阅读说明：本技术 可信应用程序的调用方法、装置、设备及计算机存储介质 (Calling method, device and equipment of trusted application program and computer storage medium ) 是由 刘耕 骆平 于 2020-04-26 设计创作，主要内容包括：本发明实施例提供了一种可信应用程序的调用方法、装置、设备及计算机存储介质。该可信应用程序的调用方法,包括：接收客户端应用程序发送的第一通信信息；判断第一通信信息是否满足预设条件；若第一通信信息满足预设条件,则控制客户端应用程序调用客户端应用程序对应的可信应用程序。根据本发明实施例的可信应用程序的调用方法、装置、设备及计算机存储介质,能够更加安全地进行可信应用程序的调用。(The embodiment of the invention provides a method, a device and equipment for calling a trusted application program and a computer storage medium. The calling method of the trusted application program comprises the following steps: receiving first communication information sent by a client application program; judging whether the first communication information meets a preset condition or not; and if the first communication information meets the preset condition, controlling the client application program to call a trusted application program corresponding to the client application program. According to the calling method, the calling device, the calling equipment and the computer storage medium of the trusted application program, the trusted application program can be called more safely.)

1. A method for calling a trusted application, comprising:

receiving first communication information sent by a client application program;

judging whether the first communication information meets a preset condition or not;

and if the first communication information meets the preset condition, controlling the client application program to call a trusted application program corresponding to the client application program.

2. The method for calling the trusted application program according to claim 1, wherein the preset condition comprises a composition structure condition and/or an information content condition that communication information should satisfy; the judging whether the first communication information meets a preset condition includes:

judging whether the first communication information meets the composition structure condition and/or the information content condition;

if the first communication information meets the preset condition, controlling the client application program to call a trusted application program corresponding to the client application program, including:

and if the first communication information meets the composition structure condition and/or the information content condition, controlling the client application program to call a trusted application program corresponding to the client application program.

3. The method for calling the trusted application according to claim 2, wherein the component structure condition is: the communication information consists of a random character string, preset information and a timestamp; if the first communication information meets the composition structure condition and the information content condition, controlling the client application program to call a trusted application program corresponding to the client application program, including:

when the first communication information is judged to meet the composition structure condition, determining first preset information in the first communication information;

judging whether the first preset information meets the information content condition or not;

and if the first preset information meets the information content condition, controlling the client application program to call a trusted application program corresponding to the client application program.

4. The method for calling the trusted application according to claim 3, wherein the preset condition further includes an exclusivity condition that the random string in the communication information should satisfy, and/or an expiration condition that the timestamp in the communication information should satisfy; after the determining that the first communication information satisfies the composition structure condition, the method further includes:

determining a first random string and/or a first timestamp in the first communication;

determining whether the first random string satisfies the exclusivity condition and/or determining whether the first timestamp satisfies the expiration condition;

and if the first random character string meets the exclusive condition and/or if the first timestamp meets the valid period condition, controlling the client application program to call a trusted application program corresponding to the client application program.

5. The method for calling the trusted application according to claim 1, wherein the receiving the first communication information sent by the client application comprises:

receiving second communication information sent by the client application program; the second communication information is encrypted communication information;

and decrypting the second communication information by using a preset first key to obtain the first communication information.

6. The method for invoking the trusted application as claimed in claim 5, wherein before the decrypting the second communication information with the preset first key to obtain the first communication information, the method further comprises:

generating the first key based on an encryption algorithm; the encryption algorithm comprises at least one of a symmetric encryption algorithm, an asymmetric encryption algorithm and a multiple hybrid Hash encryption algorithm.

7. The method for invoking trusted application as claimed in claim 6, wherein said generating said first key based on an encryption algorithm comprises:

generating a second key according to the asymmetric encryption algorithm;

encrypting the second key based on the symmetric encryption algorithm or the multiple hybrid hash encryption algorithm to obtain a third key;

determining the third key as the first key.

