CN107547573B - authentication method applied to eSIM, RSP terminal and management platform - Google Patents


Info

Publication number: CN107547573B
Authority: CN (China)
Prior art keywords: esim, certificate, signature, rsp, management platform
Legal status: Active
Application number: CN201710995976.0A
Other languages: Chinese (zh)
Other versions: CN107547573A (en)
Inventors: 侯晓军, 王跃强, 周晓宇, 叶剑, 李贺男, 刘明奥
Current Assignee: China United Network Communications Group Co Ltd
Original Assignee: China United Network Communications Group Co Ltd

Legal events

  • Application filed by China United Network Communications Group Co Ltd
  • Priority to CN201710995976.0A
  • Publication of CN107547573A
  • Application granted
  • Publication of CN107547573B
  • Legal status: Active

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides an authentication method, an RSP terminal and a management platform applied to eSIM, wherein the method comprises the following steps: an RSP terminal provided with an eSIM sends an authentication request to a management platform, wherein the authentication request comprises an identification of an eSIM certificate supported by the eSIM, and the identification of the eSIM certificate is used for the management platform to search a DP certificate consistent with the identification of the eSIM certificate; and the RSP terminal receives an authentication result returned by the management platform, wherein the authentication result is obtained by authenticating the eSIM according to the authentication request after the DP certificate is found by the platform. According to the scheme, the certificates supported by the two parties are confirmed before the authentication process is carried out, mutual authentication between the management platform and the RSP terminal is achieved, and authentication efficiency is improved.

Description

Authentication method applied to eSIM, RSP terminal and management platform
Technical Field
The present invention relates to the field of communications, and in particular to an authentication method, an RSP terminal and a management platform for an eSIM.
Background
The existing Subscriber Identity Module (SIM) card writing processes are of two kinds. The first is the card writing process of a physical SIM card: card data is written into the SIM card through a card writer; the SIM card is in physical contact with the equipment, so the card data is guaranteed to be written into the correct card without online authentication. The second is the over-the-air card writing process: the operator sends data SMS messages to the card via a number preset in the card, the card data is transmitted into the card, and the SIM card and the operator authenticate each other through the network parameters of the preset number to ensure that the card data is written into the correct terminal. Apart from these two ways, entities on the network generally use digital certificates for online mutual authentication; this authentication method is mainly applied to physical SIM cards, and since the operator of a physical SIM card is determined before it leaves the factory, the card only needs to perform security authentication with that one operator, so only the one set of parameters required for that operator's authentication needs to be preset.
eSIM is short for embedded SIM, and a consumer electronic terminal supporting eSIM is called an RSP (remote SIM provisioning) terminal, which has a remote SIM configuration function: when an operator opens an account and handles a number selection and network access service, the management platform issues the operator's communication information (an electronic card) to the RSP terminal to enable the communication function. Specifically, the operators an RSP terminal will support cannot be determined before it leaves the factory, one RSP terminal may store the data of several electronic cards, and that data may come from different operators. As a result, the RSP terminal and the management platform do not know which certificates the other party supports, and a general certificate authentication process cannot support mutual authentication between the RSP terminal and the management platform.
Disclosure of Invention
The invention provides an authentication method, an RSP terminal and a management platform applied to an eSIM (embedded Subscriber Identity Module), which are used to realize mutual authentication between the RSP terminal and the management platform.
a first aspect of the present invention provides an authentication method applied to an eSIM, including: an RSP terminal provided with an eSIM sends an authentication request to a management platform, wherein the authentication request comprises an identification of an eSIM certificate supported by the eSIM, and the identification of the eSIM certificate is used for the management platform to search a DP certificate consistent with the identification of the eSIM certificate; and the RSP terminal receives an authentication result returned by the management platform, wherein the authentication result is obtained by authenticating the eSIM according to the authentication request after the DP certificate is found by the platform.
A second aspect of the present invention provides an authentication method applied to an eSIM, including: the method comprises the steps that a management platform receives an authentication request sent by an RSP terminal provided with an eSIM, wherein the authentication request comprises an identification of an eSIM certificate supported by the eSIM; and the management platform searches for a DP certificate consistent with the identification of the eSIM certificate, authenticates the eSIM according to the authentication request if the DP certificate is found, and returns an authentication result to the RSP terminal.
A third aspect of the present invention provides an RSP terminal provided with an eSIM, the RSP terminal including: a sending module, configured to send an authentication request to a management platform, where the authentication request includes an identifier of an eSIM certificate supported by the eSIM, and the identifier of the eSIM certificate is used for the management platform to search for a DP certificate that is consistent with the identifier of the eSIM certificate; and the receiving module is used for receiving an authentication result returned by the management platform, wherein the authentication result is obtained by authenticating the eSIM according to the authentication request after the DP certificate is found by the platform.
A fourth aspect of the present invention provides a management platform, comprising: the system comprises a receiving module and a sending module, wherein the receiving module is used for receiving an authentication request sent by an RSP terminal provided with an eSIM, and the authentication request comprises an identification of an eSIM certificate supported by the eSIM; and the processing module is used for searching the DP certificate consistent with the identification of the eSIM certificate, authenticating the eSIM according to the authentication request if the DP certificate is found, and returning an authentication result to the RSP terminal.
The RSP terminal sends the identifier of the certificate supported by the eSIM to the management platform, and the management platform compares the identifier of each locally supported DP certificate with the identifier of the certificate supported by the eSIM to determine whether a DP certificate with a consistent identifier exists; if so, it determines that authentication of the eSIM of the RSP terminal can be supported. The certificates supported by both sides are thus confirmed before the authentication process, mutual authentication between the management platform and the RSP terminal is realized, and authentication efficiency is improved.
Drawings
Reference will now be made in brief to the drawings that are needed in describing embodiments or prior art.
Fig. 1A to fig. 1B are schematic flow charts of an authentication method applied to an eSIM according to an embodiment of the present invention;
Fig. 2A to fig. 2B are schematic flow charts of an authentication method applied to an eSIM according to a second embodiment of the present invention;
Fig. 3A to fig. 3B are schematic structural diagrams of an RSP terminal according to a fourth embodiment of the present invention;
Fig. 4A to 4B are schematic structural diagrams of a management platform according to a fifth embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be described clearly and completely below with reference to the drawings; the described embodiments are some, not all, of the embodiments of the present invention. First, some terms and English abbreviations appearing in the present application are explained:
RSP terminal: a Remote SIM Provisioning terminal, i.e. a terminal with a remote SIM card configuration function, such as a mobile phone or a POS machine;
eSIM card: an embedded SIM card;
eUICC: Embedded Universal Integrated Circuit Card, the physical form of the eSIM card;
EUM: eUICC Manufacturer, the card manufacturer;
DP: short for SM-DP (Subscription Manager Data Preparation), a subscription management data preparation server that in the present application belongs to the management platform; a DP certificate is a certificate of this server and is used to authenticate the eUICC card installed in the terminal.
Fig. 1A is a flowchart of an authentication method applied to an eSIM according to an embodiment of the present invention, taking as an example the case where the method is applied to an RSP terminal; as shown in fig. 1A, the method includes:
101. The RSP terminal provided with the eSIM sends an authentication request to a management platform, wherein the authentication request comprises an identification of an eSIM certificate supported by the eSIM. Wherein the identity of the eSIM certificate is used for the management platform to find a DP certificate that is consistent with the identity of the eSIM certificate;
102. And the RSP terminal receives an authentication result returned by the management platform, wherein the authentication result is obtained by authenticating the eSIM according to the authentication request after the DP certificate is found by the platform.
In practical application, the main functions of the management platform are generation, management and issuing of card data. Before the card data is issued, the management platform and the RSP terminal need to perform mutual authentication, and then the card data can be issued to an eSIM card in the RSP terminal. The executing body of the embodiment may be an RSP terminal provided with an eSIM, and the RSP terminal may include, but is not limited to, a wireless POS machine, a computer, and the like. Since the eUICC is a physical form of an eSIM card, when communication interaction is performed between an eSIM and another interaction subject in an actual application, the communication interaction can be performed through the eUICC.
In order to support more operators, certificates with different roots issued by several different CAs are preset in the RSP terminal, and likewise certificates with different roots issued by several different CAs are preset in the management platform. Taking an actual scenario as an example: after the user selects an operator to handle a service using the RSP terminal, the RSP terminal accesses the management platform according to the information sent by the operator, and the management platform issues the card data to the RSP terminal after mutual authentication. Specifically, in the present solution, when the RSP terminal needs to authenticate, it sends an authentication request to the management platform; the authentication request includes the identifier of an eSIM certificate supported by the eSIM in the RSP terminal. After receiving the authentication request, the management platform first searches whether a DP certificate consistent with the identifier of the eSIM certificate exists; if so, it can continue with the authentication and finally return an authentication result to the RSP terminal. The identifier of a certificate serves to identify the certificate; specifically, it may be the ID of the root certificate of that certificate. In this embodiment, to distinguish the root certificates of the different subjects locally, the root certificate supported by the eSIM, that is, the eUICC, is referred to as the eSIM certificate; other names such as eSIM signature and eSIM signature body are likewise used only to distinguish the items named, and do not limit the substance they correspond to.
Optionally, if a DP certificate with a consistent identifier is not found, on the basis of the first embodiment, the method may further include: and the RSP terminal receives an error message sent by the management platform, wherein the error message is used for representing that the DP certificate consistent with the identification of the eSIM certificate is not found.
In practical applications, each DP certificate supported by the management platform may be stored locally, or may be stored in a separate DP platform. Assuming that each DP certificate is stored in the DP platform, the management platform may locally maintain only an identification list of the DP certificate, and when receiving the authentication request, the management platform may determine whether there is a certificate that is consistent with a certificate supported by the eSIM in each DP certificate supported by the management platform based on the list, specifically, may search for a certificate that is consistent with the identification by performing a loop traversal on the list. Further, when the management platform needs to call a certain DP certificate, the DP certificate can be called from the DP platform.
Further, a specific authentication method may be as shown in fig. 1B, which is a schematic flow chart of another authentication method applied to an eSIM according to the first embodiment of the present invention. On the basis of the first embodiment, the authentication request further includes a generated eSIM random number; accordingly, before 102, the method may further include:
103. The RSP terminal receives the identifier of the DP certificate, a DP signature body and a DP signature sent by the management platform, and verifies the DP certificate with the public key of the eSIM certificate consistent with the identifier of the DP certificate;
104. If the verification passes, the RSP terminal verifies the DP signature with the public key of the DP certificate and compares the result with the DP signature body; if they are consistent, it obtains an eSIM signature body from the DP random number and the information of the eSIM, and signs the eSIM signature body to obtain an eSIM signature;
105. The RSP terminal transmits the eSIM certificate, the EUM certificate of the eSIM, the eSIM signature body and the eSIM signature to the management platform, so that the management platform authenticates the eSIM.
Specifically, if the management platform finds a DP certificate consistent with the identifier of an eSIM certificate supported by the eSIM, it forms a DP signature body from the eSIM random number in the authentication request and a DP random number it generates, and signs the DP signature body with the private key of the DP certificate to obtain a DP signature; the management platform then sends the identifier of the DP certificate, the DP signature body and the DP signature to the RSP terminal. After receiving this data, the RSP terminal verifies the DP certificate with the public key of the eSIM certificate consistent with the identifier of the DP certificate; if that verification fails, the RSP terminal sends a verification failure message to the management platform; if it passes, the RSP terminal further verifies the DP signature with the public key of the DP certificate and compares the result with the DP signature body; if they are consistent, the RSP terminal packs the DP random number together with the information of the eSIM to generate an eSIM signature body, and signs the eSIM signature body to obtain an eSIM signature. The RSP terminal sends the eSIM certificate, the EUM certificate of the eSIM, the eSIM signature body and the eSIM signature to the management platform (optionally, if the comparison above is inconsistent, the RSP terminal instead returns a verification failure message to the management platform). The management platform verifies the received eSIM certificate and EUM certificate against the DP certificate; if the verification passes, it verifies the eSIM signature with the public key of the received eSIM certificate and compares the result with the received eSIM signature body; if they are consistent, the authentication succeeds and is complete.
The information of the eUICC is an information body preset in the eUICC.
The step of signing may be performed by the management platform itself, or may also be performed by authorizing an independent module to perform signing separately, for example, an encryption engine is separately provided, and the management platform sends data that needs to be signed to the encryption engine to perform signing and obtains a signature returned by the encryption engine.
It should be noted that, if the eSIM of the RSP terminal supports multiple eSIM certificates, each eSIM certificate is authenticated according to the authentication method provided in the present solution, so as to implement the multi-operator support function of the RSP terminal.
In the authentication method applied to the eSIM provided in this embodiment, the RSP terminal sends the identifier of the certificate supported by its eSIM to the management platform, and the management platform compares the identifiers of its locally supported DP certificates with the identifier of the certificate supported by the eSIM to determine whether a DP certificate with a consistent identifier exists; if so, it determines that authentication of the eSIM of the RSP terminal can be supported. The certificates supported by both parties are thus confirmed before the authentication process is performed, mutual authentication between the management platform and the RSP terminal is implemented, and authentication efficiency is improved.
Fig. 2A is a schematic flowchart of an authentication method applied to an eSIM according to a second embodiment of the present invention, taking as an example the case where the method is applied to a management platform; as shown in fig. 2A, the method includes:
201. the method comprises the steps that a management platform receives an authentication request sent by an RSP terminal provided with an eSIM, wherein the authentication request comprises an identification of an eSIM certificate supported by the eSIM;
202. and the management platform searches for a DP certificate consistent with the identification of the eSIM certificate, authenticates the eSIM according to the authentication request if the DP certificate is found, and returns an authentication result to the RSP terminal.
In practical application, the main functions of the management platform are generation, management and issuing of card data. Before the card data is issued, the management platform and the RSP terminal need to perform mutual authentication, and then the card data can be issued to an eSIM card in the RSP terminal. The RSP terminal may include, but is not limited to, a wireless POS, a computer, etc.
Again taking an actual scenario as an example: after the user selects an operator to handle a service using the RSP terminal, the RSP terminal accesses the management platform according to the information sent by the operator, and the management platform issues the card data to the RSP terminal after mutual authentication. Specifically, in the present solution, when the RSP terminal needs to authenticate, it sends an authentication request to the management platform; the authentication request includes the identifier of an eSIM certificate supported by the eSIM in the RSP terminal. After receiving the authentication request, the management platform first searches whether a DP certificate consistent with the identifier of the eSIM certificate exists; if so, it can continue with the authentication and finally return an authentication result to the RSP terminal. The identifier of a certificate serves to identify the certificate; specifically, it may be the ID of the root certificate of that certificate.
Optionally, if a DP certificate with a consistent identifier is not found, on the basis of the second embodiment, the method may further include: and if the DP certificate consistent with the identification of the eSIM certificate is not found, the management platform sends an error message to the RSP terminal.
In practical applications, each DP certificate supported by the management platform may be stored locally, or may be stored in a separate DP platform. Assuming that each DP certificate is stored in the DP platform, the management platform may locally maintain only an identification list of the DP certificate, and when receiving the authentication request, the management platform may determine whether there is a certificate that is consistent with a certificate supported by the eSIM in each DP certificate supported by the management platform based on the list, specifically, may search for a certificate that is consistent with the identification by performing a loop traversal on the list. Further, when the management platform needs to call a certain DP certificate, the DP certificate can be called from the DP platform.
Further, a specific authentication method may be as shown in fig. 2B, which is a schematic flow chart of another authentication method applied to an eSIM according to the second embodiment of the present invention. On the basis of the second embodiment, the authentication request further includes a generated eSIM random number; correspondingly, 201 may specifically include:
203. The management platform obtains a DP signature body from the eSIM random number and a generated DP random number, and signs the DP signature body with the private key of the DP certificate to obtain a DP signature;
204. The management platform sends the identifier of the DP certificate, the DP signature body and the DP signature to the RSP terminal, so that the RSP terminal verifies the DP certificate with the public key of the eSIM certificate consistent with the identifier of the DP certificate;
205. The management platform receives the eSIM certificate, the EUM certificate of the eSIM, an eSIM signature body and an eSIM signature sent by the RSP terminal, and verifies the eSIM certificate and the EUM certificate according to the DP certificate;
206. If the verification passes, the management platform verifies the eSIM signature with the public key of the eSIM certificate and compares the result with the eSIM signature body; if they are consistent, the eSIM is successfully authenticated.
Specifically, if the management platform finds a DP certificate consistent with the identifier of an eSIM certificate supported by the eSIM, it forms a DP signature body from the eSIM random number in the authentication request and a DP random number it generates, and signs the DP signature body with the private key of the DP certificate to obtain a DP signature; the management platform then sends the identifier of the DP certificate, the DP signature body and the DP signature to the RSP terminal. After receiving this data, the RSP terminal verifies the DP certificate with the public key of the eSIM certificate consistent with the identifier of the DP certificate; if that verification fails, the RSP terminal sends a verification failure message to the management platform; if it passes, the RSP terminal further verifies the DP signature with the public key of the DP certificate and compares the result with the DP signature body; if they are consistent, the RSP terminal packs the DP random number together with the information of the eSIM to generate an eSIM signature body, and signs the eSIM signature body to obtain an eSIM signature. The RSP terminal sends the eSIM certificate, the EUM certificate of the eSIM, the eSIM signature body and the eSIM signature to the management platform (optionally, if the comparison above is inconsistent, the RSP terminal instead returns a verification failure message to the management platform). The management platform verifies the received eSIM certificate and EUM certificate against the DP certificate; if the verification passes, it verifies the eSIM signature with the public key of the received eSIM certificate and compares the result with the received eSIM signature body; if they are consistent, the authentication succeeds and is complete.
The signing step may be performed by the management platform itself, or delegated to a separate module that performs the signing on its own; for example, a separate encryption engine is provided, the management platform sends the data that needs to be signed to the encryption engine, and the encryption engine returns the signature.
It should be noted that if the eSIM of the RSP terminal supports multiple eSIM certificates, each eSIM certificate is authenticated according to the authentication method provided in the present solution, so as to implement the multi-operator support function of the RSP terminal. For the steps executed by the RSP terminal in this embodiment, refer to the relevant content of the first embodiment.
In the authentication method applied to the eSIM provided in this embodiment, the RSP terminal sends the identifier of the certificate supported by its eSIM to the management platform, and the management platform compares each locally supported DP certificate with the identifier of the certificate supported by the eSIM to determine whether a DP certificate with a consistent identifier exists; if so, it determines that authentication of the eSIM of the RSP terminal can be supported. The certificates supported by both sides are thus confirmed before the authentication process is performed, mutual authentication between the management platform and the RSP terminal is implemented, and authentication efficiency is improved.
In practical application, after a user selects an operator to handle a service by using the RSP terminal, the RSP terminal accesses the management platform according to information sent by the operator, and the management platform issues card data to the eUICC embedded in the RSP terminal after mutual authentication. For example, a third embodiment of the present invention provides an authentication method applied to an eSIM, where the method includes:
301. The terminal requests authentication from the management platform, transmitting a random number generated by the eSIM and the list of root certificate IDs supported by the eSIM;
302. The management platform loops over the root certificate ID list supported by the eSIM and compares each entry in turn with the certificate ID field of the root certificate data table supported by the management platform;
303. If a consistent root certificate is found, the traversal ends and that root certificate is stored; if the traversal ends without a match, the management platform returns the error message 'the matched root certificate is not found' to the terminal;
304. The management platform searches its platform DP certificate data table for the platform DP certificate whose root certificate ID field equals the root certificate ID found in step 303;
305. The management platform stores the platform DP certificate found;
306. The management platform generates a platform DP random number;
307. The management platform packs the platform DP random number together with the eSIM random number received in step 1 to generate a platform DP signature body, and stores it;
308. The management platform transmits the platform DP certificate and the platform DP signature body to the encryption engine for signing;
309. The encryption engine finds the private key corresponding to the platform DP certificate, signs the platform DP signature body with it, and returns the generated platform DP signature to the management platform, which stores it;
310. The management platform returns to the terminal the root certificate ID stored in step 303, the platform DP certificate stored in step 305, the platform DP signature body stored in step 307 and the platform DP signature stored in step 309;
311. The terminal finds the eSIM certificate corresponding to the root certificate ID received in step 310 and verifies the platform DP certificate received in step 310 with the public key of that eSIM certificate;
312. If the verification in step 311 passes, the terminal verifies the platform DP signature received in step 310 with the public key in the platform DP certificate and compares the result with the platform DP signature body received in step 310; if the verification fails, the terminal returns the error message 'failed verification' to the management platform;
313. The terminal packs the platform DP random number together with the information body preset in the eSIM to create an eSIM signature body, and stores it;
314. The terminal signs the eSIM signature body to generate an eSIM signature, and stores it;
315. The terminal retrieves the supported eSIM certificate according to the root certificate ID received in step 310, and transmits it, together with the EUM certificate, the eSIM signature body stored in step 313 and the eSIM signature stored in step 314, to the management platform;
316-317. The management platform verifies the eSIM certificate and the EUM certificate against the root certificate;
318. If the verification passes, the management platform verifies the eSIM signature received in step 315 with the public key in the eSIM certificate and compares the result with the eSIM signature body received in step 315; if either check fails, it returns the error message 'failed verification' to the terminal;
319. If the verification passes, the mutual authentication between the terminal and the management platform is complete.
In practical application, the main functions of the management platform are generation, management and issuing of card data. The RSP terminal may include, but is not limited to, a wireless POS, a computer, etc.
It should be noted that, if the eSIM of the RSP terminal supports multiple eSIM certificates, each eSIM certificate is authenticated according to the authentication method provided in the present solution, so as to implement the multi-operator support function of the RSP terminal.
In the authentication method applied to the eSIM provided in this embodiment, the RSP terminal sends the certificate identifier supported by the eSIM of the RSP terminal to the management platform, and the management platform determines whether there is a DP certificate with a consistent identifier by comparing each DP certificate supported locally with the identifier of the certificate supported by the eSIM, and if so, determines that the authentication of the eSIM of the RSP terminal can be supported, so that the certificates supported by both sides are confirmed before the authentication process is performed, thereby implementing mutual authentication between the management platform and the RSP terminal, and improving the authentication efficiency.
Fig. 3A is a schematic structural diagram of an RSP terminal according to a fourth embodiment of the present invention, and as shown in Fig. 3A, the RSP terminal is provided with an eSIM, and the RSP terminal includes:
a sending module 31, configured to send an authentication request to a management platform, where the authentication request includes an identifier of an eSIM certificate supported by the eSIM, and the identifier of the eSIM certificate is used for the management platform to find a DP certificate that is consistent with the identifier of the eSIM certificate;
a receiving module 32, configured to receive an authentication result returned by the management platform, where the authentication result is obtained by authenticating, according to the authentication request, the eSIM after the DP certificate is found by the platform.
In practical application, the main functions of the management platform are generation, management and issuing of card data. Before the card data is issued, the management platform and the RSP terminal need to perform mutual authentication, and then the card data can be issued to an eSIM card in the RSP terminal. The RSP terminal may include, but is not limited to, a wireless POS, a computer, etc.
Specifically, in this scheme, when the RSP terminal needs to perform authentication, the sending module 31 sends an authentication request to the management platform, where the authentication request includes an identifier of an eSIM certificate supported by an eSIM in the RSP terminal, and after receiving the authentication request, the management platform first searches whether a DP certificate that is consistent with the identifier of the eSIM certificate exists, and if so, can continue to perform authentication, and finally returns an authentication result to the receiving module 32 of the RSP terminal. The identifier of the certificate is used to identify the certificate, and specifically, the identifier of the certificate may be an ID of a root certificate of the certificate.
Optionally, if a DP certificate with a consistent identifier is not found, on the basis of the fourth embodiment, the receiving module 32 is further configured to receive an error message sent by the management platform, where the error message is used to represent that a DP certificate with a consistent identifier of the eSIM certificate is not found.
Further, as shown in Fig. 3B, which is a schematic structural diagram of another RSP terminal according to the fourth embodiment of the present invention, on the basis of the fourth embodiment the authentication request further includes a generated eSIM random number; accordingly:
a receiving module 32, further configured to receive the identifier of the DP certificate, a DP signature body, and a DP signature sent by the management platform, and verify the DP certificate with a public key of the eSIM certificate that is consistent with the identifier of the DP certificate;
The RSP terminal further includes:
The processing module 33 is configured to, if the verification is successful, sign off the DP signature using the public key of the DP certificate, compare the signed-off DP signature with the DP signature body, and if the DP signature is consistent with the DP signature body, obtain an eSIM signature body according to the DP random number and the eSIM information, and sign the eSIM signature body to obtain an eSIM signature;
The sending module 31 is further configured to send the eSIM certificate, the EUM certificate of the eSIM, the eSIM signature body, and the eSIM signature to the management platform, so that the management platform authenticates the eSIM.
Specifically, if the management platform finds a DP certificate consistent with the identifier of an eSIM certificate supported by the eSIM, it obtains a DP signature body from the eSIM random number in the authentication request and a generated DP random number, and signs the DP certificate and the DP signature body to obtain a DP signature; the management platform sends the identifier of the DP certificate, the DP signature body and the DP signature to the receiving module 32; after receiving the data, the receiving module 32 verifies the DP certificate with the public key of the eSIM certificate consistent with the identifier of the DP certificate; if the verification fails, the sending module 31 sends a verification failure message to the management platform; if the verification passes, the processing module 33 further signs off the DP signature with the public key of the DP certificate and compares the signed-off DP signature with the DP signature body, and if the comparison is consistent, the RSP terminal packs the DP random number and the eSIM information together to generate an eSIM signature body and signs the eSIM signature body to obtain an eSIM signature; the sending module 31 sends the eSIM certificate, the EUM certificate of the eSIM, the eSIM signature body and the eSIM signature to the management platform, and optionally, if the comparison in the above steps is inconsistent, the sending module 31 returns a verification failure message to the management platform; the management platform verifies the received eSIM certificate and EUM certificate according to the DP certificate, and if the verification passes, signs off the eSIM signature with the public key of the received eSIM certificate and compares the signed-off eSIM signature with the received eSIM signature body; if the comparison is consistent, the authentication succeeds and is complete.
It should be noted that, if the eSIM of the RSP terminal supports multiple eSIM certificates, each eSIM certificate is authenticated according to the authentication method provided in the present solution, so as to implement the multi-operator support function of the RSP terminal.
The RSP terminal provided in this embodiment sends the certificate identifier supported by its own eSIM to the management platform, and the management platform determines whether there is a DP certificate with a consistent identifier by comparing each DP certificate supported locally with the identifier of the certificate supported by the eSIM, and if so, determines that it can support authentication on the eSIM of the RSP terminal, thereby confirming the certificates supported by both parties before performing an authentication procedure, implementing mutual authentication between the management platform and the RSP terminal, and improving authentication efficiency.
Fig. 4A is a schematic structural diagram of a management platform according to a fifth embodiment of the present invention, and as shown in fig. 4A, the management platform includes:
A receiving module 41, configured to receive an authentication request sent by an RSP terminal provided with an eSIM, where the authentication request includes an identifier of an eSIM certificate supported by the eSIM;
The processing module 42 is configured to search for a DP certificate that is consistent with the identifier of the eSIM certificate, authenticate the eSIM according to the authentication request if the DP certificate is found, and return an authentication result to the RSP terminal.
In practical application, the main functions of the management platform are generation, management and issuing of card data. The RSP terminal may include, but is not limited to, a wireless POS, a computer, etc. The identifier of the certificate is used to identify the certificate, and specifically, the identifier of the certificate may be an ID of a root certificate of the certificate.
Optionally, if a DP certificate with a consistent identifier is not found, on the basis of the fifth embodiment, the management platform may further include: a sending module, configured to send an error message to the RSP terminal if the DP certificate that is consistent with the identifier of the eSIM certificate is not found.
In practical applications, each DP certificate supported by the management platform may be stored locally or in a separate DP platform. Assuming that each DP certificate is stored in the DP platform, the management platform may locally maintain only a list of DP certificate identifiers; when the receiving module 41 receives the authentication request, it can determine from that list whether any DP certificate supported by the management platform is consistent with the certificate supported by the eSIM, specifically by traversing the list in a loop to look for a consistent identifier. Further, when the processing module 42 needs to use a particular DP certificate, it may retrieve it from the DP platform.
Further, as shown in Fig. 4B, which is a schematic structural diagram of another management platform provided in the fifth embodiment of the present invention, on the basis of the fifth embodiment the authentication request further includes a generated eSIM random number; accordingly, the processing module 42 may include:
A signature unit 421, configured to obtain a DP signature body according to the eSIM random number and the generated DP random number, and sign the DP certificate and the DP signature body to obtain a DP signature;
a sending unit 422, configured to send the identifier of the DP certificate, the DP signature body, and the DP signature to the RSP terminal, so that the RSP terminal verifies the DP certificate with a public key of the eSIM certificate that is consistent with the identifier of the DP certificate;
a receiving module 41, further configured to receive the eSIM certificate, the EUM certificate of the eSIM, an eSIM signature body, and an eSIM signature sent by the RSP terminal, and verify the eSIM certificate and the EUM certificate according to the DP certificate;
The processing module 42 is further configured to, if the verification is successful, sign off the eSIM signature by using the public key of the eSIM certificate, compare the signed eSIM signature with the eSIM signature body, and if the signed eSIM signature is consistent with the eSIM signature body, successfully authenticate the eSIM.
Specifically, if the processing module 42 finds a DP certificate consistent with the identifier of the eSIM certificate supported by the eSIM, the signature unit 421 obtains a DP signature body from the eSIM random number in the authentication request and a generated DP random number, and signs the DP certificate and the DP signature body to obtain a DP signature; the sending unit 422 sends the identifier of the DP certificate, the DP signature body and the DP signature to the RSP terminal; after receiving the data, the RSP terminal verifies the DP certificate with the public key of the eSIM certificate consistent with the identifier of the DP certificate; if the verification fails, the RSP terminal sends a verification failure message to the management platform; if the verification passes, the RSP terminal further signs off the DP signature with the public key of the DP certificate and compares the signed-off DP signature with the DP signature body, and if the comparison is consistent, the RSP terminal packs the DP random number and the eSIM information together to generate an eSIM signature body and signs the eSIM signature body to obtain the eSIM signature; the RSP terminal sends the eSIM certificate, the EUM certificate of the eSIM, the eSIM signature body and the eSIM signature to the management platform, and optionally, if the comparison in the above steps is inconsistent, the RSP terminal returns a verification failure message to the management platform; the receiving module 41 verifies the received eSIM certificate and EUM certificate according to the DP certificate, and if the verification passes, the processing module 42 signs off the eSIM signature with the public key of the received eSIM certificate and compares the signed-off eSIM signature with the received eSIM signature body; if the comparison is consistent, the authentication succeeds and is complete.
The step of signing may be performed by the management platform itself, or may be delegated to an independent module that performs the signing separately: for example, a separate encryption engine is provided, and the management platform sends the data that needs to be signed to the encryption engine and obtains the signature it returns.
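The management platform side of the exchange, covering steps 302 to 310 and 316 to 319 above and the processing module of the fifth embodiment just described, as an added Go example that is not part of the patent. A signed public key stands in for each X.509 certificate, Ed25519 for the signing algorithm, and a SHA-256 of the root public key for the root certificate ID; those choices and every name in the code (Cert, Msg, Platform, Respond, Finish, RootID, NewFixture) are assumptions, and the terminal's steps appear only as the two constructed messages that main builds.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const nonceLen = 16 // size of the eSIM and DP random numbers (assumption)

// Cert stands in for an X.509 certificate: a public key plus the issuer's signature over it (empty for a root).
type Cert struct {
	Pub ed25519.PublicKey
	Sig []byte
}

// issue creates a key pair and a certificate over its public key signed by issuer (nil for the self-signed root).
func issue(issuer ed25519.PrivateKey) (Cert, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // fixture only; rand.Reader does not fail here
	c := Cert{Pub: pub}
	if issuer != nil {
		c.Sig = ed25519.Sign(issuer, pub)
	}
	return c, priv
}

// certOK checks that issuer signed c (step 317: verify a certificate with its issuer's public key).
func certOK(issuer, c Cert) bool {
	return len(issuer.Pub) == ed25519.PublicKeySize && ed25519.Verify(issuer.Pub, c.Pub, c.Sig)
}

// RootID is the certificate identifier the terminal sends in step 301: SHA-256 of the root public key (assumption).
func RootID(root Cert) string { return fmt.Sprintf("%x", sha256.Sum256(root.Pub)) }

// Msg is one protocol message; a step leaves the fields it does not use empty.
type Msg struct {
	RootID string
	Certs  []Cert // step 310: [DP cert]; step 315: [EUM cert, eSIM cert]
	Body   []byte // step 301: eSIM nonce; step 310: DP signature body; step 315: eSIM signature body
	Sig    []byte
}

// dpEntry is one row of the platform DP certificate data table; in the patent the key sits in the encryption machine.
type dpEntry struct {
	root, dp Cert
	key      ed25519.PrivateKey
}

// Platform is the management platform's DP certificate data table, keyed by root-certificate ID.
type Platform map[string]dpEntry

// Respond is steps 302-310: match the root ID in the table, then build and sign the DP signature body.
func (p Platform) Respond(req Msg) (Msg, error) {
	e, ok := p[req.RootID]
	if !ok { // step 303: no DP certificate with a consistent identifier
		return Msg{}, errors.New("no DP certificate consistent with the eSIM certificate identifier")
	}
	body := make([]byte, nonceLen, 2*nonceLen)
	rand.Read(body)                  // DP random number; crypto/rand.Read does not fail on supported platforms
	body = append(body, req.Body...) // step 307: DP nonce || eSIM nonce
	return Msg{RootID: req.RootID, Certs: []Cert{e.dp}, Body: body, Sig: ed25519.Sign(e.key, body)}, nil
}

// Finish is steps 316-319: verify EUM against the root and eSIM against EUM, sign off the eSIM signature, and
// check that the signed body starts with the DP nonce of sent, the challenge issued in Respond (replay rejection).
func (p Platform) Finish(sent, r Msg) error {
	root := p[sent.RootID].root // zero value (nil key) for an unknown root ID, which certOK rejects
	if len(r.Certs) != 2 || !certOK(root, r.Certs[0]) || !certOK(r.Certs[0], r.Certs[1]) {
		return errors.New("failed verification: certificate chain")
	}
	esim := r.Certs[1]
	if len(esim.Pub) != ed25519.PublicKeySize || !ed25519.Verify(esim.Pub, r.Body, r.Sig) || len(r.Body) < nonceLen ||
		len(sent.Body) < nonceLen || string(r.Body[:nonceLen]) != string(sent.Body[:nonceLen]) {
		return errors.New("failed verification: eSIM signature or DP random number")
	}
	return nil
}

// NewFixture builds a root, a DP certificate under it and an EUM -> eSIM chain under the same root (all constructed).
func NewFixture() (Platform, Cert, []Cert, ed25519.PrivateKey) {
	root, rootKey := issue(nil)
	dp, dpKey := issue(rootKey)
	eum, eumKey := issue(rootKey)
	esim, esimKey := issue(eumKey)
	return Platform{RootID(root): {root, dp, dpKey}}, root, []Cert{eum, esim}, esimKey
}

func main() {
	p, root, chain, esimKey := NewFixture()
	req := Msg{RootID: RootID(root), Body: make([]byte, nonceLen)} // step 301, with an all-zero eSIM nonce for the demo
	ch, err := p.Respond(req)
	if err != nil {
		panic(err)
	}
	body := append(append([]byte{}, ch.Body[:nonceLen]...), []byte("EID:constructed")...) // step 313: DP nonce || eSIM info
	reply := Msg{Certs: chain, Body: body, Sig: ed25519.Sign(esimKey, body)}            // steps 314-315 (terminal side)
	fmt.Println("platform authenticates eSIM:", p.Finish(ch, reply))
}
```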
It should be noted that, if the eSIM of the RSP terminal supports multiple eSIM certificates, each eSIM certificate is authenticated according to the authentication method provided in the present solution, so as to implement the multi-operator support function of the RSP terminal. Specifically, the relevant steps executed by the RSP terminal in this embodiment may refer to the relevant contents in the first embodiment.
The management platform provided in this embodiment, after receiving the certificate identifier supported by the eSIM sent by the RSP terminal, determines whether there is a DP certificate with the same identifier by comparing the locally supported DP certificates with the identifier of the certificate supported by the eSIM, and if so, determines that it can support the authentication of the eSIM of the RSP terminal, thereby confirming the certificates supported by both parties before performing the authentication procedure, implementing the mutual authentication between the management platform and the RSP terminal, and improving the authentication efficiency.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the RSP terminal and the management platform described above may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
Those of ordinary skill in the art will understand that: all or a portion of the steps of implementing the above-described method embodiments may be performed by hardware associated with program instructions. The program may be stored in a computer-readable storage medium. When executed, the program performs steps comprising the method embodiments described above; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (6)

1. An authentication method applied to an eSIM, comprising:
An RSP terminal provided with an eSIM sends an authentication request to a management platform, wherein the authentication request comprises an identification of an eSIM certificate supported by the eSIM, and the identification of the eSIM certificate is used for the management platform to search a DP certificate consistent with the identification of the eSIM certificate;
The RSP terminal receives an authentication result returned by the management platform, wherein the authentication result is obtained by authenticating the eSIM according to the authentication request after the DP certificate is found by the platform;
wherein the authentication request further includes the generated eSIM random number; before the RSP terminal receives the authentication result returned by the management platform, the method further includes:
The RSP terminal receives the identification of the DP certificate, a DP signature body and a DP signature which are sent by the management platform, and verifies the DP certificate by using a public key of the eSIM certificate which is consistent with the identification of the DP certificate;
if the verification is passed, the RSP terminal uses the public key of the DP certificate to sign off the DP signature, compares the DP signature subjected to the sign off with the DP signature body, and if the DP signature body is consistent with the DP signature body, obtains an eSIM signature body according to the DP random number and the information of the eSIM, and signs the eSIM signature body to obtain an eSIM signature;
the RSP terminal transmits the eSIM certificate, the EUM certificate of the eSIM, the eSIM signature body, and the eSIM signature to the management platform, so that the management platform authenticates the eSIM.
2. The method of claim 1, further comprising:
And the RSP terminal receives an error message sent by the management platform, wherein the error message is used for representing that the DP certificate consistent with the identification of the eSIM certificate is not found.
3. An authentication method applied to an eSIM, comprising:
The method comprises the steps that a management platform receives an authentication request sent by an RSP terminal provided with an eSIM, wherein the authentication request comprises an identification of an eSIM certificate supported by the eSIM;
the management platform searches for a DP certificate consistent with the identification of the eSIM certificate, authenticates the eSIM according to the authentication request if the DP certificate is found, and returns an authentication result to the RSP terminal;
Wherein the authentication request further includes the generated eSIM random number; the management platform authenticates the eSIM according to the authentication request, and the authentication comprises the following steps:
The management platform obtains a DP signature body according to the eSIM random number and the generated DP random number, and signs the DP certificate and the DP signature body to obtain a DP signature;
The management platform sends the identification of the DP certificate, the DP signature body and the DP signature to the RSP terminal so that the RSP terminal verifies the DP certificate with a public key of the eSIM certificate consistent with the identification of the DP certificate;
The management platform receives the eSIM certificate, the EUM certificate of the eSIM, an eSIM signing body and an eSIM signature sent by the RSP terminal, and verifies the eSIM certificate and the EUM certificate according to the DP certificate;
and if the verification is passed, the management platform uses the public key of the eSIM certificate to sign off the eSIM signature, compares the signed eSIM signature with the eSIM signature body, and if the signature is consistent with the eSIM signature body, successfully authenticates the eSIM.
4. The method of claim 3, further comprising:
and if the DP certificate consistent with the identification of the eSIM certificate is not found, the management platform sends an error message to the RSP terminal.
5. An RSP terminal, wherein the RSP terminal is provided with an eSIM, and wherein the RSP terminal comprises:
A sending module, configured to send an authentication request to a management platform, where the authentication request includes an identifier of an eSIM certificate supported by the eSIM, and the identifier of the eSIM certificate is used for the management platform to search for a DP certificate that is consistent with the identifier of the eSIM certificate;
a receiving module, configured to receive an authentication result returned by the management platform, where the authentication result is obtained by authenticating, according to the authentication request, the eSIM after the DP certificate is found by the platform;
wherein the authentication request further includes the generated eSIM random number;
The receiving module is further configured to receive the identification of the DP certificate, a DP signature body, and a DP signature sent by the management platform, and verify the DP certificate with a public key of the eSIM certificate that is consistent with the identification of the DP certificate;
The RSP terminal further includes:
A processing module, configured to, if the verification is passed, sign off the DP signature by using the public key of the DP certificate, compare the signed-off DP signature with the DP signature body, and if the DP signature is consistent with the DP signature body, obtain an eSIM signature body according to a DP random number and the information of the eSIM, and sign the eSIM signature body to obtain an eSIM signature;
The sending module is further configured to send the eSIM certificate, the EUM certificate of the eSIM, the eSIM signature body, and the eSIM signature to the management platform, so that the management platform authenticates the eSIM.
6. A management platform, comprising:
A receiving module, configured to receive an authentication request sent by an RSP terminal provided with an eSIM, wherein the authentication request comprises an identification of an eSIM certificate supported by the eSIM;
A processing module, configured to search for a DP certificate consistent with the identification of the eSIM certificate, authenticate the eSIM according to the authentication request if the DP certificate is found, and return an authentication result to the RSP terminal;
wherein the authentication request further includes the generated eSIM random number; the processing module comprises:
A signature unit, configured to obtain a DP signature body according to the eSIM random number and the generated DP random number, and sign the DP certificate and the DP signature body to obtain a DP signature;
A transmitting unit, configured to transmit the identification of the DP certificate, the DP signature body, and the DP signature to the RSP terminal, so that the RSP terminal verifies the DP certificate with a public key of the eSIM certificate that is consistent with the identification of the DP certificate;
The receiving module is further configured to receive the eSIM certificate, the EUM certificate of the eSIM, an eSIM signature body, and an eSIM signature sent by the RSP terminal, and verify the eSIM certificate and the EUM certificate according to the DP certificate;
The processing module is further configured to, if the verification is successful, sign off the eSIM signature by using the public key of the eSIM certificate, compare the signed eSIM signature with the eSIM signature body, and if the signed eSIM signature is consistent with the eSIM signature body, successfully authenticate the eSIM.
CN201710995976.0A 2017-10-23 2017-10-23 authentication method applied to eSIM, RSP terminal and management platform Active CN107547573B (en)

Publications (2)

Publication Number Publication Date
CN107547573A CN107547573A (en) 2018-01-05
CN107547573B true CN107547573B (en) 2019-12-10


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant