application server, and if the two are consistent, the verification is passed. The authentication server performs the verification of the certificate at this time. The encryption unit 32 of the embodiment is further configured to perform encryption processing on data transmitted between the application running device and the application server by using the private key after the application running device establishes a connection with the application server.
这里所述的加密处理包括了: 对应用运行设备与应用服务器之间传输 的数据进行加密, 在应用运行设备侧加密后发送至应用服务器 (例如应用 运行设备利用私钥加密数据, 应用服务器利用公钥解密获得数据, 该公钥 是应用运行设备发送至应用服务器的) , 也包括了对所述数据进行解密, 对应用服务器发送至应用运行设备的数据进行解密 (例如应用服务器利用 公钥加密数据, 应用运行设备利用私钥解密获得数据) 。 本实施例的应用访问设备, 通过由应用访问设备根据用于请求提供应 用安全服务的安全访问请求而生成密钥对, 使得应用运行设备可以使用该 密钥对进行数字证书的申请以及数据的加密处理, 建立与应用服务器的安 全连接, 从而增强了该应用访问设备自身的安全能力, 使得该应用访问设 备可以提供对应用访问的安全保证, 不再需要在该应用访问设备的外部另 外增加使用安全外设, 减少了对安全外设的依赖。  The encryption process described herein includes: encrypting data transmitted between the application running device and the application server, and transmitting the data to the application server after the application running device side encrypts (for example, the application running device encrypts the data by using the private key, and the application server utilizes the public The key decryption obtains data, and the public key is sent by the application running device to the application server, and also includes decrypting the data, and decrypting data sent by the application server to the application running device (for example, the application server encrypts the data by using the public key) , the application running device decrypts the data by using the private key). The application access device of this embodiment generates a key pair by the application access device according to the secure access request for requesting the application security service, so that the application running device can use the key pair to apply for the digital certificate and encrypt the data. Processing, establishing a secure connection with the application server, thereby enhancing the security capability of the application access device itself, so that the application access device can provide security guarantee for application access, and no additional need to increase the use security outside the application access device. Peripherals reduce the reliance on secure peripherals.
实施例四 本实施例的应用访问设备是为运行在其他设备上的应用提供安全服 务, 该其他设备是与本实施例的应用访问设备通过外部连接进行通信的设 备。 图 4为本发明应用访问设备又一实施例的工作原理示意图。 如图 4所示, 本实施例的应用访问设备以平板电脑为例, 外部设备以 笔记本为例, 应用以网上银行为例, 网上银行是运行在笔记本上的应用, 因此, 平板电脑是应用访问设备, 笔记本是应用运行设备。 本实施例的笔 记本和平板电脑上可以均设置收发单元, 其中, 笔记本上设置有应用处理 单元 21和收发单元 22, 应用处理单元 21用于调用执行安装在笔记本上的 网上银行应用, 该笔记本能够与应用服务器和证书服务器通信, 还能够与 平板电脑通信, 由收发单元 22作为笔记本与上述服务器和平板电脑通信的 接口, 例如, 收发单元 22可以将应用处理单元 21发送的安全访问请求转 发给平板电脑, 并将平板电脑返回的公钥转发至应用处理单元 21。 平板电 脑上也设置有收发单元 33 , 作为平板电脑与笔记本通信的接口。 具体的, 笔记本上的应用处理单元 21调用执行网上银行, 网上银行开 始在笔记本上运行; 在运行过程中 (比如用户在该平板电脑上启动使用网 上银行) , 根据网上银行的设定, 在某个运行时间应用处理单元 21将会根 据该网上银行的预先设定发起安全访问请求, 该安全访问请求将通过笔记 本上的收发单元 22、以及平板电脑上的收发单元 33发送至平板电脑上的接 口单元 31。 接口单元 31根据该安全访问请求指示加密单元 32执行生成密钥对的 服务, 加密单元 32生成的公钥将通过接口单元 31 以及上述的各收发单元 返回给笔记本上的应用处理单元 21。应用处理单元 21再利用该公钥向证书 服务器申请数字证书, 并使用该证书与应用服务器建立安全连接, 该过程 中的与服务器的通信通过收发单元 22转发。 此外, 在笔记本与其应用服务器建立连接之后, 本实施例的平板电脑 上的加密单元 32也可以负责应用处理单元 21与应用服务器之间的数据加 解密处理, 过程与上一实施例类似。 例如, 应用处理单元 21在向应用服务 器发送数据时, 可以通过笔记本上的收发单元 22、 平板电脑上的收发单元 33向接口单元 31发送数据加密请求, 携带需要加密的数据; 接口单元 31 据此指示加密单元 32进行数据加密处理; 加密单元 32对该数据加密后再 通过接口单元 31和上述各收发单元返回给笔记本上的应用处理单元 21 ,应 用处理单元 21再指示收发单元 22传输所述数据至应用服务器。 本实施例中, 所述的笔记本与平板电脑之间通过外部连接进行通信, 所述的外部连接例如是通用串行总线 (Universal Serial BUS, 简称: USB ) 连接、 WIFI连接、 近场通信(Near Field Communication, 简称: NFC )连 接中的任意一种, 当然具体实施中也可以是其他连接方式, 以上几种仅为 举例。 例如,对于 USB连接, 笔记本可以通过 USB口向平板电脑上的接口 单元 31发送安全访问请求; 对于 WIFI连接,笔记本可以通过 WIFI网络接 口与平板电脑上的接口单元 31通信, 其中的 WIFI链路的安全由 802.11协 议保证; 对于 NFC连接, 笔记本通过 NFC接口与平板电脑通信, 其中的 NFC链路的安全由 NFC协议保证。 实施例五 图 5 为本发明应用访问设备又一实施例的工作原理示意图, 本实施例 是以应用在应用访问设备内部运行为例来说明, 本实施例的原理也同样适 用于应用在外部设备运行的情况。 如图 5 所示, 平板电脑在向证书服务器申请获得数字证书之后, 收发 单元 14会将从证书服务器接收到的数字证书发送至应用处理单元 13 ,然后 应用处理单元 13将该数字证书发送至接口单元 11 , 接口单元 11将该证书 发送至加密单元 12。 其中, 应用处理单元 13在向接口单元 11发送数字证 书时, 可以携带上该网上银行应用的标识, 这样接口单元 11就可以将应用 标识以及所述数字证书都发送至加密单元 12。加密单元 12存储接收到的所 述数字证书和应用标识, 并建立该数字证书与应用标识的对应关系, 也即 是建立了数字证书与所述网上银行应用的对应关系。 Embodiment 4 The application access device of this embodiment provides a security service for an application running on another device, and the other device is a device that communicates with the application access device of the embodiment through an external connection. FIG. 4 is a schematic diagram of a working principle of still another embodiment of an application access device according to the present invention. As shown in FIG. 4, the application access device of this embodiment takes a tablet computer as an example, and the external device uses a notebook as an example, and the application uses an online banking as an example. The online banking is an application running on a notebook, and therefore, the tablet is an application access. The device, the notebook is the application running device. The transceiver unit of the embodiment may be provided with a transceiver unit, wherein the notebook is provided with an application processing unit 21 and a transceiver unit 22, and the application processing unit 21 is configured to invoke an online banking application installed on the notebook, and the notebook can Communicating with the application server and the certificate server, and being able to communicate with the tablet computer, the transceiver unit 22 serves as an interface for the notebook to communicate with the server and the tablet. For example, the transceiver unit 22 can transfer the secure access request sent by the application processing unit 21. The tablet is sent to the application processing unit 21 and the public key returned by the tablet is forwarded. A transceiver unit 33 is also provided on the tablet as an interface for communication between the tablet and the notebook. Specifically, the application processing unit 21 on the notebook calls to execute the online banking, and the online banking starts running on the notebook; during the running process (for example, the user starts using the online banking on the tablet), according to the setting of the online banking, in a certain The runtime application processing unit 21 will initiate a secure access request according to the preset of the online banking, and the secure access request will be sent to the interface on the tablet through the transceiver unit 22 on the notebook and the transceiver unit 33 on the tablet. Unit 31. The interface unit 31 instructs the encryption unit 32 to perform a service for generating a key pair according to the secure access request, and the public key generated by the encryption unit 32 is returned to the application processing unit 21 on the notebook through the interface unit 31 and each of the above-described transceiver units. The application processing unit 21 then uses the public key to apply for a digital certificate to the certificate server, and uses the certificate to establish a secure connection with the application server, and the communication with the server in the process is forwarded by the transceiver unit 22. In addition, after the notebook establishes a connection with its application server, the encryption unit 32 on the tablet of the embodiment may also be responsible for data encryption and decryption processing between the application processing unit 21 and the application server, and the process is similar to the previous embodiment. For example, when the application processing unit 21 sends data to the application server, the data encryption request may be sent to the interface unit 31 through the transceiver unit 22 on the notebook, the transceiver unit 33 on the tablet, and the data to be encrypted is carried; the interface unit 31 The encryption unit 32 is instructed to perform data encryption processing; the encryption unit 32 encrypts the data, and then returns it to the application processing unit 21 on the notebook through the interface unit 31 and the above-mentioned transceiver units, and the application processing unit 21 instructs the transceiver unit 22 to transmit the data. To the application server. In this embodiment, the notebook and the tablet communicate with each other through an external connection, such as a Universal Serial Bus (USB) connection, a WIFI connection, and a near field communication (Near). Field Communication, abbreviated as: NFC) Any of the connections, of course, other connection methods may be used in the specific implementation. The above are just examples. For example, for a USB connection, the notebook can send a secure access request to the interface unit 31 on the tablet through the USB port; for the WIFI connection, the notebook can communicate with the interface unit 31 on the tablet through the WIFI network interface, wherein the WIFI link Security is guaranteed by the 802.11 protocol; for NFC connections, the notebook communicates with the tablet through the NFC interface, and the security of the NFC link is guaranteed by the NFC protocol. Embodiment 5 FIG. 5 is a schematic diagram of a working principle of another embodiment of an application access device according to the present invention. This embodiment is described by taking an application running inside an application access device as an example. The principle of this embodiment is also applicable to an external device. The situation of operation. As shown in FIG. 5, after the tablet computer applies for obtaining the digital certificate to the certificate server, the transceiver unit 14 sends the digital certificate received from the certificate server to the application processing unit 13, and then the application processing unit 13 sends the digital certificate to the interface. Unit 11, the interface unit 11 sends the certificate to the encryption unit 12. When the application processing unit 13 sends the digital certificate to the interface unit 11, the identifier of the online banking application can be carried, so that the interface unit 11 can send the application identifier and the digital certificate to the encryption unit 12. The encryption unit 12 stores the received digital certificate and application identifier, and establishes a correspondence between the digital certificate and the application identifier, that is, establishes a correspondence between the digital certificate and the online banking application.
进一步的, 当接口单元 11将应用处理单元 13发送的安全访问请求转 发至加密单元 12时, 即相当于当接口单元 11指示加密单元 12生成密钥对 是否已经存储与所述应用对应的数字证书, 当然, 上述的接口单元 11会将 网上银行应用的标识发送至加密单元 12。 在所述加密单元 12的检测结果为是时, 即存储有网上银行应用的数字 证书, 则加密单元 12会通过接口单元 11将存储的所述数字证书发送至应 用处理单元 13 , 此时应用处理单元 13将不需要再申请数字证书, 而是直接 使用所述数字证书与应用服务器建立连接。  Further, when the interface unit 11 forwards the secure access request sent by the application processing unit 13 to the encryption unit 12, it is equivalent to when the interface unit 11 instructs the encryption unit 12 to generate a key pair that has stored a digital certificate corresponding to the application. Of course, the above-mentioned interface unit 11 sends the identifier of the online banking application to the encryption unit 12. When the detection result of the encryption unit 12 is YES, that is, the digital certificate of the online banking application is stored, the encryption unit 12 sends the stored digital certificate to the application processing unit 13 through the interface unit 11, and the application processing is performed. Unit 13 will not need to apply for a digital certificate any more, but will directly establish a connection with the application server using the digital certificate.
当应用在外部设备运行时, 类似于图 4 所示的情况, 笔记本在向证书 服务器申请获得的数字证书后, 笔记本上的收发单元 22可以将该数字证书 发送给平板电脑进行存储; 具体的, 例如, 笔记本上的收发单元 22将数字 证书发送至平板电脑的收发单元 33 , 同时将与该证书对应的在笔记本上运 行的应用的应用标识也发送至收发单元 33;该收发单元 33再将数字证书和 应用标识发送至接口单元 31 , 接口单元 31发送给加密单元 32。 该加密单 元 32就会存储上述的数字证书和应用标识, 并建立起数字证书与应用标识 的对应关系。 当笔记本下一次要连接应用服务器时, 笔记本上的应用处理 单元 21就会指示收发单元 22将应用标识发送至平板电脑, 同样按照上述 的发送流程最终将应用标识发送至平板电脑的加密单元 32。加密单元 32将 查询是否存储有与该应用标识对应的数字证书, 如果有, 则加密单元 32就 可以按照上述的反向流程将所述数字证书发送给笔记本, 这样笔记本就不 需要再次去证书服务器获取证书了, 而是直接使用该存储的证书与应用服 务器建立连接即可。 如果加密单元 32查询自身没有存储应用标识对应的数 字证书, 则可以直接为笔记本开始进行安全服务, 生成密钥对, 将公钥返 回给笔记本, 以使得笔记本使用该公钥连接证书服务器去申请数字证书, 相关过程可以参见上述实施例, 不再详述。 本实施例的方式, 即相当于应用运行设备在首次需要连接应用服务器 时, 由本实施例的应用访问设备为其提供密钥对, 用于应用运行设备使用 该密钥申请数字证书; 并且, 应用运行设备会将该申请的证书也发送至应 用访问设备进行存储, 这样在应用运行设备下一次启动连接应用服务器时, 应用访问设备检测如果已经存储有该应用对应的证书, 则不再生成密钥对, 直接将所述证书发送至应用运行设备, 也提高了应用访问的效率。 实施例六 在以上的各实施例中, 应用访问设备中的接口单元例如可以釆用 PKCS#11接口, 所述加密单元例如可以是软件或者加密芯片的实现方式。 图 6为本发明应用访问设备又一实施例的结构示意图, 如图 6所示, 该设备是釆用软件方式, 加密单元是软加密模块, 即该加密单元的加密、 解密等处理都是基于软件算法实现, 支持常用的加密解密算法, 例如, 三 重数据加密算法 ( Triple Data Encryption Algorithm, 3DES )、 AESRC4、 消 息摘要算法第五版( Message Digest Algorithm 5 , MD5 )、 DSA和 RSA等。 该软加密模块提供的加密、 解密、 生成密钥对、 以及签名、 签名验证等安 全服务都通过 PKCS#11接口提供给应用。 其中, 这种软件实现方式中, 在加密单元执行数据的加密、 解密、 生 成密钥对等各种处理过程中, 会涉及到一些数据緩存或者数据存储, 其使 用的存储介质是应用访问设备内部的一些存储介质, 比如 emmc 芯片的存 储块, 存储过程是通过对 emmc芯片进行输入输出 ( Input/Output, 简称: 10 )操作实现, 对应用访问设备的文件系统不可见。 图 7为本发明应用访问设备又一实施例的结构示意图, 如图 7所示, 该设备是釆用硬件方式, 加密单元是加密芯片, 即该加密单元的加密、 解 密等处理都是由驱动程序通过该加密芯片实现, 支持常用的加密解密算法。 该加密芯片提供的加密、 解密、 签名、 签名验证、 生成密钥对等安全服务 都通过 PKCS#11接口提供给应用。 When the application is running on the external device, similar to the situation shown in FIG. 4, after the notebook applies for the obtained digital certificate to the certificate server, the transceiver unit 22 on the notebook can send the digital certificate to the tablet for storage; For example, the transceiver unit 22 on the notebook sends the digital certificate to the transceiver unit 33 of the tablet computer, and simultaneously transmits the application identifier of the application running on the notebook corresponding to the certificate to the transceiver unit 33; the transceiver unit 33 then digitizes The certificate and application identifier are sent to the interface unit 31, which sends it to the encryption unit 32. The encryption unit 32 stores the digital certificate and the application identifier described above, and establishes a correspondence between the digital certificate and the application identifier. Application processing on the notebook when the notebook is next connected to the application server The unit 21 instructs the transceiver unit 22 to send the application identification to the tablet, and finally sends the application identification to the encryption unit 32 of the tablet in accordance with the above-described transmission process. The encryption unit 32 will query whether a digital certificate corresponding to the application identifier is stored, and if so, the encryption unit 32 can send the digital certificate to the notebook according to the reverse process described above, so that the notebook does not need to go to the certificate server again. Obtain the certificate, but use the stored certificate to establish a connection with the application server. If the encryption unit 32 queries that it does not store the digital certificate corresponding to the application identifier, it can directly start a security service for the notebook, generate a key pair, and return the public key to the notebook, so that the notebook uses the public key to connect to the certificate server to apply for a number. For the certificate, the related process can be referred to the above embodiment, and will not be described in detail. The method in this embodiment, that is, when the application running device needs to connect to the application server for the first time, the application access device of the embodiment provides a key pair for the application running device to use the key to apply for a digital certificate; and, the application The running device sends the certificate of the application to the application access device for storage. When the application running device starts to connect to the application server next time, the application access device detects that the certificate is no longer generated if the certificate corresponding to the application is already stored. Yes, sending the certificate directly to the application running device also improves the efficiency of application access. Embodiment 6 In the foregoing embodiments, the interface unit in the application access device may use, for example, a PKCS#11 interface, and the encryption unit may be implemented by software or an encryption chip, for example. 6 is a schematic structural diagram of another embodiment of an application access device according to the present invention. As shown in FIG. 6, the device is a software mode, and the encryption unit is a soft encryption module, that is, the encryption, decryption, and the like of the encryption unit are based on Software algorithm implementation, support common encryption and decryption algorithms, such as Triple Data Encryption Algorithm (3DES), AESRC4, Message Digest Algorithm 5 (MD5), DSA and RSA. The encryption, decryption, generation key pair, and security services such as signature and signature verification provided by the soft encryption module are provided to the application through the PKCS#11 interface. In the software implementation manner, in the various processes of encrypting, decrypting, and generating a key pair, the encryption unit may involve some data cache or data storage, and the storage medium used by the application device is an application access device. Some storage media, such as the memory block of the emmc chip, the storage process is through the input and output of the emmc chip (Input/Output, referred to as: 10) Operational implementation, not visible to the file system of the application access device. FIG. 7 is a schematic structural diagram of another embodiment of an application access device according to the present invention. As shown in FIG. 7, the device is in hardware mode, and the encryption unit is an encryption chip, that is, the encryption, decryption, and the like of the encryption unit are driven by the driver. The program is implemented by the encryption chip and supports a common encryption and decryption algorithm. The security services provided by the encryption chip, such as encryption, decryption, signature, signature verification, and key generation, are provided to the application through the PKCS#11 interface.
其中, 这种硬件实现方式中, 在加密单元执行数据的加密、 解密、 生 成密钥对等各种处理过程中, 涉及到的数据存储, 其使用的存储介质是加 密芯片内置的存储器, 存储过程是通过该加密芯片的 10操作实现, 对文件 系统不可见(例如对 android系统不可见)。 实施例七 本实施例提供一种应用访问方法, 该方法是由应用访问设备执行。 图 8为本发明应用访问方法一实施例的流程示意图, 本实施例的方法 是由为运行在设备自身上的应用提供安全服务的应用访问设备执行; 本实 施例对方法仅做简单描述, 具体的执行原理可以结合参见设备实施例所述。 如图 8所示, 可以包括:  Wherein, in the hardware implementation manner, in the various processing processes such as encryption, decryption, and generation of a key pair performed by the encryption unit, the data storage involved is a memory built in the encryption chip, and the storage process It is implemented by 10 operations of the encryption chip, and is invisible to the file system (for example, not visible to the android system). Embodiment 7 This embodiment provides an application access method, which is performed by an application access device. FIG. 8 is a schematic flowchart of an application access method according to an embodiment of the present invention. The method in this embodiment is performed by an application access device that provides a security service for an application running on the device itself. This embodiment only describes the method briefly. The implementation principle can be combined as described in the device embodiment. As shown in Figure 8, it can include:
801、 所述应用访问设备生成安全访问请求, 所述安全访问请求用于请 求为运行在所述应用访问设备上的应用提供应用安全服务; 801. The application access device generates a security access request, where the security access request is used to request an application security service for an application running on the application access device.
802、 所述应用访问设备根据所述安全访问请求, 生成密钥对, 所述密 钥对包括公钥和私钥;  802. The application access device generates a key pair according to the security access request, where the key pair includes a public key and a private key.
803、 所述应用访问设备使用所述公钥向证书服务器申请获得数字证 书, 并且所述应用访问设备通过所述数字证书与应用服务器建立连接;  803. The application access device uses the public key to apply for obtaining a digital certificate to the certificate server, and the application access device establishes a connection with the application server by using the digital certificate.
804、 所述应用访问设备在与所述应用服务器建立连接之后, 使用所述 私钥对所述应用访问设备和应用服务器之间传输的数据进行加密处理。 进一步的, 所述应用访问设备生成安全访问请求之后, 进一步包括: 所述应用访问设备存储所述数字证书与所述应用的对应关系。 进一步的, 在所述应用访问设备生成安全访问请求之后, 根据所述安 全访问请求生成密钥对之前, 进一步包括: 所述应用访问设备根据所述对 应关系, 检测是否已经存储与所述应用对应的数字证书; 在检测结果为是 时, 则直接执行通过存储的所述数字证书与应用服务器建立连接。 图 9为本发明应用访问方法一实施例的流程示意图, 本实施例的方法 施例对方法仅做简单描述, 具体的执行原理可以结合参见设备实施例所述。 如图 9所示, 可以包括: 804. The application access device encrypts data transmitted between the application access device and the application server by using the private key after establishing a connection with the application server. Further, after the application access device generates the security access request, the method further includes: the application access device storing a correspondence between the digital certificate and the application. Further, after the application access device generates the security access request, before generating the key pair according to the security access request, the method further includes: the application access device according to the pair Correspondingly, detecting whether a digital certificate corresponding to the application has been stored; when the detection result is YES, directly establishing a connection with the application server by using the stored digital certificate. FIG. 9 is a schematic flowchart of an application access method according to an embodiment of the present invention. The method of the present embodiment is only described briefly. The specific implementation principle may be as described in conjunction with the device embodiment. As shown in FIG. 9, it may include:
901、 所述应用访问设备接收应用运行设备发送的安全访问请求, 所述 服务; 901. The application access device receives a security access request sent by an application running device, where the service is used.
902、 所述应用访问设备根据所述安全访问请求, 生成密钥对, 所述密 钥对包括公钥和私钥;  902. The application access device generates a key pair according to the security access request, where the key pair includes a public key and a private key.
903、 所述应用访问设备将所述公钥发送至所述应用运行设备, 以使得 所述应用运行设备使用所述公钥向证书服务器申请获得数字证书, 并且所 述应用运行设备通过所述数字证书与应用服务器建立连接;  903. The application access device sends the public key to the application running device, so that the application running device requests the certificate server to obtain a digital certificate by using the public key, and the application running device passes the number. The certificate establishes a connection with the application server;
904、 所述应用访问设备在所述应用运行设备与所述应用服务器建立连 接之后, 使用所述私钥对所述应用运行设备和应用服务器之间传输的数据 进行加密处理。 进一步的, 所述接收应用运行设备发送的安全访问请求, 包括: 所述 应用访问设备接收与所述应用访问设备通过 USB连接、 WIFI连接、 NFC 连接中的任意一种进行连接的所述应用运行设备发送的安全访问请求。 904. After the application running device establishes a connection with the application server, the application access device encrypts data transmitted between the application running device and the application server by using the private key. Further, the receiving the security access request sent by the application running device includes: the application accessing device receiving the application running connected with the application access device by using any one of a USB connection, a WIFI connection, and an NFC connection. A secure access request sent by the device.
进一步的, 所述应用访问设备具体是通过 PKCS#11接口, 接收所述应 用运行设备发送的所述安全访问请求。 进一步的, 所述应用访问设备将所述公钥发送至所述应用运行设备之 后, 进一步包括: 所述应用访问设备接收所述应用运行设备发送的所述数 字证书, 并存储所述数字证书与所述应用的对应关系。 进一步的, 在所述应用访问设备接收应用运行设备发送的安全访问请 求之后, 根据所述安全访问请求生成密钥对之前, 进一步包括: 所述应用 访问设备根据所述对应关系, 检测是否已经存储与所述应用对应的数字证 书; 在检测结果为是时, 则直接执行将存储的所述数字证书发送至所述应 立连接。 本领域普通技术人员可以理解: 实现上述各方法实施例的全部或部分 步骤可以通过程序指令相关的硬件来完成。 前述程序可以存储于一计算机 可读取存储介质中。 该程序在执行时, 执行包括上述各方法实施例的步骤; 而前述存储介质包括: ROM、 RAM, 磁碟或者光盘等可以存储程序代码的 介质。 最后应说明的是: 以上各实施例仅用以说明本发明的技术方案, 而非 对其限制; 尽管参照前述各实施例对本发明进行了详细的说明, 本领域的 普通技术人员应当理解: 其依然可以对前述各实施例所记载的技术方案进 行修改, 或者对其中部分或者全部技术特征进行等同替换; 而这些修改或 者替换, 并不使相应技术方案的本质脱离本发明各实施例技术方案的范围。 Further, the application access device specifically receives the security access request sent by the application running device by using a PKCS#11 interface. Further, after the application access device sends the public key to the application running device, the method further includes: the application access device receiving the digital certificate sent by the application running device, and storing the digital certificate and The corresponding relationship of the application. Further, after the application access device receives the security access request sent by the application running device, before generating the key pair according to the security access request, the method further includes: detecting, by the application access device, whether the storage device has been stored according to the corresponding relationship. Digital certificate corresponding to the application When the detection result is YES, the stored digital certificate is directly sent to the acknowledgment connection. It will be understood by those skilled in the art that all or part of the steps of implementing the above method embodiments may be performed by hardware related to the program instructions. The aforementioned program can be stored in a computer readable storage medium. The program, when executed, performs the steps including the foregoing method embodiments; and the foregoing storage medium includes: a medium that can store program codes, such as a ROM, a RAM, a magnetic disk, or an optical disk. It should be noted that the above embodiments are merely illustrative of the technical solutions of the present invention, and are not intended to be limiting; although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art The technical solutions described in the foregoing embodiments may be modified, or some or all of the technical features may be equivalently replaced; and the modifications or substitutions do not deviate from the technical solutions of the embodiments of the present invention. range.