8. An apparatus for invoking a trusted application, comprising:

the receiving module is used for receiving first communication information sent by a client application program;

the judging module is used for judging whether the first communication information meets a preset condition or not;

and the control module is used for controlling the client application program to call a trusted application program corresponding to the client application program if the first communication information meets the preset condition.

9. An electronic device, characterized in that the electronic device comprises: a processor, and a memory storing computer program instructions;

the processor reads and executes the computer program instructions to implement a method of calling a trusted application as claimed in any one of claims 1 to 7.

10. A computer storage medium having computer program instructions stored thereon which, when executed by a processor, implement a method of invoking a trusted application as claimed in any one of claims 1 to 7.

Technical Field

The invention belongs to the technical field of information security, and particularly relates to a method and a device for calling a trusted application program, electronic equipment and a computer storage medium.

Background

With the development of network information technology, the information security problem also becomes more important. However, in the process of completing the corresponding service, in order to improve the service processing efficiency, the processor in the related field (e.g., the financial field) is time-shared by two isolated systems (the Trusted Execution Environment (TEE) and the Rich instruction Execution Environment (REE)).

The TEE is a set of software and hardware components, and can provide necessary facilities for application programs. Trusted Application (TA) is an Application that runs in a TEE environment, and the TA must have a signature of the TEE OS. The TEE OS is an operating system in a TEE environment, such as an open source OPTEE. The REE corresponds to the TEE, and a Client Application (CA) is an Application program operating in the REE environment.

At present, in the process of completing the corresponding service by a processor, a CA on a REE side needs to be controlled to call a TA on a TEE side, and only whether a signature of a TEE OS on the TA is legal is checked, so that a certain information security risk exists.

Therefore, how to make the call of the trusted application more safely is a technical problem that needs to be solved urgently by those skilled in the art.

Disclosure of Invention

Embodiments of the present invention provide a method and an apparatus for calling a trusted application program, an electronic device, and a computer storage medium, which can more safely call the trusted application program.

In a first aspect, an embodiment of the present invention provides a method for calling a trusted application, including:

receiving first communication information sent by a client application program;

judging whether the first communication information meets a preset condition or not;

and if the first communication information meets the preset condition, controlling the client application program to call a trusted application program corresponding to the client application program.

Optionally, the preset condition includes a composition structure condition and/or an information content condition that the communication information should satisfy; judging whether the first communication information meets a preset condition or not, including:

judging whether the first communication information meets a composition structure condition and/or an information content condition;

if the first communication information meets the preset condition, controlling the client application program to call a trusted application program corresponding to the client application program, wherein the steps of:

and if the first communication information meets the composition structure condition and/or the information content condition, controlling the client application program to call the trusted application program corresponding to the client application program.

Optionally, the compositional structural conditions are: the communication information consists of a random character string, preset information and a timestamp; if the first communication information meets the composition structure condition and the information content condition, controlling the client application program to call a trusted application program corresponding to the client application program, wherein the steps of:

when the first communication information is judged to meet the composition structure condition, determining first preset information in the first communication information;

judging whether the first preset information meets the information content condition or not;

and if the first preset information meets the information content condition, controlling the client application program to call a trusted application program corresponding to the client application program.

Optionally, the preset condition further includes an exclusivity condition that the random character string in the communication information should satisfy, and/or an expiry date condition that the timestamp in the communication information should satisfy; after determining that the first communication information satisfies the composition structure condition, the method further includes:

determining a first random string and/or a first timestamp in the first communication;

judging whether the first random character string meets an exclusive condition and/or judging whether the first timestamp meets an expiration date condition;

and if the first random character string meets the exclusive condition and/or if the first timestamp meets the valid period condition, controlling the client application program to call the trusted application program corresponding to the client application program.

