CN107766717A - Access control method, apparatus and system - Google Patents
- Publication number: CN107766717A
- Application number: CN201610682386.8A
- Authority: CN (China)
- Prior art keywords: application program, security chip, certificate, verification parameter, parameter
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6209—Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
Abstract
The present invention provides an access control method, apparatus and system. The access control method includes: obtaining a first verification parameter corresponding to a target object and a second verification parameter corresponding to a first application program; using the first verification parameter and the second verification parameter to judge whether the first application program has the authority to access the target object; and, when the first application program is judged to have the authority to access the target object, allowing the first application program to access the target object, and otherwise refusing the first application program access to the target object. With the solution of the present invention, an LPA that exists in the form of an application program can be conveniently authenticated, and the application program LPA is allowed to access the target object only when it has the authority to do so, which achieves secure communication.
Description
Technical field
The present invention relates to the field of terminal technology, and in particular to an access control method, apparatus and system.
Background art
Generally, when an embedded universal integrated circuit card (Embedded Universal Integrated Circuit Card, eUICC) is embedded in an electronic device such as a car, a watch or a mobile phone, the requirements on the eUICC are that configuration files (Profiles) can be preset or dynamically downloaded, that it can switch between different Profiles, and so on.
As shown in Fig. 1, in the existing eUICC system architecture the device vendor integrates the local profile assistant (Local Profile Assistant, LPA) function into the operating system (Operating System, OS) of the electronic device. The LPA provides the user with a Profile operation interface and connects the subscription management server and the eUICC; the subscription management server is used for subscription management and data preparation. The LPA communicates through a local interface with the LPA service on the eUICC in order to create, activate/deactivate and delete Profiles. An ISD-P is the form in which a Profile exists on the eUICC: the Profiles provided by different subscription management servers (SM-DP in Fig. 1) correspond to different ISD-Ps, which are securely isolated from each other on the eUICC. Note that in Fig. 1 a solid line represents an actual physical channel, and a dotted line connects two objects that have data/commands to transmit.
However, because the LPA is integrated into the OS of the electronic device, the prior-art eUICC system architecture has the problem that the LPA is difficult to verify.
Summary of the invention
An object of the present invention is to provide an access control method, apparatus and system, so as to solve the existing problem that the LPA is difficult to verify because it is integrated into the OS of the electronic device.
To achieve the above object, the present invention provides an access control method, the method including:
obtaining a first verification parameter corresponding to a target object and a second verification parameter corresponding to a first application program;
using the first verification parameter and the second verification parameter to judge whether the first application program has the authority to access the target object;
when the first application program is judged to have the authority to access the target object, allowing the first application program to access the target object, and otherwise refusing the first application program access to the target object.
The present invention also provides an access control apparatus, the apparatus including:
a first acquisition module, configured to obtain a first verification parameter corresponding to a target object and a second verification parameter corresponding to a first application program;
a judging module, configured to use the first verification parameter and the second verification parameter to judge whether the first application program has the authority to access the target object;
a control module, configured to allow the first application program to access the target object when the first application program is judged to have the authority to access the target object, and otherwise to refuse the first application program access to the target object.
The present invention also provides an access control method, the method including:
obtaining a verification parameter acquisition request sent by an electronic device;
obtaining a first verification parameter corresponding to a security chip;
sending the first verification parameter to the electronic device in a verification parameter acquisition request response, so that the electronic device, on detecting that a first application program requests access to the security chip, can use the first verification parameter and a second verification parameter corresponding to the first application program to judge whether the first application program has the authority to access the security chip, allow the first application program to access the security chip when it has that authority, and otherwise refuse the first application program access to the security chip.
The present invention further provides an access control apparatus, the apparatus including:
a third acquisition module, configured to obtain a verification parameter acquisition request sent by an electronic device;
a fourth acquisition module, configured to obtain a first verification parameter corresponding to the security chip;
a first sending module, configured to send the first verification parameter to the electronic device in a verification parameter acquisition request response, so that the electronic device, on detecting that a first application program requests access to the security chip, can use the first verification parameter and a second verification parameter corresponding to the first application program to judge whether the first application program has the authority to access the security chip, allow the first application program to access the security chip when it has that authority, and otherwise refuse the first application program access to the security chip.
The present invention further provides an access control system, the system including an electronic device and a security chip.
The electronic device is configured to detect whether an application program requests access to the security chip; when it detects that a first application program requests access to the security chip, to obtain a first verification parameter corresponding to the security chip and a second verification parameter corresponding to the first application program; to use the first verification parameter and the second verification parameter to judge whether the first application program has the authority to access the security chip; and, when the first application program is judged to have that authority, to allow the first application program to access the security chip, and otherwise to refuse the first application program access to the security chip.
The security chip is configured to obtain the verification parameter acquisition request sent by the electronic device, obtain the first verification parameter corresponding to the security chip, and send the first verification parameter to the electronic device in a verification parameter acquisition request response.
With the above technical solution, the beneficial effects of the present invention are as follows:
The access control method of the present invention, through the verification and judgment, makes it convenient to authenticate an LPA that exists in the form of an application program, and allows the application program LPA to access the target object only when it has the authority to do so, which achieves secure communication.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention more clearly, the accompanying drawings needed in the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the existing eUICC system architecture.
Fig. 2 is a flow chart of the access control method of an embodiment of the present invention.
Fig. 3 is a schematic diagram of the existing GSMA certificate architecture.
Fig. 4 is a structural diagram of the access control apparatus of an embodiment of the present invention.
Fig. 5 is a flow chart of another access control method of an embodiment of the present invention.
Fig. 6 is a structural diagram of another access control apparatus of an embodiment of the present invention.
Fig. 7 is a structural diagram of the access control system of an embodiment of the present invention.
Fig. 8 is a schematic diagram of the eUICC system architecture of an embodiment of the present invention.
Fig. 9 is a flow chart of the authentication of the MNO LPA in a specific example of the present invention.
Fig. 10 is a schematic diagram of another eUICC system architecture of an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are some rather than all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
First, in the embodiments of the present invention the LPA exists in the form of an application program and connects the subscription management server and the security chip. In this way the LPA is effectively separated from the OS of the electronic device, which makes it convenient to upgrade the application program LPA independently and to authenticate the LPA.
For the above LPA that exists in the form of an application program, an embodiment of the present invention provides an access control method. As shown in Fig. 2, the method includes:
Step 201: Obtain a first verification parameter corresponding to a target object and a second verification parameter corresponding to a first application program;
Step 202: Use the first verification parameter and the second verification parameter to judge whether the first application program has the authority to access the target object;
Step 203: When the first application program is judged to have the authority to access the target object, allow the first application program to access the target object; otherwise refuse the first application program access to the target object.
In this way, the access control method of the embodiment of the present invention, through the verification and judgment, makes it convenient to authenticate an LPA that exists in the form of an application program, and allows the application program LPA to access the target object only when it has the authority to do so, which achieves secure communication.
In the specific embodiments of the present invention, the LPA serves as the "middleware" connecting the subscription management server and the security chip, and both the subscription management server and the security chip can verify it. The target object can therefore be the security chip or the subscription management server; the subscription management server corresponds to an operator and is used for subscription management and data preparation.
In the embodiments of the present invention, the security chip is specifically an embedded universal integrated circuit card (eUICC), and the first application program is specifically an application program that connects the subscription management server and the eUICC and is used for configuration management.
In the embodiments of the present invention, when the target object is the security chip, the method is applied to an electronic device on which an LPA in the form of an application program is installed, and before step 201 the method further includes:
detecting whether an application program requests access to the security chip.
Step 201 is then specifically: when it is detected that the first application program requests access to the security chip, obtaining the first verification parameter corresponding to the security chip and the second verification parameter corresponding to the first application program.
Further, the electronic device is provided with an application programming interface (API) for interacting with the security chip.
The step of detecting whether an application program requests access to the security chip is specifically: monitoring calls to the API to determine whether an application program requests access to the security chip; that is, when an application program requests to call the API, it is determined that an application program requests access to the security chip.
Step 203 is specifically: when the first application program is judged to have the authority to access the security chip, allowing the first application program to call the API to access the security chip, and otherwise refusing to let the first application program call the API to access the security chip.
In the embodiments of the present invention, the first verification parameter is specifically the root certificate pre-stored in the security chip, and the second verification parameter is the certificate to be verified that the first application program provides.
As shown in Fig. 3, in the existing GSMA certificate architecture the root certificate of the certificate issuer (Certificate Issuer, CI) is CI Cert. The CI issues the certificate EUM Cert to the card vendor (eUICC Manufacturer, EUM) and the certificate SM-DP+ Cert to the operator's SM-DP+, and the EUM issues the certificate eUICC Cert to the eUICC. If the eUICC and the SM-DP+ exchange commands through the LPA, they must first exchange their respective certificates through the LPA.
In the embodiments of the present invention, in order to authenticate the LPA, the root certificate CI Cert is preset in the security chip, and the certificate LPA Cert corresponding to the application program LPA is issued using the CI Cert, so that the application program LPA can be verified.
That is, under normal circumstances the second verification parameter, i.e. the certificate to be verified that the first application program provides, is issued by the root certificate pre-stored in the security chip.
The root certificate pre-stored in the security chip is provided by the security chip mainly during start-up of the electronic device or when the security chip receives a verification parameter acquisition request.
The step of using the first verification parameter and the second verification parameter to judge whether the first application program has the authority to access the target object specifically includes:
verifying whether the certificate to be verified is a certificate signed by the root certificate;
when the certificate to be verified is a certificate signed by the root certificate, using the certificate to be verified to verify the integrity of the first application program;
when the first application program is verified to be complete, determining that the first application program has the authority to access the security chip, and otherwise determining that the first application program does not have the authority to access the security chip.
In the embodiments of the present invention, when the target object is the subscription management server, the access control method can be applied to the subscription management server, and the first application program is the corresponding application program LPA, so that the subscription management server authenticates the corresponding application program LPA.
Specifically, when the target object is the subscription management server, the access control method further includes:
obtaining a third verification parameter sent by the security chip;
verifying the security chip according to the third verification parameter.
In this way the subscription management server can verify the legitimacy of the security chip.
Further, the second verification parameter is sent to the subscription management server by the security chip together with the third verification parameter, the security chip having obtained the second verification parameter from the first application program. Because the second verification parameter and the third verification parameter are sent together, the subscription management server can verify the application program LPA at the same time as it verifies the security chip, which simplifies the operation flow.
Note that, to ensure that the verification parameters are not tampered with in transit when the security chip sends them to the subscription management server, the information containing the verification parameters can be signed, which guarantees the accuracy of the verification parameters.
Referring to Fig. 4, an embodiment of the present invention also provides an access control apparatus corresponding to the access control method shown in Fig. 2, the apparatus including:
a first acquisition module 41, configured to obtain a first verification parameter corresponding to a target object and a second verification parameter corresponding to a first application program;
a judging module 42, configured to use the first verification parameter and the second verification parameter to judge whether the first application program has the authority to access the target object;
a control module 43, configured to allow the first application program to access the target object when the first application program is judged to have the authority to access the target object, and otherwise to refuse the first application program access to the target object.
In this way, the access control apparatus of the embodiment of the present invention, through the verification and judgment, makes it convenient to authenticate an LPA that exists in the form of an application program, and allows the application program LPA to access the target object only when it has the authority to do so, which achieves secure communication.
When the target object is the security chip, the apparatus further includes:
a detection module, configured to detect whether an application program requests access to the security chip.
The first acquisition module is specifically configured to: when it is detected that the first application program requests access to the security chip, obtain the first verification parameter corresponding to the security chip and the second verification parameter corresponding to the first application program.
In the embodiments of the present invention, the apparatus can be applied to an electronic device, and the electronic device is provided with an application programming interface (API) for interacting with the security chip.
The detection module is specifically configured to: monitor calls to the API to determine whether an application program requests access to the security chip.
The control module is specifically configured to: when the first application program is judged to have the authority to access the security chip, allow the first application program to call the API to access the security chip, and otherwise refuse to let the first application program call the API to access the security chip.
The first verification parameter is the root certificate pre-stored in the security chip, and the second verification parameter is the certificate to be verified that the first application program provides.
The root certificate pre-stored in the security chip is provided by the security chip during start-up of the electronic device or when a verification parameter acquisition request is received.
In the embodiments of the present invention, the judging module specifically includes:
a first verification unit, configured to verify whether the certificate to be verified is a certificate signed by the root certificate;
a second verification unit, configured to use the certificate to be verified to verify the integrity of the first application program when the certificate to be verified is a certificate signed by the root certificate;
a determining unit, configured to determine that the first application program has the authority to access the security chip when the first application program is verified to be complete, and otherwise to determine that the first application program does not have the authority to access the security chip.
