TRUSTED EXECUTION ENVIRONMENT (TEE)-BASED PASSWORD MANAGEMENT METHOD AND SYSTEM

20210374227 · 2021-12-02

Abstract

The present disclosure discloses a trusted execution environment (TEE)-based password management method and system. This method assumes a hardware trusted environment on a mobile end. A user authorizes the hardware trusted environment, and an independent operating system in the trusted environment automatically performs password management operations. The TEE registers an independent strong password for each account, and stores a correspondence between accounts and applications (or websites) in a hardware security zone. When an application requests login, an account list corresponding to the application is returned for a user to select. Through point-to-point encrypted transmission, different trusted devices can synchronize stored password information. In addition, a trusted mobile end can manage applications (or websites) on other devices without a TEE, such as laptops. This method solves the problem that users find it difficult to remember a large number of complex passwords, and ensures the security of the password management system itself.

Claims

1. A trusted execution environment (TEE)-based password management method, comprising: a) when receiving a request for entering a password from an application, sending the request to a TEE for processing; b) creating, by the TEE, a strong password for an account of the application; and c) storing a correspondence between the application and the account in a hardware security zone, and returning a stored account list for a user to select upon application login.

2. The TEE-based password management method according to claim 1, wherein the method further comprises: creating, by the application, a new strong password for the account in the TEE, wherein application-account binding information is stored in a trust zone, and registration of a plurality of new accounts and passwords is supported.

3. The TEE-based password management method according to claim 1, wherein when the application requests login, a plurality of bound registered accounts are retrieved in the TEE and returned, and a user selects an account for login.

4. The TEE-based password management method according to claim 1, wherein a password operation involving the TEE requires user authorization, comprising but not limited to fingerprint recognition, iris recognition, face recognition, and super password input; and the password operation is rejected if authentication fails.

5. The TEE-based password management method according to claim 1, wherein in addition to managing accounts of local applications, the TEE is able to manage websites simply by taking a picture or copying the websites to a management system.

6. The TEE-based password management method according to claim 1, wherein a trusted device is also used to manage other devices without a TEE, comprising but not limited to computers; the trusted device is connected to a computer through an encrypted point-to-point channel; a computer-end management system transmits an application ID or a URL; after TEE authorization succeeds, the trusted device registers or retrieves a corresponding account and returns it to the computer; and the computer management system performs automatic login, wherein the trusted device is a mobile phone.

7. A TEE-based password management system, comprising: a) a generation module, configured to receive a request for generating a password from a TEE, and randomly generate a strong password for an account, wherein the generation module is connected to a storage module; b) the storage module, configured to receive application information and account information, and store them in a hardware security zone in pairs, wherein the storage module is connected to the generation module, an output module, and an authentication module; c) the output module, configured to receive the application information, retrieve a corresponding account in the storage module, and return it to a requester application after authentication by the authentication module, wherein the output module is connected to the storage module; d) the authentication module, connected to the storage module, wherein all read and write operations on the storage module need to be authenticated, and the authentication module comprises but is not limited to a fingerprint authentication module, an iris authentication module, a face recognition module, and a super password input module in a mobile phone.

8. The TEE-based password management system according to claim 7, wherein the system further supports point-to-point interconnection between storage modules of two different trusted devices; and when both parties are authenticated by authentication modules, data in a security zone is synchronized through an encrypted point-to-point channel in device replacement, backup, or addition scenarios.

Description

BRIEF DESCRIPTION OF DRAWINGS

[0026] FIG. 1 is a schematic diagram of a TEE-based password management method.

[0027] FIG. 2 is a schematic diagram of a TEE-based password management system.

[0028] FIG. 3 is a schematic diagram of cross-device management.

DETAILED DESCRIPTION

[0029] To more clearly describe the specific implementations of this system, the following describes the steps in detail with reference to the schematic diagrams.

[0030] As shown in FIG. 1, a TEE-based password management method includes the following steps.

[0031] S1. An application requests to create a new account.

[0032] Specifically, the application requests a password management system to create a new account. The password management system includes a client application and a trusted-end application, which are responsible for the non-password part and the password part, respectively. The non-password part is forwarded to a normal operating system through a client interface, and is input by a user. The password part is forwarded to a TEE through a trusted-end interface, and is automatically created by the TEE. The TEE is a security zone in a CPU. It runs in an independent environment, concurrently with the operating system. The client interface and the trusted-end interface are identified by a universally unique identifier (UUID). Only two parties with the same UUID can interact with each other.

[0033] The TEE requests user authorization. The authorization methods may include but are not limited to face recognition, fingerprint recognition, and iris recognition. A fingerprint template in the TEE is compared with a fingerprint entered by a user. If the comparison fails, the operation is prohibited. If the comparison succeeds, the TEE stores an application ID and corresponding created account information in a trust zone. The trust zone is a system-level chip-level security technology, which isolates a hardware system from the security environment. The content in the trust zone cannot be directly accessed by the application. For a web end, an application ID can be entered or a photo can be taken to obtain its URL as the application ID. A plurality of accounts can be created for the same application ID.

[0034] S2. A client application requests login.

[0035] Specifically, the client requests login and sends an application ID to the TEE. The TEE requests user authorization. The authorization methods may include but are not limited to face recognition, fingerprint recognition, and iris recognition. A fingerprint template in the TEE is compared with a fingerprint entered by a user. If the comparison fails, the operation is prohibited. If the comparison succeeds, the TEE retrieves and returns accounts corresponding to the application ID. The user selects one of the accounts to log in.

[0036] S3. Perform cross-device management.

[0037] As shown in FIG. 2, a device with a TEE (known as a mobile end) such as a mobile phone implements automatic password authorization for a device without a TEE (known as a computer end) such as a laptop or a tablet computer.

[0038] Specifically, the password management client is installed on the computer end. For a computer-end application, a computer-end password management system detects its application ID. If the application is a web application, its application ID is obtained from its URL through an SHA-1 hash value. The computer-end password management system transmits the application ID to the mobile end through an encrypted point-to-point channel. After authorization, the mobile end selects a login account, and returns it to the computer-end password management system, which then controls the login.

[0039] As shown in FIG. 3, a TEE-based password management system includes the following modules.

[0040] Generation module. When the request command is "generate", the TEE generates a random password through the generation module. The generated password uses an application ID as a random number seed.

[0041] Storage module. When the request command is "write", the storage module calls the generation module to generate a random password, and stores the password in a hardware security zone together with the application ID and an account.

[0042] Output module. When the request command is "read", the output module reads the corresponding account list based on the application ID from the storage module, and returns it for a user to select an account for login.

[0043] Authentication module. When being read or written, the storage module calls the authentication module. The authentication module requests user authorization, including but not limited to fingerprint recognition, iris recognition, face recognition, and super password. After the user passes identity authentication, the authentication module authorizes the storage module to read or write the password.

[0044] The storage module can be connected through an encrypted point-to-point channel, including but not limited to Bluetooth and WLAN connection. When both parties are authenticated by the authentication module, data in a security zone can be synchronized through an encrypted point-to-point channel in scenarios such as device replacement, backup, or addition.
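The following is an added worked example, not code from the patent or from any product implementing it. It models steps S1 to S3 of the method and the four modules of the system in plain Python: a `TrustedEnd` class stands in for the TEE side (the `records` dictionary plays the role of the hardware security zone, a string plays the role of an enrolled fingerprint template), `app_id_from_url` derives a web application's ID as the SHA-1 hex digest of its URL as the description states, and `computer_end_login` plays the computer end of the cross-device flow, with the encrypted point-to-point channel assumed to already exist. All names, the sample URL and the fingerprint strings are constructed for the example. One deliberate deviation is labelled in the code: the page seeds the password generator with the application ID, whereas this example draws the password from the OS CSPRNG, because a password that is a deterministic function of a public application ID could be regenerated by anyone who knows that ID.

```python
import hashlib
import secrets
import string
from dataclasses import dataclass, field

# Constructed sample: the fingerprint "template" enrolled in the device's TEE.
# A real device compares biometric templates; a string stands in for one here.
ENROLLED_FINGERPRINT = "fp-template-owner"


def app_id_from_url(url: str) -> str:
    """Application ID for a web application: SHA-1 hex digest of its URL, as the
    page describes. SHA-1 is only a stable label for the URL here, not a security primitive."""
    return hashlib.sha1(url.encode("utf-8")).hexdigest()


def generate_password(length: int = 20) -> str:
    """Generation module. Deviation from the page: the password comes from the OS
    CSPRNG rather than a generator seeded with the application ID, so it cannot be
    recomputed by anyone who merely knows the (public) application ID."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


class AuthorizationDenied(Exception):
    """Raised when the authentication module rejects the user."""


@dataclass
class TrustedEnd:
    """TEE side: storage, output and authentication modules.
    `records` stands in for the hardware security zone: app_id -> {account: password}."""
    enrolled_fingerprint: str
    records: dict = field(default_factory=dict)

    def authorized(self, fingerprint: str) -> bool:
        # Authentication module: constant-time comparison against the enrolled template.
        return secrets.compare_digest(fingerprint, self.enrolled_fingerprint)

    def _authenticate(self, fingerprint: str) -> None:
        # Every read or write of the store passes through here; failure rejects the operation.
        if not self.authorized(fingerprint):
            raise AuthorizationDenied("user authorization failed; operation rejected")

    def register(self, app_id: str, account: str, fingerprint: str) -> str:
        """S1 / storage module 'write': create a strong password for (app_id, account)
        and bind it to the application. Several accounts per app_id are allowed."""
        self._authenticate(fingerprint)
        password = generate_password()
        self.records.setdefault(app_id, {})[account] = password
        return password

    def accounts_for(self, app_id: str, fingerprint: str) -> list:
        """S2 / output module 'read': the bound account list for the user to pick from."""
        self._authenticate(fingerprint)
        return sorted(self.records.get(app_id, {}))

    def password_for(self, app_id: str, account: str, fingerprint: str) -> str:
        """Release the stored password for the account the user selected."""
        self._authenticate(fingerprint)
        return self.records[app_id][account]

    def sync_to(self, other: "TrustedEnd", my_fp: str, their_fp: str) -> int:
        """Point-to-point synchronization: both parties authenticate before any record
        leaves the security zone. Returns the number of records copied."""
        self._authenticate(my_fp)
        other._authenticate(their_fp)
        copied = 0
        for app_id, accounts in self.records.items():
            for account, password in accounts.items():
                other.records.setdefault(app_id, {})[account] = password
                copied += 1
        return copied


def computer_end_login(mobile: TrustedEnd, url: str, fingerprint: str, chosen: str) -> tuple:
    """S3 cross-device flow: the computer end derives the application ID from the URL and
    sends it to the mobile end (message 1); after authorization the mobile end returns the
    account list, and then the password for the account the user chose (message 2)."""
    app_id = app_id_from_url(url)
    accounts = mobile.accounts_for(app_id, fingerprint)
    if chosen not in accounts:
        raise KeyError(f"{chosen!r} is not bound to this application")
    return chosen, mobile.password_for(app_id, chosen, fingerprint)


if __name__ == "__main__":
    phone = TrustedEnd(ENROLLED_FINGERPRINT)
    site = app_id_from_url("https://mail.example.test/login")  # constructed URL
    phone.register(site, "alice", ENROLLED_FINGERPRINT)
    phone.register(site, "alice-work", ENROLLED_FINGERPRINT)
    print("accounts:", phone.accounts_for(site, ENROLLED_FINGERPRINT))
    print("stranger authorized?", phone.authorized("fp-template-stranger"))
    print("computer-end login:", computer_end_login(phone, "https://mail.example.test/login",
                                                    ENROLLED_FINGERPRINT, "alice")[0])
```

The point the model makes visible is that every path to `records` (registration, account listing, password release, and both ends of a synchronization) goes through the authentication module first, which is the property claims 7 and 8 rely on; a real implementation would additionally keep `records` inside the TEE's sealed storage rather than in process memory.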