CN115484593A - Key retrieving method, server and user identity identification card - Google Patents

Key retrieving method, server and user identity identification card Download PDF

Info

Publication number
CN115484593A
CN115484593A CN202211062339.5A CN202211062339A CN115484593A CN 115484593 A CN115484593 A CN 115484593A CN 202211062339 A CN202211062339 A CN 202211062339A CN 115484593 A CN115484593 A CN 115484593A
Authority
CN
China
Prior art keywords
key
identification card
terminal
destination address
user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211062339.5A
Other languages
Chinese (zh)
Inventor
田新雪
李朝霞
肖征荣
马书惠
杨子文
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China United Network Communications Group Co Ltd filed Critical China United Network Communications Group Co Ltd
Priority to CN202211062339.5A priority Critical patent/CN115484593A/en
Publication of CN115484593A publication Critical patent/CN115484593A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03Protecting confidentiality, e.g. by encryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06Authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The application discloses a secret key retrieving method, a server and a user identity identification card, and belongs to the technical field of communication. The method comprises the following steps: sending a key retrieval instruction to the first user identification card in response to a key retrieval request sent by the terminal; under the condition of receiving an authentication request returned by a first user identification card, sending an information acquisition request to a terminal; receiving a first key parameter and a preset destination address returned by a terminal; according to the first key parameter and the destination address, performing identity authentication with the first user identity identification card; and under the condition of passing the identity authentication, sending an authentication passing message to the operator security server so that the operator security server obtains a first secret key through decryption, and configuring a second user identity identification card according to the first secret key and a second secret key parameter sent by the terminal so that the terminal logs in the preset client through the second user identity identification card. The method can safely retrieve the secret key, thereby ensuring the information safety and the asset safety of the user.

Description

Key retrieving method, server and user identity identification card
Technical Field
The present application relates to the field of communications technologies, and in particular, to a key retrieving method, a server, and a user identification card.
Background
The metauniverse (Metaverse) is a virtual world which is linked and created by using scientific and technological means, is mapped and interacted with the real world, and is provided with a digital living space of a novel social system. The user information and assets in the metasequoium are both present in digital form, and the identification of the user identity depends on the user's private key, which if lost may result in the collapse of the user's personal universe.
In the related art, after the user loses the private key, the private key can be retrieved by the operator,
however, since the operator has relatively absolute control right on the private key, it is easy for lawless persons to maliciously obtain the private key of the user through the operator, thereby causing a relatively high risk to the assets of the user in the metasequoium, and failing to effectively guarantee the benefits of the user.
Disclosure of Invention
Therefore, the key retrieving method, the server and the user identity identification card are provided to solve the problem that a lawless person maliciously obtains a user private key through an operator to cause loss of user information and assets.
In order to achieve the above object, a first aspect of the present application provides a key retrieving method applied to an operator service server, the method including:
responding a key retrieval request sent by a terminal, and sending a key retrieval instruction to a first user identity card, wherein the key retrieval request is a request sent by the terminal under the condition that the first user identity card is lost, a first key and a first key parameter used for logging in a preset client side are arranged in the first user identity card, and the key retrieval instruction is used for indicating the first user identity card to generate an identity verification request;
under the condition of receiving the authentication request returned by the first user identification card, sending an information acquisition request to the terminal;
receiving the first key parameter and a preset destination address returned by the terminal;
according to the first key parameter and the destination address, performing identity verification with the first user identity identification card;
and sending a verification passing message to an operator security server under the condition of passing identity verification so that the operator security server receives a second key and the first key parameter sent by the terminal, decrypting the second key according to the first key parameter to obtain the first key, configuring a second user identification card according to the first key and the second key parameter sent by the terminal, so that the terminal logs in the preset client through the second user identification card, and the second key is generated by encrypting the first key by using the first key parameter through the first user identification card and is sent to the key of the destination address.
Further, the performing authentication with the first subscriber identity module card according to the first key parameter and the destination address includes:
encrypting the destination address by using the first key parameter to obtain a first encryption result;
sending the first encryption result to the first user identification card so that the first user identification card can obtain an identity verification result according to the first encryption result and a second encryption result, wherein the second encryption result is obtained by encrypting the destination address according to a first key parameter by the first user identification card;
receiving the authentication result returned by the first user identification card;
and determining whether the identity authentication is passed or not according to the identity authentication result.
Further, the destination address is a specified address built in the first subscriber identity module card, or the destination address is a temporary address provided by the terminal;
under the condition that the destination address is a temporary address provided by the terminal, after receiving the first key parameter and a preset destination address returned by the terminal, the method further includes:
and sending the destination address to the first user identification card.
In order to achieve the above object, a second aspect of the present application provides a key recovery method applied to an operator security server, the method including:
responding to a verification passing message sent by an operator service server, and acquiring a second key and a first key parameter provided by a terminal;
the verification passing message is a message sent by the operator service server under the condition of identity verification through a first user identity identification card, a first key and a first key parameter used for logging in a preset client are arranged in the first user identity identification card, and the second key is a key generated by the first user identity identification card by using the first key parameter to encrypt the first key and sent to a destination address;
decrypting the second key according to the first key parameter to obtain the first key;
and under the condition of acquiring a second key parameter provided by the terminal, configuring a second user identification card according to the first key and the second key parameter, so that the terminal can log in the preset client through the second user identification card.
In order to achieve the above object, a third aspect of the present application provides a key recovery method applied to a first subscriber identity card, including:
receiving a key retrieval instruction sent by an operator service server, wherein the key retrieval instruction is an instruction sent by the operator service server in response to a key retrieval request of a terminal;
sending an identity authentication request to the operator service server;
using a preset destination address and a first key parameter built in the first user identification card to carry out identity authentication on the operator service server;
under the condition that the operator service server passes identity authentication, encrypting the first key by using the first key parameter to obtain a second key;
and sending the second key to the destination address, so that the terminal can obtain the second key from the destination address, providing the second key and the first key parameter to an operator security server, enabling the operator security server to decrypt the second key according to the first key parameter to obtain the first key, and configuring a second user identification card according to the first key and the second key parameter provided by the terminal, so that the terminal can log in the preset client through the second user identification card.
Further, the destination address is a designated address built in the first subscriber identity module card, or the destination address is a temporary address provided by the terminal and forwarded by the operator service server.
Further, the authenticating the operator service server by using a preset destination address and a first key parameter built in the first subscriber identity module card includes:
receiving a first encryption result sent by the operator service server, wherein the first encryption result is a result obtained by encrypting a destination address provided by the terminal by using a first key parameter provided by the operator service server;
encrypting the destination address according to the first key parameter to obtain a second encryption result;
obtaining an identity verification result according to the first encryption result and the second encryption result;
and sending the identity verification result to the operator service server.
In order to achieve the above object, a fourth aspect of the present application provides an operator service server, including:
the first sending module is used for sending a key retrieving instruction to a first user identification card in response to a key retrieving request sent by a terminal, wherein the key retrieving request is a request sent by the terminal under the condition that the first user identification card is lost, a first key and a first key parameter which are used for logging in a preset client side are arranged in the first user identification card, and the key retrieving instruction is used for indicating the first user identification card to generate an authentication request;
the second sending module is used for sending an information acquisition request to the terminal under the condition of receiving the identity authentication request returned by the first user identity identification card;
the first receiving module is used for receiving the first key parameter and a preset destination address returned by the terminal;
the first verification module is used for performing identity verification with the first user identity identification card according to the first key parameter and the destination address;
and the third sending module is used for sending a verification passing message to an operator security server under the condition of passing identity verification so that the operator security server receives a second key and the first key parameter sent by the terminal, decrypts the second key according to the first key parameter to obtain the first key, and configures a second user identity identification card according to the first key and the second key parameter sent by the terminal so that the terminal logs in the preset client through the second user identity identification card, wherein the second key is generated by encrypting the first key by using the first key parameter through the first user identity identification card and is sent to the key of the destination address.
In order to achieve the above object, a fifth aspect of the present application provides an operator security server, including:
the acquisition module is used for responding to a verification passing message sent by the operator service server and acquiring a second key and a first key parameter provided by the terminal;
the verification passing message is a message sent by the operator service server under the condition of identity verification through a first user identity identification card, a first key and a first key parameter used for logging in a preset client are arranged in the first user identity identification card, and the second key is a key generated by the first user identity identification card by using the first key parameter to encrypt the first key and sent to a destination address;
the decryption module is used for decrypting the second key according to the first key parameter to obtain the first key;
and the configuration module is used for configuring a second user identity identification card according to the first key and the second key parameter under the condition of receiving the second key parameter sent by the terminal, so that the terminal can log in the preset client through the second user identity identification card.
In order to achieve the above object, a sixth aspect of the present invention provides a user identification card, including:
a second receiving module, configured to receive a key retrieving instruction sent by an operator service server, where the key retrieving instruction is an instruction sent by the operator service server in response to a key retrieving request of a terminal;
a fourth sending module, configured to send an authentication request to the operator service server;
the second verification module is used for verifying the identity of the operator service server by using a preset destination address and a first key parameter which is built in the first user identity identification card;
the encryption module is used for encrypting the first key by using the first key parameter under the condition that the operator service server passes identity authentication to obtain a second key;
a fifth sending module, configured to send the second key to the destination address, so that the terminal obtains the second key from the destination address, and provides the second key and the first key parameter to an operator security server, so that the operator security server decrypts the second key according to the first key parameter, obtains the first key, and configures a second subscriber identity module card according to the first key and the second key parameter provided by the terminal, so that the terminal logs in the preset client through the second subscriber identity module card.
This application has following advantage:
according to the key retrieving method, the server and the user identity identification card, the operator business server responds to a key retrieving request sent by the terminal, sends a key retrieving instruction to the first user identity identification card, carries out identity authentication according to a first key parameter, a preset destination address and the first user identity identification card, and sends an authentication passing message to the operator safety server under the condition of passing the identity authentication; the operator safety server obtains a second key and a first key parameter provided by the terminal, decrypts the second key according to the first key parameter to obtain a first key, and configures a second user identity identification card according to the first key and the second key parameter; and the terminal logs in the preset client through the second user identity identification card. The method divides a server at an operator side into an operator business server and an operator safety server, the operator business server executes services such as identity authentication and the like, the operator safety server executes operations such as key decryption and the like, and the safety of a user key retrieving process is guaranteed through service division and server division, so that the occurrence of the situations that lawbreakers maliciously obtain a user private key through the operator to cause loss of user information and assets and the like is effectively reduced.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the principles of the application and not to limit the application.
Fig. 1 is a flowchart of a key recovery method according to an embodiment of the present application;
fig. 2 is a flowchart of a key recovery method according to an embodiment of the present application;
fig. 3 is a flowchart of a key recovery method according to an embodiment of the present application;
fig. 4 is a block diagram of an operator service server provided in an embodiment of the present application;
fig. 5 is a block diagram of an operator security server provided in an embodiment of the present application;
fig. 6 is a block diagram of a user identification card according to an embodiment of the present application;
fig. 7 is a schematic diagram of a key recovery system according to an embodiment of the present application;
fig. 8 is a schematic diagram of an operating process of a key recovery method according to an embodiment of the present application;
fig. 9 is a block diagram of an electronic device provided in an embodiment of the present application.
Detailed Description
The following detailed description of embodiments of the present application will be made with reference to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the preferred embodiment of the invention, are given by way of illustration and explanation only, not limitation.
As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
When the terms "comprises" and/or "comprising … …" are used in this application, the presence of the stated features, integers, steps, operations, elements and/or components are specified, but does not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof.
Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and the present application and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
The meta universe is a virtual world which is linked and created by using scientific and technological means, is mapped and interacted with the real world, and has a digital living space of a novel social system. User information and assets in the metasma exist in a digital form, identification of user identity depends on a private key (namely a secret key) of a user, and the user can log in a metasma client through a user identity identification card of the user to check related information or perform transaction.
If the key is lost once, it may cause a collapse of the user's personal universe. In the related art, after a user loses a key, the user can retrieve the key through an operator, but the operator has absolute control right on the key, so that a lawbreaker can easily maliciously obtain a private key of the user through the operator, thereby causing a great risk to assets of the user in the metastic space, and effectively guaranteeing the benefit of the user.
Therefore, in the embodiment of the application, when retrieving the user key, the operator service server and the first user identification card perform authentication first, and after passing the authentication, the operator security server with a higher security level completes the key retrieval and the operation of configuring a new card. Because the operation process and the operation result of the operator security server are not displayed outwards (including the operator business server), the security of information such as keys can be effectively guaranteed.
In a first aspect, an embodiment of the present application provides a key recovery method.
Fig. 1 is a flowchart of a key recovery method provided in an embodiment of the present application, where the key recovery method is applicable to an operator service server. As shown in fig. 1, the key recovery method includes the following steps:
and step S101, responding to a key retrieval request sent by the terminal, and sending a key retrieval instruction to the first user identification card.
The key retrieval request is a request sent by the terminal under the condition that the first user identification card is lost, a first key and a first key parameter which are used for logging in a preset client are arranged in the first user identification card, and the key retrieval instruction is used for indicating the first user identification card to generate an authentication request.
In some possible implementation manners, the first Subscriber Identity module Card is a Subscriber Identity Module (SIM) Card, and the Subscriber embeds the first key and the first key parameter in the first Subscriber Identity module Card in advance, so that the Subscriber can log in the preset client based on the first key. The preset client may be a metastic client, and the first key parameter is a parameter for retrieving the first key, which may be a password, an authentication code, or the like.
In some possible implementations, after the user loses the first subscriber identity card, the user sends a key recovery request to the operator service server in an online or offline manner. And the operator service server instructs the terminal to provide the identity authentication information, and sends a key retrieval instruction to the first user identity identification card under the condition that the operator service server verifies that the user is a real and credible user through the identity authentication information. The identification information may be identification card information of the user or a security answer corresponding to a preset security question, and the like, which is not limited in the embodiment of the present application.
It should be noted that, the operator service server sends the key retrieving instruction to the first subscriber identity card through the signaling channel, and the key retrieving instruction can be received as long as the terminal where the first subscriber identity card is located is in the power-on state.
It should be noted that the current implementation subject is an operator service server, and for an operator, the current implementation subject also includes an operator security server. In general, an operator service server is mainly used for executing a conventional service, an operator security server is used for executing a service with a higher security level, and an operation process and an operation result of the operator security server are not displayed outwards, so that the security of related information is guaranteed.
Step S102, under the condition that an identity authentication request returned by the first user identity identification card is received, an information acquisition request is sent to the terminal.
In some possible implementations, after receiving the key retrieval instruction, the first subscriber identity card needs to determine the validity of the operator service server through an identity verification operation, so as to prevent a third party from illegally stealing the key by means of the identity of the operator service server.
In one example, the first subscriber identity card sends an authentication request to the operator service server in response to the key retrieval instruction. And the operator service server sends an information acquisition request to the terminal under the condition of receiving the identity authentication request. The information acquisition request may carry a description of information to be acquired. For example, a first key parameter and a destination address need to be obtained.
It should be understood that if the key retrieval instruction is not the instruction sent by the operator service server, the operator service server no longer responds to the authentication request, and may send a prompt message to the corresponding terminal.
And step S103, receiving the first key parameter and the preset destination address returned by the terminal.
In some possible implementation manners, if the scenario is an online scenario, the terminal returns the first key parameter and the preset destination address to the operator service server through the mobile communication network or another communication network. The destination address may be a mailbox or other designated address.
In some possible implementations, if the scene is an offline scene, the operator service server instructs the user to input the related information, and the user inputs the first key parameter and the destination address through the security keyboard.
In some possible implementations, the destination address is a designated address built in the first subscriber identity card, or the destination address is a temporary address provided by the terminal. In the case where the destination address is a temporary address provided by the terminal, after step S102, the method further includes: and the operator service server sends the destination address to the first user identification card.
And step S104, performing identity authentication with the first user identity identification card according to the first key parameter and the destination address.
In some possible implementations, the operator service server encrypts the destination address using the first key parameter, obtains a first encryption result, and sends the first encryption result to the first subscriber identity card. The first user identification card encrypts the destination address according to the built-in first key parameter to obtain a second encryption result, obtains an authentication result according to the first encryption result and the second encryption result, and then sends the authentication result to the operator service server. And the operator service server receives an authentication result returned by the first user identification card and determines whether the authentication is passed or not according to the authentication result.
In one example, the first encryption result is a result obtained by encrypting the destination address by using the first key parameter according to a pre-agreed encryption algorithm by the operator service server. For example, the first encryption result C1= E PWD (addr), wherein PWD is the first key parameter provided by the terminal, addr is the destination address, and E () represents the encryption algorithm. Correspondingly, the second encryption result is obtained by encrypting the destination address by the first subscriber identity identification card according to a pre-agreed encryption algorithm by using the built-in first key parameter. For example, the second encryption result C2= E PWD’ (addr '), where PWD ' is a built-in first key parameter, addr ' is a destination address corresponding to the first subscriber identity module card, and E () represents an encryption algorithm. When C1 is the same as C2, the first user identification card determines that the verification is passed, and when C1 is different from C2, the first user identification card determines that the verification is not passed.
It should be noted that, if the terminal is a legal terminal, the PWD provided by the terminal should be the same as the PWD 'built in the first identity card, and addr should also be the same as addr'.
And step S105, in the case of passing the identity authentication, sending an authentication passing message to the operator security server.
In some possible implementation manners, the operator security server receives a second key and a first key parameter sent by the terminal, decrypts the second key according to the first key parameter to obtain a first key, configures a second user identification card according to the first key and the second key parameter sent by the terminal, so that the terminal logs in a preset client through the second user identification card, and the second key is a key generated by the first user identification card by encrypting the first key by using the first key parameter and sent to the destination address.
Fig. 2 is a flowchart of a key recovery method provided in an embodiment of the present application, where the key recovery method is applicable to an operator security server. As shown in fig. 2, the key recovery method includes the following steps:
step S201, in response to the verification passing message sent by the operator service server, acquiring the second key and the first key parameter provided by the terminal.
The verification passing message is a message sent by the operator service server under the condition of identity verification through a first user identity identification card, a first key and a first key parameter used for logging in a preset client are arranged in the first user identity identification card, and a second key is a key generated by the first user identity identification card through encrypting the first key by using the first key parameter and sent to a destination address.
In some possible implementation manners, when the first subscriber identity card passes the authentication of the operator service server, the first subscriber identity card encrypts the first key using the first key parameter to generate a second key, and sends the second key to the destination address. Since the destination address is an address agreed by the user (terminal) and the first subscriber identity card, the user (terminal) can obtain the second key from the destination address. After obtaining the second key, in an online scene, the user sends the second key and the first key parameter to the operator security server through the terminal; in an online scene, a user inputs a second key and a first key parameter to an operator security server through a security keyboard.
It should be noted that the operator service server cannot acquire information such as the second key, and therefore, the information security of the user can be guaranteed in the degree of mobility, thereby guaranteeing the asset security of the user in the metasystem.
Step S202, the second key is decrypted according to the first key parameter, and the first key is obtained.
In some possible implementations, the second key SK' = F PWD’ (SK), where SK represents the first key, PWD' is the first key parameter built into the card, and F () represents the corresponding encryption algorithm. Correspondingly, the operator security server adopts a decryption algorithm corresponding to the F () and decrypts the SK' by using a first key parameter PWD provided by the terminal, so as to obtain a first key SK.
Step S203, configuring a second user identification card according to the first key and the second key parameter when the second key parameter provided by the terminal is obtained, so that the terminal can log in the preset client through the second user identification card.
In some possible implementations, the second key parameter is a new key parameter, and if the first key is retrieved after the second subscriber identity card is lost, the key retrieval method needs to be performed based on the second key parameter.
In some possible implementations, the second subscriber identity card is a new SIM card, and after configuring the SIM card according to the first key and the second key parameter, the final second subscriber identity card is obtained. And the terminal downloads a specified client based on the second user identification card and logs in the client by using a first secret key built in the card.
Fig. 3 is a flowchart of a key recovery method according to an embodiment of the present application, where the key recovery method is applicable to a first user identification card, and a first key parameter for logging in a preset client are built in the first user identification card. As shown in fig. 3, the key recovery method includes the following steps:
step S301, receiving a key retrieving instruction sent by the operator service server.
Wherein the key retrieving instruction is an instruction sent by the operator service server in response to the key retrieving request of the terminal.
In some possible implementations. The operator service server sends the key retrieval instruction through the signaling channel. The key retrieving instruction can be received as long as the terminal where the first user identification card is located is in a power-on state.
Step S302, an identity authentication request is sent to the operator service server.
In some possible implementations, after receiving the key retrieval instruction, the first subscriber identity card needs to determine the validity of the operator service server through an identity verification operation, so as to prevent a third party from illegally stealing the key by means of the identity of the operator service server.
In one example, the authentication request may take the form of a challenge-response. For example, the first subscriber identity card sends a challenge question and answer to the operator service server, and requests the operator service server to encrypt the destination address by using the first key parameter, obtain a first encryption result, and return the first encryption result to the first subscriber identity card.
Step S303, using a preset destination address and a first key parameter built in the first user identification card to perform identity authentication on the operator service server.
In some possible implementations, the destination address is a designated address built in the first subscriber identity card, or the destination address is a temporary address provided by the terminal. Under the condition that the destination address is a temporary address provided by the terminal, the operator service server needs to send the destination address provided by the terminal to the first user identification card through the signaling channel so that the first user identification card can execute identity verification and subsequent operation based on the destination address; when the destination address is a designated address built in the first user identification card, the first user identification card directly uses the designated address to execute the authentication and the subsequent operation.
In some possible implementations, the operator service server encrypts the destination address using the first key parameter, obtains a first encryption result, and sends the first encryption result to the first subscriber identity card. The first user identification card encrypts the destination address according to the built-in first key parameter to obtain a second encryption result, obtains an authentication result according to the first encryption result and the second encryption result, and then sends the authentication result to the operator service server. And the operator service server receives an authentication result returned by the first user identification card and determines whether the authentication is passed according to the authentication result.
In one example, the first encryption result is a result obtained by encrypting the destination address by using the first key parameter according to a pre-agreed encryption algorithm by the operator service server. For example, the first encryption result C1= E PWD (addr) where PWD is the first key parameter, addr is the destination address, and E () represents the encryption algorithm. Correspondingly, the second encryption result is obtained by encrypting the destination address by the first subscriber identity module card according to a pre-agreed encryption algorithm by using the built-in first key parameter. For example, the second encryption result C2= E PWD’ (addr '), where PWD ' is a built-in first key parameter, addr ' is a destination address corresponding to the first subscriber identity module card, and E () represents an encryption algorithm. When C1 is the same as C2, the first user identification card determines that the verification is passed, and when C1 is different from C2, the first user identification card determines that the verification is not passed.
Step S304, when the operator service server passes the authentication, the first key parameter is used to encrypt the first key, and a second key is obtained.
In some possible implementations, the second key SK' = F PWD’ (SK), where SK represents the first key, PWD' is the first key parameter built in the card, and F () represents the phaseThe corresponding encryption algorithm.
Step S305, the second key is sent to the destination address.
In some possible implementations, since the destination address is an address agreed by the user (terminal) and the first subscriber identity card, the user (terminal) may obtain the second key from the destination address. After obtaining the second key, in an online scene, the user sends the second key and the first key parameter to the operator security server through the terminal; in an online scene, a user inputs a second key and a first key parameter to an operator security server through a security keyboard. And the operator safety server decrypts the second key by using the first key parameter according to a predetermined decryption algorithm to obtain the first key, and configures the second user identification card according to the first key and the second key parameter provided by the terminal. And the terminal downloads a specified client based on the second user identification card and logs in the client by using a first key built in the card.
The steps of the above methods are divided for clarity, and the implementation may be combined into one step or split some steps, and the steps are divided into multiple steps, so long as the same logical relationship is included, which are all within the protection scope of the present patent; it is within the scope of the patent to add insignificant modifications to the algorithms or processes or to introduce insignificant design changes to the core design without changing the algorithms or processes.
In a second aspect, an embodiment of the present application provides an operator service server, an operator security server, and a user identity card.
Fig. 4 is a block diagram of an operator service server according to an embodiment of the present application. As shown in fig. 4, the operator service server includes the following modules:
the first sending module 401 is configured to send a key retrieving instruction to the first subscriber identity card in response to a key retrieving request sent by the terminal.
The key retrieval request is a request sent by the terminal under the condition that the first user identification card is lost, a first key and a first key parameter used for logging in a preset client are arranged in the first user identification card, and the key retrieval instruction is used for indicating the first user identification card to generate an authentication request.
A second sending module 402, configured to send an information obtaining request to the terminal when receiving an authentication request returned by the first user identification card.
A first receiving module 403, configured to receive the first key parameter and the preset destination address returned by the terminal.
In some possible implementations, the destination address is a designated address built in the first subscriber identity card, or the destination address is a temporary address provided by the terminal. When the destination address is a temporary address provided by the terminal, the operator service server needs to send the destination address provided by the terminal to the first subscriber identity module card through a signaling channel.
The first authentication module 404 is configured to authenticate with the first subscriber identity module card according to the first key parameter and the destination address.
In some possible implementations, the first verification module 404 includes: the device comprises a first encryption unit, a first sending unit, a first receiving unit and a result determining unit. The first encryption unit is used for encrypting the destination address by using the first key parameter to obtain a first encryption result; the first sending unit is used for sending the first encryption result to the first user identification card so that the first user identification card can obtain an identity verification result according to the first encryption result and the second encryption result, and the second encryption result is obtained by encrypting the destination address according to the first key parameter by the first user identification card; the first receiving unit is used for receiving an authentication result returned by the first user identification card; and the result determining unit is used for determining whether the identity authentication is passed according to the identity authentication result.
A third sending module 405, configured to send an authentication passing message to the operator security server under the condition that the authentication passes, so that the operator security server receives the second key and the first key parameter sent by the terminal, decrypts the second key according to the first key parameter, obtains the first key, configures the second user identification card according to the first key and the second key parameter sent by the terminal, so that the terminal logs in the preset client through the second user identification card, and the second key is a key generated by the first user identification card by encrypting the first key using the first key parameter, and is sent to the destination address.
Fig. 5 is a block diagram of an operator security server according to an embodiment of the present application. As shown in fig. 5, the operator security server includes the following modules:
an obtaining module 501, configured to obtain the second key and the first key parameter provided by the terminal in response to the verification passing message sent by the operator service server.
The verification passing message is a message sent by the operator service server under the condition of identity verification through a first user identity identification card, a first key and a first key parameter used for logging in a preset client are arranged in the first user identity identification card, and a second key is a key generated by the first user identity identification card through encryption of the first key parameter and sent to a destination address.
The decryption module 502 is configured to decrypt the second key according to the first key parameter to obtain the first key.
The configuration module 503 is configured to configure the second user identification card according to the first key and the second key parameter when receiving the second key parameter sent by the terminal, so that the terminal can log in the preset client through the second user identification card.
Fig. 6 is a block diagram of a user identification card according to an embodiment of the present application. As shown in fig. 6, the user identification card includes the following modules:
a second receiving module 601, configured to receive a key retrieving instruction sent by the operator service server.
Wherein the key retrieving instruction is an instruction sent by the operator service server in response to the key retrieving request of the terminal.
A fourth sending module 602, configured to send an authentication request to the operator service server.
The second authentication module 603 is configured to authenticate the operator service server by using a preset destination address and a first key parameter embedded in the first subscriber identity module card.
In some possible implementations, the second verification module 603 includes: the device comprises a second receiving unit, a second encryption unit, a verification unit and a second sending unit. The second receiving unit is used for receiving a first encryption result sent by the operator service server, wherein the first encryption result is obtained by encrypting a destination address provided by the terminal by using a first key parameter provided by the terminal by the operator service server; the second encryption unit is used for encrypting the destination address according to the first key parameter to obtain a second encryption result; the authentication unit is used for obtaining an identity authentication result according to the first encryption result and the second encryption result; and the second sending unit is used for sending the authentication result to the operator service server.
The encrypting module 604 is configured to encrypt the first key by using the first key parameter to obtain a second key when the operator service server passes the authentication.
A fifth sending module 605, configured to send the second key to the destination address, so that the terminal obtains the second key from the destination address, and provides the second key and the first key parameter to the operator security server, so that the operator security server decrypts the second key according to the first key parameter, obtains the first key, and configures the second subscriber identity card according to the first key and the second key parameter provided by the terminal, so that the terminal logs in the preset client through the second subscriber identity card.
In some possible implementations, the destination address is a designated address built in the first subscriber identity card, or the destination address is a temporary address provided by the terminal. When the destination address is a temporary address provided by the terminal, the operator service server needs to send the destination address provided by the terminal to the first subscriber identity module card through a signaling channel.
In a third aspect, an embodiment of the present application provides a key recovery system.
Fig. 7 is a schematic diagram of a key recovery system according to an embodiment of the present application. As shown in fig. 7, the key recovery system includes: a terminal 701, an operator security server 702, an operator service server 703, a destination address server 704, a first subscriber identity card 705 and a second subscriber identity card 706.
Referring to fig. 7, after the first subscriber identity card 705 is lost, the terminal 701 sends a key recovery request to the operator service server 703, and the operator service server 703 sends a key recovery instruction to the first subscriber identity card 705 through a signaling channel. The first subscriber identity module 705 performs authentication with the operator service server 703, and if the authentication is passed, the first subscriber identity module 705 encrypts the first key using the first key parameter embedded in the card and sends the first key to the destination address server 704 corresponding to the destination address, so that the terminal 701 obtains the second key from the destination address server 704. The operator security server 702, in response to the verification passing message sent by the operator service server 703, obtains the second key and the first key parameter from the terminal 701, decrypts the second key according to the first key parameter, obtains the first key, and configures the second subscriber identity card 706 according to the first key and the second key parameter provided by the terminal 701. The terminal 701 can log in the preset client by using the second user identification card 706.
Fig. 8 is a schematic diagram of an operating process of a key recovery method according to an embodiment of the present application. As shown in fig. 8, the working process of the key recovery method includes:
step S801, the terminal sends a key recovery request to the operator service server.
Step S802, the operator service server sends a key retrieving instruction to the first subscriber identity card in response to the key retrieving request.
Step S803, the first subscriber identity module sends an identity authentication request to the operator service server.
Step S804, the operator service server sends an information acquisition request to the terminal, and the terminal returns the first key parameter and the destination address to the operator service server.
Step S805, the operator service server encrypts the destination address using the first key parameter, to obtain a first encryption result.
Step S806, the operator service server sends the first encryption result to the first subscriber identity module card.
In step S807, the first subscriber identity module encrypts the preset destination address according to the built-in first key parameter to obtain a second encryption result, and obtains an authentication result according to the first encryption result and the second encryption result.
Step S808, the first subscriber identity module card sends the authentication result to the operator service server.
Step S809, when the operator service server passes the authentication, the first subscriber identity module card encrypts the first key using the first key parameter to obtain a second key.
Step S810, the first subscriber identity module card sends the second key to the destination address server.
Step S811, in case the operator service server passes the authentication, the operator service server sends an authentication passing message to the operator security server.
In step S812, the operator security server sends an information acquisition instruction to the terminal in response to the verification pass message.
In step S813, the terminal acquires the second key from the destination address server in response to the information acquisition instruction.
Step S814, the terminal sends the second key and the first key parameter to the operator security server.
Step S815, the operator security server decrypts the second key according to the first key parameter, and obtains the first key.
Step S816, the operator security server configures the second user identification card according to the first key and the second key parameter sent by the terminal, so that the terminal logs in the preset client through the second user identification card.
The functions or modules included in the apparatus provided in the embodiment of the present application may be used to execute the method described in the method embodiment of the first aspect, and specific implementation and technical effects thereof may refer to the description of the method embodiment above, and for brevity, are not described here again.
Each module in the present embodiment is a logical module, and in practical applications, one logical unit may be one physical unit, may be a part of one physical unit, or may be implemented by a combination of a plurality of physical units. In addition, in order to highlight the innovative part of the present application, a unit that is not so closely related to solving the technical problem proposed by the present application is not introduced in the present embodiment, but it does not indicate that no other unit exists in the present embodiment.
Fig. 9 is a block diagram of an electronic device provided in an embodiment of the present application.
Referring to fig. 9, an embodiment of the present application provides an electronic device, which includes:
one or more processors 901;
a memory 902 having one or more programs stored thereon that, when executed by the one or more processors, cause the one or more processors to implement the key recovery method of any of the above;
one or more I/O interfaces 903 coupled between the processor and the memory and configured to enable information interaction between the processor and the memory.
Among them, the processor 901 is a device with data processing capability, which includes but is not limited to a Central Processing Unit (CPU) or the like; memory 902 is a device having data storage capabilities including, but not limited to, random access memory (RAM, more specifically SDRAM, DDR, etc.), read Only Memory (ROM), electrically Erasable Programmable Read Only Memory (EEPROM), FLASH memory (FLASH); an I/O interface (read/write interface) 903 is connected between the processor 901 and the memory 902, and can implement information interaction between the processor 901 and the memory 902, which includes but is not limited to a data Bus (Bus) and the like.
In some embodiments, the processor 901, memory 902, and I/O interface 903 are connected to each other and to other components of the computing device by a bus.
The present embodiment further provides a computer readable medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the key recovery method provided in the present embodiment, and in order to avoid repeated descriptions, specific steps of the key recovery method are not described herein again.
It will be understood by those of ordinary skill in the art that all or some of the steps of the above inventive method, systems, functional modules/units in the apparatus may be implemented as software, firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can accessed by a computer. In addition, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as known to those skilled in the art.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a … …" does not exclude the presence of another identical element in a process, method, article, or apparatus that comprises the element.
Those skilled in the art will appreciate that although some embodiments described herein include some features included in other embodiments, not others, combinations of features of different embodiments are meant to be within the scope of the embodiments and form different embodiments.
It is to be understood that the above embodiments are merely exemplary embodiments that are employed to illustrate the principles of the present application, and that the present application is not limited thereto. It will be apparent to those skilled in the art that various changes and modifications can be made therein without departing from the spirit and scope of the application, and these changes and modifications are to be considered as the scope of the application.

Claims (10)

1. A key retrieving method is applied to an operator service server, and comprises the following steps:
sending a key retrieving instruction to a first user identification card in response to a key retrieving request sent by a terminal, wherein the key retrieving request is a request sent by the terminal under the condition that the first user identification card is lost, a first key and a first key parameter which are used for logging in a preset client side are arranged in the first user identification card, and the key retrieving instruction is used for indicating the first user identification card to generate an identity verification request;
under the condition of receiving the authentication request returned by the first user identification card, sending an information acquisition request to the terminal;
receiving the first key parameter and a preset destination address returned by the terminal;
according to the first key parameter and the destination address, performing identity authentication with the first user identity identification card;
and sending a verification passing message to an operator security server under the condition of passing identity verification so that the operator security server receives a second key and the first key parameter sent by the terminal, decrypting the second key according to the first key parameter to obtain the first key, configuring a second user identification card according to the first key and the second key parameter sent by the terminal, so that the terminal logs in the preset client through the second user identification card, and the second key is generated by encrypting the first key by using the first key parameter through the first user identification card and is sent to the key of the destination address.
2. The method for retrieving the key according to claim 1, wherein the performing authentication with the first subscriber identity module card according to the first key parameter and the destination address comprises:
encrypting the destination address by using the first key parameter to obtain a first encryption result;
sending the first encryption result to the first user identification card so that the first user identification card can obtain an identity verification result according to the first encryption result and a second encryption result, wherein the second encryption result is obtained by encrypting the destination address according to a first key parameter by the first user identification card;
receiving the authentication result returned by the first user identification card;
and determining whether the identity authentication is passed or not according to the identity authentication result.
3. The key recovery method according to claim 1, wherein the destination address is a specific address built in the first subscriber identity module card, or the destination address is a temporary address provided by the terminal;
under the condition that the destination address is a temporary address provided by the terminal, after receiving the first key parameter and a preset destination address returned by the terminal, the method further includes:
and sending the destination address to the first user identification card.
4. A key retrieving method applied to an operator security server, the method comprising:
responding to a verification passing message sent by an operator service server, and acquiring a second key and a first key parameter provided by a terminal;
the verification passing message is a message sent by the operator service server under the condition of identity verification through a first user identity identification card, a first key and a first key parameter used for logging in a preset client are arranged in the first user identity identification card, and the second key is a key generated by the first user identity identification card by using the first key parameter to encrypt the first key and sent to a destination address;
decrypting the second key according to the first key parameter to obtain the first key;
and under the condition of acquiring a second key parameter provided by the terminal, configuring a second user identification card according to the first key and the second key parameter, so that the terminal can log in the preset client through the second user identification card.
5. A key retrieving method is applied to a first user identification card, wherein a first key and a first key parameter for logging in a preset client are arranged in the first user identification card, and the method comprises the following steps:
receiving a key retrieval instruction sent by an operator service server, wherein the key retrieval instruction is an instruction sent by the operator service server in response to a key retrieval request of a terminal;
sending an identity authentication request to the operator service server;
using a preset destination address and a first key parameter built in the first user identification card to carry out identity verification on the operator service server;
under the condition that the operator service server passes identity authentication, encrypting the first key by using the first key parameter to obtain a second key;
and sending the second key to the destination address so that the terminal can obtain the second key from the destination address, providing the second key and the first key parameter to an operator security server, enabling the operator security server to decrypt the second key according to the first key parameter to obtain the first key, and configuring a second user identification card according to the first key and the second key parameter provided by the terminal so that the terminal can log in the preset client through the second user identification card.
6. The key recovery method according to claim 5, wherein the destination address is a specific address built in the first subscriber identity card, or the destination address is a temporary address provided by the terminal and forwarded by the operator service server.
7. The method for retrieving the key according to claim 5, wherein the authenticating the operator service server by using a preset destination address and a first key parameter built in the first subscriber identity module card comprises:
receiving a first encryption result sent by the operator service server, wherein the first encryption result is a result obtained by encrypting a destination address provided by the terminal by using a first key parameter provided by the operator service server;
encrypting the destination address according to the first key parameter to obtain a second encryption result;
obtaining an identity verification result according to the first encryption result and the second encryption result;
and sending the identity verification result to the operator service server.
8. An operator services server, comprising:
the first sending module is used for sending a key retrieving instruction to a first user identification card in response to a key retrieving request sent by a terminal, wherein the key retrieving request is a request sent by the terminal under the condition that the first user identification card is lost, a first key and a first key parameter used for logging in a preset client side are arranged in the first user identification card, and the key retrieving instruction is used for indicating the first user identification card to generate an identity verification request;
the second sending module is used for sending an information acquisition request to the terminal under the condition of receiving the identity authentication request returned by the first user identity identification card;
the first receiving module is used for receiving the first key parameter and a preset destination address returned by the terminal;
the first verification module is used for performing identity verification with the first user identity identification card according to the first key parameter and the destination address;
and the third sending module is used for sending a verification passing message to an operator security server under the condition of passing identity verification so that the operator security server receives a second key and the first key parameter sent by the terminal, decrypts the second key according to the first key parameter to obtain the first key, and configures a second user identity identification card according to the first key and the second key parameter sent by the terminal so that the terminal logs in the preset client through the second user identity identification card, wherein the second key is generated by encrypting the first key by using the first key parameter through the first user identity identification card and is sent to the key of the destination address.
9. A carrier security server, comprising:
the acquisition module is used for responding to the verification passing message sent by the operator service server and acquiring a second key and a first key parameter provided by the terminal;
the verification passing message is a message sent by the operator service server under the condition of identity verification through a first user identity identification card, a first key and a first key parameter which are used for logging in a preset client are built in the first user identity identification card, and the second key is a key which is generated by the first user identity identification card through encrypting the first key by using the first key parameter and is sent to a destination address;
the decryption module is used for decrypting the second key according to the first key parameter to obtain the first key;
and the configuration module is used for configuring a second user identity identification card according to the first key and the second key parameter under the condition of receiving the second key parameter sent by the terminal, so that the terminal can log in the preset client through the second user identity identification card.
10. The utility model provides a user identification card which characterized in that is applied to first user identification card, first key and the first key parameter that is used for logging in preset customer end are built-in to first user identification card, user identification card includes:
a second receiving module, configured to receive a key retrieving instruction sent by an operator service server, where the key retrieving instruction is an instruction sent by the operator service server in response to a key retrieving request of a terminal;
a fourth sending module, configured to send an authentication request to the operator service server;
the second verification module is used for verifying the identity of the operator service server by using a preset destination address and a first key parameter which is arranged in the first user identity identification card;
the encryption module is used for encrypting the first key by using the first key parameter under the condition that the operator service server passes identity authentication to obtain a second key;
a fifth sending module, configured to send the second key to the destination address, so that the terminal obtains the second key from the destination address, and provides the second key and the first key parameter to an operator security server, so that the operator security server decrypts the second key according to the first key parameter, obtains the first key, and configures a second subscriber identity module card according to the first key and the second key parameter provided by the terminal, so that the terminal logs in the preset client through the second subscriber identity module card.
CN202211062339.5A 2022-09-01 2022-09-01 Key retrieving method, server and user identity identification card Pending CN115484593A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211062339.5A CN115484593A (en) 2022-09-01 2022-09-01 Key retrieving method, server and user identity identification card