Specifically, the security chip is an embedded universal integrated circuit card, and the first application program is an application program that connects the subscription management server and the embedded universal integrated circuit card and is used for configuration management.
In the embodiments of the present invention, when the target object is the subscription management server, the apparatus further includes:
a second acquisition module, configured to obtain a third verification parameter sent by the security chip;
a verification module, configured to verify the security chip according to the third verification parameter.
The second verification parameter is sent to the subscription management server by the security chip together with the third verification parameter, the security chip having obtained the second verification parameter from the first application program.
As shown in Fig. 5, an embodiment of the present invention also provides an access control method applied to a security chip, the method including:
Step 501: Obtain a verification parameter acquisition request sent by an electronic device;
Step 502: Obtain a first verification parameter corresponding to the security chip;
Step 503: Send the first verification parameter to the electronic device in a verification parameter acquisition request response, so that the electronic device, on detecting that a first application program requests access to the security chip, can use the first verification parameter and a second verification parameter corresponding to the first application program to judge whether the first application program has the authority to access the security chip, allow the first application program to access the security chip when it has that authority, and otherwise refuse the first application program access to the security chip.
In this way, the access control method of the embodiment of the present invention, through the verification and judgment, makes it convenient to authenticate an LPA that exists in the form of an application program, and allows the application program LPA to access the security chip only when it has the authority to do so, which achieves secure communication.
Specifically, the security chip is an embedded universal integrated circuit card, and the first application program is an application program that connects the subscription management server and the embedded universal integrated circuit card and is used for configuration management.
Further, in the embodiments of the present invention, the method also includes:
receiving the second verification parameter sent by the electronic device;
sending the second verification parameter to the subscription management server together with a third verification parameter used for verifying the embedded universal integrated circuit card, so that the subscription management server can use the second verification parameter to verify the first application program and use the third verification parameter to verify the embedded universal integrated circuit card.
In this way the subscription management server can verify the security chip and the application program LPA at the same time, which simplifies the operation flow.
The first verification parameter is the root certificate pre-stored in the security chip, and the second verification parameter is the certificate to be verified that the first application program provides.
As shown in Fig. 6, an embodiment of the present invention also provides an access control apparatus corresponding to the access control method shown in Fig. 5, the apparatus including:
a third acquisition module 61, configured to obtain a verification parameter acquisition request sent by an electronic device;
a fourth acquisition module 62, configured to obtain a first verification parameter corresponding to the security chip;
a first sending module 63, configured to send the first verification parameter to the electronic device in a verification parameter acquisition request response, so that the electronic device, on detecting that a first application program requests access to the security chip, can use the first verification parameter and a second verification parameter corresponding to the first application program to judge whether the first application program has the authority to access the security chip, allow the first application program to access the security chip when it has that authority, and otherwise refuse the first application program access to the security chip.
Specifically, the security chip is an embedded universal integrated circuit card, and the first application program is an application program that connects the subscription management server and the embedded universal integrated circuit card and is used for configuration management.
In the embodiments of the present invention, the apparatus further includes:
a receiving module, configured to receive the second verification parameter sent by the electronic device;
a second sending module, configured to send the second verification parameter to the subscription management server together with a third verification parameter used for verifying the embedded universal integrated circuit card, so that the subscription management server can use the second verification parameter to verify the first application program and use the third verification parameter to verify the embedded universal integrated circuit card.
The first verification parameter is the root certificate pre-stored in the security chip, and the second verification parameter is the certificate to be verified that the first application program provides.
As shown in Fig. 7, an embodiment of the present invention also provides an access control system, the system including an electronic device 71 and a security chip 72.
The electronic device 71 is configured to detect whether an application program requests access to the security chip 72; when it detects that a first application program requests access to the security chip 72, to obtain a first verification parameter corresponding to the security chip 72 and a second verification parameter corresponding to the first application program; to use the first verification parameter and the second verification parameter to judge whether the first application program has the authority to access the security chip 72; and, when the first application program is judged to have that authority, to allow the first application program to access the security chip 72, and otherwise to refuse the first application program access to the security chip 72.
The security chip 72 is configured to obtain the verification parameter acquisition request sent by the electronic device, obtain the first verification parameter corresponding to the security chip 72, and send the first verification parameter to the electronic device 71 in a verification parameter acquisition request response.