Claims

权利要求 Rights request
1、 一种应用访问方法, 其特征在于, 所述方法包括: 应用访问设备生成安全访问请求, 所述安全访问请求用于请求为运行 在所述应用访问设备上的应用提供应用安全服务; 1. An application access method, characterized in that the method includes: the application access device generates a security access request, and the security access request is used to request to provide application security services for an application running on the application access device;
所述应用访问设备根据所述安全访问请求, 生成密钥对, 所述密钥对 包括公钥和私钥; 所述应用访问设备使用所述公钥向证书服务器申请获得数字证书, 并 且所述应用访问设备通过所述数字证书与应用服务器建立连接; The application access device generates a key pair according to the security access request, the key pair includes a public key and a private key; the application access device uses the public key to apply to the certificate server to obtain a digital certificate, and the The application access device establishes a connection with the application server through the digital certificate;
所述应用访问设备在与所述应用服务器建立连接之后, 使用所述私钥 对所述应用访问设备和应用服务器之间传输的数据进行加密处理。 After establishing a connection with the application server, the application access device uses the private key to encrypt data transmitted between the application access device and the application server.
2、 根据权利要求 1所述的方法, 其特征在于, 所述应用访问设备生成 安全访问请求之后, 进一步包括: 2. The method according to claim 1, characterized in that, after the application access device generates a security access request, it further includes:
所述应用访问设备存储所述数字证书与所述应用的对应关系。 The application access device stores the corresponding relationship between the digital certificate and the application.
3、 根据权利要求 2所述的方法, 其特征在于, 在所述应用访问设备生 成安全访问请求之后, 根据所述安全访问请求生成密钥对之前, 进一步包 括: 3. The method according to claim 2, characterized in that, after the application access device generates a secure access request and before generating a key pair according to the secure access request, it further includes:
所述应用访问设备根据所述对应关系, 检测是否已经存储与所述应用 对应的数字证书; The application access device detects whether the digital certificate corresponding to the application has been stored according to the corresponding relationship;
在检测结果为是时, 直接执行通过存储的所述数字证书与应用服务器 建立连接。 When the detection result is yes, directly establish a connection with the application server through the stored digital certificate.
4、 一种应用访问方法, 其特征在于, 所述方法包括: 应用访问设备接收应用运行设备发送的安全访问请求, 所述安全访问 所述应用访问设备根据所述安全访问请求, 生成密钥对, 所述密钥对 包括公钥和私钥; 所述应用访问设备将所述公钥发送至所述应用运行设备, 以使得所述 应用运行设备使用所述公钥向证书服务器申请获得数字证书, 并且所述应 用运行设备通过所述数字证书与应用服务器建立连接; 4. An application access method, characterized in that the method includes: the application access device receives a secure access request sent by an application running device, and the application access device generates a key pair according to the secure access request. , the key pair includes a public key and a private key; the application access device sends the public key to the application running device, so that the application running device uses the public key to apply to the certificate server to obtain a digital certificate , and the said should Use the running device to establish a connection with the application server through the digital certificate;
所述应用访问设备在所述应用运行设备与所述应用服务器建立连接之 后, 使用所述私钥对所述应用运行设备和应用服务器之间传输的数据进行 加密处理。 After the application running device establishes a connection with the application server, the application access device uses the private key to encrypt data transmitted between the application running device and the application server.
5、 根据权利要求 4所述的方法, 其特征在于, 所述接收应用运行设备 发送的安全访问请求, 包括: 5. The method according to claim 4, wherein the receiving the security access request sent by the application running device includes:
所述应用访问设备接收与所述应用访问设备通过 USB连接、 WIFI连 接、 NFC连接中的任意一种进行连接的所述应用运行设备发送的安全访问 请求。 The application access device receives a secure access request sent by the application running device connected to the application access device through any one of USB connection, WIFI connection, and NFC connection.
6、 根据权利要求 4或 5所述的方法, 其特征在于, 所述应用访问设备 接收应用运行设备发送的安全访问请求, 包括: 所述应用访问设备通过 PKCS#11接口, 接收所述应用运行设备发送的 所述安全访问请求。 6. The method according to claim 4 or 5, characterized in that the application access device receives the security access request sent by the application running device, including: the application access device receives the application running request through the PKCS#11 interface. The secure access request sent by the device.
7、 根据权利要求 4或 5所述的方法, 其特征在于, 所述应用访问设备 将所述公钥发送至所述应用运行设备之后, 进一步包括: 7. The method according to claim 4 or 5, characterized in that, after the application access device sends the public key to the application running device, it further includes:
所述应用访问设备接收所述应用运行设备发送的所述数字证书, 并存 储所述数字证书与所述应用的对应关系。 The application access device receives the digital certificate sent by the application running device, and stores the corresponding relationship between the digital certificate and the application.
8、 根据权利要求 7所述的方法, 其特征在于, 在所述应用访问设备接 收应用运行设备发送的安全访问请求之后, 根据所述安全访问请求生成密 钥对之前, 进一步包括: 8. The method according to claim 7, wherein after the application access device receives the security access request sent by the application running device and before generating a key pair according to the security access request, it further includes:
所述应用访问设备根据所述对应关系, 检测是否已经存储与所述应用 对应的数字证书; The application access device detects whether the digital certificate corresponding to the application has been stored according to the corresponding relationship;
在检测结果为是时, 直接执行将存储的所述数字证书发送至所述应用 连接。 When the detection result is yes, sending the stored digital certificate to the application connection is directly performed.
9、 一种应用访问设备, 其特征在于, 包括: 接口单元、 加密单元和应 用处理单元; 所述接口单元, 用于接收应用访问设备生成的安全访问请求, 所述安 全访问请求用于请求为运行在所述应用访问设备上的应用提供应用安全服 务; 9. An application access device, characterized by including: an interface unit, an encryption unit and an application processing unit; The interface unit is configured to receive a security access request generated by an application access device, where the security access request is used to request to provide application security services for an application running on the application access device;
所述加密单元, 用于根据所述安全访问请求, 生成密钥对, 所述密钥 对包括公钥和私钥; 以及, 在与所述应用服务器建立连接之后, 使用所述 私钥对所述应用访问设备和应用服务器之间传输的数据进行加密处理; 所述应用处理单元, 用于使用所述公钥向证书服务器申请获得数字证 书, 并且通过所述数字证书与应用服务器建立连接。 The encryption unit is configured to generate a key pair according to the secure access request, where the key pair includes a public key and a private key; and, after establishing a connection with the application server, use the private key to The data transmitted between the application access device and the application server is encrypted; the application processing unit is configured to use the public key to apply to the certificate server for a digital certificate, and establish a connection with the application server through the digital certificate.
10、 权利要求 9所述的应用访问设备, 其特征在于, 10. The application access device according to claim 9, characterized in that,
11、 权利要求 10所述的应用访问设备, 其特征在于, 所述加密单元, 进一步用于在所述接口单元接收所述安全访问请求之 后, 根据所述安全访问请求生成密钥对之前, 根据存储的所述对应关系, 检测是否已经存储与所述应用对应的数字证书; 所述应用处理单元, 进一步用于在所述加密单元的检测结果为是时, 直接执行通过存储的所述数字证书与应用服务器建立连接。 11. The application access device according to claim 10, wherein the encryption unit is further configured to: after the interface unit receives the secure access request and before generating a key pair according to the secure access request, according to The stored corresponding relationship is used to detect whether the digital certificate corresponding to the application has been stored; the application processing unit is further configured to directly execute the stored digital certificate when the detection result of the encryption unit is yes. Establish a connection with the application server.
12、 一种应用访问设备, 其特征在于, 所述应用访问设备与应用运行 设备建立通信连接, 所述应用访问设备包括: 接口单元和加密单元; 12. An application access device, characterized in that the application access device establishes a communication connection with an application running device, and the application access device includes: an interface unit and an encryption unit;
所述接口单元, 用于接收所述应用运行设备发送的安全访问请求, 所 全服务; 以及将所述加密单元将所述公钥发送至所述应用运行设备, 以使 得所述应用运行设备使用所述公钥向证书服务器申请获得数字证书, 并且 The interface unit is configured to receive a secure access request sent by the application running device to provide all services; and send the public key to the application running device by the encryption unit, so that the application running device uses The public key applies to the certificate server to obtain a digital certificate, and
所述加密单元, 用于根据所述安全访问请求, 生成密钥对, 所述密钥 对包括公钥和私钥; 以及, 在所述应用运行设备与所述应用服务器建立连 接之后, 使用所述私钥对所述应用运行设备和应用服务器之间传输的数据 进行加密处理。 The encryption unit is configured to generate a key pair according to the secure access request, where the key pair includes a public key and a private key; and, after the application running device establishes a connection with the application server, use the The private key encrypts data transmitted between the application running device and the application server.
13、 根据权利要求 12所述的设备, 其特征在于, 所述接口单元, 用于接收与所述应用访问设备通过 USB 连接、 WIFI 连接、 NFC连接中的任意一种进行连接的所述应用运行设备发送的安全访 问请求。 13. The device according to claim 12, characterized in that, The interface unit is configured to receive a secure access request sent by the application running device connected to the application access device through any one of USB connection, WIFI connection, and NFC connection.
14、 根据权利要求 12或 13所述的设备, 其特征在于, 所述接口单元 为 PKCS#11接口。 14. The device according to claim 12 or 13, characterized in that the interface unit is a PKCS#11 interface.
15、 根据权利要求 12或 13所述的设备, 其特征在于, 15. The device according to claim 12 or 13, characterized in that,
后, 接收所述应用运行设备发送的所述数字证书; Then, receive the digital certificate sent by the application running device;
16、 根据权利要求 15所述的设备, 其特征在于, 所述加密单元, 进一步用于在所述接口单元接收应用运行设备发送的 安全访问请求之后, 根据所述安全访问请求生成密钥对之前, 根据存储的 所述对应关系, 检测是否已经存储与所述应用对应的数字证书; 所述接口单元, 进一步用于在所述加密单元的检测结果为是时, 直接 16. The device according to claim 15, wherein the encryption unit is further configured to generate a key pair according to the secure access request after the interface unit receives the secure access request sent by the application running device. , according to the stored corresponding relationship, detect whether the digital certificate corresponding to the application has been stored; the interface unit is further configured to directly detect when the detection result of the encryption unit is yes.
PCT/CN2014/070668 2013-01-31 2014-01-15 Application access method and device WO2014117648A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310038423.8A CN103973647A (en) 2013-01-31 2013-01-31 Application access method and equipment
CN201310038423.8 2013-01-31

