CN109196891A - Management method, terminal and server for a subscription data set
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W8/00—Network data management
- H04W8/18—Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
Abstract
Embodiments of the present invention provide a management method, a terminal and a server for a subscription data set. In the method, when the terminal downloads a subscription data set from the subscription management server to the eUICC, the terminal learns the authentication information of a third-party application. When the third-party application requests a management operation on a subscription data set in the eUICC, the terminal looks up the stored subscription data set according to the subscription data set identifier returned by the third-party application server. The terminal then verifies, according to the authentication information of the third-party application stored in the subscription data set, whether the third-party application has permission to trigger a management operation on the subscription data set in the eUICC. Using the terminal's existing eUICC system architecture, and without adding an extra application module, the subscription data set in the eUICC can be managed through a third-party application, which adds a management entry point for the subscription data sets in the eUICC.
Description
The present invention relates to the communications field, and in particular to a management method, a terminal and a server for a subscription data set.
At present, a terminal user buys a SIM (Subscriber Identification Module) card or a UICC (Universal Integrated Circuit Card) from an operator and, by inserting the SIM card or UICC into a terminal (device), can access the operator's network according to the data set written in the card. An eUICC is a UICC that supports secure remote management of subscription data sets (profiles) and/or local management of profiles.
Because the eUICC is usually integrated into the terminal by the terminal manufacturer, rather than purchased and manufactured by the operator, the eUICC may not contain data for accessing an operator's network when the terminal leaves the factory. The terminal needs to use remote management technology to connect to the SM-DP+ (Subscription Manager Data Preparation+, the subscription management data preparation entity), receive the profile issued by the SM-DP+, and download the profile into the eUICC; the eUICC can then use the profile to access the operator's network. When a profile is active, the eUICC functions in the same way as a traditional UICC and can be used to access the network of the corresponding mobile network operator. The terminal further includes an LPA (Local Profile Assistant), which manages the profiles in the eUICC, for example downloading new profiles, activating downloaded profiles, deactivating profiles and deleting profiles.
At present the terminal can manage the profiles in the eUICC only through the LPA; the user cannot manage them through a third-party application (Application), such as an operator's application client.
Summary of the invention
Embodiments of the present invention provide a management method, a terminal and a server for a subscription data set, which use the system architecture and access control mechanism of the current eUICC to let a third-party application in the terminal manage the profiles in the eUICC.
To achieve the above objective, the embodiments of the present invention adopt the following technical solutions:
In a first aspect, a management method for a subscription data set is disclosed. The method is performed by a terminal that includes an integrated circuit card eUICC, an LPA (Local Profile Assistant) and a third-party application, and the method includes:
The terminal obtains a subscription data set from the subscription management server, where the subscription data set includes authentication information of the third-party application;
The terminal receives a first request sent by the third-party application server, where the first request carries the identifier ICCID of the subscription data set and is used to trigger a management operation on the subscription data set in the eUICC;
The terminal obtains, according to the identifier ICCID of the subscription data set, the authentication information of the third-party application included in the subscription data set in the eUICC;
The terminal obtains the certificate information of the third-party application stored in the terminal;
The terminal determines, according to the authentication information of the third-party application in the subscription data set and the certificate information of the third-party application, whether the third-party application has permission to trigger a management operation on the subscription data set;
If the third-party application has permission to trigger a management operation on the subscription data set, the terminal performs the management operation on the subscription data set.
In the embodiments of the present invention, using the terminal's existing eUICC system architecture and without adding an extra application module, the subscription data set in the eUICC is managed through a third-party application, which adds a management entry point for the subscription data sets in the eUICC.
With reference to the first aspect, in a first possible implementation of the first aspect, before the terminal receives the first request sent by the third-party application server, the method further includes:
The third-party application of the terminal sends a first management operation request to the third-party application server, where the first management operation request includes the management operation that the third-party application requests to perform on the subscription data set in the eUICC.
With reference to the first aspect, in a second possible implementation of the first aspect, before the terminal receives the first request sent by the third-party application server, the method further includes:
The third-party application server generates the management operation to be performed on the subscription data set in the eUICC.
With reference to the first aspect and its first and second possible implementations, in a third possible implementation of the first aspect, before the terminal obtains, according to the identifier ICCID of the subscription data set, the authentication information of the third-party application included in the subscription data set in the eUICC, the method further includes:
The terminal receives the eUICC identifier EID returned by the third-party application server;
The terminal determines whether the eUICC identifier EID returned by the third-party application server is the same as the identifier EID of the terminal's eUICC;
If the terminal determines that the eUICC identifier EID returned by the third-party application server is the same as the identifier EID of the terminal's eUICC, the terminal obtains, according to the identifier ICCID of the subscription data set, the authentication information of the third-party application included in the subscription data set in the eUICC.
With reference to the first aspect and its first to third possible implementations, in a fourth possible implementation of the first aspect, the terminal determining, according to the authentication information of the third-party application in the subscription data set and the certificate information of the third-party application, whether the third-party application has permission to trigger a management operation on the subscription data set includes:
The LPA of the terminal determines, according to the authentication information of the third-party application in the subscription data set and the certificate information of the third-party application, whether the third-party application has permission to trigger a management operation on the subscription data set;
Alternatively, the eUICC of the terminal determines, according to the authentication information of the third-party application in the subscription data set and the certificate information of the third-party application, whether the third-party application has permission to trigger a management operation on the subscription data set.
With reference to the first aspect and its first to fourth possible implementations, in a fifth possible implementation of the first aspect, the terminal performing the management operation on the subscription data set includes:
The LPA of the terminal sends a management instruction acquisition request to the subscription management server according to the first request;
The LPA of the terminal receives the management instruction returned by the subscription management server in response to the management instruction acquisition request;
The LPA of the terminal performs, according to the management instruction, the management operation in the first management operation request on the subscription data set in the eUICC.
With reference to the first aspect and its first to fourth possible implementations, in a sixth possible implementation of the first aspect, the method further includes:
The first request includes an instruction indicating the management operation;
The terminal performing the management operation on the subscription data set includes:
The LPA of the terminal performs, according to the first request, the management operation indicated in the first request on the subscription data set in the eUICC.
In a second aspect, a management method for a subscription data set is disclosed. The method is performed by a subscription management server and is characterized in that the method includes:
The subscription management server receives a second management operation request sent by a third-party application server, where the second management operation request includes the management operation to be performed on the subscription data set in the terminal, the identifier ICCID of the subscription data set in the terminal, the identifier EID of the terminal's eUICC, and the authentication information of the third-party application in the terminal;
The subscription management server sends a management request response to the third-party application server, where the management request response includes the identifier ICCID of the subscription data set in the terminal and the identifier EID of the terminal's eUICC;
Specifically, after the subscription management server sends the management request response to the third-party application server, the third-party application server sends the identifier ICCID of the subscription data set in the terminal to the terminal;
The subscription management server obtains a management instruction acquisition request sent by the terminal, where the management instruction acquisition request carries the identifier EID of the terminal's eUICC and the certificate information of the third-party application stored in the terminal;
The subscription management server verifies, according to the management instruction acquisition request and the second management operation request, whether the third-party application in the terminal has permission to trigger a management operation on the subscription data set in the terminal's eUICC;
If the subscription management server verifies that the third-party application in the terminal has permission to trigger a management operation on the subscription data set in the terminal's eUICC, the subscription management server returns a management instruction to the terminal, so that the terminal performs the management operation on the subscription data set in the terminal's eUICC according to the management instruction.
In the embodiments of the present invention, using the terminal's existing eUICC system architecture and without adding an extra application module, the subscription data set in the eUICC is managed through a third-party application, which adds a management entry point for the subscription data sets in the eUICC. Placing the authorization check of the MNO APP on the network side further reduces the complexity of the method flow and simplifies the authentication operation on the terminal side.
With reference to the second aspect, in a first possible implementation of the second aspect, the subscription management server verifying, according to the management instruction acquisition request and the second management operation request, whether the third-party application in the terminal has permission to trigger a management operation on the subscription data set in the terminal's eUICC includes:
The subscription management server looks up, according to the identifier EID of the terminal's eUICC in the management instruction acquisition request, the second management operation request associated with that EID;
The subscription management server determines whether the certificate information of the third-party application carried in the management instruction acquisition request is the same as the authentication information of the third-party application in the second management operation request;
If the certificate information of the third-party application carried in the management instruction acquisition request is the same as the authentication information of the third-party application in the second management operation request, it is determined that the third-party application in the terminal has permission to perform a management operation on the subscription data set in the terminal's eUICC.
With reference to the second aspect and its first possible implementation, in a second possible implementation of the second aspect, the management request response sent by the subscription management server further includes a registration event identifier (event ID), which identifies the management operation event that the subscription management server registers according to the second management operation request;
The management instruction acquisition request that the subscription management server obtains from the terminal also carries the event ID;
The subscription management server verifying, according to the management instruction acquisition request and the second management operation request, whether the third-party application in the terminal has permission to trigger a management operation on the subscription data set in the terminal's eUICC includes:
The subscription management server looks up, according to the event ID in the management instruction acquisition request, the second management operation request associated with that event ID;
The subscription management server determines whether the certificate information of the third-party application carried in the management instruction acquisition request is the same as the authentication information of the third-party application in the second management operation request;
If the certificate information of the third-party application carried in the management instruction acquisition request is the same as the authentication information of the third-party application in the second management operation request, the third-party application in the terminal has permission to perform a management operation on the subscription data set in the terminal's eUICC.
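The server-side verification of the second aspect, modelled as an added example that is not code from the patent: the subscription management server registers the second management operation request, then matches a later management instruction acquisition request by EID or by event ID. The class and field names, the SHA-256 form of the certificate information, the extra EID check on event-ID lookups and all sample values are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample values (not from the patent).
SAMPLE_EID = "89049032000000000000000000000123"
SAMPLE_ICCID = "8986000000000000001"
INFO_APP_A = hashlib.sha256(b"constructed signing cert of app A").hexdigest()
INFO_APP_B = hashlib.sha256(b"constructed signing cert of app B").hexdigest()


@dataclass(frozen=True)
class SecondRequest:
    """Second management operation request: app server -> subscription manager."""
    operation: str       # management operation to perform on the profile
    iccid: str           # identifier of the subscription data set
    eid: str             # identifier of the terminal's eUICC
    app_auth_info: str   # authentication information of the third-party app


@dataclass(frozen=True)
class InstructionRequest:
    """Management instruction acquisition request: terminal (LPA) -> server."""
    eid: str
    app_cert_info: str             # certificate information stored in the terminal
    event_id: str | None = None    # present only in the event-ID variant


class SubscriptionManager:
    def __init__(self) -> None:
        self._registered: dict[str, SecondRequest] = {}

    def register(self, req: SecondRequest) -> dict:
        """Register the management event; return the management request response."""
        event_id = secrets.token_hex(8)
        self._registered[event_id] = req
        return {"iccid": req.iccid, "eid": req.eid, "event_id": event_id}

    def _lookup(self, ireq: InstructionRequest) -> list[SecondRequest]:
        if ireq.event_id is not None:
            reg = self._registered.get(ireq.event_id)
            # Assumption: also require the EID to match the registered one.
            return [reg] if reg is not None and reg.eid == ireq.eid else []
        # EID-only variant: several requests may be pending for one eUICC.
        return [r for r in self._registered.values() if r.eid == ireq.eid]

    def get_instruction(self, ireq: InstructionRequest) -> dict | None:
        """Return a management instruction only if the certificate information
        equals the authentication information of a registered request."""
        for reg in self._lookup(ireq):
            if hmac.compare_digest(reg.app_auth_info, ireq.app_cert_info):
                return {"operation": reg.operation, "iccid": reg.iccid}
        return None  # no instruction is issued to an unverified application


if __name__ == "__main__":
    sm = SubscriptionManager()
    resp = sm.register(SecondRequest("activate", SAMPLE_ICCID, SAMPLE_EID, INFO_APP_A))
    print(sm.get_instruction(InstructionRequest(SAMPLE_EID, INFO_APP_A)))
    print(sm.get_instruction(
        InstructionRequest(SAMPLE_EID, INFO_APP_B, resp["event_id"])))
```

With two applications holding pending requests for the same eUICC, the event-ID variant binds the terminal's request to one registered event, whereas the EID-only variant has to search every pending request for that EID.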
In a third aspect, a terminal is disclosed, characterized in that the terminal includes a transceiver, an integrated circuit card eUICC for storing subscription data sets, a memory, and one or more processors for executing one or more programs stored in the memory,
The one or more processors are configured to:
Control the transceiver to obtain a subscription data set from the subscription management server, where the subscription data set includes authentication information of a third-party application;
Receive, via the transceiver, a first request sent by the third-party application server, where the first request carries the identifier ICCID of the subscription data set and is used to trigger a management operation on the subscription data set in the eUICC;
Obtain, according to the identifier ICCID of the subscription data set, the authentication information of the third-party application included in the subscription data set in the eUICC;
Obtain the certificate information of the third-party application stored in the terminal;
Determine, according to the authentication information of the third-party application in the subscription data set and the certificate information of the third-party application, whether the third-party application has permission to trigger a management operation on the subscription data set;
If the third-party application has permission to trigger a management operation on the subscription data set, perform the management operation on the subscription data set.
In the embodiments of the present invention, using the terminal's existing eUICC system architecture and without adding an extra application module, the subscription data set in the eUICC is managed through a third-party application, which adds a management entry point for the subscription data sets in the eUICC.
With reference to the third aspect, in a first possible implementation of the third aspect, the processor is further configured to:
Control the transceiver to send a first management operation request to the third-party application server, where the first management operation request includes the management operation that the third-party application requests to perform on the subscription data set in the eUICC.
With reference to the third aspect, in a second possible implementation of the third aspect, the third-party application server generates the management operation to be performed on the subscription data set in the eUICC.
With reference to the third aspect and its first and second possible implementations, in a third possible implementation of the third aspect, the processor is further configured to:
Receive, via the transceiver, the eUICC identifier EID returned by the third-party application server;
Determine whether the eUICC identifier EID returned by the third-party application server is the same as the identifier EID of the terminal's eUICC;
If it is determined that the eUICC identifier EID returned by the third-party application server is the same as the identifier EID of the terminal's eUICC, obtain, according to the identifier ICCID of the subscription data set, the authentication information of the third-party application included in the subscription data set in the eUICC.
With reference to the third aspect and its first to third possible implementations, in a fourth possible implementation of the third aspect, the processor is further configured to:
Instruct the LPA of the terminal to determine, according to the authentication information of the third-party application in the subscription data set and the certificate information of the third-party application, whether the third-party application has permission to trigger a management operation on the subscription data set;
Alternatively, instruct the eUICC of the terminal to determine, according to the authentication information of the third-party application in the subscription data set and the certificate information of the third-party application, whether the third-party application has permission to trigger a management operation on the subscription data set.
With reference to the third aspect and its first to fourth possible implementations, in a fifth possible implementation of the third aspect, the processor is further configured to:
Instruct the LPA of the terminal to send a management instruction acquisition request to the subscription management server according to the first request;
Receive, via the transceiver, the management instruction returned by the subscription management server in response to the management instruction acquisition request;
Instruct the LPA of the terminal to perform, according to the management instruction, the management operation in the first management operation request on the subscription data set in the eUICC.
With reference to the third aspect and its first to fourth possible implementations, in a sixth possible implementation of the third aspect, the first request includes a management command indicating the management operation;
The processor is further configured to:
Instruct the LPA of the terminal to perform, according to the first request, the management operation indicated in the first request on the subscription data set in the eUICC.
In a fourth aspect, a subscription management server is disclosed, comprising a transceiver, a memory, and one or more processors for executing one or more programs stored in the memory,
The one or more processors are configured to:
Receive, via the transceiver, a second management operation request sent by a third-party application server, where the second management operation request includes the management operation to be performed on the subscription data set in the terminal, the identifier ICCID of the subscription data set in the terminal, the identifier EID of the terminal's eUICC, and the authentication information of the third-party application in the terminal;
Generate a management request response and control the transceiver to send the management request response to the third-party application server, where the management request response includes the identifier ICCID of the subscription data set in the terminal and the identifier EID of the terminal's eUICC, so that the third-party application server sends the identifier ICCID of the subscription data set in the terminal and the identifier EID of the terminal's eUICC to the terminal;
Receive, via the transceiver, a management instruction acquisition request sent by the terminal, where the management instruction acquisition request carries the identifier EID of the terminal's eUICC and the certificate information of the third-party application stored in the terminal;
Verify, according to the management instruction acquisition request and the second management operation request, whether the third-party application in the terminal has permission to trigger a management operation on the subscription data set in the terminal's eUICC;
If the subscription management server verifies that the third-party application in the terminal has permission to trigger a management operation on the subscription data set in the terminal's eUICC, control the transceiver to return a management instruction to the terminal, so that the terminal performs the management operation on the subscription data set in the terminal's eUICC according to the management instruction.
In the embodiments of the present invention, using the terminal's existing eUICC system architecture and without adding an extra application module, the subscription data set in the eUICC is managed through a third-party application, which adds a management entry point for the subscription data sets in the eUICC. Placing the authorization check of the MNO APP on the network side further reduces the complexity of the method flow and simplifies the authentication operation on the terminal side.
With reference to the fourth aspect, in a first possible implementation of the fourth aspect, the one or more processors are further configured to:
Look up, according to the identifier EID of the terminal's eUICC in the management instruction acquisition request, the second management operation request associated with that EID;
Determine whether the certificate information of the third-party application carried in the management instruction acquisition request is the same as the authentication information of the third-party application in the second management operation request;
If the certificate information of the third-party application carried in the management instruction acquisition request is the same as the authentication information of the third-party application in the second management operation request, determine that the third-party application in the terminal has permission to perform a management operation on the subscription data set in the terminal's eUICC.
With reference to the fourth aspect and its first possible implementation, in a second possible implementation of the fourth aspect, the management request response further includes a registration event identifier (event ID), which identifies the management operation event that the subscription management server registers according to the second management operation request;
The management instruction acquisition request also carries the event ID;
The one or more processors are further configured to:
Look up, according to the event ID in the management instruction acquisition request, the second management operation request associated with that event ID;
Determine whether the certificate information of the third-party application carried in the management instruction acquisition request is the same as the authentication information of the third-party application in the second management operation request;
If the certificate information of the third-party application carried in the management instruction acquisition request is the same as the authentication information of the third-party application in the second management operation request, determine that the third-party application in the terminal has permission to perform a management operation on the subscription data set in the terminal's eUICC.
Figure 1A is an application scenario diagram of managing the profile in the terminal's eUICC through a third-party application;
Figure 1B is an architecture diagram of the remote management system of the eUICC;
Fig. 2 is a flow diagram of a management method for a subscription data set provided by an embodiment of the present invention;
Fig. 3 is a signaling interaction diagram of a management method for a subscription data set provided by an embodiment of the present invention;
Fig. 4 is a signaling interaction diagram of another management method for a subscription data set provided by an embodiment of the present invention;
Fig. 5 is a signaling interaction diagram of another management method for a subscription data set provided by an embodiment of the present invention;
Fig. 6 is a signaling interaction diagram of another management method for a subscription data set provided by an embodiment of the present invention;
Fig. 7 is a flow diagram of another management method for a subscription data set provided by an embodiment of the present invention;
Fig. 8 is a signaling interaction diagram of another management method for a subscription data set provided by an embodiment of the present invention;
Fig. 9 is a signaling interaction diagram of another management method for a subscription data set provided by an embodiment of the present invention;
Figure 10 is a structural block diagram of a terminal provided by an embodiment of the present invention;
Figure 11 is a structural block diagram of a subscription management server provided by an embodiment of the present invention.
Existing SIM cards or UICC cards are usually ordered centrally from card vendors by the MNO (Mobile Network Operator), so the network access applications and data needed to access the operator's network are downloaded into the card before it leaves the factory, for example: USIM (Universal Subscriber Identity Module), IMSI (International Mobile Subscriber Identity), KI (Key Identity, the individual subscriber authentication key) and so on. In this way, after buying a SIM card or UICC card and inserting it into a terminal (device), the user can access the operator's network.
Unlike a UICC card, an eUICC is usually a UICC embedded in the terminal. An eUICC is not necessarily purchased from a card vendor by the operator; it may also be purchased by the terminal manufacturer and then integrated into the terminal. So after leaving the factory the eUICC may not contain data for accessing an operator's network, and this data must be downloaded remotely, for example a subscription data set (profile: a set of data and applications configured in the eUICC and used to provide services); only then can the operator's network be accessed according to this data. After a profile is downloaded into the eUICC, the user can perform management operations such as activating, deactivating or deleting the profile, or downloading a new profile. Currently, management operations on the profiles in the eUICC can be performed only through the LPA in the terminal. This is a single management entry point, and users want to manage the profiles in the eUICC through more entry points.
The embodiments of the present application provide an application scenario in which the profile in the terminal's eUICC is managed through a third-party application. Figure 1A is the application scenario diagram of managing the profile in the terminal's eUICC through a third-party application. As shown in Figure 1A:
The user starts the operator application (MNO APP) on the terminal desktop and enters a user name and password to log in to the operator's application server. According to the user's subscription information, the operator application displays the subscription data set download operations and management operations that the user can trigger through the operator application. After the user selects "manage profile", the operator application displays the management operation types that the user can trigger. Because multiple profiles may have been downloaded to the terminal, the operator application may display the management operation types that the user can trigger for one or more profiles. For example, if the user selects "activate profile X", the user wishes to activate "profile X" in the terminal. After "profile X" is activated successfully, the operator application displays a UI indicating that the activation succeeded.
The operator application is only an example; the embodiments of the present application are not limited to this one kind of third-party application.
In order to realize the above application scenario, in which the profile in the eUICC is managed through a third-party application such as an operator application without adding any additional application, the embodiments of the present invention propose the following two technical solutions based on the current eUICC system architecture and access control mechanisms.
One, the administration authority information with which a third-party application may perform management operations on the profile in the eUICC is preset in the profile at SM-DP+. After the terminal has downloaded from SM-DP+ the profile containing the third-party application's administration authority information, the terminal knows the third-party application's authority to perform management operations on the profile in the eUICC. For example, third-party application A's authority over the profile in the eUICC is activation and deactivation; application A must not perform a delete operation on the profile in the eUICC. Or third-party application B is only allowed to call a part of the application programming interfaces (Application Programming Interface, API) of the LPA in the terminal and must not call the other APIs of the LPA.
When the third-party application initiates a management operation on a profile in the eUICC, the eUICC or the LPA of the terminal can verify whether the third-party application has permission to manage the profile in the eUICC. If the verification passes, the third-party application is allowed to perform management operations on the profile in the eUICC, such as activating, deactivating or deleting it, or downloading a new profile.
Two, when the third-party application initiates a management operation on a profile in the eUICC, the server of the third-party application sends the management operation and the certificate information of the third-party application to SM-DP+. Server systems such as SM-DP+ or SM-DS (Subscription Manager-Discovery Server) verify whether the third-party application has permission to manage the profile in the eUICC. If the verification passes, the third-party application is allowed to perform management operations on the profile in the eUICC, such as activating, deactivating or deleting it, or downloading a new profile.
First, the systems and terms involved in the embodiments of the present invention are described below:
One, Figure 1B is an architecture diagram of a remote management system for an eUICC provided by an embodiment of the present invention. With reference to Figure 1B, the system includes an SM-DP+ (Subscription Manager Data Preparation+) server, an SM-DS (Subscription Manager-Discovery Server), an operator (Operator), a card vendor (EUM), a certificate issuer CI (Certificate Issuer), a terminal (Terminal) and a user (End User).
In addition, the interfaces between the entities are introduced as follows: ES6 is the interface between the eUICC and the operator; ES2+ is the interface between the operator and SM-DP+; ES8+ is the interface between the eUICC and SM-DP+; ES11 is the interface between the LDS (Local Discovery Service) of the terminal and SM-DS; ES12 is the interface between SM-DS and SM-DP+; ES10a is the interface between the LDS and the eUICC; ES10c is the interface between the LUI (local user interface) and the eUICC; ESci is the interface between the EUM and the CI, or between the CI and SM-DP+; ESeum is the interface between the EUM and the eUICC; ESop is the interface through which the user (End User) interacts with the operator; ESeu is the interface between the End User and the LUI; ES9+ is the interface between SM-DP+ and the LPD (local profile download); ES10b is the interface between the LPD and the eUICC.
The functions of SM-DP+ include generating subscription data collections (profiles), protecting them (for example, encryption), storing them, binding them (for example, binding a profile to an Event ID), sending or downloading them, remote subscription data collection management, SM-DS event registration, and so on. SM-DS is mainly responsible for receiving the event (Event) registrations sent by SM-DP+ and sending events to the terminal. An event is either a subscription data collection download event or a subscription data collection management event. The terminal downloads the subscription data collection from SM-DP+ according to the subscription data collection download event; alternatively, the terminal obtains the administration command for the subscription data collection from SM-DP+ according to the subscription data collection management event.
Further, with reference to Figure 1B, the terminal contains the LPA and the eUICC, and the LPA includes the LDS, the LPD and the LUI. In a specific implementation, the LDS of the terminal queries SM-DS for events, and the LPD is responsible for downloading subscription data collections: the LPD downloads the profile from SM-DP+ over an HTTPS (Hypertext Transfer Protocol Secure) secure link and then sends the downloaded subscription data collection to the eUICC through local APDU commands. Here a subscription data collection is a set of file structures, data, application programs and so on, and may include one or more network access applications and the corresponding network access credentials. It should be noted that in the embodiments of the present invention "subscription data collection" is a general term that covers both the subscription data collection installed on the eUICC of the terminal and the profile package stored in SM-DP+.
In addition, the LUI of the terminal provides the interaction logic and interface with the user; through the LUI the user can manage profiles, for example download a new profile, activate a profile, deactivate a profile or delete a profile.
According to the eUICC system architecture of current terminals, the LPA can communicate with the eUICC, while other third-party applications (APPs) need to call the application programming interfaces (APIs) opened by the LPA in order to communicate with the eUICC. To secure calls to the LPA's APIs, it is necessary to verify whether the third-party application has permission to call the LPA API and perform management operations on the corresponding profile in the eUICC.
Embodiment one
An embodiment of the present invention provides a management method for a subscription data collection. As shown in Fig. 2, the method comprises the following steps:
101, The terminal obtains a subscription data collection from the signing management server; the subscription data collection includes the authentication information of a third-party application.
The terminal downloads the subscription data collection from the signing management server into the terminal's eUICC, either automatically or according to a download instruction entered by the user. The authentication information of the third-party application can be carried in the metadata of the subscription data collection; specifically, it can be added to the data field of the StoreMetadata command. After the subscription data collection has been downloaded into the eUICC, its metadata can be stored in the security domain (Issuer Security Domain-Profile, ISD-P) that the eUICC creates for the subscription data collection. The authentication information of the third-party application may include the hash value of the third-party application's certificate.
The signing management server can be an SM-DP+ (Subscription Manager Data Preparation+) server. It can also be an SM-DP+ server and an SM-DS (Subscription Manager-Discovery Server). No specific limitation is imposed here.
Optionally, the authentication information of the third-party application can also include the hash algorithm of the third-party application's certificate, the package name, the LPA APIs that the third-party application is allowed to access, and so on. Optionally, if the authentication information of the third-party application does not include the LPA APIs that the third-party application is allowed to access, the third-party application is allowed to access all open APIs of the LPA.
Optionally, the authentication information of the third-party application can also include the management operation types that the third-party application is allowed to perform on the subscription data collection in the eUICC.
The authentication information of the third-party application can be preset in SM-DP+ by the Mobile Network Operator (MNO) through the MNO portal server, or it can be supplied to SM-DP+ by the MNO when the MNO orders the profile from SM-DP+.
102, the third-party application of the terminal sends the first management operation request to third-party application server.
The first management operation request includes the management operation that the third-party application requests to be performed on the subscription data collection in the eUICC.
After the terminal starts the third-party application, the third-party application logs in to the third-party application server. The user enters, through the user interface of the third-party application, a management operation for managing the subscription data collection in the eUICC. The third-party application sends to the third-party application server a request message carrying the management operation to be performed on the subscription data collection in the eUICC.
Specifically, the third-party application server is a server belonging to the operator (Operator) in the architecture shown in Figure 1B. Alternatively, the third-party application server communicates with the signing management server through the operator (Operator).
In another embodiment, step 102 may be omitted. The third-party application server can also be triggered by other events to generate the management operation to be performed on the subscription data collection in the eUICC, without the third-party application sending the first management operation request to the third-party application server.
103, terminal receives the first request that third-party application server is sent, wherein carrying the mark ICCID of subscription data collection in the first request.
First request executes management operation to the subscription data collection in the eUICC for triggering.
Specifically, after the third-party application server receives the first management operation request sent by the terminal's third-party application, or after the third-party application server itself generates the management operation to be performed on the subscription data collection in the eUICC, the third-party application server can send the management operation in the first management operation request to the signing management server, receive the identifier ICCID of the subscription data collection returned by the signing management server, and then generate the first request and send it to the terminal. Alternatively, the third-party application server can generate the first request directly and send the first request, carrying the identifier ICCID of the subscription data collection, to the terminal. No specific limitation is imposed here.
Optionally, the mark EID of eUICC can also be carried in the first request.
Optionally, the first request can also carry an indication of the management operation that the third-party application is to perform on the subscription data collection in the eUICC. Alternatively, the first request is itself the administration command for the management operation that the third-party application performs on the subscription data collection in the eUICC. For example, the first request is an enable profile command.
104, terminal obtains the authentication information for the third-party application that subscription data collection includes in eUICC according to the mark ICCID of the subscription data collection.
Using the identifier ICCID of the subscription data collection returned by the third-party application server, the terminal obtains the information of the subscription data collection in the eUICC that corresponds to that ICCID. Because the eUICC of the terminal may contain multiple subscription data collections, the ICCID returned by the signing management server is what allows the terminal to find the subscription data collection on which the third-party application needs to trigger the management operation.
After the terminal has found the subscription data collection in the eUICC, it further obtains the authentication information of the third-party application stored in the subscription data collection. Specifically, it obtains the authentication information of the third-party application from the metadata of the subscription data collection. The authentication information of the third-party application may include the hash value of the third-party application's certificate. Optionally, it can also include the hash algorithm of the third-party application's certificate, the package name, the LPA APIs that the third-party application is allowed to access, and so on.
Optionally, if the signing management server also returns the identifier EID of the terminal's eUICC, the terminal further determines whether the EID returned by the signing management server is consistent with the EID of the eUICC in the terminal. Step 104 is executed only if the two EIDs are consistent.
105, terminal obtains the certificate information of the third-party application stored in the terminal.
When third-party application is installed on terminal, the certificate information of the third-party application will be stored in terminal.Specifically, certificate information may include the information such as the packet name of the certificate of third-party application, the third-party application.
Specifically, if the authentication information of the third-party application stored in the eUICC in step 104 includes a hash algorithm, the terminal obtains the certificate of the third-party application from the operating system and calculates the hash value using the hash algorithm in the authentication information; or the terminal calculates the hash value using a default hash algorithm; or the terminal obtains from the operating system the hash value of the third-party certificate computed according to the hash algorithm in the authentication information or the default hash algorithm. If the authentication information of the third-party application stored in the eUICC in step 104 also includes the package name of the third-party application, the terminal obtains the package name of the third-party application from the operating system.
106, the certificate information of the authentication information for the third-party application that terminal is concentrated according to the subscription data and the third-party application determines whether the third-party application has permission and triggers management operation to the subscription data collection.
The certificate information of the third-party application obtained in the authentication information and step 105 of the third-party application that terminal is concentrated according to the subscription data obtained in step 104 determines whether the third-party application has permission and triggers management operation to the subscription data collection.
For example, the terminal judges whether the hash value in the authentication information of the third-party application is consistent with the hash value of the third-party application's certificate. It also judges whether the package name in the authentication information of the third-party application is consistent with the package name in the certificate information of the third-party application.
The executing subject of step 106 can be the LPA of terminal, be also possible to the eUICC of terminal.
107, If the third-party application has permission to trigger the management operation on the subscription data collection, the terminal executes the management operation on the subscription data collection.
If the result of the judgment in step 106 is "consistent", the third-party application has permission to trigger the management operation on the subscription data collection. If the result of the judgment in step 106 is "inconsistent", the third-party application does not have permission to perform the management operation on the subscription data collection; the flow ends, and the third-party application is not allowed to perform the management operation on the subscription data collection in the eUICC.
There are many ways to terminal executes management operation to subscription data collection in step 107, is not specifically limited herein.It is exemplified below:
Example one:
The LPA of the terminal sends management instruction acquisition request to the signing management server according to first request.
The LPA of the terminal receives the management instruction that the signing management server returns in response to the management instruction acquisition request.
The LPA of the terminal is instructed according to the management, executes the operation of the management in first management operation request to the subscription data collection in the eUICC.
Example two:
According to the first request, the LPA of the terminal executes on the subscription data collection in the eUICC the management operation indicated in the first request. In this case, the first request that the terminal receives from the third-party application server includes an instruction indicating the management operation.
The authentication information of the third-party application is preset in the subscription data collection, so when the terminal downloads the subscription data collection from the signing management server into the eUICC, the terminal learns the authentication information of the third-party application. When the third-party application requests a management operation on the subscription data collection in the eUICC, the terminal looks up the stored subscription data collection using the subscription data collection identifier returned by the third-party application server. The terminal then uses the authentication information of the third-party application stored in the subscription data collection to verify whether the third-party application has permission to trigger the management operation on the subscription data collection in the eUICC. In the embodiments of the present invention, the existing eUICC system architecture of current terminals is used and no additional application module is added, yet the subscription data collection in the eUICC can be managed through a third-party application, which adds an administration entry point for the subscription data collection in the eUICC.
Specifically, the executing subject of step 106 can be the LPA in terminal, can also be the eUICC in terminal.
Two specific embodiments are described in detail below. It is assumed that the third-party application is an operator application (MNO APP) developed by the operator and installed in the terminal.
Embodiment two
As shown in Fig. 3, the network elements involved in embodiment two are the terminal, the portal server of the Mobile Network Operator (MNO portal) and the signing management server. Specifically, the terminal includes the eUICC, the LPA and the operator application (MNO APP) installed in the terminal. The signing management server includes the SM-DP+ server and the SM-DS server. The LPA in the terminal determines whether the operator application (MNO APP) in the terminal has permission to perform management operations on the subscription data collection in the terminal. The specific signalling exchange is as follows:
1, The Mobile Network Operator (MNO) develops an operator application (MNO APP) to be installed on terminals. When the operator application is installed on the terminal, the terminal stores the certificate information of the operator application, such as the certificate and the package name. To allow the user to manage the profiles in the terminal's eUICC directly through the operator application, when the MNO customizes the subscription data collection in SM-DP+ in advance through the MNO portal server, the authentication information of the application is stored in the metadata of the subscription data collection.
The authentication information of the operator application includes the hash value of the operator application's certificate. Optionally, it can also include the hash algorithm of the operator application's certificate, the package name, the LPA APIs that the operator application is allowed to access, and so on.
2, When the terminal has downloaded the MNO's subscription data collection from SM-DP+, the authentication information of the application developed by the operator is downloaded to the terminal together with the subscription data collection. Specifically, the authentication information of the operator application can be stored in the metadata of the subscription data collection. After the subscription data collection has been downloaded into the terminal's eUICC, the metadata of the subscription data collection can be stored in the security domain (ISD-P) that the eUICC creates for the subscription data collection.
When the terminal has finished downloading the MNO's subscription data collection, the terminal's subscription data collection download record can be stored in the MNO portal server. Specifically, the download record may include the identifier ICCID of the downloaded subscription data collection, the identifier EID of the eUICC that downloaded the subscription data collection, and so on.
3, The user opens the operator application (MNO APP) client on the terminal and logs in to the MNO portal.
4, The user enters, through the client user interface of the operator application (MNO APP), a management operation for managing the subscription data collection in the eUICC. The client of the operator application (MNO APP) sends to the MNO portal a first management operation request (RPM/ReM) that carries the request to perform the management operation on the subscription data collection in the eUICC. The management operation can be activating a subscription data collection, deactivating a subscription data collection, deleting a subscription data collection, querying eUICC information, downloading another new subscription data collection, and so on. For details, see the application scenario shown in Figure 1A.
Specifically, after the user logs in to the operator application (MNO APP) client on the terminal, the client obtains from the MNO portal the subscription information that the user registered with the operator, and the management operation for the subscription data collection in the eUICC is entered in the client user interface according to that subscription information.
5, After the MNO portal receives the first management operation request sent by the operator application client, it uses the user's subscription information to look up the identifier ICCID of the corresponding subscription data collection (in embodiments two to five, referred to as the "target profile identifier ICCID") and the identifier EID of the eUICC in which that subscription data collection is installed (in embodiments two to five, referred to as the "target eUICC identifier EID"). The MNO portal sends a second management operation request to the signing management server. The second management operation request includes the management operation that the third-party application requests to be performed on the subscription data collection in the eUICC, and carries the target profile identifier ICCID and the target eUICC identifier EID.
Specifically, the MNO portal sends the second management operation request to SM-DP+. Optionally, if the management operation that the operator application client requests to be performed on the subscription data collection in the eUICC needs to be registered with SM-DS, the MNO portal also sends the address of the SM-DS to SM-DP+. SM-DP+ registers a management operation event for the management operation in SM-DS and generates a registered event identifier eventID.
6, Step 6 is optional. If the MNO portal has also sent the address of the SM-DS to SM-DP+, SM-DP+ registers in SM-DS a management operation event for the management operation that the operator application requests to be performed on the eUICC, and generates a registered event identifier eventID.
7, after SM-DP+ server receives the second management operation request that MNO portal is sent, then the parameter information in the second management operation request is stored.
SM-DP+ returns a request response to the MNO portal; the request response carries the target profile identifier ICCID and the target eUICC identifier EID. If in step 6 SM-DP+ registered a management operation event in SM-DS for the management operation on the eUICC and generated a registered event identifier eventID, the request response returned by SM-DP+ can also carry the registered event identifier eventID.
8, After the MNO portal receives the request response returned by SM-DP+, the MNO portal generates the first request carrying the target profile identifier ICCID and sends it to the operator application (MNO APP) in the terminal. Specifically, the MNO portal can carry the target profile identifier ICCID in a trigger request (polling trigger) message sent to the operator application (MNO APP) in the terminal. Optionally, the trigger request (polling trigger) message can also carry the target eUICC identifier EID. If SM-DP+ has registered with SM-DS the management operation that the operator application requests to be performed on the subscription data collection in the eUICC, the trigger request (polling trigger) message can also carry the registered event identifier eventID under which SM-DP+ registered the management operation in SM-DS.
9, After the operator application (MNO APP) receives the first request issued by the MNO portal, it forwards the first request to the LPA of the terminal.
10, Step 10 is optional. If the triggering request that the LPA received from the operator application (MNO APP) in step 9 includes the target eUICC identifier EID, the LPA obtains the EID of the terminal's eUICC from the eUICC.
11, Step 11 is optional. It is determined whether the eUICC identifier EID carried in the triggering request is the same as the EID of the terminal's eUICC. If they are the same, step 12 is executed.
12, The LPA requests from the eUICC the authentication information of the third-party application included in the subscription data collection corresponding to the target profile identifier ICCID. Specifically, the LPA sends a GetProfileInfo message to the eUICC, and the GetProfileInfo message carries the target profile identifier ICCID.
13, Using the target profile identifier ICCID, the eUICC looks up the corresponding subscription data collection and sends the authentication information of the third-party application in that subscription data collection to the LPA. Specifically, the eUICC uses the target profile identifier ICCID to obtain the metadata of the corresponding subscription data collection. It returns to the LPA the authentication information of the operator application (MNO APP) stored in the metadata, or it returns the metadata itself to the LPA.
14, After the LPA receives the subscription data collection information returned by the eUICC, it obtains from the operating system (Operating System, OS) of the terminal the certificate information generated when the operator application was installed on the terminal, such as the certificate and the package name.
Specifically, if the metadata of the subscription data collection returned by the eUICC includes a hash algorithm, the LPA obtains the certificate of the operator application from the operating system of the terminal and calculates the hash value of that certificate using the hash algorithm in the subscription data collection. If the certificate information generated when the operator application was installed on the terminal includes a certificate hash value, the LPA obtains that certificate hash value from the certificate information (by default, the operating system of the terminal has already hashed the operator application's certificate according to the hash algorithm in the authentication information to produce the hash value). If the metadata of the subscription data collection returned by the eUICC also includes a package name, the LPA obtains the package name of the operator application from the operating system of the terminal.
15, The LPA judges whether the authentication information of the operator application in the subscription data collection returned by the eUICC is consistent with the certificate information of the operator application that the LPA obtained from the operating system of the terminal.
Specifically, the LPA judges whether the certificate hash value of the operator application in the subscription data collection returned by the eUICC is consistent with the certificate hash value of the operator application in the operating system. Optionally, if the package name of the operator application was also obtained, the LPA judges whether the package name of the operator application in the subscription data collection returned by the eUICC is consistent with the package name of the operator application in the operating system. Optionally, the LPA further determines whether the operator application is allowed to call the API of the LPA.
16, After the verification in step 15 passes, the LPA sends a message to the eUICC requesting the address of the signing management server stored in the subscription data collection corresponding to the target profile identifier ICCID, that is, the polling address (Polling address). Specifically, the LPA sends a Get polling address message to the eUICC, and the Get polling address message carries the target profile identifier ICCID.
17, In response to the LPA's request, the eUICC returns the address of the SM-DP+ server to the LPA. Optionally, the eUICC can also return the address of the SM-DS server to the LPA.
18, If the address returned by the eUICC in step 17 is the address of the SM-DS server, the LPA and SM-DS perform mutual authentication and execute steps 18a and 18b.
18a: The LPA sends a management instruction acquisition (retrieve RPM/ReM) request to SM-DS; the request carries the target eUICC identifier EID. Specifically, the management instruction acquisition request can be an authenticate client (AuthenticateClient) request.
Optionally, if SM-DP+ has registered with SM-DS the management operation that the operator application requests to be performed on the subscription data collection in the eUICC, the management instruction acquisition (retrieve RPM/ReM) request can also carry the registered event identifier eventID under which SM-DP+ registered the management operation in SM-DS.
18b: SM-DS looks up the corresponding registered event using the target eUICC identifier EID or the registered event identifier eventID, and returns the registered event record (event record) for that event. The registered event record carries the eventID and the address of SM-DP+.
When the target eUICC identifier EID corresponds to multiple registered events in the SM-DS server, the registered event information can be obtained directly using the registered event identifier eventID.
19, The LPA sends a management instruction acquisition (retrieve RPM/ReM) request to SM-DP+. The request carries the target eUICC identifier EID. Optionally, the request also carries the registered event identifier eventID. Specifically, the management instruction acquisition request can be an authenticate client (AuthenticateClient) request.
20, SM-DP+ returns the management instruction to the LPA, so that the LPA executes the management operation on the subscription data collection in the eUICC according to the management instruction.
In the technical solution of this embodiment, the user can use the MNO APP to directly manage the downloaded subscription data collection of the Mobile Network Operator, which improves the consistency of the user experience. At the same time, the profile metadata is used to apply access control both to the MNO APP's access to the LPA APIs and to the MNO APP's management of profiles, which ensures the security of profile management by the MNO APP.
Embodiment three
As shown in figure 4, the network element entities involved in embodiment three include the terminal, the portal server of the mobile network operator (MNO portal) and the signing management server. Specifically, the terminal includes the eUICC, the LPA and the operator application (MNO APP) installed in the terminal. The signing management server includes the SM-DP+ server and the SM-DS server. The eUICC in the terminal determines whether the operator application (MNO APP) in the terminal has permission to perform a management operation on the subscription data collection in the terminal.
Steps 1-11 in embodiment three are similar to steps 1-11 in embodiment two and, for brevity, are not described again here.
12. The LPA obtains from the operating system (Operating System, OS) of the terminal the certificate information generated when the operator application was installed on the terminal, such as the certificate and the package name.
13. The LPA sends the certificate information of the operator application and the target profile identifier ICCID to the eUICC.
Specifically, the LPA sends a request to authenticate the MNO App (authenticateApp) to the eUICC; the request carries the target profile identifier ICCID and the certificate of the MNO App. Optionally, the request also carries certificate information such as the package name and the LPA API that the MNO APP requests to access.
14. According to the target profile identifier ICCID, the eUICC looks up the authentication information of the operator application in the subscription data collection corresponding to that ICCID. Specifically, the eUICC obtains, according to the target profile identifier ICCID, the metadata (metadata) of the corresponding subscription data collection.
If the metadata includes a hash algorithm and the certificate information sent by the LPA includes the operator application's certificate, the eUICC calculates the hash value hash(Cert) of the operator application's certificate according to the hash algorithm. If the MNO APP certificate that the LPA sent to the eUICC is already a certificate hash value produced by a hash operation, the eUICC uses that hash value hash(Cert) directly.
15. The eUICC judges whether the authentication information of the operator application in the subscription data collection is consistent with the certificate information of the operator application that the LPA obtained from the terminal's operating system.
Specifically, it judges whether the certificate hash value of the operator application in the subscription data collection is consistent with the certificate hash value of the operator application in the operating system. Optionally, if both the authentication information and the certificate information contain a package name, it further judges whether the package name of the operator application in the subscription data collection returned by the eUICC is consistent with the package name of the operator application in the operating system. Optionally, it further determines whether the operator application is allowed to call the API of the LPA.
16. After the verification in step 15 passes, the eUICC returns a response message to the LPA. The response message carries the address of the signing management server side where the subscription data collection corresponding to the target profile identifier ICCID is stored, i.e. the polling address (Polling address).
Specifically, if the subscription data collection corresponding to the target profile identifier ICCID is stored in the SM-DP+ server, the eUICC returns the address of the SM-DP+ server. Optionally, the eUICC can also return the address of the SM-DS server to the LPA.
17. If the address returned by the eUICC in step 16 is the address of the SM-DS server, the LPA and the SM-DS perform mutual authentication and steps 17a and 17b are executed.
17a: The LPA sends a management instruction acquisition (retrieve RPM/ReM) request to the SM-DS; the request carries the target eUICC identifier EID. Specifically, it can be an authenticate client (AuthenticateClient) request.
Optionally, if the SM-DP+ has registered with the SM-DS the management operation that the operator application requests to perform on the subscription data collection in the eUICC, the management instruction acquisition (retrieve RPM/ReM) request can also carry the registered event identifier eventID under which the SM-DP+ registered the management operation in the SM-DS.
17b: The SM-DS looks up the corresponding registered event according to the target eUICC identifier EID or the registered event identifier eventID, and returns the registered event record (event record) of that event. The registered event record carries the eventID and the address of the SM-DP+.
When the target eUICC identifier EID corresponds to multiple registered events in the SM-DS server, the information of the registered event concerned can be obtained directly according to the registered event identifier eventID.
18. The LPA sends a management instruction acquisition (retrieve RPM/ReM) request to the SM-DP+. The request carries the target eUICC identifier EID and, optionally, the registered event identifier eventID.
19. The SM-DP+ returns the management instruction to the LPA, so that the LPA performs the management operation on the subscription data collection in the eUICC according to the management instruction.
In the technical scheme of this embodiment, the user can use the MNO APP to directly manage the downloaded subscription data collection of the mobile network operator, which improves the consistency of the user experience. At the same time, the profile metadata is used for access control over the MNO APP's access to the LPA API and over the MNO APP's management of the profile, which ensures the security of profile management by the MNO APP. Because the eUICC verifies the APP's permission, performing this access control in the eUICC further improves the security of the system.
In embodiment one, step 107, in which the terminal performs the management operation on the subscription data collection, has a variety of specific implementations. Besides requesting the management instruction from the SM-DP+ server as in embodiments two and three, the management instruction can also be issued directly by the MNO portal to the terminal LPA. This application does not specifically limit the implementation of step 107. The method flow in which the MNO portal issues the management instruction directly to the terminal LPA is described below through embodiment four and embodiment five.
Embodiment four
As shown in figure 5, the network element entities involved in embodiment four include the terminal, the portal server of the mobile network operator (MNO portal) and the signing management server. Specifically, the terminal includes the eUICC, the LPA and the operator application (MNO APP) installed in the terminal. The signing management server includes the SM-DP+ server. The LPA in the terminal determines whether the operator application (MNO APP) in the terminal has permission to perform a management operation on the subscription data collection in the terminal.
The difference between embodiment four and embodiment two is that the subscription data collection that the MNO portal presets in the SM-DP+ stores, in addition to the certificate hash value of the operator application, the management operations that the operator application is allowed to perform. When the operator application sends a management request to the MNO portal, the MNO portal verifies whether the requested management operation is one that the operator application is allowed to perform. If it is, the MNO portal returns the management operation directly to the terminal so that the LPA performs it. After verification passes, the LPA does not need to send a further message to request the management instruction.
In this embodiment, the LPA of the terminal determines whether the operator application (MNO APP) in the terminal has permission to perform a management operation on the subscription data collection in the terminal.
The specific signalling exchange process is as follows:
1. The mobile network operator (MNO) develops an operator application (MNO APP) to be installed on the terminal. When the operator application is installed on the terminal, the terminal stores the certificate information of the operator application, such as the certificate and the package name. So that the user can manage the profile in the terminal's eUICC directly through the operator application, the mobile network operator (MNO) stores the authentication information of the application in the metadata of the subscription data collection when it customizes the subscription data collection in the SM-DP+ in advance through the MNO portal server.
The authentication information of the operator application includes the hash value of the operator application's certificate and the management operations that the operator application is allowed to perform. Optionally, the authentication information can also include the hash algorithm of the certificate, the package name (package name) of the operator application, and so on.
2. After the terminal has downloaded the subscription data collection of the mobile network operator from the SM-DP+, the authentication information of the application developed by that operator is downloaded to the terminal together with the subscription data collection. Specifically, the authentication information of the operator application can be stored in the metadata of the subscription data collection. After the subscription data collection is downloaded into the eUICC of the terminal, its metadata can be stored in the security domain (ISD-P) that the eUICC creates for the subscription data collection.
When the terminal has finished downloading the subscription data collection of the mobile network operator, the terminal's download record for the subscription data collection can be stored in the MNO portal server of the mobile network operator. Specifically, the download record may include the identifier ICCID of the downloaded subscription data collection, the identifier EID of the eUICC that downloaded it, and so on.
3. The user opens the operator application (MNO APP) client on the terminal and logs in to the MNO portal.
4. The user enters, in the client user interface of the operator application (MNO APP), a management operation for managing the subscription data collection in the eUICC. The operator application (MNO APP) client sends to the MNO portal a first management operation request (RPM/ReM) that requests the management operation on the subscription data collection in the eUICC. The management operation can be activating a subscription data collection, deactivating a subscription data collection, deleting a subscription data collection, querying eUICC information, downloading another new subscription data collection, and so on. For details, see the application scenarios shown in Figure 1A. Specifically, after the user registers in the operator application (MNO APP) client on the terminal, the client obtains from the MNO portal the subscription information that the user registered with the operator, and the management operation for the subscription data collection in the eUICC is entered in the client user interface according to that subscription information.
5. After the MNO portal receives the first management operation request sent by the operator application client, it determines whether the management operation carried in the request message is one that the operator application is allowed to perform.
If it is, the MNO portal looks up the identifier ICCID of the corresponding subscription data collection (referred to as the "target profile identifier ICCID") according to the user's subscription information, and returns a first request to the terminal.
The first request carries the target profile identifier ICCID and either the allowed management operation requested by the MNO APP or an allowed management operation generated by the MNO portal.
Optionally, the first request also carries the target eUICC identifier EID.
Optionally, the MNO portal signs the above information sent to the MNO App. In that case the first request sent to the operator application in the terminal also carries the MNO portal's signature and the portal's certificate.
6. The MNO App calls the API of the LPA and sends the first request received in step 5 to the LPA.
7. Step 7 is optional. If the first request forwarded by the MNO APP and received by the LPA in step 6 includes the target eUICC identifier EID, the LPA obtains the EID of the terminal eUICC from the eUICC.
8. Step 8 is optional. If the LPA received the eUICC identifier EID forwarded by the MNO APP in step 10, and the LPA has obtained the EID of the terminal eUICC from the eUICC, the LPA determines whether the target eUICC identifier EID and the EID of the terminal eUICC are identical. If they are identical, step 9 is executed.
9. Step 9 is optional. If the first request forwarded by the MNO APP and received by the LPA in step 6 includes the MNO portal's signature over the above information sent to the MNO App, the LPA verifies whether the signature is correct. If the signature is correct, step 10 is executed.
Optionally, if the signature is correct, the UI of the LPA further prompts the user whether to allow the LPA to perform the management operation on the eUICC. If the user confirms that the LPA is allowed to perform the management operation on the eUICC, step 10 is executed.
10. The LPA sends the target profile identifier ICCID to the eUICC of the terminal, in order to obtain the authentication information of the third-party application contained in the subscription data collection corresponding to that ICCID. Specifically, the LPA sends a GetProfileInfo message to the eUICC; the GetProfileInfo message carries the target profile identifier ICCID.
11. According to the target profile identifier ICCID, the eUICC looks up the corresponding subscription data collection and sends the authentication information of the third-party application in that subscription data collection to the LPA. Specifically, the eUICC obtains, according to the target profile identifier ICCID, the metadata of the corresponding subscription data collection, and returns to the LPA either the authentication information of the operator application (MNO APP) stored in the metadata or the metadata itself.
12. After the LPA receives the subscription data collection information returned by the eUICC, it obtains from the operating system (Operating System, OS) of the terminal the certificate information generated when the operator application was installed on the terminal, such as the certificate and the package name.
Specifically, if the metadata of the subscription data collection returned by the eUICC includes a hash algorithm, the LPA obtains the certificate of the operator application from the terminal's operating system and calculates the hash value of that certificate using the hash algorithm in the subscription data collection. If the certificate information generated when the operator application was installed on the terminal includes a certificate hash value, the LPA obtains that certificate hash value from the certificate information. (By default, the terminal's operating system has already hashed the operator application's certificate with the hash algorithm in the authentication information to produce the hash value.) If the metadata of the subscription data collection returned by the eUICC also includes a package name, the LPA obtains the package name of the operator application from the terminal's operating system.
13. The LPA judges whether the authentication information of the operator application in the subscription data collection returned by the eUICC is consistent with the certificate information of the operator application that the LPA obtained from the terminal's operating system.
Specifically, it judges whether the certificate hash value of the operator application in the subscription data collection returned by the eUICC is consistent with the certificate hash value of the operator application in the operating system. Optionally, if the package name of the operator application was also obtained, it judges whether the package name of the operator application in the subscription data collection returned by the eUICC is consistent with the package name of the operator application in the operating system. Optionally, it further determines whether the operator application is allowed to perform the management operation in step 6.
14. If the verification in step 13 passes, the LPA sends the first request to the eUICC. The first request carries the management operation from step 6 and the target profile identifier ICCID.
15. The eUICC returns the execution result of the management operation.
Specifically, if the management operation instruction is to edit the eUICC, the returned result includes relevant information of the eUICC, such as the free memory.
16. The LPA returns the execution result of the management operation to the MNO APP.
17. The MNO App returns the execution result of the management operation to the MNO portal.
Through this embodiment, the operator can manage the profile directly using the MNO APP without going through the SM-DP+ and SM-DS, which shortens the whole flow and improves the user experience.
Embodiment five
As shown in figure 6, the network element entities involved in embodiment five include the terminal, the portal server of the mobile network operator (MNO portal) and the signing management server. Specifically, the terminal includes the eUICC, the LPA and the operator application (MNO APP) installed in the terminal. The signing management server includes the SM-DP+ server. The LPA in the terminal determines whether the operator application (MNO APP) in the terminal has permission to perform a management operation on the subscription data collection in the terminal.
The difference between this embodiment and embodiment four is that the eUICC of the terminal determines whether the operator application (MNO APP) in the terminal has permission to perform a management operation on the subscription data collection in the terminal.
The specific signalling exchange process is as follows:
Steps 1-8 in this embodiment are similar to steps 1-8 in embodiment four and, for brevity, are not repeated here.
9. Step 9 is optional. The UI of the LPA prompts the user whether to allow the LPA to perform the management operation on the eUICC. If the user confirms that the LPA is allowed to perform the management operation on the eUICC, step 10 is executed.
10. The LPA sends the first request to the eUICC. The first request carries the management operation from step 6, the certificate information of the operator application and the target profile identifier ICCID.
11. According to the target profile identifier ICCID, the eUICC obtains the metadata of the subscription data collection corresponding to that ICCID.
Specifically, the eUICC obtains, according to the target profile identifier ICCID, the metadata of the corresponding subscription data collection.
Specifically, if the metadata of the subscription data collection includes a hash algorithm, the eUICC calculates the hash value of the operator application's certificate using the hash algorithm in the subscription data collection. If the certificate information of the operator application forwarded by the LPA includes a certificate hash value, the eUICC takes that certificate hash value from the certificate information directly.
Optionally, if the first request received by the eUICC includes the signature of the MNO portal, the eUICC verifies whether the signature is correct. Only if the signature is correct does it obtain, according to the target profile identifier ICCID, the subscription data collection corresponding to that ICCID.
12. The eUICC determines whether the authentication information of the operator application in the subscription data collection is consistent with the certificate information of the operator application sent by the LPA.
Specifically, it judges whether the certificate hash value of the operator application in the subscription data collection is consistent with the certificate hash value of the operator application. Optionally, if the package name of the operator application was also obtained, it judges whether the package name of the operator application in the subscription data collection is consistent with the package name of the operator application.
If the authentication information of the operator application in the subscription data collection is verified to be consistent with the certificate information of the operator application sent by the LPA, the eUICC executes the management operation in step 10.
Optionally, after verifying whether the authentication information of the operator application in the subscription data collection is consistent with the certificate information of the operator application sent by the LPA, the eUICC further determines whether the operator application is allowed to perform the management operation in step 10. If the verification passes and the operator application is allowed to perform the management operation in step 10, the eUICC executes the management operation in step 10.
13. The eUICC returns the execution result of the management operation.
Specifically, if the management operation instruction is to edit the eUICC, the returned result includes relevant information of the eUICC, such as the free memory.
14. The LPA returns the execution result of the management operation to the MNO APP.
15. The MNO App returns the execution result of the management operation to the MNO portal.
Through this embodiment, the operator can manage the profile directly using the MNO APP without going through the SM-DP+ and SM-DS, which shortens the whole flow and improves the user experience. Having the eUICC perform access control over the MNO APP's access to the LPA API and over the MNO APP's management of the profile further improves security.
In the above embodiments, the entity that authenticates the MNO APP's permission to manage the profile is the terminal. In another embodiment, that entity can also be the signing management server.
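The certificate-hash check that embodiments three to five assign to the LPA or the eUICC can be sketched as follows. This is an added example, not code from the patent; the data structures, the operation names, the hash allow-list and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Assumption: the patent only says the metadata may name "a hash algorithm";
# this example accepts a fixed allow-list and rejects anything else.
HASHES = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}


@dataclass(frozen=True)
class AuthInfo:
    """Authentication information of the operator app, held in profile metadata."""
    cert_hash: bytes                          # hash of the app's certificate
    hash_alg: str = "sha256"                  # optional in the patent
    package_name: Optional[str] = None        # optional in the patent
    allowed_ops: Optional[frozenset] = None   # embodiment four; None = not listed


@dataclass(frozen=True)
class CertInfo:
    """Certificate information the LPA reads from the terminal OS."""
    cert: Optional[bytes] = None        # raw certificate, if the OS provides it
    cert_hash: Optional[bytes] = None   # or a hash the OS already computed
    package_name: Optional[str] = None


def authorize(metadata: dict, iccid: str, app: CertInfo, operation: str):
    """Return (allowed, reason) for one management request on one profile."""
    auth = metadata.get(iccid)
    if auth is None:
        return False, "unknown ICCID"
    hasher = HASHES.get(auth.hash_alg.lower())
    if hasher is None:
        return False, "unsupported hash algorithm"
    # Prefer hashing the raw certificate; fall back to the OS-supplied hash.
    if app.cert is not None:
        presented = hasher(app.cert).digest()
    elif app.cert_hash is not None:
        presented = app.cert_hash
    else:
        return False, "no certificate information"
    # Constant-time comparison of the two hash values.
    if not hmac.compare_digest(presented, auth.cert_hash):
        return False, "certificate hash mismatch"
    # Choice made in this example: a package name pinned in the metadata must
    # be matched, so a request that carries none fails closed.
    if auth.package_name is not None and app.package_name != auth.package_name:
        return False, "package name mismatch"
    # Allowed-operation list as stored in the metadata in embodiment four.
    if auth.allowed_ops is not None and operation not in auth.allowed_ops:
        return False, "operation not allowed"
    return True, "ok"


# Constructed sample data: placeholder certificate bytes, ICCID and names.
MNO_CERT = b"constructed-certificate-bytes-of-mno-app"
OTHER_CERT = b"constructed-certificate-bytes-of-other-app"
ICCID = "8900000000000000001"  # placeholder, not a real ICCID
METADATA = {
    ICCID: AuthInfo(
        cert_hash=hashlib.sha256(MNO_CERT).digest(),
        package_name="com.example.mnoapp",
        allowed_ops=frozenset({"enable", "disable", "query_info"}),
    )
}

if __name__ == "__main__":
    good = CertInfo(cert=MNO_CERT, package_name="com.example.mnoapp")
    spoof = CertInfo(cert=OTHER_CERT, package_name="com.example.mnoapp")
    for app, op in [(good, "enable"), (good, "delete"), (spoof, "enable")]:
        print(op, authorize(METADATA, ICCID, app, op))
```

When the caller supplies only a precomputed hash, the check trusts whoever produced that hash, which in the flows above is the terminal operating system by way of the LPA.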
Embodiment six
An embodiment of the present invention provides another management method for a subscription data collection. As shown in figure 7, a subscription data collection has been downloaded in advance into the eUICC of the terminal, and the access authority for the LPA application interface has been pre-configured in the terminal. The method comprises the following steps:
201. The third-party application of the terminal sends a first management operation request to the third-party application server.
The first management operation request includes the management operation that the third-party application requests to perform on the subscription data in the eUICC.
202. The third-party application server sends a second management operation request to the signing management server. The second management operation request includes the management operation that the third-party application requests to perform on the subscription data, the subscription data collection identifier ICCID, the terminal eUICC identifier EID and the authentication information of the third-party application.
In another embodiment, step 201 can be omitted and step 202 executed directly.
That is, the third-party application server generates the second management operation request automatically and sends it to the signing management server, without the third-party application in the terminal sending a first management operation request.
203. The third-party application server receives the management request response returned by the signing management server; the response includes the subscription data collection identifier ICCID and the terminal eUICC identifier EID.
The third-party application server sends the identifier ICCID of the subscription data collection in the terminal to the terminal.
Optionally, the third-party application server can also send the terminal eUICC identifier EID to the terminal.
204. The terminal obtains the certificate information of the third-party application pre-stored in the terminal, and determines according to that certificate information whether the third-party application has permission to call the terminal LPA application interface. If the third-party application has permission to call the terminal LPA application interface, step 205 is executed.
205. The terminal sends a management instruction acquisition request to the signing management server; the request carries the terminal eUICC identifier EID and the certificate information of the third-party application pre-stored in the terminal.
206. The signing management server verifies whether the third-party application in the terminal has permission to perform the management operation on the subscription data collection in the terminal eUICC. If the verification passes, step 207 is executed.
207. The terminal receives the management instruction returned by the signing management server, and performs the management operation on the subscription data collection in the terminal eUICC according to the management instruction.
In the embodiment of the present invention, using the existing eUICC system architecture of the terminal and without adding any additional application module, the subscription data collection in the eUICC is managed through a third-party application, which adds a management entrance for the subscription data collection in the eUICC. Placing the authorization verification of the MNO APP on the network side further reduces the complexity of the method flow and simplifies the authentication operations on the terminal side.
Two specific embodiments are described in detail below. It is assumed that the third-party application is an operator application (MNO APP) developed by the operator and installed in the terminal.
Embodiment seven
As shown in figure 8, the network element entities involved in embodiment seven include the terminal, the portal server of the mobile network operator (MNO portal) and the signing management server. Specifically, the terminal includes the eUICC, the LPA and the operator application (MNO APP) installed in the terminal. The eUICC in the terminal has downloaded a subscription data collection in advance. The signing management server includes the SM-DP+ server and the SM-DS server. The signing management server determines whether the operator application (MNO APP) in the terminal has permission to perform a management operation on the subscription data collection in the terminal. The specific signalling exchange process is as follows:
0. The access authority for third-party applications to call the LPA application interface is configured in the LPA of the terminal. For example, a third-party application is allowed to call the application interface of the LPA when the root certificate of its certificate is the GSMA CI certificate.
Optionally, the access authority for third-party applications to call the LPA application interface can also be configured in the eUICC of the terminal, in which case the LPA obtains it from the eUICC.
1. The mobile network operator (MNO) develops an operator application (MNO APP) to be installed on the terminal. When the operator application is installed on the terminal, the terminal stores the certificate information of the operator application, such as the certificate and the package name.
The user opens the operator application (MNO APP) client on the terminal and logs in to the MNO portal.
2. The user enters, in the client user interface of the operator application (MNO APP), a management operation for managing the subscription data collection in the eUICC. The operator application (MNO APP) client sends to the MNO portal a request message (i.e. the first management operation request) that requests the management operation on the subscription data collection in the eUICC. The management operation can be activating a subscription data collection, deactivating a subscription data collection, deleting a subscription data collection, querying eUICC information, downloading another new subscription data collection, and so on.
Specifically, after the user registers in the operator application (MNO APP) client on the terminal, the client obtains the subscription information that the user registered with the operator, and the management operation for the subscription data collection in the eUICC is entered in the client user interface according to that subscription information.
3. After the MNO portal receives the first management operation request, it looks up the identifier ICCID of the subscription data collection that the terminal has downloaded, the identifier EID of the eUICC into which the terminal downloaded the subscription data collection, and the authentication information of the operator application. It then generates a second management operation request and sends it to the SM-DP+ server. The second management operation request carries the subscription data collection identifier ICCID, the terminal eUICC identifier EID, the authentication information of the operator application and the management operation that the operator application requests to perform on the subscription data collection in the eUICC.
The authentication information of the operator application includes the certificate hash value. Optionally, it can also include the package name of the operator application, the hash algorithm, and so on.
4. Step 4 is optional. The SM-DP+ sends the terminal eUICC identifier EID and the authentication information of the operator application to the SM-DS.
If the MNO portal also sent the address of the SM-DS to the SM-DP+, the SM-DP+ registers in the SM-DS a management operation event for the management operation that the operator application requests to perform on the eUICC, and a registered event identifier eventID is generated. After the SM-DS generates the registered event identifier eventID, it sends the eventID to the SM-DP+.
5. After the SM-DP+ server receives the second management operation request sent by the MNO portal, it stores the information carried in the second management operation request.
The SM-DP+ returns a request response to the MNO portal; the request response carries the subscription data collection identifier ICCID and the terminal eUICC identifier EID.
Optionally, if the SM-DP+ has registered in the SM-DS a management operation event for the management operation that the operator application requests to perform on the eUICC, the request response returned by the SM-DP+ can also include the registered event identifier eventID.
6. After the MNO portal receives the request response returned by the SM-DP+, it sends a trigger request to the MNO APP in the terminal. The trigger request (polling trigger) message carries the subscription data collection identifier ICCID.
Optionally, the trigger request (polling trigger) message can also carry one or more of the following parameters: the terminal eUICC identifier EID, the registered event identifier eventID and the hash algorithm.
7, after operator receives the triggering request that MNO portal is issued using (MNO APP), forward the triggering request to the LPA of terminal.
8, LPA obtains the certificate of MNO APP from operating system, confirms whether the MNO APP has the access authority for calling LPA application interface.For example, confirmation MNO APP certificate root certificate whether be GSMA CI certificate, if it is allow the MNO APP call LPA application interface.
9, step 9 is optional step.If LPA receives the mark EID in the triggering request that operator's application (MNO APP) is sent including terminal eUICC, then LPA is obtained from eUICC in step 7
The EID of terminal eUICC is identified.
10, step 10 is optional step.It is identical to determine that the EID for the eUICC that the terminal eUICC mark EID and LPA in triggering request is obtained from eUICC is identified whether.If the same step 11 is executed.
11, LPA sends the message for carrying the mark ICCID of subscription data collection, the address of the centrally stored signing management server of the corresponding subscription data of mark ICCID of request subscription data collection to eUICC.
If 12, the corresponding subscription data collection of the mark ICCID of subscription data collection is stored in SM-DP+ server, eUICC returns to the address of SM-DP+ server.If the corresponding subscription data collection of the mark ICCID of subscription data collection is stored in SM-DS server, eUICC returns to the address of SM-DS server.
If the address that eUICC is returned is the address of SM-DS server 13, in step 12, step 13 and 14 is executed.If the address that eUICC is returned is the address of SM-DP+ server, step 16. is directly executed
The LPA sends a request message for obtaining the registered event (retrieve event) to the SM-DS, asking it to look up the registered event corresponding to the EID of the terminal's eUICC. The retrieve event request message carries the EID of the terminal's eUICC and the certificate information of the MNO APP.
Optionally, the retrieve event request message can also carry the registered event identifier eventID.
Optionally, the retrieve event request message can also carry the package name of the MNO APP.
Optionally, the certificate information of the MNO APP can be the certificate of the MNO APP itself, or the hash value that the terminal obtains by hashing the MNO APP's certificate with the hash algorithm carried in the trigger request of step 7.
14. After the SM-DS receives the retrieve event request message, it looks up the corresponding registered event record (event record) according to the EID of the terminal's eUICC or the registered event identifier eventID.
It then determines whether the hash value of the certificate carried in the retrieve event request message is identical to the hash value in the registered event record. If the retrieve event request message carries the certificate itself, the SM-DS must first hash the certificate and then compare the computed hash value with the hash value in the registered event record.
Optionally, if the retrieve event request message also carries the package name of the MNO APP, the SM-DS determines whether the package name carried in the request message is identical to the package name in the registered event record.
15. If the verification in step 14 finds them identical, the SM-DS returns the eventID and the SM-DP+ address corresponding to the registered event record to the LPA of the terminal.
16. Using the SM-DP+ address returned in step 14 or the SM-DP+ address sent by the eUICC in step 12, the terminal sends a management instruction retrieval (retrieve RPM/ReM) request to the corresponding SM-DP+ server to request the management instruction.
The retrieve RPM/ReM request carries the EID of the terminal's eUICC and the certificate of the MNO APP.
Optionally, the retrieve RPM/ReM request can also carry the registered event identifier eventID.
Optionally, the retrieve RPM/ReM request can also carry the package name of the MNO APP.
17. After the SM-DP+ receives the retrieve RPM/ReM request, it looks up the corresponding management request according to the EID of the terminal's eUICC or the registered event identifier eventID. The management request is the second management operation request that the SM-DP+ received in step 3.
It then determines whether the hash value of the certificate carried in the retrieve RPM/ReM request is identical to the certificate hash value carried in the second management operation request. If the retrieve RPM/ReM request carries the certificate itself, the SM-DP+ must first hash the certificate and then compare the computed hash value with the hash value carried in the second management operation request.
Optionally, if the retrieve RPM/ReM request also carries the package name of the MNO APP, the SM-DP+ determines whether the package name carried in the retrieve RPM/ReM request is identical to the package name in the second management operation request.
18. If the verification in step 17 finds them identical, the SM-DP+ returns the management instruction corresponding to the second management operation request to the LPA, so that the LPA performs the management operation on the subscription data collection in the eUICC according to the management instruction.
In the technical solution of this embodiment, authorization information for the MNO APP does not need to be preset in the profile in advance, which broadens the range of application. At the same time, the authorization of the MNO APP is verified on the network side, which further reduces the complexity of the method flow and simplifies the authentication operation on the terminal side.
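The network-side check in steps 5 and 16 to 18 of embodiment seven, sketched in Python as an added example that is not part of the patent text. Class and field names, the placeholder identifiers, the operation name `DISABLE`, the hash allowlist and the two stricter checks marked in comments are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Assumption: the page names no specific hash algorithm, so an allowlist is used.
ALLOWED_HASHES = {"sha256", "sha384", "sha512"}


@dataclass(frozen=True)
class SecondManagementRequest:
    """Sent by the MNO portal to the SM-DP+ in step 3 (hypothetical field names)."""
    iccid: str
    eid: str
    operation: str                   # management operation requested by the operator app
    cert_hash: bytes                 # authentication information: certificate hash value
    hash_alg: str = "sha256"
    package_name: Optional[str] = None
    event_id: Optional[str] = None   # present when an event was registered in the SM-DS


@dataclass(frozen=True)
class RetrieveRequest:
    """Sent by the LPA in step 16, retrieve RPM/ReM (hypothetical field names)."""
    eid: str
    cert_info: bytes                 # the certificate itself, or its hash value
    cert_info_is_hash: bool
    package_name: Optional[str] = None
    event_id: Optional[str] = None


class SmDpPlus:
    def __init__(self) -> None:
        self.by_eid: Dict[str, SecondManagementRequest] = {}
        self.by_event: Dict[str, SecondManagementRequest] = {}

    def store(self, req: SecondManagementRequest) -> None:
        """Step 5: keep the request so that step 17 can verify against it."""
        if req.hash_alg not in ALLOWED_HASHES:
            raise ValueError("unsupported hash algorithm")
        self.by_eid[req.eid] = req
        if req.event_id is not None:
            self.by_event[req.event_id] = req

    def authorize(self, rr: RetrieveRequest) -> Optional[str]:
        """Steps 17-18: return the management instruction, or None if refused."""
        # Look up by eventID when one is carried, otherwise by EID.
        if rr.event_id is not None:
            stored = self.by_event.get(rr.event_id)
        else:
            stored = self.by_eid.get(rr.eid)
        if stored is None:
            return None
        # Added defensive check (not stated on the page): an eventID must not
        # release a request that was registered for a different eUICC.
        if stored.eid != rr.eid:
            return None
        # If the certificate itself was sent, hash it first, then compare.
        if rr.cert_info_is_hash:
            presented = rr.cert_info
        else:
            presented = hashlib.new(stored.hash_alg, rr.cert_info).digest()
        if not hmac.compare_digest(presented, stored.cert_hash):
            return None
        # Package name comparison. Stricter than the page: when the stored
        # request has a package name, the retrieve request must carry the same one.
        if stored.package_name is not None and rr.package_name != stored.package_name:
            return None
        return stored.operation


def demo() -> Dict[str, Optional[str]]:
    """Run constructed requests through the check and collect the outcomes."""
    cert = b"constructed stand-in for the MNO APP certificate bytes"
    other = b"constructed certificate of some other app"
    pkg = "com.example.mnoapp"       # constructed package name
    dp = SmDpPlus()
    dp.store(SecondManagementRequest(
        iccid="ICCID-PLACEHOLDER", eid="EID-PLACEHOLDER-A", operation="DISABLE",
        cert_hash=hashlib.sha256(cert).digest(), package_name=pkg, event_id="event-1"))
    a = "EID-PLACEHOLDER-A"
    b = "EID-PLACEHOLDER-B"
    return {
        "raw_cert": dp.authorize(RetrieveRequest(a, cert, False, pkg)),
        "hash": dp.authorize(RetrieveRequest(a, hashlib.sha256(cert).digest(), True, pkg)),
        "other_cert": dp.authorize(RetrieveRequest(a, other, False, pkg)),
        "wrong_pkg": dp.authorize(RetrieveRequest(a, cert, False, "com.example.other")),
        "unknown_eid": dp.authorize(RetrieveRequest(b, cert, False, pkg)),
        "event_wrong_eid": dp.authorize(RetrieveRequest(b, cert, False, pkg, "event-1")),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The same lookup-then-compare logic applies to the SM-DS check in step 14, with the registered event record in place of the stored second management operation request.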
Embodiment eight
As shown in Figure 9, the network elements involved in embodiment eight include the terminal, the portal server of the mobile network operator (MNO portal), and the signing management server. Specifically, the terminal includes an eUICC, an LPA, and an operator application (MNO APP) installed in the terminal. The eUICC in the terminal has downloaded the subscription data collection in advance. The signing management server includes an SM-DP+ server and an SM-DS server. The signing management server determines whether the operator application (MNO APP) in the terminal has permission to perform a management operation on the subscription data collection in the terminal.
Embodiment eight differs from embodiment seven in that, when the terminal verifies the third-party application's access rights to call the LPA application interface, the verification is performed by the eUICC of the terminal.
The specific signaling interaction is as follows:
As shown in Figure 9, steps 8-14 of embodiment eight differ from embodiment seven. For the remaining steps, refer to the description of the similar steps in embodiment seven, which is not repeated here for brevity.
8. The LPA obtains the certificate of the MNO APP from the operating system. Optionally, the LPA can also obtain the package name of the MNO APP from the operating system.
9. Step 9 is optional. If the trigger request that the LPA receives from the operator application (MNO APP) in step 7 includes the EID of the terminal's eUICC, the LPA obtains the EID of the terminal's eUICC from the eUICC.
10. Step 10 is optional. It is determined whether the EID of the terminal's eUICC in the trigger request is identical to the EID that the LPA obtained from the eUICC. If they are identical, step 11 is executed.
11. The LPA sends the certificate of the MNO APP to the eUICC and requests the eUICC to verify it.
12. The eUICC confirms whether the MNO APP has access rights to call the LPA application interface. For example, it confirms whether the root certificate of the MNO APP's certificate is a GSMA CI certificate; if so, the MNO APP is allowed to call the LPA application interface. If the verification passes, step 13 is executed.
13. The eUICC sends the LPA a message indicating that the verification in step 12 passed, so that the LPA, on the basis of that message, sends a message carrying the ICCID of the subscription data collection, requesting the address of the signing management server stored in the subscription data collection that corresponds to that ICCID.
In the technical solution of this embodiment, the eUICC verifies whether the third-party application has access rights to call the LPA application interface, which gives higher security.
In addition, the embodiment of the present invention provides a kind of terminal, which is used to execute step performed by the terminal in the management method of the above subscription data collection.Terminal provided by the embodiments of the present application may include module corresponding to corresponding steps.
The embodiments of the present application can divide the terminal into functional modules according to the above method examples. For example, each functional module can correspond to one function, or two or more functions can be integrated in one processing module. The integrated module can be implemented in hardware or as a software functional module. The division of modules in the embodiments of the present application is schematic and is only a logical functional division; other divisions are possible in actual implementation.
In the case of an integrated unit, Figure 10 shows a possible structural schematic diagram of the terminal involved in the above embodiments. As shown in Figure 10, the terminal includes a processor 701, a memory 702, an integrated circuit card eUICC 703, a system bus 704, and a transceiver 705. The processor 701 executes the method steps shown in Fig. 2 to Fig. 6; the eUICC 703 stores the subscription data collection downloaded to the terminal. The terminal interacts with other devices, such as the signing management server and the third-party application server, through the transceiver 705.
In the application specific embodiment, memory 702 may include volatile memory, such as NVRAM (Nonvolatile Random Access Memory, non-volatile dynamic random access memory), PRAM (Phase Change RAM, phase change random access memory), MRAM (Magnetic Random Access Memory, magnetic-resistance random access memory) etc.;Memory 702 can also include nonvolatile memory, a for example, at least disk memory, EEPROM (Electrically Erasable Programmable Read-Only Memory, Electrical Erasable programmable read only memory), flush memory device, such as anti-or flash memory (NOR flash memory) or anti-and flash memory (NAND flash memory).Nonvolatile storage stores operating system and application program performed by processor.Processor 701 is stored in mass storage from nonvolatile storage load operating program and data to memory and by data content.
One or more processors 701 are the control center of the terminal. The processor 701 uses various interfaces and connections to link the various parts of the entire terminal and, by running or executing the software programs and/or application modules stored in memory 172 and calling the data stored in memory 702, performs the various functions of the terminal and processes data, thereby monitoring the terminal as a whole.
Processor 701 can only include CPU, be also possible to the combination of CPU, GPU (Graphic Processing Unit, image processor), DSP and the control chip (such as baseband chip) in communication unit.In the application embodiment, CPU can be single operation core, also may include multioperation core.
System bus 704 can be ISA (Industry Standard Architecture, industry standard architecture) bus, PCI (Peripheral Component Interconnect, external equipment interconnection) bus or EISA (Extended Industry Standard Architecture, extended industry-standard architecture) bus etc..The system bus 704 can be divided into address bus, data/address bus, control bus etc..For clear explanation in the embodiment of the present application, various buses are all illustrated as system bus 704 in Figure 10.
As shown in Figure 10, the one or more processors 701 are configured to perform the following steps.
Control the transceiver to obtain the subscription data collection from the signing management server; the subscription data collection includes the authentication information of the third-party application.
Receive, through the transceiver, the first request sent by the third-party application server. The first request carries the identifier ICCID of the subscription data collection and is used to trigger a management operation on the subscription data collection in the eUICC.
Obtain, according to the ICCID of the subscription data collection, the authentication information of the third-party application included in the subscription data collection in the eUICC.
Obtain the certificate information of the third-party application stored in the terminal.
Determine, from the authentication information of the third-party application in the subscription data collection and the certificate information of the third-party application, whether the third-party application has permission to trigger a management operation on the subscription data collection.
If the third-party application has permission to trigger the management operation on the subscription data collection, perform the management operation on the subscription data collection.
Optionally, the processor 701 is further configured to control the transceiver to send a first management operation request to the third-party application server; the first management operation request includes the management operation that the third-party application requests to perform on the subscription data collection in the eUICC.
In another embodiment, the third-party application server generates the management operation to be performed on the subscription data collection in the eUICC.
Optionally, processor 701 is also used to:
Receive, through the transceiver, the identifier EID of the eUICC returned by the third-party application server.
Determine whether the EID of the eUICC returned by the third-party application server is identical to the EID of the terminal's eUICC.
If the EID of the eUICC returned by the third-party application server is identical to the EID of the terminal's eUICC, obtain, according to the ICCID of the subscription data collection, the authentication information of the third-party application included in the subscription data collection in the eUICC.
Optionally, processor 701 is also used to:
Instruct the LPA of the terminal to determine, from the authentication information of the third-party application in the subscription data collection and the certificate information of the third-party application, whether the third-party application has permission to trigger a management operation on the subscription data collection.
Alternatively, instruct the eUICC of the terminal to determine, from the authentication information of the third-party application in the subscription data collection and the certificate information of the third-party application, whether the third-party application has permission to trigger a management operation on the subscription data collection.
Optionally, processor 701 is also used to:
Instruct the LPA of the terminal to send a management instruction acquisition request to the signing management server according to the first request.
Receive, through the transceiver, the management instruction that the signing management server returns in response to the management instruction acquisition request.
Instruct the LPA of the terminal to perform, according to the management instruction, the management operation in the first management operation request on the subscription data collection in the eUICC.
Optionally, the first request includes a management command indicating the management operation. The processor 701 is further configured to instruct the LPA of the terminal to perform, according to the first request, the management operation indicated in the first request on the subscription data collection in the eUICC.
Figure 11 shows a possible structural schematic diagram of the signing management server involved in the above embodiments. As shown in Figure 11, the signing management server includes a processor 801, a memory 802, a system bus 803, and a transceiver 804. The processor 801 executes the method steps shown in Fig. 7 to Fig. 9. The signing management server interacts with other devices, such as the terminal and the third-party application server, through the communication interface 804.
As shown in Figure 11, the one or more processors 801 are configured to perform the following steps.
Receive, through the transceiver, the second management operation request sent by the third-party application server. The second management operation request includes the management operation to be performed on the subscription data in the terminal, the identifier ICCID of the subscription data collection in the terminal, the identifier EID of the terminal's eUICC, and the authentication information of the third-party application in the terminal.
Generate a management request response and control the transceiver to send it to the third-party application server. The management request response includes the ICCID of the subscription data collection in the terminal and the EID of the terminal's eUICC, so that the third-party application server can send the ICCID of the subscription data collection in the terminal and the EID of the terminal's eUICC to the terminal.
Receive, through the transceiver, the management instruction acquisition request sent by the terminal. The management instruction acquisition request carries the EID of the terminal's eUICC and the certificate information of the third-party application stored in the terminal.
Verify, according to the management instruction acquisition request and the second management operation request, whether the third-party application in the terminal has permission to trigger a management operation on the subscription data collection in the terminal's eUICC.
If the signing management server verifies that the third-party application in the terminal has permission to trigger a management operation on the subscription data collection in the terminal's eUICC, control the transceiver to return a management instruction to the terminal, so that the terminal performs the management operation on the subscription data collection in the terminal's eUICC according to the management instruction.
Optionally, one or more of processors are also used to:
Look up, according to the EID of the terminal's eUICC in the management instruction acquisition request, the second management operation request associated with that EID;
Determine whether the certificate information of the third-party application carried in the management instruction acquisition request is identical to the authentication information of the third-party application in the second management operation request;
If the certificate information of the third-party application carried in the management instruction acquisition request is identical to the authentication information of the third-party application in the second management operation request, determine that the third-party application in the terminal has permission to perform the management operation on the subscription data collection in the terminal's eUICC.
Optionally, the management request response further includes a registered event identifier event ID, which identifies the management operation event that the signing management server registered according to the second management operation request.
The management instruction acquisition request also carries the registered event identifier event ID.
The one or more processors are further configured to:
Look up, according to the registered event identifier event ID in the management instruction acquisition request, the second management operation request associated with that event ID;
Determine whether the certificate information of the third-party application carried in the management instruction acquisition request is identical to the authentication information of the third-party application in the second management operation request;
If the certificate information of the third-party application carried in the management instruction acquisition request is identical to the authentication information of the third-party application in the second management operation request, determine that the third-party application in the terminal has permission to perform the management operation on the subscription data collection in the terminal's eUICC.
It is apparent to those skilled in the art that, for convenience and simplicity of description, only the example of the division of the above functional modules, in practical application, it can according to need and be completed by different functional modules above-mentioned function distribution, the internal structure of mobile device is divided into different functional modules, to complete all or part of the functions described above.The specific work process and technical effect of the system of foregoing description, mobile device and unit, can refer to corresponding processes in the foregoing method embodiment, details are not described herein.
In several embodiments provided herein, it should be understood that disclosed system, mobile device and method may be implemented in other ways.Such as, mobile device embodiment described above is only schematical, such as, the division of the module or unit, only a kind of logical function partition, there may be another division manner in actual implementation, such as multiple units or components can be combined or can be integrated into another system, or some features can be ignored or not executed.Another point, shown or discussed mutual coupling, direct-coupling or communication connection can be through some interfaces, the indirect coupling or communication connection of mobile device or unit, can be electrical property, mechanical or other forms.
The unit as illustrated by the separation member may or may not be physically separated, and component shown as a unit may or may not be physical unit, it can and it is in one place, or may be distributed over multiple network units.It can some or all of the units may be selected to achieve the purpose of the solution of this embodiment according to the actual needs.
In addition, each functional unit in each embodiment of the application can integrate in one processing unit, it is also possible to each unit and physically exists alone, can also be integrated in one unit with two or more units.Above-mentioned integrated unit both can take the form of hardware realization, can also realize in the form of software functional units.
If the integrated unit is realized in the form of SFU software functional unit and when sold or used as an independent product, can store in a computer readable storage medium.Based on this understanding, substantially all or part of the part that contributes to existing technology or the technical solution can be embodied in the form of software products the technical solution of the application in other words, the computer software product is stored in a storage medium, it uses including some instructions so that a computer equipment (can be personal computer, server or the network equipment etc.) or processor (processor) execute each embodiment the method for the application all or part of the steps.And storage medium above-mentioned includes: the various media that can store program code such as USB flash disk (Universal Serial Bus flash disk, general serial bus USB), mobile hard disk, ROM, RAM, magnetic or disk.
It is described above; the only specific embodiment of the application, but the protection scope of the application is not limited thereto, and anyone skilled in the art is within the technical scope of the present application; it can easily think of the change or the replacement, should all cover within the scope of protection of this application.Therefore, the protection scope of the application should be based on the protection scope of the described claims.
Claims (20)
- A kind of management method of subscription data collection, it is characterized in that, the method is executed by terminal, the terminal includes integrated circuit card eUICC, LPA (Local Profile Assistant, local file assistant) and third-party application, which comprisesTerminal obtains subscription data collection from signing management server, and the subscription data concentrates the authentication information including third-party application;The terminal receives the first request that the third-party application server is sent, and the mark ICCID of the subscription data collection is carried in first request, and first request executes management operation to the subscription data collection in the eUICC for triggering;The terminal obtains the authentication information for the third-party application that the subscription data collection in the eUICC includes according to the mark ICCID of the subscription data collection;The terminal obtains the certificate information of the third-party application stored in the terminal;The certificate information of the authentication information for the third-party application that the terminal is concentrated according to the subscription data and the third-party application determines whether the third-party application has permission and triggers management operation to the subscription data collection;If the third-party application, which has permission, triggers management operation to the subscription data collection, the terminal executes the management to the subscription data collection and operates.
- Management method according to claim 1, which is characterized in that before the terminal receives the first request that the third-party application server is sent, the method also includes:The third-party application of the terminal sends the first management operation request to third-party application server, includes that third-party application request operates the management that the subscription data collection in the eUICC executes in first management operation request.
- Management method according to claim 1, which is characterized in that before the terminal receives the first request that the third-party application server is sent, the method also includes:The third-party application server, which generates, operates the management that the subscription data collection in the eUICC executes.
- Management method according to any one of claims 1 to 3, which is characterized in that before the terminal obtains the authentication information for the third-party application that the subscription data collection in the eUICC includes according to the mark ICCID of the subscription data collection, the method also includes:The terminal receives the mark EID for the eUICC that the third-party application server returns;The terminal determines whether the mark EID of the mark EID and eUICC of the terminal for the eUICC that the third-party application server returns is identical;If the terminal determines that the mark EID for the eUICC that the third-party application server returns is identical as the mark EID of the eUICC of the terminal, the terminal obtains the authentication information for the third-party application that the subscription data collection in the eUICC includes according to the mark ICCID of the subscription data collection.
- Management method according to any one of claims 1 to 4, characterized in that the terminal determining, according to the authentication information of the third-party application in the subscription data collection and the certificate information of the third-party application, whether the third-party application has permission to trigger a management operation on the subscription data collection comprises: the LPA of the terminal determines, according to the authentication information of the third-party application in the subscription data collection and the certificate information of the third-party application, whether the third-party application has permission to trigger a management operation on the subscription data collection; alternatively, the eUICC of the terminal determines, according to the authentication information of the third-party application in the subscription data collection and the certificate information of the third-party application, whether the third-party application has permission to trigger a management operation on the subscription data collection.
- Management method according to any one of claims 1 to 5, which is characterized in that the terminal executes the management to the subscription data collection and operates, comprising:The LPA of the terminal sends management instruction acquisition request to the signing management server according to first request;The LPA of the terminal receives the signing management server and is instructed according to the management that the management instruction acquisition request returns;The LPA of the terminal is instructed according to the management, executes the operation of the management in first management operation request to the subscription data collection in the eUICC.
- Management method according to any one of claims 1 to 5, which is characterized in that the method also includes:It include the instruction of instruction management operation in first request;The terminal executes the management to the subscription data collection and operates, comprising:The LPA of the terminal executes the management indicated in first request to the subscription data collection in the eUICC and operates according to first request.
- A management method for a subscription data collection, characterized in that the method is executed by a signing management server and comprises: the signing management server receives a second management operation request sent by a third-party application server, the second management operation request including the management operation to be performed on the subscription data in a terminal, the identifier ICCID of the subscription data collection in the terminal, the identifier EID of the terminal's eUICC, and the authentication information of the third-party application in the terminal; the signing management server sends a management request response to the third-party application server, the management request response including the ICCID of the subscription data collection in the terminal and the EID of the terminal's eUICC; the signing management server obtains a management instruction acquisition request sent by the terminal, the management instruction acquisition request carrying the EID of the terminal's eUICC and the certificate information of the third-party application stored in the terminal; the signing management server verifies, according to the management instruction acquisition request and the second management operation request, whether the third-party application in the terminal has permission to trigger a management operation on the subscription data collection in the terminal's eUICC; if the signing management server verifies that the third-party application in the terminal has permission to trigger a management operation on the subscription data collection in the terminal's eUICC, the signing management server returns a management instruction to the terminal, so that the terminal performs the management operation on the subscription data collection in the terminal's eUICC according to the management instruction.
- Management method according to claim 8, which is characterized in that the signing management server verifying, according to the management instruction acquisition request and the second management operation request, whether the third-party application in the terminal has permission to trigger a management operation on the subscription data collection in the terminal eUICC comprises: the signing management server looks up, according to the identifier EID of the terminal eUICC in the management instruction acquisition request, the second management operation request associated with that EID; the signing management server determines whether the certificate information of the third-party application carried in the management instruction acquisition request is identical to the authentication information of the third-party application in the second management operation request; if the two are identical, it is determined that the third-party application in the terminal has permission to execute the management operation on the subscription data collection in the terminal eUICC.
- Management method according to claim 7 or 8, which is characterized in that the management request response sent by the signing management server further includes a registered event identifier (event ID), the event ID identifying the management operation event that the signing management server registered according to the second management operation request; the management instruction acquisition request that the signing management server obtains from the terminal also carries the event ID; and the signing management server verifying, according to the management instruction acquisition request and the second management operation request, whether the third-party application in the terminal has permission to trigger a management operation on the subscription data collection in the terminal eUICC comprises: the signing management server looks up, according to the event ID in the management instruction acquisition request, the second management operation request associated with that event ID; the signing management server determines whether the certificate information of the third-party application carried in the management instruction acquisition request is identical to the authentication information of the third-party application in the second management operation request; if the two are identical, the third-party application in the terminal has permission to execute the management operation on the subscription data collection in the terminal eUICC.
- A terminal, which is characterized in that the terminal includes a transceiver, an integrated circuit card eUICC for storing a subscription data collection, a memory, and one or more processors for executing one or more programs stored in the memory, the one or more processors being used to: control the transceiver to obtain a subscription data collection from a signing management server, the subscription data collection including the authentication information of a third-party application; receive a first request sent by a third-party application server and received by the transceiver, the first request carrying the identifier ICCID of the subscription data collection and being used to trigger execution of a management operation on the subscription data collection in the eUICC; obtain, according to the identifier ICCID of the subscription data collection, the authentication information of the third-party application included in the subscription data collection in the eUICC; obtain the certificate information of the third-party application stored in the terminal; determine, according to the authentication information of the third-party application in the subscription data collection and the certificate information of the third-party application, whether the third-party application has permission to trigger a management operation on the subscription data collection; if the third-party application has permission to trigger a management operation on the subscription data collection, execute the management operation on the subscription data collection.
- Terminal according to claim 11, which is characterized in that the processor is also used to: control the transceiver to send a first management operation request to the third-party application server, the first management operation request including the management operation that the third-party application requests to be executed on the subscription data collection in the eUICC.
- Terminal according to claim 11, which is characterized in that the third-party application server generates the management operation to be executed on the subscription data collection in the eUICC.
- Terminal according to any one of claims 11 to 13, which is characterized in that the processor is also used to: receive the identifier EID of the eUICC returned by the third-party application server and received by the transceiver; determine whether the identifier EID of the eUICC returned by the third-party application server is identical to the identifier EID of the eUICC of the terminal; if they are identical, obtain, according to the identifier ICCID of the subscription data collection, the authentication information of the third-party application included in the subscription data collection in the eUICC.
- Terminal according to any one of claims 11 to 14, which is characterized in that the processor is also used to: instruct the LPA of the terminal to determine, according to the authentication information of the third-party application in the subscription data collection and the certificate information of the third-party application, whether the third-party application has permission to trigger a management operation on the subscription data collection; or instruct the eUICC of the terminal to determine, according to the authentication information of the third-party application in the subscription data collection and the certificate information of the third-party application, whether the third-party application has permission to trigger a management operation on the subscription data collection.
- Terminal according to any one of claims 11 to 15, which is characterized in that the processor is also used to: instruct the LPA of the terminal to send, according to the first request, a management instruction acquisition request to the signing management server; receive the management instruction that the signing management server returns in response to the management instruction acquisition request and that the transceiver receives; instruct the LPA of the terminal to execute, according to the management instruction, the management operation in the first management operation request on the subscription data collection in the eUICC.
- Terminal according to any one of claims 11 to 15, which is characterized in that the first request includes an administration order indicating the management operation; the processor is also used to: instruct the LPA of the terminal to execute, according to the first request, the management operation indicated in the first request on the subscription data collection in the eUICC.
- A signing management server, which is characterized in that the terminal includes a transceiver, a memory, and one or more processors for executing one or more programs stored in the memory, the one or more processors being used to: receive a second management operation request sent by a third-party application server and received by the transceiver, the second management operation request including the management operation to be executed on the subscription data in a terminal, the identifier ICCID of the subscription data collection in the terminal, the identifier EID of the terminal eUICC, and the authentication information of the third-party application in the terminal; generate a management request response and control the transceiver to send it to the third-party application server, the management request response including the identifier ICCID of the subscription data collection in the terminal and the identifier EID of the terminal eUICC, which the third-party application server sends on to the terminal; receive a management instruction acquisition request sent by the terminal and received by the transceiver, the management instruction acquisition request carrying the identifier EID of the terminal eUICC and the certificate information of the third-party application stored in the terminal; verify, according to the management instruction acquisition request and the second management operation request, whether the third-party application in the terminal has permission to trigger a management operation on the subscription data collection in the terminal eUICC; if the signing management server verifies that the third-party application in the terminal has permission to trigger a management operation on the subscription data collection in the terminal eUICC, control the transceiver to return a management instruction to the terminal, so that the terminal executes the management operation on the subscription data collection in the terminal eUICC according to the management instruction.
- Server according to claim 18, which is characterized in that the one or more processors are also used to: look up, according to the identifier EID of the terminal eUICC in the management instruction acquisition request, the second management operation request associated with that EID; determine whether the certificate information of the third-party application carried in the management instruction acquisition request is identical to the authentication information of the third-party application in the second management operation request; if the two are identical, determine that the third-party application in the terminal has permission to execute the management operation on the subscription data collection in the terminal eUICC.
- Server according to claim 17 or 18, which is characterized in that the management request response further includes a registered event identifier (event ID), the event ID identifying the management operation event that the signing management server registered according to the second management operation request; the management instruction acquisition request also carries the event ID; the one or more processors are also used to: look up, according to the event ID in the management instruction acquisition request, the second management operation request associated with that event ID; determine whether the certificate information of the third-party application carried in the management instruction acquisition request is identical to the authentication information of the third-party application in the second management operation request; if the two are identical, determine that the third-party application in the terminal has permission to execute the management operation on the subscription data collection in the terminal eUICC.
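The server-side check in the signing management server claims above (look up the registered request by event ID, confirm the EID, then compare certificate information with authentication information) can be sketched as follows. This is an added example, not part of the patent text; the class and function names, the SHA-256 fingerprint as the form of the authentication information, the single-use event, and all sample values are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ManagementRequest:
    """The 'second management operation request' from the third-party application server."""
    operation: str        # management operation to perform (sample value below)
    iccid: str            # identifier of the subscription data collection
    eid: str              # identifier of the terminal's eUICC
    app_auth_info: bytes  # authentication information of the third-party application


class SigningManagementServer:
    def __init__(self) -> None:
        self._events: Dict[str, ManagementRequest] = {}

    def register(self, req: ManagementRequest) -> Dict[str, str]:
        """Register a management event and build the management request response."""
        event_id = secrets.token_hex(16)  # unguessable event ID (assumption)
        self._events[event_id] = req
        return {"iccid": req.iccid, "eid": req.eid, "event_id": event_id}

    def get_instruction(self, eid: str, event_id: str,
                        app_cert_info: bytes) -> Optional[Dict[str, str]]:
        """Handle the terminal's management instruction acquisition request."""
        req = self._events.get(event_id)
        # The event must exist and must have been registered for this eUICC.
        if req is None or not hmac.compare_digest(req.eid.encode(), eid.encode()):
            return None
        # Permission check from the claims: the two values must be identical.
        if not hmac.compare_digest(req.app_auth_info, app_cert_info):
            return None
        del self._events[event_id]  # single use, so a replayed request fails (assumption)
        return {"operation": req.operation, "iccid": req.iccid}


def fingerprint(cert_bytes: bytes) -> bytes:
    """Assumed form of the authentication/certificate information."""
    return hashlib.sha256(cert_bytes).digest()


# Constructed sample values, not real identifiers or certificates.
SAMPLE_EID = "89000000000000000000000000000001"
SAMPLE_ICCID = "8900000000000000001"
APP_CERT = b"constructed third-party application certificate"
OTHER_CERT = b"constructed certificate of a different application"


def demo() -> List[Optional[Dict[str, str]]]:
    server = SigningManagementServer()
    resp = server.register(ManagementRequest(
        "disable", SAMPLE_ICCID, SAMPLE_EID, fingerprint(APP_CERT)))
    ev = resp["event_id"]
    return [
        server.get_instruction(SAMPLE_EID, ev, fingerprint(OTHER_CERT)),  # wrong app
        server.get_instruction("0" * 32, ev, fingerprint(APP_CERT)),      # wrong eUICC
        server.get_instruction(SAMPLE_EID, ev, fingerprint(APP_CERT)),    # authorized
        server.get_instruction(SAMPLE_EID, ev, fingerprint(APP_CERT)),    # replay
    ]


if __name__ == "__main__":
    print(demo())
```

The claims require only that the two values be identical; the constant-time comparison and the deletion of the event after use are hardening choices of this example.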
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2017/071184 WO2018129723A1 (en) | 2017-01-13 | 2017-01-13 | Management method for subscription data set, terminal, and server |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109196891A (en) | 2019-01-11 |
CN109196891B (en) | 2020-09-08 |
Family
ID=62839215
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201780032616.9A Active CN109196891B (en) | 2017-01-13 | 2017-01-13 | Method, terminal and server for managing subscription data set |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN109196891B (en) |
WO (1) | WO2018129723A1 (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112235784B (en) * | 2020-12-18 | 2021-03-05 | 深圳杰睿联科技有限公司 | vSIM-based code number management method, device and equipment |
CN112672346B (en) * | 2020-12-18 | 2024-01-23 | 中国联合网络通信集团有限公司 | Method, device and system for downloading authentication application |
CN114980121A (en) * | 2021-02-19 | 2022-08-30 | 中国移动通信集团上海有限公司 | Method and device for establishing logical private network of 5G message system |
US20220338008A1 (en) * | 2021-04-14 | 2022-10-20 | Samsung Electronics Co., Ltd. | Method and apparatus for managing events in a wireless communication system |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102833066A (en) * | 2011-06-15 | 2012-12-19 | 中兴通讯股份有限公司 | Three-party authentication method and device as well as intelligent card supporting two-way authentication |
CN103731268A (en) * | 2013-09-23 | 2014-04-16 | 中兴通讯股份有限公司 | Terminal, network side device, and terminal application control method and system |
CN103782568A (en) * | 2013-08-30 | 2014-05-07 | 华为终端有限公司 | Remote alteration signing method and apparatus thereof |
WO2016178548A1 (en) * | 2015-05-07 | 2016-11-10 | 삼성전자 주식회사 | Method and apparatus for providing profile |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR102093757B1 (en) * | 2012-05-24 | 2020-03-26 | 삼성전자 주식회사 | Method for providing sim profile in euicc environment and devices therefor |
CN104426887B (en) * | 2013-09-04 | 2018-06-19 | 华为技术有限公司 | Service authority determines method and apparatus |
WO2015076710A1 (en) * | 2013-11-19 | 2015-05-28 | Telefonaktiebolaget L M Ericsson (Publ) | Profile change management |
CN105357771B (en) * | 2015-10-16 | 2019-01-08 | 中国联合网络通信集团有限公司 | Connect method for building up and user terminal |
-
2017
- 2017-01-13 WO PCT/CN2017/071184 patent/WO2018129723A1/en active Application Filing
- 2017-01-13 CN CN201780032616.9A patent/CN109196891B/en active Active
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112954694A (en) * | 2019-11-26 | 2021-06-11 | 上海华为技术有限公司 | Method, device and equipment for processing subscription information |
CN111342998A (en) * | 2020-02-07 | 2020-06-26 | 中国联合网络通信集团有限公司 | Terminal application management method and system, super application management terminal and storage medium |
CN116528217A (en) * | 2023-07-04 | 2023-08-01 | 中国电信股份有限公司 | Method for remotely managing eUICC and related equipment |
CN116528217B (en) * | 2023-07-04 | 2023-10-10 | 中国电信股份有限公司 | Method for remotely managing eUICC and related equipment |
Also Published As
Publication number | Publication date |
---|---|
WO2018129723A1 (en) | 2018-07-19 |
CN109196891B (en) | 2020-09-08 |
Similar Documents
Publication | Title |
---|---|
US11617073B2 (en) | Method enabling migration of a subscription |
CN109196891A (en) | A kind of management method, terminal and the server of subscription data collection |
CN110178393B (en) | Method, device and server for downloading subscription data set |
EP3800909B1 (en) | Remote management method, and device |
US9661666B2 (en) | Apparatus and methods of identity management in a multi-network system |
JP6743195B2 (en) | Methods and entities for ending a subscription |
EP3337219B1 (en) | Carrier configuration processing method, device and system, and computer storage medium |
US11523261B2 (en) | Handling of subscription profiles for a set of wireless devices |
JP6837082B2 (en) | Methods and equipment for publishing assertions within a distributed database of mobile communications networks and for personalizing Internet of Things devices. |
CN109716805B (en) | Installation method of subscription data set, terminal and server |
EP3485663B1 (en) | Remote provision of a subscriber entity |
JP7384920B2 (en) | Method of providing subscription profile, subscriber identity module, and subscription server |
JP7208080B2 (en) | Automatic activation and onboarding of connected equipment |
CN110268730B (en) | Techniques for managing subscriptions with operators |
CN109565666A (en) | A kind of management method and device of configuration file |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||