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211062339.5A CN115484593A (en) 2022-09-01 2022-09-01 Key retrieving method, server and user identity identification card

Publications (1)

Publication Number Publication Date
CN115484593A true CN115484593A (en) 2022-12-16

Family

ID=84422457

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211062339.5A Pending CN115484593A (en) 2022-09-01 2022-09-01 Key retrieving method, server and user identity identification card

Country Status (1)

Country Link
CN (1) CN115484593A (en)

Similar Documents

Publication Publication Date Title
CN110798315B (en) Data processing method and device based on block chain and terminal
US20170208049A1 (en) Key agreement method and device for verification information
CA2879910C (en) Terminal identity verification and service authentication method, system and terminal
CN106452770B (en) Data encryption method, data decryption method, device and system
CN109587103B (en) Method and device for executing application in cloud system and cloud system
CN110868291B (en) Data encryption transmission method, device, system and storage medium
CN109660534B (en) Multi-merchant-based security authentication method and device, electronic equipment and storage medium
CN111131416A (en) Business service providing method and device, storage medium and electronic device
EP3809629A1 (en) Authorization method and device for joint account, and authentication method and device for joint account
CN111971929A (en) Secure distributed key management system
WO2020123926A1 (en) Decentralized computing systems and methods for performing actions using stored private data
CN110268406A (en) Cipher safety
CN116458117A (en) Secure digital signatures
US11405782B2 (en) Methods and systems for securing and utilizing a personal data store on a mobile device
CN111294203A (en) Information transmission method
CN107026730B (en) Data processing method, device and system
CN109891823B (en) Method, system, and non-transitory computer readable medium for credential encryption
KR101680536B1 (en) Method for Service Security of Mobile Business Data for Enterprise and System thereof
CN109302442B (en) Data storage proving method and related equipment
CN117041956A (en) Communication authentication method, device, computer equipment and storage medium
CN111901312A (en) Method, system, equipment and readable storage medium for network access control
US9135449B2 (en) Apparatus and method for managing USIM data using mobile trusted module
US11972000B2 (en) Information dispersal for secure data storage
CN115484593A (en) Key retrieving method, server and user identity identification card
KR102094606B1 (en) Apparatus and method for authentication

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination