Mobile communication terminal, service provider terminal, system and method for subscribing to a telecommunications service
Technical field
The present invention relates to the field of communication networks, and in particular to the field of network security; specifically, it relates to a mobile communication terminal, a service provider terminal, and a system and method for subscribing to a telecommunications service.
Background technology
At present, China's telecommunications value-added services are growing continuously. At the same time, service traps have had a harmful effect on people's lives: for example spam short messages (SMS), defrauding users of money by short message, and price cheating of users (for example requiring the user to send a service confirmation more than once in order to collect more information fees). These situations have drawn more and more complaints. Among the negative by-products of the development of the telecommunications industry, price cheating is largely caused by malicious service providers (SPs), and the situation is becoming more and more serious.
A service provider may force users to subscribe to a certain service. For example, by exploiting loopholes in the telecom operator's management and technology, the service provider can actively send service information to the user and automatically collect charges from the user's account. Some service providers set traps on the Internet or on WAP sites: when a user accidentally clicks a button on a web page or registers, the user is forcibly subscribed to a certain service, and the user is often unaware of what service the operation just performed has subscribed to, and so suffers an economic loss. With the development of the mobile Internet, people use the Internet more frequently, and a malicious service provider can easily design web pages that cause a user browsing the Internet to subscribe to services the user does not wish to obtain. Alternatively, the SP forges a service-subscription short message from the user, inserts the subscriber's directory number in it, presents this subscription information to the operator, and has the operator charge the user.
Another deception is called the reply trap: some service providers use short messages or instant messaging software to send tempting information to the user, for example congratulating the user on winning a grand prize in some sweepstake, or spoofing the identity of a friend so that the user replies to the short message; as soon as the user replies, a certain service has been subscribed to. Some service providers advertise a certain service as free for a trial period of several days; after the user has tried the service for a period of time and does not cancel, or forgets to cancel, the free trial, the system continues to deduct the fee from the user's account automatically, and the user does not know it at the time.
The user transmits the subscription information for a short-message service or other value-added telecommunications service to the service provider through the telecom operator; the service provider passes the tariff to the telecom operator, and the telecom operator charges the user on the service provider's behalf. Sometimes a service provider obtains improper benefits by means such as cheating the user, and sometimes the user denies having subscribed to a service, which causes trouble for both the telecom operator and the service provider. Telecom operators currently use many methods to overcome the above problems, but without a non-repudiation mechanism the operator finds it difficult to judge whether a service subscription expresses the true wish of the user or is a deception by the service provider. Nor can the operator confirm whether a deduction was authorized by the user, which causes the user economic loss and damages the telecom operator's reputation.
Non-repudiation mechanisms have been applied in mobile electronic commerce (e-commerce) and e-mail, making network services safer.
At present the above problems can be partly addressed by unifying service providers' access codes. With the development of telecommunications services and of the market structure, the number of service providers is increasing very rapidly, and one service provider may provide multiple services for several telecom operators. In China a service provider's short message (SMS) access code is assigned by the telecom operator, so the same service provider may have different access codes at different telecom operators. This makes it very inconvenient for users to remember the access codes, and it is also very inconvenient to supervise and monitor the service providers; for example, a service provider that has been banned by one telecom operator for cheating users can still carry out fraudulent activity through other telecom operators. The Ministry of Information Industry stipulates that a service provider must unify its access code across the different telecom operators; the unification of access codes will be implemented on October 31st, 2007, and this will to a certain extent curb service providers' cheating of users. However, this approach does not change the means of charging and payment, and the telecom operator still cannot confirm whether a charge for a service obtained by the user is proper.
Another partial solution to the above problems is the unified management platform of the telecom operator. In the past, telecom operators merely provided network access to service providers, and user data, charging and payment information were all managed by each service provider separately. In August 2004 China Mobile set up a management platform named Mobile Information Service Center, and other telecom operators subsequently set up similar platforms, which uniformly authenticate and manage service providers, charge users on behalf of service providers, track service information, user registration and payment information, and can even monitor service content. This effectively supervises the whole process of a user subscribing to a service and prevents service providers from cheating users. However, the monitoring method of such a unified platform cannot fully overcome the above problems, because the user need only reply with a simple short message (SMS), sometimes even an empty one, to subscribe to a service, so the telecom operator still cannot determine whether the service is one the user wishes to obtain.
An identity-based cryptosystem (ID-based cryptosystem) is a public-key cryptosystem that uses no public-key certificates: a user's public key can be derived from the user's publicly known identity information. This kind of public-key cryptosystem is mainly used in e-mail systems. In a traditional certificate-based public-key infrastructure (PKI) the workload of certificate management is heavy, and PKI requires all users to register in advance, which hinders applying that approach to the problems encountered by the telecommunications users described above. An identity-based cryptosystem eliminates the key-management shortcomings of a PKI cryptosystem and makes user authorization management lighter and safer. For example, when Alice sends an e-mail to Bob at the address bobcompany.com, an identity-based encryption system uses bobcompany.com as the public key and does not need to obtain Bob's public-key certificate. The cryptosystem can also incorporate other information related to the user's identity; for example, time information can restrict, according to Bob's identity and the time information, when Bob is able to decrypt the message. Thus an identity-based cryptosystem reduces the key-management overhead of a conventional PKI system and strengthens the means of management.
Summary of the invention
In order to overcome the above problems, an object of the present invention is to provide a mobile communication terminal for subscribing to a telecommunications service that can produce a user signature, so as to guarantee that the service-subscription information is sent with the user's authorization.
The present invention also provides a service provider terminal for receiving the above service-subscription information and verifying whether the user signature is valid, so as to guarantee the legitimacy of the user's subscription.
The present invention also provides a system for subscribing to a telecommunications service that achieves security of the service subscription.
The present invention also provides a method of subscribing to a telecommunications service that prevents the service provider from cheating the user and the telecom operator. Because the numbers of the user's mobile communication terminal and of the service provider terminal are unique, the present invention exploits this characteristic by using an identity-based public-key cryptographic mechanism, which greatly improves the security of subscription management in existing mobile communication networks.
A method of subscribing to a telecommunications service comprises the following steps:
Step 1: at the mobile communication terminal, the user's private key is used to sign particular data, which is then sent to the service provider;
Step 2: the service provider uses the user's public key to verify whether the user signature on the particular data is valid, wherein the user's public key is generated at least from the user's telephone number; if valid, proceed to step 3, otherwise proceed to step 4;
Step 3: the particular data is stored, the service is provided to the user, and the particular data is forwarded to the billing terminal, which charges the user on the service provider's behalf;
Step 4: an error message is returned to the mobile communication terminal.
The particular data comprises a service-subscription short message, service-subscription WAP data, or service-subscription information transmitted over the Internet. The user's private key is produced by a joint operation on the master key of the key authentication center, the key algorithm parameters and the user's public key. The service provider derives the user's public key from the user identity information in the received short message, so it need not fetch the user's public key from the KAC every time it verifies a user signature; this derivation can use an existing algorithm of an identity-based public-key cryptosystem. Alternatively, the user's public key is appended to the service-subscription short message so that the service provider obtains it there.
According to a further aspect of the method of the invention, step 3 further comprises: step 5, the billing terminal uses the user's public key to verify whether the user signature on the service-subscription information is valid; if valid, proceed to step 6, otherwise proceed to step 7; step 6, the user is charged on the service provider's behalf; step 7, an error message is returned to the service provider.
According to another aspect of the method of the invention, in step 6 the billing terminal sends a notification to the user informing the user that the billing terminal is about to perform the charging operation.
According to yet another aspect of the method of the invention, in step 1, after signing with the user's private key, the service-subscription information is also encrypted with the service provider's public key; in step 2, the service provider uses its own private key to decrypt the service-subscription information and then verifies the signature. The service provider's public key is generated at least from the service provider's access code (and may also include parameters such as time); the service provider's private key is produced by a joint operation on the master key of the key authentication center, the key algorithm parameters and the service provider's public key.
According to another aspect of the method of the invention, the user's public key and private key are updated at the user's request or periodically, and the service provider's public key and private key are updated at the service provider's request or periodically; the user may obtain the service provider's updated public key from the data published by the key authentication center, or may generate the service provider's public key on the mobile communication terminal from the service provider's access code (and possibly other parameters such as time) and the algorithm.
A mobile communication terminal for subscribing to a telecommunications service comprises a memory unit, a communication unit and a processing unit. The memory unit is connected to the processing unit and stores the user's public-key and private-key data; the communication unit is connected to the processing unit and serves as the interface through which the mobile communication terminal communicates with devices in the external network. The terminal further comprises a signature module, connected to the processing unit, which uses the user private key stored in the memory unit to sign the particular data sent by the mobile communication terminal; the user's public key is generated at least from the user's telephone number.
The particular data comprises a service-subscription short message, service-subscription WAP data, or service-subscription information transmitted over the Internet.
According to a further aspect of the mobile communication terminal of the invention, it also comprises an encryption module, connected to the processing unit, which uses the service provider's public key to encrypt the particular data sent by the user. This protects the user's privacy: the user's service-subscription information cannot be read by other SPs or individuals.
According to yet another aspect of the mobile communication terminal of the invention, it also comprises an update module, connected to the processing unit, which updates the user public-key and private-key data in the memory unit according to the data of the key authentication center concerning this user's public key and private key.
A service provider terminal comprises a communication unit, a memory unit and a processing unit. The communication unit is connected to the processing unit and serves as the interface through which the service provider terminal communicates with devices in the external network; the memory unit is connected to the processing unit and stores the service provider's public-key and private-key data. The terminal further comprises a verification module, connected to the processing unit, which uses the user's public key to verify the particular data bearing the user signature that is received through the communication unit; the user's public key is generated at least from the user's telephone number.
The particular data comprises a service-subscription short message or service-subscription WAP data.
According to a further aspect of the service provider terminal of the invention, it also comprises a decryption module, connected to the processing unit, which uses the private key of the service provider terminal to decrypt the particular data.
According to yet another aspect of the service provider terminal of the invention, it also comprises an update module, connected to the processing unit, which updates the service provider's public-key and private-key data in the memory unit according to the data of the key authentication center concerning this service provider's public key and private key.
A system for subscribing to a telecommunications service comprises:
a key authentication center, which generates a public key for the user of a mobile communication terminal at least from the user's identity information, the identity information comprising the user's telephone number (and possibly parameters such as time), generates the user's private key by a joint operation on the master key of the key authentication center, the key algorithm parameters and the user's public key, and distributes the private key to the corresponding mobile communication terminal;
the mobile communication terminal, which comprises a memory unit, a communication unit and a processing unit; the memory unit of the mobile communication terminal is connected to its processing unit and stores the user's public-key and private-key data; the communication unit of the mobile communication terminal is connected to its processing unit and is connected over the network to the communication unit of the service provider terminal; the mobile communication terminal further comprises a signature module, connected to its processing unit, which uses the user private key stored in the memory unit of the mobile communication terminal to sign the particular data about to be sent;
the service provider terminal, which comprises a communication unit, a memory unit and a processing unit; the communication unit of the service provider terminal is connected to its processing unit and is connected over the network to the communication unit of the mobile communication terminal; the memory unit of the service provider terminal is connected to its processing unit and stores the service provider's public-key and private-key data; the service provider terminal further comprises a verification module, connected to its processing unit, which uses the user's public key to verify the signed particular data;
a billing terminal, which receives the particular data forwarded by the service provider terminal and charges the user on the service provider's behalf. The particular data comprises a service-subscription short message, service-subscription WAP data, or service-subscription information transmitted over the Internet.
According to a further aspect of the system of the invention, the billing terminal comprises a verification module that uses the user's public key to verify the signed particular data.
According to yet another aspect of the system of the invention, the key authentication center also generates a public key and a private key for the service provider terminal at least from its identity information, the identity information comprising the service provider's access code (and possibly parameters such as time), and distributes the private key to the corresponding service provider terminal; the mobile communication terminal further comprises an encryption module, connected to its processing unit, which uses the public key of the service provider terminal to encrypt the signed particular data; the service provider terminal further comprises a decryption module, connected to its processing unit, which uses the private key of the service provider terminal to decrypt that particular data.
According to a further aspect of the system for subscribing to a telecommunications service of the invention, the mobile communication terminal also comprises an update module, connected to its processing unit, which updates the user public-key and private-key data in its memory unit according to the data of the key authentication center concerning this user's public key and private key; the service provider terminal also comprises an update module, connected to its processing unit, which updates the service provider's public-key and private-key data in its memory unit according to the data of the key authentication center concerning this service provider's public key and private key.
The beneficial effects of the present invention are that it prevents the deceptions that arise during service subscription in existing mobile communication systems: it prevents an untrustworthy service provider from forging a user's service-subscription information and having the telecom operator charge the user on its behalf; it prevents a user of insufficient credit rating from subscribing to services of the service provider and causing the service provider a loss; and it prevents a user from repudiating a subscription after subscribing to a service. The present invention thus strengthens the security of service subscription in mobile communications and contributes to the orderly development of the market.
Description of drawings
Fig. 1 is a flow chart of the process by which a service provider of the present invention obtains a private key from the KAC;
Fig. 2 is a signal flow diagram of the present invention in the service-subscription and charging stages;
Fig. 3 is a flow chart of the present invention;
Fig. 4 is a structural diagram of the mobile communication terminal of the present invention;
Fig. 5 is a structural diagram of the service provider terminal of the present invention;
Fig. 6 is a structural diagram of the system for subscribing to a short-message service of the present invention.
Embodiment
The present invention is described in detail below with reference to the accompanying drawings.
To solve the problems described in the background, the present invention, in a mobile communication network, uses the user's telephone number as the user's unique identifier and the service provider's access code as the service provider's unique identifier, and performs signing, authentication and similar operations on the basis of an identity-based cryptosystem.
In the present invention a key authentication center (KAC) is responsible for key management. The KAC generates the system parameters and the master key; the system parameters are public, while the master key is the KAC's secret. Using the master key, the system parameters and the identity of the user (telephone number) or of the SP (access code and similar parameters), the KAC generates the private key of each user and each SP, thereby guaranteeing the reliability of these private keys. In the cryptosystem of the present invention the user's public key is the user's telephone number and the service provider's (SP's) public key is the service provider's access code; the public key of a user or SP may also include information such as a time and a role. For example, the user's public key includes time information that specifies the period during which the user may use the public key, and the SP's public key includes time information that specifies the period during which the SP may provide services to users as a trusted service provider. Each user's private key is generated by a joint operation on the KAC's system parameters, the master key and the user's public key, and the SP's private key is generated by a joint operation on the KAC's system parameters, the master key and the SP's public key. When the user sends a short message to an SP to subscribe to a service, the user signs the service-subscription short message with the user's own private key. Because the short message carries the user's own signature, the user cannot repudiate it. The service-subscription short message is further encrypted with the SP's public key in order to protect the privacy of the user's subscription during transmission: only the SP holding the private key corresponding to that public key can decrypt the short message. After receiving the service-subscription short message, the SP decrypts it with its own private key and then verifies the sender's signature with the sender's public key (the sender's telephone number, possibly together with parameters such as time and role).
As a further embodiment, the service subscription may be a short message, or service-subscription information sent by WAP or over the Internet.
As a further embodiment, the public keys and private keys of the user and the SP are updated on demand or periodically. If the user's public key is updated, the user's private key is updated accordingly. In general the telephone number in the public key does not change; only the other parameters of the public key change, for example the validity period or the role. Although the telephone number is unchanged, the public key as a whole changes when these parameters change, and because the private key distributed by the KAC is generated from the master key, the system parameters and the user's public key, the public key and its corresponding private key change together at every update. The SP's public and private key pair is renewed in the same way as the user's. The update may be performed online or offline: for example, the user may update over the air (OTA), that is, the private key is transmitted over the radio interface of the user's mobile phone in the mobile network and stored in the mobile phone; the SP's public key and private key may likewise be updated by OTA or over the Internet. The KAC may publish the public keys of users and SPs in order to update them; after a user signs with a new private key, the SP obtains the user's updated public key from the KAC in order to verify the signature. Alternatively, when the user sends the subscription short message, the user's public key is added to the short message automatically so that the SP can use it when verifying the signature. Alternatively, the SP derives the user's public key from the user's ID, optionally together with the time parameter, the role parameter and so on.
When a user subscribes to a service, not every short message sent is signed; only the service-subscription short message sent by the user is signed. If the SP verifies the user signature without any problem, it confirms that the user is a legitimate user and that the user cannot be cheating, for example with respect to credit limit. The subscription short message bearing the user signature is then forwarded to the billing terminal (normally the billing terminal of the telecom operator), which verifies once more whether the user signature is valid; only when the user signature is valid is the user charged for the subscription on the service provider's behalf. In this way the reply trap and the forgery by the SP of a user's service-subscription short message can be avoided.
As a further embodiment, when the user subscribes to a service over the Internet, the mobile phone is generally first connected to a computer, and the user browses the Internet on that computer. When the user clicks the button for subscribing to a certain service on a web page and the user's signature is required, the subscription information is passed to the mobile phone and signed with the user's private key. The signature operation is performed only with the user's permission. After signing is complete, the signed service-subscription information is returned to the computer and sent to the service provider terminal over the Internet. Ideally the execution flow of the signature algorithm should be protected; many such protection methods exist in the prior art.
In an identity-based cryptosystem, key updating can be achieved by specifying a key-usage period (for example a quarter). For example, the service provider's public key may be "SP1, first quarter", where SP1 is the access code and the first quarter is the time parameter. The credit rating of the SP may differ from one quarter to another, that is, the services the SP may provide to users are restricted quarter by quarter. After the user signs the subscription short message with the user's own private key, the message is encrypted with the public key of SP1 and sent to service provider SP1. SP1 can decrypt with its private key only during the first quarter; once that period has elapsed, the time parameter in SP1's public key is updated and SP1 must obtain a new private key from the KAC. By controlling the validity period of the public and private key pairs, the KAC can therefore effectively control the period during which a service provider may provide services to users. The KAC can likewise ensure that only a legitimate user holding a valid private key can subscribe to a service, so that users' subscription behaviour can be managed and subscriptions exceeding the permitted amount cannot occur.
Fig. 1 is a flow chart of the process by which a service provider of the present invention obtains a private key from the KAC.
Step S101: within a validity period, for example a quarter, the service provider SP submits its access code (possibly together with other information, for example role information: which kind of value-added telecommunications service it provides) to the KAC.
Step S102: the KAC verifies whether the SP is approved by the telecom operator. If so, proceed to step S103; otherwise proceed to step S104.
Step S103: the private key of the SP is generated, stored, and distributed to the corresponding SP. When the SP obtains the private key it may also obtain the algorithms (encryption and decryption algorithm, signature and signature-verification algorithm) and the algorithm parameters.
Step S104: an error message is returned to the SP.
Step S105: on receiving the SP private key, the SP verifies its validity; if the private key is valid, proceed to step S106, otherwise proceed to step S107.
Step S106: the private key is stored.
Step S107: the private key is discarded.
When the user wishes to subscribe to a service, the user obtains the private key, the algorithms and the system parameters from the KAC. The private key and algorithms may be stored in the subscriber identity module (SIM) card and used when signing. In the illustrated embodiment the SIM card is preferably replaced by an STK card, which has more storage space and can therefore hold the private key and more complex algorithms.
Fig. 2 shows a signal flow diagram of the present invention in the service-subscription and charging stages. The service-subscription short message 1, signed with the user's private key, is sent through the telecom operator's network to the service provider (SP1). SP1 verifies the signature with the public key of user A; if the signature is confirmed to be valid, the service is provided to the user and the service information is transmitted via the telecom operator. SP1 forwards the user's subscription short message 1 to the telecom operator, which verifies the signature on short message 1 again (this step is optional); if the signature is valid, user A's account is charged on the service provider's behalf, otherwise the telecom operator returns an error indication to SP1. In a preferred embodiment, when the user side sends the service-subscription short message 1, the signed short message 1 is further encrypted with the service provider's public key; the public key may include parameters such as time (entered by the user), for example a validity period of one quarter for the public key of SP1.
Fig. 3 is a flow chart of the present invention.
Step S201: when user A subscribes to a certain service, user A enters the service-subscription short message on his mobile phone and signs it with his private key. The subscription information includes the public-key information of user A, the content of the subscribed service, the period for which user A subscribes to the service, and so on. The signing process is transparent to the user, and the user decides whether to sign the service-subscription short message, so that SP1 is prevented from forging a user subscription short message in order to charge the user. The service-subscription short message is sent to SP1 through the telecom operator's network.
Step S202, SP1 utilize the PKI of user A that the signature of short message is verified.Whether the signature of verifying this short message is effective.If signature effectively then enters step S203,, then enter step S204 if it is invalid to sign
Step S203, SP1 store subscription information and provide respective service to this user, and SP1 to telecom operators provide user A the information of booking service for billing terminal so that carry out generation charging.Have only legal users to obtain private key, so just guaranteed the uniqueness of private key from KAC, obtain user's signature as SP1 after, confirmed to subscribe a certain service with regard to representative of consumer.
Step S204 returns miscue information to the user.
Step S205, telecom operators whether check the signature of user A for billing terminal effective.If signature is effectively, then enters step S206, otherwise enter step S207.
Step S206, telecom operators for billing terminal then to this user for charging.For the safety of managing, A can point out the user once more in telecom operators, reminds the information of user A booking service.
Step S207, this billing error of notice SP1.
Wherein step S205 telecom operation row verifies it is omissible to user's signature, and directly by behind the SP1 checking user's signature, the booking service short message transmitting that will have this user's signature is given telecom operators, and notice operator is for charging.Can alleviate the work load of telecom operators like this.In order to improve the fail safe of booking service, prevent the deception of SP, can carry out signature verification to this reservation short message once more at the telecom operators place.
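The flow of steps S201 to S207 above, with both verifiers and the forgery described in the background section, as an added example that is not code from the patent. The patent does not fix the KAC's signature algorithm; Shamir's 1984 identity-based RSA signature scheme is used here as a stand-in because it matches the text (the phone number or SP access code is the public key, and the KAC derives each private key from a master secret). The phone numbers, service names, message field layout, the replay set and the toy modulus are assumptions of this example; the encryption of the short message under the SP's public key is not modelled.

```python
"""Subscription signing and billing flow of steps S201-S207 (Figure 3).

Added example, not code from the patent, which does not fix the KAC's algorithm. Shamir's 1984
identity-based RSA signature is used as a stand-in because it matches the text: the phone number
(or SP access code) is the public key and the KAC derives each private key from a master secret.
The modulus is toy-sized (two Mersenne primes); use a vetted library for anything real.
"""
import hashlib
import json
import secrets

def identity_to_int(identity, n):
    """The public key IS the identity (phone number / access code), hashed into Z_n."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % n

class KeyAuthenticationCenter:
    """KAC of Figure 6: publishes (n, e), keeps the master secret d, extracts private keys."""
    def __init__(self, p=(1 << 127) - 1, q=(1 << 89) - 1):  # Mersenne primes M127, M89 (toy size)
        self.n, self.e = p * q, 65537
        self._d = pow(self.e, -1, (p - 1) * (q - 1))  # master secret, never leaves the KAC

    def issue_private_key(self, identity):
        """Extract: g = H(ID)^d mod n, so that g^e == H(ID) (mod n)."""
        return pow(identity_to_int(identity, self.n), self._d, self.n)

def _challenge(t, message, n):
    t_bytes = t.to_bytes((n.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(t_bytes + message).digest(), "big")

def sign(params, priv, message):
    """Handset: t = r^e, s = g * r^H(t||m) (mod n); the signature is (t, s)."""
    n, e = params
    r = 2 + secrets.randbelow(n - 3)
    t = pow(r, e, n)
    return t, priv * pow(r, _challenge(t, message, n), n) % n

def verify(params, identity, message, sig):
    """Verifier: s^e == H(ID) * t^H(t||m) (mod n); only the identity string is needed."""
    n, e = params
    t, s = sig
    if not (0 < t < n and 0 < s < n):
        return False
    return pow(s, e, n) == identity_to_int(identity, n) * pow(t, _challenge(t, message, n), n) % n

def encode_subscription(phone, service, days, issued):
    """Canonical encoding of the step S201 fields (user key info, service, duration)."""
    fields = {"user": phone, "service": service, "days": days, "issued": issued}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def user_subscribe(params, phone, priv, service, days, issued):
    """Step S201: the handset signs the subscription short message with the SIM/STK-held key."""
    body = encode_subscription(phone, service, days, issued)
    return {"phone": phone, "body": body, "sig": sign(params, priv, body)}

def sp_handle(params, sms):
    """Steps S202-S204 at SP1: verify using the user's phone number as the public key."""
    if not verify(params, sms["phone"], sms["body"], sms["sig"]):
        return "error_prompt"  # S204
    return "forwarded_to_operator"  # S203: store, provision, forward the signed SMS

def operator_bill(params, sms, seen):
    """Steps S205-S207: the billing terminal re-verifies and refuses a replayed message."""
    if not verify(params, sms["phone"], sms["body"], sms["sig"]):
        return "billing_error"  # S207: notify SP1
    if sms["sig"] in seen:
        return "duplicate"  # same signed SMS submitted twice: charge once only
    seen.add(sms["sig"])
    return "charged"  # S206

def demo():
    """Honest flow, a resubmission, and the forgery from the background section."""
    kac = KeyAuthenticationCenter()
    params = (kac.n, kac.e)
    phone = "13800001234"  # constructed sample number; it is user A's public key
    user_priv = kac.issue_private_key(phone)
    sms = user_subscribe(params, phone, user_priv, "weather", 90, "2024-01-01T08:00:00Z")
    seen = set()
    results = {"sp": sp_handle(params, sms), "operator": operator_bill(params, sms, seen),
               "resubmit": operator_bill(params, sms, seen)}
    # SP1 fabricates a subscription for the same number, reusing user A's genuine signature
    forged = dict(sms, body=encode_subscription(phone, "horoscope", 365, "2024-01-01T08:00:00Z"))
    results["forged"] = operator_bill(params, forged, seen)
    # SP1 submits a subscription for a number it never received a signature from
    fake_sig = (2 + secrets.randbelow(params[0] - 3), 2 + secrets.randbelow(params[0] - 3))
    results["unsigned"] = sp_handle(params, {"phone": "13800005678", "body": b"{}", "sig": fake_sig})
    return results

if __name__ == "__main__":
    print(demo())
```

The SP's own key is issued the same way, with its access code as the identity, which is what lets the KAC avoid certificates. Two points worth keeping in mind: the signature covers the service and duration fields, so a genuine signature replayed over altered fields fails at the operator even when SP1 has accepted it, while an unaltered resubmission passes verification and is only caught by the replay set; and because the KAC derives every private key from its master secret, the non-repudiation described here holds against the SP and the operator but not against the KAC itself.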
Figure 4 is a schematic structural diagram of the mobile communication terminal of the present invention. The mobile communication terminal comprises a memory unit, a communication unit and a processing unit; the memory unit is connected to the processing unit, and the communication unit is connected to the processing unit. The communication unit is the interface through which the mobile communication terminal communicates with devices in the external network. The terminal also comprises a signature module, connected to the processing unit, which signs the short messages sent by the mobile communication terminal with the private key stored in the memory unit.
The terminal also comprises an encryption module, connected to the processing unit, which encrypts the short message sent by the user with the public key carrying the service provider's information.
The terminal also comprises an update module, connected to the processing unit, which updates the configuration information in the memory unit according to configuration information from the key authentication center.
Figure 5 is a schematic structural diagram of the service provider terminal of the present invention. The service provider terminal comprises a communication unit, a memory unit and a processing unit; the communication unit is connected to the processing unit, and the memory unit is connected to the processing unit. The communication unit is the interface through which the service provider terminal communicates with devices in the external network. The terminal also comprises a verification module, connected to the processing unit, which uses the user public key carrying the user identity information to verify the subscription short message, bearing the user's signature, that is received through the communication unit.
The terminal also comprises a decryption module, connected to the processing unit, which uses the private key of the service provider terminal to decrypt the subscription service information, encrypted with the public key of this service provider terminal, that is received by the communication unit.
The terminal also comprises an update module, connected to the processing unit, which updates the configuration information in the memory unit according to configuration information from the key authentication center.
Figure 6 is a schematic diagram of the system configuration of the present invention. The mobile communication terminal in the figure is the mobile communication terminal of Figure 4, and the service provider terminal is the service provider terminal of Figure 5. The user's mobile communication terminal and the SP terminal are linked through the telecom operator's network, which comprises the telecom operator's billing terminal; the billing terminal receives the subscription short message of the mobile communication terminal forwarded by the service provider terminal and charges the corresponding user of that mobile communication terminal. The system also comprises:
a key authentication center, which generates a public key and a private key for each mobile communication terminal according to the corresponding user identity information and distributes the private key to the corresponding mobile communication terminal;
the mobile communication terminal, comprising a memory unit, a communication unit and a processing unit, the memory unit being connected to the processing unit and the communication unit being connected to the processing unit; it further comprises a signature module, connected to the processing unit of the mobile communication terminal, which signs the short messages sent by the mobile communication terminal with the private key stored in the memory unit of the mobile communication terminal;
the service provider terminal, comprising a communication unit, a memory unit and a processing unit, the communication unit being connected to the processing unit and the memory unit being connected to the processing unit, and a verification module connected to the processing unit of the service provider terminal; the communication unit of the service provider terminal receives the short message sent by the mobile communication terminal, and the verification module verifies that short message with the public key carrying the user identity information.
The telecom operator's billing terminal comprises a verification module, which verifies the short message with the public key carrying the user identity information.
The key authentication center also generates a public key and a private key for each service provider terminal according to its identity information and distributes the private key to the corresponding service provider terminal.
The mobile communication terminal also comprises an encryption module, connected to the processing unit of the mobile communication terminal, which encrypts the short message sent by the user with the public key carrying the service provider's identity information.
The service provider terminal also comprises a decryption module, connected to the processing unit of the service provider terminal, which decrypts that short message with the private key of the service provider terminal.
The mobile communication terminal also comprises an update module, connected to the processing unit of the mobile communication terminal, which updates the configuration information in the memory unit of the mobile communication terminal according to configuration information from the key authentication center.
The service provider terminal also comprises an update module, connected to the processing unit of the service provider terminal, which updates the configuration information in the memory unit of the service provider terminal according to configuration information from the key authentication center.
The beneficial effects of the present invention are as follows. The user's telephone number and the SP's access code are both unique, so a signature mechanism can protect the user's interests and form a non-repudiable service subscription model, which improves the security of mobile services. The user uses the telephone number as the user's public key and the SP uses the access code as the SP's public key, so the KAC need not manage a large number of digital certificates with no practical significance, which saves storage space at the KAC. The security of transactions in the mobile communication system is thereby improved, and the efficiency of the cryptographic system is improved at the same time.
The above embodiments serve only to illustrate the present invention and not to limit it.