HK1233345A - A data processing method - Google Patents
- Publication number: HK1233345A
- Authority: HK (Hong Kong)
- Prior art keywords: mobile terminal, short message, data, verification code, target
Description
Technical Field
The invention relates to the field of data processing, in particular to a data processing method.
Background
With the development of network technology and information technology, data of many kinds is widely used, but at the same time this brings data security problems.
Data can be divided into general data and sensitive data according to its importance, privacy and the like. Sensitive data may contain the user's private information or account information, or other data that may threaten the security of the user's data, so sensitive data needs more comprehensive protection.
In the prior art, sensitive data is generally protected by encryption, but with the spread of trojans, viruses and other malicious software, protecting sensitive data by encryption alone is insufficient.
Disclosure of Invention
The embodiment of the invention provides a data processing method which can improve data security.
A method of data processing, comprising:
the mobile terminal reads encrypted data, wherein the encrypted data is obtained by encrypting sensitive data;
the mobile terminal decrypts the encrypted data to obtain target data;
if the target data is not consistent with the sensitive data, the mobile terminal determines that the target data is illegal data;
and if the target data is consistent with the sensitive data, displaying the target data through a trusted user interface TUI in a trusted execution environment TEE.
According to the technical scheme, the invention has the following advantages:
After the mobile terminal reads the encrypted data, it decrypts the encrypted data to obtain target data. If the target data is determined to be consistent with the sensitive data, the target data is normal data and can be displayed through the TUI in the TEE. Because the TEE and the TUI are subject to security constraints, displaying the target data through the TUI in the TEE prevents the sensitive data from being leaked and improves data security.
Drawings
FIG. 1 is a flow chart of a data processing method of the present invention.
Detailed Description
The embodiment of the invention provides a data processing method which can improve data security.
The basic architecture of TrustZone is known in the prior art. The Trusted Execution Environment (TEE) is a concept proposed by the GlobalPlatform organization (GP). It is based on the TrustZone technology of ARM (Advanced RISC Machines) and runs in a device to provide a security framework between the rich operating system (Rich OS) and the Secure Element (SE).
Rich OS: a rich operating system, for example the Android rich execution environment. It can run on mobile devices such as smartphones, tablet computers and smart watches, and provides rich functional interfaces through which Android applications can meet various requirements, such as wireless communication and online shopping. However, its security is relatively low and its data is easy to steal.
SE: the secure element, typically provided in the form of a chip. To prevent external malicious analysis attacks and protect data security, an encryption/decryption logic circuit is built into the chip.
Security in the open environment of mobile devices is of increasing concern, not only to end users but also to service providers, mobile operators and chip vendors. The TEE (corresponding to the Trusted OS) is a runtime environment that coexists on the device with the REE (Rich Execution Environment, corresponding to the Rich OS, typically Android) and provides security services to the Rich OS. It has its own execution space and a higher security level than the Rich OS, while costing less than an SE (usually a smart card), and it can meet the security requirements of most applications.
When the TEE and the REE run on the same device, the TEE ensures that sensitive data is stored, processed and protected in a trusted environment, provides a secure execution environment for authorized security software (trusted applications, TA), and achieves end-to-end security through execution protection, confidentiality, integrity and data access control.
CA: the client application, also referred to as a third-party application, runs on the REE. Well-known application stores include Apple's App Store, Google's Google Play Store, BlackBerry's BlackBerry App World, Microsoft's Market, and others.
TA: the trusted application, which exists to provide security services for CAs in the REE, runs on the TEE.
The interface between the TEE and the Rich OS is called the TEE client API (application programming interface), which GP standardized in 2010; the TEE internal API between the TA and the Trusted OS was standardized in 2011. There are also supplementary functional APIs, such as the TEE function API.
In particular, the CA may access the TA through the TEE client API located in the REE. The TEE may support multiple TAs developed by different providers that execute independently of each other, and the TAs may gain controlled access to secure resources and services through the TEE internal API. Examples of TEE security services include key storage and management, encryption, secure clocks and trusted user interfaces.
TUI: the trusted user interface. When key information is displayed or key user data (such as a password) is entered, hardware resources such as the screen and keyboard are fully controlled and accessed by the TEE, and software in the Rich OS cannot access them.
It should be noted that, in order to guarantee the TA of the TEE itself, the TEE is authenticated and isolated from the Rich OS during the secure boot process. In the TEE, each TA is independent of the others, and TAs cannot access each other without authorization. Because the TUI of the TEE prohibits all applications from capturing the current screen, the TEE can provide protection for user authentication, transaction confirmation, transaction processing and the like.
Referring to FIG. 1, a data processing method includes:
101. The mobile terminal reads the encrypted data;
In this embodiment, the encrypted data is obtained by encrypting the sensitive data. In some possible embodiments, the encryption may use an algorithm conforming to a data encryption standard, or an algorithm conforming to other standards, which is not limited herein.
The sensitive data may include at least one of an identification number, a validity period, an amount of money, a password, and a verification code, but is not limited thereto.
102. The mobile terminal decrypts the encrypted data to obtain target data;
In some possible embodiments, the decryption algorithm used by the mobile terminal may be the inverse operation of the encryption algorithm in step 101, or may be another operation, provided that the decrypted data is the same as the sensitive data when neither the sensitive data nor the encrypted data has been tampered with; this is not limited herein.
In some possible embodiments, the decryption algorithm may decrypt each part of the encrypted data and combine the decrypted parts into a character string according to a preset rule to recover the original sensitive data, or it may decrypt the encrypted data as a whole to obtain a single character string as the original sensitive data; this is not limited herein.
103. If the target data is not consistent with the sensitive data, the mobile terminal determines that the target data is illegal data;
The mobile terminal decrypts the encrypted data to obtain target data, and if the target data is not consistent with the sensitive data, the mobile terminal determines that the target data is illegal data.
In other possible embodiments, when decryption fails or the target data obtained by decryption differs from the sensitive data, the mobile terminal considers that the sensitive data or the encrypted data has been tampered with. If only the sensitive data has been tampered with, decryption yields the original sensitive data as the target data. If the encrypted data has been tampered with, decryption may fail, or the decrypted data may be garbled; even if it is a normal character string, it differs from the sensitive data. Therefore, when decryption is unsuccessful or the target data obtained by decryption differs from the sensitive data, the encrypted data or the sensitive data can be considered to have been tampered with.
It should be noted that, if it is determined that the sensitive data has been tampered with, the mobile terminal deletes the illegal data and gives an alarm to the user.
104. If the target data is consistent with the sensitive data, the target data is displayed through a trusted user interface TUI in a trusted execution environment TEE.
The mobile terminal decrypts the encrypted data to obtain target data, and if the target data is consistent with the sensitive data, the target data is displayed through a trusted user interface TUI in a trusted execution environment TEE.
In some feasible embodiments, decryption succeeds and the obtained target data is the same as the sensitive data. That is, the character string formed by combining the decrypted target data according to a certain rule is compared character by character with the character string formed by combining the sensitive data according to a preset rule, and when the two are completely consistent, the target data and the sensitive data are considered the same. The mobile terminal then considers that the sensitive data has not been tampered with and is still safe.
In some possible embodiments, the target data is obtained if the mobile terminal successfully decrypts the encrypted data. Because the encrypted data was produced with a specific encryption algorithm, decryption will probably not recover the original data if the encrypted data has been tampered with, so when decryption succeeds the encrypted data is considered not to have been tampered with. The target data is regarded as the original, correct sensitive data, so if the comparison shows that the target data is the same as the sensitive data, the sensitive data is known not to have been tampered with. When neither the encrypted data nor the sensitive data has been tampered with, the sensitive data can be considered safe.
Specifically, the sensitive data in this embodiment is verification code information;
the mobile terminal reading the encrypted data comprises:
the mobile terminal receives a request for displaying the verification code information in a rich execution environment REE;
and the mobile terminal reads the encrypted data corresponding to the verification code information according to the request.
In this embodiment, before the mobile terminal reads the encrypted data, the method further includes:
the mobile terminal carries out rule combination on the verification code information to obtain a character string;
and the mobile terminal encrypts the character string in the TEE by adopting a preset encryption algorithm to obtain the encrypted data.
In this embodiment, the reading, by the mobile terminal, the encrypted data corresponding to the verification code information according to the request includes:
and the mobile terminal extracts the encrypted data from the specified storage location according to the request.
The specified storage location in this embodiment includes:
any one of a shared memory of the TEE and the REE, a storage unit in the TEE, an encryption database in the REE, and a memory in the REE.
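The flow of steps 101 to 104, together with the rule combination and TEE-side encryption just described, can be modelled as follows. This is an added example, not code from the patent: the field-joining rule, the HMAC-SHA256 counter-mode stand-in cipher, the key, the record layout and all function names are assumptions made so that it runs with the Python standard library only.

```python
import hashlib
import hmac
import os

def combine(info):
    # Assumed "preset rule": fixed field order joined with "|".
    return "|".join([info["sender"], info["code"], info["expires"]])

def _keystream(key, nonce, length):
    # Stand-in cipher (HMAC-SHA256 in counter mode); the page names no algorithm.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def tee_encrypt(key, text):
    nonce, data = os.urandom(16), text.encode("utf-8")
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def tee_decrypt(key, blob):
    nonce, body = blob[:16], blob[16:]
    plain = bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))
    return plain.decode("utf-8")  # raises UnicodeDecodeError on garbled output

def process(key, store, request_id, alerts):
    """Steps 101-104. Returns ('display_via_tui', text) or ('illegal', None)."""
    record = store[request_id]
    encrypted = record["encrypted"]                      # 101: read encrypted data
    try:
        target = tee_decrypt(key, encrypted)             # 102: decrypt
    except UnicodeDecodeError:
        target = None                                    # decryption failed
    expected = combine(record["sensitive"])
    same = target is not None and hmac.compare_digest(
        target.encode("utf-8"), expected.encode("utf-8"))
    if not same:                                         # 103: illegal data
        del store[request_id]                            # delete and raise an alarm
        alerts.append("tampering detected for " + request_id)
        return ("illegal", None)
    return ("display_via_tui", target)                   # 104: hand to the TUI

def demo():
    key = b"\x01" * 32  # constructed key; on a device it would never leave the TEE
    info = {"sender": "10690000", "code": "482913", "expires": "300"}  # constructed
    alerts, results = [], {}

    def run(name, tamper):
        store = {"req": {"sensitive": dict(info),
                         "encrypted": tee_encrypt(key, combine(info))}}
        tamper(store["req"])
        results[name] = process(key, store, "req", alerts)
        return store

    def flip(mask):
        def tamper(rec):
            blob = rec["encrypted"]
            rec["encrypted"] = blob[:-1] + bytes([blob[-1] ^ mask])
        return tamper

    run("untouched", lambda rec: None)
    run("sensitive_tampered", lambda rec: rec["sensitive"].update(code="000000"))
    run("ciphertext_bitflip", flip(0x01))        # decrypts to a different string
    left = run("decrypt_failure", flip(0x80))    # decrypts to invalid UTF-8
    results["deleted"] = "req" not in left
    results["alerts"] = len(alerts)
    return results
```

Only the untouched record reaches the TUI branch; a modified REE-side copy, a flipped ciphertext bit and an undecodable plaintext all end in the delete-and-alarm branch.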
In this embodiment, the verification code information is included in the verification code short message;
the method further comprises the following steps:
the mobile terminal receives a target short message;
and the mobile terminal judges whether the target short message is a verification code short message, and if so, the mobile terminal reads the encrypted data.
In this embodiment, the determining, by the mobile terminal, whether the target short message is a verification code short message includes:
the mobile terminal judges whether a sender of the target short message is in a white list, wherein the white list is a registered application list capable of sending the verification code short message;
if yes, the mobile terminal determines that the target short message is a white list short message;
in the REE, the mobile terminal judges whether the content of the white list short message contains text information;
if so, the mobile terminal determines the white list short message as a text short message;
in REE, the mobile terminal judges whether the text information of the text short message contains key words and numbers and/or letters of a verification code;
and if so, the mobile terminal determines the text short message as a verification code short message.
Or, in this embodiment, it may also be determined whether the target short message is a verification code short message through other manners, which specifically includes:
the mobile terminal judges whether a sender of the target short message is in a white list, wherein the white list is a registered application list capable of sending the verification code short message;
if yes, the mobile terminal determines that the target short message is a white list short message;
the mobile terminal judges whether a Protocol Data Unit (PDU) field of the white list short message contains a verification code short message flag bit;
and if so, the mobile terminal determines the white list short message as a verification code short message.
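Both ways of deciding whether a target short message is a verification code short message can be sketched as below. This is an added example, not code from the patent: the keyword list, the 4 to 8 character code shape, the flag bit value, the message dictionary layout and the sample messages are all assumptions.

```python
import re

KEYWORDS = ("verification code", "验证码")  # assumed keyword list
# Assumed code shape: 4-8 ASCII letters/digits with at least one digit, so that
# ordinary words are not mistaken for a code. ASCII lookarounds are used instead
# of \b so a code directly after CJK text is still found.
CODE_RE = re.compile(
    r"(?<![A-Za-z0-9])(?=[A-Za-z0-9]*\d)[A-Za-z0-9]{4,8}(?![A-Za-z0-9])")
VERIFICATION_FLAG = 0x01  # hypothetical flag bit; the page does not define it

def classify_by_content(msg, whitelist):
    """White list, then text check, then keyword plus code. Returns (verdict, code)."""
    if msg["sender"] not in whitelist:
        return ("not_whitelisted", None)
    text = msg.get("text")
    if not text or not text.strip():
        return ("whitelisted_non_text", None)      # white list SMS without text
    lowered = text.lower()
    if not any(keyword in lowered for keyword in KEYWORDS):
        return ("text_sms", None)                  # text SMS, no keyword
    match = CODE_RE.search(text)
    if match is None:
        return ("text_sms", None)                  # keyword but no code
    return ("verification_code_sms", match.group(0))

def classify_by_pdu_flag(msg, whitelist):
    """White list, then the flag bit carried in the PDU field. Returns a verdict."""
    if msg["sender"] not in whitelist:
        return "not_whitelisted"
    if msg.get("pdu_flags", 0) & VERIFICATION_FLAG:
        return "verification_code_sms"
    return "whitelisted_sms"

# Constructed sample data.
WHITELIST = {"10690000"}
SAMPLES = {
    "code_en": {"sender": "10690000",
                "text": "Your verification code is 482913, valid for 5 minutes."},
    "code_zh": {"sender": "10690000", "text": "验证码482913，5分钟内有效"},
    "unknown_sender": {"sender": "13800001111",
                       "text": "Your verification code is 482913."},
    "no_text": {"sender": "10690000", "text": None},
    "no_keyword": {"sender": "10690000", "text": "Parcel 77120 arrives today"},
}

def demo():
    return {name: classify_by_content(msg, WHITELIST) for name, msg in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```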
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (9)
1. A data processing method, comprising:
the mobile terminal reads encrypted data, wherein the encrypted data is obtained by encrypting sensitive data;
the mobile terminal decrypts the encrypted data to obtain target data;
if the target data is not consistent with the sensitive data, the mobile terminal determines that the target data is illegal data;
and if the target data is consistent with the sensitive data, displaying the target data through a trusted user interface TUI in a trusted execution environment TEE.
2. The method of claim 1, wherein the sensitive data is verification code information;
the mobile terminal reading the encrypted data comprises:
the mobile terminal receives a request for displaying the verification code information in a rich execution environment REE;
and the mobile terminal reads the encrypted data corresponding to the verification code information according to the request.
3. The method of claim 2, wherein before the mobile terminal reads the encrypted data, the method further comprises:
the mobile terminal carries out rule combination on the verification code information to obtain a character string;
and the mobile terminal encrypts the character string in the TEE by adopting a preset encryption algorithm to obtain the encrypted data.
4. The method according to claim 3, wherein the reading, by the mobile terminal, the encrypted data corresponding to the verification code information according to the request comprises:
and the mobile terminal extracts the encrypted data from the specified storage location according to the request.
5. The method of claim 4, wherein the specified storage location comprises:
any one of a shared memory of the TEE and the REE, a storage unit in the TEE, an encryption database in the REE, and a memory in the REE.
6. The method of claim 5, wherein the verification code information is included in a verification code short message;
the method further comprises the following steps:
the mobile terminal receives a target short message;
and the mobile terminal judges whether the target short message is a verification code short message, and if so, the mobile terminal reads the encrypted data.
7. The method of claim 6, wherein the determining, by the mobile terminal, whether the target short message is a verification code short message comprises:
the mobile terminal judges whether a sender of the target short message is in a white list, wherein the white list is a registered application list capable of sending the verification code short message;
if yes, the mobile terminal determines that the target short message is a white list short message;
in the REE, the mobile terminal judges whether the content of the white list short message contains text information;
if so, the mobile terminal determines the white list short message as a text short message;
in REE, the mobile terminal judges whether the text information of the text short message contains key words and numbers and/or letters of a verification code;
and if so, the mobile terminal determines the text short message as a verification code short message.
8. The method of claim 6, wherein the determining, by the mobile terminal, whether the target short message is a verification code short message comprises:
the mobile terminal judges whether a sender of the target short message is in a white list, wherein the white list is a registered application list capable of sending the verification code short message;
if yes, the mobile terminal determines that the target short message is a white list short message;
the mobile terminal judges whether a Protocol Data Unit (PDU) field of the white list short message contains a verification code short message flag bit;
and if so, the mobile terminal determines the white list short message as a verification code short message.
9. The method according to any one of claims 1 to 8, wherein after the mobile terminal determines that the target data is illegal data, the method further comprises:
and the mobile terminal deletes the illegal data and gives an alarm to a user.
Publications (3)
| Publication Number | Publication Date |
|---|---|
| HK1233345A | 2018-01-26 |
| HK1233345A1 | 2018-01-26 |
| HK1233345B | 2019-06-14 |