Optionally, receiving the first communication information sent by the client application includes:

receiving second communication information sent by the client application program; the second communication information is encrypted communication information;

and decrypting the second communication information by using a preset first key to obtain the first communication information.

Optionally, before decrypting the second communication information with the preset first key to obtain the first communication information, the method further includes:

generating a first key based on an encryption algorithm; the encryption algorithm comprises at least one of a symmetric encryption algorithm, an asymmetric encryption algorithm and a multiple hybrid Hash encryption algorithm.

Optionally, generating the first key based on an encryption algorithm comprises:

generating a second key according to an asymmetric encryption algorithm;

encrypting the second key based on a symmetric encryption algorithm or a multiple hybrid Hash encryption algorithm to obtain a third key;

the third key is determined to be the first key.

In a second aspect, an embodiment of the present invention provides an apparatus for calling a trusted application, including:

the receiving module is used for receiving first communication information sent by a client application program;

the judging module is used for judging whether the first communication information meets a preset condition or not;

and the control module is used for controlling the client application program to call the trusted application program corresponding to the client application program if the first communication information meets the preset condition.

Optionally, the preset condition includes a composition structure condition and/or an information content condition that the communication information should satisfy; the judging module is used for judging whether the first communication information meets the composition structure condition and/or the information content condition; and the control module is used for controlling the client application program to call the trusted application program corresponding to the client application program if the first communication information meets the composition structure condition and/or the information content condition.

Optionally, the compositional structural conditions are: the communication information consists of a random character string, preset information and a timestamp; the control module is used for determining first preset information in the first communication information when the first communication information is judged to meet the composition structure condition; judging whether the first preset information meets the information content condition or not; and if the first preset information meets the information content condition, controlling the client application program to call a trusted application program corresponding to the client application program.

Optionally, the preset condition further includes an exclusivity condition that the random character string in the communication information should satisfy, and/or an expiry date condition that the timestamp in the communication information should satisfy; the judging module is further used for determining a first random character string and/or a first timestamp in the first communication information; judging whether the first random character string meets an exclusive condition and/or judging whether the first timestamp meets an expiration date condition; and if the first random character string meets the exclusive condition and/or if the first timestamp meets the valid period condition, controlling the client application program to call the trusted application program corresponding to the client application program.

Optionally, the receiving module is configured to receive second communication information sent by the client application; the second communication information is encrypted communication information; and decrypting the second communication information by using a preset first key to obtain the first communication information.

Optionally, the calling apparatus of the trusted application further includes a key generation module, configured to generate a first key based on an encryption algorithm; the encryption algorithm comprises at least one of a symmetric encryption algorithm, an asymmetric encryption algorithm and a multiple hybrid Hash encryption algorithm.

Optionally, the key generating module is configured to generate a second key according to an asymmetric encryption algorithm; encrypting the second key based on a symmetric encryption algorithm or a multiple hybrid Hash encryption algorithm to obtain a third key; the third key is determined to be the first key.

In a third aspect, an embodiment of the present invention provides an electronic device, where the electronic device includes: a processor, and a memory storing computer program instructions;

the processor reads and executes the computer program instructions to implement the calling method of the trusted application in the first aspect or any alternative implementation manner of the first aspect.

In a fourth aspect, an embodiment of the present invention provides a computer storage medium, where computer program instructions are stored on the computer storage medium, and when the computer program instructions are executed by a processor, the method for invoking a trusted application program in the first aspect or any optional implementation manner of the first aspect is implemented.

The calling method and device of the trusted application program, the electronic equipment and the computer storage medium can more safely call the trusted application program. According to the calling method of the trusted application program, after first communication information sent by the client application program is received, whether the client application program is legal or not is judged by judging whether the first communication information meets a preset condition or not. And controlling the client application program to call the trusted application program corresponding to the client application program when the first communication information meets the preset condition, namely judging that the client application program is legal. Compared with the prior art, the calling method of the trusted application program carries out validity detection on the client application program, and safety is improved.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required to be used in the embodiments of the present invention will be briefly described below, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.

FIG. 1 is a schematic diagram of a REE and TEE structure in the prior art;

fig. 2 is a flowchart illustrating a method for calling a trusted application according to an embodiment of the present invention;

fig. 3 is a flowchart illustrating a validity detection process of a first communication according to an embodiment of the present invention;

fig. 4 is a schematic structural diagram of a calling device of a trusted application according to an embodiment of the present invention;

fig. 5 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.

Detailed Description

Features and exemplary embodiments of various aspects of the present invention will be described in detail below, and in order to make objects, technical solutions and advantages of the present invention more apparent, the present invention will be further described in detail below with reference to the accompanying drawings and specific embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not to be construed as limiting the invention. It will be apparent to one skilled in the art that the present invention may be practiced without some of these specific details. The following description of the embodiments is merely intended to provide a better understanding of the present invention by illustrating examples of the present invention.

It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

At present, in the process of completing corresponding services by a processor, developers design the CAs and TAs corresponding to the service functions first. The TA must be signed by the TEE OS and then the CA and TA are deployed to the specified locations, respectively. And initiating a normal service function through an upper-layer service APK, executing a function code to a CA (certificate Authority) at the REE side, initiating a TA (timing advance) call by a CA program, then performing system switching, switching from the REE environment to a safe TEE environment, checking whether a legal signature exists on the TA by a TEE OS (trusted operator), starting to execute and load the TA after the checking is passed, and then executing the code. Since only the signature of the TEE OS on the TA is checked for legitimacy, there is a certain information security risk.

As shown in FIG. 1, Normal World is REE, and Secure World is TEE. In FIG. 1, User is the User and Kernel is the Kernel. Normal World includes: client APP (Client application), TEE-Client request, TEE Client API (trusted execution environment Client application program interface), Generic TEE API (ioctl) (universal trusted execution environment application program interface), TEE subsystem (trusted execution environment subsystem), OP-TEE driver (trusted execution environment driver), OP-TEE Msg SMCcall (trusted execution environment SMSC call). Secure World includes: dynamic Trusted APP (application), TEE Internal APIs (Trusted execution environment Internal application program interface), OP-TEE Trusted OS (Trusted execution environment Trusted operating system) and Static Trusted APP (Static Trusted application).

During this transaction, the default CA is secure, but the CA may also be illegal. If the CA is illegal, it will cause a certain information security risk after calling the TA.

For example, in the current fingerprint payment schemes in the financial field, each fingerprint payment scheme implementation method needs to utilize a key pre-embedded in a secure storage area to generate a subsequent series of business operation keys. Therefore, the key pre-embedded in the secure storage area is important, and once it is destroyed, the fingerprint payment function cannot be used. In the current fingerprint payment schemes, the function code of the key pre-implanted in the secure storage area is integrated in the TA, and if the TA is abnormally called by an illegal CA, a significant information security risk is caused.

In addition, an illegal CA may also cause that the service function of the device cannot be executed normally, which affects the normal use of the device. If the illegal CA executes the damage instruction, the important data which is pre-implanted into the firmware from the factory may be damaged, and the important data can only be returned to the factory for maintenance, so that the cost is high. These situations all bring bad user experience to the user.

The inventor finds that the root cause of the problems is that during the service processing, the CA is directly defaulted to be safe, and the validity of the CA is not detected. Therefore, in order to make the call of the trusted application more secure, the validity of the CA may be detected before the control client application calls the trusted application corresponding to the client application. How to detect the validity of the CA can be determined by judging whether the first communication information sent by the CA meets a preset condition, namely, when the first communication information meets the preset condition, the CA is judged to be valid; when the first communication information does not satisfy the preset condition, it is determined that the CA is illegal. Only when the CA is judged to be legal, the CA is allowed to call the corresponding TA, and the calling of the TA can be carried out more safely compared with the prior art.

In order to solve the problem of the prior art, embodiments of the present invention provide a method and an apparatus for calling a trusted application, an electronic device, and a computer storage medium. First, a method for calling a trusted application provided in an embodiment of the present invention is described below.

Fig. 2 is a flowchart illustrating a method for calling a trusted application according to an embodiment of the present invention. As shown in fig. 2, the calling method of the trusted application program may include the following steps:

s110, receiving first communication information sent by the client application program.

In order to increase the security of information transmission, the step S110 may include: receiving second communication information sent by the client application program; the second communication information is encrypted communication information; and decrypting the second communication information by using a preset first key to obtain the first communication information.

It can be seen that, in this embodiment, the first communication information is encrypted by the CA as the second communication information, and the CA may include an encryption module, where the encryption module generates a key for information encryption according to an encryption algorithm, and encrypts the first communication information by using the key for information encryption to obtain the second communication information.

The encryption algorithm may include at least one of a symmetric encryption algorithm (e.g., DES encryption algorithm), an asymmetric encryption algorithm (e.g., RSA encryption algorithm), and a multiple hybrid hash encryption algorithm (including MD5 encryption algorithm, SHA1 encryption algorithm, etc.).

It should be noted that the key for information encryption may be generated by sequentially using a plurality of encryption algorithms, for example, an asymmetric encryption algorithm may be used to generate a key, and then a symmetric encryption algorithm or a multiple hybrid hash encryption algorithm may be used to encrypt the key to obtain the key finally used for information encryption.

After receiving the second communication information, decrypting the second communication information by using a preset first key, wherein the preset first key is a key for decryption and corresponds to a key for encryption, namely the generation process of the preset first key corresponds to the generation process of the key for encryption.

For example, the generating process of the first key may include: generating a first key based on an encryption algorithm; the encryption algorithm comprises at least one of a symmetric encryption algorithm, an asymmetric encryption algorithm and a multiple hybrid Hash encryption algorithm.

It should be noted that, since the key for information encryption can be generated by sequentially using a plurality of encryption algorithms, the first key can also be generated by sequentially using a plurality of encryption algorithms.

In one embodiment, the generating the first key based on the encryption algorithm may include: generating a second key according to an asymmetric encryption algorithm; encrypting the second key based on a symmetric encryption algorithm or a multiple hybrid Hash encryption algorithm to obtain a third key; the third key is determined to be the first key.

As can be seen from the above, the first communication information is a communication information to be verified, and step S120 may be executed to verify the first communication information; upon completion of step S120, step S130 may be performed in order to satisfy the business requirements.

And S120, judging whether the first communication information meets a preset condition.

And S130, if the first communication information meets the preset condition, controlling the client application program to call a trusted application program corresponding to the client application program.

And judging whether the first communication information meets a preset condition, namely judging whether the first communication information is legal communication information. The following first describes the relevant content of the legal communication information, which is as follows:

and when the user calls the CA for business operation, the CA generates a string of messages according to a preset rule. Optionally, the CA may include an information generation module, and the information generation module may generate the legitimate communication information according to a preset rule.

Wherein, the preset rule can be: a section of fixed-length random character string, plus the information content agreed in advance by both communication parties, plus a time stamp. For example, each time the CA initiates a call, a 64-bit random string may be generated, and the random string for each call is different. The composition structure of the legitimate communication may be as follows:

{ a 64-bit random string + agreed message content + current time (yyymmddhmiss) }

Here, the "current time (yyymmddhmiss)" is a 14-bit timestamp. Based on the above configuration, it can be understood that, when analyzing the communication information, 64 bits are taken as a random character string from the head, 14 bits are taken as a time stamp from the tail, and the rest of the intermediate data is taken as the contents of the message of the contract.

It should be noted that the legitimate communication can also be encrypted using the key and then transmitted encrypted. The legitimate communication may also be encrypted using an encryption algorithm, which may also include at least one of a symmetric encryption algorithm, an asymmetric encryption algorithm, and a multiple hybrid hash encryption algorithm.

For example, when transmitting data, the CA will perform a multiple hybrid hash encryption of the key stored on the REE storage medium, and the encryption process may include: respectively encrypting the key and the encrypted password on the storage medium by an MD5 encryption algorithm to respectively obtain two corresponding hash strings, splicing the two hash strings by a cascade function to obtain a new character string, and encrypting the new character string by using an SHA1 encryption algorithm to obtain a new key:

NewKey＝SHA1(Concat(MD5(key),MD5(password)))

and then, encrypting the generated communication message by using the new key, and finally transmitting the encrypted ciphertext message to the TA corresponding to the TEE side through a mechanism of initiating and calling the attached parameter by the CA.

The above description has been made on the relevant content of the legitimate communication information, and based on the above, the preset condition that the first communication information should satisfy can be determined.

In order to more accurately perform validity detection on the first communication information, in an embodiment, if the preset condition includes a composition structure condition and/or an information content condition that the communication information should satisfy, step S120 may include: and judging whether the first communication information meets the composition structure condition and/or the information content condition.

Accordingly, step S130 may include: and if the first communication information meets the composition structure condition and/or the information content condition, controlling the client application program to call the trusted application program corresponding to the client application program.

In order to more accurately detect the validity of the first communication information, in one embodiment, the following structural conditions are set: the communication information is composed of a random character string, preset information and a time stamp. If the first communication information satisfies the composition structure condition and the information content condition, controlling the client application program to call the trusted application program corresponding to the client application program may include: when the first communication information is judged to meet the composition structure condition, determining first preset information in the first communication information; judging whether the first preset information meets the information content condition or not; and if the first preset information meets the information content condition, controlling the client application program to call a trusted application program corresponding to the client application program.

In addition, in order to more accurately detect the validity of the first communication information, in one embodiment, the preset condition further includes an exclusivity condition that should be satisfied by the random character string in the communication information, and/or an expiration condition that should be satisfied by the timestamp in the communication information. After determining that the first communication information satisfies the composition structure condition, the method may further include: determining a first random string and/or a first timestamp in the first communication; judging whether the first random character string meets an exclusive condition and/or judging whether the first timestamp meets an expiration date condition; and if the first random character string meets the exclusive condition and/or if the first timestamp meets the valid period condition, controlling the client application program to call the trusted application program corresponding to the client application program.

On the basis of the above embodiments, in order to more accurately perform validity detection on the first communication information, in an embodiment, the verification module may perform multiple validity detections on the first communication information, as shown in fig. 3, and the specific process is as follows:

step (1): and decrypting the encrypted first communication information sent by the CA by using a preset secret key. If the decryption is successful, performing the step (2); if the decryption fails, the first communication information is illegal, that is, the CA is illegal, and the TA call fails.

Step (2): and (3) decomposing the first communication information decrypted in the step (1) to obtain a random character string of the head. The random string is compared with the random string of the last operation. If the two are different, the step (3) is carried out; if the two are the same, the first communication information is illegal, that is, the CA is illegal, and the TA call fails. It should be noted that, if the random string of the previous operation is empty, the random string of the current operation is different from the default.

And (3): and (4) acquiring middle part data of the decrypted first communication information, and if the message content of the middle part data is consistent with the appointed message content, performing the step (4), otherwise, the first communication information is illegal, namely the CA is illegal, and the TA calling fails.

And (4): and acquiring tail data, namely a time stamp, of the decrypted first communication information. And judging whether the time stamp is within the valid period, if so, judging that the first communication information is legal, namely the CA is legal, and calling the TA successfully. Otherwise, the first communication information is illegal, that is, the CA is illegal, and the TA call fails.