Publications (1)

Publication Number Publication Date
WO2014117648A1 true WO2014117648A1 (en) 2014-08-07

Family

ID=51242697

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/070668 WO2014117648A1 (en) 2013-01-31 2014-01-15 Application access method and device

Country Status (2)

Country Link
CN (1) CN103973647A (en)
WO (1) WO2014117648A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017015797A1 (en) * 2015-07-24 2017-02-02 程强 Information security transmission method and system for ordering system
CN106921639A (en) * 2015-12-28 2017-07-04 航天信息股份有限公司 Mobile digital certificate application method and device
CN107359994A (en) * 2017-07-19 2017-11-17 国家电网公司 The integrated encryption device that a kind of quantum cryptography blends with classical password
CN109639427B (en) * 2017-10-09 2021-01-29 华为技术有限公司 Data sending method and equipment
CN108769024B (en) * 2018-05-30 2020-11-13 中国电子信息产业集团有限公司第六研究所 Data acquisition method and multi-data operator negotiation service system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1838141A (en) * 2006-02-05 2006-09-27 刘亚威 Technology for improving security of accessing computer application system by mobile phone
CN101527024A (en) * 2008-03-06 2009-09-09 同方股份有限公司 Safe web bank system and realization method thereof
CN102054258A (en) * 2010-12-16 2011-05-11 中国建设银行股份有限公司 Electronic bank safety certificating method and system based on mobile equipment

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101676925B (en) * 2008-09-16 2011-04-27 联想(北京)有限公司 Computer system and method of setting authentication information in security chip
CN101527634B (en) * 2008-12-31 2011-08-17 北京飞天诚信科技有限公司 System and method for binding account information with certificates
CN101547095B (en) * 2009-02-11 2011-05-18 广州杰赛科技股份有限公司 Application service management system and management method based on digital certificate
CN101957958A (en) * 2010-09-19 2011-01-26 中兴通讯股份有限公司 Method and mobile phone terminal for realizing network payment
CN102904865B (en) * 2011-07-29 2016-05-25 中国移动通信集团公司 A kind of management method, system and equipment of the multiple digital certificates based on mobile terminal
CN102523095B (en) * 2012-01-12 2015-04-15 公安部第三研究所 User digital certificate remote update method with intelligent card protection function
CN102811224A (en) * 2012-08-02 2012-12-05 天津赢达信科技有限公司 Method, device and system for implementation of SSL (secure socket layer)/TLS (transport layer security) connection

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1838141A (en) * 2006-02-05 2006-09-27 刘亚威 Technology for improving security of accessing computer application system by mobile phone
CN101527024A (en) * 2008-03-06 2009-09-09 同方股份有限公司 Safe web bank system and realization method thereof
CN102054258A (en) * 2010-12-16 2011-05-11 中国建设银行股份有限公司 Electronic bank safety certificating method and system based on mobile equipment

Also Published As

Publication number Publication date
CN103973647A (en) 2014-08-06

Similar Documents

Publication Publication Date Title
CN109088889B (en) SSL encryption and decryption method, system and computer readable storage medium
CN108476404B (en) Apparatus and method for pairing
JP6797828B2 (en) Cloud-based cryptographic machine key injection methods, devices, and systems
EP3424195B1 (en) Encrypted password transport across untrusted cloud network
USH2270H1 (en) Open protocol for authentication and key establishment with privacy
US11134069B2 (en) Method for authorizing access and apparatus using the method
US11190503B2 (en) Resource processing method, apparatus, and system, and computer-readable medium
RU2756040C2 (en) Addressing trusted execution environment using signature key
TWI734854B (en) Information security verification method, device and system
WO2016011778A1 (en) Data processing method and apparatus
WO2014183392A1 (en) Secure communication authentication method and system in distributed environment
US9948616B2 (en) Apparatus and method for providing security service based on virtualization
WO2020042822A1 (en) Cryptographic operation method, method for creating work key, and cryptographic service platform and device
US10601590B1 (en) Secure secrets in hardware security module for use by protected function in trusted execution environment
TWI636373B (en) Method and device for authorizing between devices
WO2014117648A1 (en) Application access method and device
TW201638822A (en) Method and device for identity authentication of process
JP5827724B2 (en) Method and apparatus for entering data
US20210328779A1 (en) Method and apparatus for fast symmetric authentication and session key establishment
US11997192B2 (en) Technologies for establishing device locality
WO2019120231A1 (en) Method and device for determining trust state of tpm, and storage medium
US20240028759A1 (en) Database access method and apparatus
WO2023246509A1 (en) Gene data processing method and apparatus, device and medium
US20220353062A1 (en) Integrated circuit module functioning for information security
CN114065170A (en) Method and device for acquiring platform identity certificate and server

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14746741

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14746741

Country of ref document: EP

Kind code of ref document: A1