CN107766717A - A kind of access control method, apparatus and system - Google Patents

An access control method, apparatus and system

Info

Publication number
CN107766717A
Authority
CN
China
Prior art keywords
application program
safety chip
certificate
certificate parameter
parameter
Legal status
Granted
Application number
CN201610682386.8A
Other languages
Chinese (zh)
Other versions
CN107766717B (en
Inventor
乐祖晖
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Co Ltd
Application filed by China Mobile Communications Group Co Ltd, China Mobile Communications Co Ltd
Priority to CN201610682386.8A
Publication of CN107766717A
Application granted
Publication of CN107766717B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself

Abstract

The present invention provides an access control method, apparatus and system. The access control method includes: obtaining a first certificate parameter corresponding to a target object and a second certificate parameter corresponding to a first application program; using the first certificate parameter and the second certificate parameter to judge whether the first application program has the authority to access the target object; and, when the first application program is judged to have the authority to access the target object, allowing the first application program to access the target object, and otherwise refusing the first application program access to the target object. The solution of the present invention makes it convenient to authenticate an LPA that exists in the form of an application program, and allows the application program LPA to access the target object only when it has the authority to do so, thereby achieving secure communication.

Description

An access control method, apparatus and system
Technical field
The present invention relates to the field of terminal technology, and in particular to an access control method, apparatus and system.
Background
Generally, when an embedded universal integrated circuit card (Embedded Universal Integrated Circuit Card, eUICC) is embedded in electronic equipment such as automobiles, watches and mobile phones, the requirements on the eUICC are that configuration files (Profiles) can be preset or dynamically downloaded, that it can switch between Profiles, and so on.
As shown in Fig. 1, in the existing eUICC system architecture the device vendor integrates the local profile assistant (Local Profile Assistant, LPA) function into the operating system (Operating System, OS) of the electronic equipment. The LPA provides the user with a Profile operation interface and connects the signing management server and the eUICC; the signing management server is used for subscription management and data preparation. The LPA also communicates through a local interface with the LPA service on the eUICC in order to create, activate/deactivate and delete Profiles. An ISD-P is the form in which a Profile exists on the eUICC; the Profiles provided by different signing management servers (SM-DP in Fig. 1) correspond to different ISD-Ps, which are securely isolated from one another on the eUICC. Note that in Fig. 1 a solid line represents an actual physical channel, and a dotted line connects two objects between which data/commands are transmitted.
However, because the LPA is integrated into the OS of the electronic equipment, the prior-art eUICC system architecture makes the LPA difficult to verify.
Summary of the invention
An object of the present invention is to provide an access control method, apparatus and system that solve the existing problem that the LPA is difficult to verify because it is integrated into the OS of the electronic equipment.
To achieve the above object, the present invention provides an access control method, the method including:
Obtaining a first certificate parameter corresponding to a target object and a second certificate parameter corresponding to a first application program;
Using the first certificate parameter and the second certificate parameter to judge whether the first application program has the authority to access the target object;
When the first application program is judged to have the authority to access the target object, allowing the first application program to access the target object, and otherwise refusing the first application program access to the target object.
The present invention also provides an access control apparatus, the apparatus including:
A first acquisition module, for obtaining a first certificate parameter corresponding to a target object and a second certificate parameter corresponding to a first application program;
A judge module, for using the first certificate parameter and the second certificate parameter to judge whether the first application program has the authority to access the target object;
A control module, for allowing the first application program to access the target object when the first application program is judged to have the authority to access the target object, and otherwise refusing the first application program access to the target object.
The present invention also provides an access control method, the method including:
Obtaining a certificate parameter acquisition request sent by electronic equipment;
Obtaining a first certificate parameter corresponding to a safety chip;
Sending the first certificate parameter to the electronic equipment in a certificate parameter acquisition request response, so that the electronic equipment can, when it detects that a first application program requests access to the safety chip, use the first certificate parameter and a second certificate parameter corresponding to the first application program to judge whether the first application program has the authority to access the safety chip, allow the first application program to access the safety chip when it has that authority, and otherwise refuse the first application program access to the safety chip.
The present invention further provides an access control apparatus, the apparatus including:
A third acquisition module, for obtaining a certificate parameter acquisition request sent by electronic equipment;
A fourth acquisition module, for obtaining a first certificate parameter corresponding to the safety chip;
A first sending module, for sending the first certificate parameter to the electronic equipment in a certificate parameter acquisition request response, so that the electronic equipment can, when it detects that a first application program requests access to the safety chip, use the first certificate parameter and a second certificate parameter corresponding to the first application program to judge whether the first application program has the authority to access the safety chip, allow the first application program to access the safety chip when it has that authority, and otherwise refuse the first application program access to the safety chip.
The present invention further provides an access control system, the system including electronic equipment and a safety chip;
The electronic equipment is used to detect whether any application program requests access to the safety chip; when it detects that a first application program requests access to the safety chip, to obtain a first certificate parameter corresponding to the safety chip and a second certificate parameter corresponding to the first application program; to use the first certificate parameter and the second certificate parameter to judge whether the first application program has the authority to access the safety chip; and, when the first application program is judged to have the authority to access the safety chip, to allow the first application program to access the safety chip, and otherwise to refuse the first application program access to the safety chip;
The safety chip is used to obtain the certificate parameter acquisition request sent by the electronic equipment, obtain the first certificate parameter corresponding to the safety chip, and send the first certificate parameter to the electronic equipment in a certificate parameter acquisition request response.
With the above technical solution, the beneficial effects of the present invention are as follows:
Through the verification and judgment, the access control method of the present invention makes it convenient to authenticate an LPA that exists in the form of an application program, and allows the application program LPA to access the target object only when it has the authority to access the target object, thereby achieving secure communication.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the embodiments are briefly described below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the existing eUICC system architecture.
Fig. 2 is a flow chart of the access control method of an embodiment of the present invention.
Fig. 3 is a schematic diagram of the existing GSMA certificate framework.
Fig. 4 is a structural diagram of the access control apparatus of an embodiment of the present invention.
Fig. 5 is a flow chart of another access control method of an embodiment of the present invention.
Fig. 6 is a structural diagram of another access control apparatus of an embodiment of the present invention.
Fig. 7 is a structural diagram of the access control system of an embodiment of the present invention.
Fig. 8 is a schematic diagram of the eUICC system architecture of an embodiment of the present invention.
Fig. 9 is a flow chart of the authentication of the MNO LPA in a specific example of the present invention.
Fig. 10 is a schematic diagram of another eUICC system architecture of an embodiment of the present invention.
Embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
First, in the embodiments of the present invention, the LPA exists in the form of an application program and connects the signing management server and the safety chip. In this way the LPA is effectively separated from the OS of the electronic equipment, which makes it convenient to upgrade the application program LPA independently and to authenticate the LPA.
For the above LPA existing in the form of an application program, an embodiment of the present invention provides an access control method. As shown in Fig. 2, the method includes:
Step 201: obtaining a first certificate parameter corresponding to a target object and a second certificate parameter corresponding to a first application program;
Step 202: using the first certificate parameter and the second certificate parameter to judge whether the first application program has the authority to access the target object;
Step 203: when the first application program is judged to have the authority to access the target object, allowing the first application program to access the target object, and otherwise refusing the first application program access to the target object.
In this way, through the verification and judgment, the access control method of the embodiment of the present invention makes it convenient to authenticate an LPA that exists in the form of an application program, and allows the application program LPA to access the target object only when it has the authority to access the target object, thereby achieving secure communication.
In specific embodiments of the present invention, the LPA acts as the "middleware" connecting the signing management server and the safety chip, and both the signing management server and the safety chip can verify it. The target object can therefore be the safety chip or the signing management server; the signing management server corresponds to an operator and is used for subscription management and data preparation.
In the embodiments of the present invention, the safety chip is specifically an embedded universal integrated circuit card (eUICC), and the first application program is specifically an application program that connects the signing management server and the eUICC and is used for configuration management.
In the embodiments of the present invention, when the target object is the safety chip, the method is used in electronic equipment on which an LPA existing as an application program is installed. Before step 201, the method also includes:
Detecting whether any application program requests access to the safety chip.
Step 201 is then specifically: when it is detected that the first application program requests access to the safety chip, obtaining the first certificate parameter corresponding to the safety chip and the second certificate parameter corresponding to the first application program.
Further, an application programming interface (API) for interacting with the safety chip is provided on the electronic equipment.
The step of detecting whether any application program requests access to the safety chip is specifically: detecting calls to the API to determine whether any application program requests access to the safety chip; that is, when an application program requests to call the API, it is determined that an application program requests access to the safety chip.
Step 203 is specifically: when the first application program is judged to have the authority to access the safety chip, allowing the first application program to call the API to access the safety chip, and otherwise refusing to let the first application program call the API to access the safety chip.
In the embodiments of the present invention, the first certificate parameter is specifically a root certificate pre-stored in the safety chip, and the second certificate parameter is a certificate to be verified that is provided by the first application program.
As shown in Fig. 3, in the existing GSMA certificate framework, the root certificate of the certificate issuer (Certificate Issuer, CI) is CI Cert. The CI issues the certificate EUM Cert to the card vendor (eUICC Manufacturer, EUM) and the certificate SM-DP+ Cert to the operator's SM-DP+, and the EUM issues the certificate eUICC Cert to the eUICC. If the eUICC and the SM-DP+ exchange commands through the LPA, they must first exchange their respective certificates through the LPA.
In the embodiments of the present invention, to authenticate the LPA, the root certificate CI Cert is preset in the safety chip, and the CI Cert is used to issue a certificate LPA Cert corresponding to the application program LPA, so that the application program LPA can be verified.
That is, under normal circumstances, the second certificate parameter, which is the certificate to be verified provided by the first application program, is issued by the root certificate pre-stored in the safety chip.
The root certificate pre-stored in the safety chip is provided by the safety chip mainly during start-up of the electronic equipment or when the safety chip receives a certificate parameter acquisition request.
The step of using the first certificate parameter and the second certificate parameter to judge whether the first application program has the authority to access the target object specifically includes:
Verifying whether the certificate to be verified is a certificate signed by the root certificate;
When the certificate to be verified is a certificate signed by the root certificate, using the certificate to be verified to verify the integrity of the first application program;
When the first application program is verified to be complete, determining that the first application program has the authority to access the safety chip, and otherwise determining that the first application program does not have the authority to access the safety chip.
In the embodiments of the present invention, when the target object is the signing management server, the access control method can be used in the signing management server, and the first application program is the corresponding application program LPA, so that the signing management server can authenticate the corresponding application program LPA.
Specifically, when the target object is the signing management server, the access control method also includes:
Obtaining a third certificate parameter sent by the safety chip;
Verifying the safety chip according to the third certificate parameter.
In this way, the signing management server can verify the legitimacy of the safety chip.
Further, the second certificate parameter is sent by the safety chip to the signing management server together with the third certificate parameter, the safety chip having obtained the second certificate parameter from the first application program. Because the second certificate parameter and the third certificate parameter are sent together, the signing management server can verify the application program LPA at the same time as it verifies the safety chip, which simplifies the operation flow.
Note that, to ensure that a certificate parameter is not tampered with in transit when the safety chip sends it to the signing management server, the information containing the certificate parameter can be signed, which guarantees the accuracy of the certificate parameter.
Referring to Fig. 4, an embodiment of the present invention also provides an access control apparatus corresponding to the access control method shown in Fig. 2, the apparatus including:
A first acquisition module 41, for obtaining a first certificate parameter corresponding to a target object and a second certificate parameter corresponding to a first application program;
A judge module 42, for using the first certificate parameter and the second certificate parameter to judge whether the first application program has the authority to access the target object;
A control module 43, for allowing the first application program to access the target object when the first application program is judged to have the authority to access the target object, and otherwise refusing the first application program access to the target object.
In this way, through the verification and judgment, the access control apparatus of the embodiment of the present invention makes it convenient to authenticate an LPA that exists in the form of an application program, and allows the application program LPA to access the target object only when it has the authority to access the target object, thereby achieving secure communication.
When the target object is the safety chip, the apparatus also includes:
A detection module, for detecting whether any application program requests access to the safety chip;
The first acquisition module is specifically used for: when it is detected that the first application program requests access to the safety chip, obtaining the first certificate parameter corresponding to the safety chip and the second certificate parameter corresponding to the first application program.
In the embodiments of the present invention, the apparatus can be used in electronic equipment on which an application programming interface (API) for interacting with the safety chip is provided.
The detection module is specifically used for: detecting calls to the API to determine whether any application program requests access to the safety chip.
The control module is specifically used for: when the first application program is judged to have the authority to access the safety chip, allowing the first application program to call the API to access the safety chip, and otherwise refusing to let the first application program call the API to access the safety chip.
The first certificate parameter is a root certificate pre-stored in the safety chip, and the second certificate parameter is a certificate to be verified that is provided by the first application program.
The root certificate pre-stored in the safety chip is provided by the safety chip during start-up of the electronic equipment or when a certificate parameter acquisition request is received.
In the embodiments of the present invention, the judge module specifically includes:
A first authentication unit, for verifying whether the certificate to be verified is a certificate signed by the root certificate;
A second authentication unit, for using the certificate to be verified to verify the integrity of the first application program when the certificate to be verified is a certificate signed by the root certificate;
A determining unit, for determining that the first application program has the authority to access the safety chip when the first application program is verified to be complete, and otherwise determining that the first application program does not have the authority to access the safety chip.
Specifically, the safety chip is an embedded universal integrated circuit card, and the first application program is an application program that connects the signing management server and the embedded universal integrated circuit card and is used for configuration management.
In the embodiments of the present invention, when the target object is the signing management server, the apparatus also includes:
A second acquisition module, for obtaining a third certificate parameter sent by the safety chip;
An authentication module, for verifying the safety chip according to the third certificate parameter;
The second certificate parameter is sent by the safety chip to the signing management server together with the third certificate parameter, the safety chip having obtained the second certificate parameter from the first application program.
As shown in Fig. 5, an embodiment of the present invention also provides an access control method applied to a safety chip, the method including:
Step 501: obtaining a certificate parameter acquisition request sent by electronic equipment;
Step 502: obtaining a first certificate parameter corresponding to the safety chip;
Step 503: sending the first certificate parameter to the electronic equipment in a certificate parameter acquisition request response, so that the electronic equipment can, when it detects that a first application program requests access to the safety chip, use the first certificate parameter and a second certificate parameter corresponding to the first application program to judge whether the first application program has the authority to access the safety chip, allow the first application program to access the safety chip when it has that authority, and otherwise refuse the first application program access to the safety chip.
In this way, through the verification and judgment, the access control method of the embodiment of the present invention makes it convenient to authenticate an LPA that exists in the form of an application program, and allows the application program LPA to access the safety chip only when it has the authority to access the safety chip, thereby achieving secure communication.
Specifically, the safety chip is an embedded universal integrated circuit card, and the first application program is an application program that connects the signing management server and the embedded universal integrated circuit card and is used for configuration management.
Further, in the embodiments of the present invention, the method also includes:
Receiving the second certificate parameter sent by the electronic equipment;
Sending the second certificate parameter to the signing management server together with a third certificate parameter used for verifying the embedded universal integrated circuit card, so that the signing management server can use the second certificate parameter to verify the first application program and use the third certificate parameter to verify the embedded universal integrated circuit card.
In this way, the signing management server can verify the safety chip and the application program LPA at the same time, which simplifies the operation flow.
The first certificate parameter is a root certificate pre-stored in the safety chip, and the second certificate parameter is a certificate to be verified that is provided by the first application program.
As shown in Fig. 6, an embodiment of the present invention also provides an access control apparatus corresponding to the access control method shown in Fig. 5, the apparatus including:
A third acquisition module 61, for obtaining a certificate parameter acquisition request sent by electronic equipment;
A fourth acquisition module 62, for obtaining a first certificate parameter corresponding to the safety chip;
A first sending module 63, for sending the first certificate parameter to the electronic equipment in a certificate parameter acquisition request response, so that the electronic equipment can, when it detects that a first application program requests access to the safety chip, use the first certificate parameter and a second certificate parameter corresponding to the first application program to judge whether the first application program has the authority to access the safety chip, allow the first application program to access the safety chip when it has that authority, and otherwise refuse the first application program access to the safety chip.
Specifically, the safety chip is an embedded universal integrated circuit card, and the first application program is an application program that connects the signing management server and the embedded universal integrated circuit card and is used for configuration management.
In the embodiments of the present invention, the apparatus also includes:
A receiving module, for receiving the second certificate parameter sent by the electronic equipment;
A second sending module, for sending the second certificate parameter to the signing management server together with a third certificate parameter used for verifying the embedded universal integrated circuit card, so that the signing management server can use the second certificate parameter to verify the first application program and use the third certificate parameter to verify the embedded universal integrated circuit card.
The first certificate parameter is a root certificate pre-stored in the safety chip, and the second certificate parameter is a certificate to be verified that is provided by the first application program.
As shown in Fig. 7, an embodiment of the present invention also provides an access control system, the system including electronic equipment 71 and a safety chip 72;
The electronic equipment 71 is used to detect whether any application program requests access to the safety chip 72; when it detects that a first application program requests access to the safety chip 72, to obtain a first certificate parameter corresponding to the safety chip 72 and a second certificate parameter corresponding to the first application program; to use the first certificate parameter and the second certificate parameter to judge whether the first application program has the authority to access the safety chip 72; and, when the first application program is judged to have the authority to access the safety chip 72, to allow the first application program to access the safety chip 72, and otherwise to refuse the first application program access to the safety chip 72;
The safety chip 72 is used to obtain the certificate parameter acquisition request sent by the electronic equipment, obtain the first certificate parameter corresponding to the safety chip 72, and send the first certificate parameter to the electronic equipment 71 in a certificate parameter acquisition request response.
In this way, through the verification and judgment, the access control system of the embodiment of the present invention makes it convenient to authenticate an LPA that exists in the form of an application program, and allows the application program LPA to access the safety chip only when it has the authority to access the safety chip, thereby achieving secure communication.
Below, referring to Fig. 8, the eUICC system architecture of the present invention is described by way of a specific example.
Specifically, in Fig. 8, LPAs fall into two classes, as follows:
The first class of LPA is integrated in the OS of the electronic equipment and exists as a function of the OS, such as the 2nd LPA;
The second class of LPA exists in the form of an application program separate from the OS of the electronic equipment, such as the 1st LPA, the operator LPA (MNO LPA) and the third-party LPA;
All LPAs are used to connect the signing management server SM-DP and the eUICC. The difference is that a second-class LPA can interact with the eUICC by calling an application programming interface (API), and the specific interaction is carried out by the access control enforcer (AC Enforcer).
The eUICC is provided with an LPA service and an access control application program (AC Applet); a certificate parameter used for authenticating the application program LPA is pre-stored in the AC Applet. It should be noted that in Fig. 8 a solid line represents an actual physical channel, and a dotted line connects two objects that need to exchange data/commands.
Based on the eUICC system architecture shown in Fig. 8, and referring to Fig. 9, the verification process for the MNO LPA is as follows:
Step 901: The AC Enforcer selects the AC Applet; generally, the AC Enforcer must first select an AC Applet before communicating with it;
Step 902: The AC Applet returns a selection response;
Step 903: The AC Enforcer sends a certificate parameter acquisition request to the AC Applet;
Step 904: The AC Applet returns the CI Cert;
Step 905: The AC Enforcer sends a certificate parameter acquisition request to the MNO LPA;
Step 906: The MNO LPA returns its signing certificate, the LPA Cert;
Step 907: The AC Enforcer verifies the LPA Cert using the CI Cert; if verification of the LPA Cert fails, the MNO LPA cannot call the API interface for accessing the eUICC;
Step 908: If the LPA Cert passes verification, the AC Enforcer verifies the integrity of the MNO LPA using the LPA Cert; if this verification succeeds, the MNO LPA can call the API interface for accessing the eUICC normally, otherwise it cannot.
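The decision made in steps 907 and 908 can be sketched as follows. This is an added Go example, not code from the patent: the function names (`issue`, `authorizeLPA`, `scenario`), the use of X.509 with Ed25519 keys, the detached signature over the LPA package, and all certificates and package bytes are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var ErrCertRejected = errors.New("step 907: LPA Cert does not chain to CI Cert")
var ErrIntegrity = errors.New("step 908: package signature does not verify under LPA Cert")

// issue builds a constructed test certificate; parent == nil yields a self-signed CA (CI Cert stand-in).
func issue(cn string, serial int64, pub ed25519.PublicKey, parent *x509.Certificate, key ed25519.PrivateKey) *x509.Certificate {
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if parent == nil {
		tpl.IsCA, tpl.BasicConstraintsValid = true, true
		tpl.KeyUsage, tpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
		parent = tpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, key)
	if err != nil {
		panic(err) // fixture construction only
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// authorizeLPA is the AC Enforcer decision: nil means the LPA may call the eUICC API.
func authorizeLPA(ciCert, lpaCert *x509.Certificate, pkg, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(ciCert)
	// Step 907: the LPA Cert must chain to the CI Cert returned by the AC Applet.
	if _, err := lpaCert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}); err != nil {
		return fmt.Errorf("%w: %v", ErrCertRejected, err)
	}
	// Step 908 (assumed form): a detached Ed25519 signature over the LPA package, checked with the LPA Cert key.
	pub, ok := lpaCert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, pkg, sig) {
		return ErrIntegrity
	}
	return nil
}

// scenario returns the decision for a genuine LPA, an LPA certified under another root, and a modified package.
func scenario() (genuine, wrongRoot, tampered error) {
	ciPub, ciKey, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, otherKey, _ := ed25519.GenerateKey(rand.Reader)
	lpaPub, lpaKey, _ := ed25519.GenerateKey(rand.Reader)
	ci := issue("CI root (constructed)", 1, ciPub, nil, ciKey)
	other := issue("Unrelated root (constructed)", 1, otherPub, nil, otherKey)
	good := issue("MNO LPA", 2, lpaPub, ci, ciKey)
	bad := issue("MNO LPA", 3, lpaPub, other, otherKey)
	pkg := []byte("constructed MNO LPA package bytes")
	sig := ed25519.Sign(lpaKey, pkg)
	return authorizeLPA(ci, good, pkg, sig),
		authorizeLPA(ci, bad, pkg, sig),
		authorizeLPA(ci, good, append([]byte("x"), pkg...), sig)
}

func main() {
	fmt.Println(scenario())
}
```

The two distinct errors matter operationally: a step 907 failure points at an untrusted issuer, while a step 908 failure points at a package that changed after signing.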
In the flow defined by the existing GSMA specifications, the signing management server does not authenticate the LPA: the LPA is assumed to be provided by the equipment vendor, so only a legitimate LPA can access the eUICC, and only the eUICC is authenticated. In the present invention, however, the LPA exists as an application program, which is less secure, and authenticating only the eUICC may introduce risk.
For example, in the eUICC system architecture shown in Fig. 10, MNO LPA1 and MNO LPA2 are application program LPAs provided by operator 1 and operator 2 respectively, and both have the authority to access the eUICC. The signing management server SM-DP+1 corresponds to operator 1, so SM-DP+1 would not want MNO LPA2 to be able to obtain the Profiles it generates.
Therefore, to ensure the legitimacy of application program LPAs that access the signing management server, the signing management server can be made to authenticate the corresponding application program LPA.
The above is only a preferred embodiment of the present invention. It should be noted that those of ordinary skill in the art can make several improvements and modifications without departing from the principles of the present invention, and these improvements and modifications shall also be regarded as falling within the protection scope of the present invention.

Claims (25)

1. An access control method, characterized in that the method comprises:
Obtaining a first certificate parameter corresponding to a destination object and a second certificate parameter corresponding to a first application program;
Judging, using the first certificate parameter and the second certificate parameter, whether the first application program has the authority to access the destination object;
When it is judged that the first application program has the authority to access the destination object, allowing the first application program to access the destination object, and otherwise refusing the first application program access to the destination object.
2. The method according to claim 1, characterized in that the destination object is a safety chip, and before the step of obtaining the first certificate parameter corresponding to the destination object and the second certificate parameter corresponding to the first application program, the method further comprises:
Detecting whether an application program requests access to the safety chip;
The step of obtaining the first certificate parameter corresponding to the destination object and the second certificate parameter corresponding to the first application program is specifically:
When it is detected that the first application program requests access to the safety chip, obtaining the first certificate parameter corresponding to the safety chip and the second certificate parameter corresponding to the first application program.
3. The method according to claim 2, characterized in that the method is used in electronic equipment, and the electronic equipment is provided with an application programming interface for interacting with the safety chip;
The step of detecting whether an application program requests access to the safety chip is specifically: detecting calls to the application programming interface to determine whether an application program requests access to the safety chip;
The step of allowing the first application program to access the destination object when it is judged that the first application program has the authority to access the destination object, and otherwise refusing the first application program access to the destination object, is specifically:
When it is judged that the first application program has the authority to access the safety chip, allowing the first application program to call the application programming interface to access the safety chip, and otherwise refusing to let the first application program call the application programming interface to access the safety chip.
4. The method according to claim 2, characterized in that the first certificate parameter is a root certificate pre-stored in the safety chip, and the second certificate parameter is a certificate to be verified that is provided by the first application program.
5. The method according to claim 4, characterized in that the root certificate pre-stored in the safety chip is provided by the safety chip during start-up of the electronic equipment or upon receiving a certificate parameter acquisition request.
6. The method according to claim 5, characterized in that the step of judging, using the first certificate parameter and the second certificate parameter, whether the first application program has the authority to access the destination object specifically comprises:
Verifying whether the certificate to be verified is a certificate signed by the root certificate;
When the certificate to be verified is a certificate signed by the root certificate, verifying the integrity of the first application program using the certificate to be verified;
When the first application program is verified to be complete, determining that the first application program has the authority to access the safety chip, and otherwise determining that the first application program does not have the authority to access the safety chip.
7. The method according to any one of claims 2-6, characterized in that the safety chip is a universal embedded integrated circuit card, and the first application program is an application program that connects the signing management server and the universal embedded integrated circuit card and is used for configuration management.
8. The method according to claim 1, characterized in that the destination object is a signing management server, and the method further comprises:
Obtaining a third certificate parameter sent by a safety chip;
Verifying the safety chip according to the third certificate parameter;
Wherein the second certificate parameter is sent to the signing management server by the safety chip together with the third certificate parameter, and the safety chip obtains the second certificate parameter from the first application program.
9. An access control apparatus, characterized in that the apparatus comprises:
A first acquisition module, configured to obtain a first certificate parameter corresponding to a destination object and a second certificate parameter corresponding to a first application program;
A judging module, configured to judge, using the first certificate parameter and the second certificate parameter, whether the first application program has the authority to access the destination object;
A control module, configured to allow the first application program to access the destination object when it is judged that the first application program has the authority to access the destination object, and otherwise to refuse the first application program access to the destination object.
10. The apparatus according to claim 9, characterized in that the destination object is a safety chip, and the apparatus further comprises:
A detection module, configured to detect whether an application program requests access to the safety chip;
The first acquisition module is specifically configured to: when it is detected that the first application program requests access to the safety chip, obtain the first certificate parameter corresponding to the safety chip and the second certificate parameter corresponding to the first application program.
11. The apparatus according to claim 10, characterized in that the apparatus is used in electronic equipment, and the electronic equipment is provided with an application programming interface for interacting with the safety chip;
The detection module is specifically configured to: detect calls to the application programming interface to determine whether an application program requests access to the safety chip;
The control module is specifically configured to: when it is judged that the first application program has the authority to access the safety chip, allow the first application program to call the application programming interface to access the safety chip, and otherwise refuse to let the first application program call the application programming interface to access the safety chip.
12. The apparatus according to claim 10, characterized in that the first certificate parameter is a root certificate pre-stored in the safety chip, and the second certificate parameter is a certificate to be verified that is provided by the first application program.
13. The apparatus according to claim 12, characterized in that the root certificate pre-stored in the safety chip is provided by the safety chip during start-up of the electronic equipment or upon receiving a certificate parameter acquisition request.
14. The apparatus according to claim 13, characterized in that the judging module specifically comprises:
A first verification unit, configured to verify whether the certificate to be verified is a certificate signed by the root certificate;
A second verification unit, configured to verify the integrity of the first application program using the certificate to be verified when the certificate to be verified is a certificate signed by the root certificate;
A determining unit, configured to determine that the first application program has the authority to access the safety chip when the first application program is verified to be complete, and otherwise to determine that the first application program does not have the authority to access the safety chip.
15. The apparatus according to any one of claims 10-14, characterized in that the safety chip is a universal embedded integrated circuit card, and the first application program is an application program that connects the signing management server and the universal embedded integrated circuit card and is used for configuration management.
16. The apparatus according to claim 9, characterized in that the destination object is a signing management server, and the apparatus further comprises:
A second acquisition module, configured to obtain a third certificate parameter sent by a safety chip;
An authentication module, configured to verify the safety chip according to the third certificate parameter;
Wherein the second certificate parameter is sent to the signing management server by the safety chip together with the third certificate parameter, and the safety chip obtains the second certificate parameter from the first application program.
17. An access control method, characterized in that the method comprises:
Obtaining a certificate parameter acquisition request sent by electronic equipment;
Obtaining a first certificate parameter corresponding to a safety chip;
Sending the first certificate parameter to the electronic equipment in a certificate parameter acquisition request response, so that the electronic equipment can, when it detects that a first application program requests access to the safety chip, judge, using the first certificate parameter and a second certificate parameter corresponding to the first application program, whether the first application program has the authority to access the safety chip, and, when the first application program has the authority to access the safety chip, allow the first application program to access the safety chip, and otherwise refuse the first application program access to the safety chip.
18. The method according to claim 17, characterized in that the safety chip is a universal embedded integrated circuit card, and the first application program is an application program that connects the signing management server and the universal embedded integrated circuit card and is used for configuration management.
19. The method according to claim 18, characterized in that the method further comprises:
Receiving the second certificate parameter sent by the electronic equipment;
Sending the second certificate parameter, together with a third certificate parameter used for verifying the universal embedded integrated circuit card, to the signing management server, so that the signing management server can verify the first application program using the second certificate parameter and verify the universal embedded integrated circuit card using the third certificate parameter.
20. The method according to claim 17, characterized in that the first certificate parameter is a root certificate pre-stored in the safety chip, and the second certificate parameter is a certificate to be verified that is provided by the first application program.
21. An access control apparatus, characterized in that the apparatus comprises:
A third acquisition module, configured to obtain a certificate parameter acquisition request sent by electronic equipment;
A fourth acquisition module, configured to obtain a first certificate parameter corresponding to a safety chip;
A first sending module, configured to send the first certificate parameter to the electronic equipment in a certificate parameter acquisition request response, so that the electronic equipment can, when it detects that a first application program requests access to the safety chip, judge, using the first certificate parameter and a second certificate parameter corresponding to the first application program, whether the first application program has the authority to access the safety chip, and, when the first application program has the authority to access the safety chip, allow the first application program to access the safety chip, and otherwise refuse the first application program access to the safety chip.
22. The apparatus according to claim 21, characterized in that the safety chip is a universal embedded integrated circuit card, and the first application program is an application program that connects the signing management server and the universal embedded integrated circuit card and is used for configuration management.
23. The apparatus according to claim 22, characterized in that the apparatus further comprises:
A receiving module, configured to receive the second certificate parameter sent by the electronic equipment;
A second sending module, configured to send the second certificate parameter, together with a third certificate parameter used for verifying the universal embedded integrated circuit card, to the signing management server, so that the signing management server can verify the first application program using the second certificate parameter and verify the universal embedded integrated circuit card using the third certificate parameter.
24. The access control apparatus according to claim 21, characterized in that the first certificate parameter is a root certificate pre-stored in the safety chip, and the second certificate parameter is a certificate to be verified that is provided by the first application program.
25. An access control system, characterized in that the system comprises electronic equipment and a safety chip;
Wherein, the electronic equipment is configured to detect whether an application program requests access to the safety chip; when it detects that a first application program requests access to the safety chip, to obtain a first certificate parameter corresponding to the safety chip and a second certificate parameter corresponding to the first application program; to judge, using the first certificate parameter and the second certificate parameter, whether the first application program has the authority to access the safety chip; and, when it judges that the first application program has the authority to access the safety chip, to allow the first application program to access the safety chip, and otherwise to refuse the first application program access to the safety chip;
The safety chip is configured to obtain the certificate parameter acquisition request sent by the electronic equipment, obtain the first certificate parameter corresponding to the safety chip, and send the first certificate parameter to the electronic equipment in a certificate parameter acquisition request response.
CN201610682386.8A 2016-08-17 2016-08-17 Access control method, device and system Active CN107766717B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610682386.8A CN107766717B (en) 2016-08-17 2016-08-17 Access control method, device and system

Publications (2)

Publication Number Publication Date
CN107766717A true CN107766717A (en) 2018-03-06
CN107766717B CN107766717B (en) 2020-04-14

Family

ID=61261390

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610682386.8A Active CN107766717B (en) 2016-08-17 2016-08-17 Access control method, device and system

Country Status (1)

Country Link
CN (1) CN107766717B (en)

Also Published As

Publication number Publication date
CN107766717B (en) 2020-04-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant