WO2017166976A1 - Method, device, and system for distributing and verifying application service - Google Patents


Info

Publication number
WO2017166976A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication, service, terminal, operator, issuance request
Application number
PCT/CN2017/075760
Other languages
French (fr), Chinese (zh)
Inventor
冯春来
Original Assignee
华为技术有限公司 (Huawei Technologies Co., Ltd.)
Priority date (Google notes that the listed priority date is an assumption and not a legal conclusion; no legal analysis was performed and no representation is made as to its accuracy.)
Application filed by 华为技术有限公司 (Huawei Technologies Co., Ltd.)
Publication of WO2017166976A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06: Authentication
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0892: Network architectures or network communication protocols for network security for authentication of entities by using authentication-authorization-accounting [AAA] servers or protocols
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40: Network security protocols

Definitions

  • The present invention relates to the field of wireless communications, and in particular to a method, device and system for issuing and verifying an application service.
  • Because mobile phone numbers are already subject to legally mandated real-name registration, a user's mobile phone number carries significant weight as an identity.
  • A large number of personal mobile applications therefore use an SMS verification code as the main auxiliary means of confirming the identity of the user terminal during registration or service use.
  • Users today hold many user names and passwords across applications, and forgetting a password has become commonplace; the usual recovery strategy is again an SMS verification code sent to the mobile phone.
  • The same applies to telecommunication application services such as WiFi-based voice (VoWiFi) and LTE-based voice (VoLTE), and to the Over The Top (OTT) application services offered over the Internet.
  • Activation of an application service bound to the user's mobile phone number is mostly verified by sending an SMS verification code to that phone. The reason is that the SMS channel runs over the operator's channel and the operator has authenticated the subscriber: only the handset that holds the number's SIM can receive the message, which gives the check resistance to impersonation.
  • The service provider thus sends an SMS verification code to the phone to confirm it, ensuring that the service being activated is initiated by the user to whom the mobile phone number belongs.
  • Embodiments of the invention provide a method, device and system for issuing and verifying an application service, so as to offer a reliable service-issuance verification solution that does not depend on mobile phone SMS.
  • A first aspect provides a method for issuing and verifying an application service, including:
  • when receiving a service issuance request, the terminal establishes a first secure channel with the operator authentication center, where the service issuance request carries a first MSISDN (Mobile Subscriber International ISDN number) and the authentication center is located in the operator network;
  • the terminal obtains the authentication parameter it uses for Extensible Authentication Protocol (EAP) authentication and transmits it to the operator authentication center over the first secure channel, and the operator authentication center passes the authentication parameter to the authentication, authorization and accounting (AAA) server for EAP authentication, the AAA server being located in the operator network;
  • after the EAP authentication passes, the terminal acquires a second MSISDN of the terminal;
  • when the first MSISDN carried in the service issuance request is the same as the second MSISDN, the terminal forwards the service issuance request, via the operator authentication center, to the application provider corresponding to the request.
  • In one implementation, the terminal obtains the authentication parameter used for EAP authentication by interacting with the user identification module (SIM) embedded in the terminal.
  • In one implementation, after the terminal forwards the service issuance request to the application provider via the operator authentication center, the terminal tears down the first secure channel to the authentication center.
  • In one implementation, the terminal acquires its MSISDN as follows: the terminal interacts with the embedded user identification module to obtain its international mobile subscriber identity (IMSI) and sends the IMSI to the operator authentication center over the first secure channel; the operator authentication center sends the IMSI to the operator BOSS (business and operation support system) to obtain the MSISDN corresponding to the IMSI.
  • In one implementation, the terminal forwards the service issuance request to the application provider via the operator authentication center by sending the request to the authentication center over the first secure channel, and the authentication center forwards it to the application provider over a second secure channel.
  • A second aspect provides a method for issuing and verifying an application service, including:
  • the operator authentication center establishes a first secure channel with the terminal and, over that channel, receives the authentication parameter the terminal sends for the service issuance request it received, the authentication parameter being used for EAP authentication between the terminal and the AAA server;
  • the operator authentication center passes the authentication parameter to the AAA server for EAP authentication, the AAA server being located in the operator network;
  • after the EAP authentication passes, the operator authentication center receives the service issuance request sent by the terminal and sends it to the application provider corresponding to the request.
  • In one implementation, before receiving the service issuance request, the operator authentication center receives the terminal's IMSI over the first secure channel, sends the IMSI to the operator BOSS to obtain the corresponding MSISDN, and returns the MSISDN to the terminal over the first secure channel.
  • In one implementation, the operator authentication center receives the service issuance request from the terminal over the first secure channel and forwards it to the corresponding application provider over a second secure channel between the authentication center and that application provider.
  • A third aspect provides an apparatus for issuing and verifying an application service, including:
  • an establishing unit configured, when a service issuance request is received, to establish a first secure channel with the operator authentication center, where the service issuance request carries a first MSISDN and the authentication center is located in the operator network;
  • a processing unit configured to obtain the authentication parameter the apparatus uses for EAP authentication and transmit it to the operator authentication center over the first secure channel, so that the operator authentication center passes the authentication parameter to the AAA server for EAP authentication, the AAA server being located in the operator network; to acquire a second MSISDN of the apparatus after the EAP authentication passes; and, when the first MSISDN carried in the service issuance request is the same as the second MSISDN, to forward the service issuance request via the operator authentication center to the application provider corresponding to the request.
  • In one implementation, the processing unit obtains the authentication parameter used for EAP authentication by interacting with the user identification module embedded in the apparatus.
  • In one implementation, after the processing unit forwards the service issuance request to the application provider via the operator authentication center, the establishing unit is further configured to tear down the first secure channel to the authentication center.
  • In one implementation, when acquiring the MSISDN of the apparatus, the processing unit interacts with the embedded user identification module to obtain the IMSI and sends it to the operator authentication center over the first secure channel, so that the authentication center obtains the corresponding MSISDN from the operator BOSS.
  • In one implementation, when forwarding the service issuance request to the application provider via the operator authentication center, the processing unit sends the request to the authentication center over the first secure channel, and the authentication center forwards it to the application provider over a second secure channel.
  • A fourth aspect provides a device for issuing and verifying an application service, including:
  • a transceiver unit configured to establish a first secure channel with the terminal and, over that channel, receive the authentication parameter the terminal sends for the service issuance request it received, the authentication parameter being used for EAP authentication between the terminal and the AAA server;
  • an authentication unit configured to pass the authentication parameter to the AAA server for EAP authentication, the AAA server being located in the operator network;
  • the transceiver unit being further configured, after the EAP authentication passes, to receive the service issuance request sent by the terminal and send it to the application provider corresponding to the request.
  • In one implementation, before receiving the service issuance request, the transceiver unit is further configured to receive the terminal's IMSI over the first secure channel, send the IMSI to the operator BOSS to obtain the corresponding MSISDN, and return the MSISDN to the terminal over the first secure channel.
  • In one implementation, when receiving the service issuance request from the terminal and sending it to the corresponding application provider, the transceiver unit receives the request over the first secure channel and forwards it over a second secure channel between the device and that application provider.
  • A fifth aspect provides a terminal device comprising a processor, a memory, a transmitter and a receiver, where the memory stores a computer-readable program and the processor runs the program in the memory and controls the transmitter and the receiver to implement the issuance verification method of the first aspect.
  • A sixth aspect provides a server device comprising a processor, a memory and a transceiver, where the memory stores a computer-readable program and the processor runs the program in the memory and controls the transceiver to implement the issuance verification method of the second aspect.
  • A seventh aspect provides an application issuance verification system including a first device and a second device, where the first device is the apparatus of the third aspect or the terminal device of the fifth aspect, and the second device is the device of the fourth aspect or the server device of the sixth aspect.
  • In summary: when the terminal receives a service issuance request carrying a first MSISDN, it establishes a first secure channel with the operator authentication center, obtains its authentication parameter and passes it to the operator authentication center, which relays it to the AAA server for EAP authentication; after the EAP authentication passes, the terminal acquires a second MSISDN of the terminal.
  • Only when the first MSISDN equals the second MSISDN does the terminal forward the service issuance request, via the operator authentication center, to the corresponding application provider. Compared with the prior art, which verifies service issuance with a mobile phone SMS code, the application service provider no longer needs the operator to send an SMS verification code to the terminal.
  • This removes the dependence on SMS, lowers the cost of deploying the application service, and reduces the development effort on the operator's service side.
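The flow summarized above, as an added example that is not the patent's own code: a Python simulation of the terminal, the operator authentication center, the AAA server, the BOSS number lookup and the application provider, run for a matching MSISDN, a mismatched MSISDN, a client that knows the IMSI but not the subscriber key, and a client that skips EAP. Assumptions, none of which come from the page: the EAP method is replaced by a toy HMAC challenge-response keyed with a subscriber key Ki (the page only says the terminal obtains its EAP parameters from the SIM, and real EAP-SIM/AKA is different); the first TLS channel is an in-memory session object; the BOSS is a dictionary; the IMSI, MSISDNs, key and provider name are constructed. The example also repeats the first-versus-second MSISDN comparison on the authentication-center side, which the page leaves to the terminal.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class ServiceIssuanceRequest:
    app: str     # application provider the request is bound to
    msisdn: str  # "first MSISDN": the number the user or the application claims

class SIM:
    """Stand-in for the embedded SIM: the IMSI plus a subscriber key Ki (assumed layout)."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki
    def eap_response(self, challenge: bytes) -> bytes:
        # Toy EAP method: HMAC over the AAA challenge. Real EAP-SIM/AKA differs.
        return hmac.new(self._ki, challenge, hashlib.sha256).digest()

class AAAServer:
    """Operator AAA: knows Ki per IMSI, issues a challenge, verifies the response."""
    def __init__(self, keys: dict):
        self._keys, self._pending = keys, {}
    def challenge(self, imsi: str) -> bytes:
        self._pending[imsi] = secrets.token_bytes(16)
        return self._pending[imsi]
    def verify(self, imsi: str, response: bytes) -> bool:
        ki, c = self._keys.get(imsi), self._pending.pop(imsi, None)
        if ki is None or c is None:
            return False
        return hmac.compare_digest(hmac.new(ki, c, hashlib.sha256).digest(), response)

@dataclass
class SecureChannel:
    """The first (TLS) channel; EAP state is bound to the channel, not to the caller."""
    imsi: Optional[str] = None
    authenticated: bool = False
    msisdn: Optional[str] = None

class OperatorAuthCenter:
    def __init__(self, aaa: AAAServer, boss: dict, providers: dict):
        self.aaa = aaa
        self.boss = boss              # stands in for the BOSS IMSI -> MSISDN lookup
        self.providers = providers    # app name -> list of MSISDNs issued for
    def eap_start(self, ch: SecureChannel, imsi: str) -> bytes:
        ch.imsi, ch.authenticated = imsi, False   # relay the identity to AAA, return its challenge
        return self.aaa.challenge(imsi)
    def eap_finish(self, ch: SecureChannel, response: bytes) -> bool:
        ch.authenticated = self.aaa.verify(ch.imsi, response)   # relay the response to AAA
        return ch.authenticated
    def resolve_msisdn(self, ch: SecureChannel) -> Optional[str]:
        if not ch.authenticated:
            raise PermissionError("EAP has not passed on this channel")
        ch.msisdn = self.boss.get(ch.imsi)        # "second MSISDN", asserted by the network
        return ch.msisdn
    def forward_request(self, ch: SecureChannel, req: ServiceIssuanceRequest) -> str:
        # Gate on the channel's own state and repeat the MSISDN comparison here; the page
        # has the terminal compare, a network-side check does not rely on the terminal.
        if not ch.authenticated or ch.msisdn is None:
            raise PermissionError("EAP has not passed on this channel")
        if req.msisdn != ch.msisdn:
            return "msisdn-mismatch"
        self.providers[req.app].append(req.msisdn) # delivered over the second channel
        return "issued"
    def close_channel(self, ch: SecureChannel) -> None:
        ch.imsi, ch.authenticated, ch.msisdn = None, False, None

class Terminal:
    def __init__(self, sim: SIM, ac: OperatorAuthCenter):
        self.sim, self.ac = sim, ac
    def issue_service(self, req: ServiceIssuanceRequest) -> str:
        ch = SecureChannel()                                    # step 42: first secure channel
        try:
            challenge = self.ac.eap_start(ch, self.sim.imsi)    # step 43: EAP via the auth center
            if not self.ac.eap_finish(ch, self.sim.eap_response(challenge)):
                return "eap-failed"
            if self.ac.resolve_msisdn(ch) != req.msisdn:        # step 44: second vs first MSISDN
                return "msisdn-mismatch"
            return self.ac.forward_request(ch, req)             # forward to the provider
        finally:
            self.ac.close_channel(ch)                           # tear the first channel down

def run_demo() -> dict:
    # Constructed fixtures: one subscriber, one provider, a good, a rogue and a lazy client.
    imsi, ki = "460001234567890", bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    issued = []
    ac = OperatorAuthCenter(AAAServer({imsi: ki}), {imsi: "+8613800000000"}, {"vowifi": issued})
    good = Terminal(SIM(imsi, ki), ac)
    rogue = Terminal(SIM(imsi, b"guessed-key"), ac)   # knows the IMSI but not Ki
    try:                                              # a client that skips EAP entirely
        ac.forward_request(SecureChannel(), ServiceIssuanceRequest("vowifi", "+8613800000000"))
        no_eap = "forwarded"
    except PermissionError:
        no_eap = "rejected"
    return {
        "match": good.issue_service(ServiceIssuanceRequest("vowifi", "+8613800000000")),
        "mismatch": good.issue_service(ServiceIssuanceRequest("vowifi", "+8613900000000")),
        "bad_key": rogue.issue_service(ServiceIssuanceRequest("vowifi", "+8613800000000")),
        "no_eap": no_eap,
        "issued_for": list(issued),
    }
```

`run_demo()` returns the outcome of each client. The property the scheme rests on is visible in the four cases: the provider only ever sees a request whose claimed number equals the number the operator derived from an IMSI that just passed EAP on the same channel, so knowing a victim's phone number or IMSI is not enough, and a request on a channel that never completed EAP is refused before any number comparison happens.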
  • FIG. 1 is a schematic diagram of an application issuance verification system in an embodiment of the present invention.
  • FIG. 2 is a schematic structural diagram of a terminal device according to an embodiment of the present invention.
  • FIG. 3 is a schematic structural diagram of a network side device according to an embodiment of the present invention.
  • FIG. 4 is a flowchart of a method for issuing and verifying an application service according to an embodiment of the present invention.
  • FIG. 5 is a flowchart of a method for issuing and verifying an application service in one application scenario according to an embodiment of the present invention.
  • FIG. 6 is a flowchart of a method for issuing and verifying an application service in another application scenario according to an embodiment of the present invention.
  • FIG. 7 is a schematic diagram of an apparatus for issuing and verifying an application service on the terminal side according to an embodiment of the present invention.
  • FIG. 8 is a schematic diagram of a device for issuing and verifying an application service on the network side according to an embodiment of the present invention.
  • The embodiment of the invention provides a method and device for issuing and verifying an application service. Anticipating that the short message service may fall out of use in the future, it uses a trusted terminal authentication solution that does not depend on mobile phone SMS to protect self-service issuance of APP services.
  • The terminal authenticates over the Internet, for example through the WiFi network it is attached to, using an operator-trusted authentication method, so that the solution reaches the same level of trust as SMS verification.
  • Referring to FIG. 1, an embodiment of the present invention provides an application issuance verification system including a terminal 11 running an authentication application, an operator authentication center 12, and an authentication, authorization and accounting (AAA) server 13.
  • The terminal 11 is configured to establish a first secure channel with the operator authentication center 12 when receiving a service issuance request, where the request carries a first MSISDN (Mobile Subscriber International ISDN/PSTN number); to obtain the authentication parameter the terminal uses for Extensible Authentication Protocol (EAP) authentication and transmit it over the first secure channel to the operator authentication center 12, which relays it to the AAA server 13 for EAP authentication; to acquire a second MSISDN of the terminal after the EAP authentication passes; and, when the first MSISDN carried in the request is the same as the second MSISDN, to forward the service issuance request via the operator authentication center 12 to the application provider corresponding to the request.
  • The operator authentication center 12 is configured to establish the first secure channel with the terminal 11 and receive over it the authentication parameter the terminal 11 sends for the received service issuance request, the parameter being used for EAP authentication between the terminal and the AAA server 13; to pass the authentication parameter to the AAA server 13 for EAP authentication; and, after the EAP authentication passes, to receive the service issuance request from the terminal and send it to the corresponding application provider.
  • An embodiment of the present invention provides a terminal device 200, which may be a mobile phone or a tablet computer capable of running a Subscriber Identity Module (SIM) card.
  • FIG. 2 shows a block diagram of the terminal device 200, which includes a processor 201 and a memory 202 and optionally an input unit, a display unit, a gravitational acceleration sensor, a proximity light sensor and the like, in accordance with some embodiments.
  • FIG. 2 is only an example of the terminal device 200 and does not limit it; the terminal device may include more or fewer components than illustrated, combine some components, or use different components.
  • The input unit is operative to receive input numeric or character information and to generate key signal inputs related to user settings and function control of the portable multifunction device.
  • The input unit can include a touch screen as well as other input devices.
  • The touch screen can collect touch operations by the user on or near it (such as operations with a finger, a knuckle or a stylus on or near the touch screen) and drive the corresponding connected device according to a preset program.
  • The touch screen can detect a user's touch action, convert it into a touch signal and send the signal to the processor 201, and can receive and execute commands sent by the processor 201; the touch signal includes at least touch-point coordinate information.
  • The touch screen may provide both an input interface and an output interface between the terminal device 200 and the user.
  • Touch screens can be implemented in various types such as resistive, capacitive, infrared and surface acoustic wave.
  • The input unit may also include other input devices, including but not limited to one or more of a physical keyboard, function keys (such as a volume control button or a power button), a trackball, a mouse, a joystick and the like.
  • The display unit of the terminal device 200 can be used to display information input by the user or provided to the user, and the various menus of the terminal device 200.
  • The touch screen may cover the display panel; when the touch screen detects a touch operation on or near it, the operation is passed to the processor 201 to determine the type of touch event, and the processor 201 then provides the corresponding visual output on the display panel according to that type.
  • In this embodiment the touch screen and the display unit can be integrated into one component to implement the input, output and display functions of the terminal device 200, and the embodiment uses "touch screen" to denote this combined function set. In other embodiments the touch screen and the display unit may also be two separate components.
  • The gravity acceleration sensor can detect the magnitude of acceleration in each direction (generally three axes), and can detect the magnitude and direction of gravity when the terminal is stationary; it can be used to identify the posture of the mobile phone (such as landscape/portrait switching, related games, magnetometer attitude calibration) and for vibration-recognition functions (such as a pedometer or tapping). In the embodiment of the invention, the gravity acceleration sensor is used to acquire the gravitational acceleration along the z axis when the user's touch contacts the touch screen.
  • The terminal device 200 may also include one or more proximity light sensors for turning off and disabling the touch screen when the terminal device 200 is close to the user (e.g. near the ear during a call), to avoid erroneous touch operations.
  • The terminal device 200 may also include one or more ambient light sensors for keeping the touch screen off when the terminal device 200 is in the user's pocket or another dark place, so that it does not consume unnecessary battery power while locked.
  • The proximity light sensor and the ambient light sensor may be integrated into one component or provided as two separate components.
  • The terminal device 200 can also be configured with other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer, an infrared sensor and the like, which are not described further here.
  • Although FIG. 2 shows the proximity light sensor and the ambient light sensor, they are not essential to the terminal device 200 and may be omitted as needed without changing the essence of the invention.
  • The memory 202 can be used to store instructions and data. It may mainly include an instruction storage area and a data storage area; the data storage area can store the association between touch gestures and application functions, and the instruction storage area can store the operating system and the instructions required for at least one function. The instructions may cause the processor 201 to perform the following method: when receiving a service issuance request, establish a first secure channel with the operator authentication center, where the service issuance request carries a first MSISDN and the authentication center is located in the operator network; obtain the authentication parameter the terminal device 200 uses for EAP authentication and transmit it over the first secure channel to the operator authentication center, which relays it to the AAA server in the operator network for EAP authentication; after the EAP authentication passes, acquire a second MSISDN of the terminal; and, when the first MSISDN carried in the service issuance request is the same as the second MSISDN, forward the service issuance request via the operator authentication center to the application provider corresponding to the request.
  • The processor 201 is the control center of the terminal device 200; it connects the various parts of the whole handset through various interfaces and lines, and performs the functions of the terminal device 200 by running or executing instructions stored in the memory 202 and calling data stored in the memory 202.
  • The processor 201 may include one or more processing units; preferably, it integrates an application processor, which mainly handles the operating system, user interface and applications, and a modem processor, which mainly handles wireless communication. The modem processor may also be left out of the processor 201.
  • The processor and the memory can be implemented on a single chip or, in some embodiments, on separate chips.
  • The processor 201 is further configured to invoke instructions in the memory to implement terminal authentication verification during the application service issuance process.
  • The code corresponding to the method shown in FIG. 4 may be burned into the chip, so that the chip performs the terminal's operations in the method of FIG. 4 when it runs.
  • How to design and program the processor is well known to those skilled in the art and is not described further here.
  • The radio frequency unit can be used to receive and transmit signals while sending or receiving information or during a call: received information is handed to the processor 201 for processing, and data intended for the uplink is sent to the base station.
  • RF circuits include, but are not limited to, an antenna, at least one amplifier, a transceiver, a coupler, a Low Noise Amplifier (LNA), a duplexer and the like.
  • The radio unit can also communicate with network devices and other devices through wireless communication.
  • The wireless communication may use any communication standard or protocol, including but not limited to Global System for Mobile communications (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), e-mail, Short Messaging Service (SMS) and so on.
  • An audio circuit, a speaker and a microphone can provide an audio interface between the user and the terminal device 200.
  • The audio circuit can convert received audio data into an electrical signal and transmit it to the speaker, which converts it into sound output; conversely, the microphone converts collected sound into an electrical signal, which the audio circuit receives and converts into audio data. The audio data is processed by the processor 201 and sent to another terminal via the radio frequency unit, or written to the memory 202 for further processing.
  • The audio circuit may also include a headphone jack 163 providing an interface between the audio circuit and a headset.
  • WiFi is a short-range wireless transmission technology. Through the WiFi module, the terminal device 200 can help the user send and receive e-mail, browse web pages and access streaming media; it provides the user with wireless broadband Internet access.
  • Although FIG. 2 shows the WiFi module, it is not essential to the terminal device 200 and may be omitted as needed without changing the essence of the invention.
  • Bluetooth is a short-range wireless communication technology. With Bluetooth, communication between mobile communication terminals such as handheld computers, notebook computers and mobile phones, and between these devices and the Internet, can be simplified effectively.
  • Through the Bluetooth module, data transmission between the terminal device 200 and the Internet becomes faster and more efficient, widening the road for wireless communication.
  • Bluetooth technology is an open solution for wireless transmission of voice and data.
  • Although FIG. 2 shows the Bluetooth module, it is not essential to the terminal device 200 and may be omitted as needed without changing the essence of the invention.
  • The terminal device 200 also includes a power source (such as a battery) that supplies power to the various components. The power source can be logically coupled to the processor 201 through a power management system 194, which manages charging, discharging and power consumption.
  • The terminal device 200 further includes an external interface, which may be a standard Micro USB interface or a multi-pin connector, and which may be used to connect the terminal device 200 to other devices for communication or to connect a charger to charge the terminal device 200.
  • The terminal device 200 may further include a camera, a flash and the like, which are not described further here.
  • Referring to FIG. 3, an embodiment of the present invention provides a network side device 300, which includes a processor 301 and a memory 302.
  • The program code for executing the solution of the present invention is stored in the memory 302, and its execution is controlled by the processor 301.
  • The program stored in the memory 302 instructs the processor 301 to perform the issuance verification method of the application service, including: establishing a first secure channel with the terminal; receiving over the first secure channel the authentication parameter the terminal sends for the service issuance request it received, the authentication parameter being used for Extensible Authentication Protocol (EAP) authentication between the terminal and the AAA server; passing the authentication parameter to the AAA server, located in the operator network, for EAP authentication; and, after the EAP authentication passes, receiving the service issuance request sent by the terminal and sending it to the application provider corresponding to the request.
  • The processor of the device 300 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more.
  • The computer system may include one or more memories, which may be read-only memory (ROM) or other static storage devices that can store static information and instructions, random access memory (RAM) or other dynamic storage devices that can store information and instructions, or disk storage. These memories are connected to the processor via a bus.
  • A memory such as the RAM holds an operating system and the program for executing the inventive scheme; the operating system is the program that controls the running of other programs and manages system resources.
  • These memories can be connected to the processor via a bus or via dedicated connection lines.
  • The code corresponding to the method shown in FIG. 4 may be burned into the chip, so that the chip performs the operator authentication center's operations in the method of FIG. 4 when it runs.
  • How to design and program the processor is well known to those skilled in the art and is not described further here.
  • an embodiment of the present invention provides a method for issuing and verifying an application service, and the process of the method is as follows.
  • Step 41 The terminal receives a service issuance request, where the service issuance request carries the first MSISDN.
  • the first MSISDN may be the MSISDN corresponding to the user information entered by the user, and the first MSISDN is bound one-to-one to the application involved in the service issuance request.
  • Step 42 The terminal establishes a first secure channel with the operator authentication center.
  • the first secure channel is a secure connection based on the Transport Layer Security (TLS) protocol.
  • Step 43 The terminal acquires an authentication parameter used by the terminal for EAP authentication, and transmits the authentication parameter to the AAA server through the operator authentication center to perform an EAP authentication process.
  • the terminal transmits the authentication parameter to the operator authentication center through the first secure channel, and the operator authentication center forwards the authentication parameter to the AAA server for EAP authentication.
  • Step 44 After the EAP authentication is passed, the terminal acquires the second MSISDN of the terminal.
  • the terminal interacts with the subscriber identity module embedded in the terminal to obtain the terminal's international mobile subscriber identity (IMSI) and sends the IMSI to the operator authentication center over the first secure channel; the operator authentication center sends the IMSI to the operator's Business & Operation Support System (BOSS) to obtain the MSISDN corresponding to the IMSI, and returns that MSISDN to the terminal over the first secure channel.
  • Step 45 The terminal forwards the service issuance request to the application provider corresponding to the service issuance request through the operator authentication center when the first MSISDN is the same as the second MSISDN.
  • the terminal sends the service issuance request to the operator authentication center over the first secure channel, and the operator authentication center forwards it to the application provider corresponding to the service issuance request over the second secure channel between the authentication center and that provider.
  • the operator authentication center establishes a second secure channel with each application provider in the configuration phase, and the second secure channel is a TLS-based secure connection channel.
  • the following is a description of the method in FIG. 4 by taking the terminal as a mobile phone terminal as an example.
  • the specific application scenario is as follows: an operator authentication center is deployed on the operator side and a client authentication application is installed on the mobile terminal; a trusted secure channel is established over the Internet between the mobile terminal and the operator authentication center; the client authentication application obtains the mobile terminal's authentication parameters and passes them to the AAA server on the operator side, which performs EAP authentication of the terminal; after the authentication is passed, the client authentication application obtains the second MSISDN of the mobile terminal and matches it against the first MSISDN carried in the service issuance request, and the service issuance request is confirmed as verified when they match, thereby eliminating the dependence on mobile phone SMS verification.
  • Scenario 1: the authentication APP running under the mobile phone operating system interacts with the operator authentication center to issue an APP service, where the APP service is an over-the-top (OTT) application service provided over the Internet. See Figure 5.
  • Step 51 A secure channel is established between the operator authentication center and the APP provider; here a TLS-based long-lived connection is established.
  • Step 52 The application APP on the mobile phone client initiates a self-service issuance request and sends it to the authentication APP on the mobile phone client.
  • the service issuance request carries the mobile phone number bound to the application APP.
  • Step 53 The authentication APP on the mobile phone client establishes a secure channel over the Internet to the operator authentication center; here a TLS-based long-lived connection is established.
  • Step 54 The authentication APP on the mobile phone client, having obtained the required system privilege through cooperation with the mobile phone operating system vendor, uses that interface to interact with the SIM card and perform EAP-AKA authentication, which establishes the authenticity of the SIM card.
  • Step 55 When the EAP-AKA authentication is passed, the authentication APP on the mobile phone client obtains the real mobile phone number of the phone from the operator BOSS through the operator authentication center.
  • Step 56 When the mobile phone number bound to the application APP is the same as the real mobile phone number of the phone, the authentication APP on the mobile phone client forwards the self-service issuance request to the operator authentication center.
  • Step 57 The operator authentication center sends the self-service issuance request to the APP provider over the secure channel it has with the APP provider.
  • Step 58 The authentication APP on the mobile phone client tears down the secure channel established with the operator authentication center.
  • Step 59 The APP provider receives the user's self-service issuance request, issues the service, and may then notify the mobile phone operating system vendor that the service has been issued successfully.
  • Step 510 The mobile phone operating system vendor uses its push message server to push a service issuance success message to the mobile phone.
  • in this way the APP provider does not itself need to verify the authenticity of the user terminal, and no SMS verification code needs to be sent to the user terminal.
  • Scenario 2: the application provider of the application service is the operator BOSS system itself. The self-service issuance process in this case is shown in Figure 6.
  • Step 61 The application APP on the mobile phone client, provided by the operator, initiates a self-service issuance request and sends it to the authentication APP on the mobile phone client.
  • Step 62 The authentication APP on the mobile phone client establishes a secure channel over the Internet to the operator authentication center; here a TLS-based long-lived connection is established.
  • Step 63 The authentication APP on the mobile phone client, having obtained the required system privilege through cooperation with the mobile phone operating system vendor, uses that interface to interact with the SIM card and perform EAP-AKA authentication, which establishes the authenticity of the SIM card.
  • Step 64 When the EAP-AKA authentication is passed, the authentication APP on the mobile phone client obtains the real mobile phone number of the phone from the operator BOSS through the operator authentication center.
  • Step 65 When the mobile phone number bound to the application APP is the same as the real mobile phone number of the phone, the authentication APP on the mobile phone client forwards the self-service issuance request to the APP provider, which here is the operator BOSS system.
  • Step 66 The authentication APP on the mobile phone client tears down the secure channel established with the operator authentication center.
  • Step 67 After receiving the user's self-service issuance request, the operator BOSS system issues the service and, once issued, sends a service issuance success message to the operator authentication center.
  • Step 68 The operator authentication center sends the service issuance success message to the mobile phone operating system vendor.
  • Step 69 The mobile phone operating system vendor uses its push message server to push the service issuance success message to the mobile phone.
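The flow of steps 41 to 45 and of the two scenarios in Figures 5 and 6, as an added example that is not code from the patent: a Python simulation with every party in the exchange (SIM, terminal authentication APP, operator authentication center, AAA server, BOSS and application provider). The TLS channels are stood in for by session-keyed method calls, EAP-AKA by a single HMAC-SHA256 challenge/response over a per-subscriber key (a stand-in for the Milenage functions; real AKA also authenticates the network to the SIM), and the BOSS by a dictionary; the IMSI, subscriber key and phone numbers are constructed. It exercises the two failure modes the text relies on: a SIM that cannot answer the AAA challenge, and a request whose bound number is not the number the BOSS returns. One point beyond the page: in the described flow the MSISDN comparison runs in the terminal's authentication APP (step 56); the example additionally has the authentication center re-check the request against the BOSS-returned MSISDN before forwarding, an assumption labelled in the code.

```python
"""Simulation of the SMS-free issuance verification flow (steps 41-45, 51-59, 61-69).
Added example, not the patent's code; EAP-AKA, TLS and the BOSS are stood in for as noted."""
import hashlib
import hmac
import secrets


class Sim:
    """SIM/USIM: holds the IMSI and subscriber key (stand-in for Ki) and answers the challenge."""
    def __init__(self, imsi, key):
        self.imsi, self._key = imsi, key

    def respond(self, rand):
        # Stand-in for the AKA RES computation; real AKA uses Milenage and also verifies AUTN.
        return hmac.new(self._key, rand, hashlib.sha256).digest()


class AaaServer:
    """Operator AAA server: one RAND/RES round standing in for the EAP-AKA exchange."""
    def __init__(self, subscriber_keys):
        self._keys = subscriber_keys  # IMSI -> subscriber key

    def challenge(self, imsi):
        return secrets.token_bytes(16) if imsi in self._keys else None

    def verify(self, imsi, rand, res):
        key = self._keys.get(imsi)
        return key is not None and hmac.compare_digest(hmac.new(key, rand, hashlib.sha256).digest(), res)


class OperatorAuthCenter:
    """Operator authentication center: terminates the terminal's first secure channel, relays
    EAP to the AAA, resolves IMSI -> MSISDN at the BOSS (a dict here) and forwards to the provider."""
    def __init__(self, aaa, boss, providers):
        self._aaa, self._boss, self._providers = aaa, boss, providers
        self._sessions = {}  # session id -> state of one first secure channel

    def open_channel(self):  # step 42 / 53
        sid = secrets.token_hex(8)
        self._sessions[sid] = {"imsi": None, "rand": None, "authenticated": False, "msisdn": None}
        return sid

    def eap_start(self, sid, imsi):  # step 43: challenge relayed from the AAA
        s = self._sessions[sid]
        s["imsi"], s["rand"] = imsi, self._aaa.challenge(imsi)
        return s["rand"]

    def eap_response(self, sid, res):  # step 43: response relayed to the AAA
        s = self._sessions[sid]
        s["authenticated"] = self._aaa.verify(s["imsi"], s["rand"], res)
        return s["authenticated"]

    def resolve_msisdn(self, sid):  # step 44 / 55: only for an authenticated IMSI
        s = self._sessions[sid]
        if not s["authenticated"]:
            raise PermissionError("EAP authentication has not passed")
        s["msisdn"] = self._boss.get(s["imsi"])
        return s["msisdn"]

    def forward(self, sid, request):  # step 45 / 57: over the provider's second channel
        s = self._sessions[sid]
        # Assumption beyond the page: the center re-checks the binding itself instead of
        # trusting the terminal's comparison, so a modified authentication APP cannot skip it.
        if not s["authenticated"] or request["msisdn"] != s["msisdn"]:
            raise PermissionError("request is not bound to the authenticated subscriber")
        self._providers[request["app"]].append(request)  # provider inbox (a list here)
        return "issued"

    def close_channel(self, sid):  # step 58 / 66
        self._sessions.pop(sid, None)


class AuthApp:
    """Terminal-side authentication APP (steps 42-45 / 53-58)."""
    def __init__(self, sim, center):
        self._sim, self._center = sim, center

    def issue(self, request):
        sid = self._center.open_channel()
        try:
            rand = self._center.eap_start(sid, self._sim.imsi)
            if rand is None or not self._center.eap_response(sid, self._sim.respond(rand)):
                return "rejected: EAP authentication failed"
            if request["msisdn"] != self._center.resolve_msisdn(sid):
                return "rejected: MSISDN mismatch"  # bound number is not this SIM's number
            return self._center.forward(sid, request)
        finally:
            self._center.close_channel(sid)


def demo():
    key = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed subscriber key
    imsi = "460001234567890"                                  # constructed IMSI
    inbox = []                                                # the OTT provider's inbox
    center = OperatorAuthCenter(AaaServer({imsi: key}), {imsi: "+8613800138000"}, {"ott-app": inbox})
    genuine = AuthApp(Sim(imsi, key), center)
    cloned = AuthApp(Sim(imsi, b"wrong-key"), center)  # claims the IMSI but lacks the key
    ok = genuine.issue({"app": "ott-app", "msisdn": "+8613800138000", "action": "activate"})
    wrong_number = genuine.issue({"app": "ott-app", "msisdn": "+8613900139000", "action": "activate"})
    bad_sim = cloned.issue({"app": "ott-app", "msisdn": "+8613800138000", "action": "activate"})
    return ok, wrong_number, bad_sim, len(inbox)
```

`demo()` runs the three cases in order: a genuine SIM with the correctly bound number reaches the provider, the same SIM with a different bound number is refused at step 45, and a SIM that cannot answer the AAA challenge is refused at step 43 before any number is looked up. The server-side check in `forward` is what makes the binding hold even if the terminal's own comparison were removed; the page itself only describes the comparison on the terminal.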
  • FIG. 7 is a schematic structural diagram of a device 700 according to an embodiment of the present invention. As shown in FIG. 7, the device 700 includes an establishing unit 701 and a processing unit 702, wherein:
  • the establishing unit 701 is configured to, when a service issuance request is received, establish a first secure channel with the operator authentication center, where the service issuance request carries a first MSISDN (mobile station international subscriber directory number) and the authentication center is located in the operator network;
  • the processing unit 702 is configured to obtain an authentication parameter used by the device for Extensible Authentication Protocol (EAP) authentication, pass the authentication parameter to the operator authentication center over the first secure channel, and have the operator authentication center pass it to the authentication, authorization and accounting (AAA) server for EAP authentication, where the AAA server is located in the operator network;
  • after the EAP authentication is passed, obtain the second MSISDN of the device; and
  • when the first MSISDN carried in the service issuance request is the same as the second MSISDN, forward the service issuance request through the operator authentication center to the application provider corresponding to the service issuance request.
  • when obtaining the authentication parameter used by the device for EAP authentication, the processing unit 702 is specifically configured to interact with the subscriber identity module embedded in the device to obtain that authentication parameter.
  • after the processing unit 702 forwards the service issuance request through the operator authentication center to the application provider, the establishing unit 701 is further configured to tear down the first secure channel to the authentication center.
  • when obtaining the MSISDN of the device, the processing unit 702 is specifically configured to interact with the subscriber identity module embedded in the device to obtain the device's international mobile subscriber identity (IMSI), send the IMSI to the operator authentication center over the first secure channel, and have the operator authentication center send the IMSI to the operator BOSS to obtain the MSISDN corresponding to the IMSI.
  • when forwarding the service issuance request through the operator authentication center to the application provider corresponding to the service issuance request, the processing unit 702 is specifically configured to send the service issuance request to the operator authentication center over the first secure channel, and to have it forwarded to the application provider over the second secure channel between the operator authentication center and that application provider.
  • the device 700 involved in the above embodiments may be a separate component or integrated into other components.
  • an embodiment of the present invention provides an application service issuance verification device 800, which can be used to perform the functions of the operator authentication center in the method described in FIG.
  • the device 800 can be the device described in FIG. 3, and FIG. 8 is a schematic structural diagram of the device 800 according to the embodiment of the present invention.
  • the device 800 includes a transceiver unit 801 and an authentication unit 802, wherein:
  • the transceiver unit 801 is configured to establish a first secure channel with the terminal and to receive, over the first secure channel, the authentication parameter sent by the terminal for the service issuance request it has received, where the authentication parameter is used for Extensible Authentication Protocol (EAP) authentication between the terminal and the AAA server;
  • the authentication unit 802 is configured to pass the authentication parameter to the AAA server for EAP authentication, where the AAA server is located in the operator network;
  • the transceiver unit 801 is further configured to, after the EAP authentication is passed, receive the service issuance request sent by the terminal and send it to the application provider corresponding to the service issuance request.
  • before receiving the service issuance request sent by the terminal, the transceiver unit 801 is further configured to receive, over the first secure channel, the international mobile subscriber identity (IMSI) of the terminal sent by the terminal, send the IMSI to the operator BOSS to obtain the MSISDN corresponding to the IMSI, and send that MSISDN to the terminal over the first secure channel.
  • when receiving the service issuance request sent by the terminal and sending it to the corresponding application provider, the transceiver unit 801 is specifically configured to receive the service issuance request over the first secure channel and forward it to the application provider over the second secure channel between the operator authentication center and that application provider.
  • the device 800 involved in the above embodiments may be a separate component or integrated into other components.
  • in summary, when the terminal receives a service issuance request, it establishes a first secure channel with the operator authentication center, where the service issuance request carries the first MSISDN and the authentication center is located in the operator network; the terminal obtains the authentication parameter used for EAP authentication and passes it to the operator authentication center over the first secure channel, and the operator authentication center passes it to the AAA server, located in the operator network, for EAP authentication; after the EAP authentication is passed, the terminal obtains its second MSISDN; and when the first MSISDN is the same as the second MSISDN, the terminal forwards the service issuance request through the operator authentication center to the application provider corresponding to the service issuance request. Service issuance is thus verified without sending an SMS verification code to the terminal.
  • embodiments of the present invention can be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or a combination of software and hardware. Moreover, the invention can take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) including computer usable program code.
  • these computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • these computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Business, Economics & Management (AREA)
  • Accounting & Taxation (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Disclosed in the present invention are a method, a device, and a system for distributing and verifying an application service so as to provide a reliable service distribution and verification solution independent of mobile phone short messages. The method comprises: a terminal, when receiving a service distribution request, establishing a first security channel to an operator authentication center, the service distribution request carrying a first MSISDN therein; the terminal acquiring an authentication parameter, transmitting the authentication parameter to the operator authentication center, and delivering the authentication parameter, by means of the operator authentication center, to an AAA server for EAP authentication, and acquiring, after the EAP authentication is passed, a second MSISDN of the terminal; the terminal forwarding, when the first MSISDN and the second MSISDN are the same, the service distribution request, by means of the operator authentication center, to an application provider to which the service distribution request corresponds. In this way, when an application service is distributed, there is no necessity of sending to the terminal a short message verification code, eliminating the dependence on short messages.

Description

Method, device and system for issuing and verifying an application service
This application claims priority to Chinese Patent Application No. 201610195162.4, filed with the Chinese Patent Office on March 30, 2016 and entitled "Method, device and system for issuing and verifying an application service", the entire contents of which are incorporated herein by reference.
Technical field
The present invention relates to the field of wireless communications, and in particular to a method, device and system for issuing and verifying an application service.
Background
Because mobile phone numbers are subject to legally mandated real-name registration, a mobile phone number is of great significance to its user, and a large number of personal mobile applications send an SMS verification code as the main auxiliary means of confirming the identity of the user terminal during account registration or service use. Moreover, users today hold a large number of user names and passwords for various applications, and forgetting a password is very common; a usual password-recovery strategy in that case is recovery through an SMS verification code sent to the mobile phone.
In mobile phone operating systems, the activation of application services bound to the user's mobile phone number, whether telecommunication services such as voice over WiFi (VoWiFi) and voice over LTE (VoLTE) or the various over-the-top (OTT) application services offered to users over the Internet, is mostly verified by sending an SMS verification code to the mobile phone. The reason is that the SMS channel runs over the operator's channel and is authenticated by the operator: only the mobile phone holding the given phone number can receive the message, so the channel resists impersonation. For example, when a user registers for WeChat or for a typical mobile banking service, because these services are bound to the mobile phone number, the service provider sends an SMS verification code to the phone to confirm it, ensuring that the service is initiated by the user to whom the phone number belongs.
However, when the mobile network is unavailable, for example in an area not covered by the operator's base stations, or when a user travelling abroad has not subscribed to international roaming, the user cannot receive SMS messages and the application service issuance fails; such issuance is often an urgent need of the customer. A trustworthy service issuance verification solution that does not depend on mobile phone SMS is therefore needed.
Summary of the invention
Embodiments of the present invention provide a method, device and system for issuing and verifying an application service, so as to provide a trustworthy service issuance verification solution that does not depend on mobile phone SMS.
The specific technical solutions provided by the embodiments of the present invention are as follows.
In a first aspect, a method for issuing and verifying an application service is provided, including:
when a terminal receives a service issuance request, establishing a first secure channel with an operator authentication center, where the service issuance request carries a first mobile station international subscriber directory number (MSISDN) and the authentication center is located in the operator network;
the terminal obtaining an authentication parameter used by the terminal for Extensible Authentication Protocol (EAP) authentication, passing the authentication parameter to the operator authentication center over the first secure channel, and, through the operator authentication center, passing the authentication parameter to an authentication, authorization and accounting (AAA) server for EAP authentication, where the AAA server is located in the operator network;
after the EAP authentication is passed, the terminal obtaining a second MSISDN of the terminal;
when the first MSISDN carried in the service issuance request is the same as the second MSISDN, the terminal forwarding the service issuance request through the operator authentication center to the application provider corresponding to the service issuance request.
On the basis of the first aspect, optionally, the terminal obtaining the authentication parameter used by the terminal for EAP authentication includes:
the terminal interacting with a subscriber identity module embedded in the terminal to obtain the authentication parameter used by the terminal for EAP authentication.
On the basis of the first aspect, optionally, after the terminal forwards the service issuance request through the operator authentication center to the application provider corresponding to the service issuance request, the method further includes:
the terminal tearing down the first secure channel to the authentication center.
On the basis of the first aspect, optionally, the terminal obtaining the MSISDN of the terminal includes:
the terminal interacting with the subscriber identity module embedded in the terminal to obtain the international mobile subscriber identity (IMSI) of the terminal, sending the IMSI to the operator authentication center over the first secure channel, and having the operator authentication center send the IMSI to the operator BOSS to obtain the MSISDN corresponding to the IMSI.
On the basis of the first aspect, optionally, the terminal forwarding the service issuance request through the operator authentication center to the application provider corresponding to the service issuance request includes:
the terminal sending the service issuance request to the operator authentication center over the first secure channel, and forwarding the service issuance request to the application provider corresponding to the service issuance request over a second secure channel between the operator authentication center and that application provider.
In a second aspect, a method for issuing and verifying an application service is provided, including:
an operator authentication center establishing a first secure channel with a terminal, and receiving over the first secure channel an authentication parameter sent by the terminal for a service issuance request it has received, where the authentication parameter is used for Extensible Authentication Protocol (EAP) authentication between the terminal and an AAA server;
the operator authentication center passing the authentication parameter to the AAA server for EAP authentication, where the AAA server is located in the operator network;
after the EAP authentication is passed, the operator authentication center receiving the service issuance request sent by the terminal and sending it to the application provider corresponding to the service issuance request.
On the basis of the second aspect, optionally, before the operator authentication center receives the service issuance request sent by the terminal, the method further includes:
the operator authentication center receiving, over the first secure channel, the international mobile subscriber identity (IMSI) of the terminal sent by the terminal, sending the IMSI to the operator BOSS to obtain the MSISDN corresponding to the IMSI, and sending the MSISDN to the terminal over the first secure channel.
On the basis of the second aspect, optionally, the operator authentication center receiving the service issuance request sent by the terminal and sending it to the application provider corresponding to the service issuance request includes:
the operator authentication center receiving the service issuance request over the first secure channel, and forwarding it to the application provider corresponding to the service issuance request over a second secure channel between the operator authentication center and that application provider.
In a third aspect, a device for issuing and verifying an application service is provided, including:
an establishing unit, configured to, when a service issuance request is received, establish a first secure channel with an operator authentication center, where the service issuance request carries a first mobile station international subscriber directory number (MSISDN) and the authentication center is located in the operator network;
a processing unit, configured to obtain an authentication parameter used by the device for Extensible Authentication Protocol (EAP) authentication, pass the authentication parameter to the operator authentication center over the first secure channel, and have the operator authentication center pass it to an authentication, authorization and accounting (AAA) server for EAP authentication, where the AAA server is located in the operator network;
after the EAP authentication is passed, obtain a second MSISDN of the device; and
when the first MSISDN carried in the service issuance request is the same as the second MSISDN, forward the service issuance request through the operator authentication center to the application provider corresponding to the service issuance request.
On the basis of the third aspect, optionally, when obtaining the authentication parameter used by the device for EAP authentication, the processing unit is specifically configured to:
interact with a subscriber identity module embedded in the device to obtain the authentication parameter used for EAP authentication.
On the basis of the third aspect, optionally, after the processing unit forwards the service issuance request through the operator authentication center to the application provider corresponding to the service issuance request, the establishing unit is further configured to:
tear down the first secure channel to the authentication center.
On the basis of the third aspect, optionally, when obtaining the MSISDN of the device, the processing unit is specifically configured to:
interact with the subscriber identity module embedded in the device to obtain the international mobile subscriber identity (IMSI) of the device, send the IMSI to the operator authentication center over the first secure channel, and have the operator authentication center send the IMSI to the operator BOSS to obtain the MSISDN corresponding to the IMSI.
On the basis of the third aspect, optionally, when forwarding the service issuance request through the operator authentication center to the application provider corresponding to the service issuance request, the processing unit is specifically configured to:
send the service issuance request to the operator authentication center over the first secure channel, and have it forwarded to the application provider corresponding to the service issuance request over the second secure channel between the operator authentication center and that application provider.
A fourth aspect provides an apparatus for issuance verification of an application service, including:
a transceiver unit, configured to establish a first secure channel with a terminal and to receive over the first secure channel an authentication parameter sent by the terminal in response to a received service issuance request, the authentication parameter being used for Extensible Authentication Protocol (EAP) authentication between the terminal and an AAA server;
an authentication unit, configured to pass the authentication parameter to the AAA server for EAP authentication, the AAA server being located in the operator network;
the transceiver unit being further configured to, after the EAP authentication passes, receive the service issuance request sent by the terminal and send the service issuance request to the application provider corresponding to the service issuance request.
On the basis of the fourth aspect, optionally, before receiving the service issuance request sent by the terminal, the transceiver unit is further configured to:
receive over the first secure channel the International Mobile Subscriber Identity (IMSI) of the terminal sent by the terminal, send the IMSI to the operator BOSS to obtain the MSISDN corresponding to the IMSI, and send the MSISDN to the terminal over the first secure channel.
On the basis of the fourth aspect, optionally, when receiving the service issuance request sent by the terminal and sending the service issuance request to the application provider corresponding to the service issuance request, the transceiver unit is specifically configured to:
receive over the first secure channel the service issuance request sent by the terminal, and forward the service issuance request to the application provider corresponding to the service issuance request over a second secure channel between the apparatus and that application provider.
A fifth aspect provides a terminal device including a processor, a memory, a transmitter and a receiver, where the memory stores a computer-readable program and the processor, by running the program in the memory, controls the transmitter and the receiver to implement the method for issuance verification of an application service according to the first aspect.
A sixth aspect provides a server device including a processor, a memory and a transceiver, where the memory stores a computer-readable program and the processor, by running the program in the memory, controls the transmitter and the receiver to implement the method for issuance verification of an application service according to the second aspect.
A seventh aspect provides a system for issuance verification of an application service, the system including a first device and a second device, where the first device is the apparatus according to the third aspect or the terminal device according to the fifth aspect, and the second device is the apparatus according to the fourth aspect or the server device according to the sixth aspect.
In the issuance verification scheme for application services provided by the embodiments of the present invention, when a terminal receives a service issuance request carrying a first MSISDN, it establishes a first secure channel with the operator authentication center, acquires its authentication parameter and passes it to the operator authentication center, which passes the authentication parameter on to the AAA server for EAP authentication; after the EAP authentication passes, the terminal acquires its second MSISDN and, when the first MSISDN is the same as the second MSISDN, forwards the service issuance request through the operator authentication center to the application provider corresponding to the request. Compared with the prior art, in which application service issuance relies on SMS verification, the application provider in this scheme does not need to have the operator send an SMS verification code to the terminal. This removes the dependence on SMS, lowers the cost of issuing application services, and reduces development effort on the operator's service side.
Brief Description of the Drawings
FIG. 1 is a schematic diagram of a system for issuance verification of an application service according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a terminal device according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a network-side device according to an embodiment of the present invention;
FIG. 4 is a flowchart of a method for issuance verification of an application service according to an embodiment of the present invention;
FIG. 5 is a flowchart of a method for issuance verification of an application service in one application scenario according to an embodiment of the present invention;
FIG. 6 is a flowchart of a method for issuance verification of an application service in another application scenario according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of a terminal-side apparatus for issuance verification of an application service according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of a network-side apparatus for issuance verification of an application service according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Embodiments of the present invention provide a method and apparatus for issuance verification of an application service. Anticipating the eventual disappearance of the SMS service, they aim to provide a trustworthy terminal authentication scheme that does not depend on mobile-phone SMS, so as to protect terminal authentication during self-service issuance of APP services. Such a scheme must achieve, through an Internet-style trusted authentication method over the Wi-Fi network the terminal is connected to, the same trustworthiness as SMS verification.
Referring to FIG. 1, an embodiment of the present invention provides a system for issuance verification of an application service, including a terminal 11 on which an authentication application is installed, an operator authentication center 12, and an Authentication, Authorization and Accounting (AAA) server 13, where the operator authentication center 12 and the AAA server 13 are both located in the operator network. The terminal may be the terminal device 200 shown in FIG. 2, and the operator authentication center 12 may be the network-side device shown in FIG. 3. Specifically:
The terminal 11 is configured to: when receiving a service issuance request, establish a first secure channel with the operator authentication center 12, the service issuance request carrying a first Mobile Subscriber International ISDN/PSTN Number (MSISDN); acquire the authentication parameter used by the terminal for Extensible Authentication Protocol (EAP) authentication, pass the authentication parameter to the operator authentication center 12 over the first secure channel, and have the operator authentication center 12 pass the authentication parameter to the AAA server 13 for EAP authentication; after the EAP authentication passes, acquire the second MSISDN of the terminal; and, when the first MSISDN carried in the service issuance request is the same as the second MSISDN, forward the service issuance request through the operator authentication center 12 to the application provider corresponding to the service issuance request.
The operator authentication center 12 is configured to: establish the first secure channel with the terminal 11; receive over the first secure channel the authentication parameter sent by the terminal 11 in response to the received service issuance request, the authentication parameter being used for EAP authentication between the terminal and the AAA server 13; pass the authentication parameter to the AAA server 13 for EAP authentication; and, after the EAP authentication passes, receive the service issuance request sent by the terminal and send it to the application provider corresponding to the service issuance request.
Referring to FIG. 2, an embodiment of the present invention provides a terminal device 200, which may be a mobile phone or a tablet capable of running a Subscriber Identity Module (SIM) card. FIG. 1 shows a block diagram of the terminal device 200 according to some embodiments: the terminal device 200 includes a processor 201 and a memory 202, and may optionally further include an input unit, a display unit, a gravitational acceleration sensor, a proximity light sensor, an ambient light sensor, a radio frequency unit, an audio circuit, a speaker, a microphone, a WiFi (wireless fidelity) module, a Bluetooth module, a power supply, an external interface and other components.
A person skilled in the art will understand that FIG. 2 is merely an example of the terminal device 200 and does not limit it; the terminal device may include more or fewer components than shown, combine some components, or have different components.
The input unit may be configured to receive input numeric or character information and to generate key signal inputs related to user settings and function control of the portable multifunction apparatus. Specifically, the input unit may include a touch screen and other input devices. The touch screen may collect touch operations by the user on or near it (for example, operations performed on or near the touch screen with a finger, a knuckle, a stylus or any other suitable object) and drive the corresponding connected apparatus according to a preset program. The touch screen can detect the user's touch action on it, convert the touch action into a touch signal and send it to the processor 201, and can receive and execute commands sent by the processor 201; the touch signal includes at least the coordinates of the touch point. The touch screen may provide an input interface and an output interface between the terminal device 200 and the user. In addition, the touch screen may be implemented in various types, such as resistive, capacitive, infrared and surface acoustic wave. Besides the touch screen, the input unit may also include other input devices, which may include but are not limited to one or more of a physical keyboard, function keys (such as volume control keys and an on/off key), a trackball, a mouse and a joystick.
The display unit may be configured to display information entered by the user or provided to the user, as well as the various menus of the terminal device 200. Further, the touch screen may cover the display panel; when the touch screen detects a touch operation on or near it, it passes the operation to the processor 201 to determine the type of touch event, and the processor 201 then provides the corresponding visual output on the display panel according to the type of touch event. In this embodiment, the touch screen and the display unit may be integrated into one component to implement the input, output and display functions of the terminal device 200; for ease of description, the embodiments of the present invention use "touch screen" to represent the combined functions of the touch screen and the display unit. In some embodiments, the touch screen and the display unit may also be two separate components.
The gravitational acceleration sensor can detect the magnitude of acceleration in each direction (generally three axes) and can also detect the magnitude and direction of gravity when the terminal is stationary, which can be used in applications that recognize the attitude of the mobile phone (such as switching between portrait and landscape, related games, and magnetometer attitude calibration) and in vibration-recognition functions (such as a pedometer or tap detection). In the embodiments of the present invention, the gravitational acceleration sensor is used to acquire the gravitational acceleration in the z-axis direction when the user's touch action contacts the touch screen.
The terminal device 200 may also include one or more proximity light sensors, used to turn off and disable the touch screen when the terminal device 200 is close to the user (for example, near the ear during a call) so as to avoid accidental operation of the touch screen; the terminal device 200 may also include one or more ambient light sensors, used to keep the touch screen off when the terminal device 200 is in the user's pocket or another dark place, preventing unnecessary battery consumption or accidental operation while the terminal device 200 is locked. In some embodiments the proximity light sensor and the ambient light sensor may be integrated into one component or provided as two separate components. The terminal device 200 may further be equipped with other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer and an infrared sensor, which are not described further here. Although FIG. 2 shows the proximity light sensor and the ambient light sensor, it should be understood that they are not essential to the terminal device 200 and may be omitted as needed without changing the essence of the invention.
The memory 202 may be used to store instructions and data and may mainly include an instruction storage area and a data storage area; the data storage area may store the association between knuckle touch gestures and application functions, and the instruction storage area may store the operating system and the instructions required for at least one function. The instructions may cause the processor 201 to perform the following method: when a service issuance request is received, establish a first secure channel with the operator authentication center, the service issuance request carrying a first MSISDN and the authentication center being located in the operator network; acquire the authentication parameter used by the terminal device 200 for EAP authentication, pass the authentication parameter to the operator authentication center over the first secure channel, and have the operator authentication center pass the authentication parameter to the AAA server, located in the operator network, for EAP authentication; after the EAP authentication passes, acquire the second MSISDN of the terminal; and, when the first MSISDN carried in the service issuance request is the same as the second MSISDN, forward the service issuance request through the operator authentication center to the application provider corresponding to the service issuance request.
The processor 201 is the control center of the terminal device 200: it connects the various parts of the whole mobile phone through various interfaces and lines and, by running or executing the instructions stored in the memory 202 and invoking the data stored in the memory 202, performs the various functions of the terminal device 200 and processes data, thereby monitoring the terminal as a whole. Optionally, the processor 201 may include one or more processing units; preferably, the processor 201 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, user interface and applications, and the modem processor mainly handles wireless communication. It should be understood that the modem processor may also not be integrated into the processor 201. In some embodiments the processor and the memory may be implemented on a single chip; in others they may be implemented on separate chips. In the embodiments of the present invention, the processor 201 is further configured to invoke the instructions in the memory to implement terminal authentication verification during application service issuance.
By designing and programming the processor, the code corresponding to the method shown in FIG. 4 below is burned into the chip, so that at run time the chip can perform the terminal's functions in the method shown in FIG. 4. How to design and program a processor is a technique well known to those skilled in the art and is not described further here.
The radio frequency unit may be used to receive and send information, or to receive and send signals during a call; in particular, it passes downlink information received from the base station to the processor 201 for processing, and sends uplink data to the base station. Generally, the RF circuit includes but is not limited to an antenna, at least one amplifier, a transceiver, a coupler, a Low Noise Amplifier (LNA), a duplexer, and so on. In addition, the radio frequency unit may communicate with network devices and other devices by wireless communication. The wireless communication may use any communication standard or protocol, including but not limited to Global System of Mobile communication (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), e-mail, Short Messaging Service (SMS), and so on.
The audio circuit, speaker and microphone may provide an audio interface between the user and the terminal device 200. The audio circuit can convert received audio data into an electrical signal and transmit it to the speaker, which converts it into an audible output; conversely, the microphone converts collected sound into an electrical signal, which the audio circuit receives and converts into audio data. The audio data is output to the processor 201 for processing and then sent via the radio frequency unit to, for example, another terminal, or output to the memory 202 for further processing. The audio circuit may also include a headphone jack 163 for connecting the audio circuit to a headset.
WiFi is a short-range wireless transmission technology; through the WiFi module, the terminal device 200 can help the user send and receive e-mail, browse web pages and access streaming media, providing the user with wireless broadband Internet access. Although FIG. 2 shows the WiFi module, it should be understood that it is not essential to the terminal device 200 and may be omitted as needed without changing the essence of the invention.
Bluetooth is a short-range wireless communication technology. Using Bluetooth, communication between mobile communication terminals such as handheld computers, laptops and mobile phones can be greatly simplified, as can communication between these devices and the Internet; through the Bluetooth module, data transmission between the terminal device 200 and the Internet becomes faster and more efficient, widening the path for wireless communication. Bluetooth is an open scheme for wireless transmission of voice and data. Although FIG. 2 shows the Bluetooth module, it should be understood that it is not essential to the terminal device 200 and may be omitted as needed without changing the essence of the invention.
The terminal device 200 also includes a power supply (such as a battery) that powers the various components; preferably, the power supply may be logically connected to the processor 201 through a power management system 194, so that charging, discharging and power consumption management are handled through the power management system 194.
The terminal device 200 also includes an external interface, which may be a standard Micro USB interface or a multi-pin connector; it may be used to connect the terminal device 200 to other apparatus for communication, or to connect a charger to charge the terminal device 200.
Although not shown, the terminal device 200 may further include a camera, a flash and the like, which are not described further here.
Referring to FIG. 3, an embodiment of the present invention provides a network-side device 300, which includes a processor 301 and a memory 302; the program code that carries out the solution of the present invention is stored in the memory 302, and its execution is controlled by the processor 301.
The program stored in the memory 302 is used to instruct the processor 301 to perform the method for issuance verification of an application service, including: establishing a first secure channel with a terminal, and receiving over the first secure channel the authentication parameter sent by the terminal in response to a received service issuance request, the authentication parameter being used for Extensible Authentication Protocol (EAP) authentication between the terminal and an AAA server; passing the authentication parameter to the AAA server, located in the operator network, for EAP authentication; and, after the EAP authentication passes, receiving the service issuance request sent by the terminal and sending it to the application provider corresponding to the service issuance request.
It should be understood that the processor in the above device 300 may be a general-purpose central processing unit (CPU), a microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling execution of the program of the present invention. The one or more memories included in the computer system may be read-only memory (ROM) or another type of static storage device capable of storing static information and instructions, random access memory (RAM) or another type of dynamic storage device capable of storing information and instructions, or disk storage. These memories are connected to the processor through a bus.
A memory, such as a RAM, holds the operating system and the program that carries out the solution of the present invention. The operating system is the program that controls the running of other programs and manages system resources.
These memories may be connected to the processor through a bus, or each connected to the processor through a dedicated connection line.
By designing and programming the processor, the code corresponding to the method shown in FIG. 4 below is burned into the chip, so that at run time the chip can perform the operator authentication center's functions in the method shown in FIG. 4. How to design and program a processor is a technique well known to those skilled in the art and is not described further here.
The method provided by the embodiments of the present invention is described below.
Based on the system architecture shown in FIG. 1, and referring to FIG. 4, an embodiment of the present invention provides a method for issuance verification of an application service, whose flow is as follows.
Step 41: The terminal receives a service issuance request, the service issuance request carrying a first MSISDN.
The first MSISDN may be entered by the user, or may be the MSISDN looked up from user information entered by the user; the first MSISDN and the application involved in the service issuance request are in a one-to-one binding relationship.
Step 42: The terminal establishes a first secure channel with the operator authentication center.
The first secure channel is a secure connection based on Transport Layer Security (TLS).
Step 43: The terminal acquires the authentication parameter used by the terminal for EAP authentication and passes it through the operator authentication center to the AAA server to carry out the EAP authentication procedure.
Specifically, the terminal passes the authentication parameter to the operator authentication center over the first secure channel, and the operator authentication center forwards the authentication parameter to the AAA server for EAP authentication.
Step 44: After the EAP authentication passes, the terminal acquires the second MSISDN of the terminal.
Specifically, the terminal interacts with the subscriber identity module embedded in the terminal to acquire the terminal's International Mobile Subscriber Identification Number (IMSI) and sends the IMSI to the operator authentication center; the operator authentication center passes the IMSI to the operator's Business & Operation Support System (BOSS), which looks up the second MSISDN corresponding to the IMSI and returns the second MSISDN to the terminal through the operator authentication center.
Step 45: When the first MSISDN is the same as the second MSISDN, the terminal forwards the service issuance request through the operator authentication center to the application provider corresponding to the service issuance request.
具体的,所述终端将所述业务发放请求通过所述第一安全通道发送至所述运营商鉴权中心,利用所述运营商安全中心与所述业务发放请求对应的应用提供商之间的第二安全通道,将所述业务发放请求转发给所述业务发放请求对应的应用提供商。Specifically, the terminal sends the service issuance request to the operator authentication center by using the first secure channel, and the application security center uses an application provider corresponding to the service release request. And the second security channel forwards the service release request to the application provider corresponding to the service release request.
需要说明的是,所述运营商鉴权中心在配置阶段建立与各应用提供商之间的第二安全通道,所述第二安全通道为基于TLS的安全连接通道。It should be noted that the operator authentication center establishes a second secure channel with each application provider in the configuration phase, and the second secure channel is a TLS-based secure connection channel.
The method in FIG. 4 is explained below taking a mobile phone as the terminal. The specific application scenario is as follows: an operator authentication center is set up on the operator side and a client-side authentication application is set up on the mobile phone side, so that a trusted secure channel is established over the Internet between the mobile phone and the operator authentication center; the client authentication application obtains the mobile phone's authentication parameters and passes them to the AAA server on the operator side to perform trusted EAP authentication of the terminal; after the authentication passes, the client authentication application obtains the second MSISDN of the mobile phone and matches it against the first MSISDN carried in the service issuance request, and when the match succeeds the service issuance request is confirmed as verified. This removes the dependence on mobile phone SMS for verification.
Application scenario 1
The authentication APP running under the mobile phone operating system interacts with the operator authentication center to implement APP service issuance. Here the APP service is a service provided by an over-the-top (OTT) APP, that is, an APP that provides application services to users over the Internet. The specific process is shown in FIG. 5.
Step 51: A secure channel is established between the operator authentication center and the APP provider; here a TLS-based long-lived connection is established.
Step 52: The application APP on the mobile phone client initiates a self-service issuance request and sends it to the authentication APP on the mobile phone client. The service issuance request carries the mobile phone number bound to the application APP.
Step 53: The authentication APP on the mobile phone client establishes a secure channel with the operator's authentication center over the Internet; here a TLS-based long-lived connection is established.
Step 54: The authentication APP on the mobile phone client obtains targeted system privileges through cooperation with the mobile phone operating system vendor, so that it can use an interface to interact with the phone's SIM card to perform EAP-AKA authentication and determine that the SIM card is genuine.
Step 55: When the EAP-AKA authentication passes, the authentication APP on the mobile phone client obtains the phone's real mobile phone number from the operator BOSS through the operator's authentication center.
Step 56: When the mobile phone number bound to the application APP is the same as the phone's real mobile phone number, the authentication APP on the mobile phone client forwards the self-service issuance request to the operator authentication center.
Step 57: The operator authentication and authorization center sends the self-service issuance request to the APP provider over the secure channel with the APP provider.
Step 58: The authentication APP on the mobile phone client tears down the secure channel established with the operator authentication and authorization center.
Step 59: The APP provider receives the user's self-service issuance request and, after the service issuance is complete, may notify the mobile phone system vendor with a service-issuance-success message.
Step 510: The mobile phone system vendor uses a push message server to send a push message to the mobile phone indicating that the service was issued successfully.
With this solution, because of the authority of the operator authentication center, the APP provider no longer needs to verify the authenticity of the user terminal itself, and so no longer needs to send an SMS verification code to the user terminal.
Application scenario 2
Application scenario 2 covers the self-service issuance process when the application provider of the application service is the operator BOSS system. The specific process is shown in FIG. 6.
Step 61: The application APP on the mobile phone client, provided by the operator, initiates a self-service issuance request and sends it to the authentication APP on the mobile phone client.
Step 62: The authentication APP on the mobile phone client establishes a secure channel with the operator's authentication center over the Internet; here a TLS-based long-lived connection is established.
Step 63: The authentication APP on the mobile phone client obtains targeted system privileges through cooperation with the mobile phone operating system vendor, so that it can use an interface to interact with the phone's SIM card to perform EAP-AKA authentication and determine that the SIM card is genuine.
Step 64: When the EAP-AKA authentication passes, the authentication APP on the mobile phone client obtains the phone's real mobile phone number from the operator BOSS through the operator's authentication center.
Step 65: When the mobile phone number bound to the application APP is the same as the phone's real mobile phone number, the authentication APP on the mobile phone client forwards the self-service issuance request to the APP provider, which here is the operator BOSS system.
Step 66: The authentication APP on the mobile phone client tears down the secure channel established with the operator authentication and authorization center.
Step 67: After receiving the user's self-service issuance request, the operator BOSS system issues the service and, after the service issuance is complete, sends a service-issuance-success message to the operator authentication center.
Step 68: The operator authentication center sends the service-issuance-success message to the mobile phone system vendor.
Step 69: The mobile phone system vendor uses a push message server to send a push message to the mobile phone indicating that the service was issued successfully.
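The flow of FIG. 4 and the two application scenarios above (terminal, operator authentication center, AAA server, BOSS and application provider, with the first/second MSISDN comparison gating the forwarding of the request) can be seen end to end in the following Python simulation. It is an added example and not code from the patent or from Huawei. It assumes a keyed-MAC challenge/response as a stand-in for the EAP-AKA exchange (real EAP-AKA uses different algorithms and messages), models the two TLS channels only as direct object references, and uses constructed IMSI, key and phone-number values; the class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed operator-side data (not real subscribers): the SIM shared key
# known to the AAA server and the IMSI -> MSISDN mapping held by BOSS.
SIM_KEYS = {"460001234567890": b"constructed-key-A"}
IMSI_TO_MSISDN = {"460001234567890": "+8613800000001"}


@dataclass(frozen=True)
class ServiceIssuanceRequest:
    app_id: str
    first_msisdn: str  # number bound to the application (step 41)


class AAAServer:
    """Stand-in for EAP authentication: keyed-MAC challenge/response over a
    fresh nonce with the key shared with the SIM. Real EAP-AKA differs."""

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, imsi: str, nonce: bytes, response: bytes) -> bool:
        key = SIM_KEYS.get(imsi)
        if key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


class BOSS:
    """Operator support system: resolves an IMSI to the subscriber's MSISDN."""

    def msisdn_for(self, imsi: str):
        return IMSI_TO_MSISDN.get(imsi)


class AppProvider:
    def __init__(self) -> None:
        self.issued = []

    def issue(self, req: ServiceIssuanceRequest) -> str:
        self.issued.append(req)
        return "issued"


class OperatorAuthCenter:
    """Relays EAP parameters to AAA and IMSI lookups to BOSS, and owns the
    second secure channel to each application provider (steps 43 to 45)."""

    def __init__(self, aaa, boss, providers) -> None:
        self.aaa, self.boss, self.providers = aaa, boss, providers

    def eap_challenge(self) -> bytes:
        return self.aaa.challenge()

    def eap_verify(self, imsi, nonce, response) -> bool:
        return self.aaa.verify(imsi, nonce, response)

    def lookup_msisdn(self, imsi):
        return self.boss.msisdn_for(imsi)

    def forward(self, req) -> str:
        provider = self.providers.get(req.app_id)
        return "rejected: unknown provider" if provider is None else provider.issue(req)


class SIM:
    """Subscriber identity module as seen by the authentication app."""

    def __init__(self, imsi: str, key: bytes) -> None:
        self.imsi, self.key = imsi, key

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


class Terminal:
    """Authentication app on the terminal. The first secure channel (step 42)
    is modelled only as the reference to the authentication center."""

    def __init__(self, sim: SIM, center: OperatorAuthCenter) -> None:
        self.sim, self.center = sim, center

    def handle(self, req: ServiceIssuanceRequest) -> str:
        # Step 43: EAP authentication relayed through the authentication center.
        nonce = self.center.eap_challenge()
        if not self.center.eap_verify(self.sim.imsi, nonce, self.sim.respond(nonce)):
            return "rejected: EAP authentication failed"
        # Step 44: the terminal's real number (second MSISDN), resolved by BOSS.
        second_msisdn = self.center.lookup_msisdn(self.sim.imsi)
        if second_msisdn is None:
            return "rejected: no MSISDN for IMSI"
        # Step 45: forward only when the bound number equals the real number.
        if req.first_msisdn != second_msisdn:
            return "rejected: MSISDN mismatch"
        return self.center.forward(req)


def run_demo() -> dict:
    """Constructed cases: matching number, request bound to another number,
    and a SIM whose key the AAA server does not recognise."""
    provider = AppProvider()
    center = OperatorAuthCenter(AAAServer(), BOSS(), {"app-ott": provider})
    genuine = Terminal(SIM("460001234567890", b"constructed-key-A"), center)
    bogus = Terminal(SIM("460001234567890", b"wrong-key"), center)
    return {
        "match": genuine.handle(ServiceIssuanceRequest("app-ott", "+8613800000001")),
        "mismatch": genuine.handle(ServiceIssuanceRequest("app-ott", "+8613800000002")),
        "bad_sim": bogus.handle(ServiceIssuanceRequest("app-ott", "+8613800000001")),
        "issued": len(provider.issued),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point the simulation makes explicit is that the application provider never sees the request unless two independent checks pass on the operator side: the SIM proved possession of its key to the AAA server, and the number the application claims to be bound to equals the number the operator's BOSS associates with that SIM. A request bound to someone else's number, or a SIM the AAA server cannot authenticate, is dropped before any service is issued, which is what lets the provider dispense with the SMS verification code.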
Based on the method for issuing and verifying an application service provided by the above embodiments, an embodiment of the present invention provides an apparatus 700 for issuing and verifying an application service. The apparatus may be used to carry out the terminal's part of the methods described in FIG. 4 to FIG. 6, where the apparatus 700 may be a terminal or a device installed on the terminal. FIG. 7 is a schematic structural diagram of the apparatus 700 provided by the embodiment of the present invention. As shown in FIG. 7, the apparatus 700 includes an establishing unit 701 and a processing unit 702, where:
the establishing unit 701 is configured to, when a service issuance request is received, establish a first secure channel with an operator authentication center, where the service issuance request carries a first international public subscriber identification number (MSISDN) and the authentication center is located in the operator network;
the processing unit 702 is configured to obtain the authentication parameters that the apparatus uses for Extensible Authentication Protocol (EAP) authentication, pass the authentication parameters to the operator authentication center over the first secure channel, and pass the authentication parameters through the operator authentication center to an authentication, authorization and accounting (AAA) server for EAP authentication, where the AAA server is located in the operator network;
after the EAP authentication passes, obtain the second MSISDN of the apparatus;
and, when the first MSISDN carried in the service issuance request is the same as the second MSISDN, forward the service issuance request through the operator authentication center to the application provider corresponding to the service issuance request.
Optionally, when obtaining the authentication parameters that the apparatus uses for EAP authentication, the processing unit 702 is specifically configured to:
interact with the subscriber identity module embedded in the apparatus to obtain the authentication parameters that the terminal uses for EAP authentication.
Optionally, after the processing unit 702 forwards the service issuance request through the operator authentication center to the application provider corresponding to the service issuance request, the establishing unit 701 is further configured to:
tear down the first secure channel with the authentication center.
Optionally, when obtaining the MSISDN of the apparatus, the processing unit 702 is specifically configured to:
interact with the subscriber identity module embedded in the apparatus to obtain the apparatus's International Mobile Subscriber Identity (IMSI), send the IMSI to the operator authentication center over the first secure channel, and have the operator authentication center send the IMSI to the operator BOSS to obtain the MSISDN corresponding to the IMSI.
Optionally, when forwarding the service issuance request through the operator authentication center to the application provider corresponding to the service issuance request, the processing unit 702 is specifically configured to:
send the service issuance request to the operator authentication center over the first secure channel, and forward the service issuance request to the application provider corresponding to the service issuance request over the second secure channel between the operator authentication center and that application provider.
The apparatus 700 referred to above in the embodiment of the present invention may be an independent component or may be integrated into other components.
It should be noted that, for the implementation of the functions of the units of the apparatus 700 in the embodiment of the present invention and the way they interact, reference may be made to the description of the related method embodiments, which is not repeated here.
Based on the method for issuing and verifying an application service provided by the above embodiments, an embodiment of the present invention provides an apparatus 800 for issuing and verifying an application service. The apparatus 800 may be used to carry out the operator authentication center's part of the methods described in FIG. 4 to FIG. 6, and may be the device described in FIG. 3. FIG. 8 is a schematic structural diagram of the apparatus 800 provided by the embodiment of the present invention. As shown in FIG. 8, the apparatus 800 includes a transceiver unit 801 and an authentication unit 802, where:
the transceiver unit 801 is configured to establish a first secure channel with a terminal and receive, over the first secure channel, the authentication parameters sent by the terminal in response to a received service issuance request, where the authentication parameters are used for Extensible Authentication Protocol (EAP) authentication between the terminal and an AAA server;
the authentication unit 802 is configured to pass the authentication parameters to the AAA server for EAP authentication, where the AAA server is located in the operator network;
and the transceiver unit 801 is further configured to, after the EAP authentication passes, receive the service issuance request sent by the terminal and send the service issuance request to the application provider corresponding to the service issuance request.
Optionally, before receiving the service issuance request sent by the terminal, the transceiver unit 801 is further configured to:
receive, over the first secure channel, the terminal's International Mobile Subscriber Identity (IMSI) sent by the terminal, send the IMSI to the operator BOSS to obtain the MSISDN corresponding to the IMSI, and send the MSISDN to the terminal over the first secure channel.
Optionally, when receiving the service issuance request sent by the terminal and sending the service issuance request to the application provider corresponding to the service issuance request, the transceiver unit 801 is specifically configured to:
receive, over the first secure channel, the service issuance request sent by the terminal, and forward the service issuance request to the application provider corresponding to the service issuance request over the second secure channel between the apparatus and that application provider.
The apparatus 800 referred to above in the embodiment of the present invention may be an independent component or may be integrated into other components.
It should be noted that, for the implementation of the functions of the units of the apparatus 800 in the embodiment of the present invention and the way they interact, reference may be made to the description of the related method embodiments, which is not repeated here.
In summary, in the embodiment of the present invention, when the terminal receives a service issuance request it establishes a first secure channel with the operator authentication center, where the service issuance request carries a first MSISDN and the authentication center is located in the operator network; the terminal obtains the authentication parameters that it uses for EAP authentication and passes them to the operator authentication center over the first secure channel, and the operator authentication center passes them to the AAA server, located in the operator network, for EAP authentication; after the EAP authentication passes, the terminal obtains its second MSISDN; and when the first MSISDN carried in the service issuance request is the same as the second MSISDN, the terminal forwards the service issuance request through the operator authentication center to the application provider corresponding to the service issuance request. In this way, as long as the terminal can access the Internet, self-service issuance of the application service can be achieved without sending an SMS verification code to the terminal, which removes the dependence on SMS and thereby reduces the cost of issuing application services.
Those skilled in the art will understand that embodiments of the present invention may be provided as a method, a system, or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage and the like) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, which implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art, once they have learned the basic inventive concept, may make further changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and variations to the embodiments of the present invention without departing from the spirit and scope of the embodiments of the present invention. Thus, if these modifications and variations of the embodiments of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is intended to include these changes and variations as well.

Claims (17)

  1. A method for issuing and verifying an application service, comprising:
    when a terminal receives a service issuance request, establishing, by the terminal, a first secure channel with an operator authentication center, where the service issuance request carries a first international public subscriber identification number (MSISDN) and the authentication center is located in an operator network;
    obtaining, by the terminal, authentication parameters that the terminal uses for Extensible Authentication Protocol (EAP) authentication, passing the authentication parameters to the operator authentication center over the first secure channel, and passing the authentication parameters through the operator authentication center to an authentication, authorization and accounting (AAA) server for EAP authentication, where the AAA server is located in the operator network;
    after the EAP authentication passes, obtaining, by the terminal, a second MSISDN of the terminal;
    when the first MSISDN carried in the service issuance request is the same as the second MSISDN, forwarding, by the terminal, the service issuance request through the operator authentication center to an application provider corresponding to the service issuance request.
  2. The method according to claim 1, wherein the obtaining, by the terminal, of the authentication parameters that the terminal uses for EAP authentication comprises:
    interacting, by the terminal, with a subscriber identity module embedded in the terminal to obtain the authentication parameters that the terminal uses for EAP authentication.
  3. The method according to claim 1, wherein after the terminal forwards the service issuance request through the operator authentication center to the application provider corresponding to the service issuance request, the method further comprises:
    tearing down, by the terminal, the first secure channel with the authentication center.
  4. The method according to claim 2, wherein the obtaining, by the terminal, of the MSISDN of the terminal comprises:
    interacting, by the terminal, with the subscriber identity module embedded in the terminal to obtain an International Mobile Subscriber Identity (IMSI) of the terminal, sending the IMSI to the operator authentication center over the first secure channel, and sending, through the operator authentication center, the IMSI to an operator BOSS to obtain the MSISDN corresponding to the IMSI.
  5. The method according to claim 1, wherein the forwarding, by the terminal, of the service issuance request through the operator authentication center to the application provider corresponding to the service issuance request comprises:
    sending, by the terminal, the service issuance request to the operator authentication center over the first secure channel, and forwarding the service issuance request to the application provider corresponding to the service issuance request over a second secure channel between the operator authentication center and that application provider.
  6. A method for issuing and verifying an application service, comprising:
    establishing, by an operator authentication center, a first secure channel with a terminal, and receiving, over the first secure channel, authentication parameters sent by the terminal in response to a received service issuance request, where the authentication parameters are used for Extensible Authentication Protocol (EAP) authentication between the terminal and an AAA server;
    passing, by the operator authentication center, the authentication parameters to the AAA server for EAP authentication, where the AAA server is located in an operator network;
    after the EAP authentication passes, receiving, by the operator authentication center, the service issuance request sent by the terminal, and sending the service issuance request to an application provider corresponding to the service issuance request.
  7. The method according to claim 6, wherein before the operator authentication center receives the service issuance request sent by the terminal, the method further comprises:
    receiving, by the operator authentication center over the first secure channel, an International Mobile Subscriber Identity (IMSI) of the terminal sent by the terminal, sending the IMSI to an operator BOSS to obtain the MSISDN corresponding to the IMSI, and sending the MSISDN to the terminal over the first secure channel.
  8. The method according to claim 6, wherein the receiving, by the operator authentication center, of the service issuance request sent by the terminal and the sending of the service issuance request to the application provider corresponding to the service issuance request comprise:
    receiving, by the operator authentication center over the first secure channel, the service issuance request sent by the terminal, and forwarding the service issuance request to the application provider corresponding to the service issuance request over a second secure channel between the operator authentication center and that application provider.
  9. An apparatus for issuing and verifying an application service, comprising:
    an establishing unit, configured to, when a service issuance request is received, establish a first secure channel with an operator authentication center, where the service issuance request carries a first international public subscriber identification number (MSISDN) and the authentication center is located in an operator network;
    a processing unit, configured to obtain authentication parameters that the apparatus uses for Extensible Authentication Protocol (EAP) authentication, pass the authentication parameters to the operator authentication center over the first secure channel, and pass the authentication parameters through the operator authentication center to an authentication, authorization and accounting (AAA) server for EAP authentication, where the AAA server is located in the operator network;
    after the EAP authentication passes, obtain a second MSISDN of the apparatus;
    and, when the first MSISDN carried in the service issuance request is the same as the second MSISDN, forward the service issuance request through the operator authentication center to an application provider corresponding to the service issuance request.
  10. The apparatus according to claim 9, wherein when obtaining the authentication parameters that the apparatus uses for EAP authentication, the processing unit is specifically configured to:
    interact with a subscriber identity module embedded in the apparatus to obtain the authentication parameters that the terminal uses for EAP authentication.
  11. The apparatus according to claim 9, wherein after the processing unit forwards the service issuance request through the operator authentication center to the application provider corresponding to the service issuance request, the establishing unit is further configured to:
    tear down the first secure channel with the authentication center.
  12. The apparatus according to claim 10, wherein when obtaining the MSISDN of the apparatus, the processing unit is specifically configured to:
    interact with the subscriber identity module embedded in the apparatus to obtain an International Mobile Subscriber Identity (IMSI) of the apparatus, send the IMSI to the operator authentication center over the first secure channel, and send, through the operator authentication center, the IMSI to an operator BOSS to obtain the MSISDN corresponding to the IMSI.
  13. 如权利要求9所述的装置,其特征在于,所述处理单元在将所述业务发放请求通过所述运营商鉴权中心转发给所述业务发放请求对应的应用提供商时,具体用于:The device according to claim 9, wherein the processing unit is configured to: when the service issuance request is forwarded to the application provider corresponding to the service issuance request by the operator authentication center, specifically:
    将所述业务发放请求通过所述第一安全通道发送至所述运营商鉴权中心,利用所述运营商安全中心与所述业务发放请求对应的应用提供商之间的第二安全通道,将所述业务发放请求转发给所述业务发放请求对应的应用提供商。Sending the service release request to the operator authentication center by using the first secure channel, and using the second secure channel between the carrier security center and the application provider corresponding to the service release request, The service issuance request is forwarded to an application provider corresponding to the service issuance request.
  14. 一种应用业务的发放验证装置,其特征在于,包括:An apparatus for issuing and verifying an application service, comprising:
    收发单元,用于建立与终端之间的第一安全通道,利用所述第一安全通道接收所述终端针对接收到的业务发放请求发送的鉴权参数,所述鉴权参数用于所述终端与AAA服务器之间的可扩展身份验证协议EAP鉴权;a transceiver unit, configured to establish a first secure channel with the terminal, and use the first secure channel to receive an authentication parameter sent by the terminal for the received service release request, where the authentication parameter is used by the terminal Extensible authentication protocol EAP authentication with the AAA server;
    鉴权单元,用于将所述鉴权参数传递给AAA服务器进行可扩展身份验证协议EAP鉴权,所述AAA服务器位于运营商网络;An authentication unit, configured to pass the authentication parameter to an AAA server for performing an Extensible Authentication Protocol (EAP) authentication, where the AAA server is located in an operator network;
    所述收发单元,还用于在EAP鉴权通过后,接收所述终端发送的业务发放请求,并将所述业务发放请求发送至所述业务发放请求对应的应用提供商。 The transceiver unit is further configured to: after the EAP authentication is passed, receive a service issuance request sent by the terminal, and send the service release request to an application provider corresponding to the service release request.
  15. 如权利要求14所述的装置,其特征在于,所述收发单元在接收所述终端发送的业务发放请求之前,还用于:The device according to claim 14, wherein the transceiver unit is further configured to: before receiving the service issuance request sent by the terminal:
    通过所述第一安全通道接收所述中工段发送的所述终端的国际移动用户识别码IMSI,将所述IMSI发送至运营商BOSS来获取所述IMSI对应的MSISDN,并通过所述第一安全通道将所述MSISDN发送至所述终端。Receiving, by the first secure channel, the international mobile subscriber identity (IMSI) of the terminal sent by the middle station, sending the IMSI to an operator BOSS, acquiring an MSISDN corresponding to the IMSI, and adopting the first security A channel transmits the MSISDN to the terminal.
  16. 如权利要求14所述的装置,其特征在于,所述收发单元在接收所述终端发送的业务发放请求,并将所述业务发放请求发送至所述业务发放请求对应的应用提供商时,具体用于:The device according to claim 14, wherein the transceiver unit receives the service issuance request sent by the terminal, and sends the service issuance request to the application provider corresponding to the service issuance request, specifically Used for:
    通过所述第一安全通道接收所述终端发送的业务发放请求,利用所述装置与所述业务发放请求对应的应用提供商之间的第二安全通道,将所述业务发放请求转发给所述业务发放请求对应的应用提供商。Receiving, by the first secure channel, a service issuance request sent by the terminal, and forwarding, by using the second secure channel between the application provider and the application provider corresponding to the service issue request, the service issue request to the The application provider corresponding to the service issuance request.
  17. 一种应用业务的发放验证系统,其特征在于,包括:如权利要求8-13所述的装置和如权利要求14-16所述的装置。 An issuance verification system for an application service, comprising: the apparatus of claims 8-13 and the apparatus of claims 14-16.
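The security point of claims 9 to 16 is that the MSISDN a service issuance request claims is never trusted on its own: it must equal the MSISDN the operator network binds to the SIM that just passed EAP authentication, and the channel is torn down afterwards. The following Python model is an added illustration of that flow, not code from the patent or its applicant; the AAA credential table, the BOSS IMSI-to-MSISDN mapping, the SIM contents and all identifiers in it are constructed stand-ins.

```python
"""Toy model of the MSISDN binding check (added example; not the patent's code).
AAA_CREDENTIALS and BOSS_IMSI_TO_MSISDN are constructed stand-ins for the
operator's AAA server and BOSS; the IMSIs, numbers and keys are made up."""
from dataclasses import dataclass, field

# Constructed operator-side data: AAA holds each IMSI's EAP credential,
# BOSS maps the IMSI to the subscriber's public number (MSISDN).
AAA_CREDENTIALS = {"460001234567890": "k-alpha", "460009876543210": "k-beta"}
BOSS_IMSI_TO_MSISDN = {"460001234567890": "+8613800000001",
                       "460009876543210": "+8613800000002"}


@dataclass
class OperatorAuthCenter:
    """Operator authentication centre: terminates the first secure channel,
    relays EAP to AAA, resolves the IMSI via BOSS, forwards to the provider."""
    forwarded: list = field(default_factory=list)   # second-channel deliveries
    channels: set = field(default_factory=set)       # open first secure channels

    def open_channel(self, terminal_id):
        self.channels.add(terminal_id)

    def close_channel(self, terminal_id):
        self.channels.discard(terminal_id)

    def eap_authenticate(self, imsi, credential):
        # Stand-in for the AAA server's EAP accept/reject decision.
        return AAA_CREDENTIALS.get(imsi) == credential

    def resolve_msisdn(self, imsi):
        # Stand-in for the BOSS lookup of claims 7, 12 and 15.
        return BOSS_IMSI_TO_MSISDN.get(imsi)

    def forward(self, request, provider):
        self.forwarded.append((provider, request))


def issue_service(request, sim, center, terminal_id="t1"):
    """Terminal-side processing unit (claim 9): forward the request only if the
    MSISDN it claims equals the MSISDN the network binds to the authenticated SIM."""
    center.open_channel(terminal_id)                           # first secure channel
    try:
        if not center.eap_authenticate(sim["imsi"], sim["credential"]):
            return "rejected: EAP failed"
        network_msisdn = center.resolve_msisdn(sim["imsi"])    # the "second" MSISDN
        if network_msisdn != request["msisdn"]:                # the "first" MSISDN
            return "rejected: MSISDN mismatch"
        center.forward(request, request["provider"])
        return "forwarded"
    finally:
        center.close_channel(terminal_id)                      # claim 11 tear-down
```

A request that names another subscriber's number fails the comparison even though the SIM itself authenticates, which is the spoofing case the binding check is there to stop.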
PCT/CN2017/075760 2016-03-30 2017-03-06 Method, device, and system for distributing and verifying application service WO2017166976A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610195162.4 2016-03-30
CN201610195162.4A CN105744520B (en) 2016-03-30 2016-03-30 Method, device and system for issuing and verifying application service

Publications (1)

Publication Number Publication Date
WO2017166976A1 true WO2017166976A1 (en) 2017-10-05

Family

ID=56253562

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/075760 WO2017166976A1 (en) 2016-03-30 2017-03-06 Method, device, and system for distributing and verifying application service

Country Status (2)

Country Link
CN (1) CN105744520B (en)
WO (1) WO2017166976A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105744520B (en) * 2016-03-30 2019-12-24 华为技术有限公司 Method, device and system for issuing and verifying application service
CN107222861B (en) * 2017-05-19 2020-10-09 珠海市魅族科技有限公司 Identity authentication method, identity authentication device, terminal and nonvolatile storage medium
CN109903022B (en) * 2018-10-25 2023-08-22 创新先进技术有限公司 Resource distribution method, device, equipment and computer readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101729578A (en) * 2008-10-27 2010-06-09 华为技术有限公司 Application service access authentication method and application service access authentication agent
CN102572815A (en) * 2010-12-29 2012-07-11 中国移动通信集团公司 Method, system and device for processing terminal application request
WO2014094822A1 (en) * 2012-12-17 2014-06-26 Telefonaktiebolaget L M Ericsson (Publ) Authenticating public land mobile networks to mobile stations
CN105744520A (en) * 2016-03-30 2016-07-06 华为技术有限公司 Application service provisioning verification methods, apparatuses and system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101848434B (en) * 2009-03-24 2013-10-09 华为技术有限公司 Configuration management method and system of equipment and business
CN102075933B (en) * 2009-11-19 2013-03-13 中国移动通信集团吉林有限公司 Method and system for running application software on intelligent terminal as well as related equipment
CN102231746B (en) * 2011-07-11 2014-03-12 华为技术有限公司 Method for validating identification information and terminal thereof
CN102724647B (en) * 2012-06-06 2014-08-13 电子科技大学 Method and system for access capability authorization

Also Published As

Publication number Publication date
CN105744520B (en) 2019-12-24
CN105744520A (en) 2016-07-06

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17773007

Country of ref document: EP

Kind code of ref document: A1

122 Ep: pct application non-entry in european phase

Ref document number: 17773007

Country of ref document: EP

Kind code of ref document: A1