In summary, the embodiments of the present invention provide a method for calling a trusted application, where after receiving first communication information sent by a client application, whether the client application is legal is determined by determining whether the first communication information satisfies a preset condition. And controlling the client application program to call the trusted application program corresponding to the client application program when the first communication information meets the preset condition, namely judging that the client application program is legal. Compared with the prior art, the calling method of the trusted application program carries out validity detection on the client application program, and safety is improved.

In addition, in some embodiments, the preset condition is limited, and/or the decryption condition needs to be satisfied, so that the validity of the first communication information can be more accurately detected, the validity of the client application program can be more accurately detected, and the security is improved.

In the foregoing, the method for calling a trusted application according to the embodiment of the present invention is described, and an apparatus for calling a trusted application according to the embodiment of the present invention is also provided, as shown in fig. 4, where the apparatus for calling a trusted application includes:

a receiving module 301, configured to receive first communication information sent by a client application program;

a determining module 302, configured to determine whether the first communication information meets a preset condition;

the control module 303 is configured to control the client application program to invoke a trusted application program corresponding to the client application program if the first communication information meets a preset condition.

Optionally, in an embodiment, the preset condition includes a composition structure condition and/or an information content condition that the communication information should satisfy; a judging module 302, configured to judge whether the first communication information satisfies a composition structure condition and/or an information content condition; the control module 303 is configured to control the client application program to invoke a trusted application program corresponding to the client application program if the first communication information meets the composition structure condition and/or the information content condition.

Optionally, in one embodiment, the compositional structure conditions are: the communication information consists of a random character string, preset information and a timestamp; the control module 303 is configured to determine first preset information in the first communication information when it is determined that the first communication information satisfies the composition structure condition; judging whether the first preset information meets the information content condition or not; and if the first preset information meets the information content condition, controlling the client application program to call a trusted application program corresponding to the client application program.

Optionally, in an embodiment, the preset condition further includes an exclusivity condition that the random character string in the communication information should satisfy, and/or an expiry date condition that the timestamp in the communication information should satisfy; the judging module 302 is further configured to determine a first random character string and/or a first timestamp in the first communication information; judging whether the first random character string meets an exclusive condition and/or judging whether the first timestamp meets an expiration date condition; and if the first random character string meets the exclusive condition and/or if the first timestamp meets the valid period condition, controlling the client application program to call the trusted application program corresponding to the client application program.

Optionally, in an embodiment, the receiving module 301 is configured to receive second communication information sent by the client application; the second communication information is encrypted communication information; and decrypting the second communication information by using a preset first key to obtain the first communication information.

Optionally, in an embodiment, the invoking device of the trusted application further includes a key generation module 304, configured to generate a first key based on an encryption algorithm; the encryption algorithm comprises at least one of a symmetric encryption algorithm, an asymmetric encryption algorithm and a multiple hybrid Hash encryption algorithm.

Optionally, in an embodiment, the key generation module 304 is configured to generate a second key according to an asymmetric encryption algorithm; encrypting the second key based on a symmetric encryption algorithm or a multiple hybrid Hash encryption algorithm to obtain a third key; the third key is determined to be the first key.

Each module in the apparatus shown in fig. 4 has a function of implementing each step shown in fig. 2, and can achieve the corresponding technical effect, and for brevity, the description is not repeated here.

Fig. 5 shows a schematic structural diagram of an electronic device according to an embodiment of the present invention.

The electronic device may include a processor 401 and a memory 402 storing computer program instructions.

Specifically, the processor 401 may include a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), or one or more Integrated circuits configured to implement the embodiments of the present invention.

Memory 402 may include mass storage for data or instructions. By way of example, and not limitation, memory 402 may include a Hard Disk Drive (HDD), floppy Disk Drive, flash memory, optical Disk, magneto-optical Disk, tape, or Universal Serial Bus (USB) Drive or a combination of two or more of these. In one example, memory 302 can include removable or non-removable (or fixed) media, or memory 402 is non-volatile solid-state memory. The memory 402 may be internal or external to the electronic device.

In one example, the Memory 402 may be a Read Only Memory (ROM). In one example, the ROM may be mask programmed ROM, programmable ROM (prom), erasable prom (eprom), electrically erasable prom (eeprom), electrically rewritable ROM (earom), or flash memory, or a combination of two or more of these.

The processor 401 reads and executes the computer program instructions stored in the memory 402 to implement the method in the embodiment shown in fig. 2, and achieve the corresponding technical effect achieved by the embodiment shown in fig. 2 executing the method, which is not described herein again for brevity.

In one example, the electronic device may also include a communication interface 403 and a bus 410. As shown in fig. 5, the processor 401, the memory 402, and the communication interface 403 are connected via a bus 410 to complete communication therebetween.

The communication interface 403 is mainly used for implementing communication between modules, apparatuses, units and/or devices in the embodiments of the present invention.

Bus 410 includes hardware, software, or both to couple the components of the electronic device to each other. By way of example, and not limitation, a Bus may include an Accelerated Graphics Port (AGP) or other Graphics Bus, an Enhanced Industry Standard Architecture (EISA) Bus, a Front-Side Bus (Front Side Bus, FSB), a Hyper Transport (HT) interconnect, an Industry Standard Architecture (ISA) Bus, an infiniband interconnect, a Low Pin Count (LPC) Bus, a memory Bus, a Micro Channel Architecture (MCA) Bus, a Peripheral Component Interconnect (PCI) Bus, a PCI-Express (PCI-X) Bus, a Serial Advanced Technology Attachment (SATA) Bus, a video electronics standards association local (VLB) Bus, or other suitable Bus or a combination of two or more of these. Bus 410 may include one or more buses, where appropriate. Although specific buses have been described and shown in the embodiments of the invention, any suitable buses or interconnects are contemplated by the invention.

In addition, embodiments of the present invention may be implemented by providing a computer storage medium. The computer storage medium having computer program instructions stored thereon; the computer program instructions, when executed by a processor, implement a method for invoking any of the trusted applications in the above embodiments.

It is to be understood that the invention is not limited to the specific arrangements and instrumentality described above and shown in the drawings. A detailed description of known methods is omitted herein for the sake of brevity. In the above embodiments, several specific steps are described and shown as examples. However, the method processes of the present invention are not limited to the specific steps described and illustrated, and those skilled in the art can make various changes, modifications and additions or change the order between the steps after comprehending the spirit of the present invention.

The functional blocks shown in the above-described structural block diagrams may be implemented as hardware, software, firmware, or a combination thereof. When implemented in hardware, it may be, for example, an electronic Circuit, an Application Specific Integrated Circuit (ASIC), suitable firmware, plug-in, function card, or the like. When implemented in software, the elements of the invention are the programs or code segments used to perform the required tasks. The program or code segments may be stored in a machine-readable medium or transmitted by a data signal carried in a carrier wave over a transmission medium or a communication link. A "machine-readable medium" may include any medium that can store or transfer information. Examples of a machine-readable medium include electronic circuits, semiconductor memory devices, ROM, flash memory, Erasable ROM (EROM), floppy disks, CD-ROMs, optical disks, hard disks, fiber optic media, Radio Frequency (RF) links, and so forth. The code segments may be downloaded via computer networks such as the internet, intranet, etc.

It should also be noted that the exemplary embodiments mentioned in this patent describe some methods or systems based on a series of steps or devices. However, the present invention is not limited to the order of the above-described steps, that is, the steps may be performed in the order mentioned in the embodiments, may be performed in an order different from the order in the embodiments, or may be performed simultaneously.

As described above, only the specific embodiments of the present invention are provided, and it can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the system, the module and the unit described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again. It should be understood that the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive various equivalent modifications or substitutions within the technical scope of the present invention, and these modifications or substitutions should be covered within the scope of the present invention.