In this way, the access control system of the embodiment of the present invention, through the verification and judgment, makes it convenient to authenticate an LPA that exists in the form of an application program, and allows the application program LPA to access the security chip only when it has the authority to do so, which achieves secure communication.
Below, the eUICC system architecture of the present invention is illustrated by a specific example with reference to Fig. 8.
Specifically, in Fig. 8 the LPAs fall into two classes, as follows:
First class of LPA: integrated in the OS of the electronic device and existing as a function of the OS, such as the second LPA;
Second class of LPA: existing in the form of an application program separate from the OS of the electronic device, such as the first LPA, the operator LPA (MNO LPA) and the third-party LPA.
All LPAs are used to connect the subscription management server SM-DP and the eUICC. The difference is that an LPA of the second class can interact with the eUICC by calling the application programming interface (API), and the specific interaction is carried out by the access control enforcer (AC Enforcer).
The eUICC is provided with an LPA service and an access control applet (AC Applet). Verification parameters are pre-stored in the AC Applet and are used to authenticate the application program LPA. Note that in Fig. 8 a solid line represents an actual physical channel, and a dotted line connects two objects that need to transmit data/commands.
Based on the eUICC system architecture shown in Fig. 8, and referring to Fig. 9, the verification process for the MNO LPA is as follows:
Step 901: The AC Enforcer selects the AC Applet; in general, the AC Enforcer must first select an AC Applet before communicating with it;
Step 902: The AC Applet returns a selection response;
Step 903: The AC Enforcer sends a certificate parameter acquisition request to the AC Applet;
Step 904: The AC Applet returns the CI Cert;
Step 905: The AC Enforcer sends a certificate parameter acquisition request to the MNO LPA;
Step 906: The MNO LPA returns the signing certificate LPA Cert;
Step 907: The AC Enforcer verifies the LPA Cert using the CI Cert; if verification of the LPA Cert fails, the MNO LPA will be unable to call the API for accessing the eUICC;
Step 908: If the LPA Cert is verified, the AC Enforcer uses the LPA Cert to verify the integrity of the MNO LPA; if the verification succeeds, the MNO LPA can call the API for accessing the eUICC normally; otherwise it cannot.
In the flow defined by the existing GSMA specifications, the signing management server does not authenticate the LPA: the LPA is assumed to be provided by the equipment vendor, only a legitimate LPA can access the eUICC, and only the eUICC is authenticated. In the present invention, however, the LPA exists in the form of an application program, whose security is relatively low, so authenticating only the eUICC may introduce risk.
For example, in the eUICC system architecture shown in Fig. 10, MNO LPA1 and MNO LPA2 are application program LPAs provided by operator 1 and operator 2 respectively, and both have the authority to access the eUICC. The signing management server SM-DP+1 corresponds to operator 1, so SM-DP+1 would not want MNO LPA2 to be able to obtain the Profile it generates.
Therefore, in order to improve the legitimacy of the application program LPA's access to the signing management server, the signing management server can be made to authenticate the corresponding application program LPA.
The above is only the preferred embodiment of the present invention. It should be noted that those of ordinary skill in the art can make several improvements and modifications without departing from the principles of the present invention, and these improvements and modifications shall also be regarded as falling within the protection scope of the present invention.
Claims (25)
1. An access control method, characterized in that the method includes:
obtaining a first certificate parameter corresponding to a destination object and a second certificate parameter corresponding to a first application program;
judging, using the first certificate parameter and the second certificate parameter, whether the first application program has the authority to access the destination object;
when it is judged that the first application program has the authority to access the destination object, allowing the first application program to access the destination object, and otherwise refusing the first application program access to the destination object.
2. The method according to claim 1, characterized in that the destination object is a safety chip, and before the step of obtaining the first certificate parameter corresponding to the destination object and the second certificate parameter corresponding to the first application program, the method further includes:
detecting whether an application program requests access to the safety chip;
the step of obtaining the first certificate parameter corresponding to the destination object and the second certificate parameter corresponding to the first application program is specifically:
when it is detected that the first application program requests access to the safety chip, obtaining the first certificate parameter corresponding to the safety chip and the second certificate parameter corresponding to the first application program.
3. The method according to claim 2, characterized in that the method is used for electronic equipment, and the electronic equipment is provided with an application programming interface for interacting with the safety chip;
the step of detecting whether an application program requests access to the safety chip is specifically: detecting the calling of the application programming interface to determine whether an application program requests access to the safety chip;
the step of, when it is judged that the first application program has the authority to access the destination object, allowing the first application program to access the destination object, and otherwise refusing the first application program access to the destination object, is specifically:
when it is judged that the first application program has the authority to access the safety chip, allowing the first application program to call the application programming interface to access the safety chip, and otherwise refusing to let the first application program call the application programming interface to access the safety chip.
4. The method according to claim 2, characterized in that the first certificate parameter is a root certificate stored in advance in the safety chip, and the second certificate parameter is a certificate to be verified provided by the first application program.
5. The method according to claim 4, characterized in that the root certificate stored in advance in the safety chip is provided by the safety chip during start-up of the electronic equipment or upon receiving a certificate parameter acquisition request.
6. The method according to claim 5, characterized in that the step of judging, using the first certificate parameter and the second certificate parameter, whether the first application program has the authority to access the destination object specifically includes:
verifying whether the certificate to be verified is a certificate signed by the root certificate;
when the certificate to be verified is a certificate signed by the root certificate, verifying the integrity of the first application program using the certificate to be verified;
when the first application program is verified to be complete, determining that the first application program has the authority to access the safety chip, and otherwise determining that the first application program does not have the authority to access the safety chip.
7. The method according to any one of claims 2-6, characterized in that the safety chip is a universal embedded integrated circuit card, and the first application program is an application program that connects a signing management server and the universal embedded integrated circuit card and is used for configuration management.
8. The method according to claim 1, characterized in that the destination object is a signing management server, and the method further includes:
obtaining a third certificate parameter sent by a safety chip;
verifying the safety chip according to the third certificate parameter;
wherein the second certificate parameter is sent to the signing management server by the safety chip together with the third certificate parameter, and the safety chip obtains the second certificate parameter from the first application program.
9. An access control apparatus, characterized in that the apparatus includes:
a first acquisition module, for obtaining a first certificate parameter corresponding to a destination object and a second certificate parameter corresponding to a first application program;
a judge module, for judging, using the first certificate parameter and the second certificate parameter, whether the first application program has the authority to access the destination object;
a control module, for allowing the first application program to access the destination object when it is judged that the first application program has the authority to access the destination object, and otherwise refusing the first application program access to the destination object.
10. The apparatus according to claim 9, characterized in that the destination object is a safety chip, and the apparatus further includes:
a detection module, for detecting whether an application program requests access to the safety chip;
the first acquisition module is specifically used for: when it is detected that the first application program requests access to the safety chip, obtaining the first certificate parameter corresponding to the safety chip and the second certificate parameter corresponding to the first application program.
11. The apparatus according to claim 10, characterized in that the apparatus is used for electronic equipment, and the electronic equipment is provided with an application programming interface for interacting with the safety chip;
the detection module is specifically used for: detecting the calling of the application programming interface to determine whether an application program requests access to the safety chip;
the control module is specifically used for: when it is judged that the first application program has the authority to access the safety chip, allowing the first application program to call the application programming interface to access the safety chip, and otherwise refusing to let the first application program call the application programming interface to access the safety chip.
12. The apparatus according to claim 10, characterized in that the first certificate parameter is a root certificate stored in advance in the safety chip, and the second certificate parameter is a certificate to be verified provided by the first application program.
13. The apparatus according to claim 12, characterized in that the root certificate stored in advance in the safety chip is provided by the safety chip during start-up of the electronic equipment or upon receiving a certificate parameter acquisition request.
14. The apparatus according to claim 13, characterized in that the judge module specifically includes:
a first authentication unit, for verifying whether the certificate to be verified is a certificate signed by the root certificate;
a second authentication unit, for verifying the integrity of the first application program using the certificate to be verified when the certificate to be verified is a certificate signed by the root certificate;
a determining unit, for determining that the first application program has the authority to access the safety chip when the first application program is verified to be complete, and otherwise determining that the first application program does not have the authority to access the safety chip.
15. The apparatus according to any one of claims 10-14, characterized in that the safety chip is a universal embedded integrated circuit card, and the first application program is an application program that connects a signing management server and the universal embedded integrated circuit card and is used for configuration management.
16. The apparatus according to claim 9, characterized in that the destination object is a signing management server, and the apparatus further includes:
a second acquisition module, for obtaining a third certificate parameter sent by a safety chip;
an authentication module, for verifying the safety chip according to the third certificate parameter;
wherein the second certificate parameter is sent to the signing management server by the safety chip together with the third certificate parameter, and the safety chip obtains the second certificate parameter from the first application program.
17. An access control method, characterized in that the method includes:
obtaining a certificate parameter acquisition request sent by electronic equipment;
obtaining a first certificate parameter corresponding to a safety chip;
sending the first certificate parameter to the electronic equipment in a response to the certificate parameter acquisition request, so that the electronic equipment can, when detecting that a first application program requests access to the safety chip, judge whether the first application program has the authority to access the safety chip using the first certificate parameter and a second certificate parameter corresponding to the first application program, and, when the first application program has the authority to access the safety chip, allow the first application program to access the safety chip, and otherwise refuse the first application program access to the safety chip.
18. The method according to claim 17, characterized in that the safety chip is a universal embedded integrated circuit card, and the first application program is an application program that connects a signing management server and the universal embedded integrated circuit card and is used for configuration management.
19. The method according to claim 18, characterized in that the method further includes:
receiving the second certificate parameter sent by the electronic equipment;
sending the second certificate parameter, together with a third certificate parameter used for verifying the universal embedded integrated circuit card, to the signing management server, so that the signing management server can verify the first application program using the second certificate parameter and verify the universal embedded integrated circuit card using the third certificate parameter.
20. The method according to claim 17, characterized in that the first certificate parameter is a root certificate stored in advance in the safety chip, and the second certificate parameter is a certificate to be verified provided by the first application program.
21. An access control apparatus, characterized in that the apparatus includes:
a third acquisition module, for obtaining a certificate parameter acquisition request sent by electronic equipment;
a fourth acquisition module, for obtaining a first certificate parameter corresponding to a safety chip;
a first sending module, for sending the first certificate parameter to the electronic equipment in a response to the certificate parameter acquisition request, so that the electronic equipment can, when detecting that a first application program requests access to the safety chip, judge whether the first application program has the authority to access the safety chip using the first certificate parameter and a second certificate parameter corresponding to the first application program, and, when the first application program has the authority to access the safety chip, allow the first application program to access the safety chip, and otherwise refuse the first application program access to the safety chip.
22. The apparatus according to claim 21, characterized in that the safety chip is a universal embedded integrated circuit card, and the first application program is an application program that connects a signing management server and the universal embedded integrated circuit card and is used for configuration management.
23. The apparatus according to claim 22, characterized in that the apparatus further includes:
a receiving module, for receiving the second certificate parameter sent by the electronic equipment;
a second sending module, for sending the second certificate parameter, together with a third certificate parameter used for verifying the universal embedded integrated circuit card, to the signing management server, so that the signing management server can verify the first application program using the second certificate parameter and verify the universal embedded integrated circuit card using the third certificate parameter.
24. The access control apparatus according to claim 21, characterized in that the first certificate parameter is a root certificate stored in advance in the safety chip, and the second certificate parameter is a certificate to be verified provided by the first application program.
25. An access control system, characterized in that the system includes electronic equipment and a safety chip;
wherein the electronic equipment is used to detect whether an application program requests access to the safety chip; when detecting that a first application program requests access to the safety chip, obtain a first certificate parameter corresponding to the safety chip and a second certificate parameter corresponding to the first application program; judge, using the first certificate parameter and the second certificate parameter, whether the first application program has the authority to access the safety chip; and, when judging that the first application program has the authority to access the safety chip, allow the first application program to access the safety chip, and otherwise refuse the first application program access to the safety chip;
the safety chip is used to obtain the certificate parameter acquisition request sent by the electronic equipment, obtain the first certificate parameter corresponding to the safety chip, and send the first certificate parameter to the electronic equipment in a response to the certificate parameter acquisition request.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610682386.8A CN107766717B (en) | 2016-08-17 | 2016-08-17 | Access control method, device and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107766717A (en) | 2018-03-06 |
CN107766717B (en) | 2020-04-14 |
Family
ID=61261390
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610682386.8A Active CN107766717B (en) | 2016-08-17 | 2016-08-17 | Access control method, device and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107766717B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN107766717B (en) | 2020-04-14 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||