CN108718238B - Universal personalization method and system - Google Patents

Publication number
CN108718238B
Authority
CN
China
Prior art keywords
tsm
instruction stream
personalized
service
interface
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810447082.2A
Other languages
Chinese (zh)
Other versions
CN108718238A (en
Inventor
贾建明
刘丽
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing WatchSmart Technologies Co Ltd
Original Assignee
Beijing WatchSmart Technologies Co Ltd
Application filed by Beijing WatchSmart Technologies Co Ltd
Priority to CN201810447082.2A
Publication of CN108718238A
Application granted
Publication of CN108718238B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/0897 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/51 Discovery or management thereof, e.g. service location protocol [SLP] or web services
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving a third party or a trusted authority
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
    • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
    • Y02P90/30 Computing systems specially adapted for manufacturing

Abstract

The invention relates to a universal personalization method and system, implemented by issuing the instruction stream in batches of blocks. With the method and system of the invention, the upper-layer service only needs to call the personalization interfaces in sequence, and neither the interfaces called nor the calling sequence has to be modified when a later upgrade adds support for the personalization process of a new application provider.

Description

Universal personalization method and system
Technical Field
The invention belongs to the field of over-the-air card issuing for smart cards, and particularly relates to a personalization method and system for over-the-air card issuing.
Background
A trusted service management platform (TSM) is a system that performs space management, application access and over-the-air card issuing for a security module (SE) based on one-card multi-application technology; it integrates IC card technology, big data processing technology and cryptographic principles.
TSMs fall into two categories: a security module provider TSM (SEI-TSM) and a service provider TSM (SP-TSM). The SEI-TSM is responsible for providing secure chip lifecycle and security domain management services to security module providers, while the SP-TSM is responsible for providing application lifecycle services to service providers.
Because the SEI-TSM can grant different authorization modes for an auxiliary security domain, the SP-TSM's operation permissions on the auxiliary security domain and its applications also differ. In the entrusting mode or the common mode of the SEI-TSM, when the SP-TSM wants to operate on a security module, every APDU command it issues must be authorized by the SEI-TSM, which also verifies the APDU response. The calculation of the authorization code depends on the response to the previous APDU, so in these modes the server and the client can exchange only one APDU command and one response at a time. When a service can be completed only with several instructions, the number of network interactions between the client and the server increases, and the network time overhead seriously slows service processing, so the user experience is poor.
During card issuing, the SP-TSM handles the download, installation and personalization of applications. Because each manufacturer implements its application differently, the personalization script instructions differ, and so do the additional operations that must be executed before and after each part. External authentication is generally added wherever sensitive data is involved in order to improve security, but because the internal security mechanisms of each manufacturer's applets differ, the places and number of external authentications also differ. The personalization process therefore accumulates a great deal of additional processing and uncertainty. When a new application has to be added during later maintenance of the TSM server, support for its personalization process is usually added as a new flow and the business layer is changed accordingly, so the personalization process as a whole cannot be handled uniformly. Maintenance upgrades also cause associated modifications, which increases maintenance cost.
Disclosure of Invention
In view of the deficiencies in the prior art, it is an object of the present invention to provide a method and system for universal personalization.
The invention optimizes the personalization flow issued by the background system, reduces the number of network connections needed for instruction exchange between the background and the card, and improves time performance. It also encapsulates and unifies the background's personalization interfaces, so that the background service program can later be upgraded and modified without changing the personalization interface calling flow, while supporting the personalization implementations of different manufacturers.
In order to achieve the above purposes, the invention adopts the following technical scheme:
A method of universal personalization, comprising the steps of:
S1, abstracting each personalized service and managing it through an independent interface, wherein the personalized services comprise, in sequence: creating a file structure, initializing data, generating a key pair, calculating a P10 signature, writing a certificate and updating the personalized life cycle state, and each personalized service corresponds to its own instruction stream;
S2, adding a preprocessing interface before each personalized service interface to perform a preprocessing service, and adding an extension processing interface after each personalized service interface to perform an extension processing service, wherein each preprocessing service and each extension processing service corresponds to its own instruction stream;
S3, packaging the interfaces according to the personalized service sequence;
S4, calling the interfaces in sequence, acquiring the instruction stream, and performing personalization processing.
Preferably, before each interface is called in turn to obtain the instruction stream, the instruction stream is processed in blocks, and each block contains a plurality of instructions.
Preferably, the block partitioning point for partitioning the instruction stream is set at a position where the calculation of the next instruction requires the result of the response of the previous instruction to participate in the operation.
Preferably, the specific steps of dividing the instruction stream into blocks are:
S11, the security module provider TSM uses an authorization mode for the auxiliary security domain and distributes an initial key for the auxiliary security domain;
S12, the service provider TSM supports the authorization mode and applies to the security module provider TSM for the right to use the auxiliary security domain; after successfully authenticating the service provider TSM, the security module provider TSM shares the initial key or the key generation rule with it, monitors the auxiliary security domain and the channel through which the application is used, and determines whether the requesting TSM is an authorized TSM accessing the application;
S13, the service provider TSM divides the instruction stream into blocks at the block division points and encapsulates each block of the instruction stream.
A system for universal personalization, comprising the following: a security module, an upper computer, a write-in terminal, a security module provider TSM and a service provider TSM, wherein the service provider TSM further includes:
a personalized service unit, which abstracts each personalized service and manages it through an independent interface, each personalized service corresponding to its own instruction stream;
a preprocessing unit, which adds a preprocessing interface before each personalized service interface, each preprocessing unit corresponding to its own instruction stream;
an extension processing unit, which adds an extension processing interface after each personalized service interface, each extension processing unit corresponding to its own instruction stream;
and the upper computer calls the preprocessing unit, the personalized service unit and the extension processing unit of the service provider TSM in sequence, acquires the instruction stream and issues it to the write-in terminal, and the write-in terminal personalizes the security module according to the instruction stream.
Preferably, the personalization service sequentially comprises: creating a file structure, initializing data, generating a key pair, computing a P10 signature, writing a certificate, updating the personalized lifecycle state.
Preferably, the service provider TSM further includes an instruction splitting unit that performs a blocking process on the instruction stream, each block including a plurality of instructions.
Preferably, the block partitioning point for partitioning the instruction stream is set at a position where the calculation of the next instruction requires the result of the response of the previous instruction to participate in the operation.
Preferably, the security module provider TSM further includes:
a key distribution unit, by which the security module provider TSM uses an authorization mode for the auxiliary security domain and distributes an initial key for the auxiliary security domain;
an authorized access unit, wherein the service provider TSM supports the authorization mode and applies to the security module provider TSM for the right to use the auxiliary security domain; after successfully authenticating the service provider TSM, the security module provider TSM shares the initial key or the key generation rule with it, monitors the auxiliary security domain and the channel through which the application in the write-in terminal is used, and determines whether the requesting TSM is an authorized TSM accessing and using the application in the write-in terminal;
when the instruction division unit divides the instruction stream into blocks, it divides the stream at the block division points and encapsulates each block of the instruction stream; the upper computer acquires each block of the instruction stream and issues each block to the write-in terminal in a single transmission.
The invention has the following effects. With the method and system:
1) The personalization interfaces are called through one unified flow, which does not need to change during later upgrades and maintenance, reducing upgrade and maintenance cost;
2) The instruction stream is issued in batches of blocks, which reduces unnecessary network interactions, improves time performance and service execution efficiency, and lowers the risk of a service failing because of network problems.
Drawings
FIG. 1 is a flow chart of a method of the present invention;
FIG. 2 is a block diagram of the present invention with the addition of a pre-processing interface and an extended processing interface;
FIG. 3 is a schematic diagram of the present invention for sequentially invoking each personalized service interface;
FIG. 4 is a block diagram of the system of the present invention;
Detailed Description
The invention is further described with reference to the following figures and detailed description.
As shown in FIG. 1, the present invention provides a method for universal personalization, comprising the steps of:
S1, abstracting each personalized service and managing each one through an independent interface. Although each manufacturer implements its application differently and the personalization script instructions differ, the personalized service flow generally comprises, in sequence, creating the file structure, initializing data, generating a key pair, calculating a P10 signature, writing a certificate and updating the personalized life cycle state. Each personalized service corresponds to its own instruction stream.
S2, adding a preprocessing interface before each personalized service interface to perform a preprocessing service, and adding an extension processing interface after each personalized service interface to perform an extension processing service, so that the differentiated parts are handled there; each preprocessing service and each extension processing service corresponds to its own instruction stream;
S3, packaging the interfaces according to the personalized service sequence;
Specifically, the personalized service sequence consists of the personalized services themselves, the preprocessing service added before each of them and the extension processing service added after each of them. The sequence runs: preprocessing for creating the file structure, processing for creating the file structure, extension processing for creating the file structure, and the same pattern is then repeated for each following service in the personalized service flow. The specific sequence is shown in FIG. 2 and FIG. 3.
And S4, calling each interface in sequence to obtain the instruction stream, and performing personalization processing.
Specifically, after the interfaces are packaged, the service provider TSM manages them uniformly. When the upper computer calls an interface, the service provider TSM assembles the instruction stream corresponding to that service and returns it to the upper computer in the message of the interface that connects to the upper computer.
As shown in fig. 2, an optimized personalized service is provided, in which a preprocessing interface is added before each personalized service is executed, and an extension processing interface is added after each personalized service is executed, that is, each personalized service is executed according to the sequence of personalized service preprocessing, personalized service processing, and personalized service extension processing.
In this embodiment, the preprocessing interface and the extension processing interface handle the parts that differ between manufacturers, and differentiated processing can be added to the preprocessing and the extension processing as needed. The preprocessing and extension processing interfaces are injected into the system by dynamic injection, so subsequent optimization and upgrades only require adding preprocessing and extension processing interfaces. The personalized business processes of all application providers integrated in the system are handled in this way, and the system makes uniform personalization interface calls without modifying interface definitions, calling programs or calling flows. The method hides the manufacturer-specific differences, is compatible with the card issuing process of each card application provider, and gives the upper computer a uniform calling interface.
As shown in fig. 3, a schematic diagram is given for sequentially calling each personalized service interface to acquire an instruction stream and processing each personalized service. Firstly, an application needs to be selected, a secure channel is established, and then calling processing is carried out. The calling of each personalized service interface sequence comprises the steps of creating a file structure, initializing data, generating a key pair, calculating a P10 signature, writing a certificate, updating a personalized life cycle state and the like in sequence, and calling and processing according to the sequence of personalized service preprocessing, personalized service processing and personalized service expansion processing of each personalized service flow.
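The fixed pre / service / extension calling sequence described above, as an added Python sketch (not code from the patent). The class and method names, the two vendor hooks and the symbolic instruction names are assumptions made for illustration; real instruction streams would be vendor APDU scripts.

```python
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# The six personalized services, in the fixed order the description gives.
SERVICES = (
    "create_file_structure", "initialize_data", "generate_key_pair",
    "compute_p10_signature", "write_certificate", "update_lifecycle_state",
)

Handler = Callable[[dict], List[str]]   # returns symbolic instruction names
Entry = Tuple[str, str, str]            # (service, phase, instruction)


class PersonalizationPipeline:
    """Caller-visible sequence never changes: pre -> core -> ext per service."""

    def __init__(self, core: Dict[str, Handler]):
        missing = [s for s in SERVICES if s not in core]
        if missing:
            raise ValueError(f"no core handler for: {missing}")
        self._core = dict(core)
        self._pre: Dict[str, List[Handler]] = defaultdict(list)
        self._ext: Dict[str, List[Handler]] = defaultdict(list)

    def _register(self, table, service: str, handler: Handler) -> None:
        # Hooks may only attach to one of the six known services.
        if service not in SERVICES:
            raise KeyError(f"unknown personalized service: {service}")
        table[service].append(handler)

    def register_pre(self, service: str, handler: Handler) -> None:
        self._register(self._pre, service, handler)

    def register_ext(self, service: str, handler: Handler) -> None:
        self._register(self._ext, service, handler)

    def build_stream(self, ctx: dict) -> List[Entry]:
        stream: List[Entry] = []
        for service in SERVICES:
            phases = (
                ("pre", self._pre[service]),
                ("core", [self._core[service]]),
                ("ext", self._ext[service]),
            )
            for phase, handlers in phases:
                for handler in handlers:
                    stream.extend((service, phase, ins) for ins in handler(ctx))
        return stream


def generic_core() -> Dict[str, Handler]:
    # Constructed placeholders: one symbolic instruction per service.
    return {s: (lambda ctx, s=s: [s.upper()]) for s in SERVICES}


def vendor_a_pipeline() -> PersonalizationPipeline:
    # Hypothetical vendor A needs no differentiated processing.
    return PersonalizationPipeline(generic_core())


def vendor_b_pipeline() -> PersonalizationPipeline:
    # Hypothetical vendor B: authenticate before the certificate write and
    # read the public key back after key generation, injected as hooks only.
    p = PersonalizationPipeline(generic_core())
    p.register_pre("write_certificate", lambda ctx: ["EXTERNAL_AUTHENTICATE"])
    p.register_ext("generate_key_pair", lambda ctx: ["READ_PUBLIC_KEY"])
    return p


if __name__ == "__main__":
    for label, pipe in (("A", vendor_a_pipeline()), ("B", vendor_b_pipeline())):
        print(label, [ins for _, _, ins in pipe.build_stream({})])
```

Both pipelines are driven by the same `build_stream` call; only the registered hooks differ, which is the property the description relies on to keep the upper computer's calling flow unchanged.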
In this embodiment, before each interface is sequentially called to obtain an instruction stream, the instruction stream is subjected to block processing to implement instruction issuing and personalization processing, and each instruction stream includes a plurality of APDU instructions.
In this embodiment, the minimum requirement for a division point of the instruction stream is the position where computing the next APDU instruction requires the response to the previous APDU instruction. Dividing the stream in this way reduces the number of instruction issuing operations and the number of network interactions between server and client, reduces time overhead, improves time performance and card issuing efficiency, lowers the risk of service failure caused by network problems, and improves the user experience. The minimum-requirement division point is defined this way because the next APDU instruction is tied to the previous one: the response to the previous APDU instruction must be received before the next APDU instruction can be computed, and if the two were placed in the same block of the instruction stream and issued together, the next APDU instruction could not be computed correctly.
In this embodiment, the instruction stream may also be divided by setting a maximum number of instructions per block, but the last instruction of one block must then be unrelated to the first instruction of the next block, that is, computing the first instruction of the next block must not require the response to the last instruction of the previous block; in other words, the minimum-requirement division points must be applied as a precondition.
In this embodiment, the security module provider TSM (SEI-TSM) uses an authorization mode for the auxiliary security domain. In the authorization mode, the service provider TSM (SP-TSM) does not need to ask the security module provider TSM to authorize and verify the APDU commands that operate on the auxiliary security domain, and it can issue multiple commands at one time to operate on the application in the terminal.
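The blocking rule from the two paragraphs above, as an added Python sketch (not code from the patent). It reads the rule as: always cut before an instruction that needs the previous response, and additionally cut when a block reaches the optional maximum size. The `Instruction` type, function names and sample stream are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Instruction:
    name: str
    # True when the server cannot compute this APDU until it has seen the
    # card's response to the immediately preceding APDU.
    needs_prev_response: bool = False


def split_blocks(stream: List[Instruction],
                 max_per_block: Optional[int] = None) -> List[List[Instruction]]:
    """Split at every mandatory division point; optionally cap block size."""
    if max_per_block is not None and max_per_block < 1:
        raise ValueError("max_per_block must be at least 1")
    blocks: List[List[Instruction]] = []
    current: List[Instruction] = []
    for ins in stream:
        full = max_per_block is not None and len(current) >= max_per_block
        if current and (ins.needs_prev_response or full):
            blocks.append(current)   # close the block before this instruction
            current = []
        current.append(ins)
    if current:
        blocks.append(current)
    return blocks


def block_is_safe(block: List[Instruction]) -> bool:
    """Only the first instruction of a block may depend on an earlier response."""
    return all(not ins.needs_prev_response for ins in block[1:])


def fixed_size_chunks(stream: List[Instruction], size: int) -> List[List[Instruction]]:
    """Naive chunking that ignores dependencies, shown for comparison."""
    return [stream[i:i + size] for i in range(0, len(stream), size)]


def names(blocks: List[List[Instruction]]) -> List[List[str]]:
    return [[ins.name for ins in block] for block in blocks]


# Constructed sample stream; names are symbolic, not a vendor script.
SAMPLE_STREAM = [
    Instruction("SELECT"),
    Instruction("INITIALIZE_UPDATE"),
    Instruction("EXTERNAL_AUTHENTICATE", needs_prev_response=True),
    Instruction("CREATE_FILE_1"),
    Instruction("CREATE_FILE_2"),
    Instruction("WRITE_DATA"),
    Instruction("GENERATE_KEY_PAIR"),
    Instruction("SIGN_P10", needs_prev_response=True),
    Instruction("WRITE_CERTIFICATE", needs_prev_response=True),
    Instruction("SET_LIFECYCLE_STATE"),
]

if __name__ == "__main__":
    for label, blocks in (
        ("dependency cuts only", split_blocks(SAMPLE_STREAM)),
        ("dependency cuts, max 3", split_blocks(SAMPLE_STREAM, 3)),
        ("naive chunks of 4", fixed_size_chunks(SAMPLE_STREAM, 4)),
    ):
        print(label, "->", len(blocks), "round trips")
        for block in blocks:
            print("   ", [i.name for i in block], "safe" if block_is_safe(block) else "UNSAFE")
```

The naive chunker is included to show the failure mode the description warns about: a size-only cut can leave a dependent instruction in the same block as the instruction whose response it needs.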
Specifically, in the present invention, the steps for dividing the instruction stream into blocks are as follows:
S11, the security module provider TSM uses an authorization mode for an auxiliary security domain of the terminal and distributes an initial key for the auxiliary security domain;
S12, the service provider TSM supports the authorization mode; when it applies for the right to use an auxiliary security domain of the terminal, the security module provider TSM, after successfully authenticating the service provider TSM, shares the initial key or the key generation rule with it, monitors the auxiliary security domain and the channel through which the application in the terminal is used, and determines whether the requesting TSM is an authorized service provider TSM accessing and using the application in the terminal;
S13, the service provider TSM divides the instruction stream into blocks at the block division points and encapsulates each block of the instruction stream.
As shown in fig. 4, the present invention provides a universal personalization system, which includes a security module, an upper computer, a write terminal, a security module provider TSM, and a service provider TSM.
In this embodiment, the upper computer is connected to the write-in terminal and the service provider TSM; the TSM is connected with the service provider; the write-in terminal has a security module interface and is connected to both the security module provider TSM and the service provider TSM; the security module is plugged into the write-in terminal.
Wherein the service provider TSM further comprises:
a personalized service unit, which abstracts each personalized service and manages each one through an independent interface; the personalized services generally comprise, in sequence, creating the file structure, initializing data, generating a key pair, calculating a P10 signature, writing a certificate and updating the personalized life cycle state; each personalized service corresponds to its own instruction stream.
The personalized services are those of each service provider TSM (SP-TSM) integrated in the system;
a preprocessing unit, which adds a preprocessing interface before each personalized service interface to handle the differentiated parts, each preprocessing service corresponding to its own instruction stream;
an extension processing unit, which adds an extension processing interface after each personalized service interface to handle the differentiated parts, each extension processing service corresponding to its own instruction stream.
In this embodiment, the preprocessing interface and the extension processing interface are injected into the system by dynamic injection, and subsequent personalization optimization and upgrades only require adding preprocessing and extension processing interfaces.
The upper computer calls the preprocessing unit, the personalized service unit and the extension processing unit of the service provider TSM in sequence, that is, it calls the interface of each unit, to obtain the instruction stream; the instruction stream is issued to the write-in terminal, and the write-in terminal personalizes the security module according to the instruction stream.
Specifically, the upper computer first calls the preprocessing unit of the service provider TSM to perform the preprocessing for creating the file structure, then calls the personalized service unit of the service provider TSM to perform the processing for creating the file structure, then calls the extension processing unit of the service provider TSM to perform the extension processing for creating the file structure; it then calls the preprocessing unit again for the preprocessing of the next personalized service, and repeats this pattern. The specific sequence is shown in FIG. 2 and FIG. 3.
In this embodiment, the service provider TSM further includes an instruction splitting unit, which performs block processing on the instruction stream, where each block includes a plurality of instructions.
In this embodiment, the block partitioning point for issuing the instruction stream in blocks is set at a position where the calculation of the next instruction requires the result of the previous instruction response to participate in the operation.
In this embodiment, the security module provider TSM of the system further includes:
a key distribution unit, by which the security module provider TSM uses an authorization mode for an auxiliary security domain in the write-in terminal and distributes an initial key for the auxiliary security domain;
an authorized access unit, wherein the service provider TSM supports the authorization mode and applies to the security module provider TSM for the right to use the auxiliary security domain in the write-in terminal; after successfully authenticating the service provider TSM, the security module provider TSM shares the initial key or the key generation rule with it, monitors the auxiliary security domain and the channel through which the application in the write-in terminal is used, and determines whether the requesting TSM is an authorized service provider TSM accessing and using the application in the write-in terminal;
when the instruction division unit divides the instruction stream of the service provider TSM into blocks, it divides the stream at the block division points and encapsulates each block of the instruction stream, each block containing a plurality of instructions; the upper computer acquires each block of the instruction stream and issues each block to the write-in terminal in a single transmission, and the write-in terminal personalizes the security module according to the instruction stream.
The instruction stream of the service provider TSM includes an instruction stream of a pre-processing service, an instruction stream of a personalized service and an instruction stream of an extended processing service.
It will be appreciated by those skilled in the art that the method and system of the present invention are not limited to the embodiments described in the detailed description, and that the foregoing detailed description is for the purpose of illustrating the invention and is not to be taken in a limiting sense. Other embodiments will be apparent to those skilled in the art from the following detailed description, which is intended to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the invention as defined by the appended claims.

Claims (5)

1. A method of universal personalization, comprising the steps of:
S1, abstracting each personalized service and managing it through an independent interface, wherein the personalized services comprise, in order: creating a file structure, initializing data, generating a key pair, calculating a P10 signature, writing a certificate, and updating the personalized life cycle state, and each personalized service corresponds to a corresponding instruction stream;
S2, adding a preprocessing interface before each personalized service interface and an extended processing interface after each personalized service interface, wherein each preprocessing service and each extended processing service corresponds to a corresponding instruction stream;
S3, packaging the interfaces according to the personalized service order;
S4, processing the instruction stream in blocks, each block comprising a plurality of instructions, with the following specific steps:
S11, the TSM uses an authorization mode for the auxiliary security domain and distributes an initial key for the auxiliary security domain;
S12, the TSM supports the authorization mode and applies to the TSM for the right to use the auxiliary security domain; after the TSM successfully authenticates the TSM, the initial key or the key generation rule is shared with the TSM; and the TSM monitors the auxiliary security domain and the use channel of the application, and judges whether the TSM is an authorized TSM accessing the application;
S13, the TSM divides the instruction stream into blocks according to the block partitioning points and encapsulates the instruction stream;
and S5, calling each interface in sequence to obtain the instruction stream and carrying out the personalization processing.
2. A method of universal personalization as claimed in claim 1, wherein the block partitioning point for partitioning the instruction stream is set at a position where computing the next instruction requires the result returned in the response to the previous instruction.
3. A system for universal personalization, comprising: a security module, an upper computer, a write-in terminal, a security module provider TSM, and a service provider TSM, characterized in that the service provider TSM further comprises:
the personalized service unit abstracts each personalized service and manages by adopting an independent interface, and each personalized service corresponds to a corresponding instruction stream;
the preprocessing unit is used for adding a preprocessing interface in front of each personalized service interface, and each preprocessing unit corresponds to a corresponding instruction stream;
the extension processing unit is used for adding an extension processing interface behind each personalized service interface, and each extension processing unit corresponds to a corresponding instruction stream;
an instruction dividing unit that divides an instruction stream into blocks, each block including a plurality of instructions;
the upper computer calls, in order, the preprocessing unit, the personalized service unit, the extension processing unit and the instruction dividing unit of the TSM to obtain an instruction stream, and issues the instruction stream to the write-in terminal, and the write-in terminal carries out personalized processing on the security module according to the instruction stream;
the security module provider TSM further comprises:
a key distribution unit, wherein the TSM uses an authorization mode for the auxiliary security domain and distributes an initial key for the auxiliary security domain;
an authorized access unit, wherein the service provider TSM supports the authorization mode and applies to the TSM for the right to use the auxiliary security domain written in the terminal; after successfully authenticating the TSM, the TSM shares the initial key or the key generation rule with the TSM; and the TSM monitors the auxiliary security domain and the application use channel written in the terminal, and judges whether the TSM is an authorized service provider TSM accessing and using the application written in the terminal;
when dividing the instruction stream, the instruction dividing unit divides the instruction stream into blocks according to the block partitioning points and encapsulates each block of the instruction stream; the upper computer is used for acquiring each instruction stream and issuing each instruction stream to the write-in terminal at one time.
4. A system for universal personalization as in claim 3, wherein the personalized services comprise, in order: creating a file structure, initializing data, generating a key pair, computing a P10 signature, writing a certificate, and updating the personalized life cycle state.
5. A system for universal personalization as in claim 3, wherein the block partitioning point for partitioning the instruction stream is set at a position where computing the next instruction requires the result returned in the response to the previous instruction.
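A sketch of the flow in claims 1 and 2, added here as an illustration and not taken from the patent: each service exposes a preprocessing, main and extended-processing hook, the hooks are called in the claimed service order, and the resulting stream is cut into blocks at every instruction that needs the previous response. The instruction labels, the `needs_prev_response` flag and the choice of which instructions depend on earlier responses are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List

# Service order from claim 1; instruction names and dependency flags are constructed.
SERVICE_ORDER = ["create_file_structure", "initialize_data", "generate_key_pair",
                 "compute_p10_signature", "write_certificate", "update_lifecycle_state"]

@dataclass(frozen=True)
class Instruction:
    name: str                          # symbolic label, not a real card command
    needs_prev_response: bool = False  # needs the response to the previous instruction

Hook = Callable[[], List[Instruction]]
@dataclass
class Service:
    name: str
    main: Hook
    pre: Hook = list    # preprocessing interface (S2); list() yields no instructions
    post: Hook = list   # extended processing interface (S2)

def build_stream(services: List[Service]) -> List[Instruction]:
    """Call pre, main and post of each service in the claimed order (S3, S5)."""
    by_name = {s.name: s for s in services}
    missing = [n for n in SERVICE_ORDER if n not in by_name]
    if missing:
        raise ValueError(f"missing personalization services: {missing}")
    stream: List[Instruction] = []
    for name in SERVICE_ORDER:
        svc = by_name[name]
        stream += svc.pre() + svc.main() + svc.post()
    return stream

def split_blocks(stream: List[Instruction]) -> List[List[Instruction]]:
    """Open a new block at each instruction that needs the previous response (claim 2)."""
    blocks: List[List[Instruction]] = []
    for ins in stream:
        if not blocks or ins.needs_prev_response:
            blocks.append([])
        blocks[-1].append(ins)
    return blocks

def sample_services() -> List[Service]:
    """Constructed input: P10 signing and certificate writing use earlier responses."""
    I = Instruction
    mains = [[I("CREATE_DF"), I("CREATE_EF")], [I("WRITE_INIT")], [I("GEN_KEYPAIR")],
             [I("SIGN_P10", True)], [I("WRITE_CERT", True)], [I("SET_STATE")]]
    svcs = [Service(n, lambda seq=seq: list(seq)) for n, seq in zip(SERVICE_ORDER, mains)]
    svcs[0].pre = lambda: [I("SELECT_SSD")]  # hypothetical preprocessing step
    return svcs
```

With the sample input, eight instructions collapse into three blocks, so the upper computer makes three round trips to the write-in terminal instead of eight.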
CN201810447082.2A 2018-05-11 2018-05-11 Universal personalization method and system Active CN108718238B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810447082.2A CN108718238B (en) 2018-05-11 2018-05-11 Universal personalization method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810447082.2A CN108718238B (en) 2018-05-11 2018-05-11 Universal personalization method and system

Publications (2)

Publication Number Publication Date
CN108718238A CN108718238A (en) 2018-10-30
CN108718238B true CN108718238B (en) 2023-04-18

Family

ID=63899799

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810447082.2A Active CN108718238B (en) 2018-05-11 2018-05-11 Universal personalization method and system

Country Status (1)

Country Link
CN (1) CN108718238B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001078020A1 (en) * 2000-04-11 2001-10-18 Visa International Service Association Integrated production of smart cards
CN1407477A (en) * 2001-09-07 2003-04-02 肖志明 Universal high speed IC card issuing apparatus and method
CN103714295A (en) * 2013-12-27 2014-04-09 北京大唐智能卡技术有限公司 Financial integrated circuit card personalized data detecting method and system
CN105592033A (en) * 2014-12-30 2016-05-18 中国银联股份有限公司 Trusted service management system and method
CN206270963U (en) * 2016-08-23 2017-06-20 广东岭南通股份有限公司 A kind of contact intelligent card personalization system and write-in terminal

Also Published As

Publication number Publication date
CN108718238A (en) 2018-10-30

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant