CN103747437B - The method and device of safe processing of over-the-air download service - Google Patents
Publication number: CN103747437B
Authority: CN (China)
Prior art keywords: configured information, usim, ota messages, ota, mac
Legal status: Active
Abstract
The present invention provides a method and device for secure processing of an over-the-air (OTA) download service. The method includes: a Universal Subscriber Identity Module (USIM) receives an OTA message sent by a management server; the USIM reads the indication information carried on the indicator bits of the OTA message; the USIM determines whether the indication information read is the first indication information; if the indication information is the first indication information, the USIM performs message authentication code (MAC) verification on the data contained in the OTA message, and if the MAC verification passes, the USIM sends a receipt confirmation (POR) message to the management server, while if the MAC verification fails, the USIM terminates processing of the OTA message; if the indication information is not the first indication information, the USIM terminates processing of the OTA message. The present invention can effectively improve the security of the USIM.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a method and device for secure processing of an over-the-air (hereinafter OTA) download service.
Background technology
The OTA download service is one of the basic value-added services of telecom smart cards, of which the Universal Subscriber Identity Module (hereinafter USIM) is representative. It gives users and operators a way to manage the contents of the USIM card over the mobile network.
Current OTA services rely mainly on message authentication code (hereinafter MAC) verification and a receipt confirmation (POR) mechanism to ensure data security. After the USIM receives an OTA message from the management server, it performs MAC verification on the data contained in the OTA message using the agreed algorithm. Whether or not the MAC verification passes, the USIM sends a POR message to the management server, and the POR message it sends also contains the MAC that the USIM computed itself.
The above security mechanism is easily exploited by an attacker. If an attacker sends a data message to the USIM, the MAC verification will certainly fail after the USIM receives it, yet the USIM still returns a POR message to the attacker, and that POR message contains the MAC the USIM computed using the algorithm agreed with the management server. After repeatedly obtaining POR messages in this way, the attacker holds several MACs, from which the verification algorithm agreed between the USIM and the management server may be derived; the attacker could then implant malicious applications into the USIM, seriously compromising its security.
Content of the invention
The present invention provides a method and device for secure processing of an OTA download service.
The present invention provides a method for secure processing of an OTA download service, including:
a Universal Subscriber Identity Module (USIM) receives an OTA message sent by a management server;
the USIM reads the indication information carried on the indicator bits of the OTA message;
the USIM determines whether the indication information read is the first indication information;
if the indication information is the first indication information, the USIM performs message authentication code (MAC) verification on the data contained in the OTA message; if the MAC verification passes, the USIM sends a receipt confirmation (POR) message to the management server; if the MAC verification fails, the USIM terminates processing of the OTA message;
if the indication information is not the first indication information, the USIM terminates processing of the OTA message.
The present invention provides another method for secure processing of an OTA download service, including:
a management server generates an OTA message and carries indication information on the indicator bits of the OTA message;
the management server sends the OTA message to a USIM, so that the USIM reads the indication information from the indicator bits of the OTA message and determines whether the indication information read is the first indication information; if the indication information is the first indication information, the USIM performs message authentication code (MAC) verification on the data contained in the OTA message, sends a receipt confirmation (POR) message to the management server if the MAC verification passes, and terminates processing of the OTA message if the MAC verification fails; if the indication information is not the first indication information, the USIM terminates processing of the OTA message.
The present invention provides a USIM, including:
a receiving module, for receiving an OTA message sent by a management server;
an acquisition module, for reading the indication information carried on the indicator bits of the OTA message;
a determining module, for determining whether the indication information read is the first indication information;
a secure processing module, for performing message authentication code (MAC) verification on the data contained in the OTA message if the indication information is the first indication information, sending a receipt confirmation (POR) message to the management server if the MAC verification passes, and terminating processing of the OTA message if the MAC verification fails; and for terminating processing of the OTA message if the indication information is not the first indication information.
The present invention provides a management server, including:
a generation module, for generating an OTA message and carrying indication information on the indicator bits of the OTA message;
a sending module, for sending the OTA message to a USIM, so that the USIM reads the indication information from the indicator bits of the OTA message and determines whether the indication information read is the first indication information; if the indication information is the first indication information, the USIM performs message authentication code (MAC) verification on the data contained in the OTA message, sends a receipt confirmation (POR) message to the management server if the MAC verification passes, and terminates processing of the OTA message if the MAC verification fails; if the indication information is not the first indication information, the USIM terminates processing of the OTA message.
In the present invention, after receiving the OTA message sent by the management server, the USIM can read the indication information carried on the indicator bits of the OTA message. If it determines that the indication information read is the first indication information, it can determine that the OTA message may be processed; if not, the USIM terminates processing of the OTA message. Further, if it determines that the indication information read is the first indication information, the USIM can perform MAC verification on the data contained in the OTA message, and if the MAC verification fails, the USIM likewise terminates processing of the OTA message without feeding back a POR message. The present embodiment therefore uses a two-layer decision mechanism: whether the indication information read is not the first indication information or the MAC verification fails, processing of the OTA message is terminated, which ensures the security of the USIM as far as possible. Moreover, when the MAC verification fails, the USIM no longer feeds back a POR message carrying its self-generated MAC as in the prior art, which prevents any illegal third party that may be present from obtaining the MAC generated by the USIM and, in turn, from obtaining the verification algorithm agreed in advance between the USIM and the management server, thereby improving the security of the USIM.
Description of the drawings
In order to illustrate the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of embodiment one of the method for secure processing of an OTA download service of the present invention;
Fig. 2 is a flow chart of embodiment two of the method for secure processing of an OTA download service of the present invention;
Fig. 3 is a schematic structural diagram of a USIM embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a management server embodiment of the present invention.
Specific embodiments
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 is a flow chart of embodiment one of the method for secure processing of an OTA download service of the present invention. As shown in Fig. 1, the method of this embodiment can include:
S101: the USIM receives an OTA message sent by the management server;
S102: the USIM reads the indication information carried on the indicator bits of the OTA message;
S103: the USIM determines whether the indication information read is the first indication information; if the indication information is the first indication information, S104 is executed, and if it is not, S106 is executed;
S104: the USIM performs MAC verification on the data contained in the OTA message; if the MAC verification passes, S105 is executed, and if it fails, S106 is executed;
S105: the USIM sends a POR message to the management server;
S106: the USIM terminates processing of the OTA message.
Specifically, in the prior art the management server and the USIM agree in advance on an identical verification algorithm. The management server uses that algorithm to perform verification processing on the data to be sent to the USIM and obtains a MAC, appends the MAC after the data, and sends the USIM an OTA message containing the data and the MAC corresponding to it. After the USIM receives the OTA message, it performs verification processing on the data in the OTA message with the same algorithm to obtain a MAC, and then compares the MAC it computed itself with the MAC appended after the data in the OTA message. If the two are identical, the MAC verification passes and the USIM returns a POR message indicating correct receipt to the management server; if they differ, the MAC verification fails and the USIM returns a POR message indicating erroneous receipt to the management server, and that erroneous-receipt POR message contains the MAC that the USIM generated by performing verification processing on the received data with the pre-agreed algorithm.
It follows that in the prior art the USIM sends a POR message whether the MAC verification passes or fails, and that, when the MAC verification fails, the POR message carries the MAC the USIM computed itself. It is precisely this technical deficiency that an attacker exploits to obtain the verification algorithm agreed between the USIM and the management server.
For this reason, in the present embodiment the management server can carry specific indication information in the OTA message it sends to the USIM. After receiving the OTA message from the management server, the USIM reads the indication information from the indicator bits of the OTA message. If the indication information read is the specific indication information, i.e. the first indication information, the USIM may proceed to further processing of the OTA message; otherwise the USIM can directly determine that the OTA message is an invalid message and terminate processing of it.
In a specific implementation, the present embodiment can make use of the Security Parameters Indication (hereinafter SPI) of the existing OTA message. The SPI is two bytes in total: the first byte is used to indicate configuration information concerning the MAC verification mode, encryption and the counter, and the second byte is used to indicate the PoR settings. Since the second byte contains reserved bits, the present embodiment specifically uses reserved bits of the second byte of the SPI as the indicator bits carrying the indication information, for example the first and second bits of the second byte of the SPI. Specifically, the first indication information carried on these indicator bits can be 11.
Further, after the USIM has determined that the indication information is the first indication information, it can perform MAC verification on the data contained in the OTA message. The specific MAC verification procedure is the same as in the prior art: the USIM performs verification processing on the data in the OTA message with the algorithm agreed in advance with the management server to obtain a MAC, and then compares the MAC it computed itself with the MAC appended after the data in the OTA message; if the two are identical, the MAC verification passes, and if they differ, the MAC verification fails.
When the MAC verification passes, the USIM can determine that the data in the OTA message was indeed sent by the management server and has not been altered, and it returns a POR message indicating correct receipt to the management server. When the MAC verification fails, the USIM can determine that the OTA message may not have been sent by the management server, or that the data in it may have been modified; in that case the USIM does not feed back a POR message carrying its self-generated MAC as in the prior art, but instead sends no POR message at all and terminates processing of the OTA message. Therefore, when the MAC verification fails, the possibility present in the prior art that the USIM leaks its self-generated MAC to a third party, such as an attacker, is avoided.
In summary, the present embodiment uses a two-layer decision mechanism: after receiving the OTA message, the USIM first checks whether the indication information read from the indicator bits is the first indication information, and then performs MAC verification on the data; if either check fails, processing of the OTA message is terminated without feeding back a POR message. This ensures the security of the USIM as far as possible and, because the USIM no longer feeds back a POR message carrying its self-generated MAC when the MAC verification fails, prevents an illegal third party from obtaining that MAC and from deriving the verification algorithm agreed in advance between the USIM and the management server, thereby improving the security of the USIM.
Fig. 2 is a flow chart of embodiment two of the method for secure processing of an OTA download service of the present invention. As shown in Fig. 2, the method of this embodiment can include:
S201: the management server generates an OTA message and carries indication information on the indicator bits of the OTA message;
S202: the management server sends the OTA message to the USIM, so that the USIM reads the indication information from the indicator bits of the OTA message and determines whether the indication information read is the first indication information; if the indication information is the first indication information, the USIM performs message authentication code (MAC) verification on the data contained in the OTA message, sends a receipt confirmation (POR) message to the management server if the MAC verification passes, and terminates processing of the OTA message if the MAC verification fails; if the indication information is not the first indication information, the USIM terminates processing of the OTA message.
In a specific implementation, the indicator bits can be the first and second bits of the second byte of the Security Parameters Indication (SPI) of the OTA message.
The present embodiment is the technical solution executed on the management server side corresponding to the technical solution executed by the USIM shown in Fig. 1; its implementation principle and technical effect are similar and are not repeated here.
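As an added example (not code from the patent), the following Python models the USIM-side two-layer check of embodiment one and the server-side message construction of embodiment two, with the background-art behaviour alongside for contrast. Assumptions not on the page: HMAC-SHA256 stands in for the pre-agreed verification algorithm, the message is laid out as the two SPI bytes followed by the data and a trailing MAC, and the "first and second bits" of the second SPI byte are taken as its two least significant bits.

```python
"""OTA message handling per the patent: indicator bits first, MAC second,
and no POR at all when the MAC fails (so the USIM's own MAC never leaves it).

Assumptions (not from the patent): HMAC-SHA256 as the agreed algorithm,
layout SPI(2 bytes) || data || MAC(32 bytes), indicator = two lowest bits
of the second SPI byte.
"""
import hashlib
import hmac
from typing import Optional

MAC_LEN = 32                  # HMAC-SHA256 digest length (assumed algorithm)
INDICATOR_MASK = 0b00000011   # assumed: the two lowest bits of SPI byte 2
FIRST_INDICATION = 0b11       # the patent's "first indication information" = 11

# Constructed sample key, standing in for the secret agreed in advance
# between the management server and the USIM.
SHARED_KEY = b"constructed-sample-key-not-a-real-one"


def compute_mac(data: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Stand-in for the pre-agreed MAC algorithm (assumption: HMAC-SHA256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def build_ota_message(data: bytes, spi_byte1: int = 0x00,
                      indicator: int = FIRST_INDICATION) -> bytes:
    """Management-server side (Fig. 2, S201): place the indicator on the
    reserved bits of the second SPI byte and append the MAC of the data.
    The remaining PoR-setting bits of byte 2 are left at zero here."""
    spi_byte2 = indicator & INDICATOR_MASK
    return bytes([spi_byte1 & 0xFF, spi_byte2]) + data + compute_mac(data)


def read_indicator(msg: bytes) -> int:
    """S102: read the indication information from the indicator bits."""
    return msg[1] & INDICATOR_MASK


def handle_ota_message(msg: bytes, key: bytes = SHARED_KEY) -> Optional[bytes]:
    """USIM side (Fig. 1). Returns the POR message to send back, or None
    when processing is terminated (S106) and nothing at all is sent."""
    if len(msg) < 2 + MAC_LEN:
        return None                                   # malformed: terminate
    if read_indicator(msg) != FIRST_INDICATION:       # S103 -> S106
        return None
    data, received_mac = msg[2:-MAC_LEN], msg[-MAC_LEN:]
    # S104: constant-time comparison of the self-computed and received MAC.
    if not hmac.compare_digest(compute_mac(data, key), received_mac):
        return None                                   # MAC failed: no POR
    return b"POR:OK"                                  # S105


def prior_art_handle(msg: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Background-art behaviour, for contrast: a POR is always returned and,
    on a failed verification, it carries the MAC the USIM computed itself."""
    data, received_mac = msg[2:-MAC_LEN], msg[-MAC_LEN:]
    own_mac = compute_mac(data, key)
    if hmac.compare_digest(own_mac, received_mac):
        return b"POR:OK"
    return b"POR:ERR:" + own_mac   # this is the leak the patent removes


if __name__ == "__main__":
    good = build_ota_message(b"constructed payload")
    tampered = good[:2] + b"X" + good[3:]     # one data byte altered in transit
    print("genuine message  ->", handle_ota_message(good))
    print("tampered message ->", handle_ota_message(tampered))
    print("prior art, tampered ->", prior_art_handle(tampered)[:8], "+ MAC")
```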
Fig. 3 is a schematic structural diagram of a USIM embodiment of the present invention. As shown in Fig. 3, the USIM of this embodiment can include a receiving module 11, an acquisition module 12, a determining module 13 and a secure processing module 14, wherein:
the receiving module 11 is for receiving an OTA message sent by a management server;
the acquisition module 12 is for reading the indication information carried on the indicator bits of the OTA message;
the determining module 13 is for determining whether the indication information read is the first indication information;
the secure processing module 14 is for performing message authentication code (MAC) verification on the data contained in the OTA message if the indication information is the first indication information, sending a receipt confirmation (POR) message to the management server if the MAC verification passes, and terminating processing of the OTA message if the MAC verification fails; and for terminating processing of the OTA message if the indication information is not the first indication information.
Further, the indicator bits used can be:
the first and second bits of the second byte of the Security Parameters Indication (SPI) of the OTA message.
Further, the first indication information can be 11.
The USIM of this embodiment can be used to execute the technical solution of the method embodiment shown in Fig. 1; its implementation principle and technical effect are similar and are not repeated here.
Fig. 4 is a schematic structural diagram of a management server embodiment of the present invention. As shown in Fig. 4, the management server of this embodiment can include a generation module 21 and a sending module 22, wherein:
the generation module 21 is for generating an OTA message and carrying indication information on the indicator bits of the OTA message;
the sending module 22 is for sending the OTA message to a USIM, so that the USIM reads the indication information from the indicator bits of the OTA message and determines whether the indication information read is the first indication information; if the indication information is the first indication information, the USIM performs message authentication code (MAC) verification on the data contained in the OTA message, sends a receipt confirmation (POR) message to the management server if the MAC verification passes, and terminates processing of the OTA message if the MAC verification fails; if the indication information is not the first indication information, the USIM terminates processing of the OTA message.
Further, the indicator bits used can be:
the first and second bits of the second byte of the Security Parameters Indication (SPI) of the OTA message.
The management server of this embodiment can be used to execute the technical solution of the method embodiment shown in Fig. 2; its implementation principle and technical effect are similar and are not repeated here.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments can be completed by program instructions directing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes any medium capable of storing program code, such as ROM, RAM, a magnetic disk or an optical disc.
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some or all of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.
Claims (10)
1. A method for secure processing of an over-the-air (OTA) download service, characterised by comprising:
a Universal Subscriber Identity Module (USIM) receiving an OTA message sent by a management server;
the USIM reading the indication information carried on indicator bits of the OTA message;
the USIM determining whether the indication information read is first indication information;
if the indication information is the first indication information, the USIM performing message authentication code (MAC) verification on the data contained in the OTA message; if the MAC verification passes, the USIM sending a receipt confirmation (POR) message to the management server; if the MAC verification fails, the USIM terminating processing of the OTA message;
if the indication information is not the first indication information, the USIM terminating processing of the OTA message.
2. The method according to claim 1, characterised in that the indicator bits are:
the first and second bits of the second byte of the Security Parameters Indication (SPI) of the OTA message.
3. The method according to claim 2, characterised in that the first indication information is 11.
4. A method for secure processing of an OTA download service, characterised by comprising:
a management server generating an OTA message and carrying indication information on indicator bits of the OTA message;
the management server sending the OTA message to a USIM, so that the USIM reads the indication information from the indicator bits of the OTA message and determines whether the indication information read is first indication information; if the indication information is the first indication information, performs message authentication code (MAC) verification on the data contained in the OTA message, sends a receipt confirmation (POR) message to the management server if the MAC verification passes, and terminates processing of the OTA message if the MAC verification fails; and if the indication information is not the first indication information, terminates processing of the OTA message.
5. The method according to claim 4, characterised in that the indicator bits are the first and second bits of the second byte of the Security Parameters Indication (SPI) of the OTA message.
6. A USIM, characterised by comprising:
a receiving module, for receiving an OTA message sent by a management server;
an acquisition module, for reading the indication information carried on indicator bits of the OTA message;
a determining module, for determining whether the indication information read is first indication information;
a secure processing module, for performing message authentication code (MAC) verification on the data contained in the OTA message if the indication information is the first indication information, sending a receipt confirmation (POR) message to the management server if the MAC verification passes, and terminating processing of the OTA message if the MAC verification fails; and for terminating processing of the OTA message if the indication information is not the first indication information.
7. The USIM according to claim 6, characterised in that the indicator bits are:
the first and second bits of the second byte of the Security Parameters Indication (SPI) of the OTA message.
8. The USIM according to claim 7, characterised in that the first indication information is 11.
9. A management server, characterised by comprising:
a generation module, for generating an OTA message and carrying indication information on indicator bits of the OTA message;
a sending module, for sending the OTA message to a USIM, so that the USIM reads the indication information from the indicator bits of the OTA message and determines whether the indication information read is first indication information; if the indication information is the first indication information, performs message authentication code (MAC) verification on the data contained in the OTA message, sends a receipt confirmation (POR) message to the management server if the MAC verification passes, and terminates processing of the OTA message if the MAC verification fails; and if the indication information is not the first indication information, terminates processing of the OTA message.
10. The server according to claim 9, characterised in that the indicator bits are:
the first and second bits of the second byte of the Security Parameters Indication (SPI) of the OTA message.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410040104.5A CN103747437B (en) | 2014-01-27 | 2014-01-27 | The method and device of safe processing of over-the-air download service |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103747437A CN103747437A (en) | 2014-04-23 |
CN103747437B true CN103747437B (en) | 2017-03-15 |
Family ID: 50504417
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103747437B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106332061B (en) * | 2015-06-23 | 2019-11-05 | 南京中兴软件有限责任公司 | Air interface guide setting processing method and terminal device |
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101222514A (en) * | 2008-01-31 | 2008-07-16 | 中兴通讯股份有限公司 | Apparatus and method for implementing OTA based on bearer independent protocol |
CN101267307A (en) * | 2008-02-29 | 2008-09-17 | 北京中电华大电子设计有限责任公司 | Method for realizing remote management of mobile phone digital certificate using OTA system |
Also Published As
Publication number | Publication date |
---|---|
CN103747437A (en) | 2014-04-23 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |