CN107343276B - Method and system for protecting SIM card locking data of terminal - Google Patents

Publication number
CN107343276B
Authority
CN
China
Prior art keywords
data
communication processor
sim card
locking
ciphertext
Legal status
Active
Application number
CN201610280771.XA
Other languages
Chinese (zh)
Other versions
CN107343276A (en)
Inventor
周磊
刘志勇
Current Assignee
Spreadtrum Communications Shanghai Co Ltd
Original Assignee
Spreadtrum Communications Shanghai Co Ltd
Application filed by Spreadtrum Communications Shanghai Co Ltd
Priority to CN201610280771.XA
Publication of CN107343276A
Application granted
Publication of CN107343276B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W12/06 Authentication
    • H04W88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W88/02 Terminal devices

Abstract

A method and a system for protecting SIM card lock data of a terminal, wherein the terminal comprises a communication processor and the method comprises: transmitting the SIM card lock data through a locking and unlocking tool to a first storage area of the communication processor and storing it there. This scheme can improve the security and the universality of the SIM card lock data.

Description

Method and system for protecting SIM card locking data of terminal
Technical Field
The invention relates to the field of communication, in particular to a method and a system for protecting SIM card locking data of a terminal.
Background
An operator uses relevant information in the Universal Subscriber Identity Module (USIM) to restrict the countries, registered networks, subnets, group networks, etc. in which a terminal is allowed to operate. The principle is as follows: the relevant information stored in the USIM is compared with the relevant information stored in the terminal, and the comparison result determines whether the current terminal is a customized device and whether it is allowed to be active in the current network. A SIM Lock is a software lock used to protect the relevant information of the USIM. To ensure the security of the data associated with this software lock, the key information related to the SIM Lock data (such as the white list and the software lock state) must be protected so that hackers cannot tamper with it through illegal software or by reinstallation.
Currently, there are two methods to protect the SIM Lock data. In the first method, the SIM Lock data encrypted with the RSA private key is stored on the CP side and the RSA public key is hard-coded on the AP side; each time the system starts, the boot loader (Universal Boot Loader, Uboot) transmits the RSA public key to the CP, and the CP completes the verification of the SIM Lock data. In the second method, the SIM Lock data encrypted with the RSA private key is stored on the AP side; Uboot sends the SIM Lock data to the CP side during the second startup process, and the CP side re-encrypts the SIM Lock data and stores it.
However, if the SIM Lock data is protected by the above method, the security of the SIM Lock data and the versatility of the protection method are low.
Disclosure of Invention
The invention solves the problem of how to improve the security and the universality of SIM card lock data.
In order to solve the above problem, an embodiment of the present invention provides a method for protecting SIM card lock data of a terminal, where the terminal includes a communication processor, and the method includes: transmitting the SIM card lock data through a locking and unlocking tool to a first storage area of the communication processor and storing it there.
Optionally, the SIM card lock data is stored in a hard coding manner or a soft coding manner.
Optionally, before transmitting the SIM card lock data to the communication processor, the method further includes: transmitting a public key to the communication processor through the locking and unlocking tool and storing it there; and the communication processor authenticating the locking and unlocking tool using the public key, with the tool passing the authentication.
Optionally, the communication processor authenticating the locking and unlocking tool using the public key includes: the communication processor detects whether the public key matches a private key held by the locking and unlocking tool; and the communication processor determines that the locking and unlocking tool passes the authentication when it determines that the public key matches the private key held by the source of the SIM card lock data.
Optionally, the SIM card lock data comprises static data.
Optionally, before the locking and unlocking tool sends the SIM card lock data to the communication processor, the method further includes: the locking and unlocking tool encrypts static data in the SIM card lock data with a private key matching the public key to generate a first ciphertext and sends the first ciphertext to the communication processor; the communication processor decrypts the first ciphertext using the public key; after the first ciphertext has been successfully decrypted, the communication processor generates a first encryption key, performs double-layer encryption on the decrypted first ciphertext using the first encryption key and the public key to generate a second ciphertext, and sends the second ciphertext to the locking and unlocking tool; and the locking and unlocking tool replaces the static data in the SIM card lock data with the second ciphertext.
Optionally, the SIM card lock data includes static data and dynamic data.
Optionally, before the communication processor stores the SIM card lock data, the method further includes: the locking and unlocking tool encrypts the dynamic data and signs the static data using the private key, and sends both to the communication processor; and the communication processor verifies the signature and decrypts the dynamic data, then encrypts the verified signature and signs the decrypted dynamic data again, and stores them.
Optionally, the locking and unlocking tool encrypting the dynamic data and signing the static data using the private key, and sending them to the communication processor, includes: the locking and unlocking tool encrypts the dynamic data to generate a third ciphertext, signs the static data to generate a first signature value, and sends the third ciphertext and the static data carrying the first signature value to the communication processor.
Optionally, the communication processor verifying the signature and decrypting the dynamic data, and encrypting and signing them again and storing them, includes: the communication processor verifies the first signature value and decrypts the third ciphertext; and after the first signature value has been verified and the third ciphertext decrypted, the communication processor generates a second encryption key, encrypts the first signature value using the second encryption key to generate a fourth ciphertext, signs the dynamic data using the second encryption key to generate a second signature value, and stores the decrypted static data, the decrypted dynamic data, the second signature value and the fourth ciphertext.
Optionally, before the locking and unlocking tool transmits and stores the public key to the communication processor, the method further includes: the communication processor determines a uniqueness of data interaction with the locking and unlocking tool.
Optionally, the communication processor determining the uniqueness of data interaction with the locking and unlocking tool includes: transmitting a random number through the locking and unlocking tool to a second storage area of the communication processor and storing it there, wherein the data in the second storage area cannot be changed; the locking and unlocking tool performs an operation on the random number and the public key to obtain a first operation value, encrypts the first operation value to obtain a first encrypted value, and sends the first encrypted value together with the public key to the communication processor; the communication processor encrypts the public key to obtain a second encrypted value and judges whether the first encrypted value is the same as the second encrypted value; and the communication processor determines that the data interaction with the locking and unlocking tool is unique when the first encrypted value is the same as the second encrypted value.
Optionally, the data in the first storage area may be altered.
Optionally, the terminal further includes an application processor, and data interaction between the communication processor and the locking and unlocking tool is conducted through the application processor.
The embodiment of the invention provides a system for protecting SIM card lock data, which comprises: a locking and unlocking tool and a terminal coupled thereto, wherein: the terminal, including: the communication processor is suitable for receiving the SIM card lock data transmitted by the locking and unlocking tool and storing the SIM card lock data in a first storage area; the locking and unlocking tool is suitable for transmitting the SIM card locking data to a communication processor of the terminal.
Optionally, the communication processor is adapted to store the SIM card lock data in a hard coding manner or a soft coding manner.
Optionally, the locking and unlocking tool is further adapted to transmit a public key to the communication processor for storage before transmitting the SIM card lock data to the communication processor;
the communication processor is further adapted to authenticate the locking and unlocking tool using the public key, with the tool passing the authentication.
Optionally, the communication processor is adapted to detect whether the public key matches a private key held by the locking and unlocking tool, and to determine that the locking and unlocking tool passes the authentication when it determines that the public key matches the private key held by the source of the SIM card lock data.
Optionally, the SIM card lock data comprises static data.
Optionally, the locking and unlocking tool is further adapted to encrypt static data in the SIM card lock data by a private key matched with the public key before sending the SIM card lock data to the communication processor, generate a first ciphertext, and send the first ciphertext to the communication processor; the communication processor is further adapted to decrypt the first ciphertext using the public key; and after the decryption of the first ciphertext is successfully completed, generating a first encryption key, performing double-layer encryption on the decrypted first ciphertext by using the first encryption key and the public key to generate a second ciphertext, and sending the second ciphertext to the locking and unlocking tool, so that the locking and unlocking tool replaces static data in the SIM card locking data with the second ciphertext.
Optionally, the SIM card lock data includes static data and dynamic data.
Optionally, the locking and unlocking tool is further adapted to encrypt the dynamic data and sign the static data with the private key before the communication processor stores the SIM card lock data, and to send the encrypted dynamic data and the signed static data to the communication processor; the communication processor is further adapted to verify the signature and decrypt the dynamic data, then encrypt the verified signature and sign the decrypted dynamic data again, and store them.
Optionally, the locking and unlocking tool is adapted to encrypt the dynamic data to generate a third ciphertext, sign the static data to generate a first signature value, and send the third ciphertext and the static data carrying the first signature value to the communication processor.
Optionally, the communication processor is further adapted to verify the first signature value and decrypt the third ciphertext; and, after the first signature value has been verified and the third ciphertext decrypted, to generate a second encryption key, encrypt the first signature value using the second encryption key to generate a fourth ciphertext, sign the dynamic data using the second encryption key to generate a second signature value, and store the decrypted static data, the decrypted dynamic data, the second signature value and the fourth ciphertext.
Optionally, the communication processor is further adapted to determine uniqueness of data interaction with the locking and unlocking tool before the locking and unlocking tool transmits and stores a public key to the communication processor.
Optionally, the data in the first storage area may be altered.
Optionally, the terminal further comprises an application processor adapted to pass through data between the communication processor and the locking and unlocking tool.
Optionally, the communication processor is further adapted to exchange the ID code data of the terminal with the locking and unlocking tool in ciphertext form, and to store the ID code data in the first storage area.
Compared with the prior art, the technical scheme of the invention has the following advantages:
The communication processor can obtain the SIM Lock data from an external locking and unlocking tool without relying on the application processor, and the data is stored in the communication processor, so the method is applicable to products such as feature phones and data cards, which improves the universality of the SIM Lock data protection method. Furthermore, since the source code of the communication processor is not open, data in the communication processor is not easily tampered with, so storing the data in the communication processor improves the security of data protection.
Further, before the communication processor receives the SIM card lock data from the locking and unlocking tool, the communication processor authenticates the locking and unlocking tool using the public key and the tool passes the authentication. This prevents other, non-designated locking and unlocking tools from altering the SIM card lock data and then transmitting it to the communication processor, which further improves data security.
Further, before the data is received, the communication processor interacts with the locking and unlocking tool so that the static data of the SIM card lock data held in the tool is replaced by a ciphertext that the tool cannot interpret. This prevents the static data from being modified inside the locking and unlocking tool, which further improves data security.
Further, before the locking and unlocking tool transmits the public key to the communication processor for storage, the communication processor determines the uniqueness of data interaction with the locking and unlocking tool, so that the public key cannot be set arbitrarily, which further improves data security.
Drawings
FIG. 1 is a schematic flow chart illustrating a method for protecting SIM card lock data according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a system for protecting SIM card lock data according to an embodiment of the present invention;
FIG. 3 is a signaling diagram of data interaction between a locking/unlocking tool and a communication processor according to an embodiment of the present invention;
FIG. 4 is a schematic flowchart illustrating a process of verifying SIM card lock data by a terminal according to an embodiment of the present invention.
Detailed Description
An operator uses relevant information in the Universal Subscriber Identity Module (USIM) to restrict the countries, registered networks, subnets, group networks, etc. in which a terminal is allowed to operate. The principle is as follows: the relevant information stored in the USIM is compared with the relevant information stored in the terminal, and the comparison result determines whether the current terminal is a customized device and whether it is allowed to be active in the current network.
A SIM Lock is a software lock used to protect the relevant information of the USIM. To ensure the security of the data associated with this software lock, the key information related to the SIM Lock data (such as the white list and the software lock state) must be protected so that hackers cannot tamper with it through illegal software or by reinstallation.
Currently, there are two methods to protect the SIM Lock data. In the first method, the SIM Lock data encrypted with the RSA private key is stored on the CP side and the RSA public key is hard-coded on the AP side; each time the system starts, the open-source Universal Boot Loader (Uboot) transmits the RSA public key to the CP, and the CP completes the verification of the SIM Lock data. In the second method, the SIM Lock data encrypted with the RSA private key is stored on the AP side; Uboot sends the SIM Lock data to the CP side during the second startup process, and the CP side re-encrypts the SIM Lock data and stores it.
However, if the SIM Lock data is protected by the above method, the security of the SIM Lock data and the versatility of the protection method are low.
In order to solve the above problem, an embodiment of the present invention provides a method for protecting SIM card lock data of a terminal. The communication processor can obtain the SIM card lock data from an external locking and unlocking tool without depending on an application processor, and the data is stored in the communication processor, so the method is applicable to products such as feature phones and data cards, which improves the universality of the SIM Lock data protection method. In addition, the source code of the communication processor is not open, so data in the communication processor is not easily tampered with, and storing the data there also improves the security of data protection.
In order to make the aforementioned objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in detail below.
The following provides a method for protecting SIM card lock data of a terminal in an embodiment of the present invention, as shown in fig. 1, where the terminal includes a communication processor, and the method is described in detail in the following steps with reference to fig. 1:
S11: The locking and unlocking tool sends the SIM card lock data to the communication processor.
To prevent an arbitrary locking and unlocking tool from exchanging data with the terminal or tampering with the SIM card lock data, and thereby improve data security, in a specific implementation a public key may be transmitted to the communication processor through the locking and unlocking tool and stored there before the SIM card lock data is transmitted; the communication processor then authenticates the locking and unlocking tool using the public key, and the tool passes the authentication.
In a specific implementation, the communication processor may detect whether the public key matches a private key held by the locking and unlocking tool, and if it determines that the public key matches the private key held by the source of the SIM card lock data, it may determine that the locking and unlocking tool is authenticated. It should be noted that the private key may be stored in the locking and unlocking tool, in a dongle, or on a client server, so as to enhance the security of the private key; wherever the private key is stored, the locking and unlocking tool can obtain it. The location where the private key is stored does not limit the scope of the present invention.
In order to determine the uniqueness of data interaction with the locking and unlocking tool, in an embodiment of the present invention, before the locking and unlocking tool transmits and stores a public key to the communication processor, a random number may be transmitted and stored in a second storage area of the communication processor by the locking and unlocking tool in an encrypted manner; wherein: the data in the second storage area is not alterable.
The locking and unlocking tool performs an operation on the random number and the public key to obtain a first operation value, encrypts the first operation value to obtain a first encrypted value, and sends the first encrypted value together with the public key to the communication processor; the communication processor encrypts the public key to obtain a second encrypted value and judges whether the first encrypted value is the same as the second encrypted value; when the two values are the same, the communication processor determines that the data interaction with the locking and unlocking tool is unique.
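The binding check described above, as an added example that is not code from the patent or from the assignee: HMAC-SHA-256 keyed with the random number is an assumed stand-in for the unspecified "operation" and "encryption" steps, the encrypted transport of the random number is omitted, and all class names, function names and key bytes are hypothetical.

```python
import hashlib
import hmac
import secrets


class WriteOnceArea:
    """Stand-in for the second storage area: programmable once, then fixed."""

    def __init__(self):
        self._value = None

    def write(self, value: bytes) -> None:
        if self._value is not None:
            raise PermissionError("second storage area already programmed")
        self._value = bytes(value)

    def read(self) -> bytes:
        if self._value is None:
            raise LookupError("second storage area not programmed")
        return self._value


def binding_value(random_number: bytes, public_key: bytes) -> bytes:
    # Assumption: HMAC-SHA-256 keyed with the random number replaces the
    # patent's unspecified operation and encryption over the public key.
    return hmac.new(random_number, public_key, hashlib.sha256).digest()


class CommunicationProcessor:
    def __init__(self):
        self.second_area = WriteOnceArea()
        self.public_key = None  # stays unset until a key passes the check

    def store_random_number(self, random_number: bytes) -> None:
        self.second_area.write(random_number)

    def accept_public_key(self, first_value: bytes, public_key: bytes) -> bool:
        # Recompute the value from the stored random number and compare in
        # constant time; only a key that matches is stored.
        second_value = binding_value(self.second_area.read(), public_key)
        if not hmac.compare_digest(first_value, second_value):
            return False
        self.public_key = public_key
        return True


class LockUnlockTool:
    def __init__(self, public_key: bytes):
        self.public_key = public_key
        self.random_number = secrets.token_bytes(32)

    def key_message(self):
        # First encrypted value plus the public key, sent together.
        return binding_value(self.random_number, self.public_key), self.public_key


def demo() -> dict:
    # Constructed key bytes; a real tool would send an encoded RSA public key.
    genuine = LockUnlockTool(b"constructed-public-key-of-genuine-tool")
    other = LockUnlockTool(b"constructed-public-key-of-other-tool")
    cp = CommunicationProcessor()
    cp.store_random_number(genuine.random_number)

    # A tool that never learned the stored random number is refused.
    other_ok = cp.accept_public_key(*other.key_message())
    # The genuine value paired with a different key is refused as well.
    first_value, _ = genuine.key_message()
    swapped_ok = cp.accept_public_key(first_value, other.public_key)
    key_after_rejects = cp.public_key

    genuine_ok = cp.accept_public_key(*genuine.key_message())

    # The stored random number cannot be replaced afterwards.
    try:
        cp.store_random_number(other.random_number)
        rewrite_blocked = False
    except PermissionError:
        rewrite_blocked = True

    return {
        "other_ok": other_ok,
        "swapped_ok": swapped_ok,
        "key_after_rejects": key_after_rejects,
        "genuine_ok": genuine_ok,
        "stored_key": cp.public_key,
        "rewrite_blocked": rewrite_blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The check is only as strong as the immutability of the second storage area and the secrecy of the random number, which is why the text has the random number delivered in encrypted form.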
It should be noted that there are many ways for the communication processor to obtain the SIM card lock data from the locking and unlocking tool. For example, the SIM card lock data can be obtained directly from the locking and unlocking tool; because both obtaining and storing the data are then completed independently by the communication processor, dependence on other components in the terminal is avoided, and the universality of the data protection method and the security of the data are improved.
As another example, the SIM card lock data may be obtained through an application processor included in the terminal. In this case the application processor only passes the data through transparently and does not process the data obtained from the locking and unlocking tool in any way. This improves the security of the data.
The SIM card lock data includes static data, and it is important to protect this data from human damage or modification by malware. Therefore, in an embodiment of the present invention, the locking and unlocking tool may interact with the communication processor before sending the SIM card lock data to it, so that the static data cannot be modified by the locking and unlocking tool.
Specifically, the locking and unlocking tool encrypts the static data in the SIM card lock data with a private key matching the public key to generate a first ciphertext and sends the first ciphertext to the communication processor. The communication processor decrypts the first ciphertext with the public key. After the first ciphertext has been successfully decrypted, the communication processor may generate a first encryption key, perform double-layer encryption on the decrypted first ciphertext using the first encryption key and the public key to generate a second ciphertext, and send the second ciphertext to the locking and unlocking tool, which then replaces the static data in the SIM card lock data with the second ciphertext. In this way, the locking and unlocking tool knows neither the first encryption key nor the encryption method applied to the static data, so the security of the static data is improved.
S12: The communication processor stores the SIM card lock data in a first storage area.
In particular implementations, the communication processor may store the received SIM card lock data in the first storage area in a variety of ways. For example, the SIM card lock data may be stored in a hard coded manner, and the data may also be stored in a soft coded manner.
In order to increase the customizability of the SIM card lock data, i.e. to allow for a reasonable modification of the data in the SIM card lock, in an embodiment of the invention, the data in the first storage area may be modified, i.e. the first storage area may be an area in which data may be modified a number of times.
To balance data security against data transmission efficiency, in a specific implementation, before the communication processor stores the SIM card lock data, the locking and unlocking tool may encrypt the dynamic data and sign the static data using the private key and send both to the communication processor. The communication processor then verifies the signature and decrypts the dynamic data, encrypts the verified signature and signs the decrypted dynamic data again, and stores them.
In an embodiment of the present invention, the locking and unlocking tool may encrypt the dynamic data to generate a third ciphertext, sign the static data to generate a first signature value, and send the third ciphertext and the static data carrying the first signature value to the communication processor, so as to encrypt the dynamic data and sign the static data.
In another embodiment of the present invention, the communication processor verifies the signature and decrypts the dynamic data, and encrypts and signs the verified signature and the decrypted dynamic data again and stores them.
The specific process can proceed in the following order: the communication processor first verifies the first signature value and decrypts the third ciphertext; once the first signature value has been verified and the third ciphertext decrypted, it can generate a second encryption key, encrypt the first signature value using the second encryption key to generate a fourth ciphertext, sign the dynamic data using the second encryption key to generate a second signature value, and store the decrypted static data, the dynamic data, the second signature value and the fourth ciphertext.
In order to make the present invention better understood and realized by those skilled in the art, the following provides a system for protecting SIM card lock data in an embodiment of the present invention, as shown in fig. 2, the system may include: locking and unlocking tool 1 and terminal 2 coupled thereto, wherein:
the terminal 2 includes: a communication processor 21, wherein the communication processor 21 is adapted to receive the SIM card lock data transmitted by the locking and unlocking tool 1 and store the SIM card lock data in a first storage area;
the locking and unlocking tool 1 is suitable for transmitting the SIM card locking data to a communication processor 21 of the terminal 2.
In a specific implementation, the communication processor 21 is adapted to store the SIM card lock data by hard coding or soft coding.
In a specific implementation, the locking and unlocking tool 1 is further adapted to transmit a public key to the communication processor 21 for storage before transmitting the SIM card lock data to the communication processor 21; the communication processor 21 is further adapted to authenticate the locking and unlocking tool 1 using the public key, with the tool passing the authentication.
In a specific implementation, the communication processor 21 is adapted to detect whether the public key matches a private key held by the locking and unlocking tool 1, and to determine that the locking and unlocking tool 1 is authenticated when it determines that the public key matches the private key held by the source of the SIM card lock data.
In an implementation, the SIM card lock data includes static data.
In a specific implementation, before sending the SIM card lock data to the communication processor 21, the locking and unlocking tool 1 is further adapted to encrypt static data in the SIM card lock data by a private key matching the public key, generate a first ciphertext, and send the first ciphertext to the communication processor 21;
the communication processor 21 is further adapted to decrypt the first ciphertext with the public key; and after the decryption of the first ciphertext is successfully completed, generating a first encryption key, performing double-layer encryption on the decrypted first ciphertext by using the first encryption key and the public key to generate a second ciphertext, and sending the second ciphertext to the locking and unlocking tool 1, so that the locking and unlocking tool 1 replaces static data in the SIM card locking data with the second ciphertext.
In one embodiment, the SIM card lock data includes static data and dynamic data.
In a specific implementation, before the communication processor 21 stores the SIM card lock data, the locking and unlocking tool 1 is further adapted to encrypt the dynamic data and sign the static data by using the private key, and send the encrypted dynamic data and the signed static data to the communication processor 21; the communication processor 21 is further adapted to verify the signature and decrypt the dynamic data, and encrypt and sign the verified signature and decrypted dynamic data again, and store them.
In a specific implementation, the locking and unlocking tool 1 is adapted to encrypt the dynamic data to generate a third ciphertext, sign the static data to generate a first signature value, and send the third ciphertext and the static data carrying the first signature value to the communication processor 21.
In a specific implementation, the communication processor 21 is further adapted to verify the first signature value and decrypt the third ciphertext; and, after the first signature value has been verified and the third ciphertext decrypted, to generate a second encryption key, encrypt the first signature value using the second encryption key to generate a fourth ciphertext, sign the dynamic data using the second encryption key to generate a second signature value, and store the decrypted static data, the decrypted dynamic data, the second signature value and the fourth ciphertext.
In a specific implementation, the communication processor 21 is further adapted to determine the uniqueness of the data interaction with the locking and unlocking tool 1 before the locking and unlocking tool 1 transmits and stores the public key to the communication processor 21.
In a specific implementation, the communication processor 21 is further adapted to receive a random number from the locking and unlocking tool 1 and store the random number in a second storage area of the communication processor 21; wherein: the data in the second storage area is not alterable.
The locking and unlocking tool 1 is further adapted to perform an operation using the random number and the public key to obtain a first operation value, encrypt the first operation value to obtain a first encrypted value, and send the first encrypted value and the public key to the communication processor 21 together; the communication processor 21 is further adapted to encrypt the public key to obtain a second encrypted value, and determine whether the first encrypted value is the same as the second encrypted value; when the first encrypted value and the second encrypted value are the same, the communication processor 21 determines the uniqueness of data interaction with the locking and unlocking tool 1.
In particular implementations, the data in the first storage area may be altered.
In a specific implementation, the terminal 2 further includes an application processor 22, and data interaction between the communication processor 21 and the locking and unlocking tool 1 is conducted through the application processor 22.
In order to make those skilled in the art better understand and implement the present invention, a signaling diagram of data interaction between a locking/unlocking tool and a communication processor in the embodiment of the present invention is provided below, as shown in fig. 3, and a method for protecting SIM card lock data in the embodiment of the present invention is described in detail in steps with reference to fig. 3 as follows:
S301: The random number N1 is sent to the communication processor 32.
It should be noted that the tool referred to herein may be the locking and unlocking tool 31. Considering that different product forms require the method to be general, the locking and unlocking tool 31 may write data both when the terminal is in the calibration mode and when it is in the normal mode, so the scheme of the present invention can be carried out entirely on the communication processor 32 side.
In a specific implementation, the locking and unlocking tool 31 may generate a pair of RSA (Ron Rivest, Adi Shamir, Leonard Adleman) keys, namely a public key (PK) and a private key (SK), through a dongle, where the SK is kept by the customer that customizes the SIM Lock, and the PK may be transmitted to the communication processor 32 and stored.
Since the PK is important, in order to prevent the PK from being set arbitrarily and to ensure the uniqueness of the operation, the locking and unlocking tool 31 may first generate a random number N1 of 128 bits (or 256 bits) before the PK is transmitted, and may then transmit the random number N1 to the communication processor 32.
It is understood that the number of bytes occupied by the random number N1 is not a limitation to the present invention, and those skilled in the art can generate random numbers N1 with other numbers of bytes.
S302: the communication processor 32 stores the random number N1 in a reprogrammable hardware circuit.
In a particular implementation, the communication processor 32 may store the random number N1 in a reprogrammable hardware circuit.
In one embodiment of the present invention, the reprogrammable hardware circuit may be an electrically programmable fuse (eFUSE). The data in the eFUSE cannot be altered, so storing the random number N1 in the eFUSE improves the security of data interaction with the communication processor 32.
It is understood that if the communication processor 32 successfully receives the random number N1, an acknowledgement receipt message is sent to the unlocking tool 31, and the process is not described herein again.
S303: (PK, M1) is sent to the communication processor 32.
In a specific implementation, after the locking and unlocking tool 31 successfully sends the random number N1, the public key may be hashed and summed with the random number N1 to obtain (hash(PK) + N1), and (hash(PK) + N1) is then encrypted by using the Advanced Encryption Standard (AES) to generate the data M1 (the AES encryption key may be agreed between the communication processor 32 and the locking and unlocking tool 31). The locking and unlocking tool 31 may then send (PK, M1) to the communication processor 32.
S304: Generate M2 and check M1; if the check passes, generate the encrypted data SPK and store the PK and the SPK.
In a specific implementation, the communication processor 32 may encrypt the received PK again according to the agreed AES key and the previously stored random number N1 to generate encrypted data M2, and compare M1 with M2. If M1 and M2 are the same, the PK has been sent successfully, which ensures the uniqueness of data interaction between the communication processor 32 and the locking and unlocking tool 31.
After the communication processor 32 successfully receives the PK, a new AES key (Key) may be generated by using the device identification (UID) of the communication processor 32. Since the UID of each chip, that is, of each communication processor 32, is theoretically different, the uniqueness of the AES Key can be ensured, which also provides a certain guarantee for the security of the PK. The PK is then encrypted with the AES algorithm to generate the encrypted data SPK, and (PK, SPK) may be stored.
In one embodiment of the present invention, the (PK, SPK) may be stored in a block of NV. Of course, those skilled in the art may store the information in other areas of the communication processor 32 according to actual needs.
S305: an authentication request is sent.
In order to improve the data security, in an implementation, the communication processor 32 may authenticate the locking and unlocking tool 31, so that the locking and unlocking tool 31 may send an authentication request to the communication processor 32. If the locking and unlocking tool 31 passes the authentication of the communication processor 32, the data reading and writing operation can be carried out; if the locking and unlocking tool 31 is not authenticated by the communication processor 32, data interaction with the locking and unlocking tool 31 may not be continued or data from the locking and unlocking tool 31 may not be received.
S306: a random number N2 is generated and encrypted with PK to generate a ciphertext M1.
In a specific implementation, after the communication processor 32 receives the authentication request from the locking and unlocking tool 31, a random number N2 may be generated, and then the stored PK is used to encrypt N2, generating a ciphertext M1.
S307: the ciphertext M1 is transmitted back to the tool.
S308: M1 is decrypted with SK to obtain the random number N2, and N2 is encrypted with SK to generate a ciphertext M2.
In a specific implementation, after the ciphertext M1 is successfully received, the locking and unlocking tool 31 may acquire, through the dongle, the previously generated SK that matches the PK, then decrypt the ciphertext M1 using the SK, and encrypt the decrypted data N2 using the SK again to generate the ciphertext M2.
S309: M2 is sent to the communication processor 32.
S310: Decrypt to obtain N3, compare N2 with N3, and confirm the authentication result.
In a specific implementation, after receiving the ciphertext M2, the communication processor 32 may decrypt M2 with the stored PK to recover the random number N3, compare N3 with N2, and determine from the comparison result whether the locking and unlocking tool 31 passes authentication. If N3 is the same as N2, the locking and unlocking tool 31 passes authentication; otherwise, it does not.
It should be noted that, whether or not the locking and unlocking tool 31 passes authentication by the communication processor 32, the locking and unlocking tool 31 is notified of the authentication result. The notification flow is not limited herein and is not described further.
It is understood that after the locking and unlocking tool 31 passes authentication by the communication processor 32, execution may continue to S311; otherwise, the two do not continue to interact.
S311: ciphertext M3 is transmitted.
It should be noted that the SIMLock data includes two parts: static data and dynamic data. The static data refers to data such as the encrypted PIN/PUK and the signature of the static data segment. In theory it cannot be changed after the terminal leaves the factory unless it is deliberately damaged or modified by malicious software. The static data is signed with a private key by the device software developer or the manufacturer and then stored in the terminal device.
The dynamic data refers to data content that needs to change dynamically while the mobile phone is in use, such as the decrement and recovery of the number of unlocking attempts and changes to the SIMLock status bit. This data can also be called user data.
In a specific implementation, the PIN/PUK data is an important component of the SIMLock static data and is also the most critical content of the entire SIM Lock data segment. To prevent this data from being rewritten, which would eventually allow the SIM Lock data to be cracked, the data may be encrypted by the communication processor 32 before configuration and then handed to the tool for processing.
In an embodiment of the present invention, the locking and unlocking tool 31 may encrypt the PIN/PUK data in the SIM Lock data through RSA SK to generate a ciphertext M3, and then send the ciphertext M3 to the communication processor 32.
S312: M3 is decrypted and then encrypted to generate M4.
In a specific implementation, after the communication processor 32 correctly receives the ciphertext M3, the ciphertext M3 may be decrypted by RSA PK, and after successful decryption, the communication processor 32 may generate an AES Key from the UID, perform double-layer encryption with AES and RSA PK on the decrypted PIN/PUK, and generate the ciphertext M4.
S313: M4 is returned to the tool.
S314: M4 is substituted for the static data in the SIM Lock data.
In a specific implementation, after receiving the ciphertext M4, the locking and unlocking tool 31 may place the ciphertext M4 in the corresponding position of the static data in the SIM Lock data. Because neither the AES key nor the encryption method that the communication processor 32 applies to the static data can be learned from the unlock data, the static data cannot be tampered with.
S315: signing the static data to obtain S1; the dynamic data is encrypted to generate M5.
In order to better protect the static data of the SIM Lock and prevent malicious tampering, in a specific implementation, the SIM Lock static data may be signed by using RSA SK before SIM Lock data writing.
In this way, the signature is verified at each power-on of the communication processor 32. Once the static data is destroyed, the signature verification fails directly, and the terminal communication function cannot be used normally. Because the whole SIM Lock data area is large, transmitting it as ciphertext would require segmented encrypted transmission. To avoid the implementation complexity that data splitting and recombination may cause, in a specific implementation the SIMLock data can be transmitted in a mixed mode that combines a signature with ciphertext.
In an embodiment of the present invention, after the PIN/PUK is configured by the ciphertext, the unlocking tool 31 may use RSA SK to sign the SIMLock static data, generate a signature S1, and then place S1 in the SIMLock data to wait for transmission. Since the dynamic data area in the SIM Lock is small, the locking and unlocking tool 31 may directly use RSA SK to encrypt the part of data, so as to generate the ciphertext M5.
S316: the (SIMLock static data, S1, M5) is sent to the communication processor 32.
S317: decrypting M5 and verifying S1, and if the decryption and the verification are successful, re-encrypting S1 to generate M6; the dynamic data is signed, generating S2.
In a specific implementation, after the communication processor 32 receives the data correctly, the SIMLock dynamic data M5 may be decrypted using RSA PK, and S1 may be verified. If the communication processor 32 successfully decrypts M5 and successfully verifies S1, it can generate an AES Key from the UID, sign the SIMLock dynamic data to generate the signature value S2, and re-encrypt S1 with AES to generate M6.
Finally, the communication processor 32 may write the successfully decrypted SIMLock static data, M6, the SIMLock dynamic data, and S2 to the corresponding locations in NV. Since the data in NV can be changed, if a subsequent user needs to modify the data in the SIM Lock, the data can be rewritten into NV according to the flow from S301 to S317, which improves the customizability of the data.
In a specific implementation, the IMEI data can be written at the same time as the SIM Lock data. The process is as follows. The ciphertext M7 is generated first: the locking and unlocking tool 31 encrypts the IMEI data with RSA SK to generate the ciphertext M7 and transmits M7 directly to the communication processor 32.
After the communication processor 32 successfully receives M7, M7 is decrypted with RSA PK, and the decrypted IMEI data is re-encrypted with AES to generate a ciphertext M8. The AES Key is again generated from the UID, and the communication processor 32 may finally write M8 to the corresponding location in NV.
It is understood that if the terminal further includes an application processor, the whole storage operation of the SIM Lock data can be completed on the communication processor 32 side, and the application processor is only responsible for the transparent transmission of the SIM Lock data.
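The key provisioning and tool authentication steps S301 to S310 described above, as an added example that is not code from the patent. HMAC-SHA256 stands in for the agreed AES encryption, the RSA key is a constructed toy key used without padding, and all class and function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA key (two Mersenne primes); real keys are 2048+ bits with padding.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent SK, kept by the tool's dongle


def pk_bytes(n, e):
    """Serialise PK = (n, e) for hashing and storage (format is an assumption)."""
    return f"{n}:{e}".encode()


def bind_tag(shared_key, pk, n1):
    """M1/M2 of S303/S304: keyed transform of hash(PK) + N1 (HMAC replaces AES here)."""
    h = int.from_bytes(hashlib.sha256(pk).digest(), "big")
    value = (h + n1) % 2**256
    return hmac.new(shared_key, value.to_bytes(32, "big"), hashlib.sha256).digest()


class CommProcessor:
    def __init__(self, uid, shared_key):
        self.uid, self.shared_key = uid, shared_key
        self.efuse_n1 = None    # second storage area: write-once
        self.nv = {}            # first storage area: rewritable
        self._n2 = None

    def store_nonce(self, n1):                       # S302
        if self.efuse_n1 is not None:
            raise PermissionError("eFUSE already programmed")
        self.efuse_n1 = n1

    def receive_pk(self, n, e, m1):                  # S304
        pk = pk_bytes(n, e)
        m2 = bind_tag(self.shared_key, pk, self.efuse_n1)
        if not hmac.compare_digest(m1, m2):
            return False                             # PK not bound to N1 and the agreed key
        uid_key = hashlib.sha256(b"uid-key" + self.uid).digest()  # assumed derivation
        self.nv["PK"] = (n, e)
        self.nv["SPK"] = hmac.new(uid_key, pk, hashlib.sha256).digest()
        return True

    def challenge(self):                             # S306: M1 = N2 encrypted with PK
        n, e = self.nv["PK"]
        self._n2 = secrets.randbelow(n - 2) + 2
        return pow(self._n2, e, n)

    def verify(self, m2):                            # S310: recover N3, compare with N2
        if self._n2 is None:
            return False
        n, e = self.nv["PK"]
        n3, expected = pow(m2, e, n), self._n2
        self._n2 = None                              # each challenge is single use
        return n3 == expected


class Tool:
    def __init__(self, n, e, d, shared_key):
        self.n, self.e, self.d, self.shared_key = n, e, d, shared_key

    def provision(self, cp):                         # S301 and S303
        n1 = secrets.randbits(128)
        cp.store_nonce(n1)
        m1 = bind_tag(self.shared_key, pk_bytes(self.n, self.e), n1)
        return cp.receive_pk(self.n, self.e, m1)

    def respond(self, m1):                           # S308: decrypt M1, re-encrypt N2 with SK
        n2 = pow(m1, self.d, self.n)
        return pow(n2, self.d, self.n)


def authenticate(cp, tool):
    """Run S305 to S310 once and return the communication processor's verdict."""
    return cp.verify(tool.respond(cp.challenge()))
```

The check in S304 holds only as long as the agreed symmetric key stays secret, and the response in S308 is in effect a raw RSA signature over N2, so a production design would use a padded signature scheme.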
In order to make those skilled in the art better understand and implement the present invention, the following also provides the security verification steps involved in the terminal when the communication processor is next started after the protection method of the SIM card lock data in the embodiment of the present invention is adopted, as shown in fig. 4:
S41: The RSA PK is acquired, and whether the RSA PK is valid is checked.
In an implementation, when the communication processor is started again, the terminal may acquire the RSA PK and check the validity of the RSA PK.
When it is determined that RSA PK is valid, S42 may be performed; otherwise, S43 is executed.
S42: Check the SIM Lock data.
In a specific implementation, the terminal may acquire the SIMLock related data and check it by using the AES and RSA algorithms in combination with a key generated from the UID, to determine whether the SIMLock data has been tampered with.
If the SIM Lock data has been tampered with, S43 may be performed; otherwise, S44 may be performed.
S43: Limit the use authority of the terminal.
In a specific implementation, in order to prevent destructive operations on the terminal and to protect the user's information, the usage rights of the terminal may be limited, for example by allowing only functions such as emergency calls.
S44: Continue to complete the starting process of the protocol stack.
In a specific implementation, if it is determined that the PK and SIM Lock data are both error-free, the boot process of the protocol stack may be continuously completed, so that the terminal may be normally used.
According to this security check of the starting process, the communication processor can check the SIM card locking data multiple times each time the terminal is started, and the use permission of the terminal can be limited as soon as the data is found to be tampered with, the public key is found to be tampered with, or another abnormality occurs.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium, and the storage medium may include ROM, RAM, magnetic or optical disks, and the like.
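The record stored in S317 and the boot check S41 to S44, as an added example that is not code from the patent. It shows that a changed field, or an NV image copied to a chip with a different UID, ends in the restricted state. The toy RSA key, the SHA-256 keystream and HMAC used in place of AES, the UID key derivation, and all names and sample data are constructed assumptions.

```python
import hashlib
import hmac

# Constructed toy RSA key (two Mersenne primes, no padding); for illustration only.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def uid_key(uid):
    """Device-unique symmetric key derived from the chip UID (derivation is assumed)."""
    return hashlib.sha256(b"simlock-key" + uid).digest()


def digest_int(data, n):
    """Hash reduced into the RSA modulus, the value that S1 signs."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def wrap(key, label, data):
    """Stand-in for AES: XOR with a SHA-256 keystream; the same call unwraps."""
    stream = hashlib.sha256(key + label).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def tag(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def tool_sign_static(static):
    """S315 on the tool: S1 = signature over the static data with RSA SK."""
    return pow(digest_int(static, N), D, N)


def store_lock_data(uid, pk, static, s1, dynamic):
    """S317 on the communication processor: verify S1, then build the NV record."""
    n, e = pk
    if pow(s1, e, n) != digest_int(static, n):
        raise ValueError("S1 does not verify against the static data")
    key = uid_key(uid)
    return {
        "PK": pk,
        "SPK": tag(key, f"{n}:{e}".encode()),          # PK bound to this chip
        "static": static,
        "M6": wrap(key, b"M6", s1.to_bytes(12, "big")),  # S1 re-encrypted under UID key
        "dynamic": dynamic,
        "S2": tag(key, dynamic),                        # dynamic data signed under UID key
    }


def boot_check(uid, nv):
    """S41 to S44: return 'normal' (S44) or 'restricted' (S43)."""
    key = uid_key(uid)
    n, e = nv["PK"]
    # S41: is the stored PK still the one this chip accepted?
    if not hmac.compare_digest(tag(key, f"{n}:{e}".encode()), nv["SPK"]):
        return "restricted"
    # S42: recover S1 from M6 and verify it over the static data with PK.
    s1 = int.from_bytes(wrap(key, b"M6", nv["M6"]), "big")
    static_ok = pow(s1, e, n) == digest_int(nv["static"], n)
    # S42: verify S2 over the dynamic data with the UID-derived key.
    dynamic_ok = hmac.compare_digest(tag(key, nv["dynamic"]), nv["S2"])
    return "normal" if static_ok and dynamic_ok else "restricted"
```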
Although the present invention is disclosed above, the present invention is not limited thereto. Various changes and modifications may be effected therein by one skilled in the art without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (23)

1. A method for protecting SIM card lock data of a terminal, the terminal including a communication processor, the method comprising:
transmitting and storing the SIM card locking data to a first storage area of the communication processor through a locking and unlocking tool, wherein the data of the first storage area can be changed;
before the transmitting and storing the SIM card lock data to the first storage area of the communication processor by the locking and unlocking tool, further comprising: transmitting and storing a random number to a second storage area of the communication processor through the locking and unlocking tool, wherein the data of the second storage area cannot be changed;
before transmitting the SIM card lock data to the communication processor, further comprising: the locking and unlocking tool performs an operation using the random number and the public key to obtain a first operation value, encrypts the first operation value to obtain a first encrypted value, and sends the first encrypted value and the public key to the communication processor together; the communication processor encrypts the public key to obtain a second encrypted value and judges whether the first encrypted value is the same as the second encrypted value; the communication processor determines that the data interaction with the locking and unlocking tool is unique when the first encrypted value is the same as the second encrypted value.
2. Method for protecting SIM card lock data of a terminal according to claim 1, characterized in that the SIM card lock data is stored in a hard coded or soft coded manner.
3. The method for protecting SIM card lock data of a terminal according to claim 2, further comprising:
and the communication processor adopts the public key to authenticate the locking and unlocking tool and pass the authentication.
4. The method for protecting SIM card lock data of a terminal according to claim 3, wherein the communication processor authenticating the locking and unlocking tool with the public key comprises:
the communication processor detects whether the public key is matched with a private key held by the locking and unlocking tool;
the communication processor determines to pass the authentication of the unlocking tool when it is determined that the public key matches a private key held by a source of the SIM card lock data.
5. Method for protecting SIM card lock data of a terminal according to claim 3, characterized in that the SIM card lock data comprises static data.
6. The method for protecting SIM card lock data according to claim 5, further comprising, before the unlocking tool sends the SIM card lock data to the communication processor:
the locking and unlocking tool encrypts static data in the SIM card locking data through a private key matched with the public key to generate a first ciphertext and sends the first ciphertext to the communication processor;
the communication processor decrypts the first ciphertext by using the public key;
after the decryption of the first ciphertext is successfully completed, the communication processor generates a first encryption key, performs double-layer encryption on the decrypted first ciphertext by using the first encryption key and the public key to generate a second ciphertext, and sends the second ciphertext to the locking and unlocking tool;
and the locking and unlocking tool replaces static data in the SIM card locking data with the second ciphertext.
7. The method for protecting SIM card lock data of a terminal according to claim 4, wherein the SIM card lock data comprises static data and dynamic data.
8. The method for protecting SIM card lock data of a terminal according to claim 7, further comprising, before the communication processor stores the SIM card lock data:
the locking and unlocking tool encrypts the dynamic data and signs the static data by adopting the private key and sends the dynamic data and the static data to the communication processor;
and the communication processor verifies the signature and decrypts the dynamic data, and encrypts and signs the verified signature and the decrypted dynamic data again and stores the encrypted and signed signature.
9. The method for protecting SIM card lock data of a terminal according to claim 8, wherein the locking/unlocking tool encrypts the dynamic data and signs the static data with the private key, and sends the encrypted dynamic data and the signed static data to the communication processor; the method comprises the following steps:
and the locking and unlocking tool encrypts the dynamic data to generate a third ciphertext, signs the static data to generate a first signature value, and sends the third ciphertext and the static data carrying the first signature value to the communication processor.
10. The method for protecting SIM card lock data of a terminal according to claim 9, wherein the communication processor verifies the signature and decrypts the dynamic data, and re-encrypts and signs the verified signature and the decrypted dynamic data, and stores them, comprising:
the communication processor checks the first signature value and decrypts the third ciphertext;
and after the third ciphertext is decrypted by checking the first signature value and the second signature value, the communication processor generates a second encryption key, encrypts the first signature value by using the second encryption key to generate a fourth ciphertext, signs the dynamic data by using the second encryption key to generate a second signature value, and stores the decrypted static data, the decrypted dynamic data, the decrypted second signature value and the fourth ciphertext.
11. The method for protecting SIM card lock data of a terminal according to claim 1, wherein the terminal further comprises an application processor, and the data interaction between the communication processor and the locking and unlocking tool is transmitted through the application processor.
12. A system for protecting SIM card lock data, comprising: a locking and unlocking tool and a terminal coupled thereto, wherein:
the terminal, including: the communication processor comprises a first storage area and a second storage area, the communication processor is suitable for receiving the SIM card lock data and the random number transmitted by the locking and unlocking tool and storing the SIM card lock data into the first storage area, the random number is stored into the second storage area, the data of the first storage area can be changed, and the data of the second storage area cannot be changed;
the locking and unlocking tool is suitable for transmitting the SIM card locking data and the random number to a communication processor of the terminal;
before the SIM card locking data is transmitted to the communication processor, the locking and unlocking tool performs an operation using the random number and the public key to obtain a first operation value, encrypts the first operation value to obtain a first encrypted value, and transmits the first encrypted value and the public key to the communication processor together; the communication processor encrypts the public key to obtain a second encrypted value and judges whether the first encrypted value is the same as the second encrypted value; the communication processor determines that the data interaction with the locking and unlocking tool is unique when the first encrypted value is the same as the second encrypted value.
13. The system for protecting SIM card lock data of claim 12, wherein said communication processor is adapted to store said SIM card lock data by hard coding or soft coding.
14. The system for protecting SIM card lock data of claim 13, wherein said communication processor is further adapted to authenticate and pass said locking and unlocking tool using said public key.
15. A system for protecting SIM card lock data according to claim 14, characterized in that the communication processor is adapted to detect whether the public key matches a private key held by the unlocking means, and to determine that the authentication of the unlocking means is passed when it is determined that the public key matches a private key held by the source of the SIM card lock data.
16. The system for protecting SIM card lock data of claim 14, wherein said SIM card lock data comprises static data.
17. The system for protecting SIM card lock data according to claim 16, wherein said locking/unlocking tool is further adapted to encrypt static data in the SIM card lock data by a private key matching the public key before transmitting the SIM card lock data to the communication processor, generate a first ciphertext, and transmit the first ciphertext to the communication processor; the communication processor is further adapted to decrypt the first ciphertext using the public key; after the decryption of the first ciphertext is successfully completed, generating a first encryption key, performing double-layer encryption on the decrypted first ciphertext by using the first encryption key and the public key to generate a second ciphertext, and sending the data to the locking and unlocking tool so that the locking and unlocking tool replaces static data in the SIM card locking data with the second ciphertext.
18. The system for protecting SIM card lock data of claim 15, wherein said SIM card lock data comprises static data and dynamic data.
19. The system for protecting SIM card lock data of claim 18, wherein said locking and unlocking tool is further adapted to encrypt the dynamic data and sign the static data with said private key before said communication processor stores said SIM card lock data, and to send said encrypted dynamic data and said signed static data to said communication processor;
the communication processor is also suitable for verifying the signature and decrypting the dynamic data, and encrypting and signing the verified signature and the decrypted dynamic data again and storing the signature and the decrypted dynamic data.
20. The system for protecting SIM card lock data according to claim 19, wherein the locking/unlocking tool is adapted to encrypt the dynamic data to generate a third ciphertext, sign the static data to generate a first signature value, and send the third ciphertext and the static data carrying the first signature value to the communication processor.
21. The system for protecting SIM card lock data of claim 20, wherein said communication processor is further adapted to check said first signature value and decrypt said third cipher text;
and after the third ciphertext is decrypted by checking the first signature value and the second signature value, generating a second encryption key, encrypting the first signature value by using the second encryption key to generate a fourth ciphertext, signing the dynamic data by using the second encryption key to generate a second signature value, and storing the decrypted static data, the decrypted dynamic data, the decrypted second signature value and the fourth ciphertext.
22. The system for protecting SIM card lock data of claim 12, wherein said terminal further comprises an application processor adapted to pass through data between said communication processor and said locking and unlocking means.
23. The system for protecting SIM card lock data as set forth in claim 12, wherein said communication processor is further adapted to transmit identification code data of said terminal with said locking/unlocking tool through a cipher text and store said identification code data in said first storage area.
CN201610280771.XA 2016-04-29 2016-04-29 Method and system for protecting SIM card locking data of terminal Active CN107343276B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610280771.XA CN107343276B (en) 2016-04-29 2016-04-29 Method and system for protecting SIM card locking data of terminal

Publications (2)

Publication Number Publication Date
CN107343276A CN107343276A (en) 2017-11-10
CN107343276B true CN107343276B (en) 2020-01-07

Family

ID=60221952

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610280771.XA Active CN107343276B (en) 2016-04-29 2016-04-29 Method and system for protecting SIM card locking data of terminal

Country Status (1)

Country Link
CN (1) CN107343276B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CB03 Change of inventor or designer information
Inventor after: Zhou Lei
Inventor after: Liu Zhiyong
Inventor before: Zhou Lei
Inventor before: Liu Zhiyong