CN105827653A - Application security management method and system - Google Patents


Publication number
CN105827653A
Authority
CN
China
Prior art keywords
data
critical applications
critical
application
security
Legal status
Pending
Application number
CN201610352945.9A
Other languages
Chinese (zh)
Inventor
钟焰涛
傅文治
蒋罗
Current Assignee
Yulong Computer Telecommunication Scientific Shenzhen Co Ltd
Original Assignee
Yulong Computer Telecommunication Scientific Shenzhen Co Ltd
Application filed by Yulong Computer Telecommunication Scientific Shenzhen Co Ltd
Priority to CN201610352945.9A
Publication of CN105827653A
Priority to PCT/CN2016/097464 (WO2017201908A1)

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40: Network security protocols
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

The present invention provides an application security management method that is applied to a mobile terminal. The mobile terminal includes an eUICC device, and the eUICC device is provided with a security domain. The method includes the steps of downloading a key application, and storing the key data generated during registration of the key application in the security domain. The present invention further provides an application security management system. Because the key data of the key application is stored in the security domain of the eUICC, leakage of the key data caused by the coexistence of multiple eSIM cards is prevented, and the security of the key data is improved.

Description

Application security management method and system
[Technical Field]
The present invention relates to the field of communication technology, and in particular to an application security management method and system.
[Background]
With the rapid development of mobile communication networks, some subscriber identity modules (Subscriber Identity Module, SIM) are now integrated into the mobile terminal at the device production stage. Such a SIM is called an embedded SIM card, i.e. an eSIM card. Unlike current SIM cards, which support the service of only one network operator, an eSIM card stores the configuration files of multiple network operators and allows the mobile terminal to switch between the services of different network operators.
At present, the eSIM of the Global System for Mobile Communications Alliance (GSMA) is implemented mainly on the embedded Universal Integrated Circuit Card (eUICC). Normally, one eUICC chip can download and install tens of eSIM cards, but when multiple eSIM cards coexist, the critical data of the user's critical applications (for example, stored-value card, bank certificate, etc.) may be leaked.
[Summary of the Invention]
In view of the foregoing, it is necessary to provide an application security management method and system that can store the critical data of a critical application in a security domain of the eUICC, so that the critical data is not leaked when multiple eSIM cards coexist, thereby improving security.
An application security management method is applied in a mobile terminal. The mobile terminal includes an eUICC device in which a security domain is provided. The method includes:
Downloading a critical application; and
Storing, in the security domain, the critical data produced when the critical application is registered.
According to a preferred embodiment of the invention, the critical application includes an application associated with a bank card, and the critical data includes encryption and decryption keys, a signature key, and a password.
According to a preferred embodiment of the invention, after the critical data is stored in the security domain, the method further includes:
Reporting an occupancy notification for the security domain to the Subscription Manager Secure Routing (SM-SR).
According to a preferred embodiment of the invention, the method further includes:
Pre-storing data for authenticating the critical application.
According to a preferred embodiment of the invention, the method further includes:
Uninstalling the critical application, including:
Receiving authorization data input by the user;
When it is determined that the authorization data input by the user matches the pre-stored data for authenticating the critical application, releasing the occupancy of the security domain by the critical data;
Reporting a notification of the application uninstall for the security domain to the SM-SR; and
Completing the uninstall of the critical application.
According to a preferred embodiment of the invention, the data for authenticating the critical application includes the user's biometric data, behavioral feature data, or password data.
An application security management system is applied in a mobile terminal. The mobile terminal includes an eUICC device in which a security domain is provided. The system includes:
A download module, for downloading a critical application; and
A storage module, for storing, in the security domain, the critical data produced when the critical application is registered.
According to a preferred embodiment of the invention, the critical application includes an application associated with a bank card, and the critical data includes encryption and decryption keys, a signature key, and a password.
According to a preferred embodiment of the invention, the system further includes:
A reporting module, for reporting an occupancy notification for the security domain to the Subscription Manager Secure Routing (SM-SR).
According to a preferred embodiment of the invention, the storage module is further used for:
Pre-storing data for authenticating the critical application.
According to a preferred embodiment of the invention, the system further includes:
A receiving module, for receiving authorization data input by the user;
A judging module, for determining whether the authorization data input by the user matches the pre-stored data for authenticating the critical application;
A release module, for releasing the occupancy of the security domain by the critical data when the judging module determines that the authorization data input by the user matches the pre-stored data for authenticating the critical application;
The reporting module, further used for reporting a notification of the application uninstall for the security domain to the SM-SR; and
An uninstall module, for completing the uninstall of the critical application.
According to a preferred embodiment of the invention, the data for authenticating the critical application includes the user's biometric data, behavioral feature data, or password data.
As can be seen from the above technical solutions, the present invention can store the critical data of a critical application in a security domain of the eUICC, so that the critical data is not leaked when multiple eSIM cards coexist, thereby improving security.
[Brief Description of the Drawings]
Fig. 1 is a schematic diagram of the hardware architecture of a preferred embodiment of a mobile terminal that runs the application security management system of the present invention.
Fig. 2 is a flowchart of the application security management method of the first embodiment of the present invention.
Fig. 3 is an information flow diagram of the application security management method of the first embodiment of the present invention.
Fig. 4 is a flowchart of the application security management method of the second embodiment of the present invention.
Fig. 5 is a functional block diagram of the application security management system of the present invention.
[Description of Main Element Symbols]
[Detailed Description]
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described below with reference to the accompanying drawings and specific embodiments.
Fig. 1 is a schematic diagram of the hardware architecture of a preferred embodiment of a mobile terminal that runs the application security management system of the present invention. As shown in the diagram, the mobile terminal 1 includes, but is not limited to, an application security management system 10, a storage device 20, a processing device 30, a display device 40 and an embedded Universal Integrated Circuit Card (eUICC) device 50.
The mobile terminal 1 may be a terminal that automatically performs numerical computation and/or information processing according to preset or stored instructions. Its hardware includes, but is not limited to, microprocessors, application-specific integrated circuits, programmable gate arrays, digital processors, embedded devices and the like. The mobile terminal 1 may include user equipment. The user equipment includes, but is not limited to, any electronic product that can interact with a user through a keyboard, mouse, remote control, touch pad, voice-control device or similar means, for example a personal computer, tablet computer, smartphone, personal digital assistant (PDA), game console, Internet Protocol television (IPTV), smart wearable device and the like. The network in which the user equipment is located includes, but is not limited to, the Internet, a wide area network, a metropolitan area network, a local area network, a virtual private network (VPN) and the like.
The application security management system 10 stores the critical data of a critical application in a security domain of the eUICC when the user downloads the critical application. When the critical application is run and/or uninstalled, the critical data in the eUICC security domain must be read, and the related operation is performed only once user-defined authentication has been passed, which improves the security of the critical application. A critical application is an application that requires a high level of security protection and includes, but is not limited to, any application associated with a bank card, such as stored-value card, mobile banking and other payment software. The critical data of a critical application includes, but is not limited to, encryption and decryption keys, a signature key, and a password.
The storage device 20 stores the program code of each program segment of the application security management system 10. The storage device 20 may be a storage device such as a smart media card, a secure digital card or a flash card. The storage device 10 stores user-defined authentication data, for example the user's biometric data and/or behavioral feature data. The biometric data includes fingerprint data, face data, hand data, iris data, retina data, pulse data or auricle data. The behavioral feature data includes handwriting, voice, keystroke dynamics and the like. In other embodiments, the user-defined authentication data stored by the storage device 10 also includes a verification password set by the user; the password may consist of digits, letters, symbols and the like, or a combination of digits, letters, symbols and the like.
The processing device 30 may consist of one or more microprocessors or digital processors. The processing device 30 is communicatively connected to the application security management system 10, the storage device 20, the display device 40 and the eUICC device 50. The communication may take place over a serial peripheral interface bus or some other communication path and protocol. In other embodiments, to ensure the security of the communication, part or all of the communication data may also be encrypted with a private key, and the private key may be a dynamic random key string.
The display device 40 includes, but is not limited to, display devices with a touch function, such as a touch screen.
The eUICC device 50 is an embedded Universal Integrated Circuit Card (eUICC), used for remotely managing the personal management services of multiple Mobile Network Operators (MNO), and complies with the specifications of the Global System for Mobile Communications Alliance (GSMA).
Fig. 2 is a flowchart of the application security management method of the first embodiment of the present invention. Depending on requirements, the order of the steps in this flowchart may be changed, and some steps may be omitted.
Step 210: download a critical application.
In some embodiments, the critical application may be downloaded by the application security management system 10, or it may be downloaded by logging in to an application store through the mobile terminal 1. A critical application is an application that requires a high level of security protection; critical applications include applications associated with a bank card, such as payment software, banking software and the like.
Step 212: store the critical data produced when the critical application is registered in a security domain of the eUICC device 50.
The critical data of the critical application includes, but is not limited to, encryption and decryption keys, a signature key, and a password.
The eUICC device 50 can download multiple eSIM cards, and different eSIM cards can select different Mobile Network Operators. Each eSIM card stores information such as the user identity, user authentication parameters (for example, encryption and decryption keys) and algorithms, the user's phone book and SMS data, and parameters customized by the Mobile Network Operator.
In the present embodiment, the memory space of the eUICC device 50 contains multiple unassigned security domains, which can subsequently be assigned to eSIM cards. Each unassigned security domain in the eUICC device 50 has a permanent and unique identifier (ID). A security domain is used for the secure storage of security values (such as cryptographic keys and the critical data of critical applications). In various embodiments, security domains may be preset in the memory space of the eUICC device 50; a preset security domain may be assigned to a newly downloaded eSIM card, or may be used only for storing security values without being assigned to a newly downloaded eSIM card. In other embodiments, the security domain may also provide access to the secured information through one or more standardized protocols known to those skilled in the art.
Step 214: report an occupancy notification for the security domain to the Subscription Manager Secure Routing.
In the present embodiment, the application security management system 10 reports the occupancy notification for the security domain to the Subscription Manager Secure Routing over the network.
The Subscription Manager Secure Routing (SM-SR) is mainly responsible for the secure routing and transmission of eUICC remote profile data. For the detailed process by which the application security management system 10 reports the occupancy notification for the security domain to the SM-SR, see Fig. 3 and the corresponding description.
In other embodiments, the application security management method may further include: the application security management system 10 pre-stores data for authenticating the critical application.
In the present embodiment, the application security management system 10 receives one or more items of data, preset by the user, for authenticating the critical application and stores them. The data for authenticating the critical application may be the user's biometric data, which includes fingerprint data, face data, hand data, iris data, retina data, pulse data or auricle data and the like. The data may also be the user's behavioral feature data, which includes handwriting, voice, keystroke dynamics and the like. The data may also be password data; the password may consist of digits, letters, symbols and the like, or a combination of digits, letters, symbols and the like. In other embodiments, the data for authenticating the critical application may also be a combination of any two or all of the user's biometric data, behavioral feature data and password data.
Fig. 3 shows the information flow by which the application security management system 10 reports the occupancy information of the security domain to the SM-SR. Depending on requirements, the order of the steps in this flowchart may be changed, and some steps may be omitted.
S310: the mobile terminal 1 sends an application-installation occupancy notification for the security domain to the Mobile Network Operator (MNO).
In the present embodiment, the application security management system 10 of the mobile terminal 1 sends the application-installation occupancy notification for the security domain to the MNO over the network. The notification carries the identifier of the security domain, the identifier of the eUICC, and the remaining-space information of the security domain.
S312: the MNO and the SM-SR authenticate each other.
The MNO and the SM-SR first perform mutual authentication: the MNO confirms that the SM-SR is legitimate and reliable, and the SM-SR confirms that the identity information announced by the MNO is genuine and trustworthy. After mutual authentication succeeds, the MNO and the SM-SR establish a secure IP connection (to prevent remote configuration information from leaking).
S314: the MNO sends the application-installation occupancy notification for the security domain to the SM-SR.
S316: the SM-SR records the occupancy information of the security domain in a database.
By storing the critical data of the critical application in a security domain of the eUICC, the present invention can effectively improve the security of the critical data when multiple eSIM cards coexist.
When the critical application is run, the critical data stored in the eUICC must be read. In other embodiments, it must also be determined whether the data input by the user matches the pre-stored data for authenticating the critical application; the critical application can be run only when the data input by the user is determined to match the pre-stored data for authenticating the critical application.
When the critical application is uninstalled, a notification of the application uninstall for the security domain must be reported to the SM-SR so that the SM-SR can manage the eUICC. The detailed process is shown in Fig. 4. Depending on requirements, the order of the steps in this flowchart may be changed, and some steps may be omitted.
Step 410: receive the authorization data input by the user.
In some embodiments, the application security management system 10 can receive fingerprint data or hand data that the user inputs by touching the display device 40, keystroke dynamics data that the user inputs by pressing the display device 40, or handwriting data or password data that the user inputs by writing on the display device 40. In some embodiments, the mobile terminal 1 also includes a voice device, and the application security management system 10 can receive voice data that the user inputs through the voice device. In some embodiments, the mobile terminal 1 also includes an image capture device, and the application security management system 10 can receive face data, iris data, retina data, auricle data and the like that the user inputs through the image capture device.
Step 412: determine whether the authorization data input by the user matches the pre-stored authorization data of the critical application.
When the application security management system 10 determines that the authorization data input by the user matches the pre-stored authorization data of the critical application, step 414 is performed. When it determines that the authorization data input by the user does not match the pre-stored authorization data of the critical application, step 413 is performed.
Step 413: exit the uninstall of the critical application.
In some embodiments, step 413 may also include the application security management system 10 displaying a prompt on the display device 40 that user authentication has failed, or outputting a voice message through the voice device that the uninstall has failed.
Step 414: release the occupancy of the security domain by the critical data.
In the present embodiment, the application security management system 10 deletes the critical data in the security domain in order to release the occupancy of the security domain by the critical data.
Step 416: report a notification of the application uninstall for the security domain to the SM-SR.
In the present embodiment, the application security management system 10 reports the notification of the application uninstall for the security domain to the SM-SR over the network.
The detailed process by which the application security management system 10 reports the notification of the application uninstall for the security domain to the SM-SR is the same as the process by which it reports the occupancy notification for the security domain to the Subscription Manager Secure Routing, and is not repeated here.
Step 418: complete the uninstall of the critical application.
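The lifecycle described above (steps 212 and 214, the notice flow S310 to S316, and the uninstall steps 410 to 418) can be followed end to end in a small model. The Python below is an added example, not code from the patent; the class names, the salted PBKDF2 password check, and the sample identifiers and sizes are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SecurityDomain:
    sd_id: str                       # permanent, unique identifier of the domain
    capacity: int                    # bytes of secure storage (constructed figure)
    owner: Optional[str] = None      # critical application occupying the domain
    data: Dict[str, bytes] = field(default_factory=dict)

    def remaining(self) -> int:
        return self.capacity - sum(len(v) for v in self.data.values())


class SmSr:
    """Hypothetical stand-in for the SM-SR database of S316."""

    def __init__(self) -> None:
        self.occupied: Dict[Tuple[str, str], int] = {}

    def record(self, notice: dict) -> None:
        key = (notice["euicc_id"], notice["sd_id"])
        if notice["event"] == "install":
            self.occupied[key] = notice["remaining"]
        else:  # "uninstall": the domain is free again
            self.occupied.pop(key, None)


class Mno:
    """Relays notices to the SM-SR only after mutual authentication (S312)."""

    def __init__(self, sm_sr: SmSr, mutually_authenticated: bool = True) -> None:
        self.sm_sr = sm_sr
        self.mutually_authenticated = mutually_authenticated

    def forward(self, notice: dict) -> None:
        if not self.mutually_authenticated:
            raise PermissionError("MNO and SM-SR are not mutually authenticated")
        self.sm_sr.record(notice)


class AppSecurityManager:
    def __init__(self, euicc_id: str, domains: List[SecurityDomain], mno: Mno) -> None:
        self.euicc_id, self.domains, self.mno = euicc_id, domains, mno
        self._salt = os.urandom(16)
        self._verifier: Optional[bytes] = None

    def _derive(self, password: str) -> bytes:
        # Assumption: password authentication data is kept as a salted PBKDF2 hash.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def enroll(self, password: str) -> None:
        """Pre-store the data used to authenticate the critical application."""
        self._verifier = self._derive(password)

    def _notify(self, event: str, sd: SecurityDomain) -> None:
        # S310: the notice carries the domain ID, the eUICC ID and the remaining space.
        self.mno.forward({"event": event, "sd_id": sd.sd_id,
                          "euicc_id": self.euicc_id, "remaining": sd.remaining()})

    def register(self, app: str, key_data: Dict[str, bytes]) -> str:
        """Steps 212 and 214: store key data in a free domain, then report occupancy."""
        need = sum(len(v) for v in key_data.values())
        for sd in self.domains:
            if sd.owner is None and sd.remaining() >= need:
                sd.owner, sd.data = app, dict(key_data)
                self._notify("install", sd)
                return sd.sd_id
        raise RuntimeError("no unassigned security domain with enough space")

    def uninstall(self, app: str, password: str) -> bool:
        """Steps 410 to 418; returns False (step 413) when authentication fails."""
        if self._verifier is None or not hmac.compare_digest(
                self._derive(password), self._verifier):
            return False                       # key data and SM-SR record stay untouched
        for sd in self.domains:
            if sd.owner == app:
                sd.data.clear()                # step 414: release the occupancy
                sd.owner = None
                self._notify("uninstall", sd)  # step 416
        return True                            # step 418


def demo() -> Tuple[str, int, bool, bool, bool]:
    sm_sr = SmSr()
    domains = [SecurityDomain("SD-01", 64)]    # constructed sample values
    mgr = AppSecurityManager("EUICC-EXAMPLE-01", domains, Mno(sm_sr))
    mgr.enroll("correct horse")
    sd_id = mgr.register("bank-app", {"signature_key": b"\x01" * 16})
    recorded = sm_sr.occupied[("EUICC-EXAMPLE-01", sd_id)]
    rejected = mgr.uninstall("bank-app", "wrong guess")
    still_occupied = ("EUICC-EXAMPLE-01", sd_id) in sm_sr.occupied
    accepted = mgr.uninstall("bank-app", "correct horse")
    return sd_id, recorded, rejected, still_occupied, accepted and not sm_sr.occupied


if __name__ == "__main__":
    print(demo())
```

A failed match at step 412 leaves both the key data and the SM-SR record in place, so the operator-side view of the domain never diverges from what is stored on the card.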
As shown in Fig. 5, the application security management system 10 includes a download module 500, a storage module 501, a reporting module 502, a receiving module 503, a judging module 504, an exit module 505, a release module 506, an uninstall module 507 and a prompt module 508. A module, as referred to in the present invention, is a series of computer program segments that can be executed by the processing device 30 and perform a fixed function, and that are stored in the storage device 20. In the present embodiment, the function of each module is described in detail in the following embodiments.
The download module 500 is used for downloading a critical application.
In some embodiments, the download module 500 can download the critical application by logging in to an application store through the mobile terminal 1. A critical application is an application that requires a high level of security protection; critical applications include applications associated with a bank card, such as payment software, banking software and the like.
The storage module 501 is used for storing the critical data produced when the critical application is registered in a security domain of the eUICC device 50.
The critical data of the critical application includes, but is not limited to, encryption and decryption keys, a signature key, and a password.
The eUICC device 50 can download multiple eSIM cards, and different eSIM cards can select different Mobile Network Operators. Each eSIM card stores information such as the user identity, user authentication parameters (encryption and decryption keys, etc.) and algorithms, the user's phone book and SMS data, and parameters customized by the Mobile Network Operator.
In the present embodiment, the memory space of the eUICC device 50 contains multiple unassigned security domains, which can subsequently be assigned to eSIM cards. Each unassigned security domain in the eUICC device 50 has a permanent and unique identifier (ID). A security domain is used for the secure storage of security values (such as cryptographic keys and the critical data of critical applications). In various embodiments, security domains may be preset in the memory space of the eUICC device 50; a preset security domain may be assigned to a newly downloaded eSIM card, or may be used only for storing security values without being assigned to a newly downloaded eSIM card. In other embodiments, the security domain may also provide access to the secured information through one or more standardized protocols known to those skilled in the art.
The reporting module 502 is used for reporting an occupancy notification for the security domain to the Subscription Manager Secure Routing.
In the present embodiment, the reporting module 502 reports the occupancy notification for the security domain to the Subscription Manager Secure Routing over the network.
The Subscription Manager Secure Routing (SM-SR) is mainly responsible for the secure routing and transmission of eUICC remote profile data. For the detailed process by which the application security management system 10 reports the occupancy notification for the security domain to the SM-SR, see Fig. 3 and the corresponding description.
The storage module 501 is also used for pre-storing data for authenticating the critical application.
In the present embodiment, the storage module 501 receives one or more items of data, preset by the user, for authenticating the critical application and stores them. The data for authenticating the critical application may be the user's biometric data, which includes fingerprint data, face data, hand data, iris data, retina data, pulse data or auricle data and the like. The data may also be the user's behavioral feature data, which includes handwriting, voice, keystroke dynamics and the like. The data may also be password data; the password may consist of digits, letters, symbols and the like, or a combination of digits, letters, symbols and the like. In other embodiments, the data for authenticating the critical application may also be a combination of any two or all of the user's biometric data, behavioral feature data and password data.
By storing the critical data of the critical application in a security domain of the eUICC, the present invention can effectively improve the security of the critical data when multiple eSIM cards coexist.
When the critical application is run, the critical data stored in the eUICC must be read. In other embodiments, it must also be determined whether the data input by the user matches the pre-stored data for authenticating the critical application; the critical application can be run only when the data input by the user is determined to match the pre-stored data for authenticating the critical application.
When the critical application is uninstalled, an application-uninstall release notification for the security domain must be reported to the SM-SR so that the SM-SR can manage the eUICC.
Described receiver module 503 is for receiving the authorization data of user's input.
In the present embodiment, described receiver module 503 can receive user by touching the finger print data of described display device 40 input, hand data, user can also be received by pressing the keystroke dynamics data of described display device 40 input, it is also possible to receive user by writing word on described display device 40 thus the handwriting data that inputs or the code data etc. of input.In certain embodiments, described mobile terminal 1 also includes that speech ciphering equipment, described receiver module 503 can receive the voice data that user is inputted by described speech ciphering equipment.In certain embodiments, described mobile terminal 1 also includes that image capture device, described receiver module 503 can receive human face data, iris data, retina data and auricle data etc. that user is inputted by described image capture device.
The authorization data that described judge module 504 inputs for judging user whether authorization data with the critical applications prestored matches.
The described module 505 that exits for exiting the unloading to described critical applications with the authorization data of the critical applications prestored when the authorization data that user inputs does not mates.
Described releasing module 506 is for deleting the critical data in described security domain, to release taking of critical data in described security domain.
Described reporting module 502 is additionally operable to report the notice of the application unloading of security domain to described SM-SR.
In the present embodiment, described reporting module 502 reports the notice of the application unloading of described security domain by network to SM-SR.
Described Unload module 507 is for completing the unloading to described critical applications when the authorization data of user's input matches with the authorization data of the critical applications prestored.
Described reminding module 508 is for pointing out subscription authentication failure on described display device 40, or the voice messaging by speech ciphering equipment output dismount failure.
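The uninstall sequence handled by modules 503 to 508 (judge, exit on mismatch, release the security domain, report to the SM-SR, complete the uninstall) can be modelled as follows. This is an added Python example, not part of the patent text; the class and method names are hypothetical, the authentication data is assumed to be password-type data stored as a salted PBKDF2 hash, and SM-SR reports are kept in an in-memory list instead of being sent over a network.

```python
import hashlib
import hmac
import os


class SecurityDomain:
    """Stand-in for the eUICC security domain holding an app's critical data."""

    def __init__(self):
        self._slots = {}

    def store(self, app_id, critical_data):
        self._slots[app_id] = dict(critical_data)

    def release(self, app_id):
        # Delete the keys/passwords so the domain is no longer occupied.
        self._slots.pop(app_id, None)

    def occupied(self, app_id):
        return app_id in self._slots


def derive(passcode, salt):
    # Assumption: password-type data, stored only as a salted hash.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)


class Terminal:
    def __init__(self):
        self.domain = SecurityDomain()
        self.installed = set()
        self.auth_refs = {}      # app_id -> (salt, hash) prestored at registration
        self.smsr_reports = []   # notices that would be reported to the SM-SR

    def register(self, app_id, critical_data, passcode):
        salt = os.urandom(16)
        self.installed.add(app_id)
        self.domain.store(app_id, critical_data)
        self.auth_refs[app_id] = (salt, derive(passcode, salt))
        self.smsr_reports.append(("occupied", app_id))

    def uninstall(self, app_id, entered_passcode):
        if app_id not in self.installed:
            return "not installed"
        salt, expected = self.auth_refs[app_id]
        # Judging step: constant-time comparison with the prestored reference.
        if not hmac.compare_digest(derive(entered_passcode, salt), expected):
            return "authentication failed"   # exit; nothing is deleted
        self.domain.release(app_id)                      # releasing module
        self.smsr_reports.append(("released", app_id))   # reporting module
        self.installed.discard(app_id)                   # uninstall module
        del self.auth_refs[app_id]
        return "uninstalled"
```

A failed attempt leaves the security domain, the installed set and the SM-SR report list unchanged, so the critical data cannot be wiped by someone who cannot authenticate.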
In the several embodiments provided by the present invention, it should be understood that the disclosed system, device and method can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for example, the division of the modules is only a division by logical function, and other divisions are possible in an actual implementation.
The modules described as separate components may or may not be physically separate, and the components shown as modules may or may not be physical units; that is, they may be located in one place or may be distributed over multiple network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
In addition, the functional modules in the embodiments of the present invention may be integrated in one processing unit, each unit may exist physically on its own, or two or more units may be integrated in one unit. The integrated unit may be implemented in the form of hardware, or in the form of hardware plus software functional modules.
The integrated unit implemented in the form of software functional modules can be stored in a computer-readable storage medium. The software functional modules are stored in a storage medium and include a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) or a processor to perform some of the steps of the methods described in the embodiments of the present invention.
It is obvious to a person skilled in the art that the invention is not limited to the details of the above exemplary embodiments, and that the present invention can be realized in other specific forms without departing from its spirit or essential characteristics. Therefore, the embodiments should in every respect be regarded as exemplary and non-restrictive; the scope of the present invention is defined by the appended claims rather than by the above description, and all changes that fall within the meaning and range of equivalency of the claims are therefore intended to be included in the present invention. No reference sign in a claim should be construed as limiting the claim concerned. Furthermore, it is to be understood that the word "comprising" does not exclude other units or steps, and the singular does not exclude the plural. Multiple units or devices stated in a system claim may also be implemented by one unit or device through software or hardware. Words such as "first" and "second" are used to denote names and do not indicate any specific order.
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to the preferred embodiments, a person of ordinary skill in the art will understand that the technical solution of the present invention can be modified or equivalently replaced without departing from the spirit and scope of the technical solution of the present invention.

Claims (12)

1. An application security management method, applied in a mobile terminal, the mobile terminal including an eUICC device in which a security domain is provided, characterized in that the method includes:
downloading a critical application; and
storing the critical data produced when registering the critical application in the security domain.
2. The application security management method as claimed in claim 1, characterized in that the critical application includes an application program corresponding to a bank card, and the critical data includes an encryption and decryption key, a signature key, and a password.
3. The application security management method as claimed in claim 1, characterized in that, after the critical data is stored in the security domain, the method further includes:
reporting an occupation notice of the security domain to the subscription manager secure routing (SM-SR).
4. The application security management method as claimed in claim 1, characterized in that the method further includes:
prestoring data for authenticating the critical application.
5. The application security management method as claimed in claim 4, characterized in that the method further includes:
uninstalling the critical application, including:
receiving authorization data input by the user;
when it is determined that the authorization data input by the user matches the prestored data for authenticating the critical application, releasing the occupation of the security domain by the critical data;
reporting the notice of the application uninstall of the security domain to the subscription manager secure routing; and
completing the uninstallation of the critical application.
6. The application security management method as claimed in any one of claims 4-5, characterized in that the data for authenticating the critical application includes biometric data of the user, behavioral characteristic data, or password data.
7. An application security management system, applied in a mobile terminal, the mobile terminal including an eUICC device in which a security domain is provided, characterized in that the system includes:
a download module, configured to download a critical application; and
a storage module, configured to store the critical data produced when registering the critical application in the security domain.
8. The application security management system as claimed in claim 7, characterized in that the critical application includes an application program corresponding to a bank card, and the critical data includes an encryption and decryption key, a signature key, and a password.
9. The application security management system as claimed in claim 7, characterized in that the system further includes:
a reporting module, configured to report an occupation notice of the security domain to the subscription manager secure routing after the critical data is stored in the security domain.
10. The application security management system as claimed in claim 7, characterized in that the storage module is further configured to prestore data for authenticating the critical application.
11. The application security management system as claimed in claim 10, characterized in that the system further includes:
a receiving module, configured to receive authorization data input by the user;
a judging module, configured to determine whether the authorization data input by the user matches the prestored data for authenticating the critical application;
a releasing module, configured to release the occupation of the security domain by the critical data when the judging module determines that the authorization data input by the user matches the prestored data for authenticating the critical application;
the reporting module, further configured to report the notice of the application uninstall of the security domain to the subscription manager secure routing; and
an uninstall module, configured to complete the uninstallation of the critical application.
12. The application security management system as claimed in any one of claims 10-11, characterized in that the data for authenticating the critical application includes biometric data of the user, behavioral characteristic data, or password data.
CN201610352945.9A 2016-05-25 2016-05-25 Application security management method and system Pending CN105827653A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201610352945.9A CN105827653A (en) 2016-05-25 2016-05-25 Application security management method and system
PCT/CN2016/097464 WO2017201908A1 (en) 2016-05-25 2016-08-31 Application program security management method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610352945.9A CN105827653A (en) 2016-05-25 2016-05-25 Application security management method and system

Publications (1)

Publication Number Publication Date
CN105827653A true CN105827653A (en) 2016-08-03

Family

ID=56531221

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610352945.9A Pending CN105827653A (en) 2016-05-25 2016-05-25 Application security management method and system

Country Status (2)

Country Link
CN (1) CN105827653A (en)
WO (1) WO2017201908A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017201908A1 (en) * 2016-05-25 2017-11-30 宇龙计算机通信科技(深圳)有限公司 Application program security management method and system
WO2018053903A1 (en) * 2016-09-22 2018-03-29 宇龙计算机通信科技(深圳)有限公司 Method and device for managing file, and mobile terminal
CN108966205A (en) * 2018-07-04 2018-12-07 深圳高新兴物联科技有限公司 A kind of method, equipment and computer readable storage medium being compatible with a variety of eSIM management regulations

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102021002193A1 (en) 2021-04-26 2022-10-27 Giesecke+Devrient Mobile Security Gmbh Payment solution, especially digital payment solution

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140004827A1 (en) * 2012-06-27 2014-01-02 Rogers Communications Inc. System and method for remote provisioning of embedded universal integrated circuit cards
CN104469737A (en) * 2014-11-17 2015-03-25 中国联合网络通信集团有限公司 Embedded universal integrated circuit card and user subscription information activation method thereof
CN105122769A (en) * 2013-02-18 2015-12-02 欧贝特科技公司 Method for creating a profile in a security domain of a secured element
CN105282732A (en) * 2014-07-17 2016-01-27 三星电子株式会社 Method and device for updating profile management server

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10164953B2 (en) * 2014-10-06 2018-12-25 Stmicroelectronics, Inc. Client accessible secure area in a mobile device security module
CN105827653A (en) * 2016-05-25 2016-08-03 宇龙计算机通信科技(深圳)有限公司 Application security management method and system

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20140004827A1 (en) * 2012-06-27 2014-01-02 Rogers Communications Inc. System and method for remote provisioning of embedded universal integrated circuit cards
US9137656B2 (en) * 2012-06-27 2015-09-15 Rogers Communications Inc. System and method for remote provisioning of embedded universal integrated circuit cards
CN105122769A (en) * 2013-02-18 2015-12-02 欧贝特科技公司 Method for creating a profile in a security domain of a secured element
CN105282732A (en) * 2014-07-17 2016-01-27 三星电子株式会社 Method and device for updating profile management server
CN104469737A (en) * 2014-11-17 2015-03-25 中国联合网络通信集团有限公司 Embedded universal integrated circuit card and user subscription information activation method thereof

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017201908A1 (en) * 2016-05-25 2017-11-30 宇龙计算机通信科技(深圳)有限公司 Application program security management method and system
WO2018053903A1 (en) * 2016-09-22 2018-03-29 宇龙计算机通信科技(深圳)有限公司 Method and device for managing file, and mobile terminal
CN108966205A (en) * 2018-07-04 2018-12-07 深圳高新兴物联科技有限公司 A kind of method, equipment and computer readable storage medium being compatible with a variety of eSIM management regulations
CN108966205B (en) * 2018-07-04 2021-08-27 高新兴物联科技有限公司 Method, equipment and computer readable storage medium compatible with multiple eSIM management specifications

Also Published As

Publication number Publication date
WO2017201908A1 (en) 2017-11-30

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